Target Audience
Systems administrators
Security Operators
Requirements
Previous Knowledge
Networking
Security
Technical Requirements
Internet access
Recommendations
ACSA - Contents
Introduction to AlienVault
Components
User Management
Architecture
Policies
Installation
Logger
Configuration
Vulnerability Management
Security Analysis
Integrated Tools
Ticketing System
Basic Concepts
Reporting System
AlienVault
What is AlienVault?
Data Aggregation
Correlation
Alerting
Dashboards
Compliance
Retention
SCP
SQL
WMI
Sensor
AlienVault: Correlation
Figure: the Sensor forwards three "SSH Auth failed event from X to Y" events followed by one "SSH Successful Auth event from X to Y" to the SIEM, which correlates the sequence into a single alarm.
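The sequence in the figure, implemented as a toy correlation directive: several failed SSH authentications from X to Y inside a time window, followed by a successful one from X to Y, raise one alarm. This is an added example, not AlienVault code; the event type names, field names and sample event stream are constructed for illustration.

```python
from collections import defaultdict

FAILED = "ssh_auth_failed"      # constructed normalized event type names
SUCCESS = "ssh_auth_success"


def correlate(events, threshold=3, window=300):
    """Return one alarm per (src, dst) pair that produced at least
    `threshold` failed SSH authentications inside `window` seconds and
    then a successful one. `events` are dicts with keys ts (epoch
    seconds), type, src and dst, assumed to arrive in time order."""
    failures = defaultdict(list)   # (src, dst) -> timestamps of failures
    alarms = []
    for ev in events:
        key = (ev["src"], ev["dst"])
        if ev["type"] == FAILED:
            # drop failures that fell out of the window, then record this one
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= window]
            failures[key].append(ev["ts"])
        elif ev["type"] == SUCCESS:
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alarms.append({
                    "name": "SSH brute force followed by successful login",
                    "src": ev["src"], "dst": ev["dst"],
                    "failed_events": len(recent),
                    "first_ts": recent[0], "last_ts": ev["ts"],
                })
            # a successful login ends the sequence whether or not it alarmed
            failures.pop(key, None)
    return alarms


def _event(ts, etype, src, dst):
    return {"ts": ts, "type": etype, "src": src, "dst": dst}


# Constructed sample stream: X = 10.0.0.5 fails three times against
# Y = 192.168.1.10 and then logs in; 10.0.0.7 fails only twice before
# logging in; 10.0.0.9 fails three times but succeeds long after the window.
SAMPLE_EVENTS = [
    _event(100, FAILED, "10.0.0.5", "192.168.1.10"),
    _event(130, FAILED, "10.0.0.5", "192.168.1.10"),
    _event(150, FAILED, "10.0.0.7", "192.168.1.10"),
    _event(160, FAILED, "10.0.0.5", "192.168.1.10"),
    _event(170, FAILED, "10.0.0.7", "192.168.1.10"),
    _event(200, SUCCESS, "10.0.0.5", "192.168.1.10"),
    _event(210, SUCCESS, "10.0.0.7", "192.168.1.10"),
    _event(1000, FAILED, "10.0.0.9", "192.168.1.10"),
    _event(1010, FAILED, "10.0.0.9", "192.168.1.10"),
    _event(1020, FAILED, "10.0.0.9", "192.168.1.10"),
    _event(2000, SUCCESS, "10.0.0.9", "192.168.1.10"),
]


def demo():
    """Run the directive over the constructed stream; only X -> Y alarms."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alarm in demo():
        print(alarm)
```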
AlienVault: Alerting
DOS Attack Against
WebServer
AlienVault: Dashboards
AlienVault: Compliance
AlienVault: Retention
SAN
Logger
NAS
Data Aggregation
Correlation
Alerting
Dashboards
Compliance
Retention
Vulnerability Management
Situation Awareness
NIDS
HIDS
WIDS
Network Monitoring
Vulnerability Management
Centralized Reports
Compliance auditing
Sensor
Default user and password enabled in the running service
Situation Awareness
Technology
Identity Monitoring
Active Directory
LDAP
Authentication Logs
Network Auto-Discovery
Topology Map
Inventory
Profiling
Time-Service-Usage Profiling
Resource Monitoring
Network Monitoring
Network Availability
Host resources
Anomaly Detection
Flows
NIDS
Figure: network traffic is mirrored from a Switch, or copied by a Network Tap, to the Sensor, which inspects it for Malware, Network anomalies and User activity.
HIDS
Sensor
Logon failure: Account currently disabled
WIDS
Suspicious Client
Sensor
running a WIDS
The Market
Large Vendors
Sold in combination with
other products
Pure SIEM
Pure Management Layer
Unified SIEM
Integrate other
Security Functions
Security Context
Technologies
Data Abstraction
Risk
Incidents
High Level
Metrics
Medium Level
Tens of Incidents
Security Events
Security Events
AlienVault SIEM
AlienVault Logger
Logs
AlienVault Sensors
Low Level
Millions of Logs
Security Technology
Management
Unification of technologies
SIEM
Incident
Management
Risk
Intelligence
Storage
Detection
Prevention
Awareness
HIDS
File integrity
Identity
Vulnerability
Assessment
Threat
Assessment
Inventory
Resources
AlienVault SIEM
Correlation
Dashboards
Events aggregation
Action / Response
Reports
Forensic Storage
Alerting system
Vulnerability Management
AlienVault SIEM
Operating Systems
Security Devices
Applications
Network electronics
3 major components
Sensor
Event Collection
NIDS / WIDS / HIDS
Network monitoring
Vulnerability Scanning
Logger
Massive Log Storage
Legal evidence
Ensure integrity
SIEM
Correlation
Risk Assessment
Vulnerability Management
Real-time Monitoring
3 major components
Sensor
Events generated in the Network are collected by the AlienVault Sensor.
Applications running in the AlienVault Sensor generate security events
that are also collected by the AlienVault Sensor.
The AlienVault Sensor generates a normalized event that is sent to the
SIEM and to the Logger.
Logger
AlienVault Logger provides forensically-secure storage of all raw data.
This creates a court-admissible record of network activity.
SIEM
AlienVault SIEM processes all data provided by network devices and
AlienVault Sensors.
The AlienVault SIEM leverages the Network Inventory created by AlienVault Sensors, as well as external Threat Databases, to cross-correlate events, weeding out false positives and providing actionable intelligence.
Challenges
Roadblocks
Underperformance
AlienVault is:
A tool that can aggregate events from both Open Source and
Commercial tools
AlienVault is not:
Detection capabilities
Adaptability
Customization
Scalability
WIDS
NIDS
HIDS
Vulnerability Management
Network Monitoring
Open Source
Professional SIEM
Support
Community
7x24
Quality Assurance
Community
Professional Q&A
Security
Not audited
Audited
Performance
Moderate
SIEM Intelligence
Logical Correlation
Simple Taxonomy
Cross Correlation
Rich Taxonomy
Logger
N/A
Reports
< 25 + Jasper
Scalability/HA
N/A
Compliance
Updates
None
User Management
The Company
The Offices
The products
The Appliances
The services
Performance
& Scalability
ACSA
Dimensioning
ACSE
On-site
Training
Consultative
Architecture
Consulting
Training
AlienVault Services
Basic
Support
Administration
Support
Implementation
Upgrades
Premium 8x5
Support
Premium
24x7 Support
Installation
Configuration
References
Partners
Partners
Open Source
Components
Sensor
Syslog
SCP
Normalized events
SQL
WMI
Sensor
Logger
SIEM
Sensor
Sensor 1
Sensor 1
NY Headquarters
Sensor 3
Sensor
Collection Methods
Custom DS Connectors
OUTPUT
SYSLOG
WMI
SQL
SDEE
SOCKET
SNMP
NORMALIZATION
SAMBA
FILTERING
SCP
CLASSIFICATION
FTP
LOGGER
SIEM
Sensor
Sensor
Vulnerability Scanning
Availability Monitoring...
HUB
Network Tap
Logger
For this purpose the Logger is usually configured so that events are stored on a NAS / SAN network storage system.
SIEM
Risk assessment
Correlation
Risk metrics
Vulnerability scanning
Real-time monitoring
SIEM
Correlation
Risk Assessment
Policy
Collection
EVENTS
SQL Storage
SIEM
EVENTS
Database
Web interface
Inventory Management
Configuration
Forensic Analysis
Vulnerability scanning
Architecture
AlienVault Architecture
Web Interface
SQL Database
EVENTS
SIEM
Disk Storage
Logger
Sensor
Operating Systems
Security Devices
Applications
Network electronics
SQL
SYSLOG
SNARE
SDEE
OPSEC
SYSLOG
SYSLOG
SAMBA
SCP
OPSEC
SYSLOG
FTP
WMI
SYSLOG
SYSLOG
WMI
Log collection
LOG COLLECTION
SDEE
SYSLOG
SDEE
SYSLOG
SNMP
Port mirroring
PORT MIRRORING
SENSOR 1
SENSOR 3
SENSOR 2
AlienVault Deployment
PORT MIRRORING
LOG COLLECTION
SDEE
FTP
WMI
SYSLOG
WMI
SYSLOG
ALIENVAULT INTERNAL
COMMUNICATIONS
OPSEC
SYSLOG
SYSLOG
SDEE
SENSOR 1
SYSLOG
SDEE
SENSOR 2
OPSEC
SYSLOG
SYSLOG
SQL
SYSLOG
SAMBA
SNARE
SCP
SNMP
SENSOR 3
Simple Deployment
A single Customer
A single location
Simple Deployment
Network 1
Web Interface
SQL Database
Network 2
Network 3
SIEM
Network Traffic
Logger
Events
Sensor
Customer Premises
Simple Deployment II
A single Customer
Multiple locations
Simple Deployment II
Logger
Sensor
SIEM
SQL Database
Web Interface
Headquarters
Sensor
Office 1
Sensor
Office 2
Sensor
Office 3
Complex Deployment
Multiple Customers
Multiple Locations
Complex Deployment
Web Interface
Web Interface
SQL Database
SIEM
SIEM
SQL Database
Logger
Logger
Logger
Sensor
Services Provider
Customer 1
Sensor
Customer 2
Sensor
Sensor
Customer 3
National Deployment
Some locations can have multiple Sensors, with or without a Logger or SIEM, which can be used to consolidate at State level or to provide Storage or Correlation at multiple levels.
World Deployment
Sensor
Logger
Performance
SIEM
Performance
Database
The SIEM, the Logger and the Web Interface all access the information stored in the Database.
Web Interface
Installation
Hardware recommendations
64 Processor
"Divide et vinces"
Recommendations
For network traffic analysis, ensure your NIC supports the e1000 driver.
Recommendations II
The best network cards should always be used for the listening interfaces (promiscuous mode).
Check List
Rack Space
Power
Network Configuration
Port mirroring
IP addresses
Professional Key
Installation Profiles
OCS (Inventory)
The Server installation profile also comes with a Sensor with limited functionality to monitor the Server itself.
Even if only the Logger profile is enabled (and not the SIEM), a database will be required to store the inventory information and the configuration parameters.
The Web Interface profile will install and configure the Web Management interface component. A single Web Management interface will be deployed on every AlienVault installation. More complex deployments with multiple AlienVault Servers may have more than one box with the Web Interface profile enabled.
The AlienVault Web Interface is the installation profile that uses the lowest amount of memory and CPU. For this reason, the Web Interface is usually installed together with the Server profile.
The All-in-one profile will enable all profiles in a single box. This is the default installation profile and it will be enabled if the user performs an automated installation.
Installation Overview
Automated Installation
Custom Installation
2. Configure networking
3. Configure keyboard
4. Configure location
system.
5. Set up users and passwords
6. Load the newly installed system for the first time
Configuration
# date
To set the current system time, use the following form of the date command:
# date MMDDhhmm[CC]YY[.ss]
# ntpdate pool.ntp.org
# dpkg-reconfigure console-data
# dpkg-reconfigure tzdata
# alienvault-setup
/etc/ossim/ossim_setup.conf
You can edit this file using any text editor (vim, nano, pico).
# alienvault-reconfig
# alienvault-setup
Then select the option Change Sensor Settings and then Enable/Disable detector plugins. You will get a list of enabled and disabled plugins; press space over the name of a plugin to enable or disable it. To apply the changes select Save & Exit in the main menu.
Once a plugin has been enabled you may need to configure it. Plugin configuration files are stored in the directory /etc/ossim/agent/plugins, where you will find a .cfg file for each plugin. You may need to edit the location parameter to point the AlienVault collector to the file in which the logs of that application are being stored. If you modify the configuration file of one of your plugins, type the following command to restart the OSSIM Agent:
# /etc/init.d/ossim-agent restart
# alienvault-setup
Then choose Change Sensor Settings and then Select interfaces in promiscuous mode, and select Save & Exit to apply the changes.
alienvault-reconfig
/etc/snort*
/etc/default/ntop
/etc/rsyslog.conf
/etc/ossim/agent/config.cfg
/etc/ossim/ossim-setup.conf
/etc/network/interfaces
alienvault-reconfig
/etc/ossim/server/config.xml
/etc/ossim/framework.conf
/etc/mysql/my.cnf
/etc/logrotate*
.....
/etc/default/fprobe
VPN Configuration
The VPN server will be configured on the machine running the Server profile. If we want to include another AlienVault component in the VPN, we have to run this command on the machine running the Server profile. In the following examples we will use the IP address 192.168.0.200, as if it were a box running the Collector profile:
This command will generate a compressed file containing all the files required to configure the VPN in the AlienVault component we want to put inside the VPN network. This file will be stored in the following directory:
/etc/openvpn/nodes/
Network Configuration
# alienvault-reconfig
Setting up DNS
You can add hostnames and IP addresses to the file /etc/hosts for static lookups. To make your machine consult a particular server for name lookups, you simply add its address to /etc/resolv.conf.
For example, a machine which should perform lookups from the DNS server at IP address 192.168.1.200 would have a resolv.conf file looking like this:
search my.domain
nameserver 192.168.1.1
Network Configuration
The IP addresses associated with any network cards you might have are read from the file /etc/network/interfaces. This file has documentation you can read with:
# man interfaces
A sample entry for a machine with a static address (eth0) would look like this:
allow-hotplug eth0
iface eth0 inet static
address 192.168.1.133
netmask 255.255.0.0
network 192.168.0.0
broadcast 192.168.255.255
gateway 192.168.1.1
dns-nameservers 192.168.1.100
If you make changes to this file you can cause them to take effect by running:
# /etc/init.d/networking restart
Network Configuration
Network Configuration
The default route for a host with a static IP address can be set in /etc/network/interfaces.
To change your default route you must first remove the current one. The current routing table can be listed with:
# netstat -nr
Network Configuration
In case you change the management IP address of one of your AlienVault boxes, you have to do the following to make sure that all components using the old IP address now use the new one.
Once you have modified /etc/network/interfaces and restarted networking, you will need to edit the file /etc/ossim_setup.conf
In this file you can simply search for the old IP address and replace it with the new one, or take a look at the following parameters:
Once you have set the correct IP addresses you can generate all configuration files by running:
# alienvault-reconfig
Insert a line for each network interface with the following format:
eth0 mac 00:17:31:56:BC:2D
eth1 mac 00:16:3E:2F:0E:9C
Network cards with more than one interface usually have consecutive MAC addresses.
If you want to add exceptions to that firewall, write your own rules (iptables firewall rules) in the following file:
/etc/ossim/firewall_include
and execute:
# alienvault-setup
# alienvault-reconfig
Basic Tools
Tcpdump
List the interfaces available for capture:
# tcpdump -D
Listen on interface eth0:
# tcpdump -i eth0
Listen on any available interface:
# tcpdump -i any
Capture any packets with source or destination port 22:
# tcpdump port 22
Capture any packets where the destination host is 192.168.1.1. Display IP addresses and port numbers:
# tcpdump -n dst host 192.168.1.1
Capture any packets where the source host is 192.168.1.1. Display IP addresses and port numbers:
# tcpdump -n src host 192.168.1.1
Capture any packets where the source or destination network is 192.168.1.0/24. Display IP addresses and port numbers:
# tcpdump -n net 192.168.1.0/24
Capture any packets where the destination port is 23. Display IP addresses and port numbers:
# tcpdump -n dst port 23
Capture any packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:
# tcpdump -n dst portrange 1-1023
Capture any packets with destination IP 192.168.1.1 and destination port 23. Display IP addresses and port numbers:
# tcpdump -n "dst host 192.168.1.1 and dst port 23"
Capture any packets with destination IP 192.168.1.1 and destination port 80 or 443. Display IP addresses and port numbers:
# tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)"
Capture only TCP packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:
# tcpdump -n "tcp dst portrange 1-1023"
Tcpreplay
Tcpreplay is a tool for replaying network traffic from files saved with tcpdump or other tools which write pcap files (Ngrep, Wireshark, Tshark...).
Basic Usage: replay the sample.cap file (send the traffic out of interface eth0):
# tcpreplay -i eth0 sample.cap
http://www.pcapr.net/
https://www.evilfingers.com/repository/pcaps.php
http://sourceforge.net/projects/networkminer/
Ngrep
Monitor all activity crossing source or destination port 25 (SMTP), on any interface:
# ngrep -d any port 25
Determine the client application that a client host is running (HTTP requests, including the User-Agent header):
# ngrep -d eth0 -q -t '^(GET|POST) ' 'src host 12.13.14.15 and tcp and dst port 80'
IPTraf
Usage:
# iptraf
Wireshark
Wireshark is very similar to tcpdump, but has a graphical frontend and many more options for sorting and filtering information.
Etherape
Tshark
Display the source port of all tcp packets in the file /tmp/capture.cap.
Ethtool / mii-tool
Ethtool
# ethtool eth0
Mii-tool
Usage
# mii-tool
Dsniff
Nmap
Scan a single host:
# nmap 172.18.1.1
Scan a single host with service version detection:
# nmap -sV 172.18.1.1
Network scan
# nmap 172.18.1.*
# nmap 172.18.1.0/16
Honeypots
Spam
Malware
Port Scans
Shellcodes
Vulnerability Scan
Honeypots
mwcollect
http://www.mwcollect.org
Dionaea
http://www.mwcollect.org
Honeypots
Amun
http://amunhoney.sf.net
Omnivora
http://www.ohloh.net/p/omnivora
Websites - Security
http://www.shadowserver.org
http://isc.sans.edu
Websites - Malware
Malware samples
http://www.malwareurl.com
http://www.malwaredomainlist.com
WARNING: These sites contain samples of live malware. Use at your own risk.
Malware Analysis
http://www.virustotal.com
http://www.threatexpert.com
http://www.offensivecomputing.net
Backtrack
http://www.backtrack-linux.org/
Metasploit
http://www.metasploit.com
Metasploitable
http://blog.metasploit.com/2010/05/introducing-metasploitable.html
http://www.metasploit.com/documents/express/Metasploitable.zip.torrent
Integrated Tools
Tools Classification
The passive tools require port mirroring / a SPAN port configured in the network equipment in order to analyze all the traffic of the monitored network(s).
Snort
NIDS
PASSIVE TOOL
http://www.snort.org
Port scans
Worms
Malware
Snort
PASSIVE TOOL
NIDS
Policy violations
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Megaupload file download service access"; flow:to_server,established; content:"GET "; depth: 4; uricontent:"/?d="; content:"|0d 0a|Host\: "; content:"megaupload.com"; within:25; nocase; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009301; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Download_Services; sid:2009301; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Porn-Sports-Gambling site designed to bypass restrictions"; flow:to_server,established; content:"Host\:"; nocase; pcre:"/Host\:[^\n]+\.(bodog|bodogbeat|bodognation|bodogmusic|bodogconference|bodogpokerchampionships)\.com/i"; reference:url,www.bodog.com; classtype:policy-violation; reference:url,doc.emergingthreats.net/2003100; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_bodog.com; sid:2003100; rev:4;)
Malware
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus (IAInstall.exe)"; flow:established,to_server; uricontent:"/download/IAInstall.exe"; nocase; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; reference:url,doc.emergingthreats.net/2010447; sid:2010447; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: (msg:"ET MALWARE 404 Response with an EXE Attached - Likely Malware Drop"; flow:established,from_server; content:"HTTP/1.1 404 Not Found|0d 0a|"; depth:24; content:"|0d 0a 0d 0a|MZ"; distance:0; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2009028; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_404_EXE; sid:2009028; rev:2;)
Snort
PASSIVE TOOL
NIDS
Scans
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET SCAN Unusually Fast 403 Error Messages, Possible Web Application Scan"; flow:from_server,established; content:"HTTP/1.1 403"; depth:13; threshold: type threshold, track by_dst, count 35, seconds 60; classtype:attempted-recon; reference:url,www.checkupdown.com/status/E403.html; reference:url,doc.emergingthreats.net/2009749; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_403; sid:2009749; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"ET SCAN Rapid POP3 Connections - Possible Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 10, seconds 120; classtype: misc-activity; reference:url,doc.emergingthreats.net/2002992; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_General_Services; sid: 2002992; rev:5;)
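A small parser for the Snort rule format shown in the examples above, useful when inventorying a rule set by sid, classtype and references before tuning it. This is an added example, not Snort or AlienVault code; it handles the subset of the syntax used by the rules on this page (quoted values, backslash escapes such as "\:", and "|hex|" content), not the full Snort grammar. The two sample rules are copied from the slides above.

```python
import re

# Two rules copied from the slides (Emerging Threats signatures).
POP3_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"ET SCAN Rapid POP3 '
    'Connections - Possible Brute Force Attack"; flags: S,12; threshold: type '
    'both, track by_src, count 10, seconds 120; classtype: misc-activity; '
    'reference:url,doc.emergingthreats.net/2002992; '
    'reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/'
    'SCAN_General_Services; sid: 2002992; rev:5;)'
)
EXE_404_RULE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: (msg:"ET MALWARE '
    '404 Response with an EXE Attached - Likely Malware Drop"; '
    'flow:established,from_server; content:"HTTP/1.1 404 Not Found|0d 0a|"; '
    'depth:24; content:"|0d 0a 0d 0a|MZ"; distance:0; classtype:attempted-admin; '
    'reference:url,doc.emergingthreats.net/bin/view/Main/2009028; sid:2009028; rev:2;)'
)

# header: action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$", re.S)


def split_options(body):
    """Split the option body on ';' characters that are outside double
    quotes, keeping backslash escapes (Snort writes ':' and ';' inside
    content as '\\:' and '\\;') attached to their value."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def parse_rule(rule):
    """Return the header fields plus 'options' as (keyword, value) pairs;
    value is '' for keywords that take no argument (e.g. nocase)."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax: %.40r" % rule)
    fields = m.groupdict()
    body = fields.pop("body")
    fields["options"] = []
    for opt in split_options(body):
        key, _, val = opt.partition(":")
        fields["options"].append((key.strip(), val.strip()))
    return fields


def summarize(rule):
    """The fields an analyst wants when triaging an alert from this rule."""
    p = parse_rule(rule)
    single = dict((k, v) for k, v in p["options"]
                  if k in ("msg", "sid", "rev", "classtype"))
    return {
        "sid": int(single["sid"]), "rev": int(single["rev"]),
        "msg": single["msg"].strip('"'), "classtype": single["classtype"],
        "direction": "%s %s:%s %s %s:%s" % (p["proto"], p["src"], p["sport"],
                                            p["dir"], p["dst"], p["dport"]),
        "references": [v for k, v in p["options"] if k == "reference"],
        "content_matches": [v for k, v in p["options"]
                            if k in ("content", "uricontent", "pcre")],
    }


if __name__ == "__main__":
    for r in (POP3_RULE, EXE_404_RULE):
        print(summarize(r))
```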
Ntop
Network Monitor
PASSIVE TOOL
http://www.ntop.org
Assets information
PASSIVE TOOL
Network Anomalies
PASSIVE TOOL
Fprobe
NetFlows generator
http://fprobe.sf.net
NetFlows
PASSIVE TOOL
NFDump
Netflows collection
http://nfdump.sourceforge.net/
NetFlows
NFSen
http://nfsen.sourceforge.net/
NetFlow is a network protocol developed by Cisco Systems to run on Cisco IOS-enabled equipment for collecting IP traffic information.
OCS
Inventory
Agent
ACTIVE TOOL
http://www.ocsinventory-ng.org
Vulnerability Management
Policy violations
Hardware monitoring
Nagios
Availability Monitor
Agent - Web
ACTIVE TOOL
http://www.nagios.org
Nagios
ACTIVE TOOL
Availability Monitor
Agent - Web
OpenVas
Vulnerability Scanning
ACTIVE TOOL
http://www.openvas.org
Compliance monitoring
OpenVas
Vulnerability Scanning
Misconfigured scans may severely impact the scanned network. After installation, the first scanning profiles have to be defined and watched over very carefully.
ACTIVE TOOL
Nikto
Vulnerability Scanning
ACTIVE TOOL
http://cirt.net/nikto2
OSVDB
Database
http://www.osvdb.org
OSVDB
Vulnerability Description
Database
OSVDB
Tool relationships
Database
ACTIVE TOOL
OSSEC
http://www.ossec.org
Agents
HIDS
OSSEC
ACTIVE TOOL
OSSEC provides its own plugin system used for Windows and
UNIX tool analysis.
HIDS
Agents
Kismet
PASSIVE TOOL
WIDS
http://www.kismetwireless.net
Kismet will work with any wireless card which supports raw
monitoring (rfmon) mode, and (with appropriate hardware) can sniff
802.11b, 802.11a, 802.11g, and 802.11n traffic.
Rogue AP detection
Nmap
ACTIVE TOOL
http://www.nmap.org
Asset Discovery
Scanner
P0f
http://lcamtuf.coredump.cx/p0f.shtml
Inventory Management
PASSIVE TOOL
OS Fingerprinting
Pads
Services Fingerprinting
PASSIVE TOOL
http://passive.sourceforge.net
Inventory Management
Policy violations
Inventory correlation
Arpwatch
MAC Fingerprinting
PASSIVE TOOL
http://ee.lbl.gov
Inventory Management
ARPSpoofing
Nedi
Network Discovery
ACTIVE TOOL
http://nedi.ch
Basic Concepts
Detection
Collection
Normalization
Data Source
Regular expressions
Normalization rules
.sql:
Correlation
Event
Data Source ID
Event Type
Asset
Assets in AlienVault:
Network Group
Network
Host Group
Host
Asset Value
Assets will have different values depending on their role within the monitored network.
Asset Value
While the events are being processed, the AlienVault system needs to know the Asset Value of every Asset (Correlation and Policy rules).
If the Asset has not been defined in the AlienVault Inventory, the AlienVault system will try to get the Asset Value from the larger Assets this host may belong to:
1st - Host
3rd - Network
Event Priority
0 No importance
1 Very Low
2 Low
3 Average
4 Important
5 Very Important
Event reliability
0 False Positive
10 Real attack
Event Risk
The SIEM calculates a risk value for each event it processes.
Example event: Event Priority = 2, Event Reliability = 10 (Source -> Destination)
Alarm
An alarm is a special type of event, since it can have more than one event originating it.
Aggregated Risk
Apart from calculating a risk value for each event, the AlienVault SIEM also maintains an Aggregated Risk indicator for each asset of our network.
Compromise
Figure: the Attacker (Source) and the Target (Destination); each event raises the Compromise (C) level of the source asset and the Attack (A) level of the destination asset.
Example event: Event Priority = 2, Event Reliability = 10, Source Asset Value = 2
Compromise level increase = (Source Asset Value * Event Priority * Event Reliability) / 25
Compromise level increase = (2*2*10) / 25 = 1.6
Attack
This value increases the attack value of the host, the attack value of the host groups, networks and network groups the host belongs to, as well as the global attack value.
Example event: Event Priority = 2, Event Reliability = 10, Destination Asset Value = 5
Attack level increase = (Destination Asset Value * Event Priority * Event Reliability) / 25
Attack level increase = (5*2*10) / 25 = 4
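The risk arithmetic of the last slides carried through in code: each event raises the compromise level of its source asset and the attack level of its destination asset by (asset value * priority * reliability) / 25, and the increase is also applied to the host groups, networks and network groups the asset belongs to and to the global value. This is an added example, not AlienVault code; the inventory, the container memberships and the assumption that compromise propagates to the source's containers the same way attack propagates to the destination's are constructed for illustration.

```python
# Constructed inventory: asset value per asset (hosts and their containers).
ASSET_VALUE = {
    "10.0.0.5": 2,          # attacker-side host from the slides (value 2)
    "192.168.1.10": 5,      # target from the slides (value 5)
    "HG_workstations": 2, "NET_lan": 2,
    "HG_webservers": 5, "NET_dmz": 5, "NG_corporate": 5, "GLOBAL": 5,
}
# Constructed membership: host -> [host group, network, network group, global].
CONTAINERS = {
    "10.0.0.5": ["HG_workstations", "NET_lan", "NG_corporate", "GLOBAL"],
    "192.168.1.10": ["HG_webservers", "NET_dmz", "NG_corporate", "GLOBAL"],
}


def event_risk_increase(asset_value, priority, reliability):
    """(asset value * priority * reliability) / 25, as on the slides.
    Priority is 0..5 and reliability 0..10, so the result is 0..2*asset."""
    return asset_value * priority * reliability / 25


def apply_event(levels, src, dst, priority, reliability):
    """Update the aggregated compromise (C) and attack (A) levels kept in
    `levels` for one event and return the two increases. The compromise
    increase uses the source asset value, the attack increase the
    destination asset value; both are added to the host and to every
    container it belongs to (assumed symmetric for C and A)."""
    c_inc = event_risk_increase(ASSET_VALUE[src], priority, reliability)
    a_inc = event_risk_increase(ASSET_VALUE[dst], priority, reliability)
    for asset in [src] + CONTAINERS[src]:
        levels.setdefault(asset, {"C": 0.0, "A": 0.0})["C"] += c_inc
    for asset in [dst] + CONTAINERS[dst]:
        levels.setdefault(asset, {"C": 0.0, "A": 0.0})["A"] += a_inc
    return c_inc, a_inc


def demo():
    """Replay the slide's event (priority 2, reliability 10) and then a
    weaker follow-up event (priority 1, reliability 5) on the same pair.
    Returns the first event's increases and the resulting level table."""
    levels = {}
    c_inc, a_inc = apply_event(levels, "10.0.0.5", "192.168.1.10", 2, 10)
    apply_event(levels, "10.0.0.5", "192.168.1.10", 1, 5)
    return c_inc, a_inc, levels


if __name__ == "__main__":
    c, a, table = demo()
    print("compromise increase %.1f, attack increase %.1f" % (c, a))
    for asset, lv in sorted(table.items()):
        print("%-16s C=%.1f A=%.1f" % (asset, lv["C"], lv["A"]))
```

The page also describes a recovery step that lowers these levels over time; it gives no value for it, so the example does not model it.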
Recovery
The vast majority of events carry a certain risk; that is why it is common for our assets to have a certain attack and compromise level.
E.g.: A web server exposed to the network will always have a high attack value.
Correlation
Multilevel
SIEM
SQL Storage
EVENTS
Risk Assessment
Log Signature
Policy
Policy
Collection
Collection
EVENTS
Disk Storage
Correlation
SIEM: Correlation
SIEM: Correlation
SIEM: Correlation
SIEM
Correlation
Risk Assessment
Policy
Collection
EVENTS
SQL Storage
Logical Correlation
Using logical correlation, new events are generated from the information provided by the detectors and monitors.
The events generated during this type of correlation will have new priority and reliability values.
Logical Correlation
Logical Correlation
Logical Correlation
Types of DS Connectors
Logical Correlation
Vulnerability Scanner
Availability Monitor
Active Directory
...
Cross-correlation
When the related events are in the database with the same host involved, cross-correlation will generate a new event.
Priority of Event A + Priority of Event B -> Priority of the new event generated during cross-correlation
Reliability of Event A + Reