(4) Configuring password for the configuration backup.
For
the first two items you need to either do a ssh into the system or else
can use the VMware console itself. If you’re planning to do a ssh, you
can use the putty (http://www.putty.org/).
Use the IP address of the OSSIM you gave at part 1, with port 22. Your
computer mouse may not work in the console/putty, so you have to rely
merely on to the arrows keys of your keyboard. Hence it becomes easy to
use. You can only use your arrow keys to select any of the options in
the menu and then hit the enter key to open it.
Once you login into the console as root , you’ll be welcomed with configuration window, as shown in Fig. 1
 |
| Figure 1 |
Select
system preferences -> change location-> date and time
->configure time zone->hit “yes” when you are prompted
with a dialog box
Once you see the following window (Fig.2),
 |
| Figure 2 |
Select
you geographic area and hit enter, since my current location is India, I
chose Asia and hit enter. On the following screen select your nearest
city, hit enter again and it’ll take few seconds before it fall back to
our console window. Then navigate back to the system preferences window
Configure hostname -> Type a new hostname -> hit ok, navigate back to the main Alienvault setup menu(Fig. 3).
 |
| Figure 3 |
Hit
Apply all changes -> yes, when all the settings are applied,
reboot the device by using options 6 on the same Alienvault setup menu
(Fig. 4).
 |
| Figure 4 |
Once
the device has successfully rebooted, open the web browser and navigate
to the OSSIM IP address using https protocol. The browser will show a
warning describing the connection is not secure. Just accept the
certificate, add an exemption and let it load.
Once
it is loaded, login with user account you’ve created while
installation. The username will be admin and use the same password you
entered while configuring the credentials for web UI in part 1.
Once you login navigate to the 'setting' menu at right top corner.
Change the time zone and then enter your current password, click save to apply the settings (Fig. 5).
 |
| Figure 5 |
Then navigate to configuration->administration->main->backup
Scroll down to see “Password to encrypt backup files”, put a password next to it, scroll up click on update configuration.
So
to summarize, you have three credentials with you right now, one for
the console (root:password) another one for webui(admin:password) and
third one for the encryption of backup file(password)
Here is small video on my YouTube channel on how to do all of these.
Step:2 Adding assets & Configuring VA
Anything
which has an IP address can be called as an asset. Your assets from
mobile device to servers and IP cameras to network printers can be added
to OSSIM. For demonstration I’ll only add a few. To add assets first
you need to login to web UI as an admin, then navigate to
Environment->assets & groups->add assets
There are 4 ways to add assets; I’m using the 4th method ‘Scan for new assets’, which will be faster and easier to start with adding assets(Fig. 6).
 |
| Figure 6 |
A new window will appear in which you can select your network from the list or add it by yourself (Fig. 7).
 |
| Figure 7 |
Leave
everything else to the default, and hit start scan. It might take a
while to complete. Please be patient. Once scanning is complete. You
will be on the same window, with the results under the “start scan” button (Fig. 8)
 |
| Figure 8 |
Click on “update managed assets”, leave everything to default unit it saves the results (Fig. 9)
 |
| Figure 9 |
Now
it is time to edit our assets. It is mandatory that we teach OSSIM,
what actually our asset's are. For that navigate back to
Environment->assets & groups. On list of assets, click on
the lens icon on right hand side of the asset you want to edit (Fig.
10).
 |
Figure 10
|
A new window appears, click on actions->edit on the right top corner(Fig. 11)
 |
| Figure 11 |
On
the popup box that appears set your device name and also the device
type and hit save. You can see my asset details has been updated (Fig.
12)
 |
| Figure 12 |
Repeat the process for all your assets.
Vulnerability Assessment
Next we’ll configure the vulnerability engine in OSSIM.
Navigate to Environment->vulnerabilities
If
you’re planning to go for an authenticated scan, click on settings,
create your profile for credentials (Fig.13). If not, just skip this
step
 |
| Figure 13 |
Then navigate back to Environment->vulnerabilities->scan jobs->new scan job.
