8/15/2019 ACSA - OSSIM
1/309
ACSA AlienVault Certified Security Analyst
1
About this document
• ACSA (AlienVault Certified Security Analyst)
• Author: Juan Manuel Lorenzo ([email protected])
• Document Version 3.0
• Last revision: 01/2011
• Product version used: 3.0
Copyright © Alienvault 2010. All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and publisher.
Any trademarks referenced herein are the property of their respective holders.
Target Audience
• Information Security professionals
• System administrators
• Security Operators
Requirements
• Previous Knowledge
  - Networking
  - Security
  - Basic Linux Skills (Edit files on the command line)
• Technical Requirements
  - A computer per attendee
  - Internet access
  - AlienVault Virtual Machine
Recommendations
• Have you got any problem with AlienVault?
• Is there something you always wanted to know about AlienVault?
• Do you have any suggestions?
• Think about your environment:
  - Do you have a network map?
  - How would you integrate this device or application?
  - What products would suit your needs?
  - Do you have any compliance requirements? (PCI? ISO?)
• If you have any questions, please tell us
ACSA - Contents
• Introduction to AlienVault
• Components
• Architecture
• Installation
• Configuration
• Network Security Tools
• Integrated Tools
• Basic Concepts
• AlienVault Web Interface
• User Management
• Policies
• Logger
• Vulnerability Management
• Security Analysis
• Ticketing System
• Reporting System
AlienVault
What is AlienVault?
• AlienVault is a SIEM (Security Information and Event Management)
  - Data Aggregation
  - Correlation
  - Alerting
  - Dashboards
  - Compliance
  - Retention
AlienVault: Data Aggregation
Collection
Diagram: data sources send their logs to the Sensor over Syslog, SCP, SQL and WMI.
Other supported collection methods: SNMP, SDEE, OPSEC, Socket...
AlienVault: Data Aggregation
Normalization
Raw events received by the Sensor:
Authentication Failed for user root from X 12.02.2009 12:02:21
DROP 192.168.1.1 21.2.2.2 Dec 02 2009 12:02:21
Normalized events produced by the Sensor:
plugin_id=4003 plugin_sid=2 username=root date="1295472603" src_ip=192.168.2.2
plugin_id=4503 plugin_sid=21 date="1295472603" src_ip=192.168.1.1 dst_ip=21.2.2.2
AlienVault: Correlation
Events sent by the Sensor to the SIEM:
SSH Auth failed event from X to Y
SSH Auth failed event from X to Y
SSH Auth failed event from X to Y
SSH Successful Auth event from X to Y
Conclusions drawn by the SIEM: repeated failures from X to Y raise "Brute Force Attack?"; the failures followed by a successful authentication from X to Y raise "Successful Brute Force Attack?".
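A stateful implementation of the brute-force directive sketched on this slide, added here as an example and not taken from the course material or the AlienVault code base. plugin_id 4003 / plugin_sid 2 (SSH authentication failure) come from the normalization slide; the success event id, the correlation plugin id, the failure threshold and the time window are assumptions made for the example.

```python
from collections import defaultdict

# Event-type identifiers used by this example. plugin_id 4003 / plugin_sid 2
# appear on the normalization slide; the remaining values are assumptions.
SSH_PLUGIN_ID = 4003
SSH_AUTH_FAILED = 2
SSH_AUTH_SUCCESS = 7          # assumed sid for "SSH Successful Auth"
CORRELATION_PLUGIN_ID = 1505  # hypothetical id for events the correlator generates
FAILURE_THRESHOLD = 3
WINDOW_SECONDS = 300


class BruteForceCorrelator:
    """Stateful directive: FAILURE_THRESHOLD SSH auth failures from X to Y inside
    WINDOW_SECONDS raise "Brute Force Attack?"; a later success from the same X
    to the same Y, while that suspicion is still open, raises
    "Successful Brute Force Attack?"."""

    def __init__(self, threshold=FAILURE_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(list)  # (src, dst) -> timestamps of recent failures
        self.suspected = {}                # (src, dst) -> time the first alarm was raised

    def _alarm(self, name, key, when, count):
        # Correlation produces a new, higher-level event. It re-enters the SIEM
        # pipeline, but this directive ignores it because of its plugin_id.
        return {"plugin_id": CORRELATION_PLUGIN_ID, "name": name,
                "src_ip": key[0], "dst_ip": key[1], "date": when, "count": count}

    def process(self, event):
        """Feed one normalized event; return a correlation event or None."""
        if event["plugin_id"] != SSH_PLUGIN_ID:
            return None
        key = (event["src_ip"], event["dst_ip"])
        now = event["date"]
        if event["plugin_sid"] == SSH_AUTH_FAILED:
            # Keep only failures still inside the window, then add this one.
            recent = [t for t in self.failures[key] if now - t <= self.window]
            recent.append(now)
            self.failures[key] = recent
            if len(recent) >= self.threshold and key not in self.suspected:
                self.suspected[key] = now
                return self._alarm("Brute Force Attack?", key, now, len(recent))
            return None
        if event["plugin_sid"] == SSH_AUTH_SUCCESS:
            started = self.suspected.pop(key, None)
            self.failures.pop(key, None)  # a login resets the failure counter
            if started is not None and now - started <= self.window:
                return self._alarm("Successful Brute Force Attack?", key, now, self.threshold)
        return None


def run(events, correlator=None):
    """Process events in arrival order and collect the alarms generated."""
    correlator = correlator or BruteForceCorrelator()
    alarms = []
    for event in events:
        alarm = correlator.process(event)
        if alarm is not None:
            alarms.append(alarm)
    return alarms


# Constructed stream of normalized events, in arrival order. The firewall DROP
# (plugin_id 4503) and the unrelated login from 10.0.0.9 must not raise anything.
SAMPLE_EVENTS = [
    {"plugin_id": 4003, "plugin_sid": 2, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "date": 1295472603},
    {"plugin_id": 4503, "plugin_sid": 21, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "date": 1295472604},
    {"plugin_id": 4003, "plugin_sid": 2, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "date": 1295472610},
    {"plugin_id": 4003, "plugin_sid": 2, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "date": 1295472618},
    {"plugin_id": 4003, "plugin_sid": 7, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "date": 1295472640},
    {"plugin_id": 4003, "plugin_sid": 7, "src_ip": "10.0.0.9", "dst_ip": "10.0.0.20", "date": 1295472700},
]

if __name__ == "__main__":
    for alarm in run(SAMPLE_EVENTS):
        print(alarm["name"], alarm["src_ip"], "->", alarm["dst_ip"])
```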
AlienVault: Alerting
Example alerts:
- Worm Detected on Port 80
- DOS Attack Against WebServer
- No disk space left on the SQL Server
- Policy Violation: P2P Usage
Example automated responses:
- Send a command to the firewall to isolate the attacker
- Open a ticket in AlienVault or in any other ticketing management system
- Send an e-mail or an SMS to the IT Department
- Disable the switch port used by the host generating the P2P traffic
AlienVault: Dashboards
AlienVault: Compliance
AlienVault: Retention
Logger (storage on SAN / NAS):
- Forensically secure storage of RAW data
- Massive log storage
- Can be configured to store information on existing NAS or SAN
And What Makes AlienVault Different?
All SIEM Products: Data Aggregation, Correlation, Alerting, Dashboards, Compliance, Retention
AlienVault Unified SIEM: Data Aggregation, Correlation, Alerting, Dashboards, Compliance, Retention, plus Vulnerability Management, Situation Awareness, NIDS, HIDS, WIDS and Network Monitoring
Vulnerability Management
• Comprehensive Vulnerability Management
• Centralized Reports
• Compliance auditing
Example findings reported by the Sensor:
- The remote host is missing the DSA-1996 security update
- A vulnerable SMB server is running on the remote host.
- Default user and password enabled in the running service
Situation Awareness
Feature: Technology
- Identity Monitoring: Active Directory, LDAP, Authentication Logs
- Network Auto-Discovery: Events / Network Profiles / Active-Passive Fingerprinting
- Topology Map: Recurrent SNMP Scans
- Inventory: Active / Passive Fingerprinting
- Profiling: Time-Service-Usage Profiling
- Network Monitoring: Flows
- Network Availability (Resource Monitoring): SNMP / Agent / Remote Requests
- Host resources (Resource Monitoring): SNMP / Agent / Remote Requests
- Anomaly Detection
NIDS
• Network level IDS (Intrusion Detection System)
• Monitor network traffic
• No impact on the network
Diagram: network traffic passing through the router and switch is copied to the Sensor through a network tap; the Sensor detects Policy Violations (Porn, P2P, IM...), Malware, Network anomalies and User activity.
HIDS
• Host-based IDS (Intrusion Detection System)
• Monitors and analyzes the internals of a computing system
• Clients for every major Operating System
• Log analysis, rootkit detection, system integrity checking and Windows registry monitoring.
Example HIDS events reported to the Sensor:
- Attempt to login using a non-existent user
- Attempt to use mail server as relay (client host rejected).
- Logon failure: Account currently disabled
WIDS
• Wireless Intrusion Detection System
• Monitor Wireless Networks in multiple locations
• Meet PCI Wireless Compliance requirements
Diagram: a Sensor running a WIDS detects Rogue APs, Suspicious Clients and Cloaked Networks with uncloaked APs. Wireless network traffic is analyzed in the AlienVault Sensor.
The Market
- Large Vendors: sold in combination with other products
- Pure SIEM: pure management layer
- Unified SIEM: integrates other security functions
The Unification of SIEM and Security Context Technologies delivered in a single Product: AlienVault Unified SIEM
Management Technologies + Security Context Technologies = AlienVault Unified SIEM
Data Abstraction
- Low Level: Logs (AlienVault Sensors): millions of logs
- Medium Level: Security Events (AlienVault Logger, AlienVault SIEM): tens of incidents
- High Level: Risk and Incidents: metrics
Unification of technologies (Security, Technology, Management)
- Management: SIEM, Incident Management, Risk, Intelligence, Storage
- Detection: IDS / IPS / WIDS, HIDS, File integrity
- Prevention: Vulnerability Assessment, Threat Assessment
- Awareness: Identity, Inventory, Resources
AlienVault SIEM
Functions: Correlation, Dashboards, Events aggregation, Action / Response, Reports, Forensic Storage, Alerting system, Vulnerability Management
Inputs: Operating Systems, Security Devices, Applications, Network electronics
3 major components
- Sensor: Event Collection, NIDS / WIDS / HIDS, Network monitoring, Vulnerability Scanning
- Logger: Massive Log Storage, Legal evidence, Ensure integrity
- SIEM: Correlation, Risk Assessment, Vulnerability Management, Real-time Monitoring
How does AlienVault work?
3 major components
SIEM
The AlienVault SIEM processes all data provided by network devices and AlienVault Sensors.
The AlienVault SIEM leverages the Network Inventory created by AlienVault Sensors as well as external Threat Databases to cross-correlate events, weeding out False Positives and providing Actionable Intelligence.
Logger
The AlienVault Logger provides forensically-secure storage of all raw data. This creates a court-admissible record of network activity.
Sensor
Events generated in the Network are collected by the AlienVault Sensor.
Applications running in the AlienVault Sensor generate security events that are also collected by the AlienVault Sensor.
The AlienVault Sensor generates a normalized event that is sent to the SIEM and to the Logger.
SIEM Challenges and Roadblocks
• Challenges
  - Lack of control of security and network
  - Risk management and compliance
  - Inconsistency & lack of reliability
  - Complexity & information overload
  - Inefficient use of valuable resources
• Roadblocks
  - High vendor pricing
  - Convoluted licensing models
  - High implementation costs
  - Underperformance
  - Black box solutions with limited customization
What is / is not AlienVault?
• AlienVault is:
  - A tool that integrates more than 30 Open Source tools
  - A tool that can aggregate events from both Open Source and Commercial tools
  - A tool that can be easily adapted (Use what you need)
• AlienVault is not:
  - A Linux distribution integrating security tools (Backtrack, WifiSlax...)
  - A product designed for home use
  - A software package (deb, rpm, exe) that can easily be installed on any operating system. (Agents can be installed to monitor every single Operating System)
What makes us different? - Technically
• Detection capabilities
  - Using Open Source tools (No extra cost)
  - Can replace tools that have already been deployed
  - Can co-exist with tools that have already been deployed
• Adaptability
  - Enable / Disable functionality based on customer needs
• Customization
• Scalability
What makes us different? - Commercially
• Low cost licensing
• Licensed based on EPS (Events per second)
• There is no license based on the number of monitored devices
• Extra value with no additional cost
  - WIDS
  - NIDS
  - HIDS
  - Vulnerability Management
  - Network Monitoring
Open Source vs Professional
Feature | Open Source | Professional SIEM
Support | Community | 7x24
Quality Assurance | Community | Professional QA
Security | Not audited | Audited
Performance | Moderate | 30 x Open Source, Assured
SIEM Intelligence | Logical Correlation, Simple Taxonomy | Cross Correlation, Rich Taxonomy
Logger | N/A | Unlimited Forensic Storage
Reports | < 25 + Jasper | > 2000 + Web Wizard
Scalability/HA | N/A | HA, Distributed, Multi-tenant, Unlimited Scale
Compliance | High Level Reports | High and Low Taxonomy-based
Updates | None | Daily rules and reports
User Management | Individual, simple controls | Templates and Granular Controls
The Company
• AlienVault was founded in 2007 by the creators of OSSIM to support the OSSIM community and develop enhanced products
• In 2011 AlienVault has a global presence and offers its services worldwide through an extensive network of partners.
• AlienVault leads the development of AlienVault Open Source SIEM and AlienVault Professional SIEM
A little bit of history
• 2003: First release of OSSIM (Open Source Security Information Management)
• 2007: AlienVault founded to support the OSSIM community and develop enhanced products
• 2009: More than half of all SIEM installations worldwide
• 2010: Offices in Spain, Germany, UK and Mexico
• 2010: HQ in Silicon Valley, California
The Offices
The products
• AlienVault Unified SIEM
• AlienVault Open Source SIEM
• AlienVault Professional Feed
The Appliances
The services
AlienVault Services:
- Training: ACSA, ACSE, On-site Training
- Support: Basic Support, Premium 8x5 Support, Premium 24x7 Support
- Implementation: Installation, Configuration, Upgrades, Administration
- Consulting: Consultative Architecture, Dimensioning, Performance & Scalability
References
Partners
Open Source
• AlienVault Open Source SIEM is distributed under the GPL license.
• AlienVault includes more than 30 well-known Open Source tools
• AlienVault developed a system to connect and provide intelligence to all these components
• Extra functionality - No extra cost
Open Source - Help for the recession
"Open source software and solutions have a great opportunity to survive and benefit in this economy as they provide better returns for the companies that are looking to save huge licensing costs and greater availability of solutions and software that can be easily adopted."
"Open-source consumption is in for a boom, and commercial open-source start-ups should be able ride the wave... In this downturn, open source offers the best value for money, and with more mature supported products, enterprises can continue to innovate while budgets are frozen."
"In a down economy, open source has more appeal than ever, so volume will continue to increase for open source, making the model even stronger over time."
"In these times you follow your grandparents' wisdom: Make the best of what you have. That means maximizing utilization of existing infrastructure. I expect open source and Linux, systems management tools, and virtualization technology, all of which allow for better utilization rates of existing infrastructure at a low cost, to do well in this market."
"...this recession will be great for free and open source because of the shortage of cash. Last recession saw the mainstream legitimization of open source operating systems because it was clear and away the most cost-effective choice."
Components
Sensor
• AlienVault Sensors collect and normalize the events generated by the tools and devices running in the monitored network (Data Sources).
• Normalized events are sent to the AlienVault SIEM, the AlienVault Logger or to both.
Diagram: Syslog, SCP, SQL and WMI sources feed the Sensor, which sends normalized events to the Logger and the SIEM.
Sensor
• An AlienVault deployment can have as many sensors as needed (There is no limit in the number of deployed Sensors)
• The number of Sensors is determined based on the number of monitored networks and on the geographical distribution of the corporation
Diagram: NY Headquarters, New Jersey Data Center and Las Vegas Call Center, each with its own Sensor (Sensor 1 to Sensor 3).
Sensor: Data Source
• Any Application or Device generating information that can be collected by AlienVault is a Data Source within the AlienVault deployment. E.g.:
  - Security Devices: IDS, IPS, Firewall, Antivirus, Vulnerability Scanner...
  - Network Devices: Routers, Switches, Wireless AP...
  - Servers: Domain Controller, Email server, LDAP...
  - Applications: Web Servers, Databases, Proxy...
  - Operating Systems: Linux, Windows, Solaris...
Sensor: Data Source Connectors
• The AlienVault Sensors can aggregate events from new sources by creating a Data Source Connector
• Data Source Connectors include information on how events are stored and formatted, and regular expressions that help the Sensor understand how the information should be collected and normalized
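The following is an added example, not code from the course or from AlienVault, of what a Data Source Connector does: it takes the raw lines shown on the earlier normalization slide and turns them into the plugin_id / plugin_sid key=value events the Sensor forwards. The ids 4003/2 and 4503/21 come from that slide; the regular expressions, date formats and the source IP of the first sample line are assumptions made here.

```python
import calendar
import re
from datetime import datetime

# Constructed sample lines in the style of the normalization slide (the slide
# shows the first source as "X"; 192.168.2.2 is made up for the example).
RAW_EVENTS = [
    "Authentication Failed for user root from 192.168.2.2 12.02.2009 12:02:21",
    "DROP 192.168.1.1 21.2.2.2 Dec 02 2009 12:02:21",
    "kernel: usb 1-1: new full-speed USB device",  # matches no connector
]

# Hypothetical connector definitions: plugin_id identifies the data source and
# each rule maps a regular expression with named groups to a plugin_sid
# (event type). Regexes and date formats are assumptions for this example.
CONNECTORS = [
    {"plugin_id": 4003, "rules": [{
        "plugin_sid": 2,
        "regexp": re.compile(
            r"Authentication Failed for user (?P<username>\S+) "
            r"from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) "
            r"(?P<date>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2})"),
        "date_format": "%d.%m.%Y %H:%M:%S"}]},
    {"plugin_id": 4503, "rules": [{
        "plugin_sid": 21,
        "regexp": re.compile(
            r"^DROP (?P<src_ip>\S+) (?P<dst_ip>\S+) "
            r"(?P<date>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})"),
        "date_format": "%b %d %Y %H:%M:%S"}]},
]


def to_epoch(text, fmt):
    """Turn the device's textual timestamp into epoch seconds (treated as UTC)
    so events from different sources can be ordered and correlated."""
    return calendar.timegm(datetime.strptime(text, fmt).timetuple())


def normalize(line):
    """Match one raw line against every connector rule and return the
    normalized event as a dict, or None when nothing matches."""
    for connector in CONNECTORS:
        for rule in connector["rules"]:
            m = rule["regexp"].search(line)
            if m is None:
                continue
            event = {"plugin_id": connector["plugin_id"],
                     "plugin_sid": rule["plugin_sid"]}
            # Walk the named groups in the order they appear in the pattern.
            for name, _ in sorted(m.re.groupindex.items(), key=lambda kv: kv[1]):
                value = m.group(name)
                event[name] = to_epoch(value, rule["date_format"]) if name == "date" else value
            return event
    return None


def format_event(event):
    """Render the event in the key=value form shown on the normalization slide."""
    parts = []
    for key, value in event.items():
        parts.append('date="%d"' % value if key == "date" else "%s=%s" % (key, value))
    return " ".join(parts)


def normalize_all(lines):
    """Normalize a batch. Unmatched lines are returned separately: a line that
    silently matches no connector is a collection gap the analyst should see."""
    events, unmatched = [], []
    for line in lines:
        event = normalize(line)
        if event is None:
            unmatched.append(line)
        else:
            events.append(event)
    return events, unmatched


if __name__ == "__main__":
    evs, missed = normalize_all(RAW_EVENTS)
    for ev in evs:
        print(format_event(ev))
    print("unmatched lines:", len(missed))
```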
Sensor
• The AlienVault Sensor can aggregate events using multiple collection methods
Collection Methods: Syslog, FTP, SCP, Samba, WMI, SQL, SDEE, Socket, SNMP, Custom DS Connectors
Processing inside the Sensor: Filtering, then Classification, then Normalization; the output is sent to the Logger and the SIEM.
Sensor
• The AlienVault Sensor includes detection functionalities using well-known Open Source Software
• The AlienVault Data Sources can co-exist with the Data Sources that have already been deployed on the monitored network
• In some scenarios these Data Sources can replace commercial software that was used in the monitored network
Sensor
• To benefit from the detection capabilities of the AlienVault Sensor, networking on the Sensor must be configured to:
• Have access to the network that is being monitored
  - Event collection (Syslog, FTP, SCP, Samba, WMI...)
  - Vulnerability Scanning
  - Availability Monitoring...
• Collect all traffic of the monitored network by configuring or using:
  - Port mirroring or port span
  - HUB
  - Network Tap
Logger
• The Logger component stores events in raw format in the file system.
• Events are digitally signed and stored en masse, ensuring their admissibility as evidence in a court of law.
• The Logger component allows storage of an unlimited number of events for forensic purposes.
• For this purpose the Logger is usually configured so that events are stored in a NAS / SAN network storage system.
SIEM
• The SIEM component provides the system with Security Intelligence and Data Mining capacities, featuring:
  - Risk assessment
  - Correlation
  - Risk metrics
  - Vulnerability scanning
  - Data mining for events
  - Real-time monitoring
• The AlienVault SIEM uses a SQL database and stores information in normalized form, allowing strong analysis and data mining capacities.
SIEM
• Events processing on the SIEM:
1. The SIEM collects events sent by the Sensors or by other SIEMs or Loggers
2. Policies configure how the SIEM will process the events (to create exceptions)
3. A Risk value (0-10) is calculated for every event
4. Events are correlated (Logical correlation, Cross Correlation and Inventory Correlation)
5. Events are stored in the Database
New events generated during correlation re-enter the processing pipeline.
Database
• The AlienVault database runs on a MySQL server
• SIEM Events, configurations, and inventory are stored in the Database
• The Database is a required component in any AlienVault deployment, even if only the Logger is being used
Web interface
• The AlienVault Web Interface provides access to:
  - Inventory Management
  - Configuration
  - Reports and metrics
  - Real time monitoring
  - Forensic Analysis
  - Vulnerability scanning
Architecture
AlienVault Architecture
Diagram: Operating Systems, Security Devices, Applications and Network electronics send events to the Sensor; the Sensor forwards them to the Logger (Disk Storage) and to the SIEM (SQL Database); the Web Interface gives access to the information held by the SIEM and the Logger.
AlienVault Deployment: Scenario
Log collection
Diagram: in the scenario, logs are collected over Syslog, WMI, SDEE, OPSEC, FTP, Snare, SCP, SQL, Samba and SNMP.
Port mirroring
Diagram: port mirroring configured in the scenario so the Sensors can see the network traffic.
Vulnerability Scanning & Availability Monitoring
Diagram: Sensor 1, Sensor 2 and Sensor 3 perform vulnerability scanning and availability monitoring of the networks closest to them.
AlienVault Deployment
Diagram: the complete deployment combines Sensor 1, Sensor 2 and Sensor 3, port mirroring, log collection (Syslog, WMI, SDEE, OPSEC, FTP, Snare, SCP, SQL, Samba, SNMP) and AlienVault internal communications.
Simple Deployment
• A single Customer
• A single location
• Small amount of events to be collected
• Small number of networks to be monitored (Events collection, Availability Monitoring, Vulnerability Scanning...)
• Low network throughput to be analyzed
Simple Deployment
Diagram: at the Customer Premises a single box runs Sensor, Logger, SIEM, Web Interface and SQL Database, receiving events and network traffic from Network 1, Network 2 and Network 3.
Simple Deployment II
• A single Customer
• Multiple locations
• AlienVault Sensors reduce the data transferred between the different locations:
  - Events are filtered
  - Vulnerability and Availability scans are done from multiple locations (Each Sensor scans the closest networks)
Simple Deployment II
Diagram: Headquarters runs Sensor, Logger, SIEM, Web Interface and SQL Database; Office 1, Office 2 and Office 3 each run a Sensor.
Complex Deployment
• Multiple Customers
• Multiple Locations
• Some Customers have multiple Sensors
• Some Customers have their own Logger (E.g.: Compliance Requirements)
• Some Customers have a fully operational AlienVault Deployment
• Correlation and Storage at different levels
Complex Deployment
Diagram: the Services Provider runs Logger, SIEM, Web Interface and SQL Database and receives events from Sensors at Customer 1, Customer 2 and Customer 3; one customer additionally has its own Logger, and another has a full deployment (Sensor, Logger, SIEM, Web Interface, SQL Database).
National Deployment
All Sensors send events to the Logger deployed in California.
Some locations can have a fully functional AlienVault deployment, with SIEM, Logger, Database and Web interface, although the Logger in Texas will also forward events to California.
Some locations can have multiple Sensors, with or without a Logger or SIEM, that can be used to consolidate at State level or to provide Storage or Correlation at multiple levels.
World Deployment
Sensors in Brazil send events to the Logger in Brazil. There is a SIEM, Logger and Database in Brazil. The Logger and SIEM deployed in Brazil could also be used to consolidate events from some other countries (Argentina, Chile...).
Sensors in the USA send events to the Logger in the USA. There is a fully functional AlienVault deployment in the USA.
Sensors deployed worldwide send their events to the main Logger in India. The US and Brazil have their own SIEM and Logger, so it is possible to configure correlation at two levels as well as creating forwarding policies to decide what kind of information is forwarded to India.
Sensor
• At least one Sensor in each AlienVault Deployment
• As many Sensors as required
• Usually one Sensor in each Customer Location
• A Sensor can monitor multiple networks within the same location
• AlienVault Sensors can send events to the Logger and the SIEM
• AlienVault Sensors can be configured to send events to more than one SIEM or Logger
Logger
• There must be at least one Logger or SIEM in each functional deployment
• The Logger can send events to another SIEM or Logger
• The Logger stores raw data on disk and it can be configured to use a NAS or SAN storage system
• As many Loggers as required
  - Performance
  - Requirements to store information securely in more than one location
• The Logger collects events sent by the AlienVault Sensors or by another Logger or SIEM
SIEM
• There must be at least one Logger or SIEM in each functional deployment
• The SIEM can send events to another SIEM or Logger
• The SIEM stores information in an SQL Database (Database Component)
• As many SIEMs as required
  - Performance
  - Multiple correlation levels
• The SIEM collects events sent by the AlienVault Sensors or by another Logger or SIEM
Database
• There must be at least one Database in each deployment
• If multiple SIEM components have been deployed, these SIEMs may use multiple Databases
• The SIEM, the Logger and the Web Interface will access the information stored in the Database
• Some Custom Data Sources may also require access to the Database
Web Interface
• There must be at least one Web Interface in each functional deployment
• If there are multiple storage points in the deployment (SIEM and/or Logger), multiple Web Interfaces may also be deployed
• A single Web Interface can show information stored in multiple Databases and in multiple Loggers
Installation
Hardware recommendations
• For a production system:
  - At least 4GB RAM
  - 64-bit processor
  - Dual-core processor
• Depending on the amount of traffic being monitored and the amount of data captured, RAM has to be increased, always avoiding SWAP memory usage.
• If we don't have the appropriate hardware:
  - "Divide et vinces"
Network Requirements: Sensor
• Port mirroring/Port Span/Network tap, avoiding:
  - Duplicated traffic: May happen if we get the same traffic redirected from two different port mirroring devices on the network
  - Non-analyzable traffic: It makes little sense to configure a port mirror on a network segment where all the traffic will traverse a VPN or be otherwise encrypted
• Enough IP addresses and interfaces have to be reserved for:
  - AlienVault inter-component communication
  - Sensor network access to targeted networks (OpenVAS, Nmap, Nagios, WMI, SCP require network access)
  - Providing an IP address for external devices to send data to (Syslog, FTP, Samba, Snare, OSSEC)
Network Requirement: Sensor
• Most problems when configuring AlienVault happen with the Sensor profiles:
The red line represents a port mirroring that has been set up on a switch for the Sensor profile and its applications (Ntop, Snort, Pads, P0f and Arpwatch) to passively analyze traffic.
Network Requirement: Sensor
This second case represents a Sensor profile where only log collection and analysis will be performed, without listening to any traffic. No listening application should be running on this system since there is no configured port mirroring.
This third case requires both an IP address as well as a passively listening interface, since our Sensor profile will be both capturing traffic from a port mirror and collecting logs.
Recommendations
• Always use the latest installation image
• If you need performance you can't use "any" hardware
• Use only what you need (Disable unused Data Sources)
• If you install your system in English you'll have an easier time finding help
• For network traffic analysis ensure your NIC supports the e1000 driver.
• Whenever possible set up a separate machine for the Database profile
Recommendations II
• It makes little sense to enable the listening applications (Snort, Ntop, Arpwatch…) if we don't have a port mirror set up.
• 64-bit greatly improves performance
• The best network cards should always be used for the listening interfaces (promiscuous mode)
• The not-so-good network cards can be used for administration or collection (Syslog, OpenVAS, Nagios…)
Check List
• Check List for an AlienVault Installation
  - Rack Space
  - Power
  - Network Configuration
    - Port mirroring
    - IP addresses
  - Professional Key
  - Internet Access (Required when installing the professional version)
Installation Profiles
• Depending on the role of the new host within the AlienVault deployment it is possible to configure the profile in use. This can be configured during the installation process or after installation. By default the Automated Installation will enable all profiles in the same box.
Installation Profile: Sensor
• The Sensor Profile will enable the Sensor functionality of AlienVault.
• The following AlienVault Data Sources are enabled by default:
  - Snort (Network Intrusion Detection System)
  - Ntop (Network and usage Monitor)
  - OpenVAS (Vulnerability Scanning)
  - P0f (Passive operating system detection)
  - Pads (Passive Asset Detection System)
  - Arpwatch (Ethernet/IP address pairings monitor)
  - OSSEC (Host Intrusion Detection System)
  - Nagios (Availability Monitoring)
  - OCS (Inventory)
Installation Profile: Server
• This installation profile combines the SIEM and Logger components. The Sensors will connect to the AlienVault Server to send the normalized events.
• Simple deployments will include a single Server in the deployment. More complex deployments could have more than one Server with different roles, or in case it is required to deploy the AlienVault Server in high availability.
• The Server installation profile also comes with a Sensor with limited functionality to monitor the Server itself
Installation Profile: Database
• The Database profile will enable a MySQL database to store configuration and events (if the SIEM functionality is in use). At least one Database is required in each deployment.
• Even if only the Logger profile is enabled (and not the SIEM), a database will be required to store the inventory information and the configuration parameters.
Installation Profile: All in one
• The All-in-one profile will enable all profiles in a single box. This is the default installation profile and it will be enabled if the user does an automated installation.
Installation Overview
Automated Installation
1. Boot the installation system
2. Configure networking
3. Create and mount the partitions on which AlienVault will be installed
4. Watch the automatic download/install/setup/update of the base system.
5. Set up users and passwords
6. Load the newly installed system for the first time
Custom Installation
1. Boot the installation system
2. Select the installation language
3. Configure keyboard
4. Configure location
5. Select the AlienVault profiles for this installation
6. Configure networking
7. Create and mount the partitions on which AlienVault will be installed
8. Enter the professional license
9. Watch the automatic download/install/setup/update of the base system.
10. Set up users and passwords
Configuration
Basic System Configuration
• Changing the keyboard layout
  - To change the keyboard layout simply type this command:
    # dpkg-reconfigure console-data
• Setting the Current System Date and Time
  - To display the current system time, enter the date command:
    # date
  - To set the current system time, use the following form of the date command:
    # date MMDDhhmm[CC]YY[.ss]
Basic System Configuration
• Set the date and time via NTP
  - To set the date using an NTP server type the following command in the terminal:
    # ntpdate pool.ntp.org
    pool.ntp.org can be replaced by the NTP server in your corporation or by any other NTP server on the Internet.
• Changing the time zone
  - To change the timezone just type this command:
    # dpkg-reconfigure tzdata
AlienVault Basic Configuration
• The centralized configuration is stored in the following file:
! /etc/ossim/ossim_setup.conf
• You can edit this file using any text editor (vim, nano, pico…).
• Inexperienced users should use the following command to edit this file:
! # alienvault-setup
• To apply the centralized configuration to every configuration file you will have to run the following command:
! # alienvault-reconfig
• Enable / Disable Plugins (Data Sources)
! To select the enabled Plugins (Data Sources) type the following command:
- # alienvault-setup
! Then select the option 'Change Sensor Settings', and then 'Enable/Disable detector plugins'. You will get a list of enabled and disabled plugins; press space when over the name of a plugin to enable or disable it. To apply the changes select 'Save & Exit' in the main menu.
• Configure Plugins (Data Sources)
! Once a plugin has been enabled you may need to configure it. Plugin configuration files are stored in the directory /etc/ossim/agent/plugins. There you will find a .cfg file for each plugin.
! You may need to edit the location parameter to point the AlienVault collector to the file in which the logs of that application are being stored. If you modify the configuration file of one of your plugins, type the following command to restart the OSSIM Agent:
- # /etc/init.d/ossim-agent restart
• Configure listening interfaces
! The alienvault-setup script allows configuring the network interfaces in promiscuous mode. All the AlienVault detectors that require analyzing all network traffic will be configured to work on these network cards (Snort, Ntop, Fprobe, Pads...).
! Select only those interfaces that are connected to a mirrored port or to a network tap, as these applications will be useless if they are not analyzing all traffic in the network.
! To select the listening interfaces type the following command:
- # alienvault-setup
- and then choose 'Change Sensor Settings' and then 'Select interfaces in promiscuous mode', then select 'Save & Exit' to apply the changes.
alienvault-reconfig
alienvault-reconfig reads the centralized configuration in /etc/ossim/ossim_setup.conf and regenerates, among others, the following configuration files:
- /etc/network/interfaces
- /etc/snort*
- /etc/default/ntop
- /etc/rsyslog.conf
- /etc/ossim/agent/config.cfg
- /etc/ossim/server/config.xml
- /etc/ossim/framework.conf
- /etc/mysql/my.cnf
- /etc/logrotate*
- /etc/default/fprobe
- .....
VPN Configuration
• When performing a custom installation with the profiles on different boxes, the installer will automatically configure a VPN network to encrypt communication between the different AlienVault components. This feature has been implemented using OpenVPN.
• The VPN server will be configured in the machine running the Server profile. If we want to include another AlienVault component in the VPN we have to run this command in the machine running the Server profile. We will use in the following examples the IP address 192.168.0.200, as if it were a box running the Collector profile:
! # alienvault-reconfig --add_vpnnode 192.168.0.200
! This command will generate a compressed file containing all the files required to configure the VPN network in the AlienVault component we want to put inside the VPN network. This file will be stored in the following directory:
! /etc/openvpn/nodes/
Network Configuration
• Setting the hostname
! To change the hostname, simply modify the value of the parameter hostname in /etc/ossim/ossim_setup.conf and run the command:
- # alienvault-reconfig
• Setting up DNS
! You can add hostnames and IP addresses to the file /etc/hosts for static lookups. To cause your machine to consult a particular server for name lookups, add its address to /etc/resolv.conf.
! For example, a machine which should perform lookups from the DNS server at IP address 192.168.1.200 would have a resolv.conf file looking like this:
search my.domain
nameserver 192.168.1.1
• Setting up the IP address
- The IP addresses associated with any network cards you might have are read from the file /etc/network/interfaces. This file has documentation you can read with:
• # man interfaces
- A sample entry for a machine with a static address (eth0) would look like this:
allow-hotplug eth0
iface eth0 inet static
    address 192.168.1.133
    netmask 255.255.0.0
    network 192.168.0.0
    broadcast 192.168.255.255
    gateway 192.168.1.1
    dns-nameservers 192.168.1.100
- If you make changes to this file you can cause them to take effect by running:
• # /etc/init.d/networking restart
• Setting up a network card in promiscuous mode
• If a network card is going to be used to analyze all traffic in the network, it should not have an assigned IP address. This will considerably improve the performance of the network card. To do this you will have to include a new entry in the file /etc/network/interfaces:
up ifconfig eth0 0.0.0.0 promisc -arp
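Added example (Python, not from the course material): it writes the static management stanza and the promiscuous capture stanza described above, then checks that the capture interface has no address, gateway or DNS settings before it is handed to Snort, Ntop or Fprobe. The interface names and addresses are constructed; using 'inet manual' for the capture interface is an assumption (the usual ifupdown method for an interface that must never get an address).

```python
def static_stanza(iface, address, netmask, gateway, dns):
    """Management interface with a static address, as in the page's eth0
    example (network/broadcast lines omitted: ifupdown derives them)."""
    return "\n".join([
        f"allow-hotplug {iface}",
        f"iface {iface} inet static",
        f"    address {address}",
        f"    netmask {netmask}",
        f"    gateway {gateway}",
        f"    dns-nameservers {dns}",
    ]) + "\n"


def promisc_stanza(iface):
    """Capture interface: no IP, promiscuous, ARP disabled. The 'inet manual'
    method is assumed so that ifupdown never assigns an address."""
    return "\n".join([
        f"auto {iface}",
        f"iface {iface} inet manual",
        f"    up ifconfig {iface} 0.0.0.0 promisc -arp",
        f"    down ifconfig {iface} down",
    ]) + "\n"


def parse_interfaces(text):
    """Map interface name -> {'method': ..., 'options': [...]} from an
    interfaces(5) style file (sufficient for the stanzas above)."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "iface" and len(parts) >= 4:
            current = parts[1]
            result[current] = {"method": parts[3], "options": []}
        elif parts[0] in ("auto", "allow-hotplug"):
            current = None          # these lines belong to no stanza
        elif current is not None:
            result[current]["options"].append(line)
    return result


# Option keywords that would give a capture interface an IP configuration
ADDRESS_KEYS = ("address", "netmask", "gateway", "dns-nameservers",
                "network", "broadcast")


def sniffing_iface_problems(text, iface):
    """Return a list of misconfigurations for a capture interface;
    an empty list means it is suitable for a mirror port or tap."""
    ifaces = parse_interfaces(text)
    if iface not in ifaces:
        return [f"{iface}: no iface stanza"]
    cfg = ifaces[iface]
    problems = []
    if cfg["method"] != "manual":
        problems.append(f"{iface}: method is {cfg['method']}, expected manual")
    if any(o.split()[0] in ADDRESS_KEYS for o in cfg["options"]):
        problems.append(f"{iface}: has an IP configuration")
    if not any("promisc" in o for o in cfg["options"]):
        problems.append(f"{iface}: not set to promiscuous mode")
    return problems


if __name__ == "__main__":
    conf = (static_stanza("eth0", "192.168.1.133", "255.255.0.0",
                          "192.168.1.1", "192.168.1.100")
            + promisc_stanza("eth1"))
    print(conf)
    print("eth1 problems:", sniffing_iface_problems(conf, "eth1"))
```

Run the validator against the real /etc/network/interfaces after editing it and before restarting networking; a capture interface that reports "has an IP configuration" will answer ARP and show up on the monitored segment.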
• Setting the default Gateway
• The default route for a host with a static IP address can be set in /etc/network/interfaces.
• If you wish to view your current default route/gateway you can run:
! # netstat -nr
• To change your default route you must first remove the current one:
! # /sbin/route del default gw 192.168.0.1
• In case you change the management IP address of one of your AlienVault boxes you have to do the following to make sure that all components using the old IP address are now using the new one.
• Once you have modified /etc/network/interfaces and restarted networking, edit the file /etc/ossim/ossim_setup.conf
• In this file you could just do a search (old IP address) and replace (new IP address), or take a look at the following parameters:
! admin_ip: Management IP (SSH and Web access)
! db_ip: IP address of the host running the Database Profile
! framework_ip: IP address of the host running the Web Management Interface
! server_ip: IP address of the host running the Server Profile
• Once you have set the correct IP addresses you can generate all configuration files by running:
! # alienvault-reconfig
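Added example, not part of the ACSA course material: a small Python helper that rewrites the four IP parameters listed above in a copy of ossim_setup.conf and verifies that no reference to the old address is left before alienvault-reconfig is run. It only touches the named keys whose value is exactly the old address, so a blind search-and-replace cannot clobber a different host (for instance a db_ip that points at a separate Database profile box). The sample file content and addresses are constructed; the key=value layout is assumed.

```python
import re

# Constructed sample of the IP-related keys in /etc/ossim/ossim_setup.conf
# (an all-in-one box, so every component points at the same address)
SAMPLE_CONF = """\
[general]
admin_ip=192.168.0.200
hostname=alienvault
[database]
db_ip=192.168.0.200
[framework]
framework_ip=192.168.0.200
[server]
server_ip=192.168.0.200
"""

# Parameters listed on the page that carry an IP address
IP_KEYS = ("admin_ip", "db_ip", "framework_ip", "server_ip")

KEY_VALUE_RE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(\S+)\s*$")


def replace_ip(conf_text, old_ip, new_ip, keys=IP_KEYS):
    """Rewrite the named keys whose value is exactly old_ip.

    Returns (new_text, changed_keys). A key pointing at another host is left
    untouched, and a longer address such as 192.168.0.2001 is never mistaken
    for 192.168.0.200 because values are compared whole, not as substrings."""
    changed, out = [], []
    for line in conf_text.splitlines():
        m = KEY_VALUE_RE.match(line)
        if m and m.group(1) in keys and m.group(2) == old_ip:
            line = f"{m.group(1)}={new_ip}"
            changed.append(m.group(1))
        out.append(line)
    return "\n".join(out) + "\n", changed


def leftover_references(conf_text, old_ip, keys=IP_KEYS):
    """Keys still pointing at old_ip; this list should be empty before
    alienvault-reconfig regenerates the component configuration files."""
    found = []
    for line in conf_text.splitlines():
        m = KEY_VALUE_RE.match(line)
        if m and m.group(1) in keys and m.group(2) == old_ip:
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    new_text, changed = replace_ip(SAMPLE_CONF, "192.168.0.200", "10.0.0.50")
    print(new_text)
    print("changed:", changed,
          "leftover:", leftover_references(new_text, "192.168.0.200"))
```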
Rename network interfaces
• To rename network interfaces:
- # apt-get install ifrename
- Edit the file /etc/iftab
- Insert a line for each network interface with the following format:
eth0 mac 00:17:31:56:BC:2D
eth1 mac 00:16:3E:2F:0E:9C
- Network cards with more than one interface usually have consecutive MAC addresses. To list the MAC addresses:
• # ifconfig -a | grep HWaddr
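Added example (Python, not from the course): it extracts the MAC addresses from the net-tools ifconfig output format the command above produces, groups consecutive MACs so that the ports of a multi-port card can be recognised, writes /etc/iftab lines in the format shown above and validates them. The ifconfig output is a constructed sample; the interface names used in the iftab are invented for the example.

```python
import re

# Constructed sample of `ifconfig -a | grep HWaddr` output (net-tools format)
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:17:31:56:bc:2d
eth1      Link encap:Ethernet  HWaddr 00:16:3e:2f:0e:9c
eth2      Link encap:Ethernet  HWaddr 00:16:3e:2f:0e:9d
"""

HWADDR_RE = re.compile(
    r"^(\S+)\s+Link encap:\S+\s+HWaddr\s+([0-9A-Fa-f:]{17})", re.M)
MAC_RE = re.compile(r"([0-9A-F]{2}:){5}[0-9A-F]{2}")


def parse_hwaddrs(ifconfig_output):
    """[(kernel name, MAC)] in the order ifconfig listed them."""
    return [(name, mac.upper()) for name, mac in HWADDR_RE.findall(ifconfig_output)]


def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def consecutive_mac_groups(pairs):
    """Group interfaces whose MACs are consecutive: the page notes that the
    ports of a multi-port card usually get consecutive addresses."""
    ordered = sorted(pairs, key=lambda p: mac_to_int(p[1]))
    groups = []
    for pair in ordered:
        if groups and mac_to_int(pair[1]) - mac_to_int(groups[-1][-1][1]) == 1:
            groups[-1].append(pair)
        else:
            groups.append([pair])
    return groups


def build_iftab(mapping):
    """mapping: desired name -> MAC. Returns /etc/iftab contents in the
    '<name> mac <MAC>' format used by ifrename."""
    return "".join(f"{name} mac {mac.upper()}\n" for name, mac in mapping.items())


def check_iftab(text):
    """Reject malformed lines, bad MACs, duplicate names or duplicate MACs,
    any of which would leave an interface unrenamed or renamed twice."""
    names, macs, errors = set(), set(), []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 3 or parts[1] != "mac":
            errors.append(f"line {n}: expected '<name> mac <MAC>'")
            continue
        name, mac = parts[0], parts[2].upper()
        if not MAC_RE.fullmatch(mac):
            errors.append(f"line {n}: bad MAC {parts[2]}")
        if name in names:
            errors.append(f"line {n}: duplicate name {name}")
        if mac in macs:
            errors.append(f"line {n}: duplicate MAC {mac}")
        names.add(name)
        macs.add(mac)
    return errors


if __name__ == "__main__":
    pairs = parse_hwaddrs(SAMPLE_IFCONFIG)
    for group in consecutive_mac_groups(pairs):
        print("same card:" if len(group) > 1 else "single:", group)
    # invented names: mgmt0 for management, sniff0 for the mirror port
    tab = build_iftab({"mgmt0": "00:17:31:56:bc:2d", "sniff0": "00:16:3e:2f:0e:9c"})
    print(tab, "errors:", check_iftab(tab))
```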
AlienVault Local Firewall
• AlienVault configures a firewall during the installation process. If you want to disable or enable the firewall you can do that by typing:
! # alienvault-setup
• Select 'Change General Settings' and then select 'Configure Firewall'. Then, in the main menu select 'Save & Exit'.
• If you want to add exceptions to that firewall write your own rules (iptables firewall rules) in the following file:
! /etc/ossim/firewall_include
• and execute:
! # alienvault-reconfig
Basic Tools
• Ping: Check the connection status with a remote host or gateway
• Telnet: Communicate with another host using the TELNET protocol.
• Dig: Query a DNS server.
• Traceroute: Prints the route packets take to a network host.
• Whois: Looks up records in the databases maintained by several Network Information Centers (NICs).
• Netstat: The Netstat command symbolically displays the contents of various network-related data structures.
• Nslookup: Check whether a DNS server is resolving the hostnames correctly or not.
Tcpdump
• Tcpdump is a common packet analyzer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.
! See the list of interfaces on which tcpdump can listen:
- # tcpdump -D
! Listen on interface eth0:
- # tcpdump -i eth0
! Listen on any available interface:
- # tcpdump -i any
Tcpdump (Usage Examples)
• Display traffic from/to host 192.168.1.1
! # tcpdump host 192.168.1.1
• Display traffic on port 22
! # tcpdump port 22
• Display all TCP traffic except port 80
! # tcpdump tcp and not port 80
• Capture any packets where the destination host is 192.168.1.1. Display IP addresses and port numbers (-n disables name resolution):
! # tcpdump -n dst host 192.168.1.1
• Capture any packets where the source host is 192.168.1.1. Display IP addresses and port numbers:
! # tcpdump -n src host 192.168.1.1
Tcpdump (Usage Examples II)
• Capture any packets where the destination network is 192.168.1.0/24. Display IP addresses and port numbers:
! # tcpdump -n dst net 192.168.1.0/24
• Capture any packets where the source or destination network is 192.168.1.0/24. Display IP addresses and port numbers:
! # tcpdump -n net 192.168.1.0/24
• Capture any packets where the destination port is 23. Display IP addresses and port numbers:
! # tcpdump -n dst port 23
• Capture any packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:
! # tcpdump -n dst portrange 1-1023
Tcpdump (Usage Examples III)
• Capture any packets with destination IP 192.168.1.1 and destination port 23. Display IP addresses and port numbers:
! # tcpdump -n "dst host 192.168.1.1 and dst port 23"
• Capture any packets with destination IP 192.168.1.1 and destination port 80 or 443. Display IP addresses and port numbers:
! # tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)"
• Capture only TCP packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:
! # tcpdump -n tcp dst portrange 1-1023
• Capture either ICMP or ARP packets:
! # tcpdump -v "icmp or arp"
• Capture any packets that are broadcast or multicast:
! # tcpdump -n "broadcast or multicast"
Tcpreplay
• Tcpreplay is a tool for replaying network traffic from files saved with tcpdump or other tools which write pcap files (Ngrep, Wireshark, Tshark...)
• The basic operation of tcpreplay is to resend all packets from the input file(s) at the speed at which they were recorded, or at a specified data rate, up to as fast as the hardware is capable.
• Tcpreplay provides the ability to classify traffic as client or server, edit packets at layers 2-4 and replay the traffic at arbitrary speeds onto a network for sniffing or through a device.
Tcpreplay (Usage Examples)
• Basic usage: replay the sample.pcap file (send traffic out of interface 'eth0')
! # tcpreplay -i eth0 sample.pcap
• To replay traffic as quickly as possible:
! # tcpreplay --topspeed -i eth0 sample.pcap
• To replay traffic at half-speed:
! # tcpreplay --multiplier=0.5 --intf1=eth0 sample.pcap
• To replay at 25 packets per second:
! # tcpreplay --pps=25 -i eth0 sample.pcap
• To replay the sample.pcap file 10 times:
! # tcpreplay --loop=10 -i eth0 sample.pcap
Tcpreplay (Usage Examples II)
• Capturing packets using Tcpdump
! The default tcpdump parameters result in a capture file where each packet is truncated. To ensure that you capture complete packets, set the snapshot length explicitly:
- # tcpdump -i <interface> -s 65535 -w <file>
! Capture all traffic on port 53 (interface 'eth0') to a file:
- # tcpdump -i eth0 -s 65535 -w sample.cap port 53
! Download packet captures (PCAP):
- http://www.pcapr.net/
- https://www.evilfingers.com/repository/pcaps.php
- http://sourceforge.net/projects/networkminer/
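Added example (Python, not from the course): a check that a capture file was written with a snapshot length large enough not to truncate packets, which is worth running before a capture is replayed with tcpreplay or fed to Snort. It reads the classic pcap global header (snaplen) and compares each record's captured length with its original length; a record whose captured length is shorter was cut by the snapshot length. The capture data is constructed in the example rather than taken from the download sites above.

```python
import struct

# Classic pcap layout (libpcap format): 24-byte global header, then per
# packet a 16-byte record header followed by the captured bytes.
PCAP_GLOBAL_HEADER = "IHHiIII"   # magic, major, minor, tz, sigfigs, snaplen, linktype
PCAP_RECORD_HEADER = "IIII"      # ts_sec, ts_usec, caplen (incl_len), orig_len
GLOBAL_LEN = struct.calcsize("<" + PCAP_GLOBAL_HEADER)   # 24
RECORD_LEN = struct.calcsize("<" + PCAP_RECORD_HEADER)   # 16


def build_pcap(snaplen, packets, linktype=1):
    """Constructed little-endian pcap for the example (linktype 1 = Ethernet).
    packets: list of (original_length, captured_bytes)."""
    out = struct.pack("<" + PCAP_GLOBAL_HEADER, 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for orig_len, data in packets:
        out += struct.pack("<" + PCAP_RECORD_HEADER, 0, 0, len(data), orig_len) + data
    return out


def pcap_summary(blob):
    """Read the global header and every record header; count records whose
    captured length is shorter than the on-the-wire length."""
    (magic,) = struct.unpack_from("<I", blob, 0)
    if magic == 0xA1B2C3D4:          # written on a little-endian host
        end = "<"
    elif magic == 0xD4C3B2A1:        # written on a big-endian host
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    fields = struct.unpack_from(end + PCAP_GLOBAL_HEADER, blob, 0)
    snaplen, linktype = fields[5], fields[6]
    off, packets, truncated = GLOBAL_LEN, 0, 0
    while off + RECORD_LEN <= len(blob):
        _, _, caplen, orig_len = struct.unpack_from(end + PCAP_RECORD_HEADER, blob, off)
        if off + RECORD_LEN + caplen > len(blob):
            raise ValueError(f"record at offset {off} runs past end of file")
        if caplen < orig_len:
            truncated += 1
        packets += 1
        off += RECORD_LEN + caplen
    return {"snaplen": snaplen, "linktype": linktype,
            "packets": packets, "truncated": truncated}


def is_complete_capture(blob):
    """True when no record was cut short by the snapshot length."""
    return pcap_summary(blob)["truncated"] == 0


if __name__ == "__main__":
    # a 60-byte and a 1514-byte frame captured with -s 65535 (nothing cut)
    full = build_pcap(65535, [(60, b"\x00" * 60), (1514, b"\x00" * 1514)])
    # the same frames captured with a small snaplen: the big one is cut
    short = build_pcap(96, [(60, b"\x00" * 60), (1514, b"\x00" * 96)])
    print(pcap_summary(full), is_complete_capture(full))
    print(pcap_summary(short), is_complete_capture(short))
```

The summary function reads only headers, so it runs quickly on large files: read the file in binary mode and pass the bytes to pcap_summary. A non-zero truncated count cannot be repaired after the fact; the capture has to be taken again with -s 65535 (or -s 0 on tcpdump versions that accept it).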
Ngrep
• Ngrep strives to provide most of GNU grep's common features, applying them to the network layer.
• Ngrep is a pcap-aware tool (Wireshark, Tcpdump...)
• Ngrep allows you to specify extended regular expressions to match against the data payloads of packets.
• Ngrep uses the same filtering syntax as Tcpdump
Ngrep (Usage Examples)
• Monitor all activity crossing source or destination port 25 (SMTP). On any interface.
! # ngrep -d any port 25
• Monitor FTP activity searching for user|pass
! # ngrep -wi -d any 'user|pass' port 21
• Monitor syslog events searching for errors
! # ngrep -d any 'error' port syslog
• Monitor all outgoing web requests from machine 12.13.14.15 (Interface eth0):
! # ngrep -d eth0 -q -t '^(GET|POST) ' 'src host 12.13.14.15 and tcp and dst port 80'
• Identify the client application (User-Agent header) that a client host is running
! # ngrep -q 'user-agent' tcp port 80
IPTraf
• IPTraf is a console-based network statistics utility
• It gathers a variety of figures such as TCP connection packet and byte counts, interface statistics and activity indicators, TCP/UDP traffic breakdowns, and LAN station packet and byte counts.
• Usage:
! # iptraf
Wireshark
• Wireshark is a GUI network protocol analyzer. It lets you interactively browse packet data from a live network or from a previously saved capture file.
• Wireshark is a pcap-aware tool
• Wireshark is very similar to tcpdump, but has a graphical front-end, and many more information sorting and filtering options
Etherape
• EtherApe is a packet sniffer/network traffic monitoring tool developed for Unix.
• Network traffic is displayed using a graphical interface. Each node represents a specific host.
• Links represent connections to hosts. Nodes and links are color coded to represent the different protocols forming the various types of traffic on the network. Individual nodes and their connecting links grow and shrink in size with increases and decreases in network traffic.
Tshark
• TShark is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file.
• TShark's native capture file format is the libpcap format (Tcpdump, Tcpreplay, Ngrep, Wireshark...).
Tshark (Usage Examples)
• Display the source port of all TCP packets in the file /tmp/capture.cap
! # tshark -z "proto,colinfo,tcp.srcport,tcp.srcport" -r /tmp/capture.cap
• Display the network packets of an IP address in the file /tmp/capture.cap
! # tshark -R "ip.addr == 192.168.0.1" -r /tmp/capture.cap
• Display HTTP response codes
! # tshark -o "tcp.desegment_tcp_streams:TRUE" -i eth0 -R "http.response" -T fields -e http.response.code
• Display MySQL queries sent to a MySQL server
! # tshark -i any -T fields -R mysql.query -e mysql.query
Ethtool / mii-tool
• Ethtool
! Ethtool displays or changes ethernet card settings (link, negotiation info, statistics...)
! Usage: # ethtool <interface>
- # ethtool eth0
• Mii-tool
! Mii-tool checks or sets the status of a network interface
! Usage:
- # mii-tool
Dsniff
• Dsniff automatically detects and minimally parses each application protocol, only saving the interesting bits, and uses Berkeley DB as its output file format, only logging unique authentication attempts.
! tcpkill: Kills specified in-progress TCP connections
! urlsnarf: Outputs all requested URLs sniffed from HTTP traffic
! msgsnarf: Records selected messages from AOL Instant Messenger, ICQ 2000, IRC, MSN Messenger, or Yahoo Messenger chat sessions.
! filesnarf: Saves files sniffed from NFS traffic in the current working directory.
Nmap
• Nmap is a tool for network exploration and security auditing.
! Basic IP scan
- # nmap 172.18.1.1
! IP scan with OS and service detection
- # nmap -sV -O 172.18.1.1
! Network scan
- # nmap 172.18.1.*
- # nmap 172.18.1.0/16
! Scan port 22 of every host in the network
- # nmap -p22 192.168.1.0/16
! Find unused IPs on a given subnet
- # nmap -T4 -sP 192.168.2.0/24 && egrep "00:00:00:00:00:00" /proc/net/arp
Honeypots
• A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.
• A honeypot consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.
• Activity typically captured by a honeypot: port scans, shellcodes, spam, vulnerability scans, malware
• mwcollect
! Mwcollect is a versatile malware collection daemon, uniting the best features of nepenthes and honeytrap, licensed under the LGPL.
! http://www.mwcollect.org
• Dionaea
! Dionaea is a malware collection honeypot focusing primarily on SMB emulation. Dionaea uses Python as scripting language, uses libemu to detect shellcodes, and supports IPv6 and TLS.
! http://www.mwcollect.org
• Amun
! Amun is a low-interaction honeypot designed to capture autonomous spreading malware in an automated fashion. Amun is written in Python and therefore allows easy integration of new features.
! http://amunhoney.sf.net
• Omnivora
! Omnivora is a low-interaction honeypot for systems running Windows operating systems and is implemented using Borland Delphi.
! http://www.ohloh.net/p/omnivora
Websites - Security
• http://www.shadowserver.org
! Malware, Botnet activity, electronic fraud...
• http://isc.sans.edu
! Analysis and warning Service against malicious attackers
• http://www.osvdb.org
! Open Source Vulnerability Database
• http://www.securityfocus.org
! Discussion on computer security related topics
• http://www.exploit-db.com
! Archive of exploits and vulnerable software.
Websites - Malware
• Malware samples
! http://www.malwareurl.com
! http://www.malwaredomainlist.com
• Malware Analysis
! http://www.virustotal.com
! http://www.threatexpert.com
! http://www.offensivecomputing.net
WARNING: These sites contain samples of live malware. Use at your own risk.
Backtrack
• BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking.
! http://www.backtrack-linux.org/
Metasploit
• The Metasploit Framework is the open source penetration testing framework with the world's largest database of public, tested exploits.
• Metasploit is part of the software included in BackTrack
! http://www.metasploit.com
Metasploitable
• Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql.
! http://blog.metasploit.com/2010/05/introducing-metasploitable.html
! http://www.metasploit.com/documents/express/Metasploitable.zip.torrent
Integrated Tools
Tools Classification
• Tools integrated in AlienVault can be classified into two categories according to the behavior of these tools within the network being monitored.
! Active: They generate traffic within the network that is being monitored.
! Passive: They analyze network traffic without generating any traffic within the monitored network.
The passive tools require a port mirroring/port span configured in the network equipment to be able to analyze all traffic of the monitored network/s.
Snort (PASSIVE TOOL - NIDS)
• Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS).
! http://www.snort.org
• Snort generates security events when analyzing the network traffic
• Snort combines signature, protocol, and anomaly-based inspection
• Utility within AlienVault:
! Port scans
! Worms
! Malware
! Policy violations (P2P, IM, Porn, Games...)
Snort (PASSIVE TOOL - NIDS) - Example rules
• Virus and Trojans
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET VIRUS Bugbear@MM virus via SMTP"; flow: established; content:"uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQk/xWcEQmDxCTD"; reference:url,www.symantec.com/avcenter/venc/data/[email protected]; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001764; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_BugBear; sid: 2001764; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM UPX encrypted file download - possible worm"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"|00|code|00|"; content:"|00 C0|text|00|"; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001047; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/WORM_Suspicious_Extensions; sid: 2001047; rev:6;)
• Scans
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET SCAN Unusually Fast 403 Error Messages, Possible Web Application Scan"; flow:from_server,established; content:"HTTP/1.1 403"; depth:13; threshold: type threshold, track by_dst, count 35, seconds 60; classtype:attempted-recon; reference:url,www.checkupdown.com/status/E403.html; reference:url,doc.emergingthreats.net/2009749; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_403; sid:2009749; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"ET SCAN Rapid POP3 Connections - Possible Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 10, seconds 120; classtype: misc-activity; reference:url,doc.emergingthreats.net/2002992; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_General_Services; sid: 2002992; rev:5;)
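Added example (Python, not from the course or the Emerging Threats ruleset): a minimal parser for rules like the ones above. It splits the rule header from the option list, honours ';' inside quoted values (msg and content regularly contain one), and decodes the threshold option, which is what decides how often the POP3 brute-force rule above can fire (at most once per source every 120 seconds after 10 SYNs). Only the keywords an analyst tunes (msg, sid, rev, classtype, reference, threshold) are decoded; every other option is kept as a raw key/value pair. The input is the POP3 rule from this page, reflowed, with the longer reference dropped.

```python
import re

# Input for the example: the POP3 brute-force rule from this page, reflowed
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"ET SCAN Rapid POP3 Connections - '
    'Possible Brute Force Attack"; flags: S,12; threshold: type both, track by_src, '
    'count 10, seconds 120; classtype: misc-activity; '
    'reference:url,doc.emergingthreats.net/2002992; sid: 2002992; rev:5;)'
)

# action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)


def split_options(body):
    """Split 'key:value; key:value;' into (key, value) pairs. A ';' inside a
    quoted value must not terminate the option."""
    opts, buf, quoted = [], "", False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            if buf.strip():
                opts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    if buf.strip():
        opts.append(buf.strip())
    pairs = []
    for opt in opts:
        key, _, value = opt.partition(":")
        pairs.append((key.strip(), value.strip().strip('"')))
    return pairs


def parse_threshold(value):
    """'type both, track by_src, count 10, seconds 120' -> dict."""
    if value is None:
        return None
    fields = {}
    for part in value.split(","):
        key, val = part.split()
        fields[key] = int(val) if val.isdigit() else val
    return fields


def parse_rule(text):
    """Decode the header and the options that matter for tuning: msg,
    sid/rev, classtype, references and threshold."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    opts = split_options(body)
    rule = {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": opts}
    for key, value in opts:
        if key in ("sid", "rev"):
            rule[key] = int(value)
        elif key in ("msg", "classtype"):
            rule[key] = value
    rule["references"] = [v for k, v in opts if k == "reference"]
    rule["threshold"] = parse_threshold(dict(opts).get("threshold"))
    return rule


if __name__ == "__main__":
    r = parse_rule(SAMPLE_RULE)
    print(f"sid {r['sid']} rev {r['rev']}: {r['msg']} [{r['classtype']}]")
    print("fires", r["threshold"])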
Ntop (PASSIVE TOOL - Network Monitor)
• Ntop is a network probe that shows network usage in a way similar to what top does for processes. Ntop is a network and usage monitor.
! http://www.ntop.org
• Ntop provides information (real-time and historical) about the network usage
• Utility within AlienVault:
! Usage network statistics
! Assets information
! Time and activity matrixes
! Real-time session monitoring
Ntop - RRD Aberrant Behaviour (PASSIVE TOOL - Network Anomalies)
! Analyzing the historical data, Ntop uses the RRD Aberrant Behaviour algorithm to draw predictions of the future behaviour of our assets and networks.
! If the prediction differs from the real traffic an event is generated in AlienVault
Fprobe (PASSIVE TOOL - NetFlow generator)
! Fprobe is a tool that collects network traffic data and emits it as NetFlow flows towards the specified collector (NFdump in AlienVault).
- http://fprobe.sf.net
! An AlienVault Sensor running Fprobe emits NetFlows when collecting the network traffic (port mirroring / hub / network tap...)
! The AlienVault Web Interface (Framework) runs the NetFlow collector.
! The major manufacturers implement in their devices the ability to send NetFlows; in this case it is not necessary to use Fprobe.
NFDump (PASSIVE TOOL - NetFlow collection)
! The nfdump tools collect and process NetFlow data
- http://nfdump.sourceforge.net/
! NFDump runs in the box running the AlienVault Web Interface
NFSen (Web based tool)
! NFSen is a graphical web based front end for the nfdump NetFlow tools.
- http://nfsen.sourceforge.net/
! NetFlow is a network protocol developed by Cisco Systems to run on Cisco IOS-enabled equipment for collecting IP traffic information.
! It is supported by platforms other than IOS such as Juniper, Linux, FreeBSD or OpenBSD.
OCS Inventory (ACTIVE TOOL - Agent)
• Open Computer and Software Inventory Next Generation (OCS Inventory NG) is free software that enables users to inventory their IT assets.
! http://www.ocsinventory-ng.org
• OCS-NG collects information about the hardware and software of networked machines running the OCS client program ("OCS Inventory Agent").
• Utility within AlienVault
! Inventory Management (Software & Hardware)
! Vulnerability Management
! Policy violations
! Hardware monitoring
Nagios (ACTIVE TOOL - Availability Monitor - Agent / Web)
• Nagios is a computer system and network monitoring software application.
• It watches hosts and services, alerting users when things go wrong and again when they get better.
! http://www.nagios.org
• Multiple checks (of different complexity) can be configured in Nagios. E.g.: MySQL Server
! Check whether the host is up or not
! Check whether the MySQL port is opened or closed
! Check whether there is a MySQL server listening on that port
! Do a query and check the result
• Utility within AlienVault:
! Availability monitoring (As any other Data Source)
! Availability monitoring by request (During Logical Correlation)
• Nagios can do checks remotely or with an agent deployed on the host that is being monitored.
• Nagios has a wide number of plugins to monitor different devices and applications.
OpenVAS (ACTIVE TOOL - Vulnerability Scanning)
• OpenVAS (Open Vulnerability Assessment System) is a framework of several services and tools offering a vulnerability scanning and vulnerability management solution.
! http://www.openvas.org
• OpenVAS uses signatures to identify vulnerabilities in the hosts of our network.
• Utility within AlienVault
! Attacks prevention (We know what is vulnerable)
! Is the network policy being violated?
! Shared folders, forbidden activities...
! Compliance monitoring
• Some vulnerabilities can only be verified by actually exploiting them (e.g.: DoS)
• OpenVAS allows fine-tuning the scanning aggressiveness.
• OpenVAS is able to perform local scans on remote machines if valid credentials for them are provided.
Mis-configured scans may severely impact the scanned network. After installation, the first scanning profiles have to be defined and watched over very carefully.
The OpenVAS component scanning the network is installed by default in each AlienVault Sensor
Nikto (ACTIVE TOOL, Vulnerability Scanning)
• Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items
! http://cirt.net/nikto2
• Nikto scans web servers to find potential problems and security vulnerabilities, including:
! Server and software misconfigurations
! Default files and programs
! Insecure files and programs
! Outdated servers and programs
OSVDB Database
• OSVDB is an independent, open source database created by and for the security community.
• The goal of the project is to provide accurate, detailed, current and unbiased technical information on security vulnerabilities.
! http://www.osvdb.org
• Usage within AlienVault:
- Correlation rule creation
- Vulnerability identifier cross-referencing
- Complements OpenVAS scanning information
OSVDB Database (screenshot): vulnerability description; indicators and references
OSVDB Database (screenshot): tool relationships; CVSSv2 score (Common Vulnerability Scoring System)
OSSEC (ACTIVE TOOL, HIDS, Agents)
• OSSEC is a HIDS (Host-based Intrusion Detection System) that features log analysis, rootkit detection, system integrity checking and Windows registry monitoring.
! http://www.ossec.org
• OSSEC requires an agent to be installed on the monitored system (except for SSH-accessible systems, which can be monitored agentlessly).
(Diagram: the OSSEC Server runs in the AlienVault Sensor; agentless collection from SSH-accessible systems; OSSEC Agent for Windows systems; OSSEC Agent for Mac OS X)
• OSSEC is based on a client -> server architecture; AlienVault collects events from the OSSEC server (installed in the AlienVault Sensor).
• OSSEC provides its own plugin system used for Windows and UNIX log analysis.
• Utility within OSSIM:
! Windows and Unix log collection
! Application log collection
! Registry, file and folder monitoring (DLP)
Kismet (PASSIVE TOOL, WIDS)
• Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system.
• http://www.kismetwireless.net
• Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and (with appropriate hardware) can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic.
• Utility within AlienVault:
! Securing WiFi networks
! Rogue AP detection
! Compliance enforcement (PCI wireless requirements)
Nmap (ACTIVE TOOL, Scanner)
• Nmap is a security scanner used to discover hosts and services on a computer network
! http://www.nmap.org
• Nmap provides customizable options for host and network scanning (speed, range, precision...)
• Utility within AlienVault:
! Asset discovery
! Open port discovery
! Service version discovery
! Operating system manufacturer and version discovery
P0f (PASSIVE TOOL, OS Fingerprinting)
• P0f is a versatile passive OS fingerprinting tool
! http://lcamtuf.coredump.cx/p0f.shtml
• Passive operating system detection based on traffic pattern analysis: the TCP/IP stack characteristics (TTL, window size, option layout...) of the packets p0f observes, without sending anything to the host.
• Utility within AlienVault:
! Operating system changes
! Inventory management
! Unauthorized network access
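What passive OS fingerprinting does, and how AlienVault can turn it into an "operating system changed" alert, shown as an added Python example (not p0f's own code or its signature database). The signature table is a deliberately small, illustrative set of SYN characteristics; real p0f ships a much larger database and matches more fields. The observations are constructed, not captured traffic.

```python
from dataclasses import dataclass
from typing import Tuple

@dataclass(frozen=True)
class SynObservation:
    """Fields a passive fingerprinter extracts from one TCP SYN it sees on the wire."""
    src_ip: str
    ttl: int                  # IP TTL as observed (initial TTL minus hops travelled)
    window: int               # TCP window size announced in the SYN
    options: Tuple[str, ...]  # TCP option kinds in the order they appear
    df: bool                  # IP "don't fragment" flag

# Illustrative signatures (assumed for this example, not authoritative p0f data).
SIGNATURES = [
    {"os": "Linux 2.6", "initial_ttl": 64, "window": 5840,
     "options": ("mss", "sackOK", "ts", "nop", "wscale"), "df": True},
    {"os": "Windows XP", "initial_ttl": 128, "window": 65535,
     "options": ("mss", "nop", "nop", "sackOK"), "df": True},
    {"os": "FreeBSD", "initial_ttl": 64, "window": 65535,
     "options": ("mss", "nop", "wscale", "nop", "nop", "ts", "sackOK"), "df": True},
]

def initial_ttl(observed: int) -> int:
    """Recover the sender's initial TTL: stacks start at one of a few common
    values, and every router on the path decrements it by one."""
    for candidate in (32, 64, 128, 255):
        if observed <= candidate:
            return candidate
    return 255

def fingerprint(obs: SynObservation):
    """Return (os_name, hop_count). Nothing is sent to the host: the SYN
    already carries everything that is compared here."""
    guess = initial_ttl(obs.ttl)
    hops = guess - obs.ttl
    for sig in SIGNATURES:
        if (sig["initial_ttl"] == guess and sig["window"] == obs.window
                and sig["options"] == obs.options and sig["df"] == obs.df):
            return sig["os"], hops
    return "unknown", hops

def detect_os_changes(observations):
    """Inventory use: keep the last OS seen per IP and report any change.
    A change usually means a reinstall, a dual-boot host, or another machine
    (possibly unauthorized) now using that address."""
    last = {}
    changes = []
    for obs in observations:
        os_name, _ = fingerprint(obs)
        prev = last.get(obs.src_ip)
        if prev is not None and prev != os_name:
            changes.append((obs.src_ip, prev, os_name))
        last[obs.src_ip] = os_name
    return changes

# Constructed sample: four SYNs as a sensor might see them (not real captures).
SAMPLE = [
    SynObservation("192.168.1.10", 63, 5840, ("mss", "sackOK", "ts", "nop", "wscale"), True),
    SynObservation("192.168.1.20", 126, 65535, ("mss", "nop", "nop", "sackOK"), True),
    # same IP as the first host, but now a Windows stack is answering from it
    SynObservation("192.168.1.10", 127, 65535, ("mss", "nop", "nop", "sackOK"), True),
    SynObservation("192.168.1.30", 250, 1000, ("mss",), False),
]

if __name__ == "__main__":
    for obs in SAMPLE:
        print(obs.src_ip, fingerprint(obs))
    print("OS changes:", detect_os_changes(SAMPLE))
```

The TTL recovery step is the part worth understanding: a host 2 hops away shows TTL 126 for a Windows stack and 62 for a Linux stack, so the raw TTL alone would mislead a naive rule. The "unknown" result is deliberate; a fingerprinter that forces a match on partial evidence produces false "OS changed" alerts.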
PADS (PASSIVE TOOL, Services Fingerprinting)
• PADS is a signature-based detection engine used to passively detect network assets.
! http://passive.sourceforge.net
• Utility within AlienVault:
! Inventory management
! Service version changes
! Policy violations
! Inventory correlation
Arpwatch (PASSIVE TOOL, MAC Fingerprinting)
• Arpwatch is an Ethernet monitor program that keeps track of Ethernet/IP address pairings
! http://ee.lbl.gov
• Utility within AlienVault:
! Inventory management
! IP address change detection
! ARP spoofing detection
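The pairing logic behind the three arpwatch report types ("new station", "changed ethernet address", "flip flop"), as an added Python example that is not arpwatch's code. The ARP observations are constructed for the example; in practice they come from sniffing ARP replies on the sensor interface.

```python
from typing import List, Tuple

# Constructed sequence of (ip, mac) pairs in the order the sensor would see
# them in ARP traffic. Not captured from a real network.
OBSERVATIONS = [
    ("192.168.1.1", "00:11:22:33:44:01"),   # default gateway
    ("192.168.1.10", "00:11:22:33:44:10"),
    ("192.168.1.1", "00:11:22:33:44:01"),   # gateway again, unchanged
    ("192.168.1.1", "aa:bb:cc:dd:ee:ff"),   # gateway IP now claimed by a different MAC
    ("192.168.1.1", "00:11:22:33:44:01"),   # and the original MAC answers again
    ("192.168.1.10", "00:11:22:33:44:10"),
    ("192.168.1.20", "00:11:22:33:44:20"),  # a host not seen before
]

Event = Tuple[str, str, str, str]  # (report type, ip, mac, previous mac or "")

def watch(observations) -> List[Event]:
    """Track the IP -> MAC pairing for every IP and emit arpwatch-style reports.
    - "new station": first time this IP is seen
    - "changed ethernet address": the IP moved to a MAC never paired with it before
    - "flip flop": the IP went back to the MAC it had just before the last change
    """
    current = {}    # ip -> MAC currently paired with it
    previous = {}   # ip -> MAC it was paired with before the current one
    events = []
    for ip, mac in observations:
        mac = mac.lower()
        if ip not in current:
            events.append(("new station", ip, mac, ""))
        elif current[ip] != mac:
            if previous.get(ip) == mac:
                events.append(("flip flop", ip, mac, current[ip]))
            else:
                events.append(("changed ethernet address", ip, mac, current[ip]))
            previous[ip] = current[ip]
        current[ip] = mac
    return events

def spoofing_suspects(events) -> set:
    """IPs whose pairing changed. A flip flop on the gateway address, with the
    real gateway and a second MAC both answering, is the classic ARP-spoofing
    pattern; a single change is more often a legitimate hardware swap or DHCP
    reassignment, which is why the inventory context matters."""
    return {ip for kind, ip, _, _ in events if kind != "new station"}

if __name__ == "__main__":
    for ev in watch(OBSERVATIONS):
        print(ev)
    print("suspects:", spoofing_suspects(watch(OBSERVATIONS)))
```

The distinction between "changed" and "flip flop" is what makes the output useful for correlation: a change that never reverts is an inventory update, while an IP that keeps bouncing between two MACs means two devices are answering for it at the same time.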
NeDi (ACTIVE TOOL, Network Discovery)
• NeDi is an open source network management framework which uses scheduled discovery to examine your network.
! http://nedi.ch
• NeDi requires SNMP read access to all network hardware.
Basic Concepts
Detection
• The process of identifying behaviour that leads to the generation of an event is called Detection.
• Multiple elements are used by AlienVault to provide detection capabilities:
! Snort, Ntop, Arpwatch... (Data Sources included in AlienVault)
! Existing corporate applications/tools
! Tools that had been deployed prior to the AlienVault installation (firewalls, antivirus...)
(Diagram: activity on port 139 detected by two different sources, the Snort signature "ET VIRUS - W32.Opaserv Worm Infection" and a firewall event "Traffic Dropped Port 139")
Collection
• The task that determines which events shall be collected into AlienVault is called Collection. Collection is done by the AlienVault Sensors.
• AlienVault can collect events using multiple methods; some of them require configuring the Data Source to send events to the AlienVault Sensor (e.g.: Syslog, FTP...). With other collection methods the AlienVault Sensor gathers the events from the application or device itself (WMI, SQL, SCP...).
• AlienVault uses regular expressions to determine the format in which the events will be arriving at the system.
(Diagram: Syslog, SQL and WMI feeds reaching the Sensor; the regular expression in the AlienVault Sensor filters the events that have to be collected.)
Normalization
• The process of translating the events generated by different tools into a unique, normalized format is called Normalization.
• Normalization is done in the AlienVault Sensor
• Information is normalized using regular expressions
Mar 22 20:40:15 ossim-A su[27992]: Successful su for root by root
event type="detector" date="2008-03-22 20:40:15" sensor="192.168.1.109" interface="eth0" plugin_id="4005" plugin_sid="2" src_ip="192.168.1.109" dst_ip="192.168.1.109" userna
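Collection and normalization together, as an added Python example that is not the AlienVault agent's own code: one regular expression both selects which syslog lines are collected (non-matching lines are dropped) and extracts the fields that become the normalized event. The regex, the sample log lines other than the su line shown above, and the plugin_sid value for a failed su are written for this example; plugin_id 4005 and plugin_sid 2 for a successful su are the values from the normalized event above.

```python
import re
from datetime import datetime

# Collection filter and field extractor for "su" syslog lines (written for this example).
SU_REGEX = re.compile(
    r"^(?P<date>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) su\[\d+\]: "
    r"(?P<result>Successful|FAILED) su for (?P<dst_user>\S+) by (?P<src_user>\S+)"
)

PLUGIN_ID = 4005                               # su plugin id, as in the event above
SID_BY_RESULT = {"Successful": 2, "FAILED": 1}  # sid 2 is from the page; sid 1 is assumed here

def normalize(line, sensor="192.168.1.109", interface="eth0", year=2008):
    """Return the normalized event for one syslog line, or None if the line is
    not collected (the regex does not match)."""
    m = SU_REGEX.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year, so the sensor has to supply one
    # (2008 reproduces the date in the page's example).
    ts = datetime.strptime(f"{year} {m['date']}", "%Y %b %d %H:%M:%S")
    return {
        "type": "detector",
        "date": ts.strftime("%Y-%m-%d %H:%M:%S"),
        "sensor": sensor,
        "interface": interface,
        "plugin_id": PLUGIN_ID,
        "plugin_sid": SID_BY_RESULT[m["result"]],
        # a local su has no network peer: source and destination are the host itself
        "src_ip": sensor,
        "dst_ip": sensor,
        "username": m["src_user"],   # who ran su
        "userdata1": m["dst_user"],  # target account
    }

def render(event):
    """Serialize in the key="value" form used by the sensor output above."""
    first = f'event type="{event["type"]}"'
    rest = " ".join(f'{k}="{v}"' for k, v in event.items() if k != "type")
    return f"{first} {rest}"

def collect(lines):
    """Collection: keep only the lines the plugin's regex accepts, normalized."""
    return [ev for ev in (normalize(l) for l in lines) if ev is not None]

# Constructed sample log: the su line from the page, a failed su, and an sshd
# line that this plugin must ignore.
SAMPLE_LOG = [
    "Mar 22 20:40:15 ossim-A su[27992]: Successful su for root by root",
    "Mar 22 20:41:02 ossim-A su[28001]: FAILED su for root by alice",
    "Mar 22 20:41:30 ossim-A sshd[28010]: Accepted password for bob from 10.0.0.5 port 51234 ssh2",
]

if __name__ == "__main__":
    for ev in collect(SAMPLE_LOG):
        print(render(ev))
```

Two practical points the example makes visible: the regex must be anchored and specific enough that unrelated lines from the same syslog stream are not silently collected under the wrong plugin_sid, and the missing year in syslog timestamps is a real normalization hazard around New Year, when a naive "current year" assumption dates December events a year late.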