Note: I am not being endorsed in any way by AlienVault. I just really like their product OSSIM.
AlienVault’s open source SIEM (Security Information and Event Management) platform, OSSIM, is a fantastic tool for a number of different reasons, not least of which is that it is, as stated, open source. Now of course we all love free stuff, but think about this for a second. A for-profit company like AlienVault actually took the time to take one of their main products, USM, tweak it, make it open source and share it with everyone. And OSSIM has a ton of great features (check out their website) that make it really easy for even one person to start managing the security of a whole company. That’s a pretty great thing for them to do. Because OSSIM is open source and freely available for you and me to use, let’s look at some use cases where we can put the power of a SIEM to work.
- It’s an amazing learning tool for newbies or people just trying things out.
- Have a full IDS for your home without paying a dime
- Side note: IDSs are typically very expensive. AlienVault’s USM starts at $5,000. Not bad at all for an enterprise, but ridiculous for home use where you are trying to guard 5 – 10 systems.
- Proof of Concept for using an IDS at work
I’m going to talk briefly about the last bullet for a moment because that’s how I got started on OSSIM. One of my managers said to me a while back that no one will argue with you that security is important. What they will argue with you about is the cost of these tools, the cost of dedicating engineers to run these tools, the cost of a dedicated security team, etc. A SIEM with no license cost lets you run the proof of concept and show what it catches on your own network before anyone has to sign off on that budget.
This documentation goes over how to create a virtual machine using KVM on Ubuntu 14.04 LTS Server and install OSSIM on it. It uses virt-manager, a graphical tool for setting up VMs in KVM. (Trust me, it’s just easier.)
- Log in to the hypervisor and run the following command (note the package is libvirt-bin, not libvert-bin):
# apt-get install qemu-kvm libvirt-bin bridge-utils virtinst
You may want to disable KSM (Kernel Samepage Merging), a memory-saving de-duplication feature. It costs CPU to scan for duplicate pages, and sharing physical pages between guests is also a well-known side-channel vector between VMs, so turning it off on a host that runs a security appliance is a sensible default.
- Check /etc/default/qemu-kvm for the line KSM_ENABLED=1 and switch it to KSM_ENABLED=0, then restart the qemu-kvm service (or reboot) so the change takes effect.
Once KVM is set up, you can continue setting up the VM for OSSIM.
- Connect to the hypervisor
- Install virt-manager
# apt-get install virt-manager
- Download the ISO from AlienVault’s website. The easiest way to do this is:
- Copy the download link from the download icon on their website.
- Then use wget on the server to fetch it (or copy the link I have below).
- Log out of your current session (Ctrl-D) and reconnect with X forwarding so virt-manager can display on your workstation:
# ssh -X root@server
- Open virt-manager (must be run as root or with sudo)
- Create the new VM through the GUI, using the downloaded ISO.
- Name the VM (if you run DNS for your network, make sure the VM name matches its DNS record).
- Select “Local Install Media”.
- Click “Forward”
- Select “Use ISO Image” and click “Browse” to find your downloaded ISO. Select “Generic” for OS type and Version. Click “Forward”
- Allocate RAM and CPU cores. Suggested specs can be found here. Click “Forward”
- Allocate space for a virtual hard drive. Click “Forward”
- Review VM resource specs and click Finish.
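The same host preparation and VM creation can be done without the GUI. The script below is an added example written for this page, not AlienVault’s or libvirt’s own tooling: it switches KSM off in an /etc/default/qemu-kvm style file, fetches the ISO with wget and refuses to continue unless its SHA-256 matches the value you copied from the download page, and prints the virt-install command that matches the wizard steps above. The VM name "ossim", the ISO path, 4 GB RAM, 2 vCPUs, a 40 GB disk and the host bridge "br0" are placeholders I chose; adjust them to your environment.

```shell
#!/bin/sh
# Added example for this walkthrough, not part of the original post or of OSSIM.
# Assumes the Ubuntu 14.04 hypervisor with qemu-kvm, libvirt-bin and virtinst
# installed. Names, sizes and paths below are placeholders.

# Turn KSM off in an /etc/default/qemu-kvm style file. The path is a parameter
# so the function can be exercised on a copy; on the host call it on
# /etc/default/qemu-kvm and restart the qemu-kvm service afterwards.
disable_ksm() {
    f="$1"
    sed 's/^KSM_ENABLED=1$/KSM_ENABLED=0/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    grep -q '^KSM_ENABLED=0$' "$f"   # fails if there was no line to switch
}

# SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# True only when the file's hash equals the expected (lower-case hex) value.
verify_iso() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Fetch the ISO and stop unless the hash matches what the vendor's download
# page shows. Installing an unverified image as your SIEM is a bad start.
fetch_iso() {
    url="$1"; dest="$2"; expected="$3"
    wget -O "$dest" "$url" || return 1
    verify_iso "$dest" "$expected"
}

# The virt-install equivalent of the wizard: name, RAM in MB, vCPUs, the ISO as
# local install media, a fresh qcow2 disk of the given size in GB, a generic
# Linux guest, a VNC console (attach with virt-manager later) and a NIC on the
# host bridge so the IDS can see traffic. The command is printed, not run,
# so it can be reviewed first. --os-type is the option this virt-install era used.
build_virt_install() {
    name="$1"; iso="$2"; ram_mb="$3"; vcpus="$4"; disk_gb="$5"
    bridge="${6:-br0}"
    printf 'virt-install --name %s --ram %s --vcpus %s --cdrom %s' \
        "$name" "$ram_mb" "$vcpus" "$iso"
    printf ' --disk path=/var/lib/libvirt/images/%s.qcow2,size=%s,format=qcow2' \
        "$name" "$disk_gb"
    printf ' --os-type linux --network bridge=%s --graphics vnc --noautoconsole\n' \
        "$bridge"
}

# Usage on the hypervisor (guarded so sourcing the file runs nothing):
#   sh ossim-kvm.sh create <iso-url> <sha256-from-download-page>
if [ "${1:-}" = "create" ]; then
    disable_ksm /etc/default/qemu-kvm && service qemu-kvm restart
    iso=/var/lib/libvirt/images/alienvault-ossim.iso
    fetch_iso "$2" "$iso" "$3" || exit 1
    eval "$(build_virt_install ossim "$iso" 4096 2 40)"
fi
```

After virt-install returns, open virt-manager, connect to the VM’s console and carry on with the OSSIM installer exactly as in the steps below.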
Once the ISO boots, continue through the OSSIM Installer:
- Select the correct Language, Location, and TimeZone.
- Set the Root password
- Provide the IP address for the system
- Wait for the system to install
After the system is done installing, pull up a web browser and go to the IP address you assigned OSSIM (https://192.168.x.x). Expect a certificate warning on the first visit: the appliance ships with a self-signed certificate, which you can replace later from the web interface.
Pretty much everything after this will be done via OSSIM’s web interface. There is an easy-to-navigate setup wizard that will get you finished and working in OSSIM.
You now have OSSIM up and running on your network! If you are curious about how to really start utilizing OSSIM, AlienVault has a great resource area with webinars that can teach you how to get the most out of your new SIEM.