
ACSA

AlienVault Certified Security Analyst

About this document

ACSA (AlienVault Certified Security Analyst)

Author: Juan Manuel Lorenzo (jmlorenzo@alienvault.com)

Document Version 3.0

Last revision: 01/2011

Product version used: 3.0

Copyright Alienvault 2010


All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying,
recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and publisher.
Any trademarks referenced herein are the property of their respective holders

Target Audience

Information Security professionals

Systems administrators

Security Operators

Requirements

Previous Knowledge

Networking

Security

Basic Linux Skills (Edit files on the command line)

Technical Requirements

One computer per attendee

Internet access

AlienVault Virtual Machine

Recommendations

Have you got any problem with AlienVault?

Is there something you always wanted to know about AlienVault?

Do you have any suggestion?

Think about your environment:

Do you have a network map?

How would you integrate this device or application?

What products would suit my needs?

Do I have any compliance requirements? (PCI? ISO?)

If you have any questions, please tell us

ACSA - Contents

Introduction to AlienVault

AlienVault Web Interface

Components

User Management

Architecture

Policies

Installation

Logger

Configuration

Vulnerability Management

Network Security Tools

Security Analysis

Integrated Tools

Ticketing System

Basic Concepts

Reporting System

AlienVault

What is AlienVault?


AlienVault is a SIEM (Security Information and Event Management)

Data Aggregation

Correlation

Alerting

Dashboards

Compliance

Retention

AlienVault: Data Aggregation

Collection (performed by the Sensor)

Syslog

SCP

SQL

WMI

Other supported collection methods: SNMP, SDEE, OPSEC, Socket...

AlienVault: Data Aggregation

Normalization (performed by the Sensor)

Raw log:
12.02.2009 12:02:21 Authentication Failed for user root from X
Normalized event:
plugin_id=4003 plugin_sid=2 username=root date="1295472603" src_ip=192.168.2.2

Raw log:
Dec 02 2009 12:02:21 DROP 192.168.1.1 21.2.2.2
Normalized event:
plugin_id=4503 plugin_sid=21 date="1295472603" src_ip=192.168.1.1 dst_ip=21.2.2.2
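The normalization step above, shown as an added example that is not AlienVault's own agent code: a small regex-driven normalizer in the spirit of an AlienVault plugin .cfg. The plugin definition, its keys (regexp, plugin_id, plugin_sid and the field templates), the timestamp format and the sample log lines are all constructed for this example; real plugin files carry more keys and differ in detail.

```python
import configparser
import re
from datetime import datetime, timezone

# Constructed plugin definition modelled loosely on an AlienVault plugin .cfg
# (assumption: real plugin files carry more keys; only regexp, plugin_id,
# plugin_sid and field templates filled from named regexp groups are used).
PLUGIN_CFG = r"""
[0001 - ssh auth failed]
plugin_id=4003
plugin_sid=2
regexp=Authentication Failed for user (?P<user>\S+) from (?P<src>\S+)
username={user}
src_ip={src}

[0002 - firewall drop]
plugin_id=4503
plugin_sid=21
regexp=DROP (?P<src>[\d.]+) (?P<dst>[\d.]+)
src_ip={src}
dst_ip={dst}
"""

# Constructed raw log lines, as a Sensor would read them from a log file.
RAW_LOGS = [
    "Dec 02 2009 12:02:21 Authentication Failed for user root from 192.168.2.2",
    "Dec 02 2009 12:02:21 DROP 192.168.1.1 21.2.2.2",
    "Dec 02 2009 12:02:22 session opened for user backup",  # matches no rule
]

TIMESTAMP_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) ")
RULE_KEYS = {"plugin_id", "plugin_sid", "regexp"}


def load_rules(cfg_text):
    """Parse the plugin definition into a list of compiled rules."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    rules = []
    for section in parser.sections():
        items = dict(parser[section])
        rules.append({
            "name": section,
            "plugin_id": int(items["plugin_id"]),
            "plugin_sid": int(items["plugin_sid"]),
            "regexp": re.compile(items["regexp"]),
            # Every remaining key is a field template filled from regexp groups.
            "fields": {k: v for k, v in items.items() if k not in RULE_KEYS},
        })
    return rules


def normalize(line, rules):
    """Return the normalized event for the first matching rule, or None."""
    event = {}
    ts_match = TIMESTAMP_RE.match(line)
    if ts_match:
        # The normalized event carries the date as a Unix timestamp (UTC assumed).
        ts = datetime.strptime(ts_match.group("ts"), "%b %d %Y %H:%M:%S")
        event["date"] = str(int(ts.replace(tzinfo=timezone.utc).timestamp()))
        line = line[ts_match.end():]
    for rule in rules:
        match = rule["regexp"].search(line)
        if match is None:
            continue
        event["plugin_id"] = rule["plugin_id"]
        event["plugin_sid"] = rule["plugin_sid"]
        for field, template in rule["fields"].items():
            event[field] = template.format(**match.groupdict())
        return event
    return None


def normalize_all(lines, rules):
    """Normalize every line; lines matching no rule are dropped."""
    events = [normalize(line, rules) for line in lines]
    return [e for e in events if e is not None]


if __name__ == "__main__":
    for ev in normalize_all(RAW_LOGS, load_rules(PLUGIN_CFG)):
        print(" ".join(f"{k}={v}" for k, v in ev.items()))
```

The point to take from it is that a Data Source Connector is nothing more than a set of regular expressions plus the mapping from capture groups to normalized fields; a line that matches no rule never becomes an event, which is why a newly added log source must be tested against real samples of its output.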

AlienVault: Correlation

The Sensor sends the normalized events to the SIEM, which correlates them:

SSH Auth failed event from X to Y
SSH Auth failed event from X to Y
SSH Auth failed event from X to Y
-> Brute Force Attack?
SSH Successful Auth event from X to Y
-> Successful Brute Force Attack?
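The correlation sequence above, written out as an added example (not AlienVault's own correlation engine): a stateful rule that counts failed logins from X to Y inside a time window, raises "Brute Force Attack?" at a threshold, and escalates to "Successful Brute Force Attack?" when a successful login from the same X to the same Y follows. The plugin_id/plugin_sid pairs, the threshold, the window and the event stream are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed (plugin_id, plugin_sid) pairs standing in for the two SSH events
# (assumption: the real taxonomy ids differ).
SSH_AUTH_FAILED = (4003, 2)
SSH_AUTH_SUCCESS = (4003, 1)


class BruteForceCorrelator:
    """N failed logins from X to Y within `window` seconds raise
    "Brute Force Attack?"; a successful login from the same X to the same Y
    while that suspicion is open escalates to "Successful Brute Force Attack?"."""

    def __init__(self, threshold=3, window=60):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # (src, dst) -> failure timestamps
        self.suspected = {}                 # (src, dst) -> time the alarm fired

    def feed(self, event):
        """Process one normalized event; return the alarms it raised."""
        key = (event["src_ip"], event["dst_ip"])
        sig = (event["plugin_id"], event["plugin_sid"])
        now = event["date"]
        alarms = []
        if sig == SSH_AUTH_FAILED:
            hits = self.failures[key]
            hits.append(now)
            while hits and now - hits[0] > self.window:   # drop stale failures
                hits.popleft()
            if len(hits) >= self.threshold and key not in self.suspected:
                self.suspected[key] = now
                alarms.append(("Brute Force Attack?", key))
        elif sig == SSH_AUTH_SUCCESS:
            fired_at = self.suspected.pop(key, None)
            if fired_at is not None and now - fired_at <= self.window:
                alarms.append(("Successful Brute Force Attack?", key))
            self.failures.pop(key, None)   # a success closes the counting window
        return alarms


def correlate(events, threshold=3, window=60):
    """Run the rule over an event stream and return all alarms in order."""
    rule = BruteForceCorrelator(threshold, window)
    alarms = []
    for event in events:
        alarms.extend(rule.feed(event))
    return alarms


def _ev(sig, src, dst, ts):
    return {"plugin_id": sig[0], "plugin_sid": sig[1],
            "src_ip": src, "dst_ip": dst, "date": ts}


# Constructed event stream: three failures then a success from X to Y, plus an
# unrelated successful login from another host that must not raise anything.
EVENTS = [
    _ev(SSH_AUTH_FAILED, "10.0.0.5", "10.0.0.20", 100),
    _ev(SSH_AUTH_FAILED, "10.0.0.5", "10.0.0.20", 110),
    _ev(SSH_AUTH_SUCCESS, "10.0.0.9", "10.0.0.20", 115),
    _ev(SSH_AUTH_FAILED, "10.0.0.5", "10.0.0.20", 120),
    _ev(SSH_AUTH_SUCCESS, "10.0.0.5", "10.0.0.20", 125),
]

if __name__ == "__main__":
    for name, (src, dst) in correlate(EVENTS):
        print(f"{name} src={src} dst={dst}")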

AlienVault: Alerting

Alarm -> Automatic response

DOS Attack Against WebServer -> Send a command to the firewall to isolate the attacker

No disk space left on the SQL Server -> Open a ticket in AlienVault or in any other ticketing management system

Worm Detected on Port 80 -> Send an e-mail or an SMS to the IT Department

Policy Violation: P2P Usage -> Disable the switch port used by the host generating the P2P Traffic

AlienVault: Dashboards


AlienVault: Compliance


AlienVault: Retention

Logger (storage on SAN / NAS)

- Forensically secure storage of raw data
- Massive log storage
- Can be configured to store information on existing NAS or SAN

And What Makes AlienVault Different?

All SIEM Products: Data Aggregation, Correlation, Alerting, Dashboards, Compliance, Retention

AlienVault Unified SIEM: Data Aggregation, Correlation, Alerting, Dashboards, Compliance, Retention, plus Vulnerability Management, Situation Awareness, NIDS, HIDS, WIDS and Network Monitoring

Vulnerability Management

Comprehensive Vulnerability Management

Centralized Reports

Compliance auditing

Example findings reported by the Sensor:

The remote host is missing the DSA-1996 security update

A vulnerable SMB server is running on the remote host.

Default user and password enabled in the running service

Situation Awareness

Technology and what it provides:

Identity Monitoring: Active Directory, LDAP, Authentication Logs

Network Auto-Discovery: Topology Map, Recurrent SNMP Scans

Inventory: Active / Passive Fingerprinting

Profiling: Time-Service-Usage Profiling

Resource Monitoring and Network Monitoring: Network Availability and Host resources (SNMP / Agent / Remote Requests)

Anomaly Detection: Flows, Events / Network Profiles / Active-Passive Fingerprinting

NIDS

Network level IDS (Intrusion Detection System)

Monitor network traffic

No impact on the network

Detects: Policy Violations (Porn, P2P, IM...), Malware, Network anomalies, User activity

[Figure: network traffic from the Router and the Switch is copied to the Sensor through a Network Tap]

HIDS

Host-based IDS (Intrusion Detection System)

Monitors and analyzes the internals of a computing system

Clients for every major Operating System

Log analysis, rootkit detection, system integrity checking and Windows registry monitoring.

Example events sent to the Sensor:

Attempt to login using a non-existent user

Attempt to use mail server as relay (client host rejected).

Logon failure: Account currently disabled

WIDS

Wireless Intrusion Detection System

Monitor Wireless Networks in multiple locations

Meet PCI Wireless Compliance requirements

Wireless Network Traffic is analyzed in the AlienVault Sensor running a WIDS

Example detections:

Rogue AP

Suspicious Client

Cloaked Networks with uncloaked APs

The Market

Large Vendors: sold in combination with other products

Pure SIEM: pure Management Layer

Unified SIEM: integrates other Security Functions

AlienVault Unified SIEM

The Unification of SIEM (Management Technologies) and Security Context Technologies delivered in a single Product: AlienVault Unified SIEM

Data Abstraction

High Level: Risk (Metrics) - AlienVault SIEM

Medium Level: Incidents (Tens of Incidents) - AlienVault SIEM

Security Events - AlienVault SIEM

Low Level: Logs (Millions of Logs) - AlienVault Logger, collected by the AlienVault Sensors

SIEM
Incident
Management

Risk
Intelligence

Storage

Detection

Prevention

Awareness

IDS / IPS / WIDS

HIDS
File integrity

Identity
Vulnerability
Assessment
Threat
Assessment

Inventory
Resources

AlienVault SIEM
Correlation

Dashboards

Events aggregation

Action / Response

Reports

Forensic Storage

Alerting system

Vulnerability Management

AlienVault SIEM

Operating Systems

28

Security Devices

Applications

Network electronics

3 major components
Sensor
Event Collection
NIDS / WIDS / HIDS
Network monitoring
Vulnerability Scanning
Logger
Massive Log Storage
Legal evidence
Ensure integrity

SIEM
Correlation
Risk Assessment
Vulnerability Management
Real-time Monitoring

29

How does AlienVault work?

3 major components

Sensor
Events generated in the Network are collected by the AlienVault Sensor.
Applications running in the AlienVault Sensor generate security events
that are also collected by the AlienVault Sensor.
The AlienVault Sensor generates a normalized event that is sent to the
SIEM and to the Logger.

Logger
AlienVault Logger provides forensically-secure storage of all raw data.
This creates a court-admissible record of network activity.

SIEM
AlienVault SIEM processes all data provided by network devices and
AlienVault Sensors.
The AlienVault SIEM leverages the Network Inventory created by
AlienVault Sensors as well as external Threat Databases to cross-correlate
events, weeding out false positives and providing actionable intelligence.

SIEM Challenges and Roadblocks

Challenges

Lack of control of security and network

Risk management and compliance

Inconsistency & lack of reliability

Complexity & information overload

Inefficient use of valuable resources

Roadblocks

High vendor pricing

Convoluted licensing models

High implementation costs

Underperformance

Black box solutions with limited customization

What is / is not AlienVault?

AlienVault is:

A tool that integrates more than 30 Open Source tools

A tool that can aggregate events from both Open Source and Commercial tools

A tool that is easily adaptable (use what you need)

AlienVault is not:

A Linux distribution integrating security tools (Backtrack, WifiSlax...)

A product designed for home use

A software package (deb, rpm, exe) that can easily be installed on any operating system. (Agents can be installed to monitor every single Operating System)

What makes us different? - Technically

Detection capabilities

Using Open Source tools (No extra cost)

Can replace tools that have already been deployed

Can co-exist with tools that have already been deployed

Adaptability


Enable / Disable functionality based on customer needs

Customization

Scalability

What makes us different? - Commercially

Low cost licensing

Licensed based on EPS (Events per second)

There is no license based on the number of monitored devices

Extra value with no additional cost

WIDS

NIDS

HIDS

Vulnerability Management

Network Monitoring

Open Source vs Professional

Feature | Open Source | Professional SIEM
Support | Community | 7x24
Quality Assurance | Community | Professional Q&A
Security | Not audited | Audited
Performance | Moderate | 30 x Open Source, Assured
SIEM Intelligence | Logical Correlation, Simple Taxonomy | Cross Correlation, Rich Taxonomy
Logger | N/A | Unlimited Forensic Storage
Reports | < 25 + Jasper | > 2000 + Web Wizard
Scalability/HA | N/A | HA, Distributed, Multi-tenant, Unlimited Scale
Compliance | High Level Reports | High and Low Taxonomy-based
Updates | None | Daily rules and reports
User Management | Individual, simple controls | Templates and Granular Controls

The Company

AlienVault was founded in 2007 by the creators of OSSIM to support the OSSIM community and develop enhanced products

In 2011 AlienVault has a global presence and offers its services worldwide through an extensive network of partners.

AlienVault leads the development of AlienVault Open Source SIEM and AlienVault Professional SIEM

A little bit of history

2003: First release of OSSIM (Open Source Security Information Management)

2007: AlienVault founded to support the OSSIM community and develop enhanced products

2009: More than half of all SIEM installations worldwide

2010: Offices in Spain, Germany, UK and Mexico

2010: HQ in Silicon Valley, California

The Offices

[Map: Sales & Operations offices and Sales offices]

The products

AlienVault Unified SIEM

AlienVault Open Source SIEM

AlienVault Professional Feed

The Appliances

The services

AlienVault Services

Consulting: Dimensioning, Consultative Architecture, Performance & Scalability

Training: ACSA, ACSE, On-site Training

Support: Basic Support, Premium 8x5 Support, Premium 24x7 Support

Administration Support: Installation, Configuration, Implementation, Upgrades

References

Partners

Open Source

AlienVault Open Source SIEM is distributed under the GPL license.

AlienVault includes more than 30 well-known Open Source tools

AlienVault developed a system to connect and provide intelligence to all these components

Extra functionality - No extra cost

Open Source - Help for the recession

"Open source software and solutions have a great opportunity to survive and benefit
in this economy as they provide better returns for the companies that are looking to save
huge licensing costs and greater availability of solutions and software that can be easily
adopted."

"Open-source consumption is in for a boom, and commercial open-source start-ups
should be able to ride the wave...In this downturn, open source offers the best value for money,
and with more mature supported products, enterprises can continue to innovate while
budgets are frozen."

"In a down economy, open source has more appeal than ever, so volume will continue
to increase for open source, making the model even stronger over time."

"In these times you follow your grandparents' wisdom: Make the best of what you have. That
means maximizing utilization of existing infrastructure. I expect open source and Linux,
systems management tools, and virtualization technology, all of which allow for better
utilization rates of existing infrastructure at a low cost, to do well in this market."

"...this recession will be great for free and open source because of the shortage of cash.
Last recession saw the mainstream legitimization of open source operating systems because it
was clear and away the most cost-effective choice."

Components

Sensor

AlienVault Sensors collect and normalize the events generated by the tools and devices running in the monitored network (Data Sources).

Normalized events are sent to the AlienVault SIEM, AlienVault Logger or to both.

[Diagram: Syslog, SCP, SQL and WMI collection into the Sensor; normalized events out to the Logger and to the SIEM]

Sensor

An AlienVault deployment can have as many Sensors as needed (there is no limit on the number of deployed Sensors)

The number of Sensors is determined by the number of monitored networks and by the geographical distribution of the corporation

[Diagram: one Sensor at each location: Las Vegas Call Center, NY Headquarters, New Jersey Data Center]

Sensor: Data Source

Any Application or Device generating information subject to be collected by AlienVault is a Data Source within the AlienVault deployment. E.g.:

Security Devices: IDS, IPS, Firewall, Antivirus, Vulnerability Scanner...

Network Devices: Routers, Switches, Wireless AP...

Servers: Domain Controller, Email server, LDAP...

Applications: Web Servers, Databases, Proxy...

Operating Systems: Linux, Windows, Solaris...

Sensor: Data Source Connectors

The AlienVault Sensors can aggregate events from new sources by creating a Data Source Connector

Data Source Connectors include the information on how events are stored and formatted, and regular expressions that help the Sensor understand how the information should be collected and normalized

Sensor

The AlienVault Sensor can aggregate events using multiple collection methods

Collection Methods: Syslog, WMI, SQL, SDEE, Socket, SNMP, Samba, SCP, FTP, Custom DS Connectors

Processing in the Sensor: Normalization, Filtering, Classification

Output: Logger, SIEM

Sensor

The AlienVault Sensor includes detection functionality built on well-known Open Source Software

The AlienVault Data Sources can co-exist with the Data Sources that have already been deployed on the monitored network

In some scenarios these Data Sources can replace commercial software that was used in the monitored network

Sensor

To benefit from the detection capabilities of the AlienVault Sensor, networking on the Sensor must be configured to:

Have access to the network that is being monitored:

Event collection (Syslog, FTP, SCP, Samba, WMI...)

Vulnerability Scanning

Availability Monitoring...

Collect all traffic of the monitored network, configuring or using:

Port mirroring or port span

HUB

Network Tap

Logger

The Logger component stores events in raw format in the file system.

Events are digitally signed and stored en masse, ensuring their admissibility as evidence in a court of law.

The Logger component allows storage of an unlimited number of events for forensic purposes.

For this purpose the Logger is usually configured so that events are stored in a NAS / SAN network storage system.
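The tamper-evident storage described above, as an added example that is not the Logger's own code: a keyed hash chain over batches of raw lines, so that an edited, removed or reordered batch is caught at verification time. The page says events are digitally signed; this example uses an HMAC-SHA256 chain as a stand-in for whatever signature scheme the Logger actually uses (an assumption), and the key and the log batches are constructed.

```python
import copy
import hashlib
import hmac

# Constructed secret and raw log batches (the Logger writes raw lines en masse).
SIGNING_KEY = b"constructed-logger-key-for-illustration"
BATCHES = [
    ["Dec 02 2009 12:02:21 sshd: Authentication Failed for user root from 192.168.2.2",
     "Dec 02 2009 12:02:21 fw: DROP 192.168.1.1 21.2.2.2"],
    ["Dec 02 2009 12:03:05 sshd: Accepted password for root from 192.168.2.2"],
    ["Dec 02 2009 12:04:40 cron: session opened for user backup"],
]


def batch_digest(lines, key, prev_digest):
    """HMAC over the previous batch's digest plus every line of this batch.
    Chaining on prev_digest is what makes removal or reordering of a whole
    batch detectable, not only edits inside one."""
    mac = hmac.new(key, prev_digest.encode(), hashlib.sha256)
    for line in lines:
        mac.update(line.encode("utf-8") + b"\n")
    return mac.hexdigest()


def store(batches, key):
    """Return the stored records: each batch together with its chained digest."""
    records, prev = [], ""
    for lines in batches:
        digest = batch_digest(lines, key, prev)
        records.append({"lines": list(lines), "digest": digest})
        prev = digest
    return records


def verify(records, key):
    """Return the index of the first batch whose digest does not verify,
    or -1 if the whole chain is intact."""
    prev = ""
    for index, record in enumerate(records):
        expected = batch_digest(record["lines"], key, prev)
        if not hmac.compare_digest(expected, record["digest"]):
            return index
        prev = record["digest"]
    return -1


def tampered_copy(records, index, new_line):
    """Helper for the demonstration: alter one line inside a stored batch."""
    altered = copy.deepcopy(records)
    altered[index]["lines"][0] = new_line
    return altered


if __name__ == "__main__":
    stored = store(BATCHES, SIGNING_KEY)
    print("intact chain ->", verify(stored, SIGNING_KEY))
    edited = tampered_copy(stored, 1, "Dec 02 2009 12:03:05 sshd: Connection closed")
    print("edited batch ->", verify(edited, SIGNING_KEY))
    del stored[1]
    print("batch removed ->", verify(stored, SIGNING_KEY))
```

Whatever the real signing mechanism, the operational lesson is the same: the verification key must not live on the same box as the writer, or an intruder who can alter the raw files can also re-sign them.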

SIEM

The SIEM component provides the system with Security Intelligence and Data Mining capacities, featuring:

Risk assessment

Correlation

Risk metrics

Vulnerability scanning

Data mining for events

Real-time monitoring

AlienVault SIEM uses a SQL database and stores information normalized, allowing strong analysis and data mining capacities.

SIEM

Events processing on the SIEM

EVENTS -> Collection -> Policy -> Risk Assessment -> Correlation -> SQL Storage
(new events generated during correlation are fed back in as events)

SIEM collects events sent by the Sensors or by other SIEM or Logger

Policies configure how the SIEM will process the events (to create exceptions)

A Risk value (0-10) is calculated for every event

Events are correlated (Logical correlation, Cross Correlation and Inventory Correlation)

New events generated during correlation

Events are stored in the Database

Database

The AlienVault database runs on a MySQL server

SIEM Events, configurations, and inventory are stored in the Database

The Database is a required component in any AlienVault deployment, even if only the Logger is being used

Web interface

The AlienVault Web Interface provides access to:

Inventory Management

Configuration

Reports and metrics

Real time monitoring

Forensic Analysis

Vulnerability scanning

Architecture

AlienVault Architecture

[Diagram: Operating Systems, Security Devices, Applications and Network electronics send events to the Sensor; the Sensor forwards normalized events to the Logger (Disk Storage) and to the SIEM (SQL Database); the Web Interface reads from both]

AlienVault Deployment: Scenario

[Diagram: the customer's devices and servers send logs to three Sensors (SENSOR 1, SENSOR 2, SENSOR 3) using SQL, SYSLOG, SNARE, SDEE, OPSEC, SAMBA, SCP, FTP, WMI and SNMP (log collection), while the switches feed the Sensors through port mirroring]

[Diagram: Vulnerability Scanning & Availability Monitoring run from SENSOR 1, SENSOR 2 and SENSOR 3]

AlienVault Deployment

[Diagram: the same three Sensors collect logs (SDEE, FTP, WMI, SYSLOG, OPSEC, SQL, SAMBA, SNARE, SCP, SNMP) and mirrored traffic, and forward normalized events over the AlienVault internal communications]

Simple Deployment

A single Customer

A single location

Small amount of events to be collected

Small number of networks to be monitored (Events collection, Availability Monitoring, Vulnerability Scanning...)

Low network throughput to be analyzed

[Diagram: at the Customer Premises a single Sensor receives network traffic from Network 1, Network 2 and Network 3 and sends events to a box running the SIEM, Logger, SQL Database and Web Interface]

Simple Deployment II

A single Customer

Multiple locations

AlienVault Sensors reduce the data transferred between the different locations:

Events are filtered

Vulnerability and Availability Scans are done from multiple locations (Each Sensor scans the closest networks)

[Diagram: the Headquarters runs the SIEM, Logger, SQL Database, Web Interface and a Sensor; Office 1, Office 2 and Office 3 each run a Sensor that sends events to the Headquarters]

Complex Deployment

Multiple Customers

Multiple Locations

Some Customers have multiple Sensors

Some Customers have their own Logger (E.g.: Compliance Requirements)

Some Customers have a fully operational AlienVault Deployment

Correlation and Storage at different levels

[Diagram: the Services Provider runs its own Web Interface, SIEM, SQL Database and Logger; Customer 1, Customer 2 and Customer 3 run Sensors, some with their own Logger and one with a full deployment (SIEM, SQL Database, Web Interface), all forwarding to the Services Provider]

National Deployment

Some locations can have multiple Sensors, with or without a Logger or SIEM, that can be used to consolidate at State Level or to provide Storage or Correlation at multiple levels

All Sensors send events to the Logger deployed in California

Some locations can have a fully functional AlienVault deployment, with SIEM, Logger, Database and Web interface, although the Logger in Texas will also forward events to California

World Deployment

Sensors in the USA send events to the Logger in the USA. There is a fully functional AlienVault deployment in the USA.

Sensors deployed worldwide send their events to the main Logger in India. The US and Brazil have their own SIEM and Logger, so it is possible to configure correlation at two levels as well as to create forwarding policies to decide what kind of information is forwarded to India.

Sensors in Brazil send events to the Logger in Brazil. There is a SIEM, Logger and Database in Brazil. The Logger and SIEM deployed in Brazil could also be used to consolidate events from some other countries (Argentina, Chile...)

Sensor

At least one Sensor in each AlienVault Deployment

As many Sensors as required

Usually one Sensor in each Customer Location

A Sensor can monitor multiple networks within the same location

AlienVault Sensors can send events to Logger and SIEM

AlienVault Sensors can be configured to send events to more than one SIEM or Logger

Logger

There must be at least a Logger or a SIEM in each functional deployment

The Logger can send events to another SIEM or Logger

The Logger stores raw data on disk and it can be configured to use a NAS or SAN storage system

As many Loggers as required:

Performance

Requirements to store information securely in more than one location

The Logger collects events sent by the AlienVault Sensors or by another Logger or SIEM

SIEM

There must be at least a Logger or a SIEM in each functional deployment

The SIEM can send events to another SIEM or Logger

The SIEM stores information in an SQL Database (Database Component)

As many SIEMs as required:

Performance

Multiple correlation levels

The SIEM collects events sent by the AlienVault Sensors or by another Logger or SIEM

Database

There must be at least a Database in each deployment

If multiple SIEM components have been deployed, these SIEMs may use multiple Databases

SIEM, Logger and the Web Interface will access the information stored in the Database

Some Custom Data Sources may also require access to the Database

Web Interface

There must be at least a Web Interface in each functional deployment

If there are multiple storage points in the deployment (SIEM and/or Logger), multiple Web Interfaces may also be deployed

A single Web Interface can show information stored in multiple Databases and in multiple Loggers

Installation

Hardware recommendations

For a production system:

At least 4GB RAM

64-bit Processor

Dual Core Processor

Depending on the amount of traffic being monitored and the amount of data captured, RAM has to be increased, always avoiding SWAP memory usage.

If we don't have the appropriate hardware:

"Divide et vinces"

Network Requirements: Sensor

Port mirroring/Port Span/Network tap, avoiding:

Duplicated traffic: May happen if we get the same traffic redirected from two different port mirroring devices on the network

Non-analyzable traffic: It makes little sense to configure a port mirror on a network segment where all the traffic will traverse a VPN or be otherwise encrypted

Enough IP addresses and interfaces have to be reserved for:

AlienVault Inter-component communication

Sensor network access to targeted networks (OpenVAS, Nmap, Nagios, WMI, SCP require network access)

Providing an IP address for external devices to send data to (Syslog, FTP, Samba, Snare, OSSEC)

Network Requirement: Sensor

Most problems when configuring AlienVault happen with the Sensor profiles:

First case: the red line represents a port mirroring that's been set up on a switch for the Sensor profile and its applications (Ntop, Snort, Pads, P0f and Arpwatch) to passively analyze traffic.

Network Requirement: Sensor

This second case represents a sensor profile where only log collection and analysis will be performed, without listening to any traffic. No listening application should be running on this system since there is no configured port mirroring.

This third case requires both an IP address as well as a passively listening interface, since our sensor profile will be both capturing traffic from a port mirror and collecting logs.

Recommendations

Always use the latest installation image

If you need performance you can't use just any hardware

Use only what you need (Disable unused Data Sources)

If you install your system in English you'll have an easier time finding help

For network traffic analysis ensure your NIC supports the e1000 driver.

Whenever possible set up a separate machine for the Database profile

Recommendations II

It makes little sense to enable the listening applications (Snort, Ntop, Arpwatch) if we don't have a port mirror set up.

64 Bits greatly improves performance

The best network cards should always be used for the listening interfaces (promiscuous mode)

The not-so-good network cards can be used for administration or collection (Syslog, OpenVAS, Nagios)

Check List


Check List for an AlienVault Installation

Rack Space

Power

Network Configuration

Port mirroring

IP addresses

Professional Key

Internet Access (Required when installing the professional version)

Installation Profiles

Depending on the role of the new host within the AlienVault deployment it is possible to configure the profile in use. This can be configured during the installation process or after installation. By default the Automated Installation will enable all profiles in the same box.

Installation Profile: Sensor

The Sensor Profile will enable the Sensor functionality of AlienVault.

The following AlienVault Data Sources are enabled by default:

Snort (Network Intrusion Detection System)

Ntop (Network and usage Monitor)

OpenVAS (Vulnerability Scanning)

P0f (Passive operating system detection)

Pads (Passive Asset Detection System)

Arpwatch (Ethernet/IP address pairings monitor)

OSSEC (Host Intrusion Detection System)

Nagios (Availability Monitoring)

OCS (Inventory)

Installation Profile: Server

This installation profile combines the SIEM and Logger components. The Sensors will connect to the AlienVault Server to send the normalized events.

Simple deployments will include a single Server. More complex deployments could have more than one Server with different roles, or in case it is required to deploy the AlienVault Server in high availability.

The Server installation profile also comes with a Sensor with limited functionality to monitor the Server itself.

Installation Profile: Database

The Database profile will enable a MySQL database to store configuration and events (if the SIEM functionality is in use). At least one Database is required in each deployment.

Even if only the Logger profile is enabled (and not the SIEM), a database will be required to store the inventory information and the configuration parameters.

Installation Profile: Web Interface


The Web Interface profile will install and configure the Web
Management interface component. A single Web Management
interface will be deployed on every AlienVault installation. More
complex deployments with multiple AlienVault Servers may have
more than one box with the Web Interface profile enabled.

The AlienVault Web Interface is the installation profile that will use
the lowest amount of memory and CPU. For this reason, the Web
Interface is usually installed with the Server profile.

Installation Profile: All-in-one

The All-in-one profile will enable all profiles in a single box. This is the default installation profile and it will be enabled if the user does an automated installation.

Installation Overview

Automated Installation

1. Boot the installation system
2. Configure networking
3. Create and mount the partitions on which AlienVault will be installed
4. Watch the automatic download/install/setup/update of the base system.
5. Set up users and passwords
6. Load the newly installed system for the first time

Custom Installation

1. Boot the installation system
2. Select the installation language
3. Configure keyboard
4. Configure location
5. Select the AlienVault profiles for this installation
6. Configure networking
7. Create and mount the partitions on which AlienVault will be installed
8. Enter the professional license
9. Watch the automatic download/install/setup/update of the base system.
10. Set up users and passwords

Configuration


Basic System Configuration

Changing the keyboard layout

To change the keyboard layout simply type this command:

# dpkg-reconfigure console-data

Setting the Current System Date and Time

To display the current system time, enter the date command:

# date

To set the current system time, use the following form of the date command:

# date MMDDhhmm[CC]YY[.ss]

Basic System Configuration

Set the date and time via NTP

To set the date using an NTP server type the following command in the terminal:

# ntpdate pool.ntp.org

pool.ntp.org can be replaced by the NTP server in your corporation or by any other NTP server in the Internet.

Changing the time zone

To change the timezone just type this command:

# dpkg-reconfigure tzdata

AlienVault Basic Configuration

The centralized configuration is stored in the following file:

/etc/ossim/ossim_setup.conf

You can edit this file using any text editor (vim, nano, pico).

Inexperienced users should use the following command to edit this file:

# alienvault-setup

To apply the centralized configuration to every configuration file you will have to run the following command:

# alienvault-reconfig

AlienVault Basic Configuration

Enable / Disable Plugins (Data Sources)

To select the enabled Plugins (Data Sources) type the following command:

# alienvault-setup

Then select the option Change Sensor Settings, and then Enable/Disable detector plugins. You will get a list of enabled and disabled plugins; just press space when over the name of the plugin to enable or disable that plugin. To apply changes select Save & Exit in the main menu.

AlienVault Basic Configuration

Configure Plugins (Data Sources)

Once the plugin has been enabled you may need to configure some plugins. Plugin configuration files are stored in the directory /etc/ossim/agent/plugins. There you will find a .cfg file for each plugin.

You may need to edit the location parameter to point the AlienVault collector to the file in which the logs of that application are being stored. If you modify the configuration file of one of your plugins, type the following command to restart the OSSIM Agent:

# /etc/init.d/ossim-agent restart

AlienVault Basic Configuration

Configure listening interfaces

The alienvault-setup script allows configuring the network interfaces in promiscuous mode. All the AlienVault detectors that require analyzing all network traffic will be configured to work on these network cards (Snort, Ntop, Fprobe, Pads...).

Select only those interfaces that are connected to a mirrored port, or to a network tap, as these applications will be useless if they are not analyzing all traffic in the network.

To select the listening interfaces type the following command:

# alienvault-setup

and then choose Change Sensor Settings and then Select interfaces in promiscuous mode, then select Save & Exit to apply changes.

Files regenerated by alienvault-reconfig from /etc/ossim/ossim_setup.conf:

/etc/network/interfaces
/etc/snort*
/etc/default/ntop
/etc/default/fprobe
/etc/rsyslog.conf
/etc/ossim/agent/config.cfg
/etc/ossim/server/config.xml
/etc/ossim/framework.conf
/etc/mysql/my.cnf
/etc/logrotate*
.....

VPN Configuration

When performing a custom installation on different machines, the installer will automatically configure a VPN Network to encrypt communication between the different AlienVault components. This feature has been implemented using OpenVPN.

The VPN Server will be configured in the machine running the Server Profile. If we want to include another AlienVault component in the VPN we have to run this command in the machine running the Server Profile. We will use in the following examples the IP address 192.168.0.200, as if it were a box running the Collector profile:

# alienvault-reconfig --add_vpnnode 192.168.0.200

This command will generate a compressed file containing all required files to configure the VPN network in the AlienVault component we want to put inside the VPN network. This file will be stored in the following directory:

/etc/openvpn/nodes/

Network Configuration

Setting the hostname

To change the hostname, simply modify the value of the parameter hostname in /etc/ossim/ossim_setup.conf and run the command:

# alienvault-reconfig

Setting up DNS

You can add hostnames and IP addresses to the file /etc/hosts for static lookups. To cause your machine to consult a particular server for name lookups you simply add its address to /etc/resolv.conf.

For example, a machine which should perform lookups from the DNS server at IP address 192.168.1.200 would have a resolv.conf file looking like this:

search my.domain
nameserver 192.168.1.200

Network Configuration

Setting up the IP address

The IP addresses associated with any network cards you might have
are read from the file /etc/network/interfaces. This file has
documentation you can read with:

# man interfaces

A sample entry for a machine with a static address (eth0) would look
like this:

allow-hotplug eth0
iface eth0 inet static
address 192.168.1.133
netmask 255.255.0.0
network 192.168.0.0
broadcast 192.168.255.255
gateway 192.168.1.1
dns-nameservers 192.168.1.100

If you make changes to this file you can cause them to take effect by
running:

# /etc/init.d/networking restart

Network Configuration

Setting up a network card in promiscuous mode

If a network card is going to be used to analyze all traffic in the network, it
should not have an assigned IP address. This will improve
considerably the performance of the network card. To do this you will
have to include a new entry in the file /etc/network/interfaces:

up ifconfig eth0 0.0.0.0 promisc -arp

Network Configuration

Setting the default Gateway

The default route for a host with a static IP address can be set in
/etc/network/interfaces.

If you wish to view your current default route/gateway then you
can run:

# netstat -nr

To change your default route you must first remove the current
one:

# /sbin/route del default gw 192.168.0.1

Network Configuration

In case you change the management IP address of one of your AlienVault boxes you have to do
the following to make sure that all components using the old IP address are now using the new
one.

To do that, once you have modified /etc/network/interfaces and restarted networking you
will need to edit the file /etc/ossim_setup.conf

In this file you could just do a search (Old IP Address) and replace (New IP Address) or take a
look at the following parameters:

admin_ip: Management IP (SSH and Web access)

db_ip: IP address of the host running the Database Profile

framework_ip: IP address of the host running the Web Management Interface

server_ip: IP address of the host running the Server Profile

Once you have set the correct IP addresses you can generate all configuration files by running:

# alienvault-reconfig
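As an added example (not AlienVault's own tooling), the following Python script rewrites only the four parameters listed above, rather than doing a blanket search and replace over the whole file, and keeps a backup copy before writing. The key=value layout under a section header and the sample file content are assumptions made for this example; the four key names are the ones the slide lists.

```python
import re
from pathlib import Path

# Constructed sample of the setup file. The key=value layout under a section
# header is an assumption; the four *_ip key names are the ones the slide
# lists. The real file carries many more parameters.
SAMPLE_SETUP_CONF = """\
[general]
admin_ip=192.168.0.200
db_ip=192.168.0.200
framework_ip=192.168.0.200
server_ip=192.168.0.200
hostname=alienvault
"""

IP_KEYS = ("admin_ip", "db_ip", "framework_ip", "server_ip")


def rewrite_management_ip(text, old_ip, new_ip, keys=IP_KEYS):
    """Replace old_ip with new_ip only in the values of the given keys.

    Returns (new_text, list_of_changed_keys). A blanket search-and-replace
    could also rewrite unrelated values that merely contain the old address
    (a network definition, a comment, a longer value that starts with it),
    so the change is scoped to the whole value of known keys.
    """
    key_alt = "|".join(re.escape(k) for k in keys)
    pattern = re.compile(r"^([ \t]*(%s)[ \t]*=[ \t]*)(\S+)([ \t]*)$" % key_alt, re.M)
    changed = []

    def substitute(match):
        if match.group(3) != old_ip:
            return match.group(0)          # some other address: leave it alone
        changed.append(match.group(2))
        return match.group(1) + new_ip + match.group(4)

    return pattern.sub(substitute, text), changed


def update_setup_file(path, old_ip, new_ip):
    """Apply the rewrite to a file on disk, keeping a .bak copy of the original."""
    conf = Path(path)
    original = conf.read_text()
    updated, changed = rewrite_management_ip(original, old_ip, new_ip)
    if changed:
        Path(str(conf) + ".bak").write_text(original)
        conf.write_text(updated)
    return changed


if __name__ == "__main__":
    new_text, touched = rewrite_management_ip(SAMPLE_SETUP_CONF, "192.168.0.200", "192.168.0.210")
    print("rewritten keys:", ", ".join(touched))
    print(new_text)
```

After running update_setup_file on the real file, alienvault-reconfig still has to be executed as the slide says, since the script only edits the setup file and not the generated configuration.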

Rename network interfaces

# apt-get install ifrename

List the MAC address of each interface (network cards with more than one
interface usually have consecutive MAC addresses):

# ifconfig -a | grep HWaddr

Edit the file /etc/iftab

Insert a line for each network interface with the following format:

eth0 mac 00:17:31:56:BC:2D
eth1 mac 00:16:3E:2F:0E:9C

AlienVault Local Firewall

AlienVault configures a firewall during the installation process. If
you want to disable or enable the firewall you can do that by
typing:

# alienvault-setup

Select Change General Settings and then select Configure
Firewall. Then, in the main menu select Save & Exit.

If you want to add exceptions to that firewall write your own rules
(iptables firewall rules) in the following file:

/etc/ossim/firewall_include

and execute:

# alienvault-reconfig

Network Security Tools

Basic Tools

Ping: Check the connection status with a remote host or Gateway

Telnet: Communicate with another host using the TELNET protocol.

Dig: Query a DNS server.

Traceroute: Prints the route packets take to a network host.

Whois: Looks up records in the databases maintained by several
Network Information Centers (NICs).

Netstat: The Netstat command symbolically displays the contents
of various network-related data structures.

Nslookup: Check whether a DNS server is resolving the
hostnames correctly or not.

Tcpdump

Tcpdump is a common packet analyzer that runs under the
command line. It allows the user to intercept and display TCP/IP
and other packets being transmitted or received over a network to
which the computer is attached.

See the list of interfaces on which tcpdump can listen:

# tcpdump -D

Listen on interface eth0:

# tcpdump -i eth0

Listen on any available interface:

# tcpdump -i any

Tcpdump (Usage Examples)

Display traffic from/to host 192.168.1.1:

# tcpdump host 192.168.1.1

Display traffic on port 22:

# tcpdump port 22

Display all TCP traffic except port 80:

# tcpdump tcp and not port 80

Capture any packets where the destination host is 192.168.1.1. Display IP addresses and
port numbers:

# tcpdump -n dst host 192.168.1.1

Capture any packets where the source host is 192.168.1.1. Display IP addresses and port
numbers:

# tcpdump -n src host 192.168.1.1

Tcpdump (Usage Examples II)

Capture any packets where the destination network is 192.168.1.0/24. Display IP
addresses and port numbers:

# tcpdump -n dst net 192.168.1.0/24

Capture any packets where the source or destination network is 192.168.1.0/24. Display IP
addresses and port numbers:

# tcpdump -n net 192.168.1.0/24

Capture any packets where the destination port is 23. Display IP addresses and port
numbers:

# tcpdump -n dst port 23

Capture any packets where the destination port is between 1 and 1023 inclusive. Display
IP addresses and port numbers:

# tcpdump -n dst portrange 1-1023

Tcpdump (Usage Examples III)

Capture any packets with destination IP 192.168.1.1 and destination port 23. Display IP
addresses and port numbers:

# tcpdump -n "dst host 192.168.1.1 and dst port 23"

Capture any packets with destination IP 192.168.1.1 and destination port 80 or 443.
Display IP addresses and port numbers:

# tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)"

Capture only TCP packets where the destination port is between 1 and 1023 inclusive.
Display IP addresses and port numbers:

# tcpdump -n tcp dst portrange 1-1023

Capture either ICMP or ARP packets:

# tcpdump -v "icmp or arp"

Capture any packets that are broadcast or multicast:

# tcpdump -n "broadcast or multicast"

Tcpreplay

Tcpreplay is a tool for replaying network traffic from files saved with
tcpdump or other tools which write pcap files (Ngrep, WireShark,
Tshark...)

The basic operation of tcpreplay is to resend all packets from the
input file(s) at the speed at which they were recorded, or a
specified data rate, up to as fast as the hardware is capable.

Tcpreplay provides the ability to classify traffic as client or server,
edit packets at layers 2-4 and replay the traffic at arbitrary speeds
onto a network for sniffing or through a device.

Tcpreplay (Usage Examples)

Basic Usage: Replay the sample.pcap file (send traffic out of interface eth0):

# tcpreplay -i eth0 sample.pcap

To replay traffic as quickly as possible:

# tcpreplay --topspeed -i eth0 sample.pcap

To replay traffic at half-speed:

# tcpreplay --multiplier=0.5 --intf1=eth0 sample.pcap

To replay at 25 packets per second:

# tcpreplay --pps=25 -i eth0 sample.pcap

To replay the sample.pcap file 10 times:

# tcpreplay --loop=10 -i eth0 sample.pcap

Tcpreplay (Usage Examples II)

Capturing packets using Tcpdump

The default tcpdump parameters result in a capture file where
each packet is truncated. To ensure that you capture complete
packets, use the following command:

# tcpdump -i <interface> -s 65535 -w <some-file>

Capture all traffic on port 53 (interface eth0):

# tcpdump -i eth0 -s 65535 port 53 -w sample.cap

Download packet captures (PCAP):

http://www.pcapr.net/

https://www.evilfingers.com/repository/pcaps.php

http://sourceforge.net/projects/networkminer/

Ngrep

Ngrep strives to provide most of GNU grep's common features,
applying them to the network layer.

Ngrep is a pcap-aware tool (Wireshark, Tcpdump...)

Ngrep allows you to specify extended regular expressions to
match against data payloads of packets.

Ngrep uses the same filtering syntax as Tcpdump

Ngrep (Usage Examples)

Monitor all activity crossing source or destination port 25 (SMTP), on any interface:

# ngrep -d any port 25

Monitor FTP activity searching for user|pass:

# ngrep -wi -d any 'user|pass' port 21

Monitor syslog events searching for errors:

# ngrep -d any 'error' port syslog

Monitor all outgoing web requests from machine 12.13.14.15 (interface eth0):

# ngrep -d eth0 -q -t '^(GET|POST) ' 'src host 12.13.14.15 and tcp and dst port 80'

Determine the client application that a client host is running:

# ngrep -q 'user-agent' tcp port 80

IPTraf

IPTraf is a console-based network statistics utility

It gathers a variety of figures such as TCP connection packet and
byte counts, interface statistics and activity indicators, TCP/UDP
traffic breakdowns, and LAN station packet and byte counts.

Usage:

# iptraf

Wireshark

Wireshark is a GUI network protocol analyzer. It lets you
interactively browse packet data from a live network or from a
previously saved capture file.

Wireshark is a pcap-aware tool

Wireshark is very similar to tcpdump, but has a graphical frontend, and many more information sorting and filtering options

Etherape

EtherApe is a packet sniffer/network traffic monitoring tool
developed for Unix.

Network traffic is displayed using a graphical interface. Each node
represents a specific host.

Links represent connections to hosts. Nodes and links are color
coded to represent different protocols forming the various types of
traffic on the network. Individual nodes and their connecting links
grow and shrink in size with increases and decreases in network
traffic.

Tshark

TShark is a network protocol analyzer. It lets you capture packet
data from a live network, or read packets from a previously saved
capture file, either printing a decoded form of those packets to the
standard output or writing the packets to a file.

TShark's native capture file format is libpcap format (Tcpdump,
Tcpreplay, Ngrep, Wireshark...).

Tshark (Usage Examples)

Display the source port of all tcp packets in the file /tmp/capture.cap:

# tshark -z "proto,colinfo,tcp.srcport,tcp.srcport" -r /tmp/capture.cap

Display the network packets of an IP address in the file /tmp/capture.cap:

# tshark -R "ip.addr == 192.168.0.1" -r /tmp/capture.cap

Display http response codes:

# tshark -o "tcp.desegment_tcp_streams:TRUE" -i eth0 -R "http.response" -T fields -e http.response.code

Display MySQL queries sent to a MySQL Server:

# tshark -i any -T fields -R mysql.query -e mysql.query

Ethtool / mii-tool

Ethtool

Ethtool displays or changes ethernet card settings (Link,
Negotiation info, Statistics...)

Usage (# ethtool <interface>):

# ethtool eth0

Mii-tool

Mii-tool checks or sets the status of a network interface

Usage:

# mii-tool

Dsniff

Dsniff automatically detects and minimally parses each
application protocol, only saving the interesting bits, and uses
Berkeley DB as its output file format, only logging unique
authentication attempts.

tcpkill: Kills specified in-progress TCP connections

urlsnarf: Outputs all requested URLs sniffed from HTTP
traffic

msgsnarf: Records selected messages from AOL Instant
Messenger, ICQ 2000, IRC, MSN Messenger, or Yahoo
Messenger chat sessions.

filesnarf: Saves files sniffed from NFS traffic in the current
working directory.

Nmap

Nmap is a tool for network exploration and security auditing.

Basic IP scan:

# nmap 172.18.1.1

IP scan with OS and service detection:

# nmap -O -sV 172.18.1.1

Network scan:

# nmap 172.18.1.*

# nmap 172.18.1.0/16

Scan port 22 of every host in the network:

# nmap -p22 192.168.1.0/16

Find unused IPs on a given subnet:

# nmap -T4 -sP 192.168.2.0/24 && egrep "00:00:00:00:00:00" /proc/net/arp

Honeypots

A honeypot is a trap set to detect, deflect, or in some manner
counteract attempts at unauthorized use of information systems.

A honeypot consists of a computer, data, or a network site that
appears to be part of a network, but is actually isolated and
monitored, and which seems to contain information or a resource
of value to attackers.

Activity a honeypot can collect:

Spam

Malware

Port Scans

Shellcodes

Vulnerability Scan

Honeypots

mwcollect

Mwcollect is a versatile malware collection daemon, uniting the
best features of nepenthes and honeytrap licensed under the
LGPL.

http://www.mwcollect.org

Dionaea

Dionaea is a malware collection honeypot focusing primarily on
SMB emulation. Dionaea uses Python as scripting language,
using libemu to detect shellcodes, supporting ipv6 and tls

http://www.mwcollect.org

Honeypots

Amun

Amun is a low-interaction honeypot designed to capture
autonomous spreading malware in an automated fashion.
Amun is written in Python and therefore allows easy integration
of new features.

http://amunhoney.sf.net

Omnivora

Omnivora is a low-interaction honeypot for systems running
Windows operating systems and is implemented using Borland
Delphi.

http://www.ohloh.net/p/omnivora

Websites - Security

http://www.shadowserver.org
Malware, Botnet activity, electronic fraud...

http://isc.sans.edu
Analysis and warning service against malicious attackers

http://www.osvdb.org
Open Source Vulnerability Database

http://www.securityfocus.org
Discussion on computer security related topics

http://www.exploit-db.com
Archive of exploits and vulnerable software.

Websites - Malware

Malware samples

http://www.malwareurl.com

http://www.malwaredomainlist.com

WARNING: These sites contain samples of live malware. Use at your own risk.

Malware Analysis

http://www.virustotal.com

http://www.threatexpert.com

http://www.offensivecomputing.net

Backtrack

BackTrack is a Linux-based penetration testing arsenal that aids
security professionals in the ability to perform assessments in a
purely native environment dedicated to hacking.

http://www.backtrack-linux.org/

Metasploit

The Metasploit Framework is the open source penetration testing
framework with the world's largest database of public, tested
exploits.

Metasploit is part of the software included in BackTrack

http://www.metasploit.com

Metasploitable

Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5
image. A number of vulnerable packages are included, including
an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki,
twiki, and an older mysql.

http://blog.metasploit.com/2010/05/introducing-metasploitable.html

http://www.metasploit.com/documents/express/Metasploitable.zip.torrent

Integrated Tools

Tools Classification

Tools integrated in AlienVault can be classified into two categories
according to the behavior of these tools within the network being
monitored.

Active: They generate traffic within the Network that is being
monitored.

Passive: They analyze network traffic without generating any traffic
within the monitored network.

The passive tools require a port mirroring/port span configured in the network
equipment to be able to analyze all traffic of the monitored network/s.

Snort

NIDS
PASSIVE TOOL

Snort is a free and open source network intrusion prevention
system (NIPS) and network intrusion detection system (NIDS).

http://www.snort.org

Snort generates security events when analyzing the network traffic

Snort combines signature, protocol, and anomaly-based
inspection

Utility within AlienVault:

Port scans

Worms

Malware

Policy violations (P2P, IM, Porn, Games...)

Snort

PASSIVE TOOL
NIDS

Policy violations

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Megaupload file download service access"; flow:to_server,established; content:"GET "; depth: 4; uricontent:"/?d="; content:"|0d 0a|Host\: "; content:"megaupload.com"; within:25; nocase; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009301; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Download_Services; sid:2009301; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Porn-Sports-Gambling site designed to bypass restrictions"; flow:to_server,established; content:"Host\:"; nocase; pcre:"/Host\:[^\n]+\.(bodog|bodogbeat|bodognation|bodogmusic|bodogconference|bodogpokerchampionships)\.com/i"; reference:url,www.bodog.com; classtype:policy-violation; reference:url,doc.emergingthreats.net/2003100; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_bodog.com; sid:2003100; rev:4;)

Malware

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus (IAInstall.exe)"; flow:established,to_server; uricontent:"/download/IAInstall.exe"; nocase; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; reference:url,doc.emergingthreats.net/2010447; sid:2010447; rev:2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: (msg:"ET MALWARE 404 Response with an EXE Attached - Likely Malware Drop"; flow:established,from_server; content:"HTTP/1.1 404 Not Found|0d 0a|"; depth:24; content:"|0d 0a 0d 0a|MZ"; distance:0; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2009028; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_404_EXE; sid:2009028; rev:2;)

Snort

PASSIVE TOOL
NIDS

Virus and Trojans

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET VIRUS Bugbear@MM virus via SMTP"; flow: established; content:"uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQk/xWcEQmDxCTD"; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001764; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_BugBear; sid: 2001764; rev:6;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM UPX encrypted file download - possible worm"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"|00|code|00|"; content:"|00 C0|text|00|"; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001047; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/WORM_Suspicious_Extensions; sid: 2001047; rev:6;)

Scans

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET SCAN Unusually Fast 403 Error Messages, Possible Web Application Scan"; flow:from_server,established; content:"HTTP/1.1 403"; depth:13; threshold: type threshold, track by_dst, count 35, seconds 60; classtype:attempted-recon; reference:url,www.checkupdown.com/status/E403.html; reference:url,doc.emergingthreats.net/2009749; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_403; sid:2009749; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"ET SCAN Rapid POP3 Connections - Possible Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 10, seconds 120; classtype: misc-activity; reference:url,doc.emergingthreats.net/2002992; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_General_Services; sid: 2002992; rev:5;)
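The rules on these two slides follow the standard Snort rule grammar: a header (action, protocol, source, source port, direction, destination, destination port) followed by a parenthesized, semicolon-separated option list. As an added example, not code from AlienVault or Emerging Threats, the Python parser below splits three of those rules into header fields and options, which is the first step when mapping a ruleset's sid, msg and classtype onto the plugin_sid entries of a Data Source connector. The three rules are quoted from the slides; the parser itself and its helper names are constructed for this example.

```python
import re

# Three rules quoted from the slides above. Each is a single line in a real
# rules file; they are split over string literals here only for width.
SAMPLE_RULES = [
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Megaupload file '
    r'download service access"; flow:to_server,established; content:"GET "; depth: 4; '
    r'uricontent:"/?d="; content:"|0d 0a|Host\: "; content:"megaupload.com"; within:25; '
    r'nocase; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009301; '
    r'reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Download_Services; '
    r'sid:2009301; rev:2;)',
    r'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: (msg:"ET MALWARE 404 Response with an '
    r'EXE Attached - Likely Malware Drop"; flow:established,from_server; '
    r'content:"HTTP/1.1 404 Not Found|0d 0a|"; depth:24; content:"|0d 0a 0d 0a|MZ"; distance:0; '
    r'classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2009028; '
    r'reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_404_EXE; '
    r'sid:2009028; rev:2;)',
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"ET SCAN Rapid POP3 Connections - Possible '
    r'Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 10, seconds 120; '
    r'classtype: misc-activity; reference:url,doc.emergingthreats.net/2002992; '
    r'reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_General_Services; '
    r'sid: 2002992; rev:5;)',
]

# Rule header: action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$"
)


def split_options(body):
    """Split the option body on ';', honouring double quotes and backslash escapes.

    A naive body.split(';') would break on any ';' inside a quoted msg or content.
    """
    options, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            options.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        options.append(tail)
    return [opt for opt in options if opt]


def parse_rule(line):
    """Return a dict with the header fields, the ordered option list and a few summary keys."""
    match = HEADER_RE.match(line.strip())
    if not match:
        raise ValueError("not a Snort rule: " + line[:60])
    rule = match.groupdict()
    body = rule.pop("body")
    rule["options"] = []
    for opt in split_options(body):
        key, _, value = opt.partition(":")      # flag options such as "nocase" have no value
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        rule["options"].append((key.strip(), value))
    first = {}
    for key, value in rule["options"]:
        first.setdefault(key, value)            # first occurrence wins for single-valued keys
    rule["msg"] = first.get("msg")
    rule["sid"] = first.get("sid")
    rule["classtype"] = first.get("classtype")
    rule["references"] = [v for k, v in rule["options"] if k == "reference"]
    return rule


def summarize(rules):
    """(sid, classtype, msg) per rule: the fields an analyst maps to plugin_sid entries."""
    return [(r["sid"], r["classtype"], r["msg"]) for r in (parse_rule(t) for t in rules)]


if __name__ == "__main__":
    for sid, classtype, msg in summarize(SAMPLE_RULES):
        print(sid, classtype, msg)
```

The parser deliberately keeps options as an ordered list rather than a dict, because Snort rules legitimately repeat keys (several content: and reference: options per rule) and their order matters to the engine.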

Ntop

Network Monitor
PASSIVE TOOL

Ntop is a network probe that shows network usage in a way
similar to what top does for processes. Ntop is a network usage
monitor.

http://www.ntop.org

Ntop provides information (Real-time and historical) of the network
usage

Utility within AlienVault:

Network usage statistics

Assets information

Time and activity matrixes

Real-time session monitoring
Ntop - RRD Aberrant Behaviour

PASSIVE TOOL
Network Anomalies

Analyzing the historical data, Ntop uses the RRD Aberrant
Behaviour algorithm to draw predictions of future behaviour of
our assets and networks.

If the prediction differs from the real traffic an event is generated
in AlienVault

Fprobe

PASSIVE TOOL
NetFlows generator

Fprobe is a tool that collects network traffic data and emits it as
NetFlow flows towards the specified collector (NFdump in
AlienVault).

http://fprobe.sf.net

NetFlows

An AlienVault Sensor running Fprobe emits NetFlows when collecting
the network traffic (Port mirroring / HUB / Network tap...)

The AlienVault Web Interface (Framework) runs the NetFlow collector.

The major manufacturers implement into their devices the ability to
send NetFlows. In this case it is not necessary to use Fprobe.

NFDump

PASSIVE TOOL
NetFlows collection

The nfdump tools collect and process netflow data

http://nfdump.sourceforge.net/

NFDump runs in the box running the AlienVault Web Interface

NFSen

Web Based Tool
NetFlows

NFSen is a graphical web based front end for the nfdump
netflow tools.

http://nfsen.sourceforge.net/

NetFlow is a network protocol developed by Cisco Systems to run on Cisco IOS-enabled equipment for collecting IP traffic information.

It is supported by platforms other than IOS such as Juniper, Linux, FreeBSD or
OpenBSD.

OCS

ACTIVE TOOL
Inventory
Agent

Open Computer and Software Inventory Next Generation (OCS
Inventory NG) is free software that enables users to inventory their
IT assets.

http://www.ocsinventory-ng.org

OCS-NG collects information about the hardware and software of
networked machines running the OCS client program ("OCS
Inventory Agent").

Utility within AlienVault:

Inventory Management (Software & Hardware)

Vulnerability Management

Policy violations

Hardware monitoring

Nagios

ACTIVE TOOL
Availability Monitor
Agent - Web

Nagios is a computer system and network monitoring software
application.

It watches hosts and services, alerting users when things go
wrong and again when they get better.

http://www.nagios.org

Multiple checks (of different complexity) can be configured in Nagios.
E.g.: MySQL Server

Check whether the host is up or not

Check whether the MySQL port is opened or closed

Check whether there is a MySQL listening in that port

Do a query and check the result

Nagios

Utility within AlienVault:

Availability monitoring (As any other Data Source)

Availability monitoring by request (During Logical Correlation)

Nagios can do checks remotely or with an agent deployed on the
host that is being monitored.

Nagios has a wide number of plugins to monitor different devices
and applications.

OpenVas

ACTIVE TOOL
Vulnerability Scanning

OpenVAS (Open Vulnerability Assessment System) is a framework
of several services and tools offering a vulnerability scanning and
vulnerability management solution.

http://www.openvas.org

OpenVas uses signatures to identify vulnerabilities in the hosts of
our network.

Utility within AlienVault:

Attack prevention (We know what is vulnerable)

Is the network policy being violated?

Shared folders, forbidden activities...

Compliance monitoring

OpenVas

Vulnerability Scanning

Some vulnerabilities can only be verified after actually exploiting
them (E.g.: DOS)

OpenVas allows scanning aggressiveness fine-tuning.

OpenVas is able to perform local scans on remote machines if
valid credentials for them are provided.

The OpenVas component scanning the network is installed by
default in each AlienVault Sensor

Mis-configured scans may severely impact the scanned network. After installation,
the first scanning profiles have to be defined and watched over very carefully.

Nikto

ACTIVE TOOL
Vulnerability Scanning

Nikto is an Open Source (GPL) web server scanner which
performs comprehensive tests against web servers for multiple
items

http://cirt.net/nikto2

Nikto scans web servers to find potential problems and security
vulnerabilities, including:

Server and software misconfigurations

Default files and programs

Insecure files and programs

Outdated servers and programs

OSVDB

Database

OSVDB is an independent and open source database created by
and for the security community.

The goal of the project is to provide accurate, detailed, current and
unbiased technical information on security vulnerabilities.

http://www.osvdb.org

Usage within AlienVault:

Correlation rule creation

Vulnerability identifier cross-relation

Complements OpenVas scanning information

OSVDB entry (screenshots on the slides): Vulnerability Description, Indicators and references,
Tool relationships, CVSSv2 Score (Common Vulnerability Scoring System).

OSSEC

ACTIVE TOOL
HIDS
Agents

OSSEC is a HIDS (Host-level Intrusion Detection System) that
features log analysis, rootkit detection, system integrity checking
and Windows registry monitoring.

http://www.ossec.org

OSSEC requires an agent to be installed for monitoring (except
ssh-accessible systems):

OSSEC Agent-less collection: SSH-accessible system

OSSEC Agent for Windows System

OSSEC Agent for MacOSX

The OSSEC Server runs in the AlienVault Sensor

OSSEC

OSSEC is based on a client -> server architecture. AlienVault
collects events from the OSSEC server (Installed in the AlienVault
Sensor).

OSSEC provides its own plugin system used for Windows and
UNIX tool analysis.

Utility within OSSIM:

Windows and Unix log collection

Application log collection

Registry, file and folder monitor (DLP)

Kismet

PASSIVE TOOL
WIDS

Kismet is an 802.11 layer2 wireless network detector, sniffer, and
intrusion detection system.

http://www.kismetwireless.net

Kismet will work with any wireless card which supports raw
monitoring (rfmon) mode, and (with appropriate hardware) can sniff
802.11b, 802.11a, 802.11g, and 802.11n traffic.

Utility within AlienVault:

Securing WIFI network.

Rogue AP detection

Compliance enforcement (PCI Wireless requirements)

Nmap

ACTIVE TOOL
Scanner

Nmap is a security scanner used to discover hosts and services
on a computer network

http://www.nmap.org

Nmap provides customizable options for host and network
scanning (Speed, range, precision)

Utility within AlienVault:

Asset Discovery

Open port discovery

Service version discovery

Operating System manufacturer and version discovery

P0f

PASSIVE TOOL
OS Fingerprinting

P0f is a versatile passive OS fingerprinting tool

http://lcamtuf.coredump.cx/p0f.shtml

Passive Operating System detection based on traffic pattern
analysis.

Utility within AlienVault:

Operating System changes

Inventory Management

Unauthorized network access

Pads

PASSIVE TOOL
Services Fingerprinting

PADS is a signature based detection engine used to passively
detect network assets.

http://passive.sourceforge.net

Utility within AlienVault:

Inventory Management

Service version changes

Policy violations

Inventory correlation

Arpwatch

PASSIVE TOOL
MAC Fingerprinting

Arpwatch is an ethernet monitor program that keeps track of
ethernet/ip address pairing

http://ee.lbl.gov

Utility within AlienVault:

Inventory Management

IP address change detection

ARP Spoofing

Nedi

ACTIVE TOOL
Network Discovery

NeDi is an open source network management framework which
uses scheduled discovery to examine your network.

http://nedi.ch

NeDi requires SNMP read access for all network hardware.

Basic Concepts

Detection

The process of identifying behaviour that leads to the generation of
an event is called Detection.

Multiple elements are used by AlienVault to provide detection
capabilities:

Snort, Ntop, Arpwatch (Data Sources included in AlienVault)

Existing corporate applications/tools

Tools that have been deployed prior to AlienVault installation
(Firewalls, Antivirus)

Example events (diagram on the slide):

Firewall: Traffic Dropped Port 139

ET VIRUS W32.Opaserv Worm Infection

Collection

The task that determines which events shall be collected into
AlienVault is called Collection. Collection is done by the AlienVault
Sensors

AlienVault can collect events using multiple methods, some of
them require configuring the Data Source to send events to the
AlienVault Sensor (E.g.: Syslog, FTP...). When other collection
methods are used the AlienVault Sensor gathers the events from the
application or device (WMI, SQL, SCP...)

AlienVault uses regular expressions to determine the format in
which the events will be arriving at the system (Syslog, SQL, WMI...)

The Regular Expression in the AlienVault
Sensor determines and filters the events that
have to be collected.

Normalization

The process of translating the events generated by different tools
into a unique and normalized format is called Normalization

Normalization is done in the AlienVault Sensor

Information is normalized using regular expressions

Raw event:

Mar 22 20:40:15 ossim-A su[27992]: Successful su for root by root

Normalized event:

event type="detector" date="2008-03-22 20:40:15" sensor="192.168.1.109" interface="eth0" plugin_id="4005" plugin_sid="2" src_ip="192.168.1.109" dst_ip="192.168.1.109" username="root" log="Mar 22 20:40:15 ossim-A su[27992]: Successful su for root by root"
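An added example, not AlienVault's own agent code: a Python sketch of the normalization step for the su line above, turning the raw syslog text into the key="value" event the slide shows. The plugin_id 4005 / plugin_sid 2 values, the sensor address 192.168.1.109 and the eth0 interface are taken from the normalized event on the slide; the regular expressions, the plugin_sid 1 rule for a failed su, and the year (syslog timestamps carry none) are assumptions made for this example.

```python
import re
from datetime import datetime

# Raw syslog line from the slide above.
RAW_EVENT = "Mar 22 20:40:15 ossim-A su[27992]: Successful su for root by root"

# Syslog header: month, day, time and host.
SYSLOG_HEADER = (r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
                 r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+")

# Hypothetical connector rules for the su program. plugin_id 4005 / plugin_sid 2
# for a successful su are the values the slide shows; plugin_sid 1 for a failed
# su is an assumption made for this example.
RULES = [
    {"plugin_id": "4005", "plugin_sid": "2",
     "regex": re.compile(SYSLOG_HEADER +
                         r"su\[(?P<pid>\d+)\]: Successful su for (?P<target>\S+) by (?P<username>\S+)$")},
    {"plugin_id": "4005", "plugin_sid": "1",
     "regex": re.compile(SYSLOG_HEADER +
                         r"su\[(?P<pid>\d+)\]: FAILED su for (?P<target>\S+) by (?P<username>\S+)$")},
]


def normalize(line, sensor_ip="192.168.1.109", interface="eth0", year=2008):
    """Match a raw line against the rules and return the normalized event, or None.

    The syslog timestamp carries no year, so the caller supplies it (2008 on the
    slide). src_ip and dst_ip are the sensor itself because su is a local event.
    """
    for rule in RULES:
        match = rule["regex"].match(line)
        if not match:
            continue
        stamp = datetime.strptime(
            "%d %s %s %s" % (year, match.group("month"), match.group("day"), match.group("time")),
            "%Y %b %d %H:%M:%S")
        return {
            "type": "detector",
            "date": stamp.strftime("%Y-%m-%d %H:%M:%S"),
            "sensor": sensor_ip,
            "interface": interface,
            "plugin_id": rule["plugin_id"],
            "plugin_sid": rule["plugin_sid"],
            "src_ip": sensor_ip,
            "dst_ip": sensor_ip,
            "username": match.group("username"),
            "log": line,
        }
    return None                       # no rule matched: the line is not collected


def format_event(event):
    """Serialize to the key="value" line shown on the slide."""
    fields = ["type", "date", "sensor", "interface", "plugin_id", "plugin_sid",
              "src_ip", "dst_ip", "username", "log"]
    return "event " + " ".join('%s="%s"' % (name, event[name]) for name in fields)


if __name__ == "__main__":
    print(format_event(normalize(RAW_EVENT)))
```

Lines matched by no rule return None, which is the behaviour the Collection slide describes: the regular expressions both normalize and filter what the Sensor forwards.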

Data Source

A Data Source is any application or device that generates
information collected by AlienVault

The AlienVault Sensor includes a number of applications that are
used as Data Sources within the AlienVault Deployment

AlienVault can collect events from any Data Source by using a
Data Source Connector

Data Source Connector

A Data Source Connector (Formerly called Plugins) is a piece of
data complementing the agent and allowing it to normalize and
understand a certain type of Data Source (Application or device)

Two files make up a Data Source Connector:

.cfg:

Event location (Filename, Database)

Regular expressions

Normalization rules

.sql:

Contains the generator plugin_id and a plugin_sid for each of the
normalized events which we'll later use within the system.

Correlation

Correlation is the process of transforming various input data into a
new output data element

Using AlienVault we can transform two or more input events into a
more reliable output event

Event

Any log entry generated by any Data Source at application, system
or network level will be called an event.

For AlienVault it is important to know:

When has the event been generated?

What is involved? (Systems, users...)

Which application generated the event?

What's the event type?

Data Source ID

The Data Source ID (Formerly known as Plugin_id) is a unique
number used by AlienVault to identify each of the Data Source
types that send events to AlienVault

This number is used in correlation rules and when defining Policy
Rules

Range reserved for user created Data Source connectors:
9000-10000

Examples (diagram on the slide): Data Source ID = 1001-1500, Data Source ID = 1501

Event Type

The Event Type (Formerly known as Plugin_sid) is a unique number
(Within each Data Source) that identifies the different events a Data
Source is able to generate.

The Event Type always has to be associated to a Data Source ID,
since multiple Data Source IDs can share common Event Types.
(E.g.: 404 Event Type in Apache and IIS)

Whenever possible we recommend using the error code (If it is
numeric) of the event as the Event Type ID.

404 Apache Event:
Data Source ID = 1501
Event Type = 404

Asset

An Asset is any device available on a network that is being
monitored by AlienVault

Assets in AlienVault have a value (0-5). Each Asset will have a
different value depending on its task within the network

Assets in AlienVault:

Network Group
Network
Host Group
Host

Asset Value

Every Asset in AlienVault has an Asset Value (0-5)

Assets not defined within the AlienVault Inventory have a default
Asset Value of 2

Assets will have different values depending on their role within the
monitored network

E.g.: A printing company: printers will have a very high asset value.

E.g.: A company offering Web hosting: web servers and database servers will be valuable assets while
printers on the other hand won't be so important.

Asset Value

While the events are being processed the AlienVault system needs
to know the Asset Value of every Asset (Correlation and Policy
rules).

If the Asset has not been defined in the AlienVault Inventory, the
AlienVault system will try to get the Asset Value of the larger Assets
this host may belong to, in this order:

1st - Host: Asset Value of the Host if it has been inventoried in the
AlienVault Inventory.

2nd - Host Group: Asset Value of the Host Group the Asset belongs
to (If any).

3rd - Network: Asset Value of the Network the Asset belongs to (If
any).

4th - Network Group: Asset Value of the Network Group the Asset
belongs to (If any).

Default Asset Value: If the system can not find the value of the
Asset it will take 2 as Asset Value.
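Added example (not part of the ACSA course material or the AlienVault code base): the lookup order above written as a Python function over a constructed inventory. The IP addresses, group names and Asset Values in INVENTORY are assumed for illustration; only the order of the lookup and the default value of 2 come from the slides.

```python
import ipaddress

# Constructed inventory (not an AlienVault inventory export). Asset Values
# use the 0-5 scale from the slides; IPs and group names are placeholders.
INVENTORY = {
    "hosts": {"192.168.2.10": 5},
    "host_groups": {"db_servers": {"members": ["192.168.2.11"], "value": 4}},
    "networks": {"192.168.2.0/24": 3},
    "network_groups": {"lan": {"members": ["192.168.2.0/24", "10.0.0.0/8"], "value": 1}},
}
DEFAULT_ASSET_VALUE = 2  # value used when nothing in the inventory matches


def asset_value(ip, inventory=INVENTORY):
    """Resolve the Asset Value of an IP in the order the slides give:
    Host -> Host Group -> Network -> Network Group -> default (2).
    Returns (value, origin) so the caller can see which level answered."""
    # 1st: the host itself, if it has been inventoried
    if ip in inventory["hosts"]:
        return inventory["hosts"][ip], "host"
    # 2nd: a host group the host is a member of
    for name, group in inventory["host_groups"].items():
        if ip in group["members"]:
            return group["value"], "host_group:" + name
    addr = ipaddress.ip_address(ip)
    # 3rd: a network containing the address
    for cidr, value in inventory["networks"].items():
        if addr in ipaddress.ip_network(cidr):
            return value, "network:" + cidr
    # 4th: a network group with a member network containing the address
    for name, group in inventory["network_groups"].items():
        if any(addr in ipaddress.ip_network(c) for c in group["members"]):
            return group["value"], "network_group:" + name
    # Default: the asset is unknown to the inventory
    return DEFAULT_ASSET_VALUE, "default"


if __name__ == "__main__":
    for ip in ("192.168.2.10", "192.168.2.11", "192.168.2.50", "10.1.2.3", "8.8.8.8"):
        print(ip, asset_value(ip))
```

Note that 192.168.2.11 sits inside 192.168.2.0/24 but is answered by its host group, because the host group level is consulted before the network level.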

Event Priority

Priority is the importance of the event itself, it is a measure which
tries to determine the relative impact an event could have in our
network.

Priority is a value between 0 and 5:

0 - No importance
1 - Very Low
2 - Low
3 - Average
4 - Important
5 - Very Important

Event Reliability

Reliability determines the probability of an attack being real or not.

At this time we're not determining if the event is a false
positive or not (think about the event as part of an attack or
problem).

E.g.: A single authentication failure. Would you be able to determine if
it is a real attack (Brute Force attack) using a single event?

Reliability can be a value between 0 and 10:

0 - False Positive
1 - 10% chance of being an attack
2 - 20% chance of being an attack
...
10 - Real attack

Event Risk

The SIEM calculates a risk for each event processed in the SIEM.

The Event Risk is a numeric value (0-10).

RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY) / 25

In events having two different Asset Values (Source and Destination) we will always take the highest one.

(Figure: Source (Source Asset Value = 2) -> Destination (Destination Asset Value = 5), Event Priority = 2, Event Reliability = 10.)

Asset Value = 0-5
Priority = 0-5
Reliability = 0-10
Event Risk = 0-10

Alarm

Any event whose risk is greater than or equal to 1 will become an
alarm.

An alarm is a special type of event since it can have more than one
event originating it.

Correlation doesn't generate alarms per se, it will generate new
events that may or may not become alarms.
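Added example (not part of the course material or of AlienVault's own code): the risk formula and the alarm threshold from the two slides above, with the input ranges checked. The slides do not say whether the quotient is rounded, so the raw value is returned; the event in the figure (source value 2, destination value 5, priority 2, reliability 10) is replayed in the main block.

```python
ALARM_RISK_THRESHOLD = 1  # events with risk >= 1 become alarms (from the slides)


def _check(name, value, low, high):
    """Reject inputs outside the ranges the slides define."""
    if not low <= value <= high:
        raise ValueError(f"{name}={value} outside {low}-{high}")


def event_risk(priority, reliability, src_asset_value, dst_asset_value):
    """RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY) / 25,
    taking the higher of the source and destination Asset Values.
    The maximum 5 * 5 * 10 / 25 is exactly 10, so no clamping is needed."""
    _check("priority", priority, 0, 5)
    _check("reliability", reliability, 0, 10)
    _check("src_asset_value", src_asset_value, 0, 5)
    _check("dst_asset_value", dst_asset_value, 0, 5)
    asset_value = max(src_asset_value, dst_asset_value)
    return asset_value * priority * reliability / 25


def becomes_alarm(risk):
    """An event whose risk is greater than or equal to 1 becomes an alarm."""
    return risk >= ALARM_RISK_THRESHOLD


if __name__ == "__main__":
    # The slide's figure: source value 2, destination value 5, priority 2, reliability 10.
    r = event_risk(priority=2, reliability=10, src_asset_value=2, dst_asset_value=5)
    print("risk =", r, "alarm:", becomes_alarm(r))  # risk = 4.0 alarm: True
```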

Aggregated Risk

Apart from calculating a risk value for each event, the AlienVault
SIEM also maintains an Aggregated Risk indicator for each asset of
our network.

This aggregated risk is stored in two properties of each asset
within AlienVault:

Compromise: Compromise means a network element is generating
lots of events as source, that is, it is behaving as if it has been
compromised.

Attack: Attack is a value that measures the level of attack an
element has received in our network, that is, how much it has been
attacked.

(Figure: Attacker (C) -> Target (A).)

Compromise

Compromise value is increased by taking into account the risk of
the event calculated using the Asset Value of the source (the
Asset Value of the destination is ignored even if it is higher).

This value increases the compromise value of the host, the
compromise value of the host groups, networks and network
groups the host belongs to, as well as the global compromise
value.

(Figure: Source (Source Asset Value = 2) -> Destination (Destination Asset Value = 5), Event Priority = 2, Event Reliability = 10.)

Compromise level increase = (Source Asset Value * Event Priority * Event Reliability) / 25
Compromise level increase = (2*2*10) / 25 = 1.6

Attack

Attack value is increased by taking into account the risk of the
event calculated using the Asset Value of the destination (the
Asset Value of the source is ignored even if it is higher).

This value increases the attack value of the host, the attack value
of the host groups, networks and network groups the host
belongs to, as well as the global attack value.

(Figure: Source (Source Asset Value = 2) -> Destination (Destination Asset Value = 5), Event Priority = 2, Event Reliability = 10.)

Attack level increase = (Destination Asset Value * Event Priority * Event Reliability) / 25
Attack level increase = (5*2*10) / 25 = 4

Recovery

No event ever reduces the level of attack and compromise.

The attack and compromise levels are reduced every 15 seconds by
subtracting a number of units.

The number of units subtracted every 15 seconds is called the
Recovery Value.

This value is a custom value in each deployment and can be
adjusted using the configuration.

This value is used to maintain a constant level of Compromise and
Attack for the system to alert when something weird is happening.

Compromise and Attack

The vast majority of events have a certain risk, that's why it's
common for our assets to have a certain attack and compromise
level.

E.g.: A web server exposed to the network will always have a high
attack value.

It's important to determine and configure which attack and
compromise levels we deem acceptable for each of our assets as
well as for the total of our system (Configure the threshold).
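Added example (not the course's or AlienVault's own code): a small model of the Compromise and Attack accounting described in the Compromise, Attack, Recovery and threshold slides. C uses only the source Asset Value and A only the destination Asset Value, both propagate to the containers of the host and to a global level, recovery subtracts a fixed number of units every 15 seconds, and thresholds are checked as a percentage. The recovery value, the container names and the threshold numbers are assumptions; the event replayed in demo() is the one from the slides.

```python
from collections import defaultdict

RECOVERY_INTERVAL = 15  # seconds between recovery ticks (from the slides)


class AggregatedRisk:
    """Tracks the Compromise (C) and Attack (A) levels of every asset, of the
    containers it belongs to, and of the whole system ("global").
    recovery_value is the deployment-specific number of units subtracted per tick."""

    def __init__(self, recovery_value):
        self.recovery_value = recovery_value
        self.compromise = defaultdict(float)
        self.attack = defaultdict(float)

    def ingest(self, ev):
        """ev is a constructed event dict: src/dst, their Asset Values, the host
        groups/networks/network groups each belongs to, priority and reliability.
        C is driven by the source Asset Value only, A by the destination's only."""
        c_inc = ev["src_value"] * ev["priority"] * ev["reliability"] / 25
        a_inc = ev["dst_value"] * ev["priority"] * ev["reliability"] / 25
        for key in [ev["src"], *ev["src_containers"], "global"]:
            self.compromise[key] += c_inc
        for key in [ev["dst"], *ev["dst_containers"], "global"]:
            self.attack[key] += a_inc
        return c_inc, a_inc

    def recover(self, seconds):
        """No event lowers C or A; only time does: every 15 s each level
        drops by recovery_value, never below zero."""
        drop = (seconds // RECOVERY_INTERVAL) * self.recovery_value
        for table in (self.compromise, self.attack):
            for key in table:
                table[key] = max(0.0, table[key] - drop)

    def breaches(self, thresholds):
        """thresholds maps an asset key to (compromise_threshold, attack_threshold).
        Returns (key, metric, percent) for every level at or above its threshold,
        so a caller can bucket them like the Risk Metrics table (100/300/500 %)."""
        out = []
        for key, (c_thr, a_thr) in thresholds.items():
            for metric, table, thr in (("compromise", self.compromise, c_thr),
                                       ("attack", self.attack, a_thr)):
                level = table.get(key, 0.0)
                if thr > 0 and level >= thr:
                    out.append((key, metric, round(100 * level / thr)))
        return out


SLIDE_EVENT = {  # the slide's event; container names are constructed
    "src": "attacker", "src_value": 2, "src_containers": ["net_dmz"],
    "dst": "web01", "dst_value": 5, "dst_containers": ["hg_web", "net_lan"],
    "priority": 2, "reliability": 10,
}


def demo(recovery_value=1):
    """Ingest the slide's event, then let two recovery ticks (30 s) pass."""
    agg = AggregatedRisk(recovery_value)
    inc = agg.ingest(SLIDE_EVENT)                                  # (1.6, 4.0)
    after_ingest = (agg.compromise["global"], agg.attack["global"])  # (1.6, 4.0)
    agg.recover(30)
    after_recover = (agg.compromise["global"], agg.attack["global"])  # (0.0, 2.0)
    return inc, after_ingest, after_recover


if __name__ == "__main__":
    print(demo())
```

Because a busy web server accumulates A with every event, its threshold has to be set to the level that is normal for it, which is the point the slide makes about configuring acceptable levels per asset.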

SIEM & Logger

AlienVault Server Role

Collecting events sent by the AlienVault Sensors

Risk assessment for each event

Aggregated Risk calculation

Correlation

Events storage (SIEM & Logger)

Multilevel: Information exchange with other servers (Events, alarms, policies,
inventory objects...)

SIEM & Logger

(Figure: events go through Collection and then Policy. On the SIEM side they continue to Risk Assessment, Correlation and SQL Storage; on the Logger side to Log Signature and Disk Storage.)

SIEM: Correlation

Correlation: From many input data we obtain new output data.

The correlation engine uses multiple events to generate new
events with higher reliability.

AlienVault implements 3 types of correlation: Logical Correlation,
Cross-correlation and Inventory Correlation.

The correlation engine generates new events that are re-injected to
the SIEM and processed as if they were coming from a Sensor
(Policies can be applied to those events).

During correlation no alarms are generated, only events.

The events generated during the correlation process can become
alarms once the risk assessment is done for these events.

SIEM: Correlation

(Figure: within the SIEM, events go through Collection, Policy, Risk Assessment and Correlation before SQL Storage; new events generated during correlation are re-injected into the same pipeline.)

Logical Correlation

Using the logical correlation new events are generated using the
information provided by the detectors and monitors.

Logical correlation is configured using Correlation directives.

The events generated during this type of correlation will have new
priority and reliability values.

Directives are defined through logical trees in which the horizontal
axis defines an OR operation and the vertical one defines an AND
operation.

(Figure: directive tree with a First, Second and Third Correlation level.)

(Figures: Logical Correlation directive examples, two slides.)

Types of DS Connectors

Two types of events feed the Logical Correlation Engine:

Detectors: They offer events (Snort, Firewalls, Antivirus, Web
servers, OS events...)

Monitors: They offer indicators (Ntop, Tcptrack, Nmap, Webs,
Compromise & Attack...)

Logical Correlation

The Detectors are constantly sending information to the
correlation engine.

The Monitors offer information to the correlation engine on request
by the AlienVault SIEM during the correlation process.

Some applications can be used with both detector and monitor
functionalities:

Vulnerability Scanner

Availability Monitor

Active Directory

...
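Added example (not course material and not AlienVault's directive format): a simplified model of a correlation directive as the Logical Correlation slides describe it. A rule's children are the alternatives of the next level (OR, the horizontal axis); the path root, child, grandchild is the sequence that must all occur (AND, the vertical axis); each completed level emits a new event whose reliability rises. The directive, the plugin id 9001 (a placeholder in the 9000-10000 user range), the sid meanings and the event stream are constructed; rule timeouts, which real directives have, are left out.

```python
# Constructed directive: plugin_sid 1 = failed login, 2 = accepted login.
DIRECTIVE = {
    "name": "SSH brute force (constructed example)",
    "priority": 3,
    "root": {
        "name": "first failed login", "plugin_id": 9001, "plugin_sid": {1},
        "occurrence": 1, "reliability": 1,
        "children": [
            {"name": "5 more failed logins from the same source", "plugin_id": 9001,
             "plugin_sid": {1}, "occurrence": 5, "same_src": True, "reliability": 4,
             "children": [
                 {"name": "successful login after the failures", "plugin_id": 9001,
                  "plugin_sid": {2}, "occurrence": 1, "same_src": True, "reliability": 9,
                  "children": []},
             ]},
            {"name": "successful login right after one failure", "plugin_id": 9001,
             "plugin_sid": {2}, "occurrence": 1, "same_src": True, "reliability": 6,
             "children": []},
        ],
    },
}


def matches(rule, ev, ctx):
    """Does a detector event satisfy a rule? same_src pins the level-1 source."""
    if ev["plugin_id"] != rule["plugin_id"] or ev["plugin_sid"] not in rule["plugin_sid"]:
        return False
    if rule.get("same_src") and ev["src"] != ctx.get("src"):
        return False
    return True


def run_directive(directive, events):
    """Feed detector events through the tree and return the correlated events
    emitted, one per level reached, each carrying the directive priority and
    the reliability of the rule that completed that level."""
    emitted = []
    candidates = [{"rule": directive["root"], "count": 0}]  # siblings are tried in parallel
    ctx = {}
    level = 1
    for ev in events:
        for cand in candidates:
            if not matches(cand["rule"], ev, ctx):
                continue
            if level == 1:
                ctx["src"] = ev["src"]          # later levels are pinned to this source
            cand["count"] += 1
            if cand["count"] < cand["rule"]["occurrence"]:
                continue
            emitted.append({"directive": directive["name"], "level": level,
                            "rule": cand["rule"]["name"], "src": ctx["src"],
                            "priority": directive["priority"],
                            "reliability": cand["rule"]["reliability"]})
            if not cand["rule"]["children"]:
                return emitted                  # leaf reached: directive complete
            candidates = [{"rule": r, "count": 0} for r in cand["rule"]["children"]]
            level += 1
            break                               # the completing event is consumed
    return emitted


def _ev(src, sid):
    """Constructed detector event."""
    return {"plugin_id": 9001, "plugin_sid": sid, "src": src, "dst": "192.168.1.10"}


# Constructed stream: one stray failure from another host is ignored by the
# same_src condition; the attacker's sixth failure completes level 2.
SAMPLE_EVENTS = ([_ev("10.0.0.5", 1), _ev("10.0.0.9", 1)]
                 + [_ev("10.0.0.5", 1)] * 5 + [_ev("10.0.0.5", 2)])

if __name__ == "__main__":
    for out in run_directive(DIRECTIVE, SAMPLE_EVENTS):
        print(out["level"], out["rule"], "reliability", out["reliability"])
```

Each emitted event would then go through risk assessment like any other event, which is how a level-3 event with reliability 9 becomes an alarm while the single level-1 event with reliability 1 does not.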

Cross-correlation

The Cross-correlation relates two different types of events.

When the related events are in the database with the same host
involved, the cross correlation will generate a new event.

E.g.: A and B are two events linked using the cross-correlation.

The cross-correlated event will have as priority the sum of the
priorities of the related events. The same happens with the reliability
(Max priority 5, Max reliability 10).

Priority of Event A + Priority of Event B = Priority of the new event generated during cross-correlation

Reliability of Event A + Reliability of Event B = Reliability of the new event generated during cross-correlation

Cross-Correlation

(Figure: a Vulnerability Scan of Host A reports "Vulnerability: IIS Remote Command Execution"; a Sensor reports "Attack: WEB-IIS multiple decode attempt" from Attacker to Host A; the two are combined into a Cross-correlated Event.)
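Added example (not course material or AlienVault code): the cross-correlation of the figure above. An IDS event is looked up against a rule table that names the vulnerability confirming it, and if the destination host's last scan reported that vulnerability a new event is emitted with the summed priority and reliability, capped at 5 and 10 as the slide states. The plugin ids (9002 in the user range), the vulnerability values and the addresses are constructed.

```python
MAX_PRIORITY, MAX_RELIABILITY = 5, 10

# Constructed cross-correlation rules: IDS (plugin_id, plugin_sid) -> the
# vulnerability on the destination host that confirms the attack.
CROSS_RULES = {
    (9002, 1): "IIS Remote Command Execution",
}

# Constructed scan results: host -> [(vulnerability, priority, reliability)]
VULN_DB = {
    "192.168.1.20": [("IIS Remote Command Execution", 3, 4)],
    "192.168.1.21": [("Default SNMP community", 2, 3)],
}


def cross_correlate(ids_event, vuln_db=VULN_DB, rules=CROSS_RULES):
    """Return the cross-correlated event, or None when the destination host
    has no vulnerability that the IDS event targets."""
    wanted = rules.get((ids_event["plugin_id"], ids_event["plugin_sid"]))
    if wanted is None:
        return None
    for vuln, v_priority, v_reliability in vuln_db.get(ids_event["dst"], []):
        if vuln == wanted:
            return {
                "name": f"{ids_event['name']} against host vulnerable to {vuln}",
                "src": ids_event["src"],
                "dst": ids_event["dst"],
                # sums of both related events, capped at the scale maxima
                "priority": min(MAX_PRIORITY, ids_event["priority"] + v_priority),
                "reliability": min(MAX_RELIABILITY, ids_event["reliability"] + v_reliability),
            }
    return None


# The slide's scenario: the sensor sees "WEB-IIS multiple decode attempt" sent to
# Host A, whose last scan reported "IIS Remote Command Execution". Values constructed.
IDS_EVENT = {"plugin_id": 9002, "plugin_sid": 1, "name": "WEB-IIS multiple decode attempt",
             "src": "203.0.113.7", "dst": "192.168.1.20", "priority": 3, "reliability": 7}

if __name__ == "__main__":
    print(cross_correlate(IDS_EVENT))
    print(cross_correlate(dict(IDS_EVENT, dst="192.168.1.21")))  # None: not vulnerable
```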

Cross-correlation

Most of the cross correlation rules relate IDS events (Snort) with
vulnerabilities (OpenVas, Nessus...).

New Cross-correlation rules can be defined in the Web interface:
Intelligence & Actions -> Cross Correlation

Inventory Correlation

The Inventory Correlation executes the following tasks:

1. For each attack the system checks whether it has information of the
attacked host within the AlienVault inventory.

2. Using the OSVDB database the SIEM knows the OS, services, and
versions that

Multilevel Correlation

(Figure: Distributed Correlation. Sensors feed SIEMs at Correlation Level 1, which feed SIEMs at Correlation Level 2, which feed a single SIEM at Correlation Level 3.)

Multilevel Correlation

In multilevel deployments such as SOC or MSSP it may be
interesting to correlate events from different corporations to detect
global infections.

Correlation level 1: Department infection
Correlation level 2: Corporate infection
Correlation level 3: National infection
Correlation level 4: Global infection

AlienVault Web Interface

In case you have installed a Web Interface Profile or an all-in-one
profile you will be able to connect to the AlienVault Management
interface by pointing your favorite internet browser to the IP
Address of your AlienVault system.

Default user and password is admin/admin.

Default User - Password

AlienVault is installed by default with a single user. This user will always
keep special permissions within the AlienVault system (Permissions to
monitor all assets and all menu options enabled).

The default user is admin with admin as password.

Reset Default User - Password

To reset the admin password type this command in the Linux console:

# ossim-reset-password admin

This command can be used to change the password of any user from the
console. Anyway, an administrator user will always be able to change the
password of another user using the AlienVault Web Interface.

AlienVault Web Interface

(Figure: Main Window showing the Main Menu, the User Profile and Session Information area, and the Status Bar.)

Dashboards

Content:

Customizable dashboards and metrics

Customizable Maps (Availability, Risk and Vulnerability Indicators)

Risk Metrics

Menu Options:

Dashboards
Risk - Risk Maps, Risk Metrics

Incidents

Content:

Alarms (Security Incidents)

AlienVault ticketing system

Knowledge DB

Menu Options:

Alarms - Alarms, Reports
Tickets - Tickets, Reports
Knowledge DB - Knowledge DB

Analysis

Content:

SIEM and Logger Forensic Console

Vulnerability Management

AlienVault Detection Utilities

Menu Options:

SIEM - SIEM, Statistics
Logger - Logs
Vulnerabilities - Vulnerabilities, Reports, Scan Jobs, Threats Database
Detection - NIDS, HIDS, Wireless IDS, Anomalies

Content:
AlienVault reporting system

Menu Options:
Reports

218

Reports

Modules

Layouts

Scheduler

FOSS Reports

Assets

Content:

Inventory Management

Asset Search

Asset Discovery

Menu Options:

Assets - Structure, Hosts, Host Groups, Network, Network Groups, Ports
Asset Search - Asset Search, Asset Categories
Asset Discovery - Spot Scan

Intelligence

Content:

Policy rules - Responses configuration

Correlation Rules

Compliance

Cross Correlation rules

Menu Options:

Policy & Actions - Policy, Actions
Correlation Directives - Directives, Properties, Backlog
Compliance Mapping - ISO 27001, PCI DSS
Cross Correlation - Rules

Situational Awareness

Content:

Network monitoring

Netflow management

Network Profiles

Availability Monitoring

Inventory Summary

Menu Options:

Network - Traffic, Profiles
Availability - Monitoring, Reporting
Inventory - Inventory

Configuration

Content:

AlienVault Configuration

User Management

Collection Configuration

Backup Management

Menu Options:

Main
Collection - Simple, Advanced, Data Sources, DS Groups, Customize Wizard, Custom Collectors, Taxonomy, Downloads
Users - Configuration, User activity
SIEM Components - Network Discovery, Passive Network Discovery, Sensors, Nedi, Servers, Active Directory, Databases
Software Upgrade - Upgrade Notification
Backup - SIEM Backup

User Management

Multi-tenant Architecture

Entities Definition: Groups, Departments, Companies

Assign user permissions to entities (Templates)

Simplifies AlienVault User Management

AlienVault Admin users for each entity

(Figure: the Open Source SIEM inventory objects are Hosts, Host Groups, Networks and Network Groups; the AlienVault SIEM adds Departments and Corporations. An Entity, your own entity, groups Assets, Users and AlienVault Components.)

Multi-tenant Architecture

(Figure: example entity tree for Alienvault: UNIFIED SIEM, Development (Web development, R&D), OPEN SOURCE and Sales (EMEA, APAC), with networks and hosts such as 10.0.0.0/24, 192.168.3.0/24, 172.18.1.0/24, 210.2.2.2, 192.168.8.0/24 and 192.168.2.0/24 assigned to them.)

Entities

An entity is a virtual grouping of objects within the AlienVault
inventory (Hosts, Host Groups, Networks and Network Groups...).

Entities can be used to create departments, organizations,
companies or whatever kind of group is needed to simplify the
asset management.

Templates

Open Source SIEM: Permissions assigned directly to users.

Unified SIEM: Permissions assigned using templates. Templates are
assigned to the entities the users belong to.

Template definition:
1. Assign user permissions
2. Link the user template with an entity

The same Template can be used in multiple entities.

Users can inherit permissions from higher entities.

User permissions

Permissions are assigned using:

Sensors

Networks

Sections in the Web Interface the user will have access to

User permissions: Inventory

Link the Assets to the Sensor or Sensors that will collect
events or traffic of the Asset:

Assets -> Assets -> Host
Assets -> Assets -> Host Groups
Assets -> Assets -> Network
Assets -> Assets -> Network Groups

Admin Users

The Admin Users will always keep special permissions:

Visibility over all assets

No Menu restrictions

Access to:

Manage users (Delete, Modify and create users)

Some menu options only available for Admin users

Admin users within each entity can only manage users within the entity they
belong to.

User configuration

Configuration -> Users -> Password Policy

Compliant User Management

Policies

AlienVault Policies

Policy -> Intelligence & Actions -> Policy

The Policy section allows you to configure how the system will process
the events once they arrive to the AlienVault Server.

Policy rules are used to create exceptions. E.g.:

Do not store in the SQL Database

Do not correlate

Correlate and forward to another SIEM. Do not store in the SQL
Database

AlienVault Policies

By default all the events arriving to the AlienVault Server are
processed by both SIEM and Logger.

In the case of the SIEM the system provides extra intelligence and
data-mining capabilities, processing the events by performing the
following tasks:

Risk assessment

Correlation

Forwarding

SQL Storage

In the case of the Logger the system will sign the events to ensure
integrity so that they can be used as evidence in trial.

When are the policies applied?

(Figure: policies are applied right after Collection, before the SIEM side (Risk Assessment, Correlation, SQL Storage) and the Logger side (Log Signature, Disk Storage).)

Policy Conditions

Source: Host, host groups, networks, or network groups as the
source in the events that have to match the policy

Destination: Host, host groups, networks, or network groups as
the destination in the events that have to match the policy

Ports: Port on which the event has been collected

DS groups: Types of event matching the policy rules

Sensors: Sensors that have collected the events

Install in: Servers in which the policy will be installed (Multilevel
topologies)

Policy Consequences

Actions:

Send an e-mail

Execute a Command

Change priority of the events

SIEM:

Qualify events (Calculate a risk for the events)

Correlate events (Logical correlation)

Cross Correlate events (Cross-correlation)

Store events (SQL Storage)

Logger:

Sign

Multilevel:

Forward alarms

Forward events

Actions

Once the conditions defined in a policy have been met, the system
can execute an action (or multiple actions).

Sending an e-mail or running a command can be configured using
some keywords that will be replaced with the values of the events
that have matched that policy (PLUGIN_ID, SRC_IP, DATE...).

Policy order

Policy rules are applied in descending order and when an event
matches a rule, the system will stop processing that event, so that
it will not be able to match any other policy rule defined
subsequently.

The generic policy rules should always be defined after the policy
rules used to configure exceptions for certain events.

Examples of Policy rules

Apache events

All events are stored in the Logger

All events go to the correlation engine (SIEM)

Only some events are stored in the database

Firewall events

All events are stored in the Logger

All events go to the correlation engine (SIEM)

Only DROP, DENY and configuration change events are stored in
the database
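Added example (not course material or AlienVault's policy engine): a first-match policy evaluator over the conditions and consequences of the preceding slides, carrying the two example rule sets (firewall and Apache) plus a source-network exception. It shows why ordering matters: reversing the list so the generic rule comes first makes the firewall exception unreachable. The DS group membership, plugin ids (9010/9011 in the user range), sid meanings and the lab network are constructed; the Apache rule assumes the event type equals the HTTP status code, as the Event Type slide recommends.

```python
import ipaddress

# Constructed DS groups: plugin ids are placeholders in the user range 9000-10000.
DS_GROUPS = {"firewall": {9010}, "apache": {9011}}
FIREWALL_KEEP = {2, 3, 7}  # constructed sids: DROP, DENY, configuration change
DEFAULT_CONSEQUENCES = {"qualify": True, "correlate": True, "store": True, "logger": True}

# Exceptions first, the generic rule last: the first match stops processing.
POLICY = [
    {"name": "firewall: only DROP/DENY/config changes reach SQL",
     "match": {"ds_group": "firewall", "not_sids": FIREWALL_KEEP},
     "consequences": {"qualify": True, "correlate": True, "store": False, "logger": True}},
    {"name": "apache: keep only 4xx/5xx in SQL",
     "match": {"ds_group": "apache", "sid_below": 400},
     "consequences": {"qualify": True, "correlate": True, "store": False, "logger": True}},
    {"name": "lab network: logger only",
     "match": {"src_net": "10.99.0.0/16"},
     "consequences": {"qualify": False, "correlate": False, "store": False, "logger": True}},
    {"name": "generic: SIEM and Logger process everything",
     "match": {},
     "consequences": DEFAULT_CONSEQUENCES},
]


def rule_matches(rule, ev):
    """Every condition present in the rule must hold (an empty match is a catch-all)."""
    m = rule["match"]
    if "ds_group" in m and ev["plugin_id"] not in DS_GROUPS[m["ds_group"]]:
        return False
    if "not_sids" in m and ev["plugin_sid"] in m["not_sids"]:
        return False
    if "sid_below" in m and ev["plugin_sid"] >= m["sid_below"]:
        return False
    if "src_net" in m and ipaddress.ip_address(ev["src"]) not in ipaddress.ip_network(m["src_net"]):
        return False
    return True


def apply_policy(ev, policy=POLICY):
    """First matching rule wins and processing stops, as the slides describe.
    Retur (rule name, consequences); with no match, default processing applies."""
    for rule in policy:
        if rule_matches(rule, ev):
            return rule["name"], rule["consequences"]
    return "no rule matched", DEFAULT_CONSEQUENCES


def _ev(plugin_id, plugin_sid, src="192.168.1.5"):
    """Constructed event with only the fields the conditions look at."""
    return {"plugin_id": plugin_id, "plugin_sid": plugin_sid, "src": src}


if __name__ == "__main__":
    for ev in (_ev(9010, 1), _ev(9010, 2), _ev(9011, 200), _ev(9011, 404, "10.99.3.3")):
        print(ev, "->", apply_policy(ev))
    # Misordered policy: the generic rule shadows every exception after it.
    print(apply_policy(_ev(9010, 1), policy=list(reversed(POLICY)))[0])
```

Note that the Logger still receives everything in the three exception rules; only SQL storage and, for the lab network, SIEM processing are switched off, matching the two example slides.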

Logger

AlienVault Logger

The Logger allows for storage of large volumes of data while
ensuring its admissibility as evidence in a court of law.

The Logger provides an additional database specifically geared for
massive, long-term forensic archiving.

The Logger collects data in its native format, digitally signs and
time-stamps the data, and securely stores it preserving data
integrity; whereas the SIEM database is designed for the rapid and
versatile analysis required for attack detection and response.

Logger Console

(Figure: the Logger Console with the Logger Search Box, predefined Time Frame selection, custom Time Frame selection, time frame selection by clicking on the graph, and the list of Events in the Logger.)

Remote Loggers

If multiple Loggers are deployed it is possible to manage them
remotely using a single Web Interface:

Make sure the Logger is configured at Configuration -> SIEM Components -> Servers

Select the Logger or Loggers you want to query in the Logger Console at Analysis ->
Logger -> Logs

In the events view, each Logger will be identified by a different color

Query the Logger

The search for events stored in the Logger implements auto-completion based on the text that
you type. For example, if you enter a host name, the system will suggest to search for that value
in the host field of the events.

The following syntax can be used when searching over the events in the Logger:

sensor: IP address or name of the AlienVault Collector that collected the event. E.g.:
sensor=Vegas sensor=172.2.2.1

src: Source of the event in IPv4 format or name of the host used in the AlienVault inventory.
E.g.: src=192.168.2.1 src=Web_2000

dst: Destination of the event in IPv4 format or name of the host used in the AlienVault
inventory. E.g.: dst=192.168.1.1 dst=gateway

plugin: Name of the plugin (Data Source connector). E.g.: plugin=snort

plugingroup: Name of the plugin group. E.g.: plugingroup=Facebook_events

src_port: Source Port. E.g.: src_port=34000

dst_port: Destination Port. E.g.: dst_port=80

sourcetype: Filter by product type (Taxonomy based filters). E.g.: sourcetype=Firewall

data: Searches the value associated to this variable in the text of the original event. E.g.:
data=Failed Password

Export data

To use the data stored in the Logger as evidence in court it is
required to export the data to be analyzed using a 3rd party tool.

Query the Logger after entering the search criteria and click on
Exports.

Logger Stats

Shows the stored events separated by Sensors, Event types, Data
sources and Destination.

Logger troubleshooting

Any Policy rule not sending all events to the Logger?

Logger enabled in Configuration -> SIEM Components -> Logger

Logger signature configuration at /etc/ossim/server/config.xml

Vulnerability Management

Vulnerability

A vulnerability is a weakness which allows an attacker to reduce a
system's information assurance.

Vulnerability is the intersection of three elements: a system
susceptibility or flaw, attacker access to the flaw, and attacker
capability to exploit the flaw.

Objectives

Feed the cross correlation engine

Feed the logical correlation engine

Metrics of the vulnerability level

Prevention of possible attacks

OpenVas

Architecture based on plugins

Own programming language to write rules

Comprehensive database of vulnerabilities

Scalable

Does not require installing any software on the scanned hosts

Simultaneous scans

Scheduled scans

Nessus

Nessus Vulnerability Scanner is also supported by AlienVault (up to
4.0.2).

Nessus is a proprietary comprehensive vulnerability scanning
program.

It is free of charge for personal use in a non-enterprise
environment.

Scanning Operation

1. Port scanning against every target within the scan.
2. The scanner does a series of tests to verify whether the existing
services at each port are particularly vulnerable to attack.

(Figure: a Sensor scanning hosts; example findings: "The remote host is missing the DSA-1996 security update", "A vulnerable SMB server is running on the remote host.", "Default user and password enabled in the running service".)

It is important to maintain a good OpenVas configuration because
some of the tests may cause service outages in some applications or
devices.

Security Analysis

Analysis Process

(Figure: the analysis draws on four sources of metrics: Incidents, Events, Vulnerabilities and Inventory.)

Analysis Process
1. Dashboard -> Dashboard
2. Dashboard -> Risk
3. Incidents -> Alarms
4. Incidents -> Tickets
5. Analysis -> SIEM
6. Analysis -> Logger
7. Analysis -> Vulnerabilities
8. Assets -> Asset search
9. Report -> Reports

Status Bar

Global Status of the Monitored Networks (Red, Orange or Green)

Number of opened Tickets

Number of unresolved Alarms (Opened Alarms)

Highest priority within the opened tickets

Highest risk within the opened alarms

Service Level: decreases while the Attack and Compromise levels increase

If the service level remains at 100 we should check the recovery value and
whether the events are being collected or not.

Executive Panel

Executive: Metrics and graphs that provide an overview of the
network. Important to pay attention to the volume of alarms and
events generated in the day compared to previous days. The Top 10
Events and Alarms is also an interesting indicator as we can easily
know the types of events and alarms that are generating the highest
volume of occurrences. The graph shows the cumulative risk (C & A)
for the most conflicting hosts.

Security: Information about alarms and events stored in the
system. Important to pay attention to hosts with many events and
to those hosts that have a promiscuous behavior.

Taxonomy: Statistics based on the taxonomy of the events stored
in the SIEM. This page displays events grouped by Data Source and
events grouped by Device or Tool. Pay attention to the graph
showing Authentication Login vs Failed Login events, as well as the
graphs showing events providing information about hosts infected
by some kind of malware or exploit.

Tickets: Statistics based on the AlienVault ticketing System. Pay
attention to the amount of automatically generated tickets.

Executive Panel

Vulnerabilities: Report of performed vulnerability scans. Pay
attention to the hosts and networks with more vulnerabilities.

Compliance: Graphs generated using information of compliance
reports, mainly PCI DSS and ISO 27001.

Network: Graphs and statistics on the use of the network. Most of
these charts are taken from the network and usage monitor (Ntop).
Important to monitor that no abrupt changes have occurred and
compare the data provided with the prediction made by the tool.

Dashboards

Pay attention to:

Big changes in graphs

Service loss

Events with a lot of occurrences

Conflicting hosts

(Figure labels: "Compromise & Attack", "Big change in graph".)

Risk Maps

Dashboards -> Risk -> Risk Maps

Shows the risk, vulnerability and availability levels for any asset in
the AlienVault inventory (Risk, Vulnerability, Availability).

Risk Metrics

Dashboards -> Risk -> Risk Metrics

Assets with high Aggregated Risk (Compromise and Attack Level).

Risk Metrics

Time Frame selection (Last day, Last Week, Last Month, or Last Year).

Historical data of the global Compromise and Attack values
(Red = Attack, Blue = Compromise).

Service level (it decreases while the Global Compromise and Attack are
increasing). Shows the service level of the last 24 hours.

Access the attack and compromise level in real-time.

Risk Metrics

Internal attack (symmetry between the Red and Blue areas) between assets
or networks with the same value.

The historical C & A values are calculated for
those objects defined within the AlienVault
inventory. If an attack is coming from an
outside network, we would only see the red
area.

Risk Metrics

We can click on the red/blue area of the
global graph to see in detail what happened
at that moment.

The system will show the disaggregated
graphs for every IP address that was
involved in generating the global graph.

Risk Metrics

Every object in the AlienVault inventory has an Attack and
Compromise Threshold.

The table shows those hosts or networks that have exceeded their
threshold:

Metric over 100% threshold
Metric over 300% threshold
Metric over 500% threshold

Risk Metrics

Pay attention to:

Those hosts and networks that have exceeded their threshold

Anomalies in Compromise and Attack Graphs

Internal attacks

Attacks from your network

Service level falls

Service level always at 100%:
- Recovery value too high?
- Is AlienVault collecting events?

Alarms

Incidents -> Alarms

An alarm is a special event that may depend on other events (when
the event becoming an alarm was generated during Logical
Correlation).

Alarms

Filters and actions: filter by alarm name, sensor and directive ID.

Time Frame selection (Last day, Last Week, Last Month, or Last Year) and
alarms shown per page.

Delete and close alarms.

Alarms

Date of the first and last event belonging to the alarm.

Close the alarm.

Risk of the Alarm.

Name of the Alarm.

Sensors that have collected the events that have generated this alarm.

Source and Destination IPs.

Open a ticket in the Ticket Management system.

Alarms

The IP address belongs to the AlienVault Inventory.

The IP address does not belong to the AlienVault Inventory and it belongs to
a US network.

The IP address belongs to the AlienVault Inventory and it is a Linux host.

Alarms

More than 4000 events were correlated within the Correlation rule that
generated this alarm.

Alarms

Click to display the events that matched each correlation level.

Alarms

Clicking on an event, the system will show the original event stored in
the database.

Alarms

Pay attention to:

Alarms with higher risk

Repeated Alarms

Unique Alarms -> New types of alarms

Alarms with lots of hosts involved

Sources of attacks (Geolocation):
- IP addresses from countries that don't work with our corporation
- Hosts having contact with many different countries (P2P? Worm?)

Alarms

Where do the Alarms come from?

Events generated during the correlation process: the alarm may depend on
many events.

Unique event (Event with high priority and reliability): only one event.

(Figure: a host with many alarms -> check the events from that host in the SIEM and Logger -> define new Correlation rules.)

SIEM Events

Analysis -> SIEM

Shows the SIEM Events stored in the database.

SIEM Events

Time Frame selection. Predefined time frames:

Today
Last 24 hours
Last week
Last two weeks
Last month
All

Custom time frame.

SIEM Events

Event trends (different graph based on the selected time frame).

(Figure labels: "No events in the SIEM before this date", "Maximum number of events in the SIEM".)

SIEM Events

Search Events by:

Signature: Name of the event
Payload: Original Log or Payload in Snort events
IP Address (As source or destination)

Timeline analysis

Filter by Data Source

Filter by Risk (0-10)

Filter by extra data fields: userdata1-9, username,
password and filename

Access taxonomy filters

Filter by DS Group

Filter by Network Group

Filter to see only those events whose source or destination belongs to our
Home Network (It is in the inventory)

SIEM Events

Active filters: Clear all filters / Show all filters

Events Statistics:

Sensors: Events grouped by sensor

Unique Events: Events grouped by type of event

Unique Data Sources: Events grouped by Data Source

Unique addresses: Events grouped by source/destination

Source/Destination Port: Events grouped by port

Unique country Events: Events grouped by country

SIEM Events

IP search with logical operators (OR & AND)

When clicking on some fields new filters can be applied (e.g. when
clicking on the IP address).

SIEM Events

Trends

Trends will be generated based on the current time frame.

SIEM Events

Events per country

You can click on the number of events per country to access those events.

SIEM Events

The values shown in each column can be ordered by clicking on
the column name (double clicking for reverse order).

Columns: Date of the original event, Source IP, Destination IP, Name of the
event (Event Type), Protocol, Priority, Reliability, Risk of the event.

How the event was originated:
- Logical Correlation
- Cross-correlation
- Event Collection

SIEM Events

Clicking on the name of the event gives you access to the original
event (Log or payload).

(Figure: event detail showing the Event name, the Sensor and network interface used to collect the event, the Context in which the event was generated, the Extra fields and the Raw Log.)

SIEM Events

In events generated by Snort some extra information (e.g. TCP
headers) will be stored.

In Snort events the payload can be downloaded as a pcap file
(Tcpdump, Tcpreplay, Ngrep, Wireshark...).

Analyzing the payload we can check whether it is a false positive
or not.

When analyzing Shellcode events (from Snort) we can use the
Shellcode analyzer.

Snort Events Payload

The system uses TShark to show low level information about the
capture file.

Logger

Analysis -> Logger

In the Logger, the events are stored in the file system, using an
AlienVault specific schema of directories and files.

Events are stored digitally signed, so they can be used as
evidence in trials.

Events are signed using RSA.

Defining policies we can configure what goes to the SIEM and
what goes to the Logger.

(Figure: the Logger Console, as in the Logger chapter: Logger Search Box, predefined and custom Time Frame selection, time frame selection by clicking on the graph, Events in the Logger.)

The system will automatically generate stats based on the events
stored in the Logger.

Analysis Procedures (SIEM)

1. Events with a high risk
2. Events with the highest number of occurrences
3. Hosts with the highest number of events
4. Hosts with a promiscuous behaviour
5. Virus, Trojan, Malware, Spam events
6. Hosts involved in generating alarms
7. Events per country
8. Events per service
9. Strange events (Few occurrences)

Analysis Procedure

Events with a high risk

Order by risk (Risk column). Double-click for reverse order.

Analysis Procedure

Events with the highest number of occurrences

Click on Unique Events and then click on the column named Total.

Analysis Procedure

Hosts with the highest number of occurrences (as source or destination)

Click on Unique Source or Unique Destination and order by number of occurrences by clicking on the column named Total.

If we only want to see those hosts belonging to our network, click on the Home Networks filter by Source/Destination.

Analysis Procedure

Hosts with a promiscuous behaviour

In Unique Events compare the columns Src. Addr and Dst. Addr:

- Many sources and always the same destination IP
- Just a few sources and many destination IPs (Worm? P2P?)

Analysis Procedure

Hosts with a promiscuous behaviour

Click on Unique Source or Unique Destination and order using the column Dest Addr or Src Addr respectively.

Analysis Procedure

Virus, Trojan, Malware, Spam events

In the search field (By signature) we can search the following string: virus OR trojan OR malware OR spam. Once the search is done, we can click on Unique Events to see all event types that match these criteria.

Analysis Procedure

Hosts matching correlation rules (events that will probably become alarms)

Search directive_event (signature search) and click on Unique Source/Destination to group by host.

Analysis Procedure

Events per country

Click on Unique Country Events and then click on the Total of the countries that seem suspicious.

Analysis Procedure

Events per service

Click on Destination Port (TCP | UDP) and then click on the Occurrences field or Unique Events of those ports that seem suspicious in your network.

Analysis Procedure

Strange events (few occurrences)

Click on Unique Events and order by double-clicking on Total (from low to high).
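The analysis procedures above are clicks in the SIEM console; as an added example (not part of the ACSA material or AlienVault's code), the same groupings and orderings applied to a constructed set of SIEM-style event records, so the logic behind each procedure can be checked offline. Field names, hosts and event names are made up for the illustration.

```python
from collections import Counter, defaultdict

# Constructed sample events; the keys mirror the SIEM columns named in the
# slides (event name, source/destination IP, destination port, risk).
EVENTS = [
    {"name": "directive_event: Brute force attack", "src": "10.0.0.5", "dst": "10.0.0.10", "dst_port": 22, "risk": 7},
    {"name": "ET TROJAN Win32 checkin", "src": "10.0.0.7", "dst": "203.0.113.9", "dst_port": 80, "risk": 3},
    {"name": "SSH login failed", "src": "10.0.0.5", "dst": "10.0.0.10", "dst_port": 22, "risk": 1},
    {"name": "SSH login failed", "src": "10.0.0.6", "dst": "10.0.0.10", "dst_port": 22, "risk": 1},
    {"name": "SSH login failed", "src": "10.0.0.8", "dst": "10.0.0.10", "dst_port": 22, "risk": 1},
    {"name": "Portscan", "src": "10.0.0.7", "dst": "10.0.0.11", "dst_port": 445, "risk": 2},
    {"name": "Portscan", "src": "10.0.0.7", "dst": "10.0.0.12", "dst_port": 445, "risk": 2},
    {"name": "Portscan", "src": "10.0.0.7", "dst": "10.0.0.13", "dst_port": 445, "risk": 2},
    {"name": "Spam mail relayed", "src": "10.0.0.9", "dst": "198.51.100.2", "dst_port": 25, "risk": 0},
]

def high_risk(events, threshold=5):
    """Procedure 1: events at or above a risk threshold, highest risk first."""
    return sorted((e for e in events if e["risk"] >= threshold),
                  key=lambda e: e["risk"], reverse=True)

def unique_events(events):
    """Procedure 2: event types with their Total, most frequent first."""
    return Counter(e["name"] for e in events).most_common()

def rare_events(events, max_total=1):
    """Procedure 9: event types seen no more than max_total times."""
    return sorted(n for n, c in Counter(e["name"] for e in events).items() if c <= max_total)

def promiscuous_hosts(events, fanout=3):
    """Procedure 4: sources talking to many distinct destinations (worm/P2P?)
    and destinations contacted by many distinct sources."""
    dst_by_src, src_by_dst = defaultdict(set), defaultdict(set)
    for e in events:
        dst_by_src[e["src"]].add(e["dst"])
        src_by_dst[e["dst"]].add(e["src"])
    return {
        "many_destinations": sorted(h for h, s in dst_by_src.items() if len(s) >= fanout),
        "many_sources": sorted(h for h, s in src_by_dst.items() if len(s) >= fanout),
    }

def signature_search(events, terms=("virus", "trojan", "malware", "spam")):
    """Procedure 5: case-insensitive 'virus OR trojan OR malware OR spam' on the name."""
    return [e["name"] for e in events if any(t in e["name"].lower() for t in terms)]

def directive_hosts(events):
    """Procedure 6: source hosts involved in directive_event (correlation) events."""
    return sorted({e["src"] for e in events if e["name"].startswith("directive_event")})

def events_per_port(events):
    """Procedure 8: destination ports ordered by number of occurrences."""
    return Counter(e["dst_port"] for e in events).most_common()
```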

Host Information

When clicking on any IP address in SIEM events, new filters can be applied.

External information can be retrieved regarding the IP address (Whois information, DNS, blacklists...)