OSSIM (Open Source Security Information Management) is an open source project by AlienVault which provides SIEM (Security Information and Event Management) functionality. It provides the following SIEM features, which are required by security professionals:
- Event collection
OSSIM is a unified platform which provides the essential security capabilities. Many proven open source security tools are built into the OSSIM platform. It continues to be the fastest way to take the first steps towards unified security visibility.
The OSSIM platform supports the following open source software/plugins:
Download an ISO from AlienVault (http://downloads.alienvault.com/c/download?version=current_ossim_iso) and install it in the VM. In this tutorial, we install OSSIM on a VM instead of a physical server, with the following specifications.
It has two interfaces: one for management of the server and a second for collecting logs and monitoring the network devices. The details of the VM are given below.
- Processor: 2 vCPU
- RAM: 2 GB
- Hard disk size: 8 GB
- Management IP: 192.168.1.150/24
- Asset network: 192.168.0.0/24
When the OSSIM VM boots from the ISO image, the installation wizard shows the following two options.
The highlighted option in the above figure is selected, which installs OSSIM on this VM. Press Enter to start the installation process. Select the language, location and keyboard settings in the next few steps.
In this step, configure the network of the OSSIM VM. We use eth0 for management, and the rest of the network is connected to eth1. The network configuration for eth0 is shown below.
Root User Setting
After the network settings, the next window prompts for the password of the root user, which can access the CLI of the OSSIM server. The root password must be strong.
Time Zone setting
Time zone information is important in a logging system; the setting is shown below.
The following window appears after the installation of AlienVault OSSIM completes. We can access the web interface using the following URL:
Log in with user root and password test in the CLI of the OSSIM server.
The latest Mozilla Firefox browser does not open the link, so use Chrome or IE to access the web interface. Chrome and IE will show the following window, which says that the certificate is not trusted because OSSIM uses a self-signed certificate.
The following window appears after the administration account is created. The username is admin and the password is test@123.
After successfully logging in to the web interface, the following wizard appears for further configuration of the OSSIM server.
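As an added illustration (not part of the original tutorial) of why the time zone setting matters: syslog timestamps carry local time with no zone, so a SIEM that receives events from a host in one zone and from its own sensor in another will mis-order them unless it knows each source's zone. The hostnames, zones and log lines below are constructed, and fixed UTC offsets stand in for the IANA zones a real deployment would use.

```python
# Added example: ordering syslog events from sources in different time zones.
# Sample hosts and lines are constructed; "web01" is an asset in the tutorial's
# 192.168.0.0/24 network and "ossim" is the OSSIM sensor itself.
import re
from datetime import datetime, timedelta, timezone

# Assumed per-source zones: the asset runs on US Eastern standard time (UTC-5),
# the OSSIM server on UTC. Fixed offsets are used so this runs without tzdata.
SOURCE_ZONES = {
    "web01": timezone(timedelta(hours=-5), "EST"),
    "ossim": timezone.utc,
}

# Constructed BSD-syslog lines (month, day, HH:MM:SS, host, message; no year or zone).
SAMPLE_LOGS = [
    "Mar  3 09:15:02 web01 sshd[4211]: Failed password for root from 192.168.0.77 port 51022 ssh2",
    "Mar  3 13:14:30 ossim ossec: Agent web01 started",
    "Mar  3 09:14:58 web01 sshd[4211]: Invalid user admin from 192.168.0.77",
]

SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_line(line, year=2024):
    """Parse a syslog line into (utc_datetime, host, message).

    The year is supplied by the caller (syslog omits it) and the zone is
    looked up per host, falling back to UTC for unknown sources.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    mon, day, hms, host, msg = m.groups()
    naive = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    local = naive.replace(tzinfo=SOURCE_ZONES.get(host, timezone.utc))
    return local.astimezone(timezone.utc), host, msg


def order_events(lines, year=2024):
    """Events as (host, message), sorted by their true UTC time."""
    parsed = sorted((parse_line(l, year) for l in lines), key=lambda e: e[0])
    return [(host, msg) for _, host, msg in parsed]


def naive_order(lines):
    """Ordering a SIEM produces if it compares raw local clocks as one zone."""
    by_clock = sorted(lines, key=lambda l: l.split()[2])
    return [(l.split()[3], l.split(None, 4)[4]) for l in by_clock]
```

With the zones applied, the HIDS agent start on the OSSIM server correctly precedes the two SSH failures; comparing raw clocks instead places it after them.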
It shows the following three options:
- Monitor Network (configure the network which is monitored by the OSSIM server)
- Assets Discovery (automatic discovery of the network devices in the organization)
- Collecting logs and monitoring of network nodes
Click the Start button in the above figure to configure the OSSIM server.
After clicking the 1st option, another window prompts for the network configuration, shown in the figure below. We configured eth1 as the log collector and monitoring interface of the OSSIM server.
In the 2nd step, OSSIM performs automatic discovery of the network assets. Select the Asset Discovery (2) option and the following window prompts for the configuration. It supports automatic and manual discovery of assets.
The types of assets in the OSSIM server are:
- Network device
After the network settings and asset discovery, the next step is the deployment of HIDS on Windows/Linux devices to perform file integrity monitoring, rootkit detection and collection of event logs. Enter the username/password of the asset for the deployment of HIDS.
Select the desired host from the list and click the Deploy button for the HIDS deployment. Then click the Continue button to start the deployment process, which is shown in the figure. This process takes a few minutes for the HIDS deployment on the selected host.
The following figure shows the configuration of a discovered asset for the management of different logs.
The final option of the configuration wizard is to join OTX (the threat exchange program of AlienVault). We are not going to sign up for this option. Finish the configuration by clicking the Finish button.
The main dashboard of the OSSIM server is shown below.
The web interface of the OSSIM server consists of the following options on the main GUI.
It shows a comprehensive view of all components of the OSSIM server, such as threat severity, vulnerabilities in the network hosts, deployment status, risk maps and OTX stats. The Dashboard sub menu is shown in the following figure.
Analysis is a very important component of any SIEM. The OSSIM server analyzes the hosts based on their logs. This menu shows the alarms, SIEM (security events), tickets and raw logs. The Analysis menu is further divided into the following sub menus.
In this menu of the OSSIM server, the settings relate to the assets of the organization. It shows the assets, groups and networks, vulnerabilities, NetFlow and detection settings. The sub menu for all these settings is shown in the figure.
Reporting is an important component of any logging server. The OSSIM server also generates reports, which are very useful for the detailed investigation of any specific host.
In the Configuration menu, the user can change the settings of the OSSIM server, such as the IP address of the management interface, add more hosts for monitoring and logging, and add/remove sensors/plugins. The sub menu for all services is shown below.
In this article, we explained the installation and configuration process of the open source SIEM software backed by AlienVault. In our next article, our focus will be on the details of all components of OSSIM.