Saturday, September 15, 2012

OSSIM hands-on 2: Configuring distributed profiles

This is the second hands-on exercise designed to help OSSIM users distribute the Server and Sensor profiles across separate hosts.

We will be using the current published release version (4.0.2) with IP 10.0.0.30 acting as the server, and IP 10.0.0.31 acting as a sensor.

Configuring server (10.0.0.30)

1.- Edit /etc/ossim/ossim_setup.conf and set these variables:
server_ip=10.0.0.30
framework_ip=10.0.0.30
hostname=server
vpn_infraestructure=yes
vpn_net=192.168.1 (defines the VPN network range used for server-sensor communications)

2.- Add new hostname to /etc/hosts and /etc/hostname

3.- Run ossim-reconfig and check server network socket
server:~# ossim-reconfig -c -v -d
server:~# netstat -nap | grep -i ossim-server
tcp        0      0 0.0.0.0:40001           0.0.0.0:*               LISTEN      16678/ossim-server

4.- Generate VPN configuration files for the new sensor
server:~# ossim-reconfig --add_vpnnode=10.0.0.31 (sensor IP)
server:~# scp /etc/openvpn/nodes/10.0.0.31.tar.gz root@10.0.0.31:/etc/openvpn/

Configuring sensor (10.0.0.31)

1.- Edit /etc/network/interfaces to use static IP 10.0.0.31
sensor:~# cat /etc/network/interfaces
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 10.0.0.31
netmask 255.255.255.0
gateway 10.0.0.200
sensor:~# /etc/init.d/networking restart

2.- Edit /etc/ossim/ossim_setup.conf (at the sensor)
admin_ip=10.0.0.31
admin_gateway=10.0.0.200
hostname=sensor
sensor:~# ossim-reconfig -c -v -d

3.- Add new hostname to /etc/hosts and /etc/hostname

4.- Uncompress VPN tar file and restart Openvpn
sensor:~# cd /etc/openvpn
sensor:~# tar -xvzf 10.0.0.31.tar.gz
sensor:~# /etc/init.d/openvpn restart

5.- Configure sensor settings at /etc/ossim/ossim_setup.conf:
profile=Sensor
server_ip=192.168.1.1 (VPN address of the server)
framework_ip=192.168.1.1 (VPN address of the framework, here the same host)
detectors=ossec, ssh (enables the ssh and ossec plugins)
sensor:~# ossim-reconfig -c -v -d
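Both profiles above are driven by the same key=value file, and the mistake that most often breaks a distributed setup is a sensor left pointing server_ip/framework_ip at the server's LAN address instead of its VPN address (so the agent either cannot reach it through the tunnel, or sends events over the untrusted network the VPN was meant to avoid). The script below is an added example, not part of the original post and not an OSSIM tool: it parses an ossim_setup.conf (tolerating the "server_ip= 10.0.0.30" spacing shown above), and checks the relationships this walkthrough relies on before ossim-reconfig is run. Assumptions: a file with no profile key is treated as a Server; the VPN prefix a sensor is checked against is passed as a second argument and defaults to the 192.168.1 used here; the three sample config files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an OSSIM
# ossim_setup.conf before running ossim-reconfig.

# conf_get FILE KEY -> prints the value of KEY, ignoring whitespace around '='
conf_get() {
    awk -F= -v k="$2" '
        $1 ~ "^[ \t]*" k "[ \t]*$" {
            sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; exit
        }' "$1"
}

# is_ipv4 VALUE -> exit 0 if VALUE is a dotted quad with octets 0-255
is_ipv4() {
    echo "$1" | awk -F. 'NF==4 { for (i=1;i<=4;i++) if ($i !~ /^[0-9]+$/ || $i>255) exit 1; exit 0 } { exit 1 }'
}

# check_profile FILE [VPN_PREFIX] -> 0 if FILE is consistent for its profile, 1 otherwise.
# Problems are reported on stderr. Assumption: no "profile" key means Server;
# VPN_PREFIX is the server's vpn_net and defaults to the walkthrough's 192.168.1.
check_profile() {
    f=$1
    profile=$(conf_get "$f" profile)
    [ -z "$profile" ] && profile=Server
    server_ip=$(conf_get "$f" server_ip)
    framework_ip=$(conf_get "$f" framework_ip)
    rc=0
    for v in "$server_ip" "$framework_ip"; do
        is_ipv4 "$v" || { echo "$f: bad IPv4 address '$v'" >&2; rc=1; }
    done
    case "$profile" in
    Server)
        # with the VPN enabled, --add_vpnnode needs a /24 prefix in vpn_net
        if [ "$(conf_get "$f" vpn_infraestructure)" = yes ]; then
            vpn_net=$(conf_get "$f" vpn_net)
            echo "$vpn_net" | grep -Eq '^([0-9]{1,3}\.){2}[0-9]{1,3}$' \
                || { echo "$f: vpn_net must be a prefix like 192.168.1, got '$vpn_net'" >&2; rc=1; }
        fi
        ;;
    Sensor)
        prefix=${2:-192.168.1}
        # the sensor must talk to the server through the tunnel, not over the LAN
        for v in "$server_ip" "$framework_ip"; do
            case "$v" in
            "$prefix".*) ;;
            *) echo "$f: sensor should reach the server via the VPN ($prefix.x), got '$v'" >&2; rc=1 ;;
            esac
        done
        [ -n "$(conf_get "$f" detectors)" ] || { echo "$f: no detectors enabled" >&2; rc=1; }
        ;;
    *)
        echo "$f: unknown profile '$profile'" >&2; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files mirroring the walkthrough (plus one common mistake).
tmp=$(mktemp -d)
cat > "$tmp/server.conf" <<'EOF'
server_ip= 10.0.0.30
framework_ip=10.0.0.30
hostname=server
vpn_infraestructure=yes
vpn_net=192.168.1
EOF
cat > "$tmp/sensor.conf" <<'EOF'
profile=Sensor
admin_ip=10.0.0.31
admin_gateway=10.0.0.200
hostname=sensor
server_ip=192.168.1.1
framework_ip=192.168.1.1
detectors=ossec, ssh
EOF
cat > "$tmp/sensor_lan.conf" <<'EOF'
profile=Sensor
hostname=sensor
server_ip=10.0.0.30
framework_ip=10.0.0.30
detectors=ossec, ssh
EOF

for c in server sensor sensor_lan; do
    if check_profile "$tmp/$c.conf"; then
        echo "$c.conf: OK"
    else
        echo "$c.conf: fix before running ossim-reconfig"
    fi
done
```

Run it on a real host as `check_profile /etc/ossim/ossim_setup.conf` (adding the server's vpn_net as the second argument on a sensor if it is not 192.168.1); the third sample file is the misconfiguration the check is meant to catch.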

Check Sensor and Server communications

1.- Check log files
sensor:~# tail -f /var/log/ossim/agent.log
server:~# tail -f /var/log/ossim/server.log

2.- Insert sensor and check results
Go to Configuration -> AlienVault Components and insert the sensor with IP 192.168.1.10 (the sensor's address inside the VPN). After that, log into the sensor through SSH to generate some new events, then check that they show up in the GUI under Analysis -> SIEM.


4 comments:

  1. Replies
    1. Sometimes, especially when monitoring large environments with multiple networks or locations, you need to deploy multiple sensors. This is done for multiple reasons, for example to analyze multiple SPAN port/port mirroring sessions with the NIDS component, to run distributed vulnerability scans, or to collect data from sources in the same network (so those are not sent over non-trusted networks).

  2. I cannot add_vpnnode, command not found, why??

    Replies
    1. That option has been outdated; try running "alienvault-setup" or "ossim-setup" and look for the "configure network" options. You should be able to find one named "configure vpn client". Other than that, I think the rest of the configuration steps remain the same.