Saturday, September 15, 2012

OSSIM hands-on 2: Configuring distributed profiles

This is the second hands-on exercise, designed to help OSSIM users distribute the Server and Sensor profiles across separate hosts.

We will be using the current published release version (4.0.2) with IP acting as the server, and IP acting as a sensor.

Configuring server (

1.- Edit /etc/ossim/ossim_setup.conf and set this variable:
vpn_net=192.168.1 (defines the VPN network range used for server-sensor communication)

2.- Add new hostname to /etc/hosts and /etc/hostname

3.- Run ossim-reconfig and check server network socket
server:~# ossim-reconfig -c -v -d
server:~# netstat -nap | grep -i ossim-server
tcp        0      0 *               LISTEN      16678/ossim-server

4.- Generate VPN configuration files for the new sensor
server:~# ossim-reconfig --add_vpnnode= (sensor IP)
server:~# scp /etc/openvpn/nodes/ root@

Configuring sensor (

1.- Edit /etc/network/interfaces to use static IP
sensor:~# cat /etc/network/interfaces
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
sensor:~# /etc/init.d/networking restart

2.- Edit /etc/ossim/ossim_setup.conf (at the sensor)
sensor:~# ossim-reconfig -c -v -d

3.- Add new hostname to /etc/hosts and /etc/hostname

4.- Uncompress VPN tar file and restart Openvpn
sensor:~# cd /etc/openvpn
sensor:~# tar -xvzf
sensor:~# /etc/init.d/openvpn restart

5.- Configure sensor settings at /etc/ossim/ossim_setup.conf
server_ip= (vpn server IP)
framework_ip= (framework server IP)
detectors=ossec, ssh (enabling ssh and ossec plugins)
sensor:~# ossim-reconfig -c -v -d
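As an added example (not code from the original post or from the OSSIM project), the script below validates the sensor-side /etc/ossim/ossim_setup.conf settings from steps 1 and 5 before ossim-reconfig is run: it reads the key=value pairs, checks that server_ip lies inside the vpn_net prefix configured on the server (so events travel over the tunnel rather than an untrusted network), and checks that framework_ip and detectors are set. The function names and the two sample config files are this example's own constructions; it assumes vpn_net is a /24 prefix written the way the post writes it (192.168.1).

```shell
#!/bin/sh
# Added example, not part of the original post or of OSSIM itself.
# Pre-flight check for a sensor's ossim_setup.conf before running ossim-reconfig.

# conf_get FILE KEY -> prints the value of the first "KEY=value" line (trimmed)
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# in_vpn_net ADDR PREFIX -> succeeds if ADDR is inside "PREFIX.0/24" (e.g. 192.168.1)
in_vpn_net() {
    case "$1" in
        "$2".*) return 0 ;;
        *)      return 1 ;;
    esac
}

# check_sensor_conf FILE VPN_NET -> prints each problem found; exit status is
# the number of problems (0 means the sensor profile looks consistent)
check_sensor_conf() {
    file=$1; vpn_net=$2; problems=0
    server_ip=$(conf_get "$file" server_ip)
    framework_ip=$(conf_get "$file" framework_ip)
    detectors=$(conf_get "$file" detectors)

    if [ -z "$server_ip" ]; then
        echo "server_ip is not set"; problems=$((problems + 1))
    elif ! in_vpn_net "$server_ip" "$vpn_net"; then
        echo "server_ip=$server_ip is outside vpn_net $vpn_net.0/24: events would bypass the VPN tunnel"
        problems=$((problems + 1))
    fi
    if [ -z "$framework_ip" ]; then
        echo "framework_ip is not set"; problems=$((problems + 1))
    fi
    if [ -z "$detectors" ]; then
        echo "detectors is empty: no plugin will collect events"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample configs (this example's own, not files from a real host)
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

cat > "$tmpdir/good.conf" <<'EOF'
# sensor profile whose values sit on the VPN subnet used in the post
server_ip=192.168.1.1
framework_ip=192.168.1.1
detectors=ossec, ssh
EOF

cat > "$tmpdir/bad.conf" <<'EOF'
# server_ip points outside the VPN, framework_ip empty, detectors missing
server_ip=10.0.0.5
framework_ip=
EOF

echo "== good.conf =="
check_sensor_conf "$tmpdir/good.conf" 192.168.1 && echo "OK: ready for ossim-reconfig"
echo "== bad.conf =="
check_sensor_conf "$tmpdir/bad.conf" 192.168.1 || echo "$? problem(s) found, fix before ossim-reconfig"
```

Run it with the real vpn_net value from the server's ossim_setup.conf and point check_sensor_conf at the sensor's file; a non-zero exit tells you how many settings still need attention before the reconfig.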

Check Sensor and Server communications

1.- Check log files
sensor:~# tail -f /var/log/ossim/agent.log
server:~# tail -f /var/log/ossim/server.log

2.- Insert sensor and check results
Go to Configuration -> Alienvault Components and insert the sensor with its IP (the sensor's IP inside the VPN). After that, log into the sensor through SSH to generate some new events, then check the results in the GUI under Analysis -> SIEM.


Replies

1. Sometimes, especially when monitoring large environments with multiple networks or locations, you need to deploy multiple sensors. This is done for multiple reasons, for example to analyze multiple SPAN port/port mirroring sessions with the NIDS component, to run distributed vulnerability scans, or to collect data from sources in the same network (so those are not sent over non-trusted networks).

2. I cannot add_vpnnode, command not found, why??

   1. That option has been outdated, try running "alienvault-setup" or "ossim-setup" and look for "configure network" options. You should be able to find one named "configure vpn client". Other than that, I think the rest of the configuration steps remain the same.