To read more Linux Journal or start your subscription, please visit http://www.linuxjournal.com.

Upload: others

Post on 07-Jul-2020

1 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: or start your subscription, please visit ... article... · vulnerabilities in Nessus. By doing so, you reduce false positives and refine questionable data into a valuable security

To read more Linux Journal or start your subscription, please visit http://www.linuxjournal.com.

Page 2: or start your subscription, please visit ... article... · vulnerabilities in Nessus. By doing so, you reduce false positives and refine questionable data into a valuable security

March 2010, www.linuxjournal.com

Security Information Management (SIM) systems have made many security administrators’ lives easier over the years. SIMs organize an enterprise’s security environment and provide a common interface to manage that environment. Many SIM products are available today that perform well in this role, but none are as ambitious as AlienVault’s Open Source Security Information Management (OSSIM). With OSSIM, AlienVault has harnessed the capabilities of several popular security packages and created an “intelligence” that translates, analyzes and organizes the data in unique and customizable ways that most SIMs cannot. It uses a process called correlation to make threat judgments dynamically and report in real time on the state of risk in your environment. The end result is a design approach that makes risk management an organized and observable process that security administrators and managers alike can appreciate.

In this article, I explain the installation of an all-in-one OSSIM agent/server into a test network, add hosts, deploy a third-party agent, set up a custom security directive and take a quick tour of the built-in incident response system. In addition to the OSSIM server, I have placed a CentOS-based Apache Web server and a Windows XP workstation into the test network to observe OSSIM’s interoperation with different systems and other third-party agents.

Installation

To keep deployment time to a minimum, I deployed OSSIM on a VMware-based virtual machine (VM). OSSIM is built on Debian, so you can deploy it to any hardware that Debian supports. I used the downloadable installation media from the AlienVault site in .iso form (version 2.1 at the time of this writing) and booted my VM from the media.

On bootup, you will see a rather busy and slightly difficult-to-read install screen (Figure 1). The default option is the text-based install, but by pressing the down arrow, you will see a graphical install option. Select the Text option and press Enter. If you’ve seen Debian install screens, the OSSIM installer will look very familiar. Set your language preferences and partition your hard drive(s). Configure your settings for Postfix if desired. Finally, set your root password, and enter a static IP address for the server when prompted. The installer will restart the machine to complete the configuration.

Figure 1. A little tough to read, but this is where everything starts.

AlienVault: the Future of Security Information Management

Meet AlienVault OSSIM, a complex security system designed to make your life simpler.

JERAMIAH BOWLING

Open a browser from a machine on the same network and enter the IP address of the OSSIM server in the URL field (Figure 2). Enter “admin” as the user and password to log in to the management site. Change your password under the Configuration→Users section. After logging in, the main dashboard view loads (Figure 3).

The next step is to add systems for the OSSIM server to monitor. Start by defining your local network and performing a cursory scan. On the Networks tab under Policy, click Insert New Network. Enter your LAN information in the fields provided. If you don’t see a sensor listed, insert a new one using the hostname and IP address of your all-in-one OSSIM server. Leave the Nagios check box enabled, but the Nessus box unchecked (Figure 4) to reduce the time needed for the first scan. After the scan completes, several hosts should appear on the Hosts tab of the Policies section. OSSIM installs and auto-configures Nagios and ntop during installation, so you also can see basic network information by visiting the Monitors section of the management page (Figure 5). Once all hosts are found, find the CentOS Web server in the Hosts section under Policies, and modify its priority from 1 to 5 (Figure 6). You will use this later in the article when I discuss correlation.

You now have an active OSSIM server using passive network monitors like snort, Nagios and ntop to report on your test network’s activity. Next, let’s add some client-based agents that feed data into the OSSIM server.

Installing the OSSEC Agent

Many client agents can communicate with OSSIM, but because of space limitations, I am covering the one I believe is the most valuable to security administrators: OSSEC. OSSEC is a freely available host intrusion detection system (HIDS) maintained by Trend Micro that performs a multitude of client security tasks, such as logging, alerting, integrity checking and rootkit detection. Additionally, a large number of OSSIM plugins for OSSEC already are installed with your server that can monitor virtually any part of a UNIX/Linux/Windows system.

First, let’s install OSSEC on the CentOS Web server. Download and extract the client tar from the OSSEC Web site. If you have difficulty finding the OSSEC agent, or any other agent, links to OSSIM’s supported third-party agents are available in the Tools/Downloads section of the management page. Next, run the install.sh script from the unpacked tar folder. Verify your machine information and select the agent install option. Accept the default install directory. Enter the IP address of the server (the OSSIM server). Run the integrity-check dæmon and enable the rootkit-detect engine. When asked to enable active response, answer “no”.

To start the agent, run:

/var/ossec/bin/ossec-control start

Now, from the CentOS Web server, ssh to the OSSIM server, and run the following command to add your client agent to the OSSEC server:

/var/ossec/bin/manage_agents

Figure 2. Main Login Screen

Figure 3. Main Dashboard

Figure 4. Setting Up the First Network Scan

Figure 5. Nagios Working under the Hood

Figure 6. Changing the Web Server’s Asset Value

Select A to add an agent, and enter a unique name for it. Add the IP address of your CentOS Web server and give the agent a unique ID. The default ID usually is fine, unless you plan on implementing a naming convention for your OSSEC clients. Enter Y to confirm adding the agent. This returns you to the main menu. Select E to extract. Input the client ID you want to extract (the ID you assigned to the CentOS server). From another terminal window on the CentOS Web server, run the local manage_agents command. Select I to import the unique key. Copy and paste the unique key from the SSH window to the Web server’s local prompt. Enter Y to confirm the key, and select Q to quit. Close the SSH connection, and from the local prompt, restart the agent by running the command:

/var/ossec/bin/ossec-control restart

On your XP client, download and install the OSSEC agent as well as the Putty SSH client. When finished, run the Putty client to SSH to the OSSIM server and repeat the same manage_agents command to generate and extract the XP client’s unique key from the server. Once extracted, paste it into the XP client by opening the Manage Agent applet from the start menu under the OSSEC program group.

Finally, to begin receiving OSSEC events in OSSIM, open the file /etc/ossim/ossim_setup.conf on the OSSIM server and in the [sensor] section add ossec to the end of the line that begins with the word detectors. Save and exit the config file, and restart your OSSIM server using the shutdown -r now command. Upon reboot, you should start to see OSSEC events appear in OSSIM. To test this, restart the OSSEC agent on the XP machine and look in the Events→SIM Events section of the OSSIM management page. You should see messages related to the OSSEC agent (Figure 7). As you now have an external feed coming into your OSSIM server, let’s look at how it digests and analyzes the data.

Events, Alarms, Directives and Correlation

For OSSIM to decipher data from any source, it first must have a plugin. A plugin is an XML-based configuration file that tells OSSIM how to read information from a particular data source and when to register a security event. According to the AlienVault site, more than 2,300 plugins currently are available (see the Popular OSSIM Plugins sidebar for a brief listing of the leading ones).

An event is any occurrence that a plugin’s native software deems important enough to log or warn on. Events in OSSIM should be treated like log entries. They are not necessarily indicative of a problem, but should be reviewed nonetheless. When multiple events take place in such a way that an administrator has marked them as being “suspicious”, OSSIM throws an alarm. It is also possible for a plugin to set a single event’s settings high enough that it can throw an alarm when the single event occurs. The criteria used to trigger an alarm from multiple different events is known as a directive. The process of analyzing multiple events within a directive is called correlation. Correlation is central to OSSIM’s operation. With correlation, administrators can take data from a multitude of disparate security devices and tailor directives to reduce false positives and extrapolate threat data in real time.

Take a typical IDS (Intrusion Detection System) device, for example. An improperly tuned IDS can record a large number of false positives. However, with OSSIM, you can create a directive that correlates your IDS events with known vulnerabilities in Nessus. By doing so, you reduce false positives and refine questionable data into a valuable security check. As another example, you could correlate multiple port scans from Nmap with failed logins from syslog (or OSSEC, as I explain later) to detect break-ins. A third example would be to correlate aberrant network behavior using ntop with rootkit checks from OSSEC or virus detections from Sophos, ClamAV or McAfee to monitor for client-based threats. With the number of plugins available for OSSIM, the possibilities for correlation are almost limitless.

Figure 7. Verifying the OSSEC Agent Is Talking to OSSIM

Popular OSSIM Plugins

Some of the more popular plugins for OSSIM include the following:

- Snort
- Nagios
- OpenVAS
- Nessus
- ntop
- Nmap
- OSSEC
- Passive OS Fingerprinter (p0f)
- Osiris
- arpwatch
- syslog
- PAM
- Honeyd
- Passive Asset Detection System (pads)
- Cisco—Routers and Pix
- Multiple firewalls—iptables, sonicwall, monowall and pfsense
- Web servers—IIS and Apache
- Windows logs—Snare, OSSEC and ntsyslog
- OCS-NG—inventory software

Custom Directives, Risk and Incident Response

Let’s create a simple directive so you can see correlation in action. As an example, let’s use a simple directive to monitor suspicious access to the Web server using two different plugins. In order to do so, first turn down the values for your OSSEC plugin. From the OSSIM management page, go to the Plugins section under Configuration. Scroll through the tables to find Plugin ID 7010, and click on the ID column to edit the plugin’s values. On the resulting page, change the reliability values for the SIDs 5503 and 5716 from 5 to 1 (Figure 8). If you left these values at 5, they would send an alarm before the rule is processed. Because the goal is to observe correlation, you need to turn them down.

Click on the Directives link found under the Correlation section of the navigation pane. From here, you get a brief description of how directives are ordered and processed. Click on the Add Directive line in the top left of the page. In the resulting fields, enter “Unauthorized Access to Web Server” as the Name. In the blank field next to Id, enter 101, which places your directive in the Generic directives group. Set the Priority to 2 and click Save. On the next page (Figure 9), click on the + symbol to add a rule to your new directive. In the Name field, type “NMAP Scan on Web Server from Foreign Host”. Enter 1001 as the Plugin Id (snort). In the Plugin Sid field, type “2000537, 2000545”, and under the Network section in the To field, type in the IP address of your CentOS server and the Port to List 22. In the Risk field, set Occurrence to 3, Reliability to 1. Set the Sticky field to True and Sticky Different to SRC_IP. Click the Save button at the bottom of the page.

In theory, you have a directive that will send an alarm when a host runs an Nmap scan against port 22 on your Web server. However, you won’t receive alerts yet. In order for a directive to send an alarm, the risk of the directive being tripped must be greater than 1.

Although I have not talked much about risk until now, it is integral to the function of correlation. Risk is the primary factor used by the correlation engine to determine when alarms are generated. It is calculated using a series of subjective numerical values assigned by the agents and administrators. Expressed in mathematical form, the formula for risk looks like this:

Risk = (priority x reliability x asset) / 25

Priority is the number OSSIM uses to prioritize rules. It is set at the Directive level. Priority can have a value of 0–5. 0 means OSSIM should ignore the alert. A value of 5 means OSSIM should treat this as a serious threat. Reliability refers to how reliable a rule is based on the chance that it’s a false positive. It is set at the individual rule level and can be cumulative if there is more than one rule in a directive. Possible values for reliability are 1–10, and they equate to percentages, so 6 would mean a rule is reliable 60% of the time. Asset is the value that represents the importance of a host. You assigned the highest possible priority (5) to your CentOS server in the Policies section earlier in the article.

At this point, you have one rule under your directive, but no correlation, so you need to add another rule. Click on the + symbol on your directive. Give the new rule a name of “Too Many Auth Failures”. Set the Plugin ID to 7010 (OSSEC), and set the From field to the IP address of your Web server as the OSSEC agent will show the Web server as the source of the events. Set Occurrence to 4 and Reliability to 0 for now. Click Save. After adding the second rule, navigate to the row of the new rule and move the mouse over the directional arrows that control how rules are treated inside the directive. The up and down arrows are similar to AND statements, meaning both rules must match, and the left and right arrows nest rules within each other like nested IF statements. Move your second rule to the right. Open the second rule back up and change the reliability to +2, which will increase the reliability by 2 over the previously processed rule (3 if the first rule is met). Now, if both rules are met, the risk will be > 1 and an alarm will be generated. Listing 1 shows the directive in XML format.
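To see why the first rule alone stays below the alarm threshold while the nested pair crosses it, here is an added Python model (not part of the article and not AlienVault's own correlation engine). It parses a directive in the Listing 1 format, using the priority and occurrence values from the walk-through above, runs constructed snort and OSSEC events through the nested rules in order, and applies the risk formula; the host addresses, event fields and simple in-order matching are assumptions.

```python
# Added example, not from the article or AlienVault's code: a toy model of how
# the Listing 1 directive correlates events under the article's formula
# risk = (priority x reliability x asset) / 25. Hosts, event fields and the
# in-order matching below are assumptions made for illustration.
import xml.etree.ElementTree as ET

WEB, XP, OSSIM = "192.0.2.10", "192.0.2.20", "192.0.2.1"  # constructed hosts
ASSET = {WEB: 5}  # the CentOS Web server was given asset value 5 under Policies

# Listing 1 with the priority and occurrence values used in the walk-through.
DIRECTIVE_XML = f"""
<directive id="101" name="Unauthorized Access to Web Server" priority="2">
  <rule type="detector" name="NMAP Scan from Foreign host" from="ANY"
        to="{WEB}" port_from="ANY" port_to="22" reliability="1" occurrence="3"
        plugin_id="1001" plugin_sid="2000537,2000545" sticky="true"
        sticky_different="SRC_IP">
    <rules>
      <rule type="detector" name="Too Many Auth Failures" from="{WEB}" to="ANY"
            port_from="ANY" port_to="ANY" reliability="+2" occurrence="4"
            time_out="86400" plugin_id="7010" plugin_sid="5716"/>
    </rules>
  </rule>
</directive>
""".strip()

def event(plugin_id, plugin_sid, src, dst, dport="ANY"):
    return dict(plugin_id=plugin_id, plugin_sid=plugin_sid, src=src, dst=dst, dport=dport)

# Constructed feeds: snort sees four Nmap probes of port 22, then OSSEC reports
# five failed root logins (the OSSEC agent shows the Web server as the source).
SCANS = [event("1001", "2000537", XP, WEB, "22") for _ in range(4)]
FAILED_LOGINS = [event("7010", "5716", WEB, OSSIM) for _ in range(5)]

def rule_matches(rule, ev):
    """Plugin id and sid must agree; from/to/port_to must equal the event field or be ANY."""
    sids = {s.strip() for s in rule.get("plugin_sid").split(",")}
    if ev["plugin_id"] != rule.get("plugin_id") or ev["plugin_sid"] not in sids:
        return False
    return all(rule.get(a) in ("ANY", ev[k])
               for a, k in (("from", "src"), ("to", "dst"), ("port_to", "dport")))

def evaluate(directive_xml, events):
    """Walk the nested rules in order (inner rule only after the outer has matched
    'occurrence' times); a '+N' reliability adds N. Returns (reliability, risk, alarm)."""
    directive = ET.fromstring(directive_xml)
    priority, reliability, asset = int(directive.get("priority")), 0, 1
    rule, queue = directive.find("rule"), list(events)
    while rule is not None:
        hits, need = 0, int(rule.get("occurrence"))
        while queue and hits < need:
            ev = queue.pop(0)
            if rule_matches(rule, ev):
                hits += 1
                asset = max(asset, ASSET.get(ev["src"], 1), ASSET.get(ev["dst"], 1))
        if hits < need:
            break  # this level never completed, so deeper rules are not reached
        rel = rule.get("reliability")  # int("+2") == 2; the '+' marks it cumulative
        reliability = reliability + int(rel) if rel.startswith("+") else int(rel)
        rule = rule.find("rules/rule")
    risk = priority * reliability * asset / 25
    return reliability, risk, risk > 1  # an alarm fires only when risk exceeds 1
```

With the scans alone the result is reliability 1 and risk 0.4 (no alarm); with the scans followed by the failed logins it is reliability 3 and risk 1.2, which crosses the threshold.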

To generate an alarm, log on to the XP client and download Nmap. Run four scans against the CentOS server using the zenmap GUI and the quick scan option. Then, ssh to the same server and attempt to log in as root, but enter an incorrect password five times. You should see a new alarm in the Unresolved Alarms link at the top of the page. Access this link and find the alarm triggered by your test directive (Figure 10). Identify the row with your test alarm and click on the icon resembling a sheet of paper in the Action column to open a new Alarm Incident (Figure 11). A new window will pop up and display basic information about the incident that will be used to create a ticket. Click OK to confirm the information, and the full ticket editor will load. Add a description and any other pertinent information to this page, and click on the Add ticket button. You should see a new Unresolved Ticket on the indicator at the top of the page. To edit a ticket, navigate to the Tickets link in the Incidents section of the navigation pane. From here you can add notes, attach files and change the status of your tickets. A ticket will no longer show in the list once its status is set to Closed. Although quite simple, this built-in ticketing system contains the necessary functionality to satisfy most enterprises’ incident-response needs. OSSIM also contains a knowledge base that you can use to link tickets and external documents that adds another layer of depth to its incident response system.

Figure 8. Adjusting the Reliability of Our Plugin’s SIDs

Figure 9. The First Rule of the Test Directive

The Sky’s the Limit

This brief walk-through barely touches on the power of OSSIM. Its correlation abilities and its multitude of plugins make it an intriguing alternative to the traditional SIM. If you factor in the ability to write your own plugins, you have a tool that is fully customizable for any environment and whose value is limited only by your creativity. The makers of OSSIM have given SIMs a new intelligence that hopefully will drive innovation in the field and take security management to the next level.

Jeramiah Bowling has been a system administrator and network engineer for more than ten years. He works for a regional accounting and auditing firm in Hunt Valley, Maryland, and holds numerous industry certifications, including the CISSP. Your comments are welcome at [email protected].


Resources

OSSIM Installer Download: www.alienvault.com/opensourcesim.php?section=Downloads

OSSIM Wiki: www.ossim.net/wiki/doku.php

OSSEC: www.ossec.net

Figure 10. Test Directive Generating an Alarm

Figure 11. A New Ticket Generated by the Alarm

Listing 1. Directive in .xml Format

<directive id="101"
    name="Unauthorized Access to Web Server"
    priority="5">
  <rule type="detector"
      name="NMAP Scan from Foreign host"
      from="ANY"
      to="web.server.ip.address"
      port_from="ANY"
      port_to="22"
      reliability="1"
      occurrence="1"
      plugin_id="1001"
      plugin_sid="2000537,2000545"
      sticky="true"
      sticky_different="SRC_IP">
    <rules>
      <rule type="detector"
          name="Too Many Logins"
          from="web.server.ip.address"
          to="ANY"
          port_from="ANY"
          port_to="ANY"
          reliability="+2"
          occurrence="2"
          time_out="86400"
          plugin_id="7010"
          plugin_sid="5716"/>
    </rules>
  </rule>
</directive>