Introductions
AlienVault Forums:
https://www.alienvault.com/forums/discussions/tagged/ossim
LinkedIn Group: https://www.linkedin.com/groupInvitation?gid=3793
USM & OSSIM On-Demand Training Archives:
https://www.alienvault.com/product-training
AlienVault Blog – Analysis from the AlienVault Labs research team, practical tips to secure your environment & industry trends
Agenda
How to deploy & configure OSSEC agents
Best practices for configuring syslog and
enabling plugins
Scanning your network for assets and
vulnerabilities
Let's get started!
Host IDS Configuration
Host IDS
OSSIM comes with OSSEC host-based IDS, which provides:
• Log monitoring and collection
• Rootkit detection
• File integrity checking
• Windows registry integrity checking
[Diagram: OSSEC Agent on Servers → UDP 1514 → OSSEC Server / OSSIM Sensor → OSSIM Server]
Deploying HIDS
Automatic deployment for Windows.
Download preconfigured agent for Windows.
Manual installation for other OS: key extraction is required for manual installation. Extract key.
Change Configuration File on Agent
OSSEC configuration is controlled by a text file (the configuration file).
Agent needs to be restarted after configuration changes.
Log file is available for troubleshooting.
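As an added example (not from the AlienVault deck), the script below generates a minimal OSSEC agent configuration covering the four capabilities listed above (log collection, rootkit detection, file integrity checking, the client block pointing at the server on UDP 1514), reads the server settings back, and triages agent log lines to tell whether the agent has reached its server. The server address 192.0.2.10 is a placeholder and the sample log lines are constructed here in the style of ossec.log.

```python
"""Added example (not from the AlienVault deck): generate a minimal OSSEC agent
ossec.conf, read the server settings back, and triage constructed ossec.log
lines to tell whether the agent has reached its server.  The server IP is a
placeholder; the log lines imitate ossec.log but are constructed here."""
import ipaddress
import re
import xml.etree.ElementTree as ET

OSSEC_PORT = 1514  # agent -> server port shown in the deck (UDP)
ROOTKIT_FILES = "/var/ossec/etc/shared/rootkit_files.txt"  # signature list shipped with OSSEC


def build_agent_config(server_ip, monitored_dirs, log_files, port=OSSEC_PORT):
    """Return ossec.conf text for an agent: <client> block pointing at the
    server, syscheck (file integrity), rootcheck (rootkit detection) and one
    localfile (log collection) entry per log file."""
    ipaddress.ip_address(server_ip)  # raises ValueError on a malformed address
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    root = ET.Element("ossec_config")
    client = ET.SubElement(root, "client")
    ET.SubElement(client, "server-ip").text = server_ip
    ET.SubElement(client, "port").text = str(port)
    syscheck = ET.SubElement(root, "syscheck")
    ET.SubElement(syscheck, "frequency").text = "7200"  # seconds between integrity scans
    dirs = ET.SubElement(syscheck, "directories", check_all="yes")
    dirs.text = ",".join(monitored_dirs)
    rootcheck = ET.SubElement(root, "rootcheck")
    ET.SubElement(rootcheck, "rootkit_files").text = ROOTKIT_FILES
    for path in log_files:
        local = ET.SubElement(root, "localfile")
        ET.SubElement(local, "log_format").text = "syslog"
        ET.SubElement(local, "location").text = path
    return ET.tostring(root, encoding="unicode")


def read_server_settings(config_text):
    """Parse ossec.conf and return (server_ip, port) from the <client> block."""
    client = ET.fromstring(config_text).find("client")
    if client is None:
        raise ValueError("no <client> block: this is not an agent configuration")
    return client.findtext("server-ip"), int(client.findtext("port", str(OSSEC_PORT)))


# Constructed sample of an agent's ossec.log (not real output): the agent first
# waits for the server, then connects.
SAMPLE_OSSEC_LOG = """\
2015/03/10 12:00:01 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: '192.0.2.10'.
2015/03/10 12:00:22 ossec-agentd(4102): INFO: Connected to the server (192.0.2.10:1514).
"""

# date time daemon(code): LEVEL: message
LOG_LINE = re.compile(r"^(\S+ \S+) (\S+?)\((\d+)\): (\w+): (.*)$")


def agent_connection_status(log_text):
    """Walk ossec.log lines and report the most recent connection state:
    'connected', 'waiting' (server not answering: check the agent key, the
    server IP and UDP 1514 on the path) or 'unknown'."""
    status = "unknown"
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        message = m.group(5)
        if "Connected to the server" in message:
            status = "connected"
        elif "Waiting for server reply" in message:
            status = "waiting"
    return status


if __name__ == "__main__":
    conf = build_agent_config("192.0.2.10", ["/etc", "/usr/bin"], ["/var/log/auth.log"])
    print(conf)
    print(read_server_settings(conf), agent_connection_status(SAMPLE_OSSEC_LOG))
```

After writing the generated text to the agent's configuration file, the agent must be restarted as the slide says; a status of "waiting" in the log after the restart usually points at a wrong server IP, a missing or mismatched agent key, or UDP 1514 being blocked between agent and sensor.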
Verify HIDS Operations
Displays overview of OSSEC events and agent information.
Agent status should be active.
Verify presence of rootkits.
Environment > Detection > HIDS > Agents > Agent Control
Syslog & Plugins
Syslog Forwarding
Syslog configuration will vary based on source device/application but, usually, the necessary parameters are:
• Destination IP
• Source IP
• Port (default is UDP 514)
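The three parameters above are all a forwarding device needs because syslog over UDP is a fire-and-forget datagram. As an added example (not from the deck), the script below builds an RFC 3164 syslog datagram the way a source would, decodes it the way a collector does, and sends it to a collector on UDP 514 from a chosen source address. The collector address 192.0.2.10 and the sample message are placeholders constructed here.

```python
"""Added example (not from the AlienVault deck): build an RFC 3164 syslog
datagram, decode it as a collector would, and forward it over UDP 514 from a
chosen source address.  192.0.2.10 and the sample event are placeholders."""
import re
import socket
import time

FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
            "local0": 16, "local1": 17, "local2": 18, "local3": 19}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}
SYSLOG_PORT = 514  # default destination port, UDP


def rfc3164_timestamp(t=None):
    """'Mmm dd hh:mm:ss' with a space-padded day, as RFC 3164 specifies."""
    t = t or time.localtime()
    return "%s %2d %s" % (time.strftime("%b", t), t.tm_mday, time.strftime("%H:%M:%S", t))


def build_syslog(facility, severity, hostname, tag, message, timestamp=None):
    """Encode one event as '<PRI>TIMESTAMP HOST TAG: MSG' (PRI = facility*8 + severity)."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    # One datagram is one event: CR/LF inside the message would let a source
    # forge extra "events" at a collector that splits its input on newlines.
    message = message.replace("\r", " ").replace("\n", " ")
    line = "<%d>%s %s %s: %s" % (pri, timestamp or rfc3164_timestamp(), hostname, tag, message)
    return line.encode("utf-8")


SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[\s]+)(?:\[(\d+)\])?: (.*)$")


def parse_syslog(datagram):
    """Decode a datagram into facility, severity, timestamp, host, tag, pid, message."""
    m = SYSLOG_RE.match(datagram.decode("utf-8", errors="replace"))
    if not m:
        raise ValueError("not an RFC 3164 message")
    pri = int(m.group(1))
    if pri > 191:  # highest facility (23) * 8 + highest severity (7)
        raise ValueError("PRI out of range")
    fac_num, sev_num = divmod(pri, 8)
    fac_name = {v: k for k, v in FACILITY.items()}.get(fac_num, str(fac_num))
    sev_name = {v: k for k, v in SEVERITY.items()}[sev_num]
    return {"facility": fac_name, "severity": sev_name, "timestamp": m.group(2),
            "hostname": m.group(3), "tag": m.group(4),
            "pid": int(m.group(5)) if m.group(5) else None, "message": m.group(6)}


def forward(datagram, dest_ip, dest_port=SYSLOG_PORT, source_ip=None):
    """Send one datagram to the collector.  Binding to source_ip matters on a
    multi-homed host, because the collector sees the sender's address as the
    source IP of the events."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if source_ip:
            sock.bind((source_ip, 0))
        return sock.sendto(datagram, (dest_ip, dest_port))
    finally:
        sock.close()


if __name__ == "__main__":
    d = build_syslog("auth", "info", "web01", "sshd[1234]",
                     "Accepted publickey for alice from 198.51.100.7")
    print(d)
    print(parse_syslog(d))
    # forward(d, "192.0.2.10")  # placeholder collector; uncomment on a live network
```

The parser is the part worth keeping around: running it over a capture from the sensor's UDP 514 listener shows exactly which facility, severity and tag a device sends, which is what decides whether the matching plugin will parse the events.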
Enabling Plugins
Enable plugin at the asset level: General > Plugins > Edit Plugins
Green light under “Receiving Data” will confirm successful log collection
Vulnerability Assessment
Vulnerability Assessment
Uses a built-in OpenVAS scanner
Detects vulnerabilities in assets
• Vulnerabilities are correlated with events' cross-correlation rules
• Useful for compliance reports and auditing
Managed from the central SIEM console:
• Running and scheduling vulnerability scans
• Examining reports
• Updating vulnerability signatures
Advanced Options
Vulnerability assessment can be:
• Authenticated (SSH and SMB)
• Unauthenticated
Predefined profiles can be selected:
• Non destructive full and slow scan
• Non destructive full and fast scan
• Full and fast scan including destructive tests
Custom profiles can be created.
Vulnerability Assessment Config
1. (Optionally) tune global vulnerability assessment settings.
2. (Optionally) create a set of credentials.
3. (Optionally) create a scanning profile.
4. Create a vulnerability scan job.
5. Examine scanning results.
6. Optionally create a vulnerability or compliance report.
Tune Global Vulnerability Assessment Settings
The vulnerability assessment system opens a ticket for found vulnerabilities. Select the vulnerability ticket threshold: start with a high threshold and fix important vulnerabilities first. Update configuration.
Create a set of credentials: specify the credential set name, specify the login username (supports the DOMAIN/USER username format), and select the authentication type.
Create a scanning profile: examine the 3 default profiles, enable/disable plugin families, create a new profile.
Create a vulnerability scan job: select assets, save job.
Examine scanning results: examine vulnerability statistics, view the vulnerability report for all assets.
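As an added example (not from the deck, and not OSSIM or OpenVAS code), the script below shows what the ticket threshold does to a scan result: findings at or above the threshold become tickets, ordered by score and deduplicated per asset and finding, and the per-severity statistics show how many more tickets lowering the threshold would open. The findings are constructed sample rows, and the severity names follow the CVSS v3 qualitative scale, which is an assumption about how a score threshold maps to ratings rather than OSSIM's own scale.

```python
"""Added example (not part of the AlienVault deck): apply a vulnerability
ticket threshold to scan findings and produce the per-severity statistics an
analyst reviews before lowering the threshold.  Findings are constructed
sample rows, not OpenVAS/OSSIM output; ratings use the CVSS v3 qualitative
scale, which is an assumption, not OSSIM's own risk scale."""
import csv
import io
from collections import Counter

# Constructed scan result: asset, port, finding name, CVSS base score.
# The duplicate TLS row imitates the same finding reported by two checks.
SAMPLE_REPORT = """asset,port,name,cvss
10.0.0.5,22,Weak MAC algorithms offered by SSH service,2.6
10.0.0.5,443,TLS certificate expired,5.3
10.0.0.5,443,TLS certificate expired,5.3
10.0.0.7,445,SMBv1 protocol enabled,7.5
10.0.0.7,3389,Remote Desktop without Network Level Authentication,9.8
10.0.0.9,80,Web server version disclosed in banner,0.0
"""


def cvss_rating(score):
    """CVSS v3 qualitative rating for a base score (assumed mapping)."""
    if score == 0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def load_findings(text):
    """Parse the CSV report into dicts with a numeric cvss field."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        score = float(row["cvss"])
        if not 0.0 <= score <= 10.0:
            raise ValueError("CVSS score out of range: %r" % row)
        findings.append(dict(row, cvss=score))
    return findings


def open_tickets(findings, threshold):
    """Return one ticket per (asset, finding) at or above the threshold,
    highest score first, so the most important vulnerabilities are fixed first."""
    seen = set()
    tickets = []
    for f in sorted(findings, key=lambda f: -f["cvss"]):
        key = (f["asset"], f["name"])
        if f["cvss"] >= threshold and key not in seen:
            seen.add(key)
            tickets.append({"asset": f["asset"], "port": f["port"], "name": f["name"],
                            "cvss": f["cvss"], "rating": cvss_rating(f["cvss"])})
    return tickets


def severity_stats(findings):
    """Count findings per rating: what the statistics view summarises."""
    return Counter(cvss_rating(f["cvss"]) for f in findings)


if __name__ == "__main__":
    findings = load_findings(SAMPLE_REPORT)
    print(dict(severity_stats(findings)))
    for threshold in (9.0, 7.0, 4.0):
        print(threshold, [(t["asset"], t["name"]) for t in open_tickets(findings, threshold)])
```

Starting at 9.0 opens a single ticket in the sample, 7.0 opens two, and 4.0 opens three (the duplicated TLS row counts once); the statistics make that cost visible before the threshold is lowered.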
“I started out with OSSIM and I didn’t fully realize how much value I would get out of USM until I started using it.
The reporting is awesome, it’s been a big benefit for me. And, having a fully supported solution means I can get
answers to my questions much more quickly than before.”
http://www.alienvault.com/marketing/smb-bundles
Now for some Q&A
Resources for OSSIM Users
OSSIM vs. USM Comparison Chart: https://www.alienvault.com/products/compare-ossim-to-alienvault-usm
AlienVault Forum: https://www.alienvault.com/forums/discussions/tagged/ossim
LinkedIn Group: https://www.linkedin.com/groupInvitation?gid=3793
CONTACT US: 888.613.6023, ALIENVAULT.COM