A
new window appears. In that Job name is just a name, give a name
-> If you’ve configured a password profile, then select on
advanced click on ssh or smb credentials or else just add your asset or
network to be scanned and click save to start scan(Fig.14)
Step:3 Configuring IDS
Setting up HIDS
Configuring
HIDS is out next task. It is very easy deploying HIDS in windows
servers but, it is bit tricky while deploying it on Linux
servers. First we need to do some configuration in the OSSIM. For that
navigate to Environment->Detection->add agent, on the
popup window, fill up your asset details and click save(Fig.15).
 |
Figure 15
|
Repeat
the process to add all the servers you want to integrate. Here I’ve
added a Linux server first. Now we have to download the OSSEC agent from
Download the latest stable “Server/Agent unix” and copy it to your Linux server. Now you need to have root account in Linux server in order to run the installer smoothly.
Once you login as root, copy the installer to linux machine, decompress the installer; use the following command
#tar –xvf ossec-hids-2.8.3.tar.gz (or whatever version version, with full path of the file you’ve copied to linux server)
Now open the decompressed folder and install the agent
#cd ossec-hids-2.8.3
#./install.sh
The very first thing it will ask for is the language for installer, by default “EN” is selected hit enter to continue
Then the first question will be the kind of installation we want, type in agent and hit enter (Fig.16)
 |
| Figure 16 |
Set everything to default except for question 3, OSSEC HIDS server IP will be your OSSIM’s log collector IP(Fig 17)
 |
| Figure 17 |
At the end it will ask again to hit enter to close the installer(Fig 18).
 |
| Figure 18 |
Once
you’ve installed the agent, we’ve to configure it or in simple word we
need to connect our agent with our OSSIM. For that type in the following
command in linux machine and hit enter
#/var/ossec/bin/manage_agents
And Type “I” to import keys. (Fig.19)
 |
| Figure 19 |
For
the keys you need to navigate into environment->detection in
WebUI of the OSSIM, locate your linux server in the list, Click on the
golden key symbol to extract keys (Fig.20)
 |
| Figure 20 |
Keys will be shown as a popup. Copy the entire key, in my case, starting from MDAx to ZGI= (Fig.21)
 |
| Figure 21 |
And
paste it on to the terminal of linux machine. Hit enter to continue,
check the agent information shown matches with the asset we’re trying to
integrate and type in Y then hit enter to confirm.(Fig.22)
 |
| Figure 22 |
Now you can type in Q to quit from the manage agents window. Then we have to restart the HIDS in Linux for that
#/var/ossec/bin/ossec-control restart
And hit enter (Figure 23)
 |
| Figure 23 |
To
deploy agent in any windows machine, navigate to right corner of that
particular asset in agent information tab and click download for
preconfigured agent. You can also choose auto deployment option next to
it, if you want a remote deployment. (Fig.24)
 |
| Figure 24 |
Once
downloaded, copy it to the windows server and simply double click it to
install. Since it is a preconfigured agent you don’t need to change or
edit anything. You can see OSSEC Manager in under "start menu" in windows(Fig 25)
 |
| Figure 25 |
Now
we need to restart the HIDS server module in OSSIM. Navigate to
Environment->Detection->HIDS Control-> HIDS service
restart(Fig.26)
 |
| Figure 26 |
Once restarted navigate back to Environment->Detection and check the status. It should be active.(Fig 27)
 |
| Figure 27 |
Seting up NIDS
You
can ask OSSIM to monitor traffic coming into interfaces. By default two
interfaces will be enabled. If you want to change those, login into
console of OSSIM then go to
Configure sensor->configure network monitoring
I
don’t want NIDS to monitor my management interface(Eth0); instead I
want it to monitor log collecting and the span interface (Fig.28).
You need to apply the changes before exiting the console.
 |
| Figure 28 |
Here is a small video from my YouTube channel to help you out
Configuring HIDS
Step:4 Adding devices
Next
we’re going to integrate devices that send syslogs. So first ask your
network admin to forward syslogs towards UDP port 514 of the log
collector IP of OSSIM. Then use putty and then SSH into the OSSIM
management interface. Once logged in select "jailbreak system" and hit enter.
