Warning: Doing this will mess up the dashboard links to ntop and nagios. Be sure to read this
WHOLE THREAD before you proceed.
The links can be fixed by editing the /etc/ossim/framework/ossim.conf file and running the
/home/ossim/dist/reconfig.pl script.
This how-to was tested on a freshly installed OSSIM VMware install using the 1.0.4 ISO installer.
Immediately following the install, apt-get update && apt-get dist-upgrade was run. A reboot to
get to the newly installed kernel was in order. The OSSIM update script was also run to get the
installer to the latest version, 1.0.5p1.
Create a certificate
openssl req -new -x509 -days 365 -nodes -out /etc/apache2/apache.pem -keyout /etc/apache2/apache.pem
Fill out all of the fields. When you get to the "your name" section, use the FQDN of your OSSIM
server (ossimserver.domain.com). If you don't, you'll get certificate mismatch warnings.
NameVirtualHost *
<VirtualHost *>
    ServerAdmin webmaster@localhost
    SSLEngine On
    SSLCertificateFile /etc/apache2/apache.pem
    DocumentRoot /var/www/
    <Directory />
    </Directory>
</VirtualHost>
Restart apache2
/etc/init.d/apache2 restart
Now every website that apache2 hosts will be using SSL.
NTOP is running its own web server. Let's tell it to run over SSL too.
I can't figure out where the NTOP admin password is, so let's reset it.
ntop -A
Set a new password.
Shutdown NTOP
Click on the admin tab and then click on shutdown.
This will stop NTOP. OSSIM is running a monitor for this service, so you can simply wait and
OSSIM will restart it.
Now if you go into the ossim web based config utility, the link will be changed and grayed out.
Unfortunately, that still doesn't change the dashboard links... I'm still trying to find out how to
change those.
Start by following the general instructions here. I have provided the changes I had to make to
install on the OSSIM all-in-one from the installer:
http://www.ossec.net/wiki/index.php/OSSECWUI:Install
Changes:
Step 3
# mv ossec-wui-0.3 /var/www/htdocs/ossec-wui
becomes:
# mv ossec-wui-0.3 /var/www/ossec-wui
Step 5
# nano /etc/group
..
From:
ossec:x:1002:
To:
ossec:x:1002:www-data
Step 6
http://<your_host>/ossec-wui
My question is: where is the file that has these links so I can update it, or is there a config
change I can make in Apache to auto-forward HTTP requests to HTTPS for each page?
The system is an almost bare-bones install from the install CD I got from AlienVault.
I am not too familiar with Apache, I use lighttpd most of the time instead, so any help would be
gratefully accepted.
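One way to get the auto-forward the question asks about, as an added example rather than anything posted in the thread: a small sh script for an OSSIM 1.0.x box (Debian with Apache 2.2) that first checks the combined key+certificate file produced by the openssl step above, then writes a port-80 site that redirects everything to https and a separate port-443 SSL site. It assumes mod_ssl is enabled (a2enmod ssl), that ports.conf contains "Listen 443", and that the FQDN passed in is the one used in the certificate.

```shell
#!/bin/sh
# Added example (not from the thread): answer to "can Apache auto-forward http to https?"
# for an OSSIM 1.0.x box (Debian, Apache 2.2). Assumptions: the combined key+cert lives in
# /etc/apache2/apache.pem as created earlier in the thread, mod_ssl is enabled (a2enmod ssl)
# and ports.conf has "Listen 443".

# check_pem FILE: the openssl command in the thread writes key and certificate into one
# file; Apache refuses to start if either half is missing. Returns 0 when both PEM blocks
# are present, 1 otherwise.
check_pem() {
    pem="$1"
    [ -r "$pem" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" || return 1
    grep -q -E -- '-----BEGIN (RSA )?PRIVATE KEY-----' "$pem" || return 1
    return 0
}

# write_vhosts CONFDIR FQDN PEM: writes two site files into CONFDIR:
#   ossim-redirect  - port 80, sends every request to https://FQDN/
#   ossim-ssl       - port 443, the SSL site itself
write_vhosts() {
    confdir="$1"; fqdn="$2"; pem="$3"
    cat > "$confdir/ossim-redirect" <<EOF
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName $fqdn
    # Catch-all: clients still following the old http dashboard links
    # land on the SSL site instead of a connection error.
    Redirect permanent / https://$fqdn/
</VirtualHost>
EOF
    cat > "$confdir/ossim-ssl" <<EOF
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName $fqdn
    ServerAdmin webmaster@localhost
    SSLEngine On
    # Combined key+certificate file, as produced by the openssl command in the thread.
    SSLCertificateFile $pem
    SSLCertificateKeyFile $pem
    DocumentRoot /var/www/
    <Directory /var/www/>
        Options FollowSymLinks
        AllowOverride None
    </Directory>
</VirtualHost>
EOF
}

# Live install path; only runs when invoked as "script install <fqdn>" so the functions
# can be sourced and exercised on a scratch directory without touching the system.
if [ "$1" = "install" ]; then
    fqdn="${2:?usage: $0 install ossimserver.domain.com}"
    check_pem /etc/apache2/apache.pem || { echo "apache.pem lacks key or cert" >&2; exit 1; }
    write_vhosts /etc/apache2/sites-available "$fqdn" /etc/apache2/apache.pem
    a2dissite default
    a2ensite ossim-redirect ossim-ssl
    apache2ctl configtest && /etc/init.d/apache2 restart
fi
```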
These dashboards are configured on a per user basis, so if you have multiple users, each user
will have to change their links.
Each time I try to manually edit those files to update the links, I get OSSIM throwing an error
complaining about bad data.
From looking at their reconfig script in /home/ossim/dist/reconfig.pl I found they are using a file
called edit_serialized_ips_panels_conf.php which they use to replace the IP address if you
change it and use the reconfig script.
jimsmithkka: I think you're running into a little different issue. My nagios is actually running on a
separate server. I changed my links to point to the server and all worked fine for me... I'll have
to look into it in vmware and see why yours won't work.
#nagios_link
nagios_link=https://serverip/nagios2/
After you get OSSIM up and running, install php-pear, then execute
pear install HTML_Template_IT
If you get an error about a missing folder or something like that, make one by referring to setting.ini.
any ideas?
thanks.
BTW, this is a very interesting Nagios addon. I'm going to give it a try.
Juan.
But it'll give an error anyway through testQL.php. Actually, a pipe file will only be there when
Nagios is running.
In regards to Nagios: I keep the host file simple, then group with hostgroups. I have several
*.cfg depending on the system type and required checks. Not sure if default OSSIM is set up like
that, as I have just been moving prod_configs over.
If it's going to make configuring nagios harder for a nagios noob, I'll just stick with straight
nagios until I feel like I've got that under my belt.
Thanks,
Joe
I have been working in security information for around 8 years. I know several SIM products,
including Sentinel from Novell. I am currently putting together a monitoring project with open
source products and OSSIM caught my attention. I know Linux (Debian, among others),
Windows, Unix, etc. OSSIM has so many virtues that I do not know where to start.
If anyone knows of or has done a guide to perform a basic configuration of OSSIM, it will be
widely appreciated.
I already downloaded the ISO, and I installed it without any problems... I think I am OK. :!:
I would like to learn to configure it. I think it is a solution with high market potential. 8)
TIA.
http://www.ossim.com/blog/dk/ossim/tutorials/tut3_intro.html
Wiki
http://www.ossim.net/dokuwiki/doku.php
General Description
http://www.ossim.net/dokuwiki/doku.php?id=documentation:general_description
Users Manual
http://www.ossim.net/dokuwiki/doku.php?id=user_manual:introduction
This is not a detailed tutorial on OSSEC, just a getting-started guide. I highly recommend the
Syngress "OSSEC - Host Based Intrusion Detection Guide"
http://www.amazon.com/OSSEC-Host-Based-Intrusion-Detection-Guide/dp/159749240X/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1220745267&sr=8-1
if you intend to seriously use this excellent tool.
I'm still a Linux beginner myself, and from the other posts I see here I'm not the only one, so I'm
going to try and make these instructions as verbose as possible command-wise so that even
beginners can perform them.
I'll try and follow this up with some tips that I've found useful in later posts. If anyone has any
comments or improvements let me know (like I said I am no expert, or a script-god like
PhishPhreak ;), this is just an attempt to help others at my level so any comments are
welcome).
Anyway:
****
As of posting, OSSIM includes OSSEC 1.4 and 1.6 has just become available. Thankfully
upgrading is a very simple process.
That's it, the OSSEC server is now on the latest version and OSSIM is monitoring it. This
upgrade will keep any existing client details, historical data etc. and is backward compatible
with older clients, so you won't break anything by doing it.
**
Personally I prefer to pre-configure all of my clients here at once so I add each and every host
that will have OSSEC agents installed now. I'm going to presume you do the same and don't
have RSS injuries when you're done :). So from this point on I will act as if you have added
every agent to the master server.
2. Restart the OSSEC server to make the changes (in this case new agents) active.
- ./ossec-control stop
- ./ossec-control start
****
* An alternative of course is to extract all keys and IDs into a text file that you can access from
each client, but if you do, make sure it is absolutely secure, and ideally securely delete it when
done.
**
**
Replacing the full OSSEC server on OSSIM child servers with an agent only reporting to your
master server, and also upgrading
Otherwise it is identical to a normal Linux agent install (and remember to restart with
"/var/ossec/bin/ossec-control stop+start" when done).
****
Firstly you can install OSSEC's own web interface alongside OSSIM's. There is a guide on
how to do this here https://www.ossim.net/forum/index.php?t=msg&th=62&start=0&S=d92e33f115348ff90f531433414935e0 .
The only thing I'd add is I had issues with some of the other functions like NTop and Snort
graphs until I changed the permissions on /tmp to anyone full control (chmod 777 /tmp), which
is not the most secure but it solved my issues. Most of the UI's functions are intact except
some searches and graphs.
Anyway, to directly test the client connection, from the master server:
1. List all active clients
- /var/ossec/bin/agent_control -l
--- Look for the clients you have connected and make sure they are Active
2. Get more detail from the client
- /var/ossec/bin/agent_control -i (ID of client)
--- This will tell you the last scan times, client version etc.
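The two agent_control steps above are a manual check; the following added example (not from the thread) turns them into something cron or a Nagios check can run on the OSSEC master. It assumes OSSEC under /var/ossec and the "ID: ..., Name: ..., IP: ..., <status>" line layout of agent_control -l; the sample output at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: automate the "agent_control -l, look for Active"
# check. Assumes the OSSEC master at /var/ossec and agent_control -l lines shaped like
#   "   ID: 001, Name: host1, IP: 192.168.1.10, Active"
# where the status is the last comma-separated field.

AGENT_CONTROL=/var/ossec/bin/agent_control

# not_active: reads agent_control -l output on stdin and prints "ID NAME STATUS" for every
# agent whose status is not Active (the server's own "Active/Local" entry is fine).
not_active() {
    awk -F', *' '
        /^ *ID: / {
            id = $1; sub(/^ *ID: /, "", id)
            name = $2; sub(/^Name: /, "", name)
            status = $NF
            if (status !~ /^Active/) print id, name, status
        }'
}

# check_agents: exit 0 when every agent is Active, 2 otherwise (Nagios CRITICAL), so the
# same script works as a cron job (mail on non-zero) or a Nagios plugin.
check_agents() {
    out=$("$AGENT_CONTROL" -l | not_active)
    if [ -n "$out" ]; then
        echo "CRITICAL: OSSEC agents not reporting:"
        echo "$out"
        return 2
    fi
    echo "OK: all OSSEC agents active"
    return 0
}

# Constructed sample of agent_control -l output, for running this offline.
SAMPLE='OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: ossim (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: dc01, IP: 192.168.1.10, Active
   ID: 002, Name: fileserver, IP: 192.168.1.11, Disconnected
   ID: 003, Name: web01, IP: 192.168.1.12, Never connected'

if [ "$1" = "demo" ]; then
    printf '%s\n' "$SAMPLE" | not_active
elif [ "$1" = "check" ]; then
    check_agents
fi
```

Run it with "demo" to see the parser on the sample, or with "check" on the master to query the live agent list.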
Blame Daniel for not getting it into 1.0.6 :) (Just kidding, OSSEC is awesome.)
I have started to document configuration of the various parts, for newbies. I aim to get people
started quickly - there is a huge amount to figure out.
Let me know if there are any mistakes, and what I should do next.
http://sites.google.com/site/ossimnewbie/Home
http://www.alienvault.com/blog/dk
Documentation Overhaul
Thu, 02 Oct 2008
"Just a quick note to throw some attention at the major changes we are making to the OSSIM
documentation section.
We're sort-of hiding deprecated or non-important documentation, reorganizing existing ones and
releasing new stuff such as configuration instructions for third party devices."
Configuration
http://www.ossim.net/dokuwiki/doku.php?id=documentation:configuration
Thanks
GP
Firstly, why would you want to use Osiris when you use OSSEC? OSSEC is more fully featured
in that it performs system file, registry, service, user, rootkit checks, parses Syslog etc. with
some event correlation, whereas Osiris is mainly a file integrity (change) monitor with some
extra modules for detecting changes in services, ports and users. If you had to choose
between the 2 then OSSEC is a better bet for intensive monitoring (it also works brilliantly
within OSSIM, allowing you to use it to filter Syslog and other events from its own engine before
placing them in the database, which can save you a lot of CPU cycles if your OSSEC server is
a child OSSIM server), but that's just it, it is intensive, whereas Osiris is more easily tuned and
less resource intensive.
By default OSSEC agents run their system checks every 6 hours (you can change this but I'll
place that note in the OSSEC thread). If you increase the frequency you run the risk of
degrading host performance, but at the same time I think you need more granularity in the logs,
at least for the more important files. What I like to do is run Osiris every 2 hours to bridge
the gaps between the more intensive OSSEC scans. I may change this in the future but for
now I think it works well.
I'm also planning on setting up a second scan weekly that does not purge the databases so I
have a 7 day snapshot of the files for my records, but I'm getting a bit beyond the scope of this
guide, just trying to make it clear why I still use Osiris in conjunction with OSSEC.
****************************************************
Osiris agents work differently to OSSEC. With OSSEC you created keys on the server and
imported them to the agents; from then on the agents run on their own schedule with their own
configs and report the results back to the server based on the <frequency>xxxxx</frequency>
value in ossec.conf. Osiris agents work differently in that they are essentially like remote
sockets to which the server will push the scan config and request scans when needed, i.e. the
agent will do nothing on its own, it always waits for instructions from the master server. You do
not need to manually create and import authentication keys; it uses certificates. When you
install an agent it will listen for and trust the first master server that contacts it; after that it will
only accept communications from that server as it saves its certificate. You still have to create
clients on the master server.
Before configuring within Osiris itself you will want to view and perhaps modify the configs it
will use on the agents. Since Osiris keeps all of its config data within flat files you can edit
them with nano, though many can be configured within the Osiris CLI itself I prefer to do it
OPTIONAL: Use the same config for your Windows 2000 Servers
9. Rename the existing Server 2000 config: mv default.windows2000 default.windows2000.old
Copy your modified 2003 config to replace it: cp default.windowsserver2003 default.windows2000
When you look at the config files you'll see they are very intuitive so adding files,
including/excluding folders etc. is quite easy. Just remember that if you modify a config and
want to manually scan an existing client you need to push the config first, if you manually start
a scan it does not send the new config (however the scheduled scans always push the current
config first so they are covered).
**********
**********
The server will contact the client and provided it is a clean install of Osiris it will show you the
OS type and ask if you want to use the default config (since we edited that config earlier we
can accept it). And finally initialize and begin scanning the host.
********
Getting OSSIM to read the Osiris events - Credit to Crislato for clarifying this for me
1. Edit the agent configuration on the Master Server
nano /etc/ossim/agent/plugins/osiris.cfg
Under the [translation] section add all of the clients you added previously with the same Names
and IP addresses you used within Osiris.
2. Restart the OSSIM agent
/etc/init.d/ossim-agent restart
************************************************
I mentioned setting up email alerts earlier and the reason I do is my default address is a
mailbox that my colleagues also have access to. They can quickly read the email alerts for the
servers they need details on for the time period in question right from their email clients rather
1. Edit the /etc/apt/sources.list file on your system and add the line:
2. You should also fetch and install a GPG key with which the repository is signed:
cd /root
wget http://www.webmin.com/jcameron-key.asc
apt-key add jcameron-key.asc
apt-get update
apt-get install webmin
1. edit:
/usr/share/ossim/www/top.php
if (Session::menu_perms("MenuConfiguration", "ConfigurationSystem"))
$menu["Configuration"][] = array(
"name" => gettext("System"),
"id" => "System",
"url" => "https://ossimip:10000"
);
2. edit:
/usr/share/ossim/include/ossim_acl.inc
add:
I have started to document configuration of the various parts, for newbies. I aim to get people
started quickly - there is a huge amount to figure out.
Let me know if there are any mistakes, and what I should do next.
apt-get install
should be
apt-get install webmin
/usr/share/ossim/include/ossim.acl.inc
should be
/usr/share/ossim/include/ossim_acl.inc
Thanks
Kurt
Quote:
down ifconfig down
Backup script
#!/bin/bash
#Processes to shut down before backup: apache2,arpwatch,cron,munin-node
#mysql,mysql-ndb,mysql-ndb-mgm,nagios2,nessusd,ntop,openvpn,osirisd
#osirismd,ossec,ossim-agent,ossim-framework,ossim-server,pads,snmpd,snmptrapfmt
#snort,ssh,webmin
/etc/init.d/arpwatch stop
/etc/init.d/ntop stop
/etc/init.d/munin-node stop
/etc/init.d/apache2 stop
/etc/init.d/nagios2 stop
/etc/init.d/openvpn stop
/etc/init.d/osirisd stop
/etc/init.d/osirismd stop
/etc/init.d/ossec stop
/etc/init.d/ossim-agent stop
/etc/init.d/ossim-framework stop
/etc/init.d/ossim-server stop
/etc/init.d/pads stop
/etc/init.d/snmpd stop
/etc/init.d/snmptrapfmt stop
/etc/init.d/snort stop
/etc/init.d/ssh stop
/etc/init.d/webmin stop
/etc/init.d/cron stop
/etc/init.d/mysql stop
/etc/init.d/mysql-ndb stop
/etc/init.d/mysql-ndb-mgm stop
tar cvpzf /mnt/backup/backup.tgz --exclude=/proc --exclude=/lost+found --exclude=/mnt --exclude=/sys /
reboot -n
Restore Script
#!/bin/bash
#restore Script
cp /media/cdrom0/*.tgz /backup.tgz
tar xvpfz /backup.tgz -C /
OSSIM Restore
In case of a system failure you will need the OSSIM CD and the most recent full backup and
restore script. The full system backup and script can be found on (whatever location).
I don't know if you really need to kill all the services in the backup script but it works. The idea
came from a forum somewhere. Just don't know which one.
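The backup script above stops everything, tars "/" and reboots without ever checking that the archive is readable. The following is an added example (not the poster's script) that keeps the same service list but verifies the archive before trusting it, keeps a dated copy so a bad run does not overwrite the last good one, and restarts the services in reverse order instead of rebooting. It assumes Debian-style /etc/init.d scripts and a backup target mounted at /mnt/backup; INITD and the root path are parameters so the functions can be exercised on a scratch directory.

```shell
#!/bin/sh
# Added example (not the poster's script): verified full backup for an OSSIM 1.0.x box.
# Assumptions: Debian-style /etc/init.d scripts; backup target mounted at /mnt/backup.

INITD="${INITD:-/etc/init.d}"
# Same services as the original script. Order matters: consumers (ossim-server,
# apache2, ...) are stopped before mysql; ssh last so an admin session survives longest.
SERVICES="arpwatch ntop munin-node apache2 nagios2 openvpn osirisd osirismd ossec
ossim-agent ossim-framework ossim-server pads snmpd snmptrapfmt snort webmin cron
mysql mysql-ndb mysql-ndb-mgm ssh"

# stop_services / start_services skip services whose init script is absent, so the
# same list can be shared between server and sensor boxes.
stop_services() {
    for s in $SERVICES; do
        if [ -x "$INITD/$s" ]; then "$INITD/$s" stop; fi
    done
}
start_services() {
    # Reverse the stop order so mysql is up again before the things that need it.
    rev=""
    for s in $SERVICES; do rev="$s $rev"; done
    for s in $rev; do
        if [ -x "$INITD/$s" ]; then "$INITD/$s" start; fi
    done
}

# verify_backup ARCHIVE: 0 only if the archive decompresses, lists cleanly and names at
# least one file. A truncated or corrupt tgz fails here instead of at restore time.
verify_backup() {
    archive="$1"
    tar tzf "$archive" >/dev/null 2>&1 || return 1
    [ $(tar tzf "$archive" 2>/dev/null | wc -l) -gt 0 ] || return 1
    return 0
}

# make_backup ARCHIVE ROOT: same excludes as the original script, then verify.
make_backup() {
    archive="$1"; root="${2:-/}"
    tar --exclude=/proc --exclude=/lost+found --exclude=/mnt --exclude=/sys \
        -czpf "$archive" "$root" || return 1
    verify_backup "$archive"
}

# full_backup: the original procedure with a dated, verified archive and no reboot.
full_backup() {
    archive="/mnt/backup/backup-$(date +%Y%m%d).tgz"
    stop_services
    if make_backup "$archive" /; then rc=0; else rc=1; fi
    start_services
    if [ "$rc" -eq 0 ]; then
        echo "backup OK: $archive"
    else
        echo "backup FAILED: $archive" >&2
    fi
    return "$rc"
}

if [ "$1" = "run" ]; then full_backup; fi
```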
Thanks!
DK wrote on Wed, 10 September 2008 15:03: Cheers on the nice update guide, will be
releasing an update with OSSEC 1.6 pretty soon.
Blame Daniel for not getting it into 1.0.6 :) (Just kidding, OSSEC is awesome.)
Note: Later the next day, I got a mysql error about not being able to access a certain socket (I
forgot to copy the error message) but I don't know if this is related to oinkmaster. A quick
reconfig with perl /home/ossim/dist/reconfig.pl would fix that. At least visually :)
Moderator note: I've modified the post so it points to the correct scripts, thank you. Juanma
Thanks a lot for writing this tutorial. Just two notes: every time you add new snort rules in
OSSIM you have to run:
This is going to insert into the database the priority and reliability information for all the new
rules. Without this info the server is not going to store any event coming from the new snort
rules.
Also as a note, you do not have to run reconfig.pl after downloading new rules. It would be nice
if you could update your tutorial, if you can not do that just let me know and I'll edit your post.
Thank you
Juanma
Thanks. Would love to know why it came back but it's just good to have it working again. The
box I am using started off with the 1.04 installer and has all its updates. I may be able to free
up another box to run up with the 1.06.
After adding monit to the script I tried to restore from backup. Mysqld fails to start. Had to go
back to the Dec 6 backup/troubleshoot mysqld.
Subject: OSSIM@VMWARE
Posted by udom on Mon, 08 Dec 2008 10:16:29 GMT
Hi,
In version 1.0.6 of ossim-installer (= Debian 2.6.18 at VMware ESX 2.5.1 and 2.5.4 and probably
some more versions) the clock is not synchronized. I solved the problem by using
vmware-tools, but the configuration of the vmware-tools is not working without doing some
changes. Here is the full list of the necessary commands:
cd vmware-tools-distrib
./vmware-install.pl
#all default-values are ok, but do not configure at the end of the install-script!
cd /usr/src/linux-headers-`uname -r`/include/linux
vmware-tools-config.pl
Double check to make sure your system is fully up to date and there are no newer versions out
there.
Install some required files onto the system for the packages I will be installing.
#apt-get install gcc g++ make flex gawk automake bison byacc libc6 libc6-dev build-essential libtool autoconf mysql-common libmysqlclient15-dev libnet1 libnet1-dev libpcre3 libpcre3-dev ssh
Now that we have the required packages for snort, it's time to install a special version of
libpcap. This version of libpcap has mmap enabled. This means that instead of snort waiting
for libpcap to move or copy the packets into user-land memory, it enables snort to pull directly
from the memory where the packets are first written. So let's go ahead and download it.
#wget http://public.lanl.gov/cpw/libpcap-0.9.8.20081022.tar.gz
#mv libpcap-0.9.8.20081022.tar.gz /usr/src
#cd /usr/src
#tar xvzf libpcap-0.9.8.20081022.tar.gz
#cd libpcap-0.9.8.20081022
#bash bootstrap    (answer with a lowercase y)
I like to use C flags for optimization when I install libpcap and snort, so feel free to ignore this if
you don't want to use my C flags.
#CFLAGS=-O3 ./configure --enable-shared
make
make install
Copy the following files to the following directories
#cp ./libs/libpcap-0.9.8.so /lib/libpcap.so
#cp ./libs/libpcap-0.9.8.so /lib/libpcap-0.9.8.so
#cp pcap.h /usr/include
#cp pcap-bpf.h /usr/include
Now you will need to download and install snort I am using the latest stable version at this time
2.8.3.1....
#mkdir /etc/snort
#mkdir /etc/snort/rules
#mkdir /var/log/snort
#addgroup snort
#useradd -g snort snort
#chown snort:snort /var/log/snort
#cp etc/*.conf* /etc/snort/
#cp etc/*.map /etc/snort/
I use oinkmaster for my rules because it's easier when using the Emerging Threats rules, as they
change sometimes daily and it updates your SIDs for you.
#oinkmaster -o /etc/snort/rules
In the future if you want to backup your rules you can always use the -b flag to specify a
directory to backup the old rule sets.
I created a simple little script for the purpose of starting snort, and the key here is that.
========/etc/init.d/snort==========
#!/bin/bash
ifconfig eth0 up #change this to whatever sniffing interface you so desire to use
PCAP_MEMORY=650000 snort -c /etc/snort/snort.conf -D -i eth0 -M -u snort -g snort -P 65000
===================================
Explanation of the above:
Check to make sure the interface is up
Dedicate 650,000kb to snort and use that config in Daemon mode, sniff on interface eth0, Log
messages to /var/log/syslog to gather information back, use user snort and group snort, and
capture the first 65000 bytes.
Now I know I said I do full packet captures, and I do, sorta; I don't capture the tail because of a
bug in something I did earlier. I can actually run that command with 65412, which isn't the
maximum size a packet can be, but you will be hard pressed to find packets this large most of
the time.
Modify your snort config to include your emerging threat rules and configure it to log to your
database on your ossim server.
=======================================
output database: log, mysql, user=root password=<your password> dbname=snort host=<ossim server ip> sensor_name=<I use local ip addresses here>
output database: alert, mysql, user=root password=<your password> dbname=snort host=<ossim server ip> sensor_name=<I use local ip addresses here>
=======================================
Now we need to make a change on the ossim server so that it will allow us to log to the
database.
First modify the MySQL server to listen on an accessible IP address through /etc/mysql/my.cnf,
and just to make sure that it doesn't get changed I went ahead and modified the file
/etc/ossim/ossim_setup.conf as well.
Then make sure you tell the database that the user is allowed to access things from that IP
address. I stuck with using the root account for this tutorial because I wanted to keep things
simple, but you could always create other users that have limited access in MySQL.
#mysql -u root -p
Modify the snort database so that it can be used by the latest version of snort...
That should take care of it all. Now if you want to determine how many packets you're dropping
based on all of this you can do the following.
You can enable all rules if you like through this oinkmaster command...
#oinkmaster -e -o /etc/snort/rules
Now all your rules are turned on, which I don't recommend because there are some noisy ones.
Just try and keep things to what might happen on your network.
Hit Ctrl+a+d to minimize that screen and allow snort to run during a busy time on your network.
Go back into the screen snorts running on with...
#screen -x snort
Ctrl+c to kill the process and, if you like, restart it again; this time you can use the -D if you want
it to run in the background without issues.
Ctrl+a+d again and now run this command
#grep Dropped /var/log/syslog
This should show you how many packets, if any, snort dropped; mine always says 0% 0.
Enjoy!
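The "grep Dropped" step above only eyeballs one number. As an added example (not part of the tutorial), here is an sh script that reads the packet statistics snort writes at shutdown (with -M they go to syslog), picks the worst drop rate seen and exits non-zero above a threshold, so it can run from cron or as a Nagios check on each sensor. It assumes the Snort 2.8.x "Packet Wire Totals" layout with a "Dropped: <count> (<pct>%)" line; the syslog excerpt at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the tutorial: turn "grep Dropped /var/log/syslog" into a check.
# Assumes Snort 2.8.x shutdown stats in syslog with a line like
#   "snort[4101]:     Dropped:       245012 (  2.500%)"

# worst_drop: reads syslog text on stdin, prints "<count> <pct>" for the Dropped line with
# the highest percentage (the most recent restart is not necessarily the worst one).
worst_drop() {
    awk '
        /snort/ && /Dropped:/ {
            line = $0
            sub(/.*Dropped: */, "", line)           # "245012 (  2.500%)"
            count = line; sub(/ .*/, "", count)     # "245012"
            pct = line; sub(/.*\(/, "", pct); sub(/%.*/, "", pct); gsub(/ /, "", pct)
            if (pct + 0 >= maxpct + 0) { maxpct = pct; maxcount = count; seen = 1 }
        }
        END { if (seen) printf "%s %.3f\n", maxcount, maxpct; else exit 3 }'
}

# drop_check LOGFILE THRESHOLD_PCT: exit 0 if the worst drop rate is within the threshold,
# 2 if above it (Nagios CRITICAL), 3 if snort never logged its stats at all.
drop_check() {
    log="$1"; limit="${2:-1}"
    stats=$(worst_drop < "$log") || return 3
    pct=${stats#* }
    count=${stats%% *}
    if awk -v p="$pct" -v l="$limit" 'BEGIN { exit !(p > l) }'; then
        echo "CRITICAL: snort dropped $count packets ($pct%), limit $limit%"
        return 2
    fi
    echo "OK: worst snort drop rate $pct%"
    return 0
}

# Constructed syslog excerpt: two snort shutdowns on one sensor, one of them lossy.
SAMPLE='Dec 10 09:00:01 sensor snort[4101]: Packet Wire Totals:
Dec 10 09:00:01 sensor snort[4101]:    Received:      1500321
Dec 10 09:00:01 sensor snort[4101]:    Analyzed:      1500321 (100.000%)
Dec 10 09:00:01 sensor snort[4101]:     Dropped:            0 (  0.000%)
Dec 10 17:30:12 sensor snort[5220]: Packet Wire Totals:
Dec 10 17:30:12 sensor snort[5220]:    Received:      9800442
Dec 10 17:30:12 sensor snort[5220]:    Analyzed:      9555430 ( 97.500%)
Dec 10 17:30:12 sensor snort[5220]:     Dropped:       245012 (  2.500%)'

if [ "$1" = "demo" ]; then
    printf '%s\n' "$SAMPLE" | worst_drop
elif [ "$1" = "check" ]; then
    drop_check /var/log/syslog "${2:-1}"
fi
```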
#ossim:/tmp/ossec-hids-1.6.1# ./install.sh
I remember OSSIM earlier used that method, and it was replaced with the unified format (a kind
of binary info format) with the intention of being able to send more data faster on high-traffic
networks (e.g. 500 Mbps).
In my point of view, having snort write to the database alone with ACID/BASE is OK, but remember
that OSSIM exists (if you think snort + SPADE + OSSIM system)
- also all that info is saved in MySQL databases for future analysis
Second, PF_RING: well, you have to first understand PF_RING and MMAP on a more in-depth
basis before you go assuming one is better. The benefits of PF_RING are... it handles more
volume, it's not as sloppy and it doesn't require the kernel as much, which means kernel
related tasks are now free to continue...
MMAP - allows us to get our packets directly out of RAM so we can analyze them immediately.
So when does it really have an advantage over PF_RING? When you're dealing with larger
packets. In the article I am assuming you read, Advanced Packet Capturing, he touched the
surface of how PF_RING is generally only about .5% slower than MMAP when the packet is
1500 bytes long and the bandwidth is full... Well how about when you have a larger packet
come across? Tried it? Yes I have... MMAP, due to the fact I am giving it direct memory
allocation, can handle it while PF_RING begins to lose focus. So its greatest benefit is for lots
of packets which are smaller, making it perfect for NTOP and other systems that only pull the
first 1000 bytes or so.
Any other benefits to MMAP? Yes, it's easier to install and get working if you're not running
Red Hat...
What about PF_RING? Not only is it a kernel patch, meaning there is no longer an interaction,
but from what I understand you shouldn't need to do anything extra to make it work. As long as
your libpcap version supports PF_RING then you don't have to worry about your applications
being allocated x memory.
In the articles I have been reading as well, I don't like that they only use MMAP at its basic
stages... using PCAP_PACKETS=max is not the best solution if you're trying to make sure
nothing gets dropped like in my case. I want EVERYTHING.
So I use PCAP_MEMORY= (meaning I tell it, instead of allocating based on maximum
packets, allocate me a chunk of memory, which is the more ideal solution if you are capturing
larger packets).
How do I know if my packets are that large? If your NTOP is running it will tell you... On my
network it's not as common but I do see packets above 1500 bytes because we don't restrict it
on the routers. I am not the network admin, don't ask me...
So if you're not seeing a lot of packets over 1500, yes, PF_RING will be a great solution.
So they apparently have been improving the PF_RING work as I read, but I can't say for sure if
it is the ultimate solution. What I can say is, for most of us, try both and try and turn on
everything. If all goes smoothly on a lower class machine one way rather than the other, then you
have your solution.
Now what I have also read is that adding in a few other patches such as the RTIRQ patch will
increase even further the amount you can capture with PF_RING. Again, test it out... My tutorial
is just so you can understand how I am doing it and to improve your homegrown OSSIM
solution.
Personally I've had very good experiences using PF_RING, getting to <1% packet loss with
2 interfaces sniffing at around 900Mbps each.
As for the database output part, last time I checked into it snort was single-threaded; capture /
analysis and output sharing a single thread. That would mean it's not optimal for any type of
serious capture.
On the other hand, since you're talking about 3xT1 (4.5Mbps), you really don't have to check
into PF_RING and such.
But as said, I disagree with direct database output and, if you're having issues with the agent,
barnyard should be the way to go. Fixing the issues you've got with the agent would be even
better ;)
#ossim:/tmp/ossec-hids-1.6.1# ./install.sh
Error 0x5.
Building error. Unable to finish the installation.
This looks like either an OSSEC issue or a compilation environment issue to me. The installer
isn't meant to be a complete development environment :)
No, an ossec update shouldn't break that because either we include the new one (it would
overwrite yours) or don't touch it.
ossim:/tmp/ossec-hids-1.6.1# ./install.sh
Error 0x3.
You need a compiler (like gcc or cc) to continue with the
with the installation.
ossim:/tmp/ossec-hids-1.6.1#
I even tried with ver. 1.6, and I got the same error.
Regards
Blucas
Since OSSIM is an appliance rather than a development environment it does not have all the
development tools installed.
GP
Error 0x5
Building error. Unable to finish the installation.
Any ideas?
There is a well-written basic discussion on the Wireshark site discussing the various methods of
capturing Ethernet along with the pros and cons of each method.
http://wiki.wireshark.org/CaptureSetup/Ethernet
If you log in to the Snort site there are a number of articles under "IDS Deployment
Guides" on the requirements for different types of taps
http://www.snort.org/docs/
These even include a guide for building your own "passive tap". This can be
important for prototypes, labs etc. since commercial taps start at about $300 and go up.
A follow-up article on building a passive tap which also covers how to set up NIC bonding:
http://altsec.info/passive-network-tap.html
http://www.howtoforge.com/nic_bonding
http://packages.debian.org/stable/net/ifenslave
I hope forum readers will post their solutions and ideas here!
http://www.ossec.net/wiki/index.php/OSSECWUI:Install
I checked.
I believe the problem is to be sure the ossec user has permissions to the web directory, which
is accomplished by making it a part of the apache (www-data) group.
I had updated ossec (1.4 to 1.6) on the OSSIM server using the tutorial on the forums, which may
account for the difference in the group.
https://www.ossim.net/forum/index.php?t=msg&th=290&start=0&S=449d8eaaa2181cd6b7a6db10b81a833f
When I get a few minutes I will do the upgrade/web install and see if I can reproduce the issue.
While I try to enable OSSEC WUI I get the following error. Please do help me.
./setup.sh
which: no htpasswd in (/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin)
which: no htpasswd2 in (/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin)
Setting up ossec ui...
Username:
Username: root
** ERROR: Could not find htpasswd. No password set. :(
Regards
Wintech
Shows how to do the basic configuration to make the sensor just do that and send info to a main
server.
PS
File attachment: Build OSSIM 1.0.6 sensor.doc
2. You said "Get the oinkcode" which confused me, but I figured out you need to perform the
following steps:
3. You need to make sure you include /etc before autodisable.conf if you are not in the /etc
directory when running the command:
/usr/share/oinkmaster/makesidex.pl /etc/snort/rules/ >/etc/autodisable.conf
Some comments:
Modify the /etc/ossim/ossim_setup.conf file and change two profile= lines to sensor. No other
changes needed.
a. profile=sensor
2. For step #7, you put "I can’t remember if I hit “Insert New Sensor” or I
clicked the modify button. Will need to fix this." I can confirm you do not need to "Insert New
Sensor" it shows up automatically.
It would be great if we can update this thread on how to configure the sensor for each agent
(i.e. Nessus, Ntop, OSSEC, etc.), or at least include a link if it is somewhere else in the forum.
Ah, I see what you mean on the ossim_setup.conf. I think you might want to change it anyway
for forward compatibility with the upcoming upgrade? DK could possibly answer that. Seems to
me after I did that things changed, but maybe that was on the server. I know when I changed it
there, the agent stuff went away.
I also think this file gets used on boot to tell OSSIM what this system is used for. So you might
be able to remove or add agents there in the sensor area.
On step 7, what I meant to say was that the sensor showed up without me doing anything, but
had a state of Active=no. I don't remember what I did to change it to active=yes. If you
remember let me know.
Thanks!!
I have some other sites accessing the same location... All sites work perfectly, and when I try
ossec-wui I am able to access the site and I get the password prompt, and after that I get "You
don't have permission to access /ossec-wui/index.php on this server.".
When you access the ossec-wui from another box you get the password prompt and
permission error? If that is what is happening, you didn't assign the apache user permissions
to the folder. If it is an OSSIM installer box the apache user is www-data.
GP
GP,
I do have the ossec user in the www-data group.
I did a vi /etc/group and couldn't find the 1000 group anywhere...not sure who/what that is.
Thanks
You are correct... As per the Wiki docs I have installed and configured it, but I still get the error.
Wintech
I do not recall the exact step I did to make the sensor active in console, but I remember it was
a single click such as "activate"
Aaah, and cheers on the doc. I'm afraid I didn't have the time to check it out yet, am very busy
with the release right now :)
GP
Basic behaviour is that the installer creates a random password that gets stored into
/etc/ossim/ossim_setup.conf.
Then there's the OSSIM interface user/password combination "admin/admin" by default. This is
stored as an md5 hash with a user-configured salt under ossim.users. Other users are stored
in here too.
OCS uses a default admin/admin too (we need to code single sign on for this). This password
is stored inside the ocs_inventory DB (verify DB/table).
The jasperserver console defaults to jasperadmin/jasperadmin. Ditto with single sign on. This
is configured in the jasperadmin DB.
Note: it's on top of our todo list to unify password management for all the admin/jasper stuff.
If you're missing any place or see something incorrect please post below and I'll edit this post :)
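The post above lists several places where OSSIM keeps credentials, starting with the random password the installer writes to /etc/ossim/ossim_setup.conf. The script below is an added example (not OSSIM's own code, and not from any poster in this thread) of the check a practitioner would run against such a file: it confirms the file is not group- or world-readable, lists keys whose names suggest a credential, and flags any still set to an empty value or a well-known default such as admin or jasperadmin. The key names in SAMPLE_CONF are assumptions used only for illustration; the real file may use different ones.

```python
"""Audit a key=value config file such as /etc/ossim/ossim_setup.conf for
credential hygiene: file permissions, which keys look like credentials,
and whether any still hold a well-known default.

Added example; not OSSIM code. The key names in SAMPLE_CONF are
assumptions used only for illustration."""
import os
import re
import stat
import tempfile

# Constructed sample; the real file layout and key names may differ.
SAMPLE_CONF = """# constructed sample, not a real ossim_setup.conf
admin_ip=192.168.1.10
[database]
db_ip=127.0.0.1
user=root
pass=admin
[framework]
framework_https=no
"""

CRED_KEY_RE = re.compile(r"pass|passwd|password|secret|token", re.IGNORECASE)
# Defaults mentioned in this thread plus common placeholders.
WEAK_VALUES = {"", "admin", "password", "ossim", "jasperadmin", "changeme"}


def credential_keys(text):
    """Return [(section, key, value)] for keys whose names suggest a credential."""
    found, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if CRED_KEY_RE.search(key):
            found.append((section, key, value))
    return found


def weak_credentials(text):
    """Credential keys whose value is empty or a well-known default."""
    return [(s, k) for s, k, v in credential_keys(text) if v.lower() in WEAK_VALUES]


def permission_findings(path):
    """A secrets file should be mode 0600: flag any group/other access bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        findings.append("group-accessible")
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("world-accessible")
    return findings


def audit(path):
    """Full report for one file: credential keys, weak values, permission bits."""
    with open(path) as fh:
        text = fh.read()
    return {"credentials": credential_keys(text),
            "weak": weak_credentials(text),
            "permissions": permission_findings(path)}


def audit_sample(mode=0o644):
    """Write SAMPLE_CONF to a temp file with the given mode and audit it."""
    fd, path = tempfile.mkstemp(prefix="ossim_setup_")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_CONF)
    os.chmod(path, mode)
    try:
        return audit(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Run as root on a real box; the path is the one named in the post above.
    for name, value in audit("/etc/ossim/ossim_setup.conf").items():
        print(name, value)
```

Anything in the `permissions` list means an unprivileged local account on the box can read the database password; the `weak` list is where the admin/admin and jasperadmin/jasperadmin defaults mentioned above would show up if they were ever copied into a config file.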
Thanks for the reply.... Please let me know once the document is uploaded...
Regards
Wintech
Steps are:
1. Go to "Executive Panel" page
2. Click [Edit] at the top right hand corner
3. Click [config] next to the graph which cannot be shown
4. In “Sub-category”, change the image src from http to https, then click
“Accept config”.
Thanks
-Wintech
Not only for you.. Everyone faces the same issue :blush: ....
Regards
Wintech 8o
http://www.ossec.net/wiki/index.php/OSSECWUI:Install
I like the splunk method a lot better (see post elsewhere) and it has pretty graphs! Great for
management.
GP
For Splunk:
https://www.ossim.net/forum/index.php?t=msg&goto=2543&S=d30366386f5cd9ca818860c7bac52009#msg_2543
Also there is a typo in the doc. This has been noted before.
GP
as in I could get to the web interface again, but I got an error when running the network restart
command:
So when I configured the eth1 info in the same format as eth0, I didn't get any errors, but I still
couldn't see any non-broadcast traffic in the web interface. (eth1 is on a mirrored switch port)
and
References:
http://www.debian.org/doc/manuals/reference/ch-gateway.en.html
So it sees the interface when I configure the interface file as I mentioned. When I configure it
like
I get an error
What I was trying to find out is if OSSIM was seeing your NICs and, if so, correctly.
or
lshw -C network
will show what NICs are physically in your machine. That way we can tell more about what is
going on.
By the way which installer are you running? OSSIM 1.0.X is running an older kernel
and does not have as much hardware support.
P.S.
For output that runs off the page you can either
or
GP
You wrote:
'>lspci by itself returns a list that contains two ethernet controllers.'
Dell uses Intel NICs on the motherboard and it looks like those two are showing up, since you
say you see two NICs.
My guess is that your two other NICs in PCI slots are not being recognized.
Do you know what model the other two NICs are? If they are Intel do something like this
Also, when you define NICs in /etc/network/interfaces you will need to add settings for each
adapter, but change the iface name on the first line of each section and put them all in the auto
line at the top.
Most everything in Linux/Unix type systems is case sensitive, that's why "lspci | grep ethernet"
didn't work (non-capitalized Ethernet), but "lspci" by itself did..
Quote: I am running ossim 1.0.6 in Sun virtual box on a Dell PowerEdge 2950 that has 4
ethernet ports (gigabit), and two Intel(R) Xeon(R) CPU E5405 @ 2.00GHz processors. I don't
have the hardware available to run this on a dedicated machine. I tried installing ossim 1.2 and
it returned an error that I had the wrong processor type. It said it was looking for x86 and
found I86. I suspect this is because the server has two processors.
I think I know why this happened: OSSIM 1.0.6 is 32-bit, while 1.2 is 64-bit. I suspect the "Sun
virtual box" (I'm not familiar with it) will not run 64-bit OSes? Is the host OS 64-bit? The Xeon
E5405 most certainly is 64-bit.
If you're having trouble because 1.2 is 64-bit, OSSIM 1.1 should be available sometime
reasonably soon I think, and it should pretty much be a 32-bit version of 1.2, so that may be
good.
The command is "lshw", not "lshow"... It stands for "list hardware" by the way (remember
everything is case sensitive also).
Tip: you can use tab completion - for example, type "lsh", then hit the 'tab' key (after lshw is
installed). It saves on typing (and typos...). 8)
Anton
The trick is working out which ones are important and translating them into something usable.
My test network is behind both a hardware and a software firewall that are configured fairly
strictly, and all hosts run current AV. So I started under the idea that most of the
alerts/incidents I was seeing were generated by my network.
Note: For the purpose of base lining my network I have not set the two firewalls to log to
OSSIM. That will be the next step.
The trick as I see it is identifying “normal” traffic from your network, and the
traffic generated by OSSIM (plus sensors etc.), in order to implement a way to filter out normal
traffic.
First I have to establish a baseline and “normalize” my data. Then I can look at
ways to configure OSSIM correctly.
If I select “Unique Alerts” (by the way, click on the little graph box to the left for
a time trend of that specific alert)
My system is currently showing 621 total unique alerts. The vast majority of the volume of
alerts is generated by 5 signatures:
The first three are generated by OSSIM itself. In fact OSSIM is listed as the
“attacker” 97% of the time. The UPnP is being generated by Vista and I can
disable it.
II. Incidents
Host Report
Alarm Report
Security Report
Incident Report
From those reports I found some of the other things to look into:
Identify IP addresses you do not recognize (both source/attacker and destination/target).
Note: I put a reference of special-use IP ranges used for things like routing protocols at the end
of this document.
192.0.2.42      673  # unknown
207.46.197.32   633  # unknown
202.47.28.150        # unknown
68.1.17.1            # my ISP
212.211.132.32       # villa.debian.org
Identify ports you do not recognize (both source and destination), and the services that use them
(and whether you are supposed to be running them!!)
59313 unknown
Note: some of these values are skewed since I have deleted some events and put policies not
to store others.
DK mentions:
a. Filtering at origin (disabling a snort rule, setting a tcpdump-style filter at p0f, etc...)
b. Policy
c. Agent Consolidation (undocumented)
Ref: Re: Hyperthreading [message #1913 is a reply to message #1912]
I believe “directives” may be another approach to this.
I think that might be a good place to stop for now.
P.S. I just noticed the team has added an installation guide for “rolling your
own” on Debian lenny to the DOCs section. Cool! Plus I was reminded what a great
tool the “architecture diagrams” are towards understanding the logic behind
OSSIM (same page under Misc)
https://www.ossim.net/docs.php
GP
Multicast IP Addresses
There are a number of addresses that are set aside for special purposes, such as the IPs used
in OSPF, multicast, and experimental purposes, that cannot be used on the Internet.
Class D
Start          End
224.0.0.0      239.255.255.255
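The baselining steps above come down to deciding which addresses in the alert list are expected. As an added example (not from the original post), the script below classifies each address against the special-use ranges the post refers to, using a longest-prefix match, and parses the post's own IP list so the "unknown" entries can be triaged; the SSDP/UPnP line at the end of SAMPLE_REPORT is constructed. The range table is abbreviated, not the full IANA special-purpose registry.

```python
"""Classify IPs seen in OSSIM alert reports against special-use ranges,
so baselining can separate local/management noise from real external peers.
Added example; not part of the original post and not OSSIM code."""
import ipaddress
import re

# Longest-prefix match table: (network, label). Abbreviated, not exhaustive.
SPECIAL_USE = [
    ("0.0.0.0/8", "this network (RFC 1122)"),
    ("10.0.0.0/8", "private (RFC 1918)"),
    ("127.0.0.0/8", "loopback"),
    ("169.254.0.0/16", "link-local (RFC 3927)"),
    ("172.16.0.0/12", "private (RFC 1918)"),
    ("192.0.2.0/24", "documentation TEST-NET-1 (RFC 5737)"),
    ("192.168.0.0/16", "private (RFC 1918)"),
    ("198.51.100.0/24", "documentation TEST-NET-2 (RFC 5737)"),
    ("203.0.113.0/24", "documentation TEST-NET-3 (RFC 5737)"),
    ("224.0.0.0/4", "multicast (class D)"),
    ("224.0.0.5/32", "multicast: OSPF AllSPFRouters"),
    ("224.0.0.6/32", "multicast: OSPF AllDRouters"),
    ("224.0.0.251/32", "multicast: mDNS"),
    ("239.255.255.250/32", "multicast: SSDP/UPnP"),
    ("240.0.0.0/4", "reserved (class E)"),
]
_TABLE = [(ipaddress.ip_network(net), label) for net, label in SPECIAL_USE]

# The IP list from the post above; the last line is constructed.
SAMPLE_REPORT = """192.0.2.42 673#unknown
207.46.197.32 633#unknown
202.47.28.150 #unknown
68.1.17.1# my ISP
212.211.132.32 # villa.debian.org
239.255.255.250 12# UPnP (constructed line)
"""

# "<ip> [count]# <note>" as written in the post.
LINE_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*(\d+)?\s*#\s*(.*?)\s*$")


def classify(ip):
    """Most specific special-use label for ip, or 'public' if none matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, label in _TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    return best[1] if best else "public"


def triage(report):
    """Parse the report lines and attach a classification to each address."""
    rows = []
    for line in report.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, count, note = m.group(1), int(m.group(2) or 0), m.group(3)
        rows.append({"ip": ip, "count": count, "note": note, "class": classify(ip)})
    return rows


def unknown_peers(report):
    """Addresses the analyst has not yet explained, in report order."""
    return [r["ip"] for r in triage(report) if r["note"].lower() in ("", "unknown")]


if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT):
        print(f"{row['ip']:<16} {row['count']:>5}  {row['class']:<38} {row['note']}")
```

Note what the classification says about the first "unknown" entry: 192.0.2.42 is in TEST-NET-1, a range reserved for documentation that should never be routed on a real network, so 673 events from it point at a misconfigured or spoofing host rather than an Internet peer. Multicast destinations like 239.255.255.250 are the UPnP/SSDP chatter the post already attributes to Vista.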
Any time I install a beta or new program I am VERY interested in what is going
on in the background. Traditionally sysadmins have used log files for this purpose.
They allow you to locate bugs, errors, bottlenecks and even sometimes rogue processes
or programs you do not want running. I have always hated having to wade through
log files from the command line. So I chose to install logcheck to email my OSSIM log
files to me. That way I can go through them on a workstation with a GUI at my leisure.
"What is Logcheck?
Logcheck parses system logs and generates email reports based on anomalies. Anomalies
can be defined by users with 'violations' files. It differentiates between 'Active System Attacks',
'Security Violations', and 'Unusual Activity', and is smart enough to remember where in the log
it stopped processing to improve efficiency. It can also warn when log files shrink, and does
not report errors when they are rotated." (1)
nano /etc/logcheck/logcheck.conf
SENDMAILTO="root"
MAILASATTACH=1
There is a lot more that can be done, such as installing logtail, which, when added,
allows any number of log files on one or more machines on a network to be
transferred.
Logtail - Logs which transfer to new files are automatically followed, and an option
allows translation of numeric Internet addresses into the corresponding
hostnames where possible. Log items can be relayed to one or more other
References:
(1) http://www.debianhelp.co.uk/logcheck.htm
(2) http://www.fourmilab.ch/webtools/logtail/
GP
Thanks!
Just updated a couple of missing lines, still have to find the admin/admin password for tomcat.
DISCLAIMER: I ran this on a system set up using the OSSIM 1.2beta5 installer. If you are
using any other distro or installer you may have issues.
ftp://ftp.mondorescue.org/debian/5.0/mindi-busybox_1.7.3-1_amd64.deb
ftp://ftp.mondorescue.org/debian/5.0/mindi_2.0.5_amd64.deb
Install dependencies
dpkg -i mindi-busybox_1.7.3-1_amd64.deb
dpkg -i mindi_2.0.5_amd64.deb
Test mindi
# mindi
Run mondo
mondoarchive
I have not covered every step, but there is a lot of mondo documentation out there.
Warning: Cannot modify header information - headers already sent by (output started at
/usr/share/ossim/include/classes/Session.inc:13) in /usr/share/ossim/www/session/login.php on
line 94
Warning: Unknown(): Failed to write session data (files). Please verify that the current setting
of session.save_path is correct (/var/lib/php4) in Unknown on line 0
Warning: Unknown(): Failed to write session data (files). Please verify that the current setting
of session.save_path is correct (/var/lib/php4) in Unknown on line 0
Thank you!
console = 192.168.1.10
sensor = 192.168.1.11
Note:
I figured that on 1.0.6, without configuring snort and ntop correctly, ossim-reconfig would fail
and the sensor won't be listed on the console's sensor list.
I don't know if there's much interest in building XMPP/Jabber stuff on top of OSSIM in
order to simplify the monitoring process and facilitate collaboration between OSSIM node
operators. Anyway, if you think it is a fun project to play around with, let me know; I'll post on
writing ossim-xmpp agents and plugins later. This howto hopefully should get you started.
== OSSIM + OpenFire MiniHOWTO ==
By integrating ossim with openfire we get to have a collaboration framework where you could
have groups of operators use Jabber messaging client as primary means of communication
and collaboration. Of course you can do even more than that. XMPP is an extendable protocol.
You can build security monitoring services on the top of it, so you could use your messaging
client (with extensions) as primary security monitoring interface.
The monitoring part can be easily done with XMPP-based agents, which could talk to the OSSIM
database or other components directly, and maybe we could talk about it later some time. The
cool thing about using agents is that they run over the standard XMPP protocol, so you could
technically even use your gmail.com client, or a mobile phone jabber client, to collaborate with
your ossim system. However, when you run into a huge number of users, scalability might
become an issue...
There's also another really neat way of adding things up by extending the OpenFire server with
Anyway, we'll start with the basics. Right now we simply want OSSIM users to be able to log in
to our XMPP server using ossim framework authentication credentials.
I used the ossim installer here to install the base system. Once you get that done, you'll need
to install Java's JRE on your box.
The ossim installer is based on Debian, so you'll have to install the sun-java6-jre package on it.
dpkg -i openfire_3.6.4_all.deb
Now you should have openfire running on your box with the admin console on ports 9090 and
9091 (SSL).
One thing you will need to do now is to configure the mysql database for openfire to use.
(you'll need to peek at root password for mysql, which can be found in
/etc/ossim/ossim_setup.conf)
Once you're done w/ this stuff, launch your browser to ossim:9090 and complete the setup.
Select external database, and choose mysql database for it. Then correct the url for the mysql
database thing. You can skip the setup user part at the end.
Once you're done with this stuff, you'll need to save this into a file, e.g. custom.sql, and make
some changes.
At the very least you'll want to change the connection string and set the user id and password
to those you use to connect to your ossim database. You may also want to change
admin.authorizedJIDS to list the users who would be allowed to log in to the openfire admin console:
/* make modifications */
/* connection */
/* authentication */
/* user */
--/cut here/--
Once you're done with this stuff, save it and then do something like:
For the agents and stuff, maybe I'll make another post :)
Sources:
http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/database.html
http://www.igniterealtime.org/community/thread/38646
You can also try to locate the nagios2 folder (though I doubt it'll be anywhere else)
updatedb
locate nagios2
I did all the stuff here, but now the big problem is that Nagios and the others are not seen through
ossim. I couldn't manage to do
/home/ossim/dist/reconfig.pl
Line 4
Line 5
Change
to
GP
Subject: Method to check and see what OSSEC is logging (without the web gui)
Posted by gsporter on Wed, 22 Jul 2009 23:47:41 GMT
In case you have not had a chance to check it out, OSSEC v2.0 added a command-line
"reporting" tool. It is great for checking to see if agents, syslog etc. are actually making it into
OSSEC|OSSIM without having to install the web gui on OSSIM.
Note: These commands are from the OSSEC tutorial, but I have made a change in the path to
the ossec-reportd binary:
Show all IP addresses/users that logged in during the day and related srcips locations for each
user
Reference:
http://www.ossec.net/dcid/?p=153
GP
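Since the ossec-reportd command lines did not survive in the post above, the script below is an added example of the same report built directly from the alerts.log layout (it is not the OSSEC tool and not the poster's code): it parses the alert blocks and lists, per user, the source IPs behind each authentication_success alert, which is the quickest way to confirm that agent and syslog events are actually reaching OSSEC on the OSSIM box. The SAMPLE_ALERTS entries are constructed; the agent names, addresses and paths in them are placeholders.

```python
"""Parse OSSEC alerts.log and summarize successful logins per user.
Added example; not the OSSEC reporting tool. SAMPLE_ALERTS is constructed
in the alerts.log layout (header, location, Rule line, optional Src IP /
User lines, then the raw log line), with blank lines between alerts."""
import re
from collections import defaultdict

SAMPLE_ALERTS = """** Alert 1248306000.1001: - syslog,sshd,authentication_success,
2009 Jul 22 16:00:00 (sensor01) 192.168.1.11->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 192.168.1.55
User: alice
Jul 22 16:00:00 sensor01 sshd[2201]: Accepted password for alice from 192.168.1.55 port 50122 ssh2

** Alert 1248306060.1002: - syslog,sshd,authentication_failed,
2009 Jul 22 16:01:00 (sensor01) 192.168.1.11->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7
User: root
Jul 22 16:01:00 sensor01 sshd[2210]: Failed password for root from 203.0.113.7 port 40001 ssh2

** Alert 1248306120.1003: - pam,syslog,authentication_success,
2009 Jul 22 16:02:00 ossim->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
User: alice
Jul 22 16:02:00 ossim sshd[2215]: pam_unix(sshd:session): session opened for user alice by (uid=0)

** Alert 1248306180.1004: - syslog,sshd,authentication_success,
2009 Jul 22 16:03:00 (sensor01) 192.168.1.11->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 203.0.113.7
User: alice
Jul 22 16:03:00 sensor01 sshd[2230]: Accepted publickey for alice from 203.0.113.7 port 40100 ssh2
"""

HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.(\d+): - (.*?),?$")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")


def parse_alerts(text):
    """Split alerts.log text into dicts: time, groups, rule, level, srcip, user."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not an alert header; skip stray text
        alert = {"time": int(m.group(1)),
                 "groups": set(g for g in m.group(3).split(",") if g),
                 "rule": None, "level": None, "srcip": None, "user": None}
        for line in lines[1:]:
            if line.startswith("Src IP: "):
                alert["srcip"] = line[8:].strip()
            elif line.startswith("User: "):
                alert["user"] = line[6:].strip()
            else:
                r = RULE_RE.match(line)
                if r:
                    alert["rule"], alert["level"] = int(r.group(1)), int(r.group(2))
        alerts.append(alert)
    return alerts


def alerts_in_group(text, group):
    """All alerts whose header group list contains `group`."""
    return [a for a in parse_alerts(text) if group in a["groups"]]


def login_summary(text, group="authentication_success"):
    """{user: sorted source IPs} for every alert in the given group."""
    users = defaultdict(set)
    for a in alerts_in_group(text, group):
        if a["user"]:
            users[a["user"]].add(a["srcip"] or "(no srcip)")
    return {u: sorted(ips) for u, ips in users.items()}


if __name__ == "__main__":
    # On a real box read /var/ossec/logs/alerts/alerts.log instead of the sample.
    for user, ips in login_summary(SAMPLE_ALERTS).items():
        print(user, ", ".join(ips))
```

The PAM "session opened" alert carries no Src IP line, which is why the summary keeps a "(no srcip)" marker rather than dropping the login: a user who appears only with that marker is logging in from somewhere the sshd rule did not see, typically the console or a local su.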
This is a manual. I have installed OSSIM many times and finally decided to write this small manual,
which I share with you.
Willians Herrera.
File attachment: OSSIM 1.1 - Configuracion después de la Instalacionx.pdf (downloaded 718 times)
ON SNORT SERVER
1. Install ossim-agent (apt-get install ossim-agent) - You may have to add the repositories. You
OSSIM Server
1. In the Web Interface - Go to Policy > Sensors
2. Add the stand-alone snort box as a sensor (hostname/IP)
3. Reload sensors
You should be receiving alerts under the SIM Events page now. On the OSSIM server, you
may have to restart ossim-server and/or the ossim-agent. I don't remember if it was necessary
or not. Good Luck!
I did exactly as you said, but I got the error below when I start ossim-agent:
2009-11-04 19:09:30,129 Conn [ERROR]: (32, 'Broken pipe')
2009-11-04 19:09:31,135 Conn [ERROR]: (104, 'Connection reset by peer')
2009-11-04 19:09:32,137 Conn [ERROR]: (104, 'Connection reset by peer')
2009-11-04 19:09:33,144 Conn [ERROR]: (104, 'Connection reset by peer')
2009-11-04 19:09:34,149 Conn [ERROR]: (104, 'Connection reset by peer')
2009-11-04 19:09:35,155 Conn [ERROR]: (104, 'Connection reset by peer')
2009-11-04 19:09:36,161 Conn [ERROR]: (104, 'Connection reset by peer')
2009-11-04 19:09:37,166 Conn [ERROR]: (104, 'Connection reset by peer')
2009-11-04 19:09:38,172 Conn [ERROR]: (104, 'Connection reset by peer')
2009-11-04 19:09:39,177 Conn [ERROR]: (104, 'Connection reset by peer')
2009-11-04 19:09:40,178 Conn [ERROR]: Error receiving data from server: (104, 'Connection
reset by peer')
and the ossim-server sensor list shows an X on my sensor. When I remove snort from the agent plugins it
works again, but of course I still need snort alerts. Any recommendation?
Also what about the ossim-server / ossim-framework services, are they needed in such a set
up?
Are part of the rule sets included with ossim such that oinkmaster won't touch them
(community / emerging threats)?
http://ossim.net/dokuwiki/doku.php?id=installation
Spanish:
http://ossim.net/dokuwiki/doku.php?id=installationES
If you want to help translating it to your own language please send an email to jmlorenzo at
alienvault.com.
Juanma
Introduction
Once the events generated by different tools and devices have been collected by OSSIM, the
system performs a risk assessment for each event and correlates them. During the correlation
process, based on a series of patterns, OSSIM generates new events to detect attacks or
problems on your network.
To access all the information collected and generated by the system, OSSIM includes a web
interface that lets us configure the whole system and see the overall state of the network in real time.
Before you begin
If your processor is 64-bit, you can take advantage of the full performance of this
architecture.
An OSSIM installation can have as many agents as necessary. In some cases there is one agent
at each location of the company network, or one agent inside the DMZ, or another agent
dedicated to collecting all the firewall logs.
The OSSIM agent includes a set of tools (Snort, Ntop, Tcptrack, Arpwatch) to analyze network
traffic looking for security problems and anomalies. To take advantage of this OSSIM
functionality, the OSSIM agent must receive all the traffic on the network, using a tap,
configuring a mirror port or using a span port on the network devices.
All OSSIM agents send their events to a single OSSIM server. This server performs the risk
assessment and the correlation. Once these processes have run, the events are stored in the
OSSIM database.
To access this information, OSSIM includes a graphical (web) interface, which can be used to
modify configuration parameters and to generate metrics and reports. The web interface will
also provide real-time access to information from a large number of applications that analyze
the global status of our network (Ntop, Nagios, etc.).
Profiles
Once the installation has finished, OSSIM lets you change the installation profile. By
Full Profile
The full profile is a combination of all the profiles on a single machine. It includes the sensor
interface, a server, a database and a graphical (web) interface.
Sensor
The Sensor is responsible for capturing and normalizing events. To let the Sensor capture and
collect all logs, we will have to send all events to the Sensor using Syslog, ftp, samba, Snare, etc.
Snort, Ntop, Arpwatch, P0f and Pads are also enabled only in the Sensor profile. To make these
tools useful, we must use a tap, configure a mirror port or use a span port on the network
devices (usually on the switch).
Server
The Server profile prepares the OSSIM box to collect the logs from all the OSSIM Sensors.
Once the events have been processed, all the information is stored in the database. The Server
will include an OSSIM agent to monitor the security of the system itself (Pam Unix, SSH).
Database
Requirements
Hardware Requirements
When it comes to network cards, you should try to choose those supported by the e1000
driver. The open source development model of this driver ensures good compatibility of these
cards with Debian GNU/Linux.
Lower-performance network cards can be used in OSSIM boxes to collect events from other
devices or as management interfaces.
Network Requirements
In order to deploy OSSIM correctly, you should have a good knowledge of the devices on your
network. You will have to configure a mirror port on those network devices that support this
feature. To configure a mirror port correctly, keep in mind that you must avoid these two situations:
* Duplicated network traffic: this happens when we send the same network traffic more than
once from different network devices.
* Encrypted network traffic: in some cases it makes no sense to configure a mirror port on
devices that carry only encrypted traffic (VPN, SSH), because this traffic cannot easily be
analyzed by some applications.
Beyond the mirror port, we need to have IP addresses ready for all the OSSIM boxes. Some
OSSIM boxes that work as Sensors may require more than one network card, because the
Sensor may need access to different networks (Nessus, Nagios, Nmap). As an example,
OpenVAS (vulnerability scanning) will need access to reach the “target networks” when the
scan takes place. When using OpenVAS, Nagios or Nmap we also have to make sure that our
firewalls are configured correctly, allowing our sensors access to the networks or servers of
the “target networks”.
Events have to be normalized before being processed by the OSSIM Server; the sensor
1- You will have to make sure that your computer can boot from CDROM/DVD. Check your
system documentation for more information. This may require changing BIOS settings. To start
the installer, boot the computer and wait for it to boot from the CDROM.
Warning: The installer WILL ERASE all data stored on your hard disk.
2- Choose the language used for the installation process. The chosen language will also be
used for the installed system.
5- At this point you will have to configure the network card. If you have more than one network
card, you will have to choose which one will be used as the management interface. If there are
multiple network cards, the installer will ask which one should be used as the management
interface. This interface must have Internet access during the installation process.
8- Enter the IP addresses of the name servers (DNS), separated by spaces. If you have a local
name server on your network, it should be the first one in this configuration. You can enter as
many name servers as you want.
10- If you are using a domain name on the computers of your network, enter the domain name.
If you do not have a mail server on your network, or if you want to have your own on the
OSSIM box, select “Internet Site”.
If you already have a mail server on your network, you can select “Satellite System”.
18- Once all the software has been installed and configured (this may take a few minutes), the
system will ask for the root password. You will have to type the root password twice.
To finish the installation process, wait for OSSIM to load automatically. Once the loading
process finishes, you can proceed to configure all the applications according to the settings
your network needs and to your preferences.
OSSIM (AlienVault Open Source SIM) Installation Guide – Part III
System Configuration
/etc/ossim/ossim_setup.conf
We can edit this file using a text editor (vim, nano, pico, kate). Inexperienced users should use
the following command to edit this file:
ossim-setup
ossim-reconfig
All profiles are enabled by default after running the installer. You can change the profile using
“ossim-setup” (the OSSIM installation configuration script), selecting the second option
(“Change Profile Settings”).
Based on the chosen profile, you will have to configure different configuration parameters:
Full
* Choose interfaces: Enter all the interfaces (comma separated) that are receiving all the
traffic of your network.
* Network profile: Enter the networks (local networks) in CIDR format, comma separated; these
are the networks that the Sensor can see (reach) on its listening interface (for example:
192.168.0.0/24, 10.0.0.0/8)
* Choose plugins: Select the plugins that should be enabled on this Sensor. Monitor plugins
will only be enabled on request from the OSSIM Server during correlation. Detector plugins
will be collecting events in real time from files, databases and sockets.
Sensors
* Choose interfaces: Enter all the interfaces (comma separated) that are receiving all the
traffic of your network.
* Network profile: Enter the networks (local networks) in CIDR format, comma separated; these
are the networks that the Sensor can see (reach) on its listening interface (for example:
192.168.0.0/24, 10.0.0.0/8)
* Choose plugins: Select the plugins that should be enabled on this Sensor. Monitor plugins
will only be enabled on request from the OSSIM Server during correlation. Detector plugins
will be collecting events in real time from files, databases and sockets.
Server
* MySQL database server port: Listening port for MySQL. (The default port is 3306)
Database
If you only need to reconfigure the profile in use, select it and you will be asked to enter the
configuration parameters.
To apply the changes you have selected, click “Apply and save all changes” or run the
OSSIM reconfiguration command “ossim-reconfig”.
Network Configuration
Those machines running OSSIM require special care when configuring networking.
/etc/network/interfaces
/etc/init.d/networking restart
Each OSSIM box must have at least one static IP address, so that the different OSSIM
components can communicate with each other and the administrator can have remote access
to the machines.
Each interface (network card) with a valid IP address must have an entry in the
/etc/network/interfaces file using the following scheme:
Those interfaces (network cards) used to collect all the network traffic must never have an IP
address. Interfaces in promiscuous mode do not require any special configuration in the
network configuration file.
Updating OSSIM
The system update software used in the OSSIM installer was designed to make sure that the
correct versions are used. It lets the OSSIM maintainers block or force updates of certain
software on the system. For this reason, you should never add new software repositories to
your /etc/apt/sources.list. This information is very important.
Source: http://ossim.net/dokuwiki/doku.php?id=installation
Original article: Juan Manuel Lorenzo (jmlorenzo at AlienVault dot com)
Translation and additions: Jailson Jan (jailsonjan at yahoo dot com dot br / jailsonjan at
previsioni dot com dot br)
http://www.previsioni.com.br/jailsonjan/
General Recommendations
* Never install an OSSIM Sensor in a virtualized environment if that sensor is going to collect
huge amounts of network traffic. Because of the way these virtualization tools handle virtual
network interfaces, a large amount of network traffic is lost without being analyzed.
* Never install software on the OSSIM box that requires changing the Debian repositories in
the “/etc/apt/sources.list” file.
* OSSIM will always support the most stable version of Debian GNU/Linux. When a new version
of Debian is released, the maintainers will provide a guide on how to upgrade the installed
OSSIM to the newer version.
* There is no limitation on the software that can be installed on the machines (as long as it is
in the original OSSIM sources.list), but remember that the high memory or CPU consumption
of some applications can hurt the performance of the machine.
As an example, you should never install a desktop environment on OSSIM machines.
Source: http://ossim.net/dokuwiki/doku.php?id=installation
Translation and additions: Jailson Jan (jailsonjan at yahoo dot com dot br / jailsonjan at
previsioni dot com dot br)
Blog: http://www.previsioni.com.br/jailsonjan/
Jailson Jan is the translator of OSSIM into Brazilian Portuguese (pt_BR)
http://www.previsioni.com.br/jailsonjan/
Once you find the file path and navigate to it, you can use an editor (e.g. pico) to open and edit
the file.
Cheers
Since so far I did not have time to delve into ossim configuration and set-up, I'm a bit lost.
Is there a simple way to have ossim read the mysql DB on the centos-snort machine? Since
this set-up is experimental I assumed this would be done by setting the DB in the
configuration (advanced), but no luck.
tnx
jplee3 wrote on Wed, 04 November 2009 12:18: Hey guys, will this still work with the latest
versions of OSSEC and OSSIM? I was trying to tie the two together but could not figure it out.
I'll have to play around with it more when I have the time.
Or you can patch snort to work with the ossim agent using the unified stuff and get better speed if
it is needed.
#/bin/sh
The line:
juanma
Leaving me with:
#/bin/sh
Note that if you subscribe to the snort rules your oinkmaster.conf path to grab the snort rules
will be different.
/usr/local/bin/alienvault-feed-sync openvas
/etc/init.d/openvas-server restart
P.S. For restart to work for openvas you need to edit /etc/init.d/openvas-server script to add the
path for start-stop-daemon
rossonr wrote on Tue, 02 February 2010 06:13: I have this in a script that I execute from cron
/usr/local/bin/alienvault-feed-sync openvas
/etc/init.d/openvas-server restart
P.S. For restart to work for openvas you need to edit /etc/init.d/openvas-server script to add the
path for start-stop-daemon
Thanks in advance. :p
With regards,
manean.kvs.
OSSIM 2.2 is out. I don't see any straightforward way to setup https for the OSSIM webpages.
Could you point us to the right direction?
Thanks,
Sam
In my file I have:
ocs_db=ocsweb
ossim_db=ossim
[expert]
profile=server
[sensor]
detectors=snare, p0f, osiris, arpwatch, snortunified, pads, ssh, pam_unix, rrd, sudo, iptables, nagios
interfaces=eth0
ip=
monitors=nmap-monitor, ntop-monitor, ossim-monitor
name=ossim
priority=5
[server]
server_ip=
server_plugins=osiris, pam_unix, ssh, snare, sudo
server_port=40001
Does this refer to changing the expert profile setting to sensor instead of server? I'm not really
sure what it means to 'check on sensor'. If eth0 is the configuration in
/etc/network/interfaces, then would this ossim_setup.conf already be a working configuration?
I assume this means that if you have 2 interfaces in the same network, you use 1 as the default
management interface and 1 as the promiscuous one for Snort etc.? Otherwise, if you have multiple
interfaces in different subnets, wouldn't you want it promiscuous on all interfaces?
Thanks,
Trevor
Subject: Re: Method to check and see what OSSEC is logging (without the web gui)
Posted by kristian_paul on Thu, 25 Mar 2010 19:32:52 GMT
I used to temporarily activate the logall option in the ossec config so I can debug what the logs are
Use this as a step-by-step guide to make NESSUS 4.0.2 work on a fresh OSSIM 2.2.1 install.
Upload the file to your OSSIM server using SCP. I uploaded it to the /home directory.
2. Update OSSIM
run:
/ossim-update. Answer "yes" to all questions
3. Configure Firewall
run:
ossim-setup, go to Change General Setting --> Configure Firewall. Highlight "No" and hit space.
Hit OK and then "Save & Exit". This step is not necessarily needed if you have correctly
configured your firewall.
4. Install NESSUS
run:
dpkg -i /home/Nessus-4.0.2-debian5_i386
5. Update Plugins
run:
ossim-db
TRUNCATE `vuln_nessus_category`;
TRUNCATE `vuln_nessus_family`;
TRUNCATE `vuln_nessus_plugins`;
TRUNCATE `vuln_nessus_preferences`;
TRUNCATE `vuln_nessus_preferences_defaults`;
TRUNCATE `vuln_nessus_settings`;
TRUNCATE `vuln_nessus_settings_category`;
TRUNCATE `vuln_nessus_settings_family`;
TRUNCATE `vuln_nessus_settings_plugins`;
exit
7. Configure NESSUS
run:
nano /opt/nessus/etc/nessus/nessusd.conf and change the "listening ip" to your local IP.
ATTENTION: This is the IP assigned to your NIC (e.g. 192.168.1.1), NOT LOCALHOST
b. Create a user
run:
/opt/nessus/sbin/nessus-adduser. Use pass instead of cert and make the user an admin
c. Create a cert
run:
/opt/nessus/sbin/nessus-mkcert. Choose all the defaults
8. Configure OSSIM
9. Start NESSUS
Run:
cd /usr/share/ossim/scripts/vulnmeter/
./updateplugins.pl
cd /usr/share/ossim/scripts/vulnmeter/
./update_nessus_ids.pl
You can initiate new scans by going to OSSIM's web interface under
Analysis-->Vulnerabilities-->Scan Jobs
Please
TRUNCATE `vuln_nessus_settings_preferences`;
TRUNCATE `vuln_settings`;
Not necessary!!
Thx
Thanks for your input, but could you briefly explain why? I merely copy-pasted those lines from
DK's post; I don't know much about their functionality other than that they change settings in the
database.
fable
Thx
Subject: Re: Method to check and see what OSSEC is logging (without the web gui)
Posted by link on Wed, 31 Mar 2010 10:55:57 GMT
I see all the logs of my devices in ossec.log, but when I go to check these logs in the SIEM GUI, I can't
see all of them.
Subject: Re: Method to check and see what OSSEC is logging (without the web gui)
Posted by juanma on Wed, 31 Mar 2010 11:01:49 GMT
hi link,
please use the support forum and open a new thread for that issue.
and followed your manual - and now all works great! Thank You!
Thank you for your comments. I run this tutorial on a clean OSSIM 2.2.1 install and I noticed
something similar to what you did. If I run a scan job and try to open the report that appears
next to my scan under the "scan jobs" tab, I have a much different report from the one under
the "vulnerabilities" tab. The "scan jobs" tab report though is the same as the one under the
"reports" tab.
The report under "vulnerabilities" tab didn't have nearly as many vulnerabilities as the one
under "scan jobs" and "reports" tab, which were much more spread out (serious,
high,medium,info etc).
My guess is that the reports under the "scan jobs" and "reports" tabs are actually the "raw"
Nessus scans with just the Alienvault logo in them. The report under "vulnerabilities" tab
though, are processed by OSSIM. Over there OSSIM actually presents what vulnerabilities it
thinks were present (based on the way it processes Nessus reports).
What's weird though is that OSSIM is generating as many tickets as vulnerabilities found in the
report under "scan jobs".
Can you check to see if there are any differences on the various reports available?
Also, could you run a credentialed scan against an unpatched PC (e.g. Windows XP), just so
you know you will normally get a lengthy report.
Could someone shed some light on why OSSIM isn't actually integrating the NESSUS scans?
Because the way I see it right now, NESSUS is just a way to generate reports. Something
that I can do by installing Nessus on a Windows XP machine and running the scan from there?
I think the vulnerability management capability of OSSIM is very important to its general
purpose as a Security Information Management System.
fable
truth
The new problem I just started to notice is that even though I updated the settings to point to
the new Nessus scanner, it does not want to show up as an option to scan with. So I checked
things out in the database and sure enough, in vuln_nessus_servers the new server isn't
showing up.
I could add it manually I suppose, but I wanted to know where it was supposed to be added from,
i.e. which script or web interface inserts it into the MySQL table.
I am actually thinking I will rebuild all my systems soon and re-install them all virtually on each
box so that I can make snapshots as well as have another group of "testing servers" that I can
use before upgrading to production. But I want to make sure that before I do that everything
else is in good working order. I also can't do it until roughly may due to some project
obligations I have.
So DK or Jamie or anyone else have any idea why its not inserting the nessus server in there
and also any idea why its not doing what I am expecting? I can work with you more outside of
the forums if you guys like.
Thanks,
thanks.
login admim
password admin
url = http://www.snort.org/pub-bin/oinkmaster.cgi/MY-oinkcode/snortrules-snapshot-2852.tar.gz
The url :
Can I update snort to the official version, or is it another way to update the rules ?
Regards
Subject: ossec&asterisk
Posted by jabi on Fri, 28 May 2010 09:43:15 GMT
I've written two posts about protecting Asterisk with OSSEC.
http://sysbrain.wordpress.com/2010/04/22/asterisk-ossec-part-1/
http://sysbrain.wordpress.com/2010/05/24/asterisk-ossec-part-ii/
I hope it will help you and if you see any error or improvement, tell me.
I'm new to OSSIM and now I'm curious about OSSIM and NESSUS. I've installed Nessus 4.0.2
and yes, I got the same problems as the rest of you. Here are the problems:
The positive side is that scan jobs and results (at Vulnerabilities --> Scan Jobs) show us actual info :)
About the problems, here I try to find out why (from updateplugins.pl):
my $risk=7;
$risk=1 if ($pdescription =~ m/Risk [fF]actor\s*:\s*(\\n)*Serious/s);
I'm not really sure about that, but by default the risk will be set to 7 if ... bla bla bla ... and if the risk factor
value is NONE then it will be set to 7 :D. From another thread about OpenVAS, the problem seems
not to happen; I'll check the scripts later (OpenVAS is terribly slower than NESSUS) :(
2. Next, about cross correlation and customisation not working there, why? Here I try to find out:
Here's the place where NESSUS stores the IPs and their vulnerabilities (from the scanning results).
Mine just shows 11 results there, hehehe, and I still don't know why. If we trace back from
update_nessus_ids.pl:
--snip--
if(keys %plugin_rel_hash){
print "Updating...\n";
foreach $key (keys %plugin_rel_hash){
print "$key:$plugin_rel_hash{$key}:$plugin_prio_hash{$key}\n";
#$plugin_rel_hash{$key} =~ s/'/''/;
$plugin_rel_hash{$key} =~ s/'/\\'/gs;
$plugin_rel_hash{$key} =~ s/"/\\"/gs;
my $sid = $key;
if ($key =~ /\./){
my @tmp = split(/\./, $key);
$sid = $tmp[$#tmp];
}
It must load data from somewhere, process it, then insert it into this table :(
Next, about the 'plugin_reference' table (used for correlation with other plugins by default):
1. We try to find one result (Nessus plugin sid) from the scanning activity:
+-------+----------------------------------------------------------+--------------------------------------------------------+
| 10150 | Windows NetBIOS / SMB Remote Host Information Disclosure | ;Synopsis :;;It is possible to obtain the network name of the remote host.;;Description :;;The remote host listens on UDP port 137 or TCP port 445 and replies to ;NetBIOS nbtscan or SMB requests.;;Note that this plugin gathers information to be used in other vuln_plugins;but does not itself generate a report.;;Solution :;;n/a;;Risk factor :;;None;; |
+-------+----------------------------------------------------------+--------------------------------------------------------+
1 row in set (0.00 sec)
mysql>
Enough for the first part. I try to look up the vulnerability information from 'host_plugin_sid', then
try to find out what vulnerability is shown there (shown by plugin_sid) in the 'id' field of
'vuln_nessus_plugins'.
Next, I try to find the plugin_sid in the correlation tables (plugin_reference and plugin_sid):
I can't find the correlation between the Snort and Nessus sids there, so I have to
customize/define/create it first :p Need to check another table:
See, just like I said at first: in this table I only got 11 (eleven) entries, so I can do
nothing except manually insert references from vuln_nessus_plugins into this plugin_sid table :( (which
should have been done by the script "update_nessus_ids.pl").
Any info from developers? Oh, I forgot: I also looked at the "alienvault_feed_sync.sh"
script and tried it, but it failed. Looks like the alienvault rsync server is down now.
After waiting for several days and getting no reply here, I tried to find out the problems myself and now
it's all fixed. The next step is to make sure that the Snort <-> Nessus correlation works :D
1. Analysis --> Vulnerabilities --> Threats Database: all vulnerabilities/plugins have the
'serious' risk factor.
2. Intelligence --> Cross Correlation --> Correlation Rules: Nessus plugins are not loaded/inserted
properly into the ossim.plugin_sid table in the database.
Here are the new scripts to fix the problems (rename them to .pl, run updateplugins.pl first, then
update_nessus_ids.pl):
1. http://temon.banget.de/ossim/updateplugins.txt
2. http://temon.banget.de/ossim/update_nessus_ids.txt
1. http://temon.banget.de/ossim/updateplugins.txt
2. http://temon.banget.de/ossim/update_nessus_ids.txt
Can you please upload these files to another server? Or to this forum?
File attachment: ossim_nessus_dbupdate.tar.gz
<ossec_config>
<client>
<server-ip>10.1.1.8</server-ip>
</client>
<syscheck>
<!-- Frequency that syscheck is executed - default to every 22 hours -->
<frequency>79200</frequency>
</syscheck>
</ossec_config>
We have an existing OCS Inventory install that has data on all of our existing assets. It is also
integrated with our CMDB System (CMDBuild) and ITSM system.
I'm wanting to deploy an OSSIM server (initially in a development lab) so I can test the system
and prepare it for a production environment.
Is it possible to integrate OSSIM with an existing OCS Inventory installation, be it via an API,
database synchronisation or by simply pointing OSSIM to the existing build?
Kind Regards
Harry West
https://discussions.nessus.org/message/4293#4293
Thoughts?
If port 1241 is open, then try to connect to port 1241 using telnet from another machine.
iptables -F ; iptables -X
Try to telnet again; if you get "Escape character is '^]'" it means you've successfully connected, so
try to connect using nessus-client again. Don't forget to allow port 1241 on the OSSIM firewall.
NOTE: Nessus 4.2 does not support NTP (port 1241) for HomeFeed, only ProfessionalFeed.
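The two things the posts turn on, that nessusd listens on the NIC address rather than loopback (step 7 of the Nessus 4.0.2 guide above) and that port 1241 accepts a TCP connection from another host (the telnet test in the post just above), can be scripted. The following is an added example, not from the posts or from Nessus/OSSIM; it assumes the key in nessusd.conf is named listen_address (the guide only calls it the "listening ip"), and the configuration excerpts are constructed. Note that iptables -F ; iptables -X as used in the post drops every rule on the box, including the ones OSSIM's own firewall setup wrote; allowing 1241 alone is the narrower change.

```python
import re
import socket

NESSUS_PORT = 1241  # nessusd's NTP port, the one the posts probe with telnet

# Constructed nessusd.conf excerpts. The key name listen_address is an
# assumption about Nessus 4's configuration file; the guide only calls it
# the "listening ip".
CONF_LOOPBACK = (
    "# nessusd configuration (constructed sample)\n"
    "listen_address = 127.0.0.1\n"
    "listen_port = 1241\n"
)
CONF_NIC = "listen_address = 192.168.1.1\nlisten_port = 1241\n"
CONF_UNSET = "listen_port = 1241\n"

_ADDR_RE = re.compile(r"^\s*listen_address\s*=\s*(\S+)", re.M)
_PORT_RE = re.compile(r"^\s*listen_port\s*=\s*(\d+)", re.M)


def parse_listener(conf_text):
    """Return (address, port) from nessusd.conf text.

    address is None when listen_address is absent; port falls back to 1241.
    """
    addr = _ADDR_RE.search(conf_text)
    port = _PORT_RE.search(conf_text)
    return (addr.group(1) if addr else None,
            int(port.group(1)) if port else NESSUS_PORT)


def listener_problems(conf_text):
    """List what would stop a remote OSSIM server from reaching nessusd."""
    addr, port = parse_listener(conf_text)
    problems = []
    if addr is None:
        problems.append("listen_address is not set; nessusd uses its compiled-in default")
    elif addr == "localhost" or addr.startswith("127."):
        problems.append("listen_address %s is loopback; set it to the NIC address" % addr)
    if port != NESSUS_PORT:
        problems.append("listen_port is %d; the OSSIM scanner entry must use the same port" % port)
    return problems


def probe(addr, port=NESSUS_PORT, timeout=3.0):
    """The telnet test from the post as code: True when a TCP connection is
    accepted (the "Escape character is '^]'" case), False on refusal,
    timeout or a filtered port."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/opt/nessus/etc/nessus/nessusd.conf"
    try:
        text = open(path).read()
    except OSError:
        text = CONF_LOOPBACK  # no config at hand: fall back to the constructed sample
    for line in listener_problems(text) or ["configuration looks reachable from other hosts"]:
        print(line)
    addr, port = parse_listener(text)
    if addr and not addr.startswith("127."):
        state = "open" if probe(addr, port) else "closed/filtered"
        print("TCP connect to %s:%d -> %s" % (addr, port, state))
```

Run the configuration check on the Nessus host and the probe from the OSSIM server (or any other machine); a loopback listen_address and a filtered 1241 produce the same "cannot connect" symptom from the OSSIM side, and the script tells the two apart.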
/etc/apache2/conf.d/ocsinventory.conf
/usr/share/ossim/www/ocsreports/dbconfig.inc.php
What I did:
logged into mysql
mysql -p
used password extracted via the first post.
use ossim;
update users set pass=NULL where login='admin';
TIA,
Nathan
a2ensite default-ssl
a2dissite default
/etc/init.d/apache2 reload