ossec


Page 1: ossec

Subject: Use HTTPS instead of HTTP
Posted by phishphreek on Thu, 22 May 2008 19:46:05 GMT

In this how to we'll go over how to make OSSIM run over HTTPS instead of HTTP.

Warning: Doing this will mess up the dashboard links to ntop and nagios. Be sure to read this WHOLE THREAD before you proceed. The links can be fixed by editing the /etc/ossim/framework/ossim.conf file and running the /home/ossim/dist/reconfig.pl script.

This how to is tested in a freshly installed OSSIM vmware install using the 1.0.4 ISO installer. Immediately following the install, apt-get update && apt-get dist-upgrade was run. A reboot to get to the newly installed kernel was in order. The OSSIM update script was also run to get the installer to the latest version 1.0.5p1

Create a certificate
openssl req -new -x509 -days 365 -nodes -out /etc/apache2/apache.pem -keyout /etc/apache2/apache.pem

Fill out all of the fields. When you get to the "your name" section, use the FQDN address of your OSSIM server (ossimserver.domain.com). If you don't, you'll get certificate mismatch warnings.

Enable ssl support for apache
a2enmod ssl

Turn on SSL for the default site. Edit /etc/apache2/sites-available/default with your favorite text editor.

NameVirtualHost *
<VirtualHost *>
    ServerAdmin webmaster@localhost
    SSLEngine On
    SSLCertificateFile /etc/apache2/apache.pem
    DocumentRoot /var/www/
    <Directory />

Tell apache2 to use HTTPS instead of HTTP. Edit /etc/apache2/ports.conf
Listen 443

Restart apache2
/etc/init.d/apache2 restart
Now every website that apache2 hosts will be using SSL.

Page 1 of 123 ---- Generated from OSSIM by FUDforum 2.7.7
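The certificate and vhost steps of the post above, done as a script. This is an added example and not part of the forum post or of OSSIM: it writes a self-signed certificate whose CN and subjectAltName are the OSSIM FQDN (so the certificate mismatch warning the post mentions does not appear), an SSL vhost, and a plain-HTTP vhost that only redirects to HTTPS so that dashboard links still written as http:// keep working. The hostname ossimserver.domain.com, the Debian apache2 paths and the OSSIM_SSL_APPLY switch are assumptions; -addext and -ext need OpenSSL 1.1.1 or newer, which the 2008 image would not have had (on older OpenSSL drop those options and answer the Common Name prompt with the FQDN, as the post says).

```shell
#!/bin/sh
# Added example, not from the forum post. Generates the OSSIM web certificate
# and the Apache 2 SSL/redirect config non-interactively.
# Assumptions: Debian apache2 paths, FQDN ossimserver.domain.com,
# OpenSSL >= 1.1.1 for -addext / -ext.
set -eu

# One PEM holding key and cert, as the post does, but CN and SAN set from the FQDN.
make_self_signed_cert() {
    fqdn=$1; out=$2
    openssl req -new -x509 -days 365 -nodes \
        -subj "/CN=${fqdn}" -addext "subjectAltName=DNS:${fqdn}" \
        -keyout "$out" -out "$out"
    chmod 600 "$out"                 # the same file holds the private key
}

# Show what a browser will check: subject, SAN and validity window.
show_cert() {
    openssl x509 -in "$1" -noout -subject -dates -ext subjectAltName
}

# Text of the HTTPS vhost (sites-available/default-ssl).
ssl_vhost() {
    fqdn=$1; pem=$2
    cat <<EOF
<VirtualHost *:443>
    ServerName ${fqdn}
    ServerAdmin webmaster@localhost
    SSLEngine On
    SSLCertificateFile ${pem}
    DocumentRoot /var/www/
</VirtualHost>
EOF
}

# Text of the HTTP vhost: no content, just a permanent redirect to HTTPS,
# so links that still say http:// land on the TLS site.
redirect_vhost() {
    fqdn=$1
    cat <<EOF
<VirtualHost *:80>
    ServerName ${fqdn}
    Redirect permanent / https://${fqdn}/
</VirtualHost>
EOF
}

# ports.conf must carry both listeners once the redirect vhost exists.
ports_conf() {
    printf 'Listen 80\nListen 443\n'
}

# Number of Listen directives in ports.conf text read from stdin.
count_listen() {
    grep -c '^Listen '
}

# Apply everything on the OSSIM box (as root). Only runs when OSSIM_SSL_APPLY=1,
# so the file can be sourced and the generators tried without touching Apache.
apply() {
    fqdn=${1:-ossimserver.domain.com}
    dir=${2:-/etc/apache2}
    make_self_signed_cert "$fqdn" "$dir/apache.pem"
    show_cert "$dir/apache.pem"
    ssl_vhost "$fqdn" "$dir/apache.pem" > "$dir/sites-available/default-ssl"
    redirect_vhost "$fqdn" > "$dir/sites-available/default"
    ports_conf > "$dir/ports.conf"
    a2enmod ssl
    a2ensite default-ssl
    apache2ctl configtest            # refuse to restart on a broken config
    /etc/init.d/apache2 restart
}

if [ "${OSSIM_SSL_APPLY:-0}" = 1 ]; then
    apply "$@"
fi
```

Run it as OSSIM_SSL_APPLY=1 sh ossim-ssl.sh your.fqdn to apply; without the variable it only defines the functions, so ssl_vhost and redirect_vhost can be inspected first. Keeping the HTTP listener alive for the redirect is what makes the old ntop and nagios dashboard links discussed later in the thread survive the switch.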


Subject: Re: Use HTTPS instead of HTTP
Posted by phishphreek on Fri, 23 May 2008 14:32:42 GMT

Change NTOP to use SSL
Note: This part isn't 100% yet. Have to figure out how to get the dashboard to redirect to the new link without having to change every dashboard piece separately.

NTOP is running its own web server. Let's tell it to run over SSL too. I can't figure out where the NTOP admin password is so let's reset it.

ntop -A
Set a new password.

Copy the apache.pem certificate to the ntop config folder.
cp /etc/apache2/apache.pem /etc/ntop/ntop-cert.pem

Configure NTOP to use HTTPS
Open NTOP in your web browser.
http://ossim.ip:3000

Go to the admin tab and choose startup options. Enter admin for the userid and the password you just assigned to it.

Change the HTTP Server (-w) field from 3000 to 0.
Change the HTTPS Server (-W) field from 0 to 3000.
Scroll down and click Save Preferences.

Shutdown NTOP
Click on the admin tab and then click on shutdown. This will stop NTOP. OSSIM is running a monitor for this service, so you can just simply wait and OSSIM will restart it.

Change the OSSIM configuration to point to the new ssl site.
Edit /etc/ossim/framework/ossim.conf and change the ntop_link field from # to https://serverip:3000

Run the reconfig.pl script
chmod 700 /home/ossim/dist/reconfig.pl
/home/ossim/dist/reconfig.pl

Now if you go into the ossim web based config utility, the link will be changed and grayed out. Unfortunately, that still doesn't change the dashboard links... I'm still trying to find out how to change those.


Subject: Installing the OSSEC Web Interface on OSSIM
Posted by gsporter on Fri, 30 May 2008 04:02:37 GMT

I found I can see the OSSEC output directly as a cross check by installing the web UI.

Start by following the general instructions here. I have provided the changes I had to make to install on the OSSIM all-in-one from the installer:

http://www.ossec.net/wiki/index.php/OSSECWUI:Install

Changes:

Step 3

# mv ossec-wui-0.3 /var/www/htdocs/ossec-wui
to
# mv ossec-wui-0.3 /var/www/ossec-wui

Step 5

# nano /etc/group
From: ossec:x:1002:
To: ossec:x:1002:www-data

Step 6

# chmod 770 tmp/
# chgrp www-data tmp/
# /etc/init.d/apache2 restart

You can access the interface through

http://<your_host>/ossec-wui
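The step 5 edit above appends www-data to the ossec line of /etc/group by hand, which silently drops any member already listed on that line. As an added example (not code from the post, the OSSEC WUI or OSSIM), the helper below does that edit as a text transform that keeps existing members and never adds a duplicate, and install_wui performs the post's steps with usermod rather than nano. The group-file lines it is demonstrated on are constructed; the paths are the post's own, and the web server group name www-data is an assumption.

```shell
#!/bin/sh
# Added example, not from the post. Safe version of the /etc/group edit in
# step 5, plus the remaining install steps as one function.
set -eu

# Print group-file text from stdin with USER added to GROUP's member list.
# Existing members are kept and the user is not added twice.
add_group_member() {
    awk -v g="$1" -v u="$2" -F: 'BEGIN { OFS = ":" }
        $1 == g {
            n = split($4, m, ",")
            found = 0
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
            if (!found) $4 = ($4 == "" ? u : $4 "," u)   # rebuilds the line with ":"
        }
        { print }'
}

# Member list of GROUP from group-file text on stdin (empty if none).
group_members() {
    awk -v g="$1" -F: '$1 == g { print $4 }'
}

# The post's steps on a live box (needs root). usermod -a -G is the supported
# way to do what the post does by editing /etc/group in nano.
install_wui() {
    src=${1:-ossec-wui-0.3}
    dst=${2:-/var/www/ossec-wui}
    webgroup=${3:-www-data}                  # assumed Apache group
    mv "$src" "$dst"
    usermod -a -G ossec "$webgroup"          # same effect as "ossec:x:1002:www-data"
    chgrp "$webgroup" "$dst/tmp"
    chmod 770 "$dst/tmp"                     # owner and group only, never world
    id "$webgroup"                           # verify: should now list ossec
    /etc/init.d/apache2 restart
}
```

To preview the edit without touching the real file: add_group_member ossec www-data < /etc/group | diff /etc/group - shows exactly the one line that would change. Note that a user's new group membership only applies to processes started after the change, which is why the post restarts Apache last.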

Subject: Re: Use HTTPS instead of HTTP
Posted by henry01 on Fri, 06 Jun 2008 11:00:34 GMT

any luck on this?


Thanks

Subject: Re: Use HTTPS instead of HTTP
Posted by jimsmithkka on Fri, 06 Jun 2008 17:57:09 GMT

I followed these steps and my pages are now secure, but when I try to use the links in the sidebar of the availability tab (Nagios) I get a page not found. The issue I know is that the links are for http, not https.

My question is where is the file that has these links so I can update it, or is there a config change I can make in apache to auto forward http requests to https for each page.

The system is an almost bare bones install from the install CD I got from AlienVault.

I am not too familiar with apache, I use lighttpd most of the time instead, so any help would be gratefully accepted.

Subject: Re: Use HTTPS instead of HTTP
Posted by phishphreek on Fri, 06 Jun 2008 21:35:45 GMT

I haven't had an opportunity to mess with it too much more. I ended up changing the links via Dashboard, edit and then editing the panels separately. This works OK for me as I am the only user.

These dashboards are configured on a per user basis, so if you have multiple users, each user will have to change their links.

The panel config files are located in /etc/framework/panel/configs

The main dashboard page is /etc/framework/panel/configs/admin_1

The dashboard page with the ntop data is /etc/framework/panel/configs/admin_5_1

Each time I try to manually edit those files to update the links, I get OSSIM throwing an error complaining about bad data.

From looking at their reconfig script in /home/ossim/dist/reconfig.pl I found they are using a file called edit_serialized_ips_panels_conf.php which they use to replace the ip address if you change it and use the reconfig script.


I haven't yet had the free time to modify this script to have it grab the ntop_link field from /etc/framework/ossim.conf if it has been modified and store it in some variable. Then have the script go through and change it in the *_1 and *_5_1 files.

jimsmithkka: I think you're running into a little different issue. My nagios is actually running on a separate server. I changed my links to point to the server and all worked fine for me... I'll have to look into it in vmware and see why yours won't work.

Subject: Re: Use HTTPS instead of HTTP
Posted by phishphreek on Fri, 06 Jun 2008 21:53:13 GMT

jimsmithkka: You can do it in one of two places. Either in the web configuration --> main --> nagios link

Change from /nagios2/ to https://serverip/nagios2/

Or, edit /etc/ossim/framework/ossim.conf and change the link to nagios.

#nagios_link
nagios_link=https://serverip/nagios2/

Then run /home/ossim/dist/reconfig.pl It will update to the correct link.

Sorry about that!
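Both recipes in this thread (the ntop_link change a few posts up and the nagios_link change just above) edit /etc/ossim/framework/ossim.conf by hand and then run reconfig.pl. The following is an added example, not code from the thread or from OSSIM: a small shell helper that sets one key in that file and copes with the three states the thread shows (an existing ntop_link=# line, a commented-out #nagios_link placeholder, and a key that is not present at all), keeps a .bak copy, and can be run against a scratch copy first. The sample config it is demonstrated on is constructed; keys are assumed to be plain identifiers, and running reconfig.pl afterwards is left to you.

```shell
#!/bin/sh
# Added example, not from the thread or from OSSIM. Sets key=value in a
# key=value style config such as /etc/ossim/framework/ossim.conf.
set -eu

# Print FILE with KEY set to VALUE. Handles "key=old", a "#key" placeholder
# and a missing key (appended at the end). Values come in through the
# environment so awk does not interpret backslashes in them.
set_conf_key() {
    CONF_KEY=$2 CONF_VALUE=$3 awk '
        BEGIN { k = ENVIRON["CONF_KEY"]; v = ENVIRON["CONF_VALUE"]; done = 0 }
        # "key = ..." line: replace it (a second copy of the key is dropped)
        $0 ~ ("^[ \t]*" k "[ \t]*=") { if (!done) { print k "=" v; done = 1 }; next }
        # "#key" placeholder line: turn it into the real setting
        $0 ~ ("^#[ \t]*" k "[ \t]*(=.*)?$") { if (!done) { print k "=" v; done = 1 }; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$1"
}

# Current value of KEY in FILE (empty if absent or commented out). Splits on
# the first "=" only, so URLs with query strings survive.
get_conf_key() {
    CONF_KEY=$2 awk '
        BEGIN { k = ENVIRON["CONF_KEY"] }
        { i = index($0, "=") }
        i && substr($0, 1, i - 1) ~ ("^[ \t]*" k "[ \t]*$") { print substr($0, i + 1); exit }
    ' "$1"
}

# Rewrite FILE in place, keeping FILE.bak and the original mode and owner.
set_conf_key_inplace() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    set_conf_key "$file" "$key" "$value" > "$tmp"
    cp -p "$file" "$file.bak"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Demo on a constructed ossim.conf fragment (not a real one), then the
# thread's recipe would continue with /home/ossim/dist/reconfig.pl.
demo() {
    f=$(mktemp)
    printf '%s\n' 'ntop_link=#' '#nagios_link' 'other=keep' > "$f"
    set_conf_key_inplace "$f" ntop_link 'https://10.0.0.5:3000'
    set_conf_key_inplace "$f" nagios_link 'https://10.0.0.5/nagios2/'
    cat "$f"
    rm -f "$f" "$f.bak"
}
```

Typical use on the real file: set_conf_key /etc/ossim/framework/ossim.conf nagios_link https://ossim.example/nagios2/ | diff /etc/ossim/framework/ossim.conf - to review, then set_conf_key_inplace with the same arguments and /home/ossim/dist/reconfig.pl as the posts describe.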

Subject: Re: Use HTTPS instead of HTTP
Posted by jimsmithkka on Mon, 09 Jun 2008 13:30:11 GMT

It all works now, Thanks

Figured it would help others as well so I posted the question here.

Once Again thanks

Subject: NagiosQL Walkthrough
Posted by umarzuki on Mon, 09 Jun 2008 14:48:25 GMT


Note: This was done on installer version 1.0.4, so as they say, YMMV.

After you got OSSIM up and running, install php-pear then execute
pear install HTML_Template_IT

After that download the latest NagiosQL from http://www.nagiosql.org/index.php/component/content/article/44 then extract in your /var/www

cd into the extracted directory

Create mysql database
mysql -uroot -p < nagiosQL_v2_db_mysql.sql
if asked for password, find it somewhere in /etc/ossim/ossim_setup.conf

put these into the Apache2 config file httpd.conf:
<Directory /srv/www/htdocs/nagiosQL>
    <FilesMatch \.(?i:ini)$>
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>

then edit setting.ini and change the values in it accordingly
root = /nagiosql-2.0.2/
physical = /var/www/nagiosql-2.0.2/
config = "/etc/nagios2/"
confighosts = "/etc/nagios2/conf.d/"
configservices = "/etc/nagios2/conf.d/"
binary = "/usr/sbin/nagios2"
cmdfile = "/var/lib/nagios2/rw/nagios.cmd"
pidfile = "/var/run/nagios2/nagios2.pid"
lang = lang_en

then try browsing to: server_IP/nagiosql-directory/testQL.php

if you got permission read/write error, chmod -R 777 it

if you got an error about a folder missing or something like that, make one by referring to setting.ini

Don't forget to import config files: Tools > Data Import

Corrections are most welcome :)

Subject: Re: NagiosQL Walkthrough
Posted by eflinton on Mon, 09 Jun 2008 18:27:28 GMT

can't find nagios.cmd on a freshly installed system v1.0.4 and upgraded through ossim-update.pl.

any ideas?

thanks.

Subject: Re: NagiosQL Walkthrough
Posted by jvblanco on Mon, 09 Jun 2008 20:56:41 GMT

Check at /etc/nagios2/nagios.cfg if you have external commands enabled.

BTW, this is a very interesting Nagios addon. I'm going to give it a try.

Juan.

Subject: Re: NagiosQL Walkthrough
Posted by umarzuki on Tue, 10 Jun 2008 00:02:12 GMT

it's a pipe file, to make it
mknod nagios.cmd p

but it'll give an error anyway through testQL.php. Actually, a pipe file will only be there when nagios runs.

Subject: Re: NagiosQL Walkthrough
Posted by eflinton on Tue, 10 Jun 2008 14:44:45 GMT

Thanks, had the external command value set on the prod. unit and saw the file but hadn't moved the configs to the test unit.

Its there after adjusting the value -- thanks jvblanco!

Subject: Re: NagiosQL Walkthrough
Posted by umarzuki on Tue, 10 Jun 2008 23:57:42 GMT

wow you guys got it up and running? Nice, since I never set up manual nagios before, stuck when creating host (the pull downs don't have value). Rouven from nagiosql said something about timeperiods.cfg which isn't available at first so probably I'll have to create it.

Subject: Re: NagiosQL Walkthrough
Posted by eflinton on Wed, 11 Jun 2008 00:29:47 GMT

haven't gotten the prod_configs into nagiosql yet but things are working out, will post any information that may be of value. I didn't know this was available so trying it out.

in regards to nagios -- I keep the host file simple, then group with hostgroup. I have several *.cfg depending on the system type and required checks. Not sure if default ossim is setup like that as I have just been moving prod_configs over.

Subject: Re: NagiosQL Walkthrough
Posted by umarzuki on Wed, 18 Jun 2008 06:32:56 GMT

actually, i had to import the config files :)

Subject: Re: NagiosQL Walkthrough
Posted by eflinton on Wed, 18 Jun 2008 14:42:28 GMT

If starting from scratch there were a lot of dependencies between hosts, contacts, services. I would agree, import your configs.

Subject: Re: Installing the OSSEC Web Interface on OSSIM
Posted by umarzuki on Wed, 25 Jun 2008 08:31:22 GMT

this tutorial works..i can confirm that. But no fancy graphs... 8)


Subject: Re: NagiosQL Walkthrough
Posted by redbarron on Fri, 27 Jun 2008 01:55:10 GMT

So, from the last few posts it sounds like I should NOT attempt this if I haven't set up nagios at all yet? Or is it just the couple extra steps as mentioned?

If it's going to make configuring nagios harder for a nagios noob, I'll just stick with straight nagios until I feel like I've got that under my belt.

Thanks,
Joe

Subject: Re: NagiosQL Walkthrough
Posted by umarzuki on Mon, 30 Jun 2008 14:12:04 GMT

Quote: "If it's going to make configuring nagios harder for a nagios noob"

yeah, absolutely. Most of 'em are.

Subject: OSSIM: Configuration steps
Posted by ajcborges on Mon, 14 Jul 2008 19:21:28 GMT

HI,

I have been working on Security Information for around 8 yrs. I know several SIM products, including Sentinel from Novell. I am currently putting together a monitoring project with Open Source Products and OSSIM caught my attention. I know Linux (debian, among others), Windows, Unix, etc. OSSIM has many virtues which I do not know where to start. If anyone knows or has done a guide to perform a basic configuration of OSSIM, it will be widely appreciated. Already downloaded the ISO. And I installed it without any problems ... I think I am ok. :!:

I would like to learn to configure it. I think it is a solution with a high market potential. 8)

TIA.

Subject: Re: OSSIM: Configuration steps
Posted by kristian_paul on Mon, 14 Jul 2008 20:50:00 GMT

i may help

http://www.ossim.com/blog/dk/ossim/tutorials/tut3_intro.html

Subject: Re: OSSIM: Configuration steps
Posted by guihen01 on Fri, 18 Jul 2008 01:50:21 GMT

use tutorial on ossim web site

Subject: Re: OSSIM: Configuration steps
Posted by kristian_paul on Fri, 18 Jul 2008 14:16:19 GMT

did you get snort and ossim for windows running? are you collecting data to your master server?

'cause I never did it :cry: , so far ;)

anyway, if you can help I appreciate it

Subject: Re: OSSIM: Configuration steps
Posted by gsporter on Sun, 27 Jul 2008 03:29:35 GMT

Once you have gone through DK's initial setup try reading:

Wiki

http://www.ossim.net/dokuwiki/doku.php

General Description

http://www.ossim.net/dokuwiki/doku.php?id=documentation:general_description

Users Manual

http://www.ossim.net/dokuwiki/doku.php?id=user_manual:introduction


It helped me to understand the structure and "work flow" of OSSIM

GP

Subject: OSSEC Quick Start Guide
Posted by Ahriakin on Sun, 07 Sep 2008 00:34:03 GMT

Hi Folks,

This is not a detailed tutorial on OSSEC just a getting started guide. I highly recommend Syngress "OSSEC - Host Based Intrusion Detection Guide" http://www.amazon.com/OSSEC-Host-Based-Intrusion-Detection-Guide/dp/159749240X/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1220745267&sr=8-1 if you intend to seriously use this excellent tool. I'm still a Linux beginner myself and from the other posts I see here I'm not the only one so I'm going to try and make these instructions as verbose as possible command-wise so that even beginners can perform them.

I'll try and follow this up with some tips that I've found useful in later posts. If anyone has any comments or improvements let me know (like I said I am no expert, or a script-god like PhishPhreak ;), this is just an attempt to help others at my level so any comments are welcome)

Anyway :

****

Upgrade the master server:

As of posting OSSIM includes OSSEC 1.4 and 1.6 has just become available. Thankfully upgrading is a very simple process.

1. Download the latest source from www.ossec.net to your TMP folder
- cd /tmp
- wget http://www.ossec.net/files/ossec-hids-1.6.tar.gz
(for later versions simply open a browser and go to the OSSEC.net download page and right-click the link to the file you want, then copy-link-location and paste it after "wget ")
2. Extract the file
- tar -zxvf ossec-hids-1.6.tar.gz
3. Enter the newly extracted folder
- cd ossec-hids-1.6
4. Run the install script
- ./install.sh
--- It will detect the existing install and ask if you want to upgrade: YES
--- It will ask if you want to upgrade the rules: YES
5. Add OSSEC to the agent plugin list
- nano /etc/ossim/agent/config.cfg
--- under the [plugins] section add the following line
ossec=/etc/ossim/agent/plugins/ossec.cfg
6. Restart the OSSIM agent
- /etc/init.d/ossim-agent restart

That's it, the OSSEC server is now on the latest version and OSSIM is monitoring it. This upgrade will keep any existing client details, historical data etc. and is backward compatible with older clients so you won't break anything by doing it.

**

Adding clients to the OSSEC server
All important files for OSSEC are located in /var/ossec, the control utilities are in /var/ossec/bin
1. Add a new client:
- cd /var/ossec/bin
- ./manage_agents
--- Choose A to add an agent, enter the client IP and ID you'd like to use (accepting the defaults is fine, IDs are how OSSEC keeps track of clients internally so it doesn't have to match anything else, it just has to be unique)

Personally I prefer to pre-configure all of my clients here at once so I add each and every host that will have OSSEC agents installed now. I'm going to presume you do the same and don't have RSS injuries when you're done :). So from this point on I will act as if you have added every agent to the master server.

2. Restart the OSSEC server to make the changes (in this case new agents) active.
- ./ossec-control stop
- ./ossec-control start

****

Installing the OSSEC agent on Windows Hosts
Get the latest agent from www.ossec.net
1. Run the installer executable and accept all defaults.
2. When presented with the 'OSSEC Agent Manager' enter the IP of your OSSIM/OSSEC Master Server.
3. Enter the Client/Server authentication key
- SSH to your Master Server and run the manage_agents utility
- /var/ossec/bin/manage_agents
--- choose 'E' to extract a client key
--- Enter the ID for this client (if you are not sure of the ID then first choose 'L' to list the agents and record the ID number).
--- Copy the entire text below the line "Agent key Information for "ID" is:" and paste it into the Authentication Key line on the client's OSSEC Manage Agent window, then hit Save. IMPORTANT: when you hit Save it will show a small popup window with this client's IP, name and ID; make sure they are all correct as this is the data it has extracted from the key you just pasted in and it is what the server is expecting to see. If they do not match then the client will not authenticate to the server and it won't work. If they do match just hit Okay, if not go back and check how the agent was set up on the server and that you pasted the extracted key properly.
4. Start the OSSEC service
- From the client OSSEC Manage Agent utility click Manage / Start OSSEC and then refresh, make sure it says it is running.

* An alternative of course is to extract all keys and IDs into a text file that you can access from each client but if you do make sure it is absolutely secure, and ideally secure delete it when done.

**

Installing on Linux Hosts
1. Download the agent software to the TMP folder:
- cd /tmp
- wget http://www.ossec.net/files/ossec-hids-1.6.tar.gz
(it uses the same package for all 3 types of Linux installs so you could just copy the file you used on the server)
2. Extract the package
- tar -zxvf ossec-hids-1.6.tar.gz
3. Install it
- cd ossec-hids-1.6
- ./install.sh
--- When prompted for the installation type choose "agent"
--- When prompted for the OSSEC server IP use the OSSIM/OSSEC Master server
--- Accept all other defaults.
4. Configure the agent authentication from the client
- /var/ossec/bin/manage_agents
--- choose 'I' to import the key
--- follow the steps described in the Windows agent install to copy the client's key from the Master Server and paste it into the Import Key prompt.
5. Restart the agent
- /var/ossec/bin/ossec-control stop
- /var/ossec/bin/ossec-control start

**

Replacing the full OSSEC server on OSSIM-Child servers with agent only reporting to your master server, and also upgrading

Follow the steps above for the Linux agent installation but at the start OSSEC will detect the existing installation:
--- When prompted to upgrade say 'No'
--- When prompted to delete the folder say 'Yes'

Otherwise it is identical to a normal Linux Agent install (and remember to restart with "/var/ossec/bin/ossec-control stop+start" when done).

****

Testing the connection between client and server

Firstly you can install OSSEC's own Web interface alongside OSSIM's. There is a guide on how to do this here https://www.ossim.net/forum/index.php?t=msg&th=62&start=0&S=d92e33f115348ff90f531433414935e0 . The only thing I'd add is I had issues with some of the other functions like NTop and Snort graphs until I changed the permissions on /TMP to anyone full control (chmod 777 /tmp) which is not the most secure but it solved my issues. Most of the UI's functions are intact except some searches and graphs.

Anyway to directly test the client connection: From the Master Server:
1. List all active clients
- /var/ossec/bin/agent_control -l
--- Look for the clients you have connected and make sure they are Active
2. Get more detail from the client
- /var/ossec/bin/agent_control -i (ID of client)
--- This will tell you the last scan times, client version etc.

If your client is shown as active you should be good to go....
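Two checks for the key step and the connection test in the guide above, added here as an example; they are not part of the original post or of OSSEC. The key that manage_agents prints for 'E' is the base64 encoding of the client.keys line, "ID NAME IP KEY", so decoding it before pasting tells you the ID, name and IP that the Windows agent's popup will show and lets you catch the mismatch the guide warns about up front. The second function reads agent_control -l output and lists agents that are not Active. Both the sample key and the sample listing are constructed for the demo; base64 -d is the GNU coreutils flag.

```shell
#!/bin/sh
# Added example, not from the guide or from OSSEC. Checks around the agent
# key exchange and the agent_control -l connection test.
set -eu

# Build a key the way the server does: base64 of "ID NAME IP KEY".
ossec_key_encode() {
    printf '%s %s %s %s' "$1" "$2" "$3" "$4" | base64 | tr -d '\n'
}

# Decode a pasted agent key and print "ID NAME IP" (the secret is not printed).
ossec_key_fields() {
    printf '%s' "$1" | base64 -d | awk '{ print $1, $2, $3 }'
}

# Succeed only if the key was issued for the expected agent IP.
ossec_key_check_ip() {
    key=$1; want=$2
    ip=$(ossec_key_fields "$key" | awk '{ print $3 }')
    [ "$ip" = "$want" ]
}

# From "agent_control -l" output on stdin, print agents that are not Active
# (Disconnected / Never connected) as "ID NAME IP STATUS".
agents_not_active() {
    awk -F', ' '/^ *ID: / {
        id = $1;     sub(/^ *ID: /, "", id)
        name = $2;   sub(/^Name: /, "", name)
        ip = $3;     sub(/^IP: /, "", ip)
        status = $4
        if (status !~ /^Active/) print id, name, ip, status
    }'
}

# Constructed sample key for agent 001 (not a real key).
sample_key() {
    ossec_key_encode 001 web01 10.0.0.5 0123456789abcdef0123456789abcdef
}

# Constructed sample of agent_control -l output.
sample_listing() {
    cat <<'EOF'
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: ossim (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: web01, IP: 10.0.0.5, Active
   ID: 002, Name: db01, IP: 10.0.0.6, Disconnected
   ID: 003, Name: dc01, IP: 10.0.0.7, Never connected
EOF
}
```

On the master server the real listing comes from /var/ossec/bin/agent_control -l | agents_not_active, which is empty when every agent has checked in. Before pasting a key into a Windows agent, ossec_key_fields "$key" shows the exact ID, name and IP the popup will display; a wrong IP here means the agent was added with the wrong address in manage_agents, not that the paste failed.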

Subject: Re: OSSEC Quick Start Guide
Posted by DK on Wed, 10 Sep 2008 19:03:38 GMT

Cheers on the nice update guide, will be releasing an update with OSSEC 1.6 pretty soon.

Blame Daniel for not getting it into 1.0.6 :) (Just kidding, OSSEC is awesome.)

Subject: Re: OSSEC Quick Start Guide
Posted by Ahriakin on Wed, 10 Sep 2008 19:42:15 GMT


No problem, I ask enough questions here and obviously use OSSIM enough that I'm glad to be able to give even a little back. Thanks for all your great work.

Subject: ossim for newbies
Posted by ashar on Sat, 20 Sep 2008 09:59:00 GMT

Hi,

I have started to document configuration of the various parts, for newbies. I aim to get people started quickly - there is a huge amount to figure out.

Let me know if there are any mistakes, and what I should do next.

http://sites.google.com/site/ossimnewbie/Home

Subject: Re: OSSEC Quick Start Guide
Posted by gsporter on Sat, 20 Sep 2008 23:48:01 GMT

I also have to give you kudos. Sometimes training and documentation doesn't seem that exciting, but it can mean the success or failure of a project!

Subject: Re: ossim for newbies
Posted by gsporter on Sat, 20 Sep 2008 23:48:46 GMT

I have to give you kudos. Sometimes training and documentation doesn't seem that exciting, but it can mean the success or failure of a project!

Subject: Re: ossim for newbies
Posted by DK on Fri, 03 Oct 2008 20:54:48 GMT

Cheers on this, please keep up the awesome work.


I'd suggest opening your own thread for this (please give me a shout should you want special rights) and updating it frequently, including dates :p

Subject: Documentation Overhaul
Posted by gsporter on Sat, 04 Oct 2008 19:01:14 GMT

If you did not see this in DK's blog PLEASE read before posting questions!!!

http://www.alienvault.com/blog/dk

Documentation Overhaul
Thu, 02 Oct 2008

"Just a quick note to throw some attention at the major changes we are making to the OSSIM documentation section.

We're sort-of hiding deprecated or non-important documentation, reorganizing existing ones and releasing new stuff such as configuration instructions for third party devices."

Configuration

http://www.ossim.net/dokuwiki/doku.php?id=documentation:configuration

Subject: Re: NagiosQL Walkthrough
Posted by gsporter on Wed, 08 Oct 2008 23:57:57 GMT

Quick question. Which versions did you use nagiosql-2.0.2.tar.gz /installer 1.04/6?

Thanks GP

Subject: Osiris - Quick Guide
Posted by Ahriakin on Sun, 12 Oct 2008 01:54:15 GMT

Hi folks,


Just like the OSSEC guide this is just to get you going, if you want to delve into Osiris properly I highly recommend "Host Integrity Monitoring using Osiris and Samhain" by Brian Wotring (http://www.amazon.com/Integrity-Monitoring-Using-Osiris-Samhain/dp/1597490180/ref=sr_1_1?ie=UTF8&s=books&qid=1223771961&sr=8-1).

Firstly why would you want to use Osiris when you use OSSEC? OSSEC is more fully featured in that it performs system file, registry, service, user, rootkit checks, parses Syslog etc. with some event correlation whereas Osiris is mainly a file integrity (change) monitor with some extra modules for detecting changes in services, ports and users. If you had to choose between the 2 then OSSEC is a better bet for intensive monitoring (it also works brilliantly within OSSIM, allowing you to use it to filter Syslog and other events from its own engine before placing them in the Database which can save you a lot of CPU cycles if your OSSEC server is a child OSSIM server), but that's just it, it is intensive whereas Osiris is more easily tuned and less resource intensive.

By default OSSEC agents run their system checks every 6 hours (you can change this but I'll place that note in the OSSEC thread). If you increase the frequency you run the risk of degrading host performance but at the same time I think you need more granularity in the logs, at least for the more important files. What I like to do is run Osiris every 2 hours to bridge the gaps between the more intensive OSSEC scans. I may change this in the future but for now I think it works well.

I'm also planning on setting up a second scan weekly that does not purge the databases so I have a 7 day snapshot of the files for my records but I'm getting a bit beyond the scope of this guide, just trying to make it clear why I still use Osiris in conjunction with OSSEC.

Anyway on to the installation/config:

****************************************************

Osiris agents work differently to OSSEC. With OSSEC you created keys on the server and imported them to the agents, from then on the agents run on their own schedule with their own configs and report the results back to the server based on the <frequency>xxxxx</frequency> value in ossec.conf. Osiris agents work differently in that they are essentially like remote sockets to which the Server will push the scan config and request scans when needed, i.e. the agent will do nothing on its own, it always waits for instructions from the Master server. You do not need to manually create and import authentication keys as it uses certificates; when you install an agent it will listen for and trust the first master server that contacts it, after that it will only accept communications from that server as it saves its certificate. You still have to create clients on the Master Server.

Server Configuration - Configs

Before configuring within Osiris itself you will want to view and perhaps modify the configs it will use on the agents. Since Osiris keeps all of its config data within flat files you can edit them with nano, though many can be configured within the Osiris CLI itself I prefer to do it manually outside.

The host config files are located in /var/lib/osirismd/configs/ . In the following example I will read and modify the Server 2003 config to change the file hash method to SHA1 and add the optional module for reading port changes, add scanning of C:\Windows (Osiris defaults to using c:\winnt as the Windows folder, adding a folder that does not exist (i.e. having both Winnt and Windows) will not cause any issues as it will just skip the one that isn't there) and include .bat and .scr files in the scan filetypes, finally I will add an exclusion to ignore my Symantec AV definition folder as well as the OCS Inventory Agent folder (as they change a lot and yield log-noise false positives).

enter the config folder
1. cd /var/lib/osirismd/configs/
run 'ls' to read the directory and then 'nano' your config file
2. nano default.windowsserver2003
change the hash method to SHA1
3. Change 'Hash md5' to 'Hash sha1'
add the port module
4. Under <system> add 'Include mod_ports'
add .bat and .scr to the filetypes to scan
5. Under <Directory c:\WINNT> add 'Include suffix("bat")' and 'Include suffix("scr")'
Add the same scanning options for c:\windows
6. Highlight the entire <Directory c:\winnt> section (including </Directory>), press CTRL+C, move the cursor to below that Directory section and right-click to paste (most terminal emulators follow that convention, if yours doesn't then find how to paste). Edit the new <Directory c:\winnt> line to read <Directory c:\windows>
Exclude the Symantec definition and OCS folders
7. Under <Directory C:\Program Files> add :
NoEntry OCS Inventory Agent
NoEntry Common Files\Symantec Shared\VirusDefs
NoEntry Common Files\Symantec Shared\SymcData
NoEntry Symantec\Symantec Endpoint Protection Manager\Inetpub\content
NoEntry SAV\I2_LDVP.VDB
NoEntry Symantec AntiVirus\I2_LDVP.VDB
Save and exit
8. Press CTRL+X, Y to save changes and accept the same filename.

OPTIONAL: Use the same config for your Windows 2000 Servers
9. Rename the existing Server 2000 config: mv default.windows2000 default.windows2000.old
Copy your modified 2003 config to replace it: cp default.windowsserver2003 default.windows2000

When you look at the config files you'll see they are very intuitive so adding files, including/excluding folders etc. is quite easy. Just remember that if you modify a config and want to manually scan an existing client you need to push the config first, if you manually start a scan it does not send the new config (however the scheduled scans always push the current config first so they are covered).


**********

Installing the Linux agent
1. apt-get install osiris
That's it :) - if you are doing this on an existing server like an OSSIM child server remove it first (apt-get remove osiris).

**********

Installing the Windows Agent
1. Get the executable from OSSIM / TOOLS / DOWNLOADS and run it. When presented with the installation options only leave the Osiris agent ticked and continue until complete.

**********

Adding clients to the Master Server
1. From the server CLI just run the command osiris (it's in the path so you don't need to specify any folders), User/Pass = admin (make sure to change the password when inside).
2. Press ? for help. Again you will see the layout is very intuitive.
3. Edit basic server parameters: edit-mhost (mainly here if you plan on using email alerts outside of OSSIM add your default address; you can override this on each client if you wish but it can save some time just to do it here. Add your SMTP host and if you wish modify the Authorized management hosts (I advise you to just leave it on the default of 127.0.0.1 so it can only be edited when logged into the server directly).
4. Edit admin users: edit-users. Add a new user or change the admin password - WARNING it does not prompt you to verify your password changes so make sure you get it right :), it's a good idea to add a backdoor account for this reason.
5. Add new clients - I'm going with the OSSIM recommended setup, only changing the email options and scheduling.
new-host
- Name (only significant to Osiris, but it's a good idea to match it to the hostname or functional name you use in all of OSSIM's other tools (I like to use (location)-(type)-(hostname), e.g. a server called SuperServer in Orlando would be orl-SRVR-SuperServer). The name is similar to IDs in OSSEC; it is how you identify the client through the console for all operations.
- Hostname/IP (yes you can use the DNS FQDN here if you wish)
- Description (up to you)
- agent-port (do not change)
- enable log files for this host? (Since we are logging to OSSIM no need, and they take up space)
- Keep archives of scan databases? (Definitely no as it will keep databases even if no changes are detected...what's the point unless you want a nice warm fuzzy feeling that nothing has changed?)
- auto accept changes? (Yes, let it set the new baselines when changes are detected)


- purge databases? (Again since we are logging to OSSIM leave this as Yes; if disabled each scan of each host is kept on the server and they can pretty soon eat up your storage space - this is not your only option for keeping historical data outside of OSSIM though, see the email section below)
- enable email notifications for this host? (Here's where I deviate from the OSSIM recommendations as I want historical data available to my colleagues without having them access OSSIM/Osiris directly). I set it to Yes but it's your call.
-- send notification on scheduled scan failures? (Yes, I want to know if it didn't run).
- send scan notification, even when no changes detected? (No, again I think this is pointless unless it is required by your security policy).
- send notification when agent has lost session key? (I set it to Yes. Clients use the same session key with the Server until their Osirisd service is restarted. It will happen naturally when the client is rebooted, but if the client lost its session key and it wasn't rebooted then someone restarted the service, and that is a wee bit suspicious to me and you may need the event later for correlation).
- notification email? (here you can override the default email address you entered when you used 'edit-mhost' earlier to set some basic server parameters; leaving it blank just uses that default address)
- configure scan scheduling information? (yes)
- enter the start date and time
- enter the scan frequency (enter the time between scans in minutes. The default is 4 hours, I prefer 2 - I am using Osiris to fill the gaps between the OSSEC scans (6 hours). If you are entering a lot of hosts at once I recommend varying your scan frequency a little, e.g. 1st = 120, next = 121, next = 119 etc. This way over time the scans will move apart and you randomize the scan times a bit to reduce the load on your Master Server)
- enable this host (Yes).

The server will contact the client and, provided it is a clean install of Osiris, it will show you the OS type and ask if you want to use the default config (since we edited that config earlier we can accept it). And finally initialize and begin scanning the host.

********

Getting OSSIM to read the Osiris events - Credit to Crislato for clarifying this for me
1. Edit the agent configuration on the Master Server: nano /etc/ossim/agent/plugins/osiris.cfg
   Under the [translation] section add all of the clients you added previously with the same Names and IP addresses you used within Osiris.
2. Restart the OSSIM agent: /etc/init.d/ossim-agent restart

************************************************

I mentioned setting up email alerts earlier and the reason I do is my default address is a mailbox that my colleagues also have access to. They can quickly read the email alerts for the servers they need details on for the time period in question right from their email clients rather than me having to show them how to navigate OSSIM (and restoring archived data for older events). I find it pretty handy. Also I advise setting up a Plugin group called HIMS, adding only Osiris, and adding it as an Event filter so you can quickly just view Osiris events from within OSSIM.
Anyway I hope this helps.
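The same config edits (steps 3 to 7 above) applied with awk instead of nano, plus a check that every edit landed. This is an added example, not part of the post; SAMPLE_CFG is a constructed stand-in for default.windowsserver2003 and the real files in /var/lib/osirismd/configs/ carry more directives than shown here.

```shell
#!/bin/sh
# Added example (not the poster's): non-interactive version of the Osiris
# config edits described in the post, followed by a verification step.
# SAMPLE_CFG is constructed to mimic the snippets shown in the post.

SAMPLE_CFG='<system>
Hash md5
</system>
<Directory c:\WINNT>
Recursive yes
Include suffix("exe")
Include suffix("dll")
</Directory>
<Directory C:\Program Files>
Recursive yes
Include suffix("exe")
</Directory>'

# Filter: reads a config on stdin, writes the edited config on stdout.
harden_osiris_cfg() {
    awk '
    # step 3: hash files with SHA1 instead of MD5
    /^Hash md5$/ { print "Hash sha1"; next }
    # step 4: load the port module right after <system>
    /^<system>$/ { print; print "Include mod_ports"; next }
    # steps 5 and 6: buffer the c:\winnt block so it can be emitted twice,
    # once edited in place and once as a copy for c:\windows
    tolower($0) == "<directory c:\\winnt>" { inwinnt = 1; n = 0 }
    inwinnt {
        if ($0 == "</Directory>") {
            body[n++] = "Include suffix(\"bat\")"
            body[n++] = "Include suffix(\"scr\")"
            body[n++] = $0
            for (i = 0; i < n; i++) print body[i]
            print "<Directory c:\\windows>"
            for (i = 1; i < n; i++) print body[i]
            inwinnt = 0
        } else {
            body[n++] = $0
        }
        next
    }
    # step 7: skip the frequently changing AV / inventory folders
    tolower($0) == "<directory c:\\program files>" {
        print
        print "NoEntry OCS Inventory Agent"
        print "NoEntry Common Files\\Symantec Shared\\VirusDefs"
        print "NoEntry Common Files\\Symantec Shared\\SymcData"
        print "NoEntry Symantec\\Symantec Endpoint Protection Manager\\Inetpub\\content"
        print "NoEntry SAV\\I2_LDVP.VDB"
        print "NoEntry Symantec AntiVirus\\I2_LDVP.VDB"
        next
    }
    { print }'
}

# Returns 0 only when all of the post's edits are present in config file $1.
osiris_cfg_ok() {
    f=$1
    grep -q '^Hash sha1$' "$f"                || return 1
    grep -q '^Hash md5$' "$f"                 && return 1
    grep -q '^Include mod_ports$' "$f"        || return 1
    grep -qi '^<Directory c:\\windows>$' "$f" || return 1
    [ "$(grep -c '^Include suffix("bat")$' "$f")" -eq 2 ] || return 1
    [ "$(grep -c '^Include suffix("scr")$' "$f")" -eq 2 ] || return 1
    grep -q '^NoEntry Common Files\\Symantec Shared\\VirusDefs$' "$f" || return 1
    return 0
}

# Run the filter over the constructed sample, print and validate the result.
demo_osiris_cfg() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_CFG" | harden_osiris_cfg > "$tmp"
    osiris_cfg_ok "$tmp"; rc=$?
    cat "$tmp"
    rm -f "$tmp"
    return $rc
}
```

On a real server you would run the filter as `harden_osiris_cfg < default.windowsserver2003 > default.windowsserver2003.new` and diff the two before replacing the original.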

Subject: Re: Installing the OSSEC Web Interface on OSSIM
Posted by gmicalzoma on Mon, 03 Nov 2008 22:25:22 GMT

Thanks gsporter, it works like a charm, cheers!!!!

Subject: Installing Webmin
Posted by kristian_paul on Thu, 06 Nov 2008 14:57:21 GMT

Installing Webmin
Webmin is a great tool for managing a GNU/Linux system using a web framework (remember: don't leave the powerful console).

1. Edit the /etc/apt/sources.list file on your system and add the line :

deb http://download.webmin.com/download/repository sarge contrib

2. You should also fetch and install a GPG key with which the repository is signed :

cd /root
wget http://www.webmin.com/jcameron-key.asc
apt-key add jcameron-key.asc

3. You will now be able to install:

apt-get update
apt-get install webmin

Adding Webmin to OSSIM Framework

1. edit:

/usr/share/ossim/www/top.php


add:

if (Session::menu_perms("MenuConfiguration", "ConfigurationSystem"))
    $menu["Configuration"][] = array(
        "name" => gettext("System"),
        "id"   => "System",
        "url"  => "https://ossimip:10000"
    );

2. edit:

/usr/share/ossim/include/ossim_acl.inc

add:

// the key must match the second argument of the menu_perms() check in top.php
"ConfigurationSystem" => array ( "name" => "Configuration -> System", "default_perm" => true ),

Go to User => Reload ACL

Done, now you can access Webmin at Configuration => System

Subject: Re: NagiosQL Walkthrough
Posted by umarzuki on Mon, 17 Nov 2008 23:25:10 GMT

that was 1.0.4

Subject: Re: ossim for newbies
Posted by umarzuki on Mon, 17 Nov 2008 23:34:20 GMT

ashar wrote on Sat, 20 September 2008 03:59:
Hi,

I have started to document configuration of the various parts, for newbies. I aim to get people started quickly - there is a huge amount to figure out.

Let me know if there are any mistakes, and what I should do next.


http://sites.google.com/site/ossimnewbie/Home

How about one that I'm trying to figure out here https://www.ossim.net/forum/index.php?t=msg&goto=1522&S=82542d405b07209204333f984f11d169#msg_1522 and the right way for sending SMS and e-mail alerts (my last attempt on 1.0.4 didn't work), or would it be possible for an (annoying) pop-up message?

Subject: Re: Installing Webmin
Posted by kurtsecure on Tue, 18 Nov 2008 17:40:11 GMT

This is excellent although a couple of typos:

apt-get install should be apt-get install webmin

/usr/share/ossim/include/ossim.acl.inc should be /usr/share/ossim/include/ossim_acl.inc

Thanks
Kurt

Subject: Re: ossim for newbies
Posted by dropadrop on Wed, 19 Nov 2008 12:53:50 GMT

Thanks, nice instructions. There is a typo on your interfaces page concerning eth1 though:

Quote: down ifconfig down

for eth2 it's correct.

Subject: Bare metal back up and restore
Posted by here2serve on Fri, 21 Nov 2008 20:30:48 GMT

We wanted a foolproof backup and restore that would not require any real thought or skill. Restoring from scratch with this method took less than 25 minutes.

Backup script

#!/bin/bash
# Processes to shut down before backup: apache2, arpwatch, cron, munin-node,
# mysql, mysql-ndb, mysql-ndb-mgm, nagios2, nessusd, ntop, openvpn, osirisd,
# osirismd, ossec, ossim-agent, ossim-framework, ossim-server, pads, snmpd,
# snmptrapfmt, snort, ssh, webmin
/etc/init.d/arpwatch stop
/etc/init.d/ntop stop
/etc/init.d/munin-node stop
/etc/init.d/apache2 stop
/etc/init.d/nagios2 stop
/etc/init.d/openvpn stop
/etc/init.d/osirisd stop
/etc/init.d/osirismd stop
/etc/init.d/ossec stop
/etc/init.d/ossim-agent stop
/etc/init.d/ossim-framework stop
/etc/init.d/ossim-server stop
/etc/init.d/pads stop
/etc/init.d/snmpd stop
/etc/init.d/snmptrapfmt stop
/etc/init.d/snort stop
# stopping ssh ends any remote session, so run this from the console
/etc/init.d/ssh stop
/etc/init.d/webmin stop
/etc/init.d/cron stop
/etc/init.d/mysql stop
/etc/init.d/mysql-ndb stop
/etc/init.d/mysql-ndb-mgm stop
# archive the whole root filesystem, skipping pseudo-filesystems and the backup mount itself
tar cvpzf /mnt/backup/backup.tgz --exclude=/proc --exclude=/lost+found --exclude=/mnt --exclude=/sys /

reboot -n

Restore Script

#!/bin/bash
# restore script
cp /media/cdrom0/*.tgz /backup.tgz
tar xvpfz /backup.tgz -C /

reboot -n

Directions for the Tech

OSSIM Restore
In case of a system failure you will need the OSSIM cd and the most recent full backup and restore script. The full system backup and script can be found on (whatever location).

1. Unplug the NIC, boot from the OSSIM cd.
2. Enter whatever values you like at any prompt, except under partitioning accept the defaults.
3. After the install is complete put in the backup cd with the restore script.
4. Log in at the prompt as root with whatever password you set during the install.
5. Type " mount /dev/hda "
6. Type "/media/cdrom0/./restore.sh "
7. After it is finished restoring it will reboot. Remove the cd, plug in the NIC, log in and test out your restored system. All user accounts, original passwords, data and programs should be available.

I don't know if you really need to kill all the services in the backup script but it works. The idea came from a forum somewhere, just don't know which one.
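A backup/restore pair in the spirit of the two scripts above, added here as an example and not the poster's code: it records a SHA-256 of the archive and refuses to unpack an archive that fails the check, so a damaged or swapped backup CD is never restored over /. The service list is the thread's (with monit added as the reply below suggests, stopped first so it cannot restart the others); the demo paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the forum post: backup with an integrity record and
# a restore that verifies before extracting. Service names come from the
# thread; everything under /tmp in the demo is constructed.

# Order matters: monit first (it would otherwise restart the rest), mysql last.
OSSIM_SERVICES="monit arpwatch ntop munin-node apache2 nagios2 openvpn osirisd osirismd \
ossec ossim-agent ossim-framework ossim-server pads snmpd snmptrapfmt snort webmin cron \
mysql mysql-ndb mysql-ndb-mgm"

# Stop each init script that is actually installed (not called by the demo).
stop_ossim_services() {
    for s in $OSSIM_SERVICES; do
        [ -x "/etc/init.d/$s" ] && "/etc/init.d/$s" stop
    done
    return 0
}

# make_backup SRC_DIR ARCHIVE: archive SRC_DIR minus pseudo-filesystems,
# confirm the archive lists cleanly, then write ARCHIVE.sha256 beside it.
make_backup() {
    src=$1; arc=$2
    tar -cpzf "$arc" -C "$src" --exclude=./proc --exclude=./sys \
        --exclude=./lost+found --exclude=./mnt . || return 1
    tar -tzf "$arc" > /dev/null || return 1
    (cd "$(dirname "$arc")" && sha256sum "$(basename "$arc")" > "$(basename "$arc").sha256")
}

# verify_backup ARCHIVE: 0 only if ARCHIVE still matches its recorded digest.
verify_backup() {
    (cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" > /dev/null 2>&1)
}

# restore_backup ARCHIVE TARGET_DIR: extract only after the digest check passes
# (the thread's restore.sh extracts to / unconditionally).
restore_backup() {
    verify_backup "$1" || { echo "refusing to restore $1: digest mismatch" >&2; return 1; }
    tar -xpzf "$1" -C "$2"
}

# Demo on a constructed tree: a good archive restores (without /proc contents),
# a tampered copy is rejected. Returns 0 when both behave as expected.
demo_backup_restore() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src/etc/ossim" "$work/src/proc" "$work/out" "$work/restore"
    echo "interface=eth0" > "$work/src/etc/ossim/ossim_setup.conf"
    echo "should be excluded" > "$work/src/proc/cpuinfo"
    make_backup "$work/src" "$work/out/backup.tgz" || return 1
    restore_backup "$work/out/backup.tgz" "$work/restore" || return 1
    [ -f "$work/restore/etc/ossim/ossim_setup.conf" ] || return 1
    [ ! -e "$work/restore/proc/cpuinfo" ] || return 1
    # simulate a corrupted backup medium: alter the archive, keep the old digest
    printf 'x' >> "$work/out/backup.tgz"
    if restore_backup "$work/out/backup.tgz" "$work/restore" 2> /dev/null; then
        return 1
    fi
    rm -rf "$work"
    return 0
}
```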

Subject: Re: Bare metal back up and restore
Posted by kristian_paul on Fri, 21 Nov 2008 20:42:17 GMT

You need to add the monit process or you'll get all the OSSIM process stuff running again.

Subject: Important configuration files
Posted by umarzuki on Sat, 22 Nov 2008 14:53:01 GMT

This is sort of a quick info page for OSSIM users. The main reason I posted it here is so I can check back on it later. I'm a very forgetful person ;) You all can add to it and correct me if I'm wrong. Highly appreciated.

/home/ossim/dist/ossim-update.pl is to update your OSSIM to current version.


/etc/ossim/ossim_setup.conf is where you can configure information on various things such as mysql's root user password, sensor, main NIC and such.

/home/ossim/dist/reconfig.pl is to update information on interfaces and related configurations that you had done manually.

Subject: Re: Bare metal back up and restore
Posted by here2serve on Tue, 25 Nov 2008 09:49:11 GMT

I tested it 3 times and it worked like a champ. I kind of thought I was killing more stuff than needed.

Subject: Re: OSSEC Quick Start Guide
Posted by redbarron on Mon, 01 Dec 2008 15:45:44 GMT

So, if I upgrade my OSSEC via this guide, what happens when 1.07 (presumably) comes out with 1.6 and I run ossim-update.pl on my 1.06 box? Do I need to be concerned with breakage?

Thanks!

DK wrote on Wed, 10 September 2008 15:03:
Cheers on the nice update guide, will be releasing an update with OSSEC 1.6 pretty soon.

Blame Daniel for not getting it into 1.0.6 :) (Just kidding, OSSEC is awesome.)

Subject: Install Oinkmaster and update snort rules
Posted by umarzuki on Wed, 03 Dec 2008 13:13:14 GMT

This is some sort of a walkthrough in the hope anyone can benefit from my past experience.

Install the oinkmaster package: aptitude install oinkmaster
Register at snort's site to get access and download the rules from http://www.snort.org/
Get the oinkcode.


Edit oinkmaster.conf: vi /etc/oinkmaster.conf
Comment out
Quote: url = http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz
and place under it
Quote: url = http://www.snort.org/pub-bin/oinkmaster.cgi/your-oinkcode/snortrules-snapshot-2.7.tar.gz
To make a list of what rules have been disabled:
/usr/share/oinkmaster/makesidex.pl /etc/snort/rules/ > /etc/autodisable.conf
As normal user, update rules with:
oinkmaster -C /etc/oinkmaster.conf -C /etc/autodisable.conf -o /etc/snort/rules/
Run create_sidmap.pl (generates the priority and reliability level for every snort rule):
perl /usr/share/ossim/scripts/create_sidmap.pl /etc/snort/rules/
Restart ossim-server: /etc/init.d/ossim-server restart

*The last two steps were pointed out by juanma
Credits to http://internetsecurityguru.com/ and ossim forum members.

Note: Later the next day, I got a mysql error about not being able to access a certain socket (I forgot to copy the error message) but I don't know if this is related to oinkmaster. A quick reconfig with perl /home/ossim/dist/reconfig.pl would fix that. At least visually :)

Moderator note: I've modified the post so it points to the correct scripts, thank you. Juanma

Subject: Re: Install Oinkmaster and update snort rules
Posted by juanma on Fri, 05 Dec 2008 03:56:10 GMT

Hi umarzuki

Thanks a lot for writing this tutorial. Just two notes: every time you add new snort rules in OSSIM you have to run:

perl /usr/share/ossim/scripts/create_sidmap.pl /etc/snort/rules/

and restart the ossim-server.

This is going to insert into the database the priority and reliability information for all the new rules. Without this info the server is not going to store any event coming from the new snort rules.

Also as a note, you do not have to run reconfig.pl after downloading new rules. It would be nice if you could update your tutorial; if you cannot do that just let me know and I'll edit your post.

Thank you

Juanma


***Note: I've edited my post, I was talking about create_sidmap.pl, but the command I was running was reconfig.pl

Subject: Re: Bare metal back up and restore
Posted by here2serve on Sat, 06 Dec 2008 14:23:39 GMT

I was having some trouble with rrd_threshold. I took your suggestion to add monit to the processes that need to be stopped during backup. rrd is back up again. I'll continue monitoring to see if this fixed my rrd problem or not. Looks good for now.

Thanks - Would love to know why it came back but it's just good to have it working again. The box I am using started off with the 1.04 installer and has all its updates. I may be able to free up another box to run up with the 1.06.

After adding monit to the script I tried to restore from backup. Mysqld fails to start. Had to go back to the Dec 6 backup/troubleshoot Mysqld.

Subject: Re: Bare metal back up and restore
Posted by here2serve on Sat, 06 Dec 2008 14:43:54 GMT

Spoke too soon, rrd is down. Back to the rrd forum.

Subject: OSSIM@VMWARE
Posted by udom on Mon, 08 Dec 2008 10:16:29 GMT

Hi,

in version 1.0.6 of ossim-installer (= debian 2.6.18 at vmware esx 2.5.1 and 2.5.4 and probably some more versions) the clock is not synchronized. I solved the problem by using vmware-tools but the configuration of the vmware-tools is not working without doing some changes. Here is the full list of the necessary commands:

apt-get install autoconf automake make psmisc gcc
apt-get install linux-headers-`uname -r` build-essential
tar -xzvf VMwareTools-######.tar.gz
cd vmware-tools-distrib
./vmware-install.pl
# all default values are ok, but do not configure at the end of the install script!
cd /usr/src/linux-headers-`uname -r`/include/linux
cat utsrelease.h >> version.h
vmware-tools-config.pl
# all default values are ok

Reboot and the clock is synchronized.

Subject: SNORT - Fast Sensor Up to date
Posted by sapling on Wed, 10 Dec 2008 20:09:53 GMT

First of all I would like to say that although I like OSSIM and its abilities I do not like the agent. I seem to have nothing but issues trying to get the agent to properly give OSSIM servers data from agents. The other problem I have is that by default the OSSIM installer for a server is way too slow and not easy to customize for my needs. Not the speed at which it installs but its ability to handle data and create alerts.
This is why I decided that I would build a snort sensor that was capable of handling a large flow of data. My snort sensor is capable of handling all of the rules turned on if I so desired and capture full packets from our bandwidth which is 3xT1's. I am not logging in unified format and send the data directly into mysql. On top of all of this I am running it on a Pentium 4 Single Core 2.4Ghz desktop machine with 1.5Gb's of RAM without any dropped packets. I have a single 80Gb 7200RPM IDE drive.

So with that in mind let me begin my tutorial...
Insert a minimal installer disk for Debian. Install Debian with no additional packages selected. So in other words when it asks if you want Server files, Desktop files, etc... unselect all the options so that it installs only the minimal packages.
Next, for my purpose I decided to give my system 4Gb's of swap space and formatted the system using the ext2 file system. The reason I decided on ext2 was for the speed of the reading and writing.
Once my system has rebooted and I have my new command line server I get to work. First I edit the sources from etch to testing distribution because I want the newest packages.
#nano /etc/apt/sources.list
Change everywhere it says etch to testing...
#apt-get update
#apt-get upgrade
#apt-get dist-upgrade
#apt-get upgrade
reboot

Double check to make sure your system is fully up to date and there are no newer versions out there.
Install some required files onto the system for the packages I will be installing.
#apt-get install gcc g++ make flex gawk automake bison byacc \
  libc6 libc6-dev build-essential libtool autoconf mysql-common \
  libmysqlclient15-dev libnet1 libnet1-dev libpcre3 libpcre3-dev \
  ssh

Now that we have the required packages for snort it's time to install a special version of libpcap. This version of libpcap has mmap enabled. This means that instead of snort waiting for libpcap to move or copy the packets into user land memory it enables snort to pull directly from memory where the packets are first written. So let's go ahead and download it.

#wget http://public.lanl.gov/cpw/libpcap-0.9.8.20081022.tar.gz
#mv libpcap-0.9.8.20081022.tar.gz /usr/src
#cd /usr/src
#tar xvzf libpcap-0.9.8.20081022.tar.gz
#cd libpcap-0.9.8.20081022
#bash bootstrap
(answer with a lowercase y)
I like to use C flags for optimization when I install libpcap and snort, so feel free to ignore this if you don't want to use my C flags.
#CFLAGS=-O3 ./configure --enable-shared
#make
#make install
Copy the following files to the following directories:
#cp ./libs/libpcap-0.9.8.so /lib/libpcap.so
#cp ./libs/libpcap-0.9.8.so /lib/libpcap-0.9.8.so
#cp pcap.h /usr/include
#cp pcap-bpf.h /usr/include

Now you will need to download and install snort. I am using the latest stable version at this time, 2.8.3.1....

#cd /usr/src
#wget http://www.snort.org/dl/snort-2.8.3.1.tar.gz
#tar -xvzf snort-2.8.3.1.tar.gz
#cd snort-2.8.3.1
#CFLAGS=-O3 ./configure --with-mysql --enable-dynamicplugin
#make
#make install

#mkdir /etc/snort
#mkdir /etc/snort/rules
#mkdir /var/log/snort
#addgroup snort
#useradd -g snort snort
#chown snort:snort /var/log/snort
#cp etc/*.conf* /etc/snort/
#cp etc/*.map /etc/snort/

I use oinkmaster for my rules because it's easier when using the emerging threat rules, as they change sometimes daily and it updates your sids for you.

#apt-get install oinkmaster
Edit oinkmaster to the latest free ruleset and enter your oinkcode, assuming you're registered at snort.org. Add in the following url to get the emerging threat rules:
http://www.emergingthreats.net/rules/emerging.rules.tar.gz

#oinkmaster -o /etc/snort/rules
In the future if you want to back up your rules you can always use the -b flag to specify a directory to back up the old rule sets.

I create a simple little script for the purpose of starting snort and the key here is that.
========/etc/init.d/snort==========
#!/bin/bash
ifconfig eth0 up   #change this to whatever sniffing interface you so desire to use
PCAP_MEMORY=650000 snort -c /etc/snort/snort.conf -D -i eth0 -M -u snort -g snort -P 65000
===================================
Explanation of the above:
Check to make sure the interface is up.
Dedicate 650,000kb to snort and use that config in daemon mode, sniff on interface eth0, log messages to /var/log/syslog to gather information back, use user snort and group snort, and capture the first 65000 bytes.
Now I know I said I do full packet captures and I do sorta; I don't capture the tail because of a bug in something I did earlier. I can actually run that command with 65412 which isn't the maximum size a packet can be, but you will be hard pressed to find packets this large most of the time.


#chmod +x /etc/init.d/snort

Modify your snort config to include your emerging threat rules and configure it to log to your database on your ossim server.
=======================================
output database: log, mysql, user=root password=your password dbname=snort host=ossimserver ip sensor_name=I use local ip addresses here
output database: alert, mysql, user=root password=your password dbname=snort host=ossimserver ip sensor_name=I use local ip addresses here
=======================================

Now we need to make a change on the ossim server so that it will allow us to log to the database.
First modify the mysql server to listen on an accessible ip address, through /etc/mysql/my.cnf; and just to make sure that it doesn't get changed I went ahead and modified the file /etc/ossim/ossim_setup.conf.

Then make sure you tell the database that the user is allowed to access things from that ip address. I stuck with using the root account for this tutorial because I wanted to keep things simple, but you could always create other users that have limited access in mysql.

#mysql -u root -p

mysql> GRANT create,insert,select,update,delete ON snort.* TO root@$mysensor1IPaddress IDENTIFIED BY 'mypassword';
mysql> GRANT create,insert,select,update,delete ON snort.* TO root@$mysensor2IPaddress IDENTIFIED BY 'mypassword';
#make sure your password is the one from the ossim_setup.conf if you use root

Modify the snort database so that it can be used by the latest version of snort...

mysql> use snort;
mysql> ALTER TABLE signature ADD sig_gid INT UNSIGNED;
mysql> INSERT INTO `schema` (vseq, ctime) VALUES ('107', now());
mysql> DELETE FROM `schema` WHERE vseq=106;

That should take care of it all. Now if you want to determine how many packets you're dropping based on all of this you can do the following.
You can enable all rules if you like through this oinkmaster command...
#oinkmaster -e -o /etc/snort/rules

Now all your rules are turned on, which I don't recommend because there are some noisy ones. Just try and keep things to what might happen on your network.

Then go ahead and start snort up in another screen without the -D. So use this command...

#apt-get install screen
#screen -S snort
#PCAP_MEMORY=650000 snort -c /etc/snort/snort.conf -i eth0 -M -u snort -g snort -P 65000

Hit Ctrl+a, d to minimize that screen and allow snort to run during a busy time on your network.
Go back into the screen snort's running on with...
#screen -x snort
Ctrl+c to kill the process and if you like restart it again; this time you can use the -D if you want it to run in the background without issues.
Ctrl+a, d again and now run this command:
#cat /var/log/syslog | grep Dropped
This should show you how many packets, if any, snort dropped. Mine always says 0% 0.

Enjoy!
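The "grep Dropped" check at the end of the tutorial, turned into a per-run report and a threshold alert. This is an added example and not the poster's script; SAMPLE_SYSLOG is constructed in the style of Snort's exit statistics as logged with -M, and because the exact wording differs between Snort versions the two awk patterns are assumptions to adjust against your own syslog.

```shell
#!/bin/sh
# Added example (not from the post): parse Snort drop statistics out of
# syslog, report per process id so sensor restarts are kept apart, and fail
# when any run dropped more than an allowed percentage.

# Constructed sample lines; real Snort output may word the statistics differently.
SAMPLE_SYSLOG='Dec 10 20:09:53 sensor snort[2211]: Snort received 1250000 packets
Dec 10 20:09:53 sensor snort[2211]:     Analyzed: 1249000(99.920%)
Dec 10 20:09:53 sensor snort[2211]:     Dropped: 1000(0.080%)
Dec 11 08:00:01 sensor snort[2390]: Snort received 800000 packets
Dec 11 08:00:01 sensor snort[2390]:     Analyzed: 800000(100.000%)
Dec 11 08:00:01 sensor snort[2390]:     Dropped: 0(0.000%)'

# stdin: syslog lines; stdout: "pid received dropped drop_pct", one per run.
snort_drop_report() {
    awk '
    function pid_of(line) { sub(/.*snort\[/, "", line); sub(/].*/, "", line); return line }
    /snort\[[0-9]+]: Snort received [0-9]+ packets/ {
        recv[pid_of($0)] = $(NF - 1)            # "... received 1250000 packets"
    }
    /snort\[[0-9]+]:[ \t]+Dropped: [0-9]+/ {
        d = $NF; sub(/\(.*/, "", d)             # "1000(0.080%)" -> "1000"
        drop[pid_of($0)] = d
    }
    END {
        for (p in recv) {
            r = recv[p] + 0; d = drop[p] + 0
            printf "%s %d %d %.3f\n", p, r, d, (r > 0 ? 100 * d / r : 0)
        }
    }' | sort -n
}

# stdin: syslog lines; stdout: highest drop percentage seen, e.g. "0.080".
snort_worst_drop_pct() {
    snort_drop_report | awk 'BEGIN { m = 0 } $4 > m { m = $4 } END { printf "%.3f\n", m }'
}

# snort_drop_alert MAX_PCT: reads syslog on stdin; returns 1 when any run
# dropped more than MAX_PCT percent of the packets it received, else 0.
snort_drop_alert() {
    worst=$(snort_worst_drop_pct)
    awk -v w="$worst" -v lim="$1" 'BEGIN { exit (w > lim) ? 1 : 0 }'
}
```

On the sensor itself the input would be `grep snort /var/log/syslog | snort_drop_alert 0.5`, which is a convenient cron check.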

Subject: Re: OSSEC Quick Start Guide
Posted by javieralbarra on Wed, 10 Dec 2008 21:42:12 GMT

Problem Update

#ossim:/tmp/ossec-hids-1.6.1# ./install.sh

os_xml_writer.c:74: error: for each function it appears in.)
os_xml_writer.c:74: error: 'fp_in' undeclared (first use in this function)
os_xml_writer.c:75: error: 'fp_out' undeclared (first use in this function)
os_xml_writer.c:85: warning: implicit declaration of function 'fopen'
os_xml_writer.c:96: warning: implicit declaration of function 'fclose'
os_xml_writer.c:101: warning: implicit declaration of function '_WReadElem'
os_xml_writer.c:115: warning: implicit declaration of function 'fseek'
os_xml_writer.c:115: error: 'SEEK_END' undeclared (first use in this function)
os_xml_writer.c:116: warning: implicit declaration of function 'fprintf'
os_xml_writer.c:116: warning: incompatible implicit declaration of built-in function 'fprintf'
os_xml_writer.c: At top level:
os_xml_writer.c:153: error: expected ')' before '*' token
os_xml_writer.c:204: error: expected ')' before '*' token
make[1]: *** [xml] Error 1
make[1]: Leaving directory `/tmp/ossec-hids-1.6.1/src/os_xml'

Error Making os_xml
make: *** [all] Error 1

Error 0x5. Building error. Unable to finish the installation.

Subject: Re: SNORT - Fast Sensor Up to date
Posted by kristian_paul on Tue, 16 Dec 2008 21:23:42 GMT

Are you sure sending events to the snort database is the best way to improve?

I remember OSSIM earlier used that method, and it was replaced by the unified format (a kind of binary format) with the intention of being able to send more data faster on high traffic networks (e.g. 500 Mbps).

In my point of view, having snort write to the database alone with acidbase is ok, but remember that OSSIM exists (if you think snort + spade + OSSIM system) - also all that info is saved in MySQL databases for future analysis.

Another point is: if you're trying to improve packet capture there are experimental approaches out there like PF_RING and Streamline (FFPF), or just begin by disabling device polling; in fact there is a big work to do around that area (http://sc08.supercomputing.org/)

Subject: Re: SNORT - Fast Sensor Up to date
Posted by sapling on Tue, 23 Dec 2008 19:28:22 GMT

You bring up some very good things and I am here to address them.
First, yes on heavier networks you should absolutely use binary output aka unified in conjunction with Barnyard sending the alerts to MySQL. Why? Well if you want snort to move as quickly as possible and capture everything it takes less time for it to keep everything in binary format. AKA snort doesn't have to convert anything to user readable formats.
But why barnyard? Well because it takes the burden off of snort by using an additional program to convert from unified format over to user readable and inserting into our database...
Can't OSSIM do this? Well OSSIM will send the unified format over to the OSSIM_Server; however when I attempted this I ran into many issues. Also it put more burden on my already heavily loaded OSSIM_server.

Second, PF_RING: Well you have to first understand PF_RING and MMAP on a more in-depth basis before you go assuming one is better. The benefits of PF_RING are... It handles more volume and it's not as sloppy and it doesn't require the kernel as much, which means kernel related tasks are now free to continue...
MMAP - Allows us to get our packets directly out of RAM so we can analyze them immediately.

So when does it really have an advantage over PF_RING? When you're dealing with larger packets. In the article I am assuming you read, Advanced Packet Capturing, he touched the surface of how PF_RING is generally only about .5% slower than MMAP when the packet is 1500 bytes long and the bandwidth is full... Well how about when you have a larger packet come across? Tried it? Yes I have... MMAP, due to the fact I am giving it direct memory allocation, can handle it while PF_RING begins to lose focus. So its greatest benefit is for lots of packets which are smaller, making it perfect for NTOP and other systems that only pull the first 1000 bytes or so.

Any other benefits to MMAP? Yes, it's easier to install and get working if you're not running RED-HAT...
What about PF_RING? Not only is it a kernel patch, meaning there is no longer an interaction, but from what I understand you shouldn't need to do anything extra to make it work. As long as your libpcap version supports PF_RING then you don't have to worry about your applications being allocated x memory.

In the articles I have been reading as well I don't like that they only use MMAP at its basic stages... using PCAP_PACKETS=max is not the best solution if you're trying to make sure nothing gets dropped like in my case. I want EVERYTHING.
So I use PCAP_MEMORY= (meaning I tell it, instead of allocating based on maximum packets, allocate me a chunk of memory, which is the more ideal solution if you are capturing larger packets).
How do I know if my packets are that large? If your NTOP is running it will tell you... On my network it's not as common but I do see packets above 1500 bytes because we don't restrict it on the routers. I am not the network admin, don't ask me...
So if you're not seeing a lot of packets over 1500, yes PF_RING will be a great solution.

So they apparently have been improving the PF_RING work as I read, but I can't say for sure if it is the ultimate solution. What I can say is for most of us try both and try and turn on everything. If all goes more smoothly on a lower class machine one way than the other then you have your solution.

Now what I have also read is that adding in a few other patches such as the RTIRQ patch will increase even further the amount you can capture with PF_RING. Again test it out... My tutorial is just so you can understand how I am doing it and to improve your homegrown OSSIM solution.


I do recommend, though, if you are concerned with the MySQL solution, adding in barnyard and having it perform the MySQL transfers, as I do still believe you should get it into MySQL as well.

Subject: Re: SNORT - Fast Sensor Up to date
Posted by DK on Fri, 09 Jan 2009 10:12:37 GMT

I'd like to join this interesting discussion :)

Personally I've had very good experiences using PF_RING, getting to a <1% packet loss with 2 interfaces sniffing at around 900Mbps each.

As for the database output part, last time I checked into it snort was single-threaded; capture/analysis and output sharing a single thread. That would mean it's not optimal for any type of serious capture.

On the other hand, since you're talking about 3xT1 (4.5Mbps), you really don't have to check into PF_RING and such.

But as said, I disagree with direct database output and, if you're having issues with the agent, barnyard should be the way to go. Fixing the issues you've got with the agent would be even better ;)

Subject: Re: OSSEC Quick Start Guide
Posted by DK on Fri, 09 Jan 2009 10:14:11 GMT

javieralbarra wrote on Wed, 10 December 2008 22:42:

Problem Update

#ossim:/tmp/ossec-hids-1.6.1# ./install.sh

os_xml_writer.c:74: error: for each function it appears in.)
os_xml_writer.c:74: error: 'fp_in' undeclared (first use in this function)
os_xml_writer.c:75: error: 'fp_out' undeclared (first use in this function)
os_xml_writer.c:85: warning: implicit declaration of function 'fopen'
os_xml_writer.c:96: warning: implicit declaration of function 'fclose'
os_xml_writer.c:101: warning: implicit declaration of function '_WReadElem'
os_xml_writer.c:115: warning: implicit declaration of function 'fseek'
os_xml_writer.c:115: error: 'SEEK_END' undeclared (first use in this function)
os_xml_writer.c:116: warning: implicit declaration of function 'fprintf'
os_xml_writer.c:116: warning: incompatible implicit declaration of built-in function 'fprintf'
os_xml_writer.c: At top level:
os_xml_writer.c:153: error: expected ')' before '*' token
os_xml_writer.c:204: error: expected ')' before '*' token
make[1]: *** [xml] Error 1
make[1]: Leaving directory `/tmp/ossec-hids-1.6.1/src/os_xml'

Error Making os_xml
make: *** [all] Error 1

Error 0x5. Building error. Unable to finish the installation.

This looks like either an OSSEC issue or a compilation environment issue to me. The installer isn't meant to be a complete development environment :)

Subject: Re: OSSEC Quick Start Guide
Posted by DK on Fri, 09 Jan 2009 10:16:47 GMT

redbarron wrote on Mon, 01 December 2008 16:45:

So, if I upgrade my OSSEC via this guide, what happens when 1.07 (presumably) comes out with 1.6 and I run ossim-update.pl on my 1.06 box. Do I need to be concerned with breakage?

Thanks!

DK wrote on Wed, 10 September 2008 15:03:

Cheers on the nice update guide, will be releasing an update with OSSEC 1.6 pretty soon.

Blame Daniel for not getting it into 1.0.6 :) (Just kidding, OSSEC is awesome.)

No, an ossec update shouldn't break that because either we include the new one (it would overwrite yours) or don't touch it.

Subject: Re: OSSEC Quick Start Guide
Posted by blucas on Sun, 08 Feb 2009 22:20:31 GMT

Hello all,

I'm a newbie at linux and even more at OSSIM. I try to do the upgrade to ossec, but I always get this msg.

ossim:/tmp/ossec-hids-1.6.1# ./install.sh

 ** Para instalação em português, escolha [br].
 ** 要使用中文进行安装, 请选择 [cn].
 ** Fur eine deutsche Installation wohlen Sie [de].
 ** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
 ** For installation in English, choose [en].
 ** Para instalar en Español , eliga [es].
 ** Pour une installation en français, choisissez [fr]
 ** Per l'installazione in Italiano, scegli [it].
 ** 日本語でインストールします．選択して下さい．[jp].
 ** Aby instalować w języku Polskim, wybierz [pl].
 ** Для инструкций по установке на русском,введите [ru].
 ** Za instalaciju na srpskom, izaberi [sr].
 ** Türkçe kurulum için seçin [tr].
  (en/br/cn/de/el/es/fr/it/jp/pl/ru/sr/tr) [en]:

Error 0x3. You need a compiler (like gcc or cc) to continue with the with the installation.

ossim:/tmp/ossec-hids-1.6.1#

I even tried with ver. 1.6, and i got the same error.

Does anyone know why this happen?

Thanks for the great work.

Regards
Blucas

Subject: Re: OSSEC Quick Start Guide
Posted by gsporter on Mon, 09 Feb 2009 01:11:39 GMT

I assume you are working with an install from the installer? It should have gcc included. Try running this to check and see if gcc is installed

# dpkg -l | grep gcc

You should get an output similar to this:

ii  gcc-4.1-base   4.1.1-21   The GNU Compiler Collection (base package)
ii  libgcc1        4.1.1-21   GCC support library

Since OSSIM is an appliance rather than a development environment it does not have all the development tools installed.

Try running this:

apt-get install build-essential

then retrying the install script.

GP

Subject: Re: OSSEC Quick Start Guide
Posted by hidoa on Fri, 13 Feb 2009 21:56:32 GMT

I have OSSIM 1.06. I see the OSSEC version is 1.4. I tried running the update. I am in /ossec/tmp. I have it extracted to a folder. I run ./install.sh. I tell it 'en', then tell it to upgrade, and it fails with this error.

Error making os_xml
make: *** [all] Error 1

Error 0x5
Building error. Unable to finish the installation.

Takes me back to prompt....

Any ideas?

Subject: Re: Installing the OSSEC Web Interface on OSSIM
Posted by hidoa on Fri, 13 Feb 2009 22:03:09 GMT

I followed the instructions and I get the error below when I try to browse to the site.... My step 5 was ossec:x:113:www-data not ossec:x:1002:www-data. Not sure if that matters or not...

Warning: opendir(/var/ossec) [function.opendir]: failed to open dir: Permission denied in /var/www/ossec-wui/lib/os_lib_handle.php on line 94
Unable to access ossec directory.

Subject: Ethernet capture
Posted by gsporter on Sun, 15 Feb 2009 00:52:02 GMT

In talking with my students I realized there is a need to discuss the need for a method of capturing Ethernet traffic. As the industry moves away from shared media (hubs) it becomes more complicated than simply putting your nic in promiscuous mode. The principal methods in use are Taps / Span-Mirroring / Hubs / Inline Machine

There is a well written basic discussion on the Wireshark site discussing the various methods of capturing Ethernet along with the pros and cons of each method.

http://wiki.wireshark.org/CaptureSetup/Ethernet

If you login to the Snort site there are a number of articles under “IDS Deployment Guides” on the requirements for different types of taps

http://www.snort.org/docs/

These even include a guide for building your own “passive tap”. This can be important for proto-types, labs etc since commercial taps start at @ $300 and go up.

A follow up article on building a passive tap which also covers how to set up nic bonding/trunking, which is necessary if you want to hear full duplex traffic

http://altsec.info/passive-network-tap.html

I am including a couple of additional references on nic bonding also

(Note: since OSSIM is based on Debian I have stuck to that distro.)

http://www.howtoforge.com/nic_bonding

http://packages.debian.org/stable/net/ifenslave

I hope forum readers will post their solutions and ideas here!

Subject: Re: Installing the OSSEC Web Interface on OSSIM
Posted by gsporter on Sun, 15 Feb 2009 01:23:00 GMT

To be honest I can't seem to lay my hands on my original documentation. I checked the original OSSEC wiki documentation here:

http://www.ossec.net/wiki/index.php/OSSECWUI:Install

I checked

grep ossec /etc/group
grep ossec /etc/passwd

I received the same group (113) you did.

I believe the problem is to be sure the ossec user has permissions to the web directory, which is accomplished by making it a part of the apache (www-data) group.

I had updated ossec (1.4 to 1.6) on the ossim server using the tutorial on the forums, which may account for the difference in the group.

https://www.ossim.net/forum/index.php?t=msg&th=290&start=0&S=449d8eaaa2181cd6b7a6db10b81a833f

When I get a few minutes I will do the upgrade/web install and see if I can reproduce the issue.

GP

Subject: Re: Installing the OSSEC Web Interface on OSSIM
Posted by wintech on Mon, 23 Feb 2009 08:24:40 GMT

Hi,

While I try to enable OSSEC WUI I get the following error. Please do help me.

I have installed on CentOS 5.2 with Apache 2.x.x version

./setup.sh
which: no htpasswd in (/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin)
which: no htpasswd2 in (/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin)
Setting up ossec ui...

Username: Username: root
** ERROR: Could not find htpasswd. No password set. :(

Regards
Wintech

Subject: Re: Installing the OSSEC Web Interface on OSSIM
Posted by DK on Mon, 23 Feb 2009 17:41:36 GMT

OSSEC is searching for htpasswd in your path, try a "find / -name htpasswd" or "find / -name htpasswd2", then add that path to your $PATH or link it to some of the paths searched by the wui installer.

Subject: Re: Installing the OSSEC Web Interface on OSSIM
Posted by wintech on Tue, 24 Feb 2009 11:37:41 GMT

Hi,

Thanks for the reply.. I have rectified the issue. Should I add the Ossec-WUI in the Apache VirtualHost directory... When I try to access the site I get "You don't have permission to access /ossec-wui/index.php on this server.".

Kindly help on this issue.

Regards
Wintech

Subject: Re: Installing the OSSEC Web Interface on OSSIM
Posted by DK on Tue, 24 Feb 2009 11:43:08 GMT

You should check your apache logs, I don't know where they are located on CentOS. Maybe it's indeed a permission problem, a symlink problem or it's just trying to reach the wrong site.

Subject: Basic OSSIM 1.0.6 Sensor set up
Posted by paul_psmith on Wed, 25 Feb 2009 20:03:32 GMT

Created this document to build a basic OSSIM sensor on 1.0.6 installer.

Shows how to do the basic configuration to make the sensor just do that and send info to a main server.

Assumes main server is DB, Server, webgui, main policy host.

Please post changes, ideas, corrections, etc.

PS

File Attachments
1) Build OSSIM 1.0.6 sensor.doc, downloaded 650 times

Subject: Re: Install Oinkmaster and update snort rules
Posted by binaryman on Wed, 25 Feb 2009 20:44:39 GMT

Hi,

Thanks for this. I was able to perform these steps with a few minor adjustments:

1. I first had to do an "apt-get update" before I could do "aptitude install oinkmaster"

2. You said "Get the oinkcode" which confused me, but I figured out you need to perform the following steps:

- Create an account at https://www.snort.org
- Once you login, you will see a section "Oinkmaster Download Codes"; click the "Get Code" button at the very bottom
- Follow the instructions in the "Configuration Changes:" section

3. You need to make sure you include (/etc) before autodisable.conf if you are not in the /etc directory when running the command:

/usr/share/oinkmaster/makesidex.pl /etc/snort/rules/ > /etc/autodisable.conf

Subject: Re: Basic OSSIM 1.0.6 Sensor set up
Posted by binaryman on Wed, 25 Feb 2009 21:54:10 GMT

Thanks Paul, good job.

Some comments:

1. According to DK in this post, this is not necessary:

Modify the /etc/ossim/ossim_setup.conf file and change two profile= lines to sensor. No other changes needed.

a. profile=sensor

2. For step #7, you put "I can’t remember if I hit “Insert New Sensor” or I clicked the modify button. Will need to fix this." I can confirm you do not need to "Insert New Sensor"; it shows up automatically.

3. Can you add the oinkmaster thread (or a link to it).

It would be great if we can update this thread on how to configure the sensor for each agent (ie. Nessus, Ntop, OSSEC, etc.), or at least include a link if it is somewhere else in the forum.

Subject: Re: OSSIM@VMWARE
Posted by binaryman on Wed, 25 Feb 2009 21:56:25 GMT

Thanks, I needed this.

Subject: Re: Basic OSSIM 1.0.6 Sensor set up
Posted by paul_psmith on Wed, 25 Feb 2009 22:32:05 GMT

Thanks b-man.

Ah. I see what you mean on the ossim_setup.conf. I think you might want to change it anyway for forward compatibility with the upcoming upgrade? DK could possibly answer that. Seems to me after I did that things changed, but maybe that was on the server. I know when I changed it there, the agent stuff went away.

I also think this file gets used on boot to tell ossim what this system is used for. So you might be able to remove or add agents there in the sensor area.

On step 7, what I meant to say was that the sensor showed up without me doing anything, but had a state of Active=no. I don't remember what I did to change it to active=yes. If you remember let me know.

Thanks!!

Subject: Re: Installing the OSSEC Web Interface on OSSIM
Posted by wintech on Thu, 26 Feb 2009 08:38:02 GMT

Hi,

I have some other sites accessing the same location... All sites work perfectly, and when I try ossec-wui I am able to access the site and I get a password prompt, and after that I get "You don't have permission to access /ossec-wui/index.php on this server.".

Please help in this to resolve the issue once for all

Subject: Re: Installing the OSSEC Web Interface on OSSIM
Posted by gsporter on Thu, 26 Feb 2009 13:31:25 GMT

I don't have the ossec-wui installed anywhere right now to check, but let me see if I understand the problem.

When you access the ossec-wui from another box you get the password prompt and permission error? If that is what is happening, you didn't assign the apache user permissions to the folder. If it is an ossim installer box the apache user is www-data.

Please let me know if I am not following the problem correctly.

GP

Subject: Re: Installing the OSSEC Web Interface on OSSIM
Posted by hidoa on Thu, 26 Feb 2009 15:29:54 GMT

gsporter wrote on Sat, 14 February 2009 18:23:

To be honest I can't seem to lay my hands on my original documentation. I checked the original OSSEC wiki documentation here:

http://www.ossec.net/wiki/index.php/OSSECWUI:Install

I checked

grep ossec /etc/group
grep ossec /etc/passwd

I received the same group (113) you did.

I believe the problem is to be sure the ossec user has permissions to the web directory, which is accomplished by making it a part of the apache (www-data) group.

I had updated ossec (1.4 to 1.6) on the ossim server using the tutorial on the forums, which may account for the difference in the group.

https://www.ossim.net/forum/index.php?t=msg&th=290&start=0&S=449d8eaaa2181cd6b7a6db10b81a833f

When I get a few minutes I will do the upgrade/web install and see if I can reproduce the issue.

GP

GP,
I do have the ossec user in the www-data group.

This line in /etc/group - ossec:x:113:www-data.

My exact error is
--------------
Warning: opendir(/var/ossec) [function.opendir]: failed to open dir: Permission denied in /var/www/ossec-wui/lib/os_lib_handle.php on line 94
Unable to access ossec directory.
----------------------------

I did a ls -l in /var/www, here are the results.

drwxr-xr-x 8 ossec 1000 4096 2009-02-13 15:10 ossec-wui

I also did a ls -l in /var/www/ossec-wui, here are the results.

-rwxr-xr-x 1 ossec 1000       278 2008-02-27 18:38 CONTRIB
drwxr-xr-x 3 ossec 1000      4096 2008-03-04 12:24 css
-rw-r--r-- 1 ossec 1000       218 2008-02-29 13:21 htaccess_def.txt
drwxr-xr-x 2 ossec 1000      4096 2008-03-04 12:24 img
-rwxr-xr-x 1 ossec 1000      5225 2008-02-27 18:38 index.php
drwxr-xr-x 2 ossec 1000      4096 2008-03-04 12:24 js
drwxr-xr-x 3 ossec 1000      4096 2009-02-13 15:10 lib
-rw-r--r-- 1 ossec 1000     35745 2008-03-03 08:27 LICENSE
-rw-r--r-- 1 ossec 1000       462 2007-03-19 21:36 ossec_conf.php
-rw-r--r-- 1 ossec 1000      1157 2008-02-27 18:38 README
-rw-r--r-- 1 ossec 1000       923 2008-02-27 18:38 README.search
-rwxr-xr-x 1 ossec 1000      1824 2008-02-29 13:21 setup.sh
drwxr-xr-x 2 ossec 1000      4096 2009-02-13 15:10 site
drwxrwx--- 2 root  www-data  4096 2009-02-13 15:10 tmp
-------------------------------------------

I did a vi /etc/group and couldn't find the 1000 group anywhere... not sure who/what that is.

Thanks

Subject: Re: Installing the OSSEC Web Interface on OSSIM
Posted by wintech on Fri, 27 Feb 2009 10:38:55 GMT

Hi,

You are correct... As per the Wiki docs I have installed and configured, but still I get the error

Regards

Wintech

Subject: Re: Basic OSSIM 1.0.6 Sensor set up
Posted by binaryman on Fri, 27 Feb 2009 16:09:06 GMT

Yeah, it would be good if DK can confirm if this is needed or not.

I do not recall the exact step I did to make the sensor active in the console, but I remember it was a single click such as "activate"

Subject: Re: Basic OSSIM 1.0.6 Sensor set up
Posted by DK on Fri, 27 Feb 2009 17:40:02 GMT

Hey, both of you are right, but the best idea is to set it to sensor. Indeed I intend to release the next version with the multi-profile reconfig script.

Aaah, and cheers on the doc. I'm afraid I didn't have the time to check it out yet, am very busy with the release right now :)

Subject: Re: Installing the OSSEC Web Interface on OSSIM
Posted by gsporter on Sat, 28 Feb 2009 05:28:57 GMT

I just got the OSSIM OSSEC server output into a standalone Splunk server working. I think this is a better way to analyze the OSSEC output than OSSEC-WUI, since you can do more granular searches plus the ability to do "pretty" graphs.

I will be putting together a tutorial soon.

GP

Subject: OSSIM Password listing
Posted by DK on Sat, 28 Feb 2009 09:33:33 GMT

I want to summarize the default passwords used inside ossim, where they are located and how to change them. This is work in progress as new stuff with passwords is being added and behaviour may change. It will always refer to the latest AlienVault installer version, which right now is:
- 1.2beta1 (public testing release)

Basic behaviour is that the installer creates a random password that gets stored into /etc/ossim/ossim_setup.conf.

An automated way to extract it would be:

grep pass /etc/ossim/ossim_setup.conf | cut -f 2 -d "="

This password is used for:
- ntop (it's inside a db file under /var/lib/ntop/)
- mysql database password (mysql.users table)
- ossim (/etc/ossim/framework/ossim.conf)
- snort database access (somewhere in the table ossim.config)
- phpgacl database access (somewhere in the table ossim.config)
- osvdb database access (somewhere in the table ossim.config)
- nessus (for the user ossim /var/lib/nessus/users/ossim/auth/hash)
- ossim server, various entries (/etc/ossim/server/config.xml)
- SEM crypto signing key (same server config.xml, only applies to the pro version)
- Jasperserver mysql access (/var/tomcat/conf/Catalina/localhost/jasperserver.xml)
- Forensics console, former BASE (/usr/share/ossim/www/forensics/base.conf and /etc/acidbase/database.php)

Then there's the OSSIM interface user/password combination "admin/admin" by default. This is stored as an md5 hash with a user-configured salt under ossim.users. Other users are stored in here too.

OCS uses a default admin/admin too (we need to code single sign on for this). This password is stored inside the ocs_inventory DB (verify DB/table).

The jasperserver console defaults to jasperadmin/jasperadmin. Ditto with single sign on. This is configured in the jasperadmin DB.

Tomcat management access defaults to admin/admin, configured under /var/tomcat/conf/ (selfnote: ENTER FILE). Ditto.

Note: it's on top of our todo list to unify password management for all the admin/jasper stuff.

If you're missing any place or see something incorrect please post below and I'll edit this post :)
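One check a practitioner will want after reading this list, added here as an example that is not code from the post or from OSSIM: it walks the plain-file locations named above and reports which copies of the shared installer password are readable by everyone on the box. The file list is taken from the post; the script and its verdicts are an assumption about what to audit, not an OSSIM tool.

```shell
#!/bin/sh
# Added example (not from the post): report the permission bits on the files
# that hold copies of the installer password listed above, so a copy that is
# readable by everyone on the box stands out. Usage: audit_secret_files [file ...]

# Plain-file locations named in the post (the ntop db, mysql and ossim.config
# copies live inside databases and are not covered here).
OSSIM_SECRET_FILES="/etc/ossim/ossim_setup.conf
/etc/ossim/framework/ossim.conf
/etc/ossim/server/config.xml
/var/tomcat/conf/Catalina/localhost/jasperserver.xml
/usr/share/ossim/www/forensics/base.conf
/etc/acidbase/database.php
/var/lib/nessus/users/ossim/auth/hash"

# Permission bits of a file in octal (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print "<perms> <file> <verdict>" per file. Returns 1 if any file is readable
# by "other"; group-readable files are only flagged for a manual look.
audit_secret_files() {
    if [ $# -eq 0 ]; then set -- $OSSIM_SECRET_FILES; fi
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "$f: not present (skipped)"
            continue
        fi
        # keep the low three octal digits, dropping any suid/sgid/sticky digit
        perms=$(printf '%03d' "$(( $(file_mode "$f") % 1000 ))")
        group=${perms#?}; group=${group%?}; other=${perms#??}
        verdict=ok
        if [ $((other & 4)) -ne 0 ]; then
            verdict="WORLD-READABLE"; rc=1
        elif [ $((group & 4)) -ne 0 ]; then
            verdict="group-readable (confirm the group is the service's own)"
        fi
        echo "$perms $f $verdict"
    done
    return $rc
}

audit_secret_files "$@" || echo "at least one copy of the password is readable by everyone"
```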

Subject: Re: Installing the OSSEC Web Interface on OSSIM
Posted by wintech on Mon, 02 Mar 2009 06:52:05 GMT

HI GP,

Thanks for the reply.... Please let me know once the document is uploaded...

Regards
Wintech

Subject: Re: Use HTTPS instead of HTTP
Posted by kingwah on Tue, 03 Mar 2009 07:58:14 GMT

I found a way to update the graphs in Executive Panel while running HTTPS.

Steps are:
1. Go to "Executive Panel" page
2. Click [Edit] at the top right hand corner
3. Click [config] next to the graph which cannot be shown
4. In “Sub-category”, change the image src from http to https, then click “Accept config”.

Subject: Re: Basic OSSIM 1.0.6 Sensor set up
Posted by binaryman on Tue, 03 Mar 2009 17:02:34 GMT

Thank you for the clarification DK

Subject: Re: Installing the OSSEC Web Interface on OSSIM
Posted by wintech on Thu, 05 Mar 2009 11:56:24 GMT

HI,

Please let us know once you uploaded the document...

Thanks
-Wintech

Subject: Re: OSSIM Password listing
Posted by mime on Thu, 05 Mar 2009 19:15:05 GMT

Thanks a lot DK

Subject: Re: Installing the OSSEC Web Interface on OSSIM
Posted by ecuison on Wed, 11 Mar 2009 16:51:49 GMT

I have this setup on CentOS 5.2. The user is apache, if anyone comes across any problems, as I found this out the hard way.

Subject: Re: Installing the OSSEC Web Interface on OSSIM
Posted by wintech on Thu, 12 Mar 2009 09:57:10 GMT

Hi,

Not only for you.. Everyone faces the same issue :blush: ....

Regards

Wintech 8o

Subject: Re: Installing the OSSEC Web Interface on OSSIM
Posted by gsporter on Thu, 12 Mar 2009 12:42:46 GMT

Correct, the apache user may vary by distro. See step 5 of the OSSEC documentation I referenced in my original post:

http://www.ossec.net/wiki/index.php/OSSECWUI:Install

I was assuming everyone would be using the installer therefore Debian.

I like the splunk method a lot better (see post elsewhere) and it has pretty graphs! Great for management.

GP

For Splunk:

Down and dirty OSSIM OSSEC >> Splunk [message #2543 is a reply to message #2285]

https://www.ossim.net/forum/index.php?t=msg&goto=2543&S=d30366386f5cd9ca818860c7bac52009#msg_2543

Subject: Re: ossim for newbies
Posted by attrib75 on Thu, 12 Mar 2009 18:27:07 GMT

I tried this method and the result after checking ifconfig is:

ip: unknown host failed to bring up eth1

I installed this as a virtual machine with two host attached nics.

Subject: Re: ossim for newbies
Posted by paul_psmith on Thu, 12 Mar 2009 18:43:40 GMT

Are your IF's named eth ?

Also there is a typo in the doc. This has been noted before.

For my sensor IF I used:

#The sensor interface eth1
iface eth1 inet manual
    up ifconfig $IFACE up
    up ifconfig $IFACE promisc
    up ifconfig $IFACE -arp
    down ifconfig $IFACE down

And it works fine.

Subject: Re: ossim for newbies
Posted by gsporter on Thu, 12 Mar 2009 22:48:12 GMT

If you are using the new 1.2 installer try using ossim-setup from the cli for network configuration. It makes network configuration menu driven.

GP

Subject: Re: ossim for newbies
Posted by attrib75 on Sat, 14 Mar 2009 17:33:08 GMT

Ok, after configuring it the way described in the above tutorial, the web interface went down. So I tried it a lot of ways, and it seemed to work when I configured it like this:

auto lo eth0 eth1
iface lo inet loopback

iface eth0 inet static
    address ...
    netmask ...
    network ...
    broadcast ...
    gateway ...

iface eth1 inet manual
    up ifconfig $iface up
    up ifconfig $iface promisc
    up ifconfig $iface -arp
    down ifconfig $iface down

as in I could get to the web interface again, but I got an error when running the network restart command:

UP: error fetching interface information: device not found
Failed to bring up eth1

So when I configured the eth1 info in the same format as eth0, I didn't get any errors but I still couldn't see any non broadcast traffic in the web interface. (eth1 is on a mirrored switch port)

Subject: Re: ossim for newbies
Posted by gsporter on Sat, 14 Mar 2009 18:10:12 GMT

From your post it is hard to determine the cause. I would narrow it down. First your nic itself:

Can you post the output of:

ifconfig -a # this should show all the nics the OS sees

and

lspci |grep Ethernet # Information about your nic hardware

Another tool you can use to get info is

ethtool <device> # ie. eth0 or eth1

References:

Low level nic/ip

http://www.debian.org/doc/manuals/reference/ch-gateway.en.html

Subject: Re: ossim for newbies
Posted by attrib75 on Mon, 16 Mar 2009 12:50:21 GMT

Sorry, I'm a Windows guy, new at this shell. I don't know how to prevent the info from scrolling past the window. Is there an equivalent to /p?

Subject: Re: ossim for newbies
Posted by umarzuki on Mon, 16 Mar 2009 13:19:47 GMT

If you want to 'stop/freeze' say, certain info from a command like ifconfig, just pipe it to less:

ifconfig | less

or you could scroll up by holding shift and pressing page up.

Subject: Re: ossim for newbies
Posted by attrib75 on Mon, 16 Mar 2009 15:32:50 GMT

Ok, the ifconfig -a shows

eth0 Link encap:Ethernet HWaddr .... inet addr:....

eth1 Link encap:Ethernet HWaddr .... inet addr ......

so it sees the interface when I configure the interface file as I mentioned. When I configure it like

iface eth1 inet manual
    up ifconfig $IFACE up
    up ifconfig $IFACE promisc
    up ifconfig $IFACE -arp
    down ifconfig $IFACE down

I get an error

thanks for all your help so far!

Subject: Re: ossim for newbies
Posted by gsporter on Mon, 16 Mar 2009 19:20:49 GMT

attrib75

What I was trying to find out is if OSSIM was seeing your nic's and if so correctly.

For example I am running a number of systems on Intel D945GCLF/D945GCLF2 with older debian kernels. They have Realtek 8168/8111 nics which are incorrectly detected as 8169's. The 8169 driver loads and may even run for a while, then stops. You have to download the correct driver and build it.

I understand about the learning curve for linux when coming from windows. I would suggest installing putty and winscp on a windows box if you have one available. Then it is very easy to run cli commands in putty (you can even cut and paste from these forums) or edit files in a windows type environment with winscp.

lspci | grep Ethernet

or

lshw -C network

will show what nics are physically in your machine. That way we can tell more about what is going on.

By the way, which installer are you running? OSSIM 1.0.X is running an older kernel and does not have as much hardware support.

P.S.

For output that runs off the page you can either

lsmod | less # q to quit

or

lsmod | more # similar to the windows more pipe

GP

Subject: Re: ossim for newbies
Posted by attrib75 on Tue, 17 Mar 2009 12:58:54 GMT

lspci|grep ethernet returns a blank line.
lspci by itself returns a list that contains two ethernet controllers.
I am running ossim 1.0.6 in Sun virtual box on a Dell Poweredge 2950 that has 4 ethernet ports, (gigabit), and two Intel(R) Xeon(R) CPU E5405 @ 2.00GHz processors. I don't have the hardware available to run this on a dedicated machine. I tried installing ossim 1.2 and it returned an error that I had the wrong processor type. It said it was looking for x86 and found I86. I suspect this is because the server has two processors.
lshow returned command not found.
ethtool returned command not found.
I posted the ifconfig -a already. I really like Ossim and would love to get it to work. Thanks again for the help everyone.

Subject: Re: ossim for newbies
Posted by paul_psmith on Fri, 20 Mar 2009 20:22:53 GMT

Try getting a copy of putty that you can install on your PC, assuming you are using Windows. Then you can SSH to the OSSIM box and cut and paste things from the comfort of your desk. Note: highlighting text in putty is like copy.

you wrote:
'> lspci by itself returns a list that contains two ethernet controllers.'

Dell uses Intel NICs on the motherboard and it looks like those two are showing up, since you say you see two NICs.

Your two other NICs in PCI slots are not being recognized is my guess.

This is all based upon your comments.

Do you know what model the other two NICs are? If they are Intel do something like this

dmesg | grep -i eth

Also, when you define NICs in /etc/network/interfaces you will need to add settings for each adapter, but change the iface name on the first line of each section and put them all in the auto line at the top.

auto lo eth0 eth1 eth2 eth3

iface eth1 inet manual
    up ifconfig $IFACE up
    up ifconfig $IFACE promisc
    up ifconfig $IFACE -arp
    down ifconfig $IFACE down

iface eth2 inet manual
    up ifconfig $IFACE up
    up ifconfig $IFACE promisc
    up ifconfig $IFACE -arp
    down ifconfig $IFACE down

iface eth3 inet manual
    up ifconfig $IFACE up
    up ifconfig $IFACE promisc
    up ifconfig $IFACE -arp
    down ifconfig $IFACE down

Subject: Re: ossim for newbies
Posted by anton on Fri, 20 Mar 2009 23:01:15 GMT

attrib75 wrote on Tue, 17 March 2009 08:58:

lspci|grep ethernet returns a blank line.
lspci by itself returns a list that contains two ethernet controllers.

Most everything in Linux/Unix type systems is case sensitive, that's why "lspci | grep ethernet" didn't work (non-capitalized Ethernet), but "lspci" by itself did..

Quote:

I am running ossim 1.0.6 in Sun virtual box on a Dell Poweredge 2950 that has 4 ethernet ports, (gigabit), and two Intel(R) Xeon(R) CPU E5405 @ 2.00GHz processors. I don't have the hardware available to run this on a dedicated machine. I tried installing ossim 1.2 and it returned an error that I had the wrong processor type. It said it was looking for x86 and found I86. I suspect this is because the server has two processors.

I think I know why this happened: OSSIM 1.0.6 is 32bit, while 1.2 is 64bit. I suspect the "Sun virtual box" (I'm not familiar with it) will not run 64bit OS's? Is the host OS 64bit? The Xeon E5405 most certainly is 64bit.

If you're having trouble because 1.2 is 64bit, OSSIM 1.1 should be available sometime reasonably soon I think, and it should pretty much be a 32bit version of 1.2, so that may be good.

Quote:
    lshow returned command not found.
    ethtool returned command not found.

The command is "lshw", not "lshow"... It stands for "list hardware", by the way (remember everything is case sensitive also).

You can install these tools as follows:


apt-get install ethtool lshw

Tip: you can use tab completion - for example, type "lsh", then hit the 'tab' key (after lshw is installed). It saves on typing (and typos...). 8)

Anton

Subject: Re: Installing Webmin
Posted by gutzba on Tue, 24 Mar 2009 18:04:49 GMT

Thanks. Excellent How To Install WebMin.

Subject: Re: ossim for newbies
Posted by attrib75 on Wed, 25 Mar 2009 15:31:49 GMT

Awesome answer! I think I figured out what the problem was. I think I was typing $Iface instead of $IFACE. Anyway it shows the nic in promiscuous mode. I look forward to Ossim 1.1. I'm not sure if you can run 64 bit OS in virtual box. Now it's just a matter of tackling the rest of the configuration for Ossim. You would think I could see all of the destination addresses for remote traffic in Nmap, since the promiscuous port is attached to a switch port where traffic for the whole network is mirrored. But so far I only see local broadcast and unicast traffic. How disappointing! I'm still only seeing what I would see on a non mirrored switch port.

Subject: Tuning OSSIM for Your Environment
Posted by gsporter on Thu, 26 Mar 2009 02:57:35 GMT

For those of you who have kept up with the 1.2 betas, you know there are LOTS of alerts and incidents.

The trick is which ones are important and translating it into some thing usable.


I am trying to work out a process to start cutting down the "white noise" or false positives generated by my network. I am running a heterogeneous network with several distros of linux, Windows (AD domain), a number of vmware guests and the miscellaneous other OS.

My test network is behind both a hardware and software firewall that are configured fairly strictly and all hosts run current AV. Therefore I started under the idea that most of the alerts/incidents I was seeing were generated by my network.

Note: For the purpose of baselining my network I have not set the two firewalls to log to OSSIM. That will be the next step.

The trick as I see it is identifying "normal" traffic from your network, and the traffic generated by OSSIM (plus sensors etc), in order to implement a way to filter out normal traffic. First I have to establish a baseline and "normalize" my data. Then I can look at ways to configure OSSIM correctly.

The areas I see for identifying reported traffic include:

I. The "Forensics Console"

If I select "Unique Alerts" (by the way, click on the little graph box to the left for a time trend of that specific alert), my system is currently showing 621 total unique alerts. The vast majority of the volume of alerts is generated by 5 signatures:

portscan: Open Port                      unclassified   261798 (47%)
Spade: Closed dest port used             unclassified   185224 (33%)
Spade: Source used odd dest port         unclassified   145818 (26%)
MISC UPnP malformed advertisement        unclassified   127904 (23%)
WEB-MISC Invalid HTTP Version String     unclassified    50706 (9%)

Note: the percentages do not seem to total up to 100% at this time

The first three are generated by OSSIM itself. In fact OSSIM is reported as the "attacker" 97% of the time. The UPnP is being generated by Vista and I can disable it.

II. Incidents

I am hoping that by "tagging" incidents that are benign in my network as OSSIM_INTERNAL_FALSE_POSITIVE, or things I need to harden/disable etc as OSSIM_INTERNAL_PENDING, I will be able to use the jasper server and iReports to generate a more detailed implementation plan.


III. Reports

Host Report

Alarm Report

Security Report

Incident Report

From those reports I found some of the other things to look into:

Identify IP addresses you do not recognize (both source/attacker and destination/target).

Note: I put a reference of special use IP ranges used for things like routing protocols at the end of this document.

202.47.28.150         # still unknown, not registered
239.255.255.250       # special use broadcast, UPnP Vista
192.0.2.42        673 # unknown
207.46.197.32     633 # unknown
202.47.28.150         # unknown
213.30.161.23     241 # mondo.hpintelco.net, mondo project, ok
68.1.17.1             # my ISP
208.67.222.222        # OpenDNS server
208.67.220.220        # OpenDNS server
212.211.132.32        # villa.debian.org
35.9.37.225           # ike.egr.msu.edu debian repository
195.20.242.89         # wieck.debian.org debian repository
64.50.238.52      534 # ftp-atl.osuosl.org debian repository


Note: I had already identified some of the IPs as my DNS servers or debian repositories and added them as hosts and created a policy to drop them. I use nslookup, whois and a browser to try and identify the rest. The IPs that show up on your box may be different. Check them out and be sure they are supposed to be showing up.

P.S. Any help identifying the unknowns would be appreciated

Identify ports you do not recognize (both source/destination) and the service that uses them (and if you are supposed to be running them!!).

From the alarms report I had listed the following ports:
__________________________________________________________

59313 unknown
    32768-61000 tcp  ip-local-port-range  local-client-port-linux
    Local clients ports for outgoing traffic on Linux (Kurt Seifried). This port range can be configured on Linux by using the "sysctl" command and the "net.ipv4.ip_local_port_range" variable.

    32768-61000 udp  ip-local-port-range  local-client-port-linux
    Local clients ports for outgoing traffic on Linux (Kurt Seifried). This port range can be configured on Linux by using the "sysctl" command and the "net.ipv4.ip_local_port_range" variable.

Note: need to confirm
__________________________________________________________

25611 unknown # see above
__________________________________________________________

49804 unknown # see above
__________________________________________________________

47149 unknown # see above
__________________________________________________________

Now look at the events section:
__________________________________________________________

Top 15 Events                                                        Occurrences

MISC UPnP malformed advertisement                                    130208
portscan: Open Port                                                  115145
"WEB-MISC Invalid HTTP Version String"                                46777
"BLEEDING-EDGE POLICY Nagios HTTP Monitoring Connection"              43469
POLICY VNC server response                                            32335
"COMMUNITY WEB-MISC mod_jrun overflow attempt"                        26873
ossec: Login session closed.                                          24631
ossec: Login session opened.                                          24382
DNS SPOOF query response with ttl: 1 min. and no authority            16132
portscan: TCP Portsweep                                               10667
p0f: OS Change                                                         9101
directive_event: An important host (SRC_IP) has changed its OS         8933
portscan: TCP Portscan                                                 8529
directive_event: TCP Portscan against DST_IP                           7047
Spade: Closed dest port used                                           6047

Note: some of these values are skewed since I have deleted some events and put policies not to store others.

__________________________________________________________

Top 15 Events by risk

directive_event: TCP Portscan against DST_IP                           3
directive_event: Recurrent Snort event                                 2
directive_event: NMAP portscan against DST_IP                          2
directive_event: Possible DST_PORT intrusion against DST_IP            2
directive_event: Possible portscan against DST_IP                      1
directive_event: Possible Worm port 80. Origin: SRC_IP                 1
directive_event: Possible Worm port DST_PORT/PROTOCOL                  1
EXPLOIT ntpdx overflow attempt                                         1
FTP command overflow attempt                                           1
SNMP AgentX/tcp request                                                1
directive_event: HTTP Tunnel through web proxy                         1
WEB-CGI cgiforum.pl access                                             0
WEB-MISC changepw.exe access                                           0
"BLEEDING-EDGE POLICY Yahoo Chat Activity Inside Webmail"              0
WEB-CGI ezadmin.cgi access                                             0
__________________________________________________________

Now that I have a "baseline" or an idea of "normal" traffic on my network I can consider how to tune OSSIM.

The incident report also gives me a list of Vulnerabilities to work on.

__________________________________________________________


Now what do I do?

DK mentions:

"There are at least three ways of doing this:
a. Filtering at origin (disabling a snort rule, setting a tcpdump-style filter at p0f, etc...)
b. Policy
c. Agent Consolidation (undocumented)"
Ref: Re: Hyperthreading [message #1913 is a reply to message #1912]

I believe "directives" may be another approach to this.

I think that might be a good place to stop for now.

As always any comments, suggestions or ideas are appreciated.

P.S. I just noticed the team has added an installation guide for "rolling your own" on lenny debian to the DOCs section. Cool! Plus I was reminded what a great tool the "architecture diagrams" are towards understanding the logic behind OSSIM (same page under Misc).

https://www.ossim.net/docs.php

GP

Special use IP ranges (in case you are running routers, VOIP etc)
_________________________________________________________

Multicast IP Addresses
There are a number of addresses that are set aside for special purposes, such as the IPs used in OSPF, Multicast, and experimental purposes that cannot be used on the Internet.
Class D: Start 224.0.0.0, End 239.255.255.255

Special Use Addresses - Table from RFC 3330
Address Block   CIDR Mask   Used for                                                   Reference
0.0.0.0         /8          Used to communicate with "This" network                    RFC1700, p. 4
10.0.0.0        /8          Private-Use Networks                                       RFC 1918
14.0.0.0        /8          Public-Data Network                                        RFC1700, p. 181
24.0.0.0        /8          Cable TV Networks                                          --
39.0.0.0        /8          Previously Reserved; Available for Regional Allocation     RFC1797
127.0.0.0       /8          Loopback address                                           RFC1700, p. 5
128.0.0.0       /16         Previously Reserved; Available for Regional Allocation     --
169.254.0.0     /16         Link Local (eg. Microsoft XP systems use Automatic Private IP Addressing (APIPA) which selects addresses in this range.)
172.16.0.0      /12
191.255.0.0     /16
192.0.0.0       /16
192.88.99.0     /16
192.168.0.0     /16
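An added worked example for the "identify IP addresses you do not recognize" step above (example code written for this page, not from the post or from OSSIM): it takes a count-per-address list like the one in the post, checks each address against the RFC 3330 special-use blocks (at the prefix lengths the RFC gives them) and against an allowlist of already-identified hosts, and sorts the still-unknown public addresses to the top. The allowlist labels are the poster's; the counts for addresses the post gives no count for are constructed. Note that the example classifies 192.0.2.42 as TEST-NET and 239.255.255.250 as multicast, which the post's list does not show.

```python
import ipaddress

# Special-use IPv4 blocks as listed in RFC 3330 (prefix lengths as the RFC gives them).
_SPECIAL_NETS = [(ipaddress.ip_network(n), label) for n, label in [
    ("0.0.0.0/8",      '"This" network (RFC 3330)'),
    ("10.0.0.0/8",     "Private-Use (RFC 1918)"),
    ("127.0.0.0/8",    "Loopback (RFC 3330)"),
    ("169.254.0.0/16", "Link Local / APIPA (RFC 3330)"),
    ("172.16.0.0/12",  "Private-Use (RFC 1918)"),
    ("192.0.2.0/24",   "TEST-NET (RFC 3330)"),
    ("192.88.99.0/24", "6to4 Relay Anycast (RFC 3068)"),
    ("192.168.0.0/16", "Private-Use (RFC 1918)"),
    ("198.18.0.0/15",  "Benchmark testing (RFC 2544)"),
    ("224.0.0.0/4",    "Multicast (RFC 3171)"),
    ("240.0.0.0/4",    "Reserved for future use (RFC 1700)"),
]]

# Addresses already identified as expected traffic (labels taken from the post).
ALLOWLIST = {
    "68.1.17.1": "my ISP",
    "208.67.222.222": "OpenDNS server",
    "208.67.220.220": "OpenDNS server",
    "212.211.132.32": "villa.debian.org",
    "35.9.37.225": "ike.egr.msu.edu debian repository",
    "195.20.242.89": "wieck.debian.org debian repository",
    "64.50.238.52": "ftp-atl.osuosl.org debian repository",
    "213.30.161.23": "mondo.hpintelco.net mondo project",
}

# Constructed event counts per address; the post's numbers are kept where it
# gives them, the others (and the junk entry) are made up for the example.
SAMPLE_COUNTS = {
    "192.0.2.42": 673,
    "207.46.197.32": 633,
    "64.50.238.52": 534,
    "213.30.161.23": 241,
    "239.255.255.250": 120,
    "202.47.28.150": 17,
    "208.67.222.222": 9,
    "not-an-ip": 1,
}


def classify(ip, allowlist):
    """Return (category, label); category is one of
    'allowlisted', 'special-use', 'public', 'invalid'."""
    if ip in allowlist:
        return "allowlisted", allowlist[ip]
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid", "not an IP address"
    for net, label in _SPECIAL_NETS:
        if addr in net:  # False when address and network versions differ
            return "special-use", label
    return "public", "unknown"


def triage(counts, allowlist):
    """Rows (ip, count, category, label): unknown public addresses first,
    then by volume, so the ones still needing whois/nslookup come out on top."""
    order = {"public": 0, "invalid": 1, "special-use": 2, "allowlisted": 3}
    rows = [(ip, n) + classify(ip, allowlist) for ip, n in counts.items()]
    rows.sort(key=lambda r: (order[r[2]], -r[1], r[0]))
    return rows


if __name__ == "__main__":
    for ip, n, cat, label in triage(SAMPLE_COUNTS, ALLOWLIST):
        print(f"{ip:<18}{n:>7}  {cat:<12} {label}")
```

Addresses that land in a special-use block with a high count are usually a misconfigured host or sensor rather than an external attacker, so they belong in the policy/filter step rather than the whois step.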

Subject: Setting Up Logcheck on OSSIM
Posted by gsporter on Sun, 29 Mar 2009 18:12:01 GMT

I have been trying to keep up with the new 1.2 betas. If you have not tried them I really suggest you install beta4, even if it is in a vm. It has a lot of great new features and if it is any indication OSSIM is moving to a whole new level.

Any time I install a beta or new program I am VERY interested in what is going on in the background. Traditionally sys admins have used log files for this purpose. They allow you to locate bugs, errors, bottlenecks and even sometimes rogue processes or programs you do not want running. I have always hated having to wade through log files from the command line. So I chose to install logcheck to email my OSSIM log files to me. That way I can go thru them on a workstation with a gui at my leisure.

"What is Logcheck?

Logcheck parses system logs and generates email reports based on anomalies. Anomalies can be defined by users with 'violations' files. It differentiates between 'Active System Attacks', 'Security Violations', and 'Unusual Activity', and is smart enough to remember where in the log it stopped processing to improve efficiency. It can also warn when log files shrink, and does not report errors when they are rotated." (1)

Since OSSIM is going to be our "Central Security Repository" it is important that we stay on top of potential problems and intrusions. Therefore it is a good idea to install both a HIDS (ossec) and move copies of the log files to another, hopefully secure, location. One of the first steps any intruder is going to take is to hide their tracks, and one of the ways to do this is to alter or delete log files.


#apt-get install logcheck

The main configuration file for logcheck is located at /etc/logcheck/logcheck.conf

nano /etc/logcheck/logcheck.conf

First thing to change:

REPORTLEVEL="server" # if you set paranoid you will be buried!

# Should be set to an offsite "[email protected]"

SENDMAILTO="root"

I create an offsite email account similar to [email protected]

Then I create the following filters/directories on the account

logcheck, optional - firewall, OSSIM (for my OSSIM notification)

Logcheck If From contains 'logcheck' move to logcheck;

firewall If From contains 'firewall' move to firewall;

I prefer my logs to be sent as an attachment. To do this you need to install nail:

apt-get install nail

Then change this in the logcheck.conf

# Send the results as attachment or not.
# 0=not as attachment; 1=as attachment
# Default is 0

MAILASATTACH=1

There is a lot more that can be done, such as installing logtail, which, when added, allows any number of log files on one or more machines on a network to be transferred. Logtail - Logs which transfer to new files are automatically followed, and an option allows translation of numeric Internet addresses into the corresponding hostnames where possible. Log items can be relayed to one or more other hosts on the network, permitting a machine's local log files to be monitored there. (2)

References:

(1) http://www.debianhelp.co.uk/logcheck.htm

(2) http://www.fourmilab.ch/webtools/logtail/

GP

The future is here. It's just not widely distributed yet. - William Gibson

Subject: Re: OSSIM Password listing
Posted by dantasrotole on Fri, 03 Apr 2009 18:23:20 GMT

Dear DK,
What did you mean? nessus (for the user ossim (insert File Location)?

Insert which file and where?

Thanks!

Subject: Re: OSSIM Password listing
Posted by DK on Fri, 03 Apr 2009 18:28:11 GMT

Sorry, expected to fill that in as soon as I got access to an installed ossim :)

Just updated a couple of missing lines, still have to find the admin/admin password for tomcat.

Subject: Use DVD Backup >Full Restore OSSIM 1.2
Posted by gsporter on Sun, 12 Apr 2009 02:25:07 GMT

I have wanted a full, hopefully bare metal, backup/restore for OSSIM and had trouble installing mondo on OSSIM on lenny. Found the correct deb files and here is the down and dirty install process. Hope it is helpful to some of you:

DISCLAIMER: I ran this on a system set up using the OSSIM 1.2beta5 installer. If you are using any other distro or installer you may have issues.

Add mondo repositories to /etc/apt/sources.list

deb ftp://ftp.mondorescue.org/debian 5.0 contrib
deb-src ftp://ftp.mondorescue.org/debian 5.0 contrib

Download busybox and mindi

ftp://ftp.mondorescue.org/debian/5.0/mindi-busybox_1.7.3-1_amd64.deb
ftp://ftp.mondorescue.org/debian/5.0/mindi_2.0.5_amd64.deb

Install dependencies

apt-get install binutils bzip2 dosfstools mkisofs syslinux parted mtools

Install busybox and mindi

dpkg -i mindi-busybox_1.7.3-1_amd64.deb
dpkg -i mindi_2.0.5_amd64.deb

Test mindi

# mindi

Install additional dependencies for mondo

apt-get install afio buffer
dpkg -i mondo_2.2.8_amd64.deb

Install cd/dvd burning tools

apt-get install cdrecord dvd+rw-tools dvdrtools

Run mondo

mondoarchiver

I have not covered every step but there is a lot of mondo documentation out there.


Subject: Re: Use HTTPS instead of HTTP
Posted by idealids on Mon, 13 Apr 2009 18:58:43 GMT

I tried to make ntop work by following the above instructions and as a result, I am now unable to even login to my dashboard. As soon as I login, I get the following errors:

Warning: session_start() [function.session-start]: open(/var/lib/php4/sess_ef715ed3e933e7492b0fbb88c872c13d, O_RDWR) failed: Permission denied (13) in /usr/share/ossim/include/classes/Session.inc on line 13

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /usr/share/ossim/include/classes/Session.inc:13) in /usr/share/ossim/include/classes/Session.inc on line 13

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /usr/share/ossim/include/classes/Session.inc:13) in /usr/share/ossim/include/classes/Session.inc on line 13

Warning: Cannot modify header information - headers already sent by (output started at /usr/share/ossim/include/classes/Session.inc:13) in /usr/share/ossim/www/session/login.php on line 94

Warning: Unknown(): open(/var/lib/php4/sess_ef715ed3e933e7492b0fbb88c872c13d, O_RDWR) failed: Permission denied (13) in Unknown on line 0

Warning: Unknown(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/var/lib/php4) in Unknown on line 0

Can anyone offer some assistance? thx

Subject: Re: Use HTTPS instead of HTTP
Posted by DK on Tue, 14 Apr 2009 07:24:05 GMT

Looks like you somehow got php4 into your running apache. Look at this line:

Warning: Unknown(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/var/lib/php4) in Unknown on line 0


(chown www-data /var/lib/php4 or chmod 1777 /var/lib/php4 should fix that for you)

Subject: Re: Use HTTPS instead of HTTP
Posted by idealids on Wed, 15 Apr 2009 20:21:23 GMT

Thanks DK, that worked!

Subject: Re: Use HTTPS instead of HTTP
Posted by crimondi on Fri, 01 May 2009 17:29:21 GMT

Have you had a chance to reconfigure that php script to update the IPs? I would like to see what you did. Thanks.

Subject: Re: ossim for newbies
Posted by deaqo on Wed, 06 May 2009 15:49:38 GMT

Hi, I'm a newbie and I found out that your documentation is good, but I want to have an example of correlated event interpretation, because in the whole forum I just can't find anything about the correlation event DB or its interpretation, and for me personally I don't understand very well how to work with that. Sorry, but I recently installed this product and I don't know about it.

Thank you!

Subject: Set second OSSIM server as sensor/agent only
Posted by umarzuki on Wed, 27 May 2009 12:51:08 GMT

This how to is on configuring a second ossim server as a sensor (agent only)

console = 192.168.1.10
sensor = 192.168.1.11

1. Install ossim as console (let's set its hostname as console)
2. Install ossim as sensor (same here, hostname = sensor)
3. Check on sensor ossim_setup.conf so it will act as sensor
4. Check sensor's interface(s) in /etc/network/interfaces so its configuration is consistent with /etc/ossim/ossim_setup.conf, one as default, other set in promiscuous mode if it has more than 1 interface
5. Configure snort
   dpkg-reconfigure snort
6. Configure ntop
   dpkg-reconfigure ntop
7. Stop mysql and remove it from starting at boot time
   pgrep mysql | xargs kill -9
   update-rc.d remove mysqld
8. Run ossim-reconfig
   ossim-reconfig

Note: I figured that on 1.0.6, without configuring snort and ntop correctly, ossim-reconfig would fail and the sensor won't be listed on the console's sensor list.

Feel free to comment or add correction.

Subject: OSSIM + XMPP - mini howto
Posted by fyfy on Thu, 11 Jun 2009 04:17:21 GMT

Heya!

I don't know if there's much interest in building XMPP/Jabber stuff on top of OSSIM in order to simplify monitoring processes and facilitate the collaboration between OSSIM node operators. Anyway, if you think it is a fun project to play around with, let me know, I'll post up on writing ossim-xmpp agents and plugins later. This howto hopefully should get you started.

== OSSIM + OpenFire MiniHOWTO ==

By integrating ossim with openfire we get to have a collaboration framework where you could have groups of operators use a Jabber messaging client as the primary means of communication and collaboration. Of course you can do even more than that. XMPP is an extendable protocol. You can build security monitoring services on top of it, so you could use your messaging client (with extensions) as the primary security monitoring interface.

The monitoring part can be easily done with XMPP based agents, which could talk to the OSSIM database or other components directly, and maybe we could talk about it later some time. The cool thing about using agents is that it runs over the standard XMPP protocol, so you could technically even use your gmail.com client, or mobile phone jabber client, to collaborate with your ossim system. However, when you run into a huge number of users, scalability might become an issue...

There's also another really neat way of adding things up by extending the OpenFire server with custom plugins; then you won't really need agents anymore. But you'll need customized Jabber clients. You can read more about this approach here: http://java.sys-con.com/node/232087

Anyway, we'll start with the basics. Right now we simply want OSSIM users to be able to login into our XMPP server using ossim framework authentication credentials.

I used the ossim installer here to install the base system. Once you get that stuff done, you'll need to install Java's JRE on your box.

Ossim installer is based on debian, so you'll have to install sun-java6-jre package on it.

echo "deb http://www.backports.org/debian/ etch-backports main non-free" >> /etc/apt/sources.list
apt-get update
apt-get install sun-java6-jre

If this went smoothly, go to http://www.igniterealtime.org/downloads/index.jsp and download the .deb package. Once you've got it, install it:

dpkg -i openfire_3.6.4_all.deb

You can try to run the openfire server at this point:

/etc/init.d/openfire start

Now you should have openfire running on your box with the admin console on ports 9090 and 9091 (ssl'ed).

One thing you will need to do now is to configure the mysql database for openfire to use.

echo "create database openfire" | mysql -p
cat /usr/share/openfire/resources/database/openfire_mysql.sql | mysql -p openfire

(you'll need to peek at the root password for mysql, which can be found in /etc/ossim/ossim_setup.conf)

Once you're done w/ this stuff, launch your browser to ossim:9090 and complete the setup. Select external database, and choose mysql database for it. Then correct the url for the mysql database thing. You can skip the setup user part at the end.

Once you're done with this stuff, you'll need to save this into a file, i.e. custom.sql, and make some changes. At the very least you'll want to change the connection string and set the user id and password to those you use to connect to your ossim database. You may also want to change admin.authorizedJIDs to list users who would be allowed to login into the openfire admin console:


--/cut here/--

/* make modifications */

update ofProperty set propValue = 'org.jivesoftware.openfire.auth.JDBCAuthProvider' where name = 'provider.auth.className';

update ofProperty set propValue = 'org.jivesoftware.openfire.user.JDBCUserProvider' where name = 'provider.user.className';

/* connection */

insert into ofProperty (name, propValue) values ('jdbcProvider.driver', 'com.mysql.jdbc.Driver');

insert into ofProperty (name, propValue) values ('jdbcProvider.connectionString', 'jdbc:mysql://localhost:3306/ossim?user=root&password=yourpass');

/* authentication */

insert into ofProperty (name, propValue) values ('jdbcAuthProvider.passwordSQL', 'select pass from users where login=?');

insert into ofProperty (name, propValue) values ('jdbcAuthProvider.passwordType', 'md5');

insert into ofProperty (name, propValue) values ('admin.authorizedJIDs', 'yourleetuser, admin');

/* user */

insert into ofProperty (name, propValue) values ('jdbcUserProvider.loadUserSQL', 'select name, email from users where login=?');

insert into ofProperty (name, propValue) values ('jdbcUserProvider.userCountSQL', 'select count(*) from users');

insert into ofProperty (name, propValue) values ('jdbcUserProvider.allUsersSQL', 'select login from users');

insert into ofProperty (name, propValue) values ('jdbcUserProvider.searchSQL', 'select login from users where');


insert into ofProperty (name, propValue) values ('jdbcUserProvider.usernameField', 'login');

insert into ofProperty (name, propValue) values ('jdbcUserProvider.nameField', 'name');

insert into ofProperty (name, propValue) values ('jdbcUserProvider.emailField', 'email');

--/cut here/--

once you're done with this stuff, save it and then do something like:

cat custom.sql | mysql -p openfire

then restart your openfire server and you're done ;)

For the agents and stuff, maybe I'll make another post :)

Sources:
http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/database.html
http://www.igniterealtime.org/community/thread/38646
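An added illustration of what the jdbcAuthProvider/jdbcUserProvider settings above make Openfire do at login time (example code written for this page, not Openfire's or OSSIM's code): the two SQL statements from the post are run with the login bound as a parameter, and with passwordType=md5 the offered password is MD5-hashed and compared to the stored digest. The `users` table here is a constructed sqlite3 stand-in with made-up accounts, so the example runs without MySQL; the column names (login, name, email, pass) are the ones the post's SQL references.

```python
import hashlib
import hmac
import sqlite3

# Constructed stand-in for the OSSIM `users` table the JDBC provider queries.
# Accounts and passwords are made up; the pass column holds unsalted MD5 hex
# digests, which is what passwordType=md5 in the post assumes.
_ROWS = [
    ("admin", "Administrator", "admin@example.invalid", "secret"),
    ("yourleetuser", "Leet User", "leet@example.invalid", "hunter2"),
]

# The statements from the post; '?' is a bound parameter, not string pasting.
PASSWORD_SQL = "select pass from users where login=?"
LOAD_USER_SQL = "select name, email from users where login=?"
USER_COUNT_SQL = "select count(*) from users"


def build_users_db():
    """In-memory users table filled from _ROWS (password stored as md5 hex)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table users (login text primary key, name text, email text, pass text)")
    db.executemany("insert into users values (?, ?, ?, ?)",
                   [(l, n, e, hashlib.md5(p.encode()).hexdigest()) for l, n, e, p in _ROWS])
    db.commit()
    return db


def verify_login(db, login, password):
    """JDBCAuthProvider with passwordType=md5: hash the offered password and
    compare it to the digest returned by passwordSQL. Unknown login -> False."""
    row = db.execute(PASSWORD_SQL, (login,)).fetchone()
    if row is None:
        return False
    offered = hashlib.md5(password.encode()).hexdigest()
    # constant-time compare; digests are compared case-insensitively like Openfire does
    return hmac.compare_digest(offered.lower(), row[0].lower())


def load_user(db, login):
    """JDBCUserProvider.loadUserSQL mapped onto the nameField/emailField settings."""
    row = db.execute(LOAD_USER_SQL, (login,)).fetchone()
    return None if row is None else {"login": login, "name": row[0], "email": row[1]}


def user_count(db):
    return db.execute(USER_COUNT_SQL).fetchone()[0]


if __name__ == "__main__":
    db = build_users_db()
    print(user_count(db), "users")
    print("admin/secret ->", verify_login(db, "admin", "secret"))
    print("admin/wrong  ->", verify_login(db, "admin", "wrong"))
    print(load_user(db, "yourleetuser"))
```

Two things the example makes visible that the SQL alone does not: because the login is a bound parameter, a value such as `admin' or '1'='1` is looked up literally and fails; and because the stored value is a plain MD5 of the password, anyone who can read the ossim `users` table can attack every password offline, so the connection string (which the post stores in ofProperty with the MySQL root password) should use a dedicated read-only account rather than root.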

Subject: Re: NagiosQL Walktrough
Posted by hayfa on Mon, 15 Jun 2009 09:03:52 GMT

hello can't find /etc/nagios2

Subject: Re: NagiosQL Walktrough
Posted by umarzuki on Mon, 15 Jun 2009 14:19:23 GMT

I'm sorry for your loss, but it is not possible, since I can find /etc/nagios2 in my ossim server.

Did you accidentally remove it?

You can view past commands with history:

history

You can also try to locate the nagios2 folder (though I doubt it'll be anywhere else):

updatedb
locate nagios2

best of luck. If all fails, reinstallation isn't that hard.


Subject: Re: Use HTTPS instead of HTTP
Posted by rul3z on Tue, 16 Jun 2009 07:51:17 GMT

Hello guys,

I did all the stuff here, but now the big problem is that Nagios and others are not seen through the ossim. I couldn't manage to do /home/ossim/dist/reconfig.pl

The perl script is not found on my system.

I have no report server now !!!

Any help shall be appreciated.

Subject: Re: OSSEC Quick Start Guide
Posted by hayfa on Wed, 17 Jun 2009 15:21:15 GMT

Hello, I have a small problem. I configured a linux host like this tuto but in the server it's shown never connected !!!!!!!!!!!!!!!!!!!

Subject: Re: Install Oinkmaster and update snort rules
Posted by gsporter on Wed, 08 Jul 2009 03:34:58 GMT

Modification to allow for the upgrade of Snort to 2.8

Line 4

http://www.snort.org/pub-bin/oinkmaster.cgi/<your oink code here>/snortrules-snapshot-2.8.tar.gz

Line 5

Change

/usr/share/oinkmaster/makesidex.pl /etc/snort/rules/ >autodisable.conf

to


/usr/share/oinkmaster/makesidex.pl /etc/snort/rules/ >/etc/autodisable.conf

GP

Subject: Re: OSSIM Password listing
Posted by catchacold on Fri, 10 Jul 2009 11:59:01 GMT

Nevermind

Subject: Method to check and see what OSSEC is logging (without the web gui)
Posted by gsporter on Wed, 22 Jul 2009 23:47:41 GMT

In case you have not had a chance to check it out, OSSEC v2.0 added a command-line "reporting" tool. It is great for checking to see if agents, syslog etc are actually making it into OSSEC|OSSIM without having to install the web gui on OSSIM.

Note: These commands are from the OSSEC tutorial but I have made a change in the path to the ossec-reportd binary:

_________________________________________________________

Show all IP addresses/users that logged in during the day

cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -n "Logins summary" -f group authentication_success

_________________________________________________________

Show all IP addresses/users that logged in during the day and the related srcips/locations for each user

cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -n "Logins summary" -f group authentication_success -r user srcip -r user location

_________________________________________________________

Show all multiple authentication failures (brute force attacks)

cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -n "Failures summary" -f group authentication_failures


_________________________________________________________

Show a summary for the month (or day) <July 2009>

zcat /var/ossec/logs/alerts/2009/Jul/*.gz | /var/ossec/bin/ossec-reportd -n "Month Summary"

Reference: http://www.ossec.net/dcid/?p=153

GP
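An added example that does, offline, what the `-f group` and `-r user srcip` options of ossec-reportd do in the commands above (example code written for this page, not OSSEC's own code): it parses an alerts.log stream into records and builds the "logins summary" and "failures summary" from them. The alerts.log excerpt embedded below is constructed in OSSEC's alert format (hosts, users, addresses and timestamps are made up); the `authentication_success` / `authentication_failures` group names are the ones the commands above filter on.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed alerts.log excerpt in OSSEC's alert format; hosts, users,
# addresses and timestamps are made up for the example.
SAMPLE_ALERTS = """\
** Alert 1248300000.1000: - syslog,sshd,authentication_success,
2009 Jul 22 20:00:00 ossim->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 192.168.1.50
User: alice
Jul 22 20:00:00 ossim sshd[4321]: Accepted password for alice from 192.168.1.50 port 51234 ssh2

** Alert 1248300060.1001: - syslog,sshd,authentication_success,
2009 Jul 22 20:01:00 ossim->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 192.168.1.50
User: alice
Jul 22 20:01:00 ossim sshd[4330]: Accepted password for alice from 192.168.1.50 port 51240 ssh2

** Alert 1248300120.1002: - syslog,sshd,authentication_success,
2009 Jul 22 20:02:00 (sensor) 192.168.1.11->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 192.168.1.77
User: bob
Jul 22 20:02:00 sensor sshd[2210]: Accepted publickey for bob from 192.168.1.77 port 40100 ssh2

** Alert 1248300180.1003: - syslog,sshd,authentication_failed,
2009 Jul 22 20:03:00 ossim->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.9
User: root
Jul 22 20:03:00 ossim sshd[4400]: Failed password for root from 10.0.0.9 port 38000 ssh2

** Alert 1248300240.1004: mail  - syslog,sshd,authentication_failures,
2009 Jul 22 20:04:00 ossim->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 10.0.0.9
User: root
Jul 22 20:04:00 ossim sshd[4401]: Failed password for root from 10.0.0.9 port 38001 ssh2
Jul 22 20:03:50 ossim sshd[4400]: Failed password for root from 10.0.0.9 port 38000 ssh2
"""

# "** Alert <epoch.id>: [mail] - group,group,..."   (the groups are what -f group matches)
_HEAD = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+):(?:\s+mail)?\s+-\s+(?P<groups>.*)$")
_RULE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
_LOC = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} (?P<loc>.*)$")


@dataclass
class Alert:
    ts: float
    groups: set
    rule: int = 0
    level: int = 0
    desc: str = ""
    location: str = ""
    srcip: str = ""
    user: str = ""
    log: list = field(default_factory=list)   # the raw log line(s) that fired the rule


def parse_alerts(text):
    """Split an alerts.log stream into Alert records, one per '** Alert' block."""
    alerts, cur = [], None
    for line in text.splitlines():
        m = _HEAD.match(line)
        if m:
            cur = Alert(float(m["ts"]), {g for g in m["groups"].split(",") if g})
            alerts.append(cur)
            continue
        if cur is None or not line.strip():
            continue
        if (m := _RULE.match(line)):
            cur.rule, cur.level, cur.desc = int(m["id"]), int(m["level"]), m["desc"]
        elif not cur.location and (m := _LOC.match(line)):
            cur.location = m["loc"]
        elif line.startswith("Src IP: "):
            cur.srcip = line[8:].strip()
        elif line.startswith("User: "):
            cur.user = line[6:].strip()
        else:
            cur.log.append(line)
    return alerts


def select(alerts, group=None, min_level=0):
    """The -f group filter (plus a minimum level) of ossec-reportd."""
    return [a for a in alerts if a.level >= min_level and (group is None or group in a.groups)]


def related(alerts, by, with_):
    """Like `-r by with_`: for each value of field `by`, count the values of field `with_`."""
    out = defaultdict(Counter)
    for a in alerts:
        k, v = getattr(a, by), getattr(a, with_)
        if k and v:
            out[k][v] += 1
    return {k: dict(c) for k, c in out.items()}


def report(alerts, title, group, by="user", with_="srcip"):
    hits = select(alerts, group)
    lines = [f"== {title} ==", f"alerts in group '{group}': {len(hits)}"]
    for k, counts in sorted(related(hits, by, with_).items()):
        lines.append(f"  {by}={k}: " + ", ".join(f"{v} ({n})" for v, n in sorted(counts.items())))
    return "\n".join(lines)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print(report(alerts, "Logins summary", "authentication_success"))
    print(report(alerts, "Failures summary", "authentication_failures", by="srcip", with_="user"))
```

Feed it `/var/ossec/logs/alerts/alerts.log` (or the gunzipped monthly archives) instead of the sample and the per-user source-IP table is the same one `-r user srcip` prints; a user whose logins come from an address you do not expect is the row to chase.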

Subject: OSSIM 1.1 - Configuration after Installation (original title: "OSSIM 1.1 - Configuracion después de la Instalacion")
Posted by willians on Tue, 11 Aug 2009 15:02:41 GMT

This is a small contribution.

It is a manual. I have installed ossim many times and finally decided to write this small manual, which I share with you.

Willians Herrera.

File Attachments
1) OSSIM 1.1 - Configuracion después de la Instalacionx.pdf, downloaded 718 times

Subject: HOWTO: Get Snort 2.8.X on Ubuntu feeding to OSSIM
Posted by cringe on Wed, 30 Sep 2009 20:26:32 GMT

So you have a stand-alone snort box that you want to start sending data to your OSSIM server. You may be in luck. The instructions below are for snort on Ubuntu.

ON SNORT SERVER

1. Install ossim-agent (apt-get install ossim-agent) - You may have to add the repositories. You can find these on your OSSIM server in /etc/apt/sources.list

2. Download the legacy snort.cfg plugin at http://os-sim.cvs.sourceforge.net/viewvc/*checkout*/os-sim/agent/etc/agent/plugins/snort.cfg?revision=1.7

3. Copy the plugin to your /etc/ossim/agent/plugins folder as snort.cfg

4. Edit your /etc/ossim/agent/config.cfg and

4a. Add this line under [plugins]:
    snort=/etc/ossim/agent/plugins/snort.cfg

4b. Point the agent to your ossim server under [output-server]:
    ip=<OSSIM SERVER>

5. Edit your /etc/snort/snort.debian.conf

5a. Add the snort option to log to the alert file:
    DEBIAN_SNORT_OPTIONS="-A full"

6. Restart snort and ossim-agent services

OSSIM Server

1. In the Web Interface - Go to Policy > Sensors
2. Add the stand-alone snort box as a sensor (hostname/IP)
3. Reload sensors

You should be receiving alerts under the SIM Events page now. On the OSSIM server, you may have to restart ossim-server and/or the ossim-agent. I don't remember if it was necessary or not. Good Luck!

Subject: Re: Set second OSSIM server as sensor/agent only
Posted by kevint on Mon, 19 Oct 2009 13:42:29 GMT

Thanks for the tutorial here. I'd like to add that in step 7, to remove mysqld from starting at boot time, the command to remove it is close, but not exactly correct. It should read as:

pgrep mysql | xargs kill -9
update-rc.d mysqld remove -f


Subject: Re: HOWTO: Get Snort 2.8.X on Ubuntu feeding to OSSIM
Posted by last1ghost on Wed, 04 Nov 2009 17:01:45 GMT

Hi Sir,

I do exactly as you said but i got the below error when i start ossim-agent2009-11-04 19:09:30,129 Conn [ERROR]: (32, 'Broken pipe')2009-11-04 19:09:31,135 Conn [ERROR]: (104, 'Connection reset by peer')2009-11-04 19:09:32,137 Conn [ERROR]: (104, 'Connection reset by peer')2009-11-04 19:09:33,144 Conn [ERROR]: (104, 'Connection reset by peer')2009-11-04 19:09:34,149 Conn [ERROR]: (104, 'Connection reset by peer')2009-11-04 19:09:35,155 Conn [ERROR]: (104, 'Connection reset by peer')2009-11-04 19:09:36,161 Conn [ERROR]: (104, 'Connection reset by peer')2009-11-04 19:09:37,166 Conn [ERROR]: (104, 'Connection reset by peer')2009-11-04 19:09:38,172 Conn [ERROR]: (104, 'Connection reset by peer')2009-11-04 19:09:39,177 Conn [ERROR]: (104, 'Connection reset by peer')2009-11-04 19:09:40,178 Conn [ERROR]: Error receiving data from server: (104, 'Connectionreset by peer')

and the ossim-server sensor give me X on my sensor when i remove snort from agent plugin itworks again but of course i still need snort alerts, any recommendation

Subject: Re: OSSEC Quick Start Guide
Posted by jplee3 on Wed, 04 Nov 2009 19:18:48 GMT

Hey guys, will this still work with the latest versions of OSSEC and OSSIM? I was trying to tie the two together but could not figure it out. I'll have to play around with it more when I have the time.

Subject: Re: Set second OSSIM server as sensor/agent only
Posted by dropadrop on Tue, 10 Nov 2009 20:59:02 GMT

Doesn't monit include mysql as one of the monitored applications? If yes, it should probably be removed from there too.

Also what about the ossim-server / ossim-framework services, are they needed in such a setup?

Subject: Re: Install Oinkmaster and update snort rules
Posted by dropadrop on Tue, 10 Nov 2009 21:01:33 GMT

I was playing around with oinkmaster today, and it seemed very nice. The big question for me was that it refused to modify / disable all the sids I wanted it to.

Are part of the rule sets included with ossim such that oinkmaster won't touch them (community / emerging threats)?

Subject: OSSIM Installation Guide
Posted by juanma on Fri, 27 Nov 2009 16:38:48 GMT

English:

http://ossim.net/dokuwiki/doku.php?id=installation

Spanish:

http://ossim.net/dokuwiki/doku.php?id=installationES

If you want to help translating it to your own language please send an email to jmlorenzo at alienvault.com.

Juanma

Subject: Ossim installation in Portuguese (Brazilian) - Part I
Posted by jailsonjan on Tue, 15 Dec 2009 14:10:55 GMT

OSSIM Installation Guide (AlienVault Open Source SIM) – Part I

Link to JailsonJan's blog: http://www.previsioni.com.br/jailsonjan/?p=147

Introduction

Ossim (Open Source AlienVault) is a detailed security system that covers everything from the detection level up to an executive level, generating metrics and reports. OSSIM is offered as a security product that lets you integrate into a single console all the security devices and tools available on your network, as well as the installation of renowned open source security tools such as Snort, OpenVas, Ntop and OSSEC.

Once the events generated by different tools and devices have been collected by OSSIM, the system performs a risk assessment for each event and correlates them. During the correlation process, based on a series of standard tests, OSSIM generates new events to detect attacks or problems on your network.

To access all the information collected and generated by the system, OSSIM includes a Web interface that lets us configure the whole system and see the overall state of the network in real time.

Before you begin

OSSIM is a product in constant development. For this reason we will use the most stable version of the OSSIM installer in this installation guide. The newest versions are always available on the Web at the OSSIM project site – http://www.AlienVault.com

Purpose of this document

The purpose of this document is to provide a step-by-step guide on how to install OSSIM, covering basic concepts and a brief explanation of the role of each profile an OSSIM installation can adopt.

Why an installer?

OSSIM is a product that integrates more than 30 Open Source tools. The operating system (Linux – Debian) and many internal tools have been modified to improve how they work within the system. This is because installing OSSIM from source code requires somewhat more knowledge and a lot of time to compile more than 40 different tools.

To simplify the complex process of compiling, installing and configuring all these tools, the development team distributes the OSSIM installer, which includes the operating system, all the components and a powerful configuration and update system. The OSSIM installer is based on the Debian GNU/Linux operating system and is available in 32-bit and 64-bit editions.

32-bit vs 64-bit editions

If your processor is 64-bit then you can take advantage of the full performance of this architecture.

In certain structures ("backbones"), depending on throughput and the number of events, you may need "hardware" capable of handling large volumes of data. The 64-bit architecture also allows the use of a larger amount of physical memory.

OSSIM Basic Operations

The following processes take place inside OSSIM:

1. Applications generate security events
2. Events are collected and normalized
3. Events are sent to a central server
4. Risk assessment
5. Event correlation
6. Event storage
7. Access to stored events
8. Access to configuration
9. Access to metrics (gauges) and reports
10. Real-time information on the status of your network

Applications and network devices generate security events. These events are collected and normalized by the OSSIM agent, which is responsible for sending them to the OSSIM server.

An OSSIM installation can have as many agents as needed. In some cases there is one agent at each location of the company network, or an agent inside the DMZ, or another agent dedicated to collecting all the "firewall" logs.

The OSSIM agent includes a set of tools (Snort, Ntop, Tcptrack, Arpwatch) to analyze network traffic looking for security problems and anomalies. To take advantage of this OSSIM functionality, the OSSIM agent must receive all the traffic on the network, using a network tap, configuring a mirror port or using a span port on the network devices.

All OSSIM agents send their events to a single OSSIM server. This server carries out the risk assessment and correlation. Once these processes have taken place, the events are stored in the OSSIM database.

To access this information, OSSIM includes a graphical (web) interface, which can be used to modify configuration parameters and to generate metrics and reports. The graphical (web) interface will also provide access to real-time information from a large number of applications that analyze the overall status of our network (Ntop, Nagios, etc).

Profiles

Once the installation has finished, OSSIM lets you change the installation profile. By default the complete profile will be installed automatically.

Complete Profile

The complete profile is a combination of all the profiles on a single machine. It includes the sensor interface, a server, a database and a graphical (web) interface.

The sensor in the complete profile will enable Snort, OpenVas, Ntop, Arpwatch, P0f and Pads.

The complete profile is the default of the Ossim installation.

Sensor

The Sensor is responsible for capturing and normalizing events. To allow the Sensor to capture and collect all the logs, we will have to send all events to the Sensor using Syslog, ftp, samba, Snare, etc.

Each of these tools is associated with a "plugin" in OSSIM, which defines how to collect the events from the log records. The normalized events are sent to the server.

Snort, Ntop, Arpwatch, P0f and Pads are also enabled in the Sensor-only profile. To make these tools useful, we must use a network tap, configure a mirror port or use a span port on the network devices (usually on the Switch).

Server

The Server profile prepares the OSSIM box to collect the logs from all the OSSIM Sensors.

Once the events have been processed, all the information is stored in the database. The Server will include an OSSIM agent to monitor the security of the system (Pam Unix, SSH)

Database

The "Database Server" has a MySQL database to store events, configuration and inventory information.

Requirements

Hardware Requirements

OSSIM's hardware requirements will basically depend on the number of events per second and the throughput of the network we want to protect.

The minimum advised requirement is to have at least 2GB of RAM. It is possible that the available RAM will have to be increased, depending on the network throughput, the number of events the OSSIM Server is processing and the amount of data that needs to be stored in the database. For better performance it is essential to use only the applications and components that will be useful in each case or on your network.

In terms of performance, there is a huge difference between 32-bit and 64-bit processors; if you are buying new hardware, choose 64-bit. Most OSSIM components support "multithreading", so servers using 64-bit processors get a large performance improvement.

When it comes to network cards, you should try to choose those supported by the e1000 "driver". The Open Source development model of this "driver" ensures good compatibility of these cards with Debian GNU/Linux.

Lower-performance network cards can be used in OSSIM boxes to collect events from other devices or as management interfaces.

Network Requirements

In order to deploy OSSIM correctly, you should have a good knowledge of your network devices. You will have to configure a mirror port on those network devices that support this feature. To configure a mirror port correctly, you will have to keep in mind that you must avoid these two situations:

* Duplicated network traffic: This happens when we are sending the same network traffic more than once from different network devices.

* Encrypted network traffic: In some cases it makes no sense to configure a mirror port on those devices that only show encrypted traffic (VPN, SSH), because this traffic cannot easily be analyzed by some applications.

Still on mirror ports, we need to have IP addresses ready for all the OSSIM boxes. Some OSSIM boxes that work as Sensors may require more than one network card, because the Sensor may need access to different networks (Nessus, Nagios, Nmap)

As an example, OpenVas (vulnerability scanning) will have to have access to reach the "target networks" when the scan takes place. When using OpenVas, Nagios or Nmap we also have to make sure that our "firewalls" are correctly configured, allowing our sensors access to the networks or servers of the "target networks".

Events have to be normalized before being processed by the OSSIM Server; the OSSIM sensor will require access to the local network's DNS server.

Original source: http://ossim.net/dokuwiki/doku.php?id=installation
Original article: Juan Manuel Lorenzo (jmlorenzo at AlienVault dot com)
Translation and additions: Jailson Jan (jailsonjan at yahoo dot com dot br / jailsonjan at previsioni dot com dot br)

Jailson Jan is the translator of Ossim into Brazilian Portuguese (pt_BR)

Subject: Ossim installation in Portuguese (Brazilian) - Part II
Posted by jailsonjan on Tue, 15 Dec 2009 14:17:12 GMT

OSSIM Installation Guide (AlienVault Open Source SIM) – Part II

Source: Jailson Jan Blog (http://www.previsioni.com.br/jailsonjan/?p=153)

Installation overview

1. You will have to make sure your computer can be booted from CDROM/DVD. Look in your system documentation for more information. This may require changing BIOS settings. To start the installation program, boot the computer and wait for it to boot from the CDROM.
Warning: The installer WILL ERASE all the data stored on your hard disk.

2. Choose the language used for the installation process. The chosen language will also be used for the installed system.

3. Choose your location

4. Choose the keyboard layout

5. At this point you will have to configure the network card. If you have more than one network card, you will have to choose which one will be used as the management interface. If there are multiple network cards, the installer will ask which network card should be used as the management interface. This interface must have Internet access during the installation process.

Enter the IP address to continue

6. Enter the netmask

7. Enter the gateway IP address. All traffic going outside your LAN will be sent through this route.

8. Enter the IP addresses of the name servers (DNS), separated by spaces. If you have a local name server (DNS) on your network it should be the first in this configuration. You can enter as many name servers (DNS) as you want.

9. Enter a name for the OSSIM server (hostname)

10. If you are using a domain name in the computers of your network, enter the domain name

10. If you are using name servers (DNS) on the computers of your network, enter the name server (DNS) information

11. Select the time zone (timezone)

12. Disk partitioning happens at this point. Select the first option: Use the entire disk.

13. Select "Guided: Use the entire disk partition", this will erase all the data stored on your hard disk.

14. At this point you choose whether you want to store all the installation files on a single partition or on separate partitions. Select all files on one partition.

15. Now the installer will show the suggested partitioning. Apply the changes and continue.

16. All the software packages will be configured now. Postfix (mail software) will ask about the mail server configuration; configure it according to your needs.

If you do not have a mail server on your network, or if you want to have one on the OSSIM Box itself, we select "Internet Site". If you already have a mail server on your network, you can select "Satellite System".

17. Accept the Java license agreement.

18. Once all the software is installed and configured (this may take a few minutes), the system will ask for the root password. You will have to type the root password twice.

19. Before finishing the installation process, the Ossim system will check whether new software versions or new fixes are available. It is very important that you have an Internet connection during the installation process so that your system can be updated.

The machine will be rebooted automatically. Once started, the system will load all the applications, which will be configured according to the default settings.

To finish the installation process, wait for Ossim to load automatically. Once the loading process has finished, you can proceed to configure all the applications according to the settings your network needs and as you wish.

Original source: http://ossim.net/dokuwiki/doku.php?id=installation
Original article: Juan Manuel Lorenzo (jmlorenzo at AlienVault dot com)
Translation and additions: Jailson Jan (jailsonjan at yahoo dot com dot br / jailsonjan at previsioni dot com dot br)

Jailson Jan is the translator of Ossim into Brazilian Portuguese (pt_BR)

Subject: OSSIM Installation Guide – Part III (Brazilian)
Posted by jailsonjan on Mon, 21 Dec 2009 15:22:21 GMT

OSSIM Installation Guide (AlienVault Open Source SIM) – Part III

System Configuration

To simplify the configuration of the large number of tools included in OSSIM, the configuration is centralized in a single file. Each time you modify this configuration, you must run a command to update it, thereby updating the configuration of each application based on the centralized (main) configuration.

The centralized configuration is stored in the following file:

/etc/ossim/ossim_setup.conf

We can edit this file using a text editor (vim, nano, pico, kate). Inexperienced users should use the following command to edit this file:

ossim-setup

To apply the centralized configuration to each configuration file you will have to run the following command:

ossim-reconfig

Changing the profile

All profiles are enabled by default after running the installer. You can change the profile using "ossim-setup" (the Ossim installation configuration script), selecting the second option ("Change Profile Settings")

Depending on the chosen profile you will have to set different configuration parameters:

Complete

* Choose interfaces: Enter all the interfaces (comma separated) that are receiving all of your network traffic.

* Network profile: Enter the networks (local networks) in CIDR format, comma separated; these networks are the ones the Sensor will be able to see (reach) on its listening interface (for example: 192.168.0.0/24, 10.0.0.0/8)

* OSSIM Sensor name: Give a name to the Sensor installed on the machine.

* Choose plugins: Select the plugins that should be enabled on this Sensor. Monitor plugins will only be enabled on request from the OSSIM Server during correlation. Detector plugins will be collecting events in real time from files, databases and sockets.

Sensors

* OSSIM Sensor name: Give a name to the Sensor installed on the machine.

* Choose interfaces: Enter all the interfaces (comma separated) that are receiving all of your network traffic.

* Network profile: Enter the networks (local networks) in CIDR format, comma separated; these networks are the ones the Sensor will be able to see (reach) on its listening interface (for example: 192.168.0.0/24, 10.0.0.0/8)

* OSSIM Server IP address: Enter the IP address the OSSIM Server is listening on.

* Choose plugins: Select the plugins that should be enabled on this Sensor. Monitor plugins will only be enabled on request from the OSSIM Server during correlation. Detector plugins will be collecting events in real time from files, databases and sockets.

Server

* OSSIM database server (Mysql) IP address: Enter the IP address of the OSSIM Server that is running the database (MySql server). Make sure you have the correct permissions to access the database server and that you can connect from a remote machine.

* MySql database server port: Listening port for MySql. (The default port is 3306)

* MySql database server user: The default in Ossim is "root" (main user)

* MySql database server password: Password for "root" (main user) on the Mysql database server.

Database

* MySql database server password: Password for the "root" user of the Mysql database server.

If you only need to reconfigure the profile in use, select it and you will be asked to enter the configuration parameters.

To apply the changes you selected, click "Apply and save all changes" or run the Ossim reconfiguration command "ossim-reconfig".

Network Configuration

Those machines running OSSIM require special care when configuring networking.

The network configuration is defined in the following file:

/etc/network/interfaces

If the network configuration has been modified, use the following command to apply the changes:

/etc/init.d/networking restart

Each OSSIM Box must have at least one static IP address, so that the different OSSIM components can communicate with each other and the administrator can have remote access to the machines.

Each interface (network card) with a valid IP address must have an entry in the /etc/network/interfaces file using the following scheme:

allow-hotplug eth0
iface eth0 inet static
    address 192.168.1.133
    netmask 255.255.0.0
    network 192.168.0.0
    broadcast 192.168.255.255
    gateway 192.168.1.1
    dns-nameservers 192.168.1.100

Those interfaces (network cards) used to collect all the network traffic must never have an IP address. Interfaces (network cards) in promiscuous mode do not require any special configuration in the network configuration file.

Updating OSSIM

The following commands will update the OSSIM system:

apt-get update; apt-get dist-upgrade;

The update software used in the OSSIM installer was designed to make sure the correct versions are used. It lets the OSSIM contributors block or force updates of certain software on the system. For this reason, you must never add new software repositories to your /etc/apt/sources.list. This information is very important.

Source: http://ossim.net/dokuwiki/doku.php?id=installation
Original article: Juan Manuel Lorenzo (jmlorenzo at AlienVault dot com)
Translation and additions: Jailson Jan (jailsonjan at yahoo dot com dot br / jailsonjan at previsioni dot com dot br)

http://www.previsioni.com.br/jailsonjan/

Jailson Jan is the translator of Ossim into Brazilian Portuguese (pt_BR)
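An added check for the two network rules in the post above (not code from the post or from the OSSIM project): it parses an /etc/network/interfaces file, confirms that the box has an interface with a static IP and flags any capture interface that has been given an address. The sample file is constructed around the eth0 stanza shown above, and the list of capture interface names is assumed to be supplied by the caller.

```python
"""Check /etc/network/interfaces against the guide's two rules: every OSSIM
box needs at least one static IP, and a capture (mirror/span port) interface
must never carry an IP address. Added example, not the post's or OSSIM's code.
"""

# Top-level ifupdown keywords that end an `iface` stanza instead of belonging to it.
_STANZA_BREAKERS = {"auto", "allow-auto", "allow-hotplug", "mapping",
                    "source", "source-directory"}


def parse_interfaces(text):
    """Parse ifupdown syntax into {name: {"family", "method", "options"}}.

    Only `iface` stanzas and their option lines are kept; comments, blank
    lines and the auto/allow-hotplug lines are skipped.
    """
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "iface" and len(tokens) >= 4:
            current = tokens[1]
            stanzas[current] = {"family": tokens[2], "method": tokens[3], "options": {}}
        elif tokens[0] in _STANZA_BREAKERS:
            current = None
        elif current is not None:
            stanzas[current]["options"][tokens[0]] = " ".join(tokens[1:])
    return stanzas


def static_interfaces(text):
    """Names of interfaces configured with a fixed IP (method static plus an address)."""
    return sorted(name for name, s in parse_interfaces(text).items()
                  if s["method"] == "static" and "address" in s["options"])


def capture_interface_violations(text, capture_ifaces):
    """Capture interfaces that would receive an IP address, which the guide forbids.

    Returns {name: reason}. A capture interface absent from the file is fine:
    the guide says promiscuous interfaces need no entry at all. The names in
    `capture_ifaces` are supplied by the caller (an assumption of this example).
    """
    stanzas = parse_interfaces(text)
    problems = {}
    for name in capture_ifaces:
        s = stanzas.get(name)
        if s is None:
            continue
        if s["method"] in ("dhcp", "static") or "address" in s["options"]:
            problems[name] = f"method {s['method']} assigns an IP address"
    return problems


# Constructed sample: the management stanza from the guide plus one correct
# and one wrongly configured capture interface.
SAMPLE_INTERFACES = """\
auto lo
iface lo inet loopback

allow-hotplug eth0
iface eth0 inet static
    address 192.168.1.133
    netmask 255.255.0.0
    network 192.168.0.0
    broadcast 192.168.255.255
    gateway 192.168.1.1
    dns-nameservers 192.168.1.100

# eth1 collects mirror-port traffic: no address, just promiscuous mode
iface eth1 inet manual
    up ip link set $IFACE promisc on

# eth2 is also meant for capture but was wrongly given an address via DHCP
iface eth2 inet dhcp
"""

if __name__ == "__main__":
    print("static interfaces:", static_interfaces(SAMPLE_INTERFACES))
    print("capture violations:",
          capture_interface_violations(SAMPLE_INTERFACES, ["eth1", "eth2", "eth3"]))
```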

Subject: OSSIM Installation Guide – Part IV
Posted by jailsonjan on Mon, 21 Dec 2009 15:25:37 GMT

OSSIM Installation Guide (AlienVault Open Source SIM) – Part IV

Ossim professional version

Besides leading the development of OSSIM, AlienVault is developing a professional version, "AlienVault Professional SIEM", which offers important features for high-demand environments. The commercial version has:

* SEM: high-volume storage
* Scalability: distributed, hierarchical
* Performance: 30 times higher performance
* Reliability: Redundancy and high availability

General Recommendations

* In production environments it is always recommended to use 64-bit architectures, since there is a big difference in performance compared with the 32-bit version.

* Never install an OSSIM Sensor in a virtualized environment if this sensor is going to collect huge amounts of network traffic. Because of the way these virtualization tools handle virtual network interfaces, a large amount of network traffic is lost without being analyzed.

* Never install software on the OSSIM Box that requires changing the Debian repositories in the "/etc/apt/sources.list" file.

* OSSIM will always support the most stable version of Debian GNU/Linux. When a new version of Debian is released the contributors will provide a guide on how to upgrade the installed Ossim to the newest version.

* There is no limit on the software that can be installed on the machines (as long as it is in Ossim's original sources.list), but remember that the high memory or processor (cpu) consumption of some applications can hurt its performance. As an example, you should never install a desktop environment on the OSSIM machines.

Source: http://ossim.net/dokuwiki/doku.php?id=installation

Original article: Juan Manuel Lorenzo (jmlorenzo at AlienVault dot com)

Translation and additions: Jailson Jan (jailsonjan at yahoo dot com dot br / jailsonjan at previsioni dot com dot br)

Blog: http://www.previsioni.com.br/jailsonjan/

Jailson Jan is the translator of Ossim into Brazilian Portuguese (pt_BR)

Subject: Ossim - Profiles
Posted by jailsonjan on Mon, 21 Dec 2009 15:30:12 GMT

Generally, a typical ossim deployment consists of:

* A database server (normally MySql).

* A server hosting the correlation, qualification and risk assessment engine.

* The N agent servers that collect information and are in charge of a number of devices. For a list of "plugins" see:
http://www.alienvault.com/community.php?section=Plugins

* An automatic control (daemon) that does some maintenance work and ties some parts together. This is called "frameworkd".

* The web-based frontend (interface), unifying all the collected information and providing the ability to control each of the components.

Source: http://ossim.net/dokuwiki/doku.php?id=installation

Original article: Juan Manuel Lorenzo (jmlorenzo at AlienVault dot com)

Translation and additions: Jailson Jan (jailsonjan at yahoo dot com dot br / jailsonjan at previsioni dot com dot br)

Blog: http://www.previsioni.com.br/jailsonjan/
Jailson Jan is the translator of Ossim into Brazilian Portuguese (pt_BR)

Subject: OSSIM Sensor - The agents - Part I
Posted by jailsonjan on Mon, 21 Dec 2009 18:37:40 GMT

OSSIM Sensor - The agents - Part I

http://www.previsioni.com.br/jailsonjan/

Subject: OSSIM Sensor – The agents – Part II
Posted by jailsonjan on Mon, 21 Dec 2009 19:47:06 GMT

OSSIM Sensor – The agents – Part II

(Brazilian portuguese and English)

http://www.previsioni.com.br/jailsonjan/

Subject: Ossim – Main Ossim Configuration – Part I
Posted by jailsonjan on Tue, 22 Dec 2009 18:54:45 GMT

Ossim – Main Ossim Configuration – Part I

(Brazilian portuguese and English)

http://www.previsioni.com.br/jailsonjan/

Subject: Re: OSSIM Password listing
Posted by TMG1980 on Wed, 13 Jan 2010 18:03:41 GMT

You can always use the following command to find the tomcat-users.xml file which contains the default pwd for admin and manager:

$ find / -name 'tomcat-users.xml'

Once you find the file path and navigate to it, you can use an editor (i.e. pico) to open and edit the file.

Cheers

Subject: Ossim - Incidents (brazilian portuguese)
Posted by jailsonjan on Thu, 14 Jan 2010 12:24:59 GMT

Translation to Brazilian Portuguese and additions, by Jailson Jan (translator of Ossim for pt_BR)

http://www.previsioni.com.br/jailsonjan/?p=278

Subject: Re: HOWTO: Get Snort 2.8.X on Ubuntu feeding to OSSIM
Posted by jlambrecht on Fri, 15 Jan 2010 17:11:41 GMT

my set-up is ossim (oss) image running
centos with snort configured, logging to mysql

Since so far i did not have time to delve into ossim-configuration and set-up i'm a bit lost.

Is there a simple way to have ossim read the mysql-db on the centos-snort machine? Since this set-up is experimental i assumed this would be read by setting the db in the configuration (advanced) but no luck.

Please advise as the support mailbox does not answer at all.

tnx

Subject: Re: OSSEC Quick Start Guide
Posted by punkrokk on Thu, 21 Jan 2010 19:29:21 GMT

FYI -- I just did this with OSSEC 2.3 on a win 2k3 machine and the windows instructions worked great.

jplee3 wrote on Wed, 04 November 2009 12:18
Hey guys, will this still work with the latest versions of OSSEC and OSSIM? I was trying to tie the two together but could not figure it out. I'll have to play around with it more when I have the time.

Subject: Re: HOWTO: Get Snort 2.8.X on Ubuntu feeding to OSSIM
Posted by kristian_paul on Mon, 25 Jan 2010 15:01:21 GMT

I think that for non-patched snort in the wild, ossec could help to get those logs and then send them back to ossim

Or you can patch snort to work with the ossim agent using the unified stuff and get better speed if it is needed

regards

Subject: Re: Install Oinkmaster and update snort rules
Posted by punkrokk on Fri, 29 Jan 2010 19:05:23 GMT

I have made a cron job out of this:

#!/bin/sh
# Record the sids currently disabled in the rule files so the update keeps them disabled
/usr/share/oinkmaster/makesidex.pl /etc/snort/rules/ > /etc/autodisable.conf
# Fetch the new rules, applying both config files
oinkmaster -C /etc/oinkmaster.conf -C /etc/autodisable.conf -o /etc/snort/rules
# Rebuild the OSSIM sid map from the updated rules, then restart ossim-server
perl /usr/share/ossim/scripts/create_sidmap.pl /etc/snort/rules
/etc/init.d/ossim-server restart

Works great, run once every 24 hours or whatever. :d

Subject: Re: Install Oinkmaster and update snort rules
Posted by rossonr on Mon, 01 Feb 2010 16:00:29 GMT

Wouldn't this also need to be piped to mysql to update the database?

Subject: Re: Install Oinkmaster and update snort rules
Posted by punkrokk on Mon, 01 Feb 2010 16:03:09 GMT

Nope, (at least not that I can tell)

The line:

perl /usr/share/ossim/scripts/create_sidmap.pl /etc/snort/rules

runs an OSSIM script that updates the db and correlates everything.

Subject: Re: Install Oinkmaster and update snort rules
Posted by juanma on Mon, 01 Feb 2010 16:09:35 GMT

create-sidmap.pl updates the database, is oinkmaster restarting snort?

If not, you should also have to restart snort.

juanma

Subject: Re: Install Oinkmaster and update snort rulesPosted by rossonr on Mon, 01 Feb 2010 16:47:48 GMTView Forum Message <> Reply to Message

I am using pulledpork. :) which can be reconfigured to restart snort

Subject: Re: Install Oinkmaster and update snort rulesPosted by punkrokk on Mon, 01 Feb 2010 18:21:29 GMTView Forum Message <> Reply to Message

Just to make sure, I added /etc/init.d/snort restart to the end of my script.

Leaving me with:

#!/bin/sh
# Build the list of currently disabled rules so the update keeps them disabled.
# Written to /etc so it matches the -C path used on the next line.
/usr/share/oinkmaster/makesidex.pl /etc/snort/rules/ > /etc/autodisable.conf
# Fetch the new rule set
oinkmaster -C /etc/oinkmaster.conf -C /etc/autodisable.conf -o /etc/snort/rules
# Rebuild the OSSIM sid map, then restart snort and the ossim server so both load the new rules
perl /usr/share/ossim/scripts/create_sidmap.pl /etc/snort/rules
/etc/init.d/snort restart
/etc/init.d/ossim-server restart

Note that if you subscribe to the snort rules, your oinkmaster.conf path to grab the snort rules will be different.

Here's some reading on the oinkmaster in debian topic: http://www.cyberarmy.net/library/article/1728

Now to figure out how to get Nessus to auto update :)

Subject: Re: Install Oinkmaster and update snort rules
Posted by rossonr on Tue, 02 Feb 2010 13:13:46 GMT

I have this in a script that I execute from cron

/usr/local/bin/alienvault-feed-sync openvas
/etc/init.d/openvas-server restart

P.S. For restart to work for openvas you need to edit the /etc/init.d/openvas-server script to add the path for start-stop-daemon

Subject: Re: Install Oinkmaster and update snort rules
Posted by punkrokk on Tue, 02 Feb 2010 21:34:37 GMT

Is this required for OpenVAS correlation?

rossonr wrote on Tue, 02 February 2010 06:13:
I have this in a script that I execute from cron

/usr/local/bin/alienvault-feed-sync openvas
/etc/init.d/openvas-server restart

P.S. For restart to work for openvas you need to edit the /etc/init.d/openvas-server script to add the path for start-stop-daemon

Subject: Re: Install Oinkmaster and update snort rules
Posted by rossonr on Wed, 03 Feb 2010 12:52:58 GMT

After the execution of "/usr/local/bin/alienvault-feed-sync openvas" it tells you that openvasd needs to be restarted.

Subject: Re: OSSEC Quick Start Guide
Posted by s00pcan on Wed, 03 Feb 2010 19:04:43 GMT

On an ubuntu agent:
root@ubuntu-vm:/var/ossec/bin# ./ossec-control start
...
2010/02/03 14:46:48 ossec-agentd(4105): ERROR: No valid server IP found.
2010/02/03 14:46:48 ossec-agentd(1215): ERROR: No client configured. Exiting.


How do I configure the server IP then?

Subject: Re: Use HTTPS instead of HTTP
Posted by dropadrop on Sat, 06 Feb 2010 20:14:54 GMT

Maybe a silly question, but wouldn't it be easier to just install a second apache in front as a proxy?

Subject: Re: Use HTTPS instead of HTTP
Posted by juanma on Sun, 07 Feb 2010 12:53:45 GMT

This will come by default in OSSIM 2.2

Subject: Re: Use HTTPS instead of HTTP
Posted by dropadrop on Tue, 09 Feb 2010 08:29:02 GMT

Great, then I won't waste time configuring it now. :)

Subject: how to set ossim server and ossim sensor
Posted by manean on Fri, 12 Feb 2010 18:12:56 GMT

Hi, kindly give me guidance and steps to implement ossim server and ossim sensor.

Mainly how to connect and use the database.

Early help is appreciated.

Thanks in advance. :p

with regards,
manean.kvs.


Subject: Re: Install Oinkmaster and update snort rules
Posted by nokster on Fri, 12 Feb 2010 19:55:37 GMT

punkrokk wrote on Mon, 01 February 2010 13:21:
Now to figure out how to get Nessus to auto update :)

"usr/local/bin/alienvault-feed-sync" apparently also accepts nessus as a parameter? Tried it out and I'm not sure if it works though because it ends with an error...

thanks for the cron script.

Subject: Re: Install Oinkmaster and update snort rules
Posted by punkrokk on Fri, 12 Feb 2010 20:07:39 GMT

haha, you're welcome! :)

Subject: Re: OSSIM Password listing
Posted by pettiet on Wed, 17 Feb 2010 14:07:10 GMT

I'm new to OSSIM and just made a proof of concept install yesterday. As recommended, I reset the Admin password but was unable to login today. How can the Admin password be reset if you cannot log in? Thanks for the help.

Subject: Re: OSSIM Password listing
Posted by TMG1980 on Wed, 17 Feb 2010 14:37:04 GMT

Default uid and pwd is Admin Admin when you login on the frontend (use the IP you assigned to OSSIM). Try that first.

Subject: Re: OSSIM Password listing
Posted by pettiet on Wed, 17 Feb 2010 14:56:47 GMT

Yes, that is what worked after installing yesterday. However, I thought I changed the password but it does not work today. Any suggestions for resetting a lost Admin password without having to reinstall everything?

Subject: Re: OSSIM Password listing
Posted by TMG1980 on Wed, 17 Feb 2010 15:32:40 GMT

ssh or logon to the OSSIM box as root. Find the tomcat-users.xml file and edit that file. There should be a line that contains the Admin and Manager accounts. Change the pwd there.

Quick way to find the file:

$ find / -name 'tomcat-users.xml'

Subject: Re: OSSIM Password listing
Posted by pettiet on Wed, 17 Feb 2010 15:39:37 GMT

Thanks, got it going now. I appreciate the help.

Subject: Re: Use HTTPS instead of HTTP
Posted by stlist on Thu, 04 Mar 2010 21:41:42 GMT

Juanma,

OSSIM 2.2 is out. I don't see any straightforward way to setup https for the OSSIM webpages. Could you point us in the right direction?

Thanks,
Sam

Subject: Re: Set second OSSIM server as sensor/agent only
Posted by TrevorBenson on Thu, 18 Mar 2010 01:15:01 GMT

In step three it says:
Quote: Check on sensor ossim_setup.conf so it will act as sensor

In my file I have:

ocs_db=ocsweb
ossim_db=ossim
osvdb_db=osvdb
pass=<something>
type=mysql
user=root

[expert]
profile=server

[sensor]
detectors=snare, p0f, osiris, arpwatch, snortunified, pads, ssh, pam_unix, rrd, sudo, iptables, nagios
interfaces=eth0
ip=
monitors=nmap-monitor, ntop-monitor, ossim-monitor
name=ossim
priority=5

[server]
server_ip=
server_plugins=osiris, pam_unix, ssh, snare, sudo
server_port=40001

Does this refer to changing the expert profile setting to sensor instead of server? Not really sure what it means to 'check on sensor'; if eth0 is the configuration in /etc/network/interfaces, then would this ossim_setup.conf already be a working configuration?

Also mentioned in step 4:
Quote: Check sensor's interface(s) in /etc/network/interfaces so its configuration is consistent with /etc/ossim/ossim_setup.conf, one as default, other set in promiscuous mode if it has more than 1 interface

I assume this means if you have 2 interfaces in the same network, use 1 as default management and 1 as promiscuous for snort etc.? Otherwise, if you have multiple interfaces in different subnets, wouldn't you want it promiscuous on all interfaces?

Thanks,
Trevor

Subject: Re: Method to check and see what OSSEC is logging (without the webgui)
Posted by kristian_paul on Thu, 25 Mar 2010 19:32:52 GMT

I used to temporarily activate the logall option in the ossec config so I can debug what logs are being received from agents

Subject: Guide: Nessus 4.0.2 on OSSIM 2.2.1
Posted by fable on Wed, 31 Mar 2010 06:51:31 GMT

I have been trying to make NESSUS work on OSSIM 2.2.1 for a few days now and I have to admit it was hell! From what I discovered, OSSIM will most likely not work with NESSUS 4.2.x and a HomeFeed (as I posted here too: https://www.alienvault.com/forum/index.php?t=msg&th=2107&start=0&S=dbf97230c72cc76508327ff1afae4e76). That was not the only problem though. I made this guide collecting what I found in the forum and what I discovered myself.

Use this as a step-by-step guide to make NESSUS 4.0.2 work on a fresh OSSIM 2.2.1 install.

1. Download version 4.0.2

Navigate to http://www.nessus.org/download/. Go to the bottom of the page, there is a link there. While you are there you can register for a Feed Code as well.

Upload the file to your OSSIM server using SCP. I uploaded it to the /home directory.

2. Update OSSIM

run: /ossim-update. Answer "yes" to all questions

3. Disable the firewall

run: ossim-setup, go to Change General Setting --> Configure Firewall. Highlight "No" and hit space. Hit OK and then "Save $ Exit". This step is not necessarily needed if you have correctly configured your firewall.

4. Install NESSUS

run: dpkg -i /home/Nessus-4.0.2-debian5_i386

5. Update Plugins

run: /opt/nessus/bin/nessus-fetch --register <code>. Replace <code> with your HomeFeed or ProfessionalFeed code.


6. Configure the OSSIM database for NESSUS

(From "DK's" post on this thread)

run: ossim-db
TRUNCATE `vuln_nessus_category`;
TRUNCATE `vuln_nessus_family`;
TRUNCATE `vuln_nessus_plugins`;
TRUNCATE `vuln_nessus_preferences`;
TRUNCATE `vuln_nessus_preferences_defaults`;
TRUNCATE `vuln_nessus_settings`;
TRUNCATE `vuln_nessus_settings_category`;
TRUNCATE `vuln_nessus_settings_family`;
TRUNCATE `vuln_nessus_settings_plugins`;
exit

7. Configure NESSUS

a. Change Listening IP:

run: nano /opt/nessus/etc/nessus/nessusd.conf and change the "listening ip" to your local IP. ATTENTION: This is the IP assigned to your NIC (e.g. 192.168.1.1), NOT LOCALHOST

b. Create a user

run: /opt/nessus/sbin/nessus-adduser. Use pass instead of cert and make the user an admin

c. Create a cert

run: /opt/nessus/sbin/nessus-mkcert. Choose all the defaults

8. Configure OSSIM

a. Edit the web interface

go to Configuration-->Main-->Advanced-->Vulnerability Scanner. Enter the user name and password of the user you just created. For IP enter the IP assigned to your NIC (the one you entered in step 7a). Port: 1241, location: /opt/nessus/bin/nessus

9. Start NESSUS


run: /opt/nessus/sbin/nessus-service. Wait until you get the "All plugins loaded" message. Leave this window open and start a new ssh session to your OSSIM server. (I haven't found a way to make this run in the background yet)

10. Configure the OSSIM database

Run:
cd /usr/share/ossim/scripts/vulnmeter/
./updateplugins.pl
cd /usr/share/ossim/scripts/vulnmeter/
./update_nessus_ids.pl

Your NESSUS setup is now completed!

You can initiate new scans by going to OSSIM's web interface under Analysis-->Vulnerabilities-->Scan Jobs

Subject: Re: Guide: Nessus 4.0.2 on OSSIM 2.2.1
Posted by jmalbarracin on Wed, 31 Mar 2010 07:47:45 GMT

Hi,

Please, TRUNCATE `vuln_nessus_settings_preferences`; and TRUNCATE `vuln_settings`; are not necessary!!

Thx

Subject: Re: Guide: Nessus 4.0.2 on OSSIM 2.2.1
Posted by fable on Wed, 31 Mar 2010 08:09:49 GMT

hello jmalbarracin,

thanx for your input, but could you briefly explain why? I merely copy-pasted those lines from DK's post, don't know much about their functionality other than that they change settings in the database.

fable


Subject: Re: Guide: Nessus 4.0.2 on OSSIM 2.2.1
Posted by jmalbarracin on Wed, 31 Mar 2010 08:20:34 GMT

I know, but updateplugins.pl doesn't modify those tables. Analysis->Vulnerabilities->Settings

Thx

Subject: Re: Guide: Nessus 4.0.2 on OSSIM 2.2.1
Posted by fable on Wed, 31 Mar 2010 08:24:59 GMT

gotcha! I updated the guide. Thank you!

Subject: Re: Method to check and see what OSSEC is logging (without the webgui)
Posted by link on Wed, 31 Mar 2010 10:55:57 GMT

I see all the logs of my devices in ossec.log but when I go to check these logs in the SIEM gui, I can't see all of them.

Where is the problem if ossec receive all logs correctly?

Subject: Re: Method to check and see what OSSEC is logging (without the webgui)
Posted by juanma on Wed, 31 Mar 2010 11:01:49 GMT

hi link,

please use the support forum and open a new thread for that issue.

Subject: Re: Guide: Nessus 4.0.2 on OSSIM 2.2.1
Posted by whitehat on Thu, 01 Apr 2010 08:24:44 GMT

I've removed old nessus by running apt-get remove nessus nessusd nessus-plugins

and followed your manual - and now all works great! Thank You!

Subject: Re: Guide: Nessus 4.0.2 on OSSIM 2.2.1
Posted by jchristmas on Mon, 05 Apr 2010 16:40:52 GMT

Great tutorial. I am going to try it out now with my server and settings but I have a few quick questions for everyone if they have time to think about it.

I have a nessus system that's not a part of ossim at all... I want to use this system to scan. My environment is a bit different. I have 1 dedicated manager, no sensors on it, and 2 dedicated sensors, no manager on them.

My question is do I need to install nessus 4.x on the manager in order to use my external nessus machine? Or will the client on the nessus system work just the same to connect and pull the data over?

Subject: Re: Guide: Nessus 4.0.2 on OSSIM 2.2.1
Posted by jchristmas on Mon, 05 Apr 2010 16:52:40 GMT

To answer my own question: for my custom setup, to get the update scripts for plugins working I needed to install at least the client for nessus 4.0.2 on my system, so I uninstalled nessus, nessusd etc... and installed the nessus client package from the site. Seems to be loading the plugins correctly now.

Subject: Re: Guide: Nessus 4.0.2 on OSSIM 2.2.1
Posted by jchristmas on Mon, 05 Apr 2010 18:47:19 GMT

Found a minor bug in all of this, or at least an issue I am having. After updating the plugins they all show they are Serious level vulnerabilities. There are 2 lows and the rest are serious... Did something fail?

Subject: Re: Guide: Nessus 4.0.2 on OSSIM 2.2.1
Posted by fable on Tue, 06 Apr 2010 04:48:19 GMT

Hello jchristmas,

Thank you for your comments. I ran this tutorial on a clean OSSIM 2.2.1 install and I noticed something similar to what you did. If I run a scan job and try to open the report that appears next to my scan under the "scan jobs" tab, I get a much different report from the one under the "vulnerabilities" tab. The "scan jobs" tab report though is the same as the one under the "reports" tab.

The report under the "vulnerabilities" tab didn't have nearly as many vulnerabilities as the ones under the "scan jobs" and "reports" tabs, which were much more spread out (serious, high, medium, info etc).

My guess is that the reports under the "scan jobs" and "reports" tabs are actually the "raw" Nessus scans with just the Alienvault logo in them. The report under the "vulnerabilities" tab though is processed by OSSIM. Over there OSSIM actually presents what vulnerabilities it thinks were present (based on the way it processes Nessus reports).

What's weird though is that OSSIM is generating as many tickets as vulnerabilities found in the report under "scan jobs".

Can you check to see if there are any differences on the various reports available?

Also, could you run a credentialed scan against an unpatched pc (e.g. windows xp) just so you know you will normally get a lengthy report.

Subject: Re: Guide: Nessus 4.0.2 on OSSIM 2.2.1
Posted by fable on Tue, 06 Apr 2010 07:27:49 GMT

I actually just noticed that when I go to "assets-->assets" and click on the host I just scanned (OSSIM generates the "general report"), in the "vulnerabilities" window OSSIM reports "No vulnerabilities found for <host_ip>". This is very ironic because a few windows over there is a bunch of tickets opened that say "Vulnerability: Unknown".

Could someone shed some light on why OSSIM isn't actually integrating the NESSUS scans? Because the way I see it right now, NESSUS is just a way to generate reports. Something that I can do by installing nessus on a windows xp machine and running the scan from there?

I think the vulnerability management capability of OSSIM is very important to its generalpurpose as a Security Information Management System.

fable


Subject: Re: Use HTTPS instead of HTTP
Posted by traz on Wed, 07 Apr 2010 10:29:07 GMT

stlist wrote on Thu, 04 March 2010 14:41:
Juanma,

OSSIM 2.2 is out. I don't see any straightforward way to setup https for the OSSIM webpages. Could you point us to the right direction?

Thanks,
Sam

truth

Subject: Re: Guide: Nessus 4.0.2 on OSSIM 2.2.1
Posted by jchristmas on Wed, 07 Apr 2010 17:28:24 GMT

So let me clarify a few things and also say something else. I am trying to use a nessus 4 professional feed on a ubuntu box that I installed the ossim agent on. If I click in the vulnerabilities tab and select threat database I show almost all the vulnerabilities listed under critical... Tried to update the plugins again and it didn't fix it.

The new problem I just started to notice is that even though I updated the settings to point to the new nessus scanner it does not want to show up as an option to scan with. So I checked things out in the database and sure enough in vuln_nessus_servers the new server isn't showing up. I could add it manually I suppose, but I wanted to know where it was supposed to be added from, i.e. the script or web interface that inserts it into the mysql table.

I am actually thinking I will rebuild all my systems soon and re-install them all virtually on each box so that I can make snapshots as well as have another group of "testing servers" that I can use before upgrading to production. But I want to make sure that before I do that everything else is in good working order. I also can't do it until roughly May due to some project obligations I have.

So DK or Jamie or anyone else, have any idea why it's not inserting the nessus server in there, and also any idea why it's not doing what I am expecting? I can work with you more outside of the forums if you guys like. Thanks,

Subject: Re: Use HTTPS instead of HTTP
Posted by portstats on Fri, 16 Apr 2010 16:02:43 GMT

Any update on this ?

Subject: Re: OSSIM Password listing
Posted by manulpz on Mon, 03 May 2010 19:22:53 GMT

I need to reset the password to access via web, but I edited the file (/etc/ossim/framework/ossim.conf) and it takes no effect.

The user is admin but the password I cannot reset.

thanks.

Subject: Re: OSSIM Password listing
Posted by bvand on Mon, 17 May 2010 09:36:47 GMT

The password to access ossim web interface is not in "/etc/ossim/framework/ossim.conf"

You can access the web interface by

login: admin
password: admin

Subject: Re: Install Oinkmaster and update snort rules
Posted by bvand on Wed, 26 May 2010 15:01:11 GMT

Hi,
I tried to update snort rules with the current version of snort in OSSIM (2.8.5.2), so with the url:

url = http://www.snort.org/pub-bin/oinkmaster.cgi/MY-oinkcode/snortrules-snapshot-2852.tar.gz

But the file doesn't exist

The url :

url = http://www.snort.org/pub-bin/oinkmaster.cgi/MY-oinkcode/snortrules-snapshot-2.8.tar.gz


Doesn't work either...

Can I update snort to the official version, or is there another way to update the rules?

Regards

Subject: ossec&asterisk
Posted by jabi on Fri, 28 May 2010 09:43:15 GMT

I've written two posts about protecting Asterisk with OSSEC.

http://sysbrain.wordpress.com/2010/04/22/asterisk-ossec-part-1/
http://sysbrain.wordpress.com/2010/05/24/asterisk-ossec-part-ii/

I hope it will help you and if you see any error or improvement, tell me.

Subject: Re: Guide: Nessus 4.0.2 on OSSIM 2.2.1
Posted by temon on Fri, 11 Jun 2010 08:04:03 GMT

Hello,

I'm new to OSSIM and now I'm curious about OSSIM and NESSUS. I've installed Nessus 4.0.2 and yes, I got the same problems as any of you got there. Here are the problems:

1. Threats Database is showing Serious risk there (value == 7)
2. Cross Correlation with SNORT is not working because of some issue that I'll explain below.
3. Assets info shows no vulnerabilities there.

The positive issue is scan jobs and results (at vulnerability --> scan jobs) show us actual info :)

About the problems, here I try to find out why (from updateplugins.pl) :

1. Risk level value is 7 (all serious) is caused by this:

if ( !defined( $plugin_crisk ) || $plugin_crisk eq "" ) { $plugin_crisk = "NULL"; }

my $risk=7;
$risk=1 if ($pdescription =~ m/Risk [fF]actor\s*:\s*(\\n)*Serious/s);
$risk=1 if ($pdescription =~ m/Risk [fF]actor\s*:\s*(\\n)*Critical/s);
$risk=2 if ($pdescription =~ m/Risk [fF]actor\s*:\s*(\\n)*High/s);
$risk=3 if ($pdescription =~ m/Risk [fF]actor\s*:\s*(\\n)*Medium/s);
$risk=4 if ($pdescription =~ m/Risk [fF]actor\s*:\s*(\\n)*Medium\/Low/s);
$risk=5 if ($pdescription =~ m/Risk [fF]actor\s*:\s*(\\n)*Low\/Medium/s);
$risk=6 if ($pdescription =~ m/Risk [fF]actor\s*:\s*(\\n)*Low/s);
$risk=7 if ($pdescription =~ m/Risk [fF]actor\s*:\s*(\\n)*Info/s);
$risk=7 if ($pdescription =~ m/Risk [fF]actor\s*:\s*(\\n)*[nN]one/s);

not really sure about that..but by default the risk will be set to 7 if..bla bla bla..and if the risk factor value is NONE then it will be set to 7 :d. From another thread about openVAS, the problem looks like it does not happen there, I'll check the scripts later (openVAS is terribly slower than NESSUS) :(

2. next..about cross correlation and customisation there not working, why? Here I try to find out:

mysql> select * from host_plugin_sid where plugin_id='3001';
+------------+-----------+------------+
| host_ip    | plugin_id | plugin_sid |
+------------+-----------+------------+
| 2886731465 |      3001 |      10114 |
| 2886731465 |      3001 |      10150 |
| 2886731465 |      3001 |      10287 |
| 2886731465 |      3001 |      10394 |
| 2886731465 |      3001 |      10395 |
| 2886731465 |      3001 |      10397 |
-----------------skip-------------------
178 rows in set (0.00 sec)

Here's the place where NESSUS store IP and its Vulnerabilities (from scanning result).

mysql> select * from plugin_sid where plugin_id='3001';
+-----------+-------+-------------+----------+-------------+----------+------------------------------------------------------------------------+--------+
| plugin_id | sid   | category_id | class_id | reliability | priority | name                                                                   | aro    |
+-----------+-------+-------------+----------+-------------+----------+------------------------------------------------------------------------+--------+
|      3001 | 10048 |        NULL |     NULL |           2 |        7 | nessus: CommuniGate Pro HTTP Configuration Port Remote Overflow        | 0.0000 |
|      3001 | 11351 |        NULL |     NULL |           2 |        7 | nessus: Sendmail < 8.10.0 mail.local Newline Handling Remote DoS       | 0.0000 |
|      3001 | 11458 |        NULL |     NULL |           2 |        7 | nessus: SMB Registry : Dial In Enabled                                 | 0.0000 |
|      3001 | 11606 |        NULL |     NULL |           2 |        7 | nessus: WebLogic Crafted GET Request Hostname Disclosure               | 0.0000 |
|      3001 | 14446 |        NULL |     NULL |           2 |        7 | nessus: [GLSA-200402-02] XFree86 Font Information File Buffer Overflow | 0.0000 |
|      3001 | 16468 |        NULL |     NULL |           2 |        7 | nessus: Sami HTTP Server Multiple Remote Vulnerabilities               | 0.0000 |
|      3001 | 29898 |        NULL |     NULL |           2 |        7 | nessus: Novell Client nicm.sys Local Privilege Escalation              | 0.0000 |
|      3001 | 35388 |        NULL |     NULL |           2 |        7 | nessus: Fedora 9 2009-0059: xterm                                      | 0.0000 |
|      3001 | 35391 |        NULL |     NULL |           2 |        7 | nessus: Fedora 8 2009-0154: xterm                                      | 0.0000 |
|      3001 | 36641 |        NULL |     NULL |           2 |        7 | nessus: Fedora 10 2009-0091: xterm                                     | 0.0000 |
|      3001 | 42468 |        NULL |     NULL |           2 |        7 | nessus: CUPS < 1.4.2 kerberos Parameter XSS                            | 0.0000 |
+-----------+-------+-------------+----------+-------------+----------+------------------------------------------------------------------------+--------+
11 rows in set (0.00 sec)

mine is just showing 11 results there..hehehe..and still don't know why..if we trace back from update_nessus_ids.pl:

--snip--

$query = "INSERT INTO plugin_sid(plugin_id, sid, category_id, class_id, reliability, priority, name) VALUES ";

if(keys %plugin_rel_hash){
    print "Updating...\n";
    foreach $key (keys %plugin_rel_hash){
        print "$key:$plugin_rel_hash{$key}:$plugin_prio_hash{$key}\n";
        #$plugin_rel_hash{$key} =~ s/'/''/;
        $plugin_rel_hash{$key} =~ s/'/\\'/gs;
        $plugin_rel_hash{$key} =~ s/"/\\"/gs;

        my $sid = $key;
        if ($key =~ /\./){
            my @tmp = split(/\./, $key);
            $sid = $tmp[$#tmp];
        }

        $query .= "(3001, $sid, NULL, NULL, $plugin_prio_hash{$key}, 7, 'nessus: $plugin_rel_hash{$key}'),";
    }


--snip--

it must load data from somewhere, process it, then insert into this table :(

Next about 'plugin_reference' table (used for correlate with another plugins by default) :

mysql> select * from plugin_reference where reference_id='3001';
+-----------+------------+--------------+---------------+
| plugin_id | plugin_sid | reference_id | reference_sid |
+-----------+------------+--------------+---------------+
|      1001 |        103 |         3001 |         10024 |
|      1001 |        103 |         3001 |         10409 |
|      1001 |        107 |         3001 |         10024 |
|      1001 |        107 |         3001 |         10409 |
------------------------skip-----------------------------
7294 rows in set (0.05 sec)

Another table which needs to be checked is 'vuln_nessus_plugins', which holds the complete information on those plugins:

mysql> select count(*) from vuln_nessus_plugins;
+----------+
| count(*) |
+----------+
|    35979 |
+----------+
1 row in set (0.00 sec)

Now we try to manually correlate both of them :)

1. We try to find out one result (nessus plugin sid) from scanning activity :

mysql> select inet_ntoa('2886731465');
+-------------------------+
| inet_ntoa('2886731465') |
+-------------------------+
| 172.16.6.201            |
+-------------------------+
1 row in set (0.00 sec)

mysql> select * from host_plugin_sid where plugin_id='3001' and host_ip='2886731465' limit 1,5;
+------------+-----------+------------+
| host_ip    | plugin_id | plugin_sid |
+------------+-----------+------------+
| 2886731465 |      3001 |      10150 |
| 2886731465 |      3001 |      10287 |
| 2886731465 |      3001 |      10394 |
| 2886731465 |      3001 |      10395 |
| 2886731465 |      3001 |      10397 |
+------------+-----------+------------+
5 rows in set (0.00 sec)

mysql> select id,name from vuln_nessus_plugins where id='10150';
+-------+----------------------------------------------------------+
| id    | name                                                     |
+-------+----------------------------------------------------------+
| 10150 | Windows NetBIOS / SMB Remote Host Information Disclosure |
+-------+----------------------------------------------------------+
1 row in set (0.00 sec)

mysql> select id,name from vuln_nessus_plugins where id='10287';
+-------+------------------------+
| id    | name                   |
+-------+------------------------+
| 10287 | Traceroute Information |
+-------+------------------------+
1 row in set (0.01 sec)

mysql> select id,name from vuln_nessus_plugins where id='10394';
+-------+---------------------+
| id    | name                |
+-------+---------------------+
| 10394 | SMB Log In Possible |
+-------+---------------------+
1 row in set (0.02 sec)

mysql> select id,name from vuln_nessus_plugins where id='10395';
+-------+------------------------+
| id    | name                   |
+-------+------------------------+
| 10395 | SMB Shares Enumeration |
+-------+------------------------+
1 row in set (0.01 sec)

mysql> select id,name from vuln_nessus_plugins where id='10397';
+-------+-------------------------------------------+
| id    | name                                      |
+-------+-------------------------------------------+
| 10397 | SMB LanMan Pipe Server Listing Disclosure |
+-------+-------------------------------------------+
1 row in set (0.01 sec)

mysql> select id,name,description from vuln_nessus_plugins where id='10150';
+-------+----------------------------------------------------------+-------------------------------------------------------------------------------+
| id    | name                                                     | description                                                                   |
+-------+----------------------------------------------------------+-------------------------------------------------------------------------------+
| 10150 | Windows NetBIOS / SMB Remote Host Information Disclosure | ;Synopsis :;;It is possible to obtain the network name of the remote host.;;Description :;;The remote host listens on UDP port 137 or TCP port 445 and replies to ;NetBIOS nbtscan or SMB requests.;;Note that this plugin gathers information to be used in other vuln_plugins;but does not itself generate a report.;;Solution :;;n/a;;Risk factor :;;None;; |
+-------+----------------------------------------------------------+-------------------------------------------------------------------------------+
1 row in set (0.00 sec)

mysql>

enough for the first part, I try to look up the vulnerability information from 'host_plugin_sid', then try to find out what the vulnerability shown there is (shown by plugin_sid) at 'vuln_nessus_plugins' in the 'id' field.

next, try to find out the plugin_sid at the correlation tables (plugin_reference and plugin_sid):

mysql> select * from host_plugin_sid where plugin_id='3001' and host_ip='2886731465' limit 1,5;
+------------+-----------+------------+
| host_ip    | plugin_id | plugin_sid |
+------------+-----------+------------+
| 2886731465 |      3001 |      10150 |
| 2886731465 |      3001 |      10287 |
| 2886731465 |      3001 |      10394 |
| 2886731465 |      3001 |      10395 |
| 2886731465 |      3001 |      10397 |
+------------+-----------+------------+
5 rows in set (0.00 sec)

mysql> select * from plugin_reference where reference_sid='10150';
Empty set (0.00 sec)

mysql> select * from plugin_reference where reference_sid='10287';
Empty set (0.00 sec)

mysql> select * from plugin_reference where reference_sid='10394';
Empty set (0.01 sec)

mysql> select * from plugin_reference where reference_sid='10395';
Empty set (0.01 sec)

mysql> select * from plugin_reference where reference_sid='10397';
Empty set (0.01 sec)

can't find the correlation between snort and nessus sid there, so I have to customize/define/create it first :p need to check another table:

mysql> select * from host_plugin_sid where plugin_id='3001' and host_ip='2886731465' limit 1,5;
+------------+-----------+------------+
| host_ip    | plugin_id | plugin_sid |
+------------+-----------+------------+
| 2886731465 |      3001 |      10150 |
| 2886731465 |      3001 |      10287 |
| 2886731465 |      3001 |      10394 |
| 2886731465 |      3001 |      10395 |
| 2886731465 |      3001 |      10397 |
+------------+-----------+------------+
5 rows in set (0.00 sec)

mysql> select * from plugin_reference where reference_sid='10150';
Empty set (0.00 sec)

mysql> select * from plugin_reference where reference_sid='10287';
Empty set (0.00 sec)

mysql> select * from plugin_reference where reference_sid='10394';
Empty set (0.01 sec)

mysql> select * from plugin_reference where reference_sid='10395';
Empty set (0.01 sec)

mysql> select * from plugin_reference where reference_sid='10397';
Empty set (0.01 sec)

See, just like what I said at first: in this table I only got 11 (eleven) entries, so I can do nothing except manually insert the references from vuln_nessus_plugins into this plugin_sid table :( (which should have been done by the script "update_nessus_ids.pl").

Any info from the developers? Oh, I forgot: I also noticed the "alienvault_feed_sync.sh" script and tried it, but it failed. Looks like the AlienVault rsync server is down now.

siem:/usr/share/ossim/scripts/vulnmeter# ../alienvault-feed-sync.sh nessus
AlienVault NVT Feed Sync
Configured Scanner: nessus
Configured NVT Feed: rsync://feed.alienvault.com:/nvt-feed
Synchronized into: /opt/nessus/lib/nessus/plugins/
Searching for required system tools ...
Synchonizing NVTs via RSYNC ...
rsync: failed to connect to feed.alienvault.com: Connection refused (111)
rsync error: error in socket IO (code 10) at clientserver.c(122) [receiver=3.0.3]
Error: rsync failed. Your NVT collection might be broken now.
siem:/usr/share/ossim/scripts/vulnmeter# cat /etc/services | grep rsync
rsync           873/tcp
rsync           873/udp
siem:/usr/share/ossim/scripts/vulnmeter# telnet feed.alienvault.com rsync
Trying 207.158.15.208...
telnet: Unable to connect to remote host: Connection refused
siem:/usr/share/ossim/scripts/vulnmeter# telnet feed.alienvault.com 873
Trying 207.158.15.208...
telnet: Unable to connect to remote host: Connection refused
siem:/usr/share/ossim/scripts/vulnmeter#

Any advice? Thanks in advance :)
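As an added example (not code from temon's post or from OSSIM itself), the per-sid lookups above can be done in one query that lists, for every Nessus finding on the host, whether a plugin_reference row exists. It assumes only the columns visible in the session (host_plugin_sid.host_ip/plugin_id/plugin_sid, plugin_reference.reference_sid, vuln_nessus_plugins.id/name), that 3001 is the Nessus plugin_id and that host_ip is stored as an integer, as shown there.

```sql
-- Added example, not from the thread: which Nessus plugin_sids recorded for
-- a host still lack a cross-correlation reference (the rows that
-- update_nessus_ids.pl was expected to create). Column names are the ones
-- used in the session above; plugin_id 3001 is Nessus, as used there.
SELECT INET_NTOA(h.host_ip) AS host,          -- integer host_ip -> dotted quad
       h.plugin_sid,
       v.name,
       CASE WHEN r.reference_sid IS NULL THEN 'MISSING' ELSE 'ok' END AS reference
FROM   host_plugin_sid h
LEFT JOIN plugin_reference    r ON r.reference_sid = h.plugin_sid
LEFT JOIN vuln_nessus_plugins v ON v.id = h.plugin_sid
WHERE  h.plugin_id = 3001
  AND  h.host_ip   = 2886731465
ORDER BY h.plugin_sid;

-- Same check for the whole database: how many distinct Nessus sids seen on
-- any host have a reference at all (the thread found only 11 rows in
-- plugin_reference). Assumes reference_sid holds the Nessus plugin id, which
-- is how the queries above use it.
SELECT COUNT(DISTINCT h.plugin_sid)                                    AS nessus_sids_seen,
       COUNT(DISTINCT CASE WHEN r.reference_sid IS NOT NULL
                           THEN h.plugin_sid END)                      AS with_reference
FROM   host_plugin_sid h
LEFT JOIN plugin_reference r ON r.reference_sid = h.plugin_sid
WHERE  h.plugin_id = 3001;
```

Run both with the same mysql client session as above; rows marked MISSING are the ones that need a plugin_reference entry before snort <-> nessus correlation can fire.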

Subject: Re: Guide: Nessus 4.0.2 on OSSIM 2.2.1
Posted by temon on Fri, 18 Jun 2010 04:48:08 GMT

Just want to update:

After waiting for several days and getting no reply here, I tried to find out the problems myself, and now it's all fixed. The next step is to make sure that the snort <-> nessus correlation will work :d

1. Analysis --> Vulnerabilities --> Threats Database problem: all vulnerabilities/plugins have the 'serious' risk factor.

2. Intelligence --> Cross Correlation --> Correlation Rules: nessus plugins were not loaded/inserted correctly into the ossim.plugin_sid table in the database.

Here are the new scripts to fix the problems (rename them to .pl; run updateplugins.pl first, then update_nessus_ids.pl):

1. http://temon.banget.de/ossim/updateplugins.txt
2. http://temon.banget.de/ossim/update_nessus_ids.txt

Thanks to fabe for the update_nessus_ids.pl patch :)
https://www.alienvault.com/forum/index.php?t=msg&S=739e31dbae2442b0334ec6e41e5d8d3e&th=1973&goto=6712#msg_6712

Subject: Re: Guide: Nessus 4.0.2 on OSSIM 2.2.1
Posted by whitehat on Fri, 18 Jun 2010 10:13:37 GMT

temon wrote on Fri, 18 June 2010 07:48

1. http://temon.banget.de/ossim/updateplugins.txt
2. http://temon.banget.de/ossim/update_nessus_ids.txt

Can you please upload these files to another server? Or to this forum?


Subject: Re: Guide: Nessus 4.0.2 on OSSIM 2.2.1
Posted by temon on Fri, 18 Jun 2010 12:28:32 GMT

Trying to attach those files here... :d

File Attachments:
1) ossim_nessus_dbupdate.tar.gz

Subject: Re: OSSEC Quick Start Guide
Posted by Lorax on Fri, 18 Jun 2010 12:59:44 GMT

Look inside ossec.conf in /var/ossec/etc/ and edit the server IP at the top:

<ossec_config>
  <client>
    <server-ip>10.1.1.8</server-ip>
  </client>

  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>
  </syscheck>
</ossec_config>

Subject: OSSIM integration with an existing OCS Inventory install
Posted by westie5017 on Mon, 21 Jun 2010 16:37:05 GMT

Good Afternoon,

I hope you are well.

We have an existing OCS Inventory install that has data on all of our existing assets. It is also integrated with our CMDB system (CMDBuild) and ITSM system.

I'm wanting to deploy an OSSIM server (initially in a development lab) so I can test the system and prepare it for a production environment.

Is it possible to integrate OSSIM with an existing OCS Inventory installation? Be it via an API, database synchronisation, or by simply pointing OSSIM at the existing build?


Any assistance would be greatly appreciated... as I'm keen to demonstrate the ROI on this system and get the project off the ground.

Kind Regards

Harry West

Subject: Re: Guide: Nessus 4.0.2 on OSSIM 2.2.1
Posted by bcarty on Tue, 22 Jun 2010 20:15:28 GMT

I cannot connect to port 1241 with either OSSIM or the Nessus Client (for giggles), which led me to do the google. Here is a link to the forum I found it in. The thread started back in December of 2009.

https://discussions.nessus.org/message/4293#4293

Thoughts?

Subject: Re: Guide: Nessus 4.0.2 on OSSIM 2.2.1
Posted by temon on Fri, 25 Jun 2010 04:08:21 GMT

Have you checked that nessus is running and port 1241 is open? 1241 is NTP, which is used to communicate between nessus-client and nessus-scanner (server).

netstat -plant | grep nessus
ps ax | grep nessus

If port 1241 is open, then try to connect to port 1241 using telnet from another machine:

telnet machine-running-nessus-server 1241

If you get connection refused, try flushing iptables first:

iptables -F ; iptables -X

Try to telnet again; if you get "Escape character is '^]'" it means you've successfully connected, so try to connect using nessus-client again. Don't forget to allow port 1241 on the ossim-firewall.

NOTE: Nessus 4.2 does not support NTP (port 1241) for the homefeed; only the professional feed supports NTP. That's why we use nessus 4.0 in our environment ;)

Subject: Re: OSSIM integration with an existing OCS Inventory install
Posted by NicoArias on Tue, 29 Jun 2010 16:37:57 GMT

You should edit these 2 files in order to use the already populated database:

/etc/apache2/conf.d/ocsinventory.conf
/usr/share/ossim/www/ocsreports/dbconfig.inc.php

Subject: Re: OSSIM Password listing
Posted by mattspierce on Wed, 30 Jun 2010 14:23:19 GMT

I've locked myself out of the admin interface for the website. Modifying the tomcat users file doesn't do anything to help, as the password there is set to admin:admin. From the tutorial I figured the password is stored in the ossim.users table, and sure enough I see the string. I've tried nulling that value to get back in, but no such luck. I'm guessing that the salt is being applied to the null value. Is there any way to determine what the salt is? Better yet, is there a way to reset the web admin password?

What I did:
logged into mysql
mysql -p
used password extracted via the first post.
use ossim;
update users set pass=NULL where login='admin';

*Another thread pointed out the fix*
update users set pass='21232f297a57a5a743894a0e4a801fc3' where login='admin';

This sets the password back to admin:admin

Subject: Re: Use HTTPS instead of HTTP
Posted by nhirst100 on Fri, 02 Jul 2010 22:11:35 GMT

This has not worked for me. I followed the steps listed above, and when I try to connect to the server over https I receive the following error in Firefox:

(Error code: ssl_error_rx_record_too_long)

I am running OSSIM 2.2.1

TIA,
Nathan

Subject: Re: Installing the OSSEC Web Interface on OSSIM
Posted by aimar on Wed, 07 Jul 2010 10:39:44 GMT

hidoa wrote on Fri, 13 February 2009 23:03
I followed the instructions and I get the error below when I try to browse to the site....
My step 5 was ossec:x:113:www-data not ossec:x:1002:www-data. Not sure if that matters or not...

Warning: opendir(/var/ossec) [function.opendir]: failed to open dir: Permission denied in /var/www/ossec-wui/lib/os_lib_handle.php on line 94
Unable to access ossec directory.

Then do the following:
# nano /etc/group
From:
ossec:x:109:
To:
ossec:x:109:www-data

Worked for me :p (OSSIM 2.2.4)

Subject: Re: Osiris - Quick Guide
Posted by aimar on Thu, 08 Jul 2010 10:06:03 GMT

With my OSSIM 2.2, I needed to run the following command before playing around with osiris:

apt-get install osiris osirismd

Otherwise, very nice tutorial, cheers ;)

Subject: Re: Use HTTPS instead of HTTP
Posted by nhirst100 on Mon, 19 Jul 2010 18:35:19 GMT

It looks like this can be done in version 2.2.1 by running

a2ensite default-ssl

a2dissite default

/etc/init.d/apache2 reload
