
HOW ALIENVAULT COMPONENTS COMMUNICATE
TCP/IP Connections Between OSSIM/USM Components
CORE ALIENVAULT COMPONENTS
SERVER HOST: Server, Web Framework, Database, Identity Management, Vulnerability Management
SENSOR HOST: Agent, Vulnerability Scanner, Log Collection
REFERENCE: OPEN SERVER PORTS
An AlienVault Server will have the following ports listening for incoming connections:
TCP/22 - SSH - Secure Shell management service
TCP/443 - HTTPS - Web UI
TCP/40001 - alienvault-server - the core server process
TCP/40002 - alienvault-idm - identity management process
TCP/40003 - alienvault-frameworkd - web UI process
TCP/40004 - forwarder - log forwarding (server to server)
TCP/40005 - machete - AlienVault Smart Event Collection service (USM only)
TCP/40006 - mixterd - AlienVault Smart Event Collection service (USM only)
TCP/40007 - alienvault-center - Server and Sensor status monitoring
TCP/40008 - alienvault-idm - identity management process
UDP/514 - rsyslog - syslog collection service
UDP/1514 - ossec - OSSEC agent management service
REFERENCE: OPEN SENSOR PORTS
An AlienVault Sensor will have the following ports listening for incoming connections:
TCP/22 - SSH - Secure Shell management service
TCP/9390 - openvasmd - OpenVAS management client
TCP/9391 - openvassd - OpenVAS vulnerability scanner
TCP/4949 - munin - sensor service watching
TCP/3000 - ntop - traffic monitoring service
TCP/40007 - alienvault-center - Server and Sensor status monitoring
UDP/514 - rsyslog - syslog collection service
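The two port tables are most useful as a baseline: anything listening on a Server or Sensor host that is not in them deserves a look, and a documented listener that is absent usually means a broken service. The script below is an added example and not AlienVault tooling. It encodes both tables (plus the TCP/80 redirect mentioned in the Framework section), parses the text of `ss -lntu`, and reports missing, unexpected and loopback-only listeners; the `ss` output embedded in it is constructed for a hypothetical server host.

```python
"""Listening-port baseline audit for AlienVault Server and Sensor hosts.

Added example; this is not AlienVault's own tooling. The baselines are the
two port reference tables above (plus TCP/80, which the Framework section
says is active by default as a redirect). Input is the text of `ss -lntu`;
the sample below is constructed so the script runs offline.
"""
from typing import Dict, List, Set, Tuple

Listener = Tuple[str, int]  # (proto, port)

# Documented listeners per role, (proto, port) -> service name.
SERVER_BASELINE: Dict[Listener, str] = {
    ("tcp", 22): "ssh",
    ("tcp", 80): "http redirect to 443",
    ("tcp", 443): "https web ui",
    ("tcp", 40001): "alienvault-server",
    ("tcp", 40002): "alienvault-idm",
    ("tcp", 40003): "alienvault-frameworkd",
    ("tcp", 40004): "forwarder",
    ("tcp", 40005): "machete (USM only)",
    ("tcp", 40006): "mixterd (USM only)",
    ("tcp", 40007): "alienvault-center",
    ("tcp", 40008): "alienvault-idm",
    ("udp", 514): "rsyslog",
    ("udp", 1514): "ossec",
}
SENSOR_BASELINE: Dict[Listener, str] = {
    ("tcp", 22): "ssh",
    ("tcp", 9390): "openvasmd",
    ("tcp", 9391): "openvassd",
    ("tcp", 4949): "munin",
    ("tcp", 3000): "ntop",
    ("tcp", 40007): "alienvault-center",
    ("udp", 514): "rsyslog",
}
BASELINES = {"server": SERVER_BASELINE, "sensor": SENSOR_BASELINE}
LOOPBACK = {"127.0.0.1", "[::1]"}

# Constructed `ss -lntu` output from a hypothetical OSSIM server host.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:514       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:1514      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:40001     0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:40002     0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:40003     0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:40004     0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:40008     0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:8080      0.0.0.0:*
"""


def parse_ss(text: str) -> List[Tuple[str, str, int]]:
    """Turn `ss -lntu` lines into (proto, bind_address, port) tuples."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header line or something we do not understand
        addr, _, port = fields[4].rpartition(":")  # handles "[::]:22" too
        rows.append((fields[0], addr, int(port)))
    return rows


def audit(role: str, ss_text: str) -> Dict[str, List[Listener]]:
    """Compare observed listeners with the documented baseline for a role.

    Returns three sorted lists: documented listeners that are absent,
    externally reachable listeners the tables do not mention, and
    listeners bound only to loopback (reported, but not counted as exposure).
    """
    baseline = BASELINES[role]
    external: Set[Listener] = set()
    loopback: Set[Listener] = set()
    for proto, addr, port in parse_ss(ss_text):
        (loopback if addr in LOOPBACK else external).add((proto, port))
    loopback -= external  # a port bound both ways counts as external
    return {
        "missing": sorted(l for l in baseline if l not in external),
        "unexpected": sorted(l for l in external if l not in baseline),
        "loopback_only": sorted(loopback),
    }


if __name__ == "__main__":
    report = audit("server", SAMPLE_SS)
    for key, items in report.items():
        print(f"{key}: " + ", ".join(f"{p}/{n}" for p, n in items))
```

Run against the constructed sample, the server audit reports TCP/40005, 40006 and 40007 as missing (the first two are expected to be absent on an OSSIM rather than USM install, the third would be a real gap), TCP/8080 as an undocumented external listener, and TCP/3306 as loopback-only, which is the Database listener the tables omit because only the local Server and Framework processes consume it.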
ALIENVAULT SERVER
OSSIM Server provides the core SIEM functions of log aggregation, normalization, prioritization, reputation and correlation.
The Server process accepts communication from agents (on sensors) and the OSSIM Framework via TCP port 40001 inbound.
Agents communicate with AlienVault IDM (Identity Management) on the Server over TCP port 40002 inbound.
OSSIM Server communicates with the Database over TCP port 3306 outbound.
OSSIM Server is managed via command line over TCP port 22 inbound (Secure Shell).
ALIENVAULT FRAMEWORK (WEB UI)
Framework provides connectivity and management between OSSIM components and the primary User Interface.
The Web UI is served over HTTPS, TCP port 443 inbound. Port 80 inbound is also active by default, but serves only to redirect clients to the HTTPS port.
OSSIM Framework communicates with the Database over TCP port 3306 outbound.
OSSIM Framework is managed via command line over TCP port 22 inbound (Secure Shell).
ALIENVAULT SENSOR (NETWORK INTERFACES)
OSSIM Sensors are typically configured with two interfaces: a Management interface and a Monitoring interface. The management interface is configured with an IP and is used for communication to other OSSIM components; the monitoring interface requires visibility to network traffic (typically via a SPAN port on a network switch).
ALIENVAULT SENSOR - CONNECTIONS
Devices transmit log data to the sensors via the syslog protocol operating on UDP (and optionally TCP where supported) port 514.
Other log types may require outbound connections from the Sensor to the device; consult the documentation for a particular device type for information on which ports are used.
Sensors communicate back to the OSSIM Server via TCP ports 40001 and 40002 outbound.
The Server pulls updates for inventory and network monitoring via TCP ports 3000 and 4949 and UDP port 555.
The Vulnerability Scanning system operates from the Sensor and is controlled via TCP ports 9390 and 9391.
REMOTE SENSORS OVER VPN
AlienVault Sensors may also be configured to establish a VPN tunnel to the AlienVault Server.
In this configuration all connectivity between the Sensor and the Server occurs over UDP port 1194.
ALIENVAULT DATABASE
The Database system stores event data and runtime configurations for OSSIM components.
Both the OSSIM Server and OSSIM Framework connect to the Database over TCP port 3306.
ALL COMPONENTS
All hosts running AlienVault components can be managed via command line over Secure Shell on TCP port 22.
All hosts require internet access to TCP port 80 and port 443 (or an HTTP proxy) for retrieval of software updates and reputation data.
NETWORK VISIBILITY
AlienVault Sensors require visibility to network traffic for monitoring functions, usually via a SPAN port on a network switch.
Active scanning for asset and vulnerability detection will require uninhibited network access from the Sensor to achieve accurate results.
NETFLOW COLLECTION
NetFlow collection from AlienVault Sensors or third-party devices will require an additional UDP port on the AlienVault Server.
This port is configured when activating NetFlow on the Sensor (or when creating a dummy sensor to collect NetFlow data from a third-party source).
Each device will be configured to transmit on a different port, and thus each device will require a separate UDP port listening on the Server.
By default, these ports are assigned from UDP port 12000 and upwards.
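The Server, Framework, Sensor, VPN and NetFlow sections together describe every flow between components, which is exactly what a segmentation policy or a "who talks to whom" detection needs. The script below is an added example and not AlienVault code: it turns those descriptions into a role-based allowlist, allocates the per-exporter NetFlow ports from UDP 12000 upward as described, and checks a set of observed flows (as a conntrack dump or flow collector would supply them) against the result. Host addresses, role assignments and the observed flows are constructed; the port numbers are the ones stated above. Internet-bound update traffic on TCP 80/443 is left out because it has no fixed peer.

```python
"""Flow allowlist built from the documented OSSIM/USM connections.

Added example, not AlienVault code. Roles, addresses and the observed
flows below are constructed; ports come from the component descriptions.
"""
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, str, int]  # (src_ip, dst_ip, proto, dst_port)
Rule = Tuple[str, str, str, int]  # (src role or ip, dst role or "*", proto, dst_port)

# Constructed role assignment for a small deployment.
ROLE_OF: Dict[str, str] = {
    "10.0.0.10": "server",    # Server, Framework and Database on one host
    "10.0.1.20": "sensor",
    "10.0.1.21": "sensor",
    "10.0.2.5": "exporter",   # third-party NetFlow exporters
    "10.0.2.6": "exporter",
    "10.0.3.7": "device",     # syslog source
    "10.0.9.99": "admin",     # management workstation
}

# Documented flows between components.
ALLOW: List[Rule] = [
    ("sensor", "server", "tcp", 40001),  # agents -> Server process
    ("sensor", "server", "tcp", 40002),  # agents -> IDM
    ("sensor", "server", "udp", 1194),   # optional VPN tunnel
    ("server", "sensor", "tcp", 3000),   # Server pulls ntop data
    ("server", "sensor", "tcp", 4949),   # Server pulls munin data
    ("server", "sensor", "udp", 555),    # as listed in the Sensor connections section
    ("server", "sensor", "tcp", 9390),   # OpenVAS management
    ("server", "sensor", "tcp", 9391),   # OpenVAS scanner
    ("server", "server", "tcp", 3306),   # Server and Framework -> Database
    ("device", "sensor", "udp", 514),    # syslog
    ("device", "sensor", "tcp", 514),    # syslog over TCP where supported
    ("admin", "server", "tcp", 443),     # Web UI
    ("admin", "*", "tcp", 22),           # SSH management of every host
]

NETFLOW_BASE_PORT = 12000


def allocate_netflow_ports(exporters: List[str]) -> Dict[str, int]:
    """One UDP listener per exporter, assigned from 12000 upward."""
    return {ip: NETFLOW_BASE_PORT + i for i, ip in enumerate(exporters)}


def build_rules(netflow_ports: Dict[str, int]) -> Set[Rule]:
    """Documented flows plus one exporter-specific NetFlow rule each."""
    rules = set(ALLOW)
    for ip, port in netflow_ports.items():
        rules.add((ip, "server", "udp", port))  # keyed by the exact exporter address
    return rules


def is_allowed(rules: Set[Rule], src: str, dst: str, proto: str, dport: int) -> bool:
    """True when some rule matches the flow by role (or exact source address)."""
    src_role = ROLE_OF.get(src, "unknown")
    dst_role = ROLE_OF.get(dst, "unknown")
    for r_src, r_dst, r_proto, r_port in rules:
        if r_proto != proto or r_port != dport:
            continue
        src_ok = r_src in (src_role, src)  # a rule may name a role or an address
        dst_ok = r_dst == "*" or r_dst == dst_role
        if src_ok and dst_ok:
            return True
    return False


def find_violations(rules: Set[Rule], flows: List[Flow]) -> List[Flow]:
    """Observed flows with no documented rule, in observation order."""
    return [f for f in flows if not is_allowed(rules, *f)]


# Constructed observations, e.g. from conntrack or a flow collector.
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.1.20", "10.0.0.10", "tcp", 40001),  # sensor agent -> server
    ("10.0.0.10", "10.0.1.20", "tcp", 9390),   # server -> sensor scanner control
    ("10.0.2.5", "10.0.0.10", "udp", 12000),   # exporter on its assigned port
    ("10.0.1.21", "10.0.0.10", "tcp", 3306),   # sensor reaching the Database directly
    ("10.0.3.7", "10.0.1.20", "udp", 514),     # syslog to a sensor
    ("10.0.9.99", "10.0.1.21", "tcp", 22),     # admin SSH to a sensor
    ("10.0.2.5", "10.0.0.10", "udp", 12001),   # exporter using another exporter's port
    ("10.0.3.7", "10.0.0.10", "tcp", 443),     # syslog device reaching the Web UI
]


def run_sample() -> List[Flow]:
    rules = build_rules(allocate_netflow_ports(["10.0.2.5", "10.0.2.6"]))
    return find_violations(rules, SAMPLE_FLOWS)


if __name__ == "__main__":
    for src, dst, proto, port in run_sample():
        print(f"undocumented flow: {src} -> {dst} {proto}/{port}")
```

Three of the eight constructed flows come back as undocumented: a Sensor opening TCP/3306 to the Database, an exporter sending NetFlow to a port allocated to a different exporter, and a syslog device reaching the Web UI on TCP/443. The NetFlow rules are keyed by exporter address rather than role because the page says each device gets its own UDP port on the Server, so a flow on the right port from the wrong device is still worth flagging.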