The
OSSIM receives log at its log collector interface. The logs are then
saved into /var/log/syslog file in the OSSIM. When you have more devices
sending logs, the OSSIM will have some trouble to extract these logs
from the syslog file and process it. So in order to make it simple for
OSSIM, we create a rsyslog filter which actually moves the device logs
into a different file rather than putting all of it together in deafult
OSSIM syslog file.
From
the console navigate to the folder /etc/rsyslog.d and list the files in
it. If you have your device name among the *.conf files, then you don’t
need to create a syslog filter for that particular asset. Then you can
jump to "enabling Plugin" section . if not, use nano or vim editor to
create a file.
I’m writing down a syslog filter below for my Sophos utm.
#nano /etc/ryslog.d/sophos.conf
If ($fromhost-ip == ’10.10.10.1’) then /var/log/sophos-utm.log
&~
Hit ctrl+o to save and ctrl+x to exit from nano editor
10.10.10.1 is the IP address of my Sophos-utm sending logs to our OSSIM.
Enabling Plugins
Type ossim-setup to start the console UI again.
Configure sensor -> Configure data source plugin ->
Select all the device plugins you need enable and select ok, navigate back to main menu and apply all changes. (Fig.29, Fig.30)
 |
| Figure 29 |
 |
| Figure 30 |
Open
your web ui navigate to Analysis->siem select data source as
your device check whether you’re seeing logs as shown below(Fig.31,
Fig.32).
Step5: Availability Monitoring
The
last option to enable in OSSIM will be the Availability monitoring. As
the word means, it simply checks whether the resource/service is
available or not. Say for an example, I can ask host availability monitoring to check whether my firewall is up or not. Same way I can ask service availability monitoring to check whether my apache service in a particular server is running or not.
Service availability monitoring
Here,
we’ll ask OSSIM to check whether a port of particular server is UP or
DOWN for demonstration purpose, I’m going to ask OSSIM to monitor my IIS
service on one of my test server.
Navigate to Environment-> Assets & groups and click on lens button of the asset on the right hand side. (Fig.33)
 |
| Figure 33 |
You’ll be taken to asset details page. There you’ll see a services tab, click on it. (Fig.34)
 |
| Figure 34 |
If you scroll down a little bit you’ll see edit services under the services tab. Click on edit services. (Fig.35)
 |
| Figure 35 |
You’ll
have a new popup in which you can enable/disable the services to be
monitored. It also help you to add a port/service manually, if not
identified by OSSIM. (Fig.36)
 |
| Figure 36 |
Host Availability Monitoring
We
can use this feature to check if a device like firewall or router is UP
or NOT. For demonstration, I’m going to ask OSSIM to monitor my
SOPHOS-UTM. For that, just like before I’ve opened the asset detail
window, Instead of editing the services, we have to click on the Actions
button on right top corner and click on Enable Availability Monitoring
(Fig.37).
 |
| Figure 37 |
It
will take at least 5 mins for OSSIM to start monitoring and refresh the
changes. You can navigate to Assets & groups and click on the
assets to see the status(Fig.38).
 |
| Figure 38 |
You
can also navigate to Environment -> Availability to see further
details. There are lots of options including reporting which may come
handy in future. Please feel free to explore yourself(Fig.39).
 |
| Figure 39 |
Environment Snapshot
The
Environment snap is a small hidden window, in which you can see the
current status of your SIEM . No matter in which page you are, you can
see a small arrow on the right–center of the page(Fig.40).
 |
| Figure 40 |
Once
you click on it, you will see a window slide from right, which will
have details like open tickets, system health, current EPS and monitored
devices (Fig.41).
 |
| Figure 41 |
Now you are good to start SIEM/LOG Analysis. It is not an easy task to set it up. But if you’ve done it properly, its worthy . Thanks Pentester Blog :D
Comments
Post a Comment