
Network Monitoring Using AlienVault’s Open Source Security Information Management (OSSIM)

Created By
Fathimah Rahimullah (1506673542)

COMPUTER ENGINEERING
FACULTY OF ENGINEERING
UNIVERSITAS INDONESIA
DEPOK
DECEMBER 2018
Contents

Contents ii
Chapter 1 Introduction 1
1.1 Background 1
1.2 Objective 1
Chapter 2 Literature Review 3
2.1 Computer Networks 3
2.2 Computer Networks Security 4
2.3 AlienVault OSSIM 5
2.4 AlienVault OSSIM Components 6
Chapter 3 Methods and Experiments 8
3.1 Deploying OSSIM Server 8
3.2 Deploying OSSIM Sensor 8
3.3 Dashboard 9
Chapter 4 Conclusion 12
Bibliography 13
Chapter 1
Introduction
1.1 Background
Industrialization played a massive role in the development of society. It
made processes much more structured, which resulted in greater efficiency. The
development of computers and the internet in the 20th century accelerated this
development, and in the 21st century the technology has improved drastically
compared with the previous era. Industries now rely on automation and
connectivity to increase efficiency. The term used for this era is Industry 4.0.

Connecting everything to a network seems like an easy task with today’s
technology, but there is more to it than just deploying the machines on a
network. Maintaining the network is the real challenge, especially on the
security side. Criminals too have taken advantage of the development of
technology; these cyber criminals are commonly known as hackers. An
interconnected network means a hacker has an opportunity to exploit things in
that network. One problem a hacker can cause in an Industry 4.0 network is
converting the network into a botnet [1]. These bots will then participate in an
attack orchestrated by the hacker that needs a lot of processing power, such as
a Distributed Denial of Service (DDoS) attack.

Understanding the risks this can bring, vulnerabilities in a network must be
minimized. One effort for minimizing network vulnerabilities is to implement a
network monitoring tool with features such as vulnerability assessment. Other
things that should be kept in mind are behavioural monitoring, intrusion
detection, asset discovery, and security information and event management
(SIEM). All the features above are included in a tool called AlienVault OSSIM.
This tool is open source, which means that it is free to use and open for
development.

1.2 Objective
• Understand the concept of computer networks.
• Understand the concept of computer network security.
• Understand how AlienVault OSSIM works.
• Understand the components of AlienVault OSSIM.
• Understand how to deploy AlienVault OSSIM.

Chapter 2
Literature Review
2.1 Computer Networks
A computer network is defined as a group of computer systems and/or other
hardware devices capable of computation which are all linked through a
communication channel. This channel facilitates the communication that occurs
and also the resource sharing amongst the users of the network. The channels
are usually made of cables, but the development of technology has led to more
flexibility, where wireless media such as Wi-Fi and cellular networks can also
work as a channel.
One of the earliest uses of computer networks was for military purposes. An
example is the US military’s SAGE (Semi-Automatic Ground Environment) radar
system, which consisted of computers communicating in a network. Other than
military purposes, academia also played a big role. Universities in the USA such
as the University of California and the University of Utah carried out research
called ARPANET (Advanced Research Projects Agency Network), which has now
evolved into the modern internet [2].
Networks are usually categorized based on their characteristics. The most
used characteristic is the scale of the network. Based on size, networks are
divided into local area networks (LAN), personal area networks (PAN), wide area
networks (WAN), metropolitan area networks (MAN), the internet, and many more.
This paper will focus more on the local area network.
In a computer network each device can communicate using an identifier
known as an IP (Internet Protocol) address, which is unique within each
network. There are two types of IP address: IP version 4 (IPv4) and IP version
6 (IPv6). The main difference between the two is the size of the address: an
IPv4 address is 32 bits long and an IPv6 address is 128 bits long. As said
before, IP addresses are unique only within one network; this means an IP
address can be used twice if the devices are in different networks. This is
done by utilizing a technique called NAT (network address translation), where a
network has a public address that is used to connect to other networks on the
internet. This technique is also good security-wise, since someone on an
external network would not know the addresses of the hosts on the local
network.

2.2 Computer Networks Security


As computer networks grow and are used in many aspects of life, the
security of the network has become a vital aspect. Security is embedded into
most of the features and specifications; it includes protocols, technologies,
devices, tools, and techniques. In this modern era the objective of network
security is to prevent hackers by staying one step ahead of them. Businesses
now depend on computer networks, which means that the security of the networks
will deeply impact the operations of the business.
Keeping the network secure, though, is no simple task. It is full of
complexities, where administrators need to have strategies similar to those an
army would have for defending a country. These strategies have to comply with
the policies regarding the network, which are usually published by the
network’s company. These policies are also known as the network security
policy. Inside there would be policies regarding access lists, incident
mitigation, and other important security regulations that all staff have to
comply with.
Network security is divided into the following domains [3]:

• risk assessment;
• security policy;
• organization of information security;
• asset management;
• human resources security;
• physical and environmental security;
• communications and operations management;
• information systems acquisition, development, and maintenance;
• access control;
• information security incident management;
• business continuity management;
• compliance.

Network security also covers the attacks that are carried out, in other
words the threats to a network. Threats to a network can be classified by the
target of the threat, network-based or host-based, and by the location of the
threat relative to the network, external or internal.

2.3 AlienVault OSSIM


OSSIM, which stands for Open Source Security Information and Event
Management, is an open-source product by AlienVault used for network
monitoring, with features matching its name. The focus of this tool can be
divided into four points:

• mitigating risks;
• identifying vulnerabilities;
• detecting threats;
• prioritizing the response to threats and vulnerabilities that are of high
priority.

These four points are implemented through these measures:

• Identifying events that can eventually become a threat or vulnerability.
• Determining the risk of attacks.
• Implementing controls to mitigate vulnerabilities.
• Mitigating the attacks.
• Monitoring and reporting activities of the network and hosts.

For all of this to be achieved, a risk assessment must be done first.
After that, security policies can be designed. OSSIM will help to identify
critical assets, which makes it easier to create policies. Security events are
also analysed by OSSIM; the parameters it uses to judge these events are the
value of the assets associated with the event, the threat the event represents,
and the probability of the occurrence of the event.
The main capabilities and tools that OSSIM utilizes to detect threats and
prioritize responses are asset discovery, vulnerability assessment, intrusion
detection, behavioural monitoring, and SIEM. This can be seen in the figure
below.

Below is a brief description of each process:

• Asset Discovery: Gives information about the devices on the network using
a combination of discovery and inventory technology.
• Vulnerability Assessment: Identifies the vulnerabilities on the network.
Vulnerabilities consist of unpatched software, insecure configuration, etc.
• Intrusion Detection: Detects and then responds to incidents and threats in
the network with the help of built-in security monitoring technologies, a
seamless closed-loop workflow for speed of mitigation, and the resources from
AlienVault Labs.
• Behavioral Monitoring: Monitors the behaviour of the network, focusing on
anomalies and suspicious activities that can develop into threats.
• Security Information and Event Management (SIEM): Threats are identified,
contained, and remediated, using risk and response as references.

2.4 AlienVault OSSIM Components


There are three components of OSSIM; they are as follows:

• Server: Receives information from the sensors and then processes it so it
can be used for management, reporting, and administration.
• Sensors: Gather information from the network by being deployed
throughout the network. They process data from devices such as firewalls,
routers, and host servers by using plugins.
• Logger: Stores all the raw event logs, which can later be used for forensic
research and audits.

The high-level architecture of AlienVault OSSIM can be seen in the figure below.

The workflow of these components is as follows:

1. Sensors actively probe the network’s assets so that information about
what is going on can be generated, while passively collecting logs and
mirrored traffic for the reports.
2. The sensor then parses the raw data from the sources and processes it into
a stream of events, which is then sent to the server.
3. The server correlates the events and assesses the risks.
4. The server then sends the events to the logger to be stored for later use [4].
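The event pipeline of sections 2.3 and 2.4 in miniature, as an added example that is not from the report or from AlienVault’s own code: a sensor-side plugin normalizes constructed sshd log lines into events, and a server-side step scores each event from the three parameters the report names (asset value, threat, probability). It assumes the risk formula AlienVault documents for OSSIM, risk = asset value × priority × reliability / 25 (asset 0 to 5, priority 0 to 5, reliability 0 to 10), which the report only describes qualitatively; the plugin id, the priority and reliability values, and the asset table are made-up placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Sensor side: a plugin is a pattern that turns one raw log line into a
# normalized event. The plugin_id number is a made-up placeholder.
SSHD_FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

@dataclass
class Event:
    plugin_id: int
    src_ip: str
    dst_host: str
    username: str
    priority: int      # threat the event represents, 0-5
    reliability: int   # probability it is a real incident, 0-10

def parse_sshd_line(line: str, dst_host: str) -> Optional[Event]:
    """Sensor step: normalize a raw sshd line, or return None if no plugin matches."""
    m = SSHD_FAILED.search(line)
    if not m:
        return None
    return Event(plugin_id=4003, src_ip=m["src"], dst_host=dst_host,
                 username=m["user"], priority=2, reliability=3)

# Server side: asset values (0-5) come from the risk assessment the report says
# must be done first. Constructed sample inventory; unknown hosts default to 2.
ASSET_VALUE = {"db01": 5, "web01": 3}

def risk(asset_value: int, priority: int, reliability: int) -> float:
    """OSSIM risk score: (asset * priority * reliability) / 25, range 0 to 10."""
    return asset_value * priority * reliability / 25
# Constructed sample syslog lines of the kind a sensor collects from hosts.
SAMPLE_LOG = [
    "Dec 21 10:00:01 db01 sshd[1201]: Failed password for root from 203.0.113.9 port 51022 ssh2",
    "Dec 21 10:00:02 db01 CRON[1202]: (root) CMD (run-parts /etc/cron.hourly)",
    "Dec 21 10:00:03 web01 sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 40100 ssh2",
]

def process_log(lines: List[str]) -> List[Tuple[Event, float]]:
    """Whole pipeline: parse each line (host is the 4th syslog field), score events."""
    scored = []
    for line in lines:
        ev = parse_sshd_line(line, line.split()[3])
        if ev is not None:
            scored.append((ev, risk(ASSET_VALUE.get(ev.dst_host, 2), ev.priority, ev.reliability)))
    return scored
```

The same failed login scores 1.2 on the high-value database host and 0.72 on the web host: the asset value from the risk assessment is what turns an identical event into a higher priority for response.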

Chapter 3
Methods and Experiments
3.1 Deploying OSSIM Server
For this project the OSSIM server will be deployed in VMware.

a) First the OVF template must be downloaded.
b) In the vSphere desktop client, click Deploy OVF Template and select the
template that was downloaded.
c) Continue the installation and specify the specifications needed, which for
this
d) After all the configuration has been done and the installation is finished,
this message will appear.
e) After that the console will open, and the dashboard can be accessed by
browsing to the IP address of the VM.

3.2 Deploying OSSIM Sensor


For this project the sensor will be deployed on Ubuntu Server 14.04.

a) Make sure that the OS is up to date by executing the apt-get update and
apt-get upgrade commands.
b) Enter the /opt directory.
c) Download the file needed for the installation.
d) Unpack the file, then enter the directory.
e) Start the installation.
f) During the installation there will be prompts for the configuration; for
this installation we pick the installation type agent/sensor and then the
defaults for the other configuration.
g) After that there is the key configuration to map the sensor to the server
[5][6].

3.3 Dashboard
The main dashboard of the application is shown in the figure below.

This dashboard is the first one the user sees when entering the server’s IP
address. From the picture the overall status of the network can be seen. It can
be customized to each user’s liking. In this case the dashboard shows the top 5
alarming security events and the events that the SIEM scanned, which in this
network are authentication and system events. Since this is a demo network, the
results do not have much variety.

Next we have the alarms information page, which is depicted in the figure
above. On this page attacks on the network are put under alarms. The risk of
the attacks is also analysed to sort out which attack has the highest risk.
The last page that will be discussed in this paper is the assets page. This
page detects hosts on the network with their details such as IP address, device
type, operating system, asset value, whether a vulnerability scan has been done,
and HIDS status. Because the network belongs to a private company, the picture
has been censored to comply with the policy of confidentiality of hosts. A
brief view of the hosts can be seen in the figure below.

There are a lot more great features implemented in this tool. The ones
discussed in this paper are just a small portion of what there really is. But
to maximize those features, the tool needs to be implemented in a real working
network where production takes place. The open source characteristic is also
great, so the community can develop it more easily with customizations based on
their own style and needs. But there are some disadvantages to this tool, such
as the agent architecture, which is quite hard to maintain.

Chapter 4
Conclusion
• AlienVault OSSIM is a great open source network monitoring tool with an
abundance of features available.
• In a working network environment it will show its best sides.
• The open-source characteristic is also great, especially for new security
enthusiasts and small businesses or startups.
• Users can get creative and customize the application based on their
network’s needs.

Bibliography
[1] J. Malik, “IoT: Usability Dream or Privacy Nightmare? | AlienVault.” [Online]. Available: https://www.alienvault.com/blogs/security-essentials/iot-usability-dream-or-privacy-nightmare. [Accessed: 14-Dec-2018].
[2] “What is a Computer Network? - Definition from Techopedia.” [Online]. Available: https://www.techopedia.com/definition/25597/computer-network. [Accessed: 20-Dec-2018].
[3] “CCNA Security.” [Online]. Available: https://static-course-assets.s3.amazonaws.com/CCNAS2/en/index.html#1.3.2.1. [Accessed: 20-Dec-2018].
[4] U. March, “USM Appliance TM Deployment Guide,” pp. 1–313, 2018.
[5] “How To Monitor OSSEC Agents Using an OSSEC Server on Ubuntu 14.04 | DigitalOcean.” [Online]. Available: https://www.digitalocean.com/community/tutorials/how-to-monitor-ossec-agents-using-an-ossec-server-on-ubuntu-14-04. [Accessed: 21-Dec-2018].
[6] “Install OSSEC on Ubuntu 14.04 | RoseHosting.” [Online]. Available: https://www.rosehosting.com/blog/install-ossec-on-ubuntu-14-04/. [Accessed: 21-Dec-2018].
