Setting Up AlienVault’s OSSIM

Note: I am not being endorsed in any way by AlienVault. I just really like their product OSSIM.

Intro

AlienVault’s open source SIEM (Security Information and Event Manager), OSSIM, is a fantastic tool for a number of reasons, not least of which is that it’s, as stated, open source. Now of course we all love free stuff, but think about this for a second. A for-profit company like AlienVault actually took the time to take one of their main products, USM, tweak it, make it open source and share it with everyone. And OSSIM has a ton of great features (check out their website) that make it really easy for even one person to start managing the security of a whole company. That’s a pretty great thing for them to do. Let’s look at some use cases where, because OSSIM is open source and freely available for you and me to use, we can utilize the power of a SIEM.

  • It’s an amazing learning tool for newbies or people just trying things out.
  • Have a full IDS for your home without paying a dime.
    • Side note, IDSs are typically very expensive. AlienVault’s USM starts at $5,000. Not bad at all for enterprise, but ridiculous for home use trying to guard 5 – 10 systems.
  • Proof of Concept for using an IDS at work

I’m going to talk briefly about the last bullet for a moment because that’s how I got started on OSSIM. One of my managers said to me a while back that no one will argue with you that security is important. What they will argue with you about is the cost of these tools, the cost of dedicating engineers to run these tools, the cost of a dedicated security team, etc.

Now if you already work as a full time infosec specialist (and if you do, I’m jealous), congratulations, because a lot of the business-case justification is done for you. All you need to argue is the cost of the tool. However, I and many others aren’t so lucky. That’s why I really like OSSIM. I can spin OSSIM up on a server I have available, configure it, start generating meaningful reports and vulnerability assessments, and warn other employees (sometimes high-level ones, even) that there’s suspicious traffic on the network, before anyone really notices what I’m doing.
To be clear, I am not saying to go behind people’s backs! When I did this myself, several people knew I was working on it and a few of them helped me out as well. But I didn’t need to prove a business case for it yet. It was free, and the time I spent was, overall, minimal, since many of the vulnerability reports and analyses I did were off the clock in my free time anyway.

Alright, on to the guide!

This documentation goes over how to create a virtual machine using KVM on Ubuntu 14.04 LTS Server and install OSSIM in it.

Step-by-step guide

This is best done from a Linux system.
If done on a Mac, you need to first install X11/XQuartz. A VM running Ubuntu Desktop in Mac works just as well.
If done on a Windows system… I am so sorry for you. (But really, just use a Linux VM in VirtualBox or something.)
The reason for this is that we’ll be using virt-manager, a graphical tool for setting up VMs in KVM. (Trust me, it’s just easier.)
I won’t go through setting up Ubuntu Server in this guide, but if you’ve ever installed Ubuntu before, it’s not hard.
You first need to set up KVM:

  1. Log in to the hypervisor and run the following command:
# apt-get install qemu-kvm libvirt-bin bridge-utils virtinst

You may want to disable KSM (Kernel Samepage Merging), a memory saving de-duplication feature.

  • Check /etc/default/qemu-kvm for the line KSM_ENABLED=1 and change it to KSM_ENABLED=0.

Once KVM is set up, you can continue setting up the VM for OSSIM.

  1. Connect to the hypervisor.
  2. Install virt-manager:

# apt-get install virt-manager

  3. Download the ISO from AlienVault’s website. The easiest way to do this is:
    • Copy the download link from the download icon on their website.
    • Then use wget on the server (or copy the link I have below).

# wget http://downloads.alienvault.com/c/download?version=current_ossim_iso

Once virt-manager is installed and the ISO is downloaded, disconnect (Ctrl-D) and re-connect to the server using X forwarding:

# ssh -X root@server

  4. Open virt-manager (must be done as root or with sudo):

# virt-manager

  5. Create the new VM through the GUI, using the downloaded ISO.
    • Name the VM (if you have a DNS, make sure the names match).
    • Select “Local Install Media”.
    • Click “Forward”.
  6. Select “Use ISO Image” and click “Browse” to find your downloaded ISO. Select “Generic” for OS type and Version. Click “Forward”.
  7. Allocate RAM and CPU cores. Suggested specs can be found here. Click “Forward”.
  8. Allocate space for a virtual hard drive. Click “Forward”.
  9. Review the VM resource specs and click “Finish”.

Once the ISO boots, continue through the OSSIM Installer:

  1. Select the correct Language, Location, and TimeZone.
  2. Set the Root password
  3. Provide the IP address for the system
  4. Wait for the system to install

After the system is done installing, pull up a web browser and go to the IP address (https://192.168.x.x) you assigned to OSSIM.
Pretty much everything after this will be done via OSSIM’s web interface. There is an easy-to-navigate setup wizard that will get you finished and working in OSSIM.

And that’s it!

You now have OSSIM up and running on your network! If you are curious about how to really start utilizing OSSIM, AlienVault has a great resource area with webinars that can teach you how to get the most out of your new SIEM.

Questions? Comments? Leave me a note below and I’ll be happy to help (if I can!)