This document provides an overview of setting up practical monitoring with the open source security information management (SIM) tool OSSIM. It discusses identifying assets and data sources, the OSSIM platform capabilities, architecture, requirements, and basic configuration steps. It also covers adding assets, configuring vulnerability assessment, setting up host and network intrusion detection systems, enabling plugins for integrating devices like CheckPoint firewalls, and configuring availability monitoring. The document provides details on key concepts like regular expressions, correlation rules, and using the OSSIM dashboard.
4. Contents
Practical Monitoring with OSSIM
Asset and Data Source Identification
OSSIM Platform
OSSIM Architecture
Minimum Requirements
Create OTX Account
Factors to Consider
Demo Environment
OSSIM Installation
Basic Configuration
Adding Assets & Configuring VA
IDS in OSSIM
Setting up HIDS
Setting up NIDS
Adding Devices and Enabling Plugins
Plugins for CheckPoint Firewall
Availability Monitoring
5. Practical Monitoring with OSSIM
Cyber security is a challenge.
24 x 7 monitoring of critical networks.
OSSIM is an open source product.
PEOPLE PROCESS TECHNOLOGY
Strengths and weaknesses of the OSSIM tool.
6. Asset and data source Identification
Asset – any device with an IP address.
Data Source – an asset capable of creating and sending logs.
OSSIM supports logs from databases, syslog, WMI, etc.
8. OSSIM Architecture
Sensor
Asset Discovery
Vulnerability Scanning
Event Collection
Server
Policy
Risk Assessment
Correlation
SQL Storage
Forwarding
Logger
Log Storage for OSSIM
Digitally signed long-term storage
9. Minimum Requirements
Hardware requirement
8 CPU cores
16 GB RAM
1TB of HDD
3 Network Interfaces
Additional requirement
VMware or Hyper-V
OSSIM ISO file
OTX key (I’ll guide you on how to get it)
11. Factors to Consider
Before implementing OSSIM it is necessary to check the following areas.
EPS (Events Per Second)
Numbers of Assets
Bandwidth
Geographical locations
Network Boundaries
Time zones
Storage
15. Basic Configuration
Setting up the correct time zone
Configuring hostname
Setting up the correct time zone for the user
Configuring password for the configuration backup
16. Adding Assets & Configuring VA
Any device with an IP address is an asset.
Examples:
Firewalls
Servers
IP cameras
Mobile devices
Network printers
17. IDS in OSSIM
HIDS – host-based intrusion detection system
NIDS – network-based intrusion detection system
IDS is divided into HIDS and NIDS.
18. Setting up HIDS
What is HIDS?
A host-based intrusion detection system installs an agent on the device,
pulls the device logs into OSSIM, performs the correlation inside OSSIM
and generates the alarms. Agents that can ship the logs include:
OSSEC
NXLog
Filebeat
19. Setting up NIDS
Network-based intrusion detection analyzes the inbound and outbound
network traffic in the environment and the behavior of the traffic
generated. OSSIM does this without an agent on the host, which is
why it is called NIDS.
20. Adding devices and Enabling Plugins
Next we are going to integrate devices that send syslog. First ask
your network admin to forward syslog to UDP port 514 of the
OSSIM log collector IP.
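Before asking the network team to forward production logs, it helps to confirm that the path to UDP port 514 of the collector actually works. The script below is an added example (not from the slides or from OSSIM itself): it builds a BSD-style syslog line, sends it over UDP, and, for a self-contained demo, stands in for the collector with a local UDP listener on an ephemeral port. The hostname, tag and message text are constructed values; point send_syslog at the real collector IP and port 514 to test the actual forwarding path.

```python
import socket
import time

# Default syslog transport used by the OSSIM log collector (from the slide).
SYSLOG_UDP_PORT = 514

# RFC 3164 PRI value = facility * 8 + severity.
FACILITY_LOCAL0 = 16
SEVERITY_INFO = 6


def build_syslog_message(hostname, tag, text, facility=FACILITY_LOCAL0,
                         severity=SEVERITY_INFO, timestamp=None):
    """Build a BSD-style (RFC 3164) syslog line: <PRI>TIMESTAMP HOST TAG: MSG."""
    if timestamp is None:
        timestamp = time.strftime("%b %d %H:%M:%S", time.localtime())
    pri = facility * 8 + severity
    return f"<{pri}>{timestamp} {hostname} {tag}: {text}"


def send_syslog(message, collector_ip, port=SYSLOG_UDP_PORT):
    """Send one syslog line over UDP to the collector; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message.encode("utf-8"), (collector_ip, port))


def parse_pri(message):
    """Split the <PRI> header back into (facility, severity) as a sanity check."""
    end = message.index(">")
    pri = int(message[1:end])
    return pri // 8, pri % 8


def loopback_forwarding_check():
    """Stand in for the real collector with a local UDP listener on an ephemeral
    port, send one constructed message to it and return what was received.
    Replace the loopback address and port with the OSSIM collector IP and 514
    to exercise the real path."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))  # 0 = let the OS pick a free port
        listener.settimeout(2.0)
        ip, port = listener.getsockname()
        msg = build_syslog_message("fw-edge-01", "test", "syslog forwarding check",
                                   timestamp="Jan  1 00:00:00")  # constructed sample
        send_syslog(msg, ip, port)
        data, _ = listener.recvfrom(2048)
        return data.decode("utf-8")


if __name__ == "__main__":
    received = loopback_forwarding_check()
    print("collector received:", received)
    print("facility/severity:", parse_pri(received))
```

Because UDP is fire-and-forget, a successful sendto proves nothing about delivery; the listener side (here the loopback socket, in production a packet capture or the OSSIM event view on the collector) is what confirms the forwarding works.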
23. Plugins for CheckPoint firewall
What is a plugin?
OSSIM has nearly 1000 plugins for different devices.
For example, "Fw1.alt" is the plugin for CheckPoint.
26. Regular Expressions
Operator   Meaning
c          A non-special character matches itself
\c         Escapes the special meaning of the character c; \$ matches a literal $
^          Indicates the position at the beginning of the line
$          Indicates the position at the end of the line
.          Any individual character
[...]      One of the characters ...; accepts intervals of the type a-z, 0-9, A-Z
[^...]     A character different from ...; accepts intervals of the type a-z, 0-9, A-Z
27. Regular Expressions - Combinations
Regular expression   Matches with
a.b                  axb aab abb aSb a#b ...
a..b                 axxb aaab abbb a4$b ...
[abc]                a b c (one-character strings)
[aA]                 a A (one-character strings)
[aA][bB]             ab aB AB (two-character strings)
[0123456789]         0 1 2 3 4 5 6 7 8 9
[0-9]                0 1 2 3 4 5 6 7 8 9
[A-Za-z]             A B C ... Z a b c ... z
[0-9][0-9][0-9]      000 001 .. 009 010 .. 019 100 .. 999
28. Regular Expressions — Occurrence
Operator   Meaning
r*         0 or more occurrences of r
r+         1 or more occurrences of r
r?         0 or 1 occurrence of r, and no more
r{n}       n occurrences of r
r{,m}      0 or at most m occurrences of r
r{n,m}     n or more occurrences of r, but at most m
r1|r2      r1 or r2
29. Regular Expressions — Special Characters
Regular expression   Matches with                          Equals
\d                   Any decimal digit                     [0-9]
\D                   Any non-digit character               [^0-9]
\s                   Any whitespace character              [ \t\n\r\f\v]
\S                   Any non-whitespace character          [^ \t\n\r\f\v]
\w                   Any alphanumeric character and "_"    [a-zA-Z0-9_]
\W                   Any non-alphanumeric character        [^a-zA-Z0-9_]
\Z                   End of line
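A plugin regex is only useful when it actually matches the lines the device sends, and a pattern that silently fails to match is the usual reason events never appear in the SIEM. The following is an added example (not from the slides and not the real fw1 plugin) that combines the operators from the three tables above into one pattern and runs it over constructed firewall-style log lines, including one that does not fit. The field names and the key=value layout are assumptions chosen for the demo.

```python
import re
from collections import Counter

# Constructed firewall log lines (not real CheckPoint output): a syslog-style
# prefix followed by key=value fields. The last line is deliberately different.
SAMPLE_LINES = [
    "Jan 12 10:15:32 fw-edge-01 drop src=10.0.0.5 dst=203.0.113.7 proto=tcp dport=22",
    "Jan 12 10:15:33 fw-edge-01 accept src=10.0.0.9 dst=203.0.113.7 proto=tcp dport=443",
    "Jan 12 10:15:34 fw-edge-01 drop src=10.0.0.5 dst=203.0.113.8 proto=udp dport=53",
    "Jan 12 10:15:35 fw-edge-01 heartbeat ok",
]

# Operators from the tables: ^ and $ anchor the whole line, [A-Z][a-z]{2} is a
# three-letter month, \d{1,2} and \s+ cover the day and separators, r1|r2 lists
# the possible actions, \w+ takes the protocol word and (?:...){3} repeats the
# remaining three octets of a dotted-quad address.
LOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>[\w.-]+)\s+(?P<action>accept|drop|reject)\s+"
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"proto=(?P<proto>\w+)\s+dport=(?P<dport>\d{1,5})$"
)


def parse_line(line):
    """Return the named fields as a dict, or None when the line does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["day"] = int(fields["day"])
    fields["dport"] = int(fields["dport"])
    return fields


def parse_lines(lines):
    """Parse many lines; returns (parsed_events, unmatched_lines) so the
    unmatched ones can be counted instead of silently dropped."""
    parsed, unmatched = [], []
    for line in lines:
        event = parse_line(line)
        if event is None:
            unmatched.append(line)
        else:
            parsed.append(event)
    return parsed, unmatched


def drops_by_source(lines):
    """Count dropped connections per source address, e.g. to spot a noisy host."""
    parsed, _ = parse_lines(lines)
    return dict(Counter(ev["src"] for ev in parsed if ev["action"] == "drop"))


if __name__ == "__main__":
    events, leftovers = parse_lines(SAMPLE_LINES)
    print(f"parsed {len(events)} lines, {len(leftovers)} unmatched: {leftovers}")
    print("drops by source:", drops_by_source(SAMPLE_LINES))
```

Keeping the unmatched lines is the important habit: when a plugin is first enabled, compare the count of lines received with the count of events parsed, and tune the pattern until the gap is explained.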
31. Create a Simple Correlation
Logical correlation uses correlation directives to detect attacks.
By default, OSSIM includes almost 80 built-in directives.
Users can customize existing directives or create custom ones.
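To make the idea of a correlation directive concrete, here is an added example that is not an OSSIM directive (OSSIM directives are configured inside the product; the sliding-window rule below is a Python illustration written for this page). It raises one alarm when a threshold of failed-authentication events from the same source falls inside a time window, and it runs over a constructed event stream in which one source crosses the threshold and another spreads the same number of failures over a longer period.

```python
from collections import defaultdict, deque

# Constructed event stream: (epoch_seconds, source_ip, event_type). This is not
# OSSIM's event format; it carries only what the rule needs.
SAMPLE_EVENTS = [
    (0, "10.0.0.5", "auth_failure"), (5, "10.0.0.5", "auth_failure"),
    (10, "10.0.0.5", "auth_failure"), (12, "10.0.0.5", "auth_success"),
    (15, "10.0.0.5", "auth_failure"), (20, "10.0.0.5", "auth_failure"),
    (25, "10.0.0.5", "auth_failure"),
    # Same number of failures, but spread over more than the window: no alarm.
    (0, "10.0.0.7", "auth_failure"), (20, "10.0.0.7", "auth_failure"),
    (40, "10.0.0.7", "auth_failure"), (60, "10.0.0.7", "auth_failure"),
    (80, "10.0.0.7", "auth_failure"),
]


def correlate(events, event_type="auth_failure", threshold=5, window_s=60):
    """Single-level correlation rule: raise an alarm when `threshold` events of
    `event_type` from one source fall within `window_s` seconds.

    Events are processed in time order. Each source keeps a deque of recent
    timestamps; entries older than the window are discarded before counting.
    After an alarm the source's window is reset so one burst yields one alarm
    rather than one per additional event."""
    recent = defaultdict(deque)
    alarms = []
    for ts, src, etype in sorted(events):
        if etype != event_type:
            continue  # other event types do not feed this rule
        window = recent[src]
        window.append(ts)
        while window and ts - window[0] > window_s:
            window.popleft()
        if len(window) >= threshold:
            alarms.append({"source": src, "count": len(window),
                           "first": window[0], "last": ts})
            window.clear()
    return alarms


if __name__ == "__main__":
    for alarm in correlate(SAMPLE_EVENTS):
        print(f"ALARM repeated auth failures from {alarm['source']}: "
              f"{alarm['count']} events between t={alarm['first']} and t={alarm['last']}")
```

The two tunables, threshold and window, are exactly what customizing a built-in directive usually comes down to; the constructed 10.0.0.7 stream shows why the window matters, since the same count of events produces no alarm once they are spread out.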
32. Availability Monitoring
The last option to enable in OSSIM is availability monitoring.
As the name implies, it simply checks whether a resource or service is
available or not.
Service availability monitoring
Device availability monitoring
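The service-level half of this is a connect check. The script below is an added example, not part of the slides or of OSSIM's own availability monitor: it reports UP or DOWN for a list of host:port targets based on whether a TCP connection completes within a timeout, and its demo uses one listening and one closed port on loopback so it can be run without any real infrastructure. Device-level (ICMP) checks are not covered here because raw sockets need privileges.

```python
import socket


def check_tcp_service(host, port, timeout=2.0):
    """Service availability check: True when a TCP connection to host:port
    completes within `timeout` seconds; False on refusal, timeout or lookup error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def availability_report(targets, timeout=2.0):
    """Run the check over (host, port) pairs and return {'host:port': 'UP' | 'DOWN'}."""
    return {f"{host}:{port}": ("UP" if check_tcp_service(host, port, timeout) else "DOWN")
            for host, port in targets}


def loopback_demo():
    """Self-contained demo: one listening port (expected UP) and one port that was
    bound and released (expected DOWN), both on 127.0.0.1. Returns the two states."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # ephemeral port chosen by the OS
    listener.listen(1)                 # the kernel completes handshakes for us
    up_port = listener.getsockname()[1]

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    down_port = probe.getsockname()[1]
    probe.close()                      # nothing listens on down_port any more

    try:
        report = availability_report([("127.0.0.1", up_port), ("127.0.0.1", down_port)],
                                     timeout=1.0)
    finally:
        listener.close()
    return report[f"127.0.0.1:{up_port}"], report[f"127.0.0.1:{down_port}"]


if __name__ == "__main__":
    print(loopback_demo())
```

A connect check only proves that something accepts connections on the port; for a real service check, pair it with an application-level probe (an HTTP request, a banner read) so that a hung process behind an open socket is not reported as UP.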
I have been working as a SOC analyst in the past year and did
Cyber security is the key challenge for any kind or size of company, because of the rapid development of new technology.
There are multiple solutions to overcome this challenge. But when considering the effectiveness of these solutions, the security operations center, or simply SOC, leads the industry with its continuous monitoring capability.
When it comes to a SOC, people believe it is an expensive solution. But to overcome this, anyone can go for open solutions.
So let me introduce you to a world-recognized open source tool with many useful features.
Cyber security is a challenge for many organizations today. Rapid changes in the threat landscape force many organizations to adopt expensive security solutions even when the organization is not ready for such a solution.
Establishing an organization-wide security operations center (SOC) is perceived as a solution to meet the challenges of cyber security by introducing 24 x 7 monitoring of critical networks.
OSSIM is an open source product with many useful features that will allow you to take the first steps towards establishing a SOC. It will also allow you to adopt the PEOPLE PROCESS TECHNOLOGY approach for your cyber security solution.
It is important to understand the strengths and weaknesses of the OSSIM tool.
Anything that has an IP address can be declared as an asset. If those assets are capable of creating and sending any type of logs into a SIEM, then they are data sources.
OSSIM supports logs from databases, syslog, WMI, etc. In addition to that we also forward a copy of the network traffic (SPAN) towards OSSIM. I've seen some antivirus engines that do not support syslog but dump their events into a local database. In such cases we configure OSSIM to log in to those databases and fetch logs at regular intervals.
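Fetching events from a product's local database at regular intervals works only if each poll picks up just the rows that arrived since the last one. The following is an added example (not OSSIM's database collector) of that incremental pattern: an in-memory SQLite table stands in for the antivirus event database, a high-water mark on the row id tracks what has already been sent, and each new row is normalised into a syslog-style line of the kind OSSIM could then parse. The table, column names and the sample rows are all constructed assumptions.

```python
import sqlite3

# Constructed stand-in for an antivirus product's local event database.
# Table and column names are assumptions for the demo, not a vendor schema.
SAMPLE_ROWS = [
    (1, "2024-01-12 10:15:32", "ws-042", "Trojan.Generic", "quarantined"),
    (2, "2024-01-12 10:16:05", "ws-017", "EICAR-Test-File", "deleted"),
    (3, "2024-01-12 10:20:41", "ws-042", "PUA.Adware", "quarantined"),
]


def make_sample_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE av_events (id INTEGER PRIMARY KEY, ts TEXT, "
                 "host TEXT, threat TEXT, action TEXT)")
    conn.executemany("INSERT INTO av_events VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def fetch_new_events(conn, last_id):
    """Incremental fetch: only rows with id > last_id, in id order, so each
    polling interval forwards every event exactly once. Returns (events, new_last_id)."""
    cur = conn.execute("SELECT id, ts, host, threat, action FROM av_events "
                       "WHERE id > ? ORDER BY id", (last_id,))
    rows = cur.fetchall()
    events = [{"id": r[0], "timestamp": r[1], "host": r[2], "threat": r[3], "action": r[4]}
              for r in rows]
    new_last_id = rows[-1][0] if rows else last_id
    return events, new_last_id


def to_syslog_line(event):
    """Normalise one DB row into a single syslog-style line a SIEM plugin could parse."""
    return (f"{event['timestamp']} {event['host']} av: threat={event['threat']} "
            f"action={event['action']} id={event['id']}")


def poll_cycle(conn, last_id):
    """One scheduled run: fetch what is new, format it, and return the lines
    together with the high-water mark to persist for the next run."""
    events, last_id = fetch_new_events(conn, last_id)
    return [to_syslog_line(e) for e in events], last_id


if __name__ == "__main__":
    db = make_sample_db()
    lines, mark = poll_cycle(db, 0)      # first run picks up everything
    print(f"run 1: {len(lines)} lines, high-water mark {mark}")
    lines, mark = poll_cycle(db, mark)   # nothing new yet
    print(f"run 2: {len(lines)} lines, high-water mark {mark}")
```

The high-water mark must survive restarts of the collector (a small state file is enough); if it is lost, the next run re-sends the whole table and the correlation engine sees every old detection as new.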
To perform the basic OSSIM functionality, these are the requirements.
Does anybody know what a plugin is?
Let's move on to the simple correlation.
I'll show a simple dashboard and we will try to understand it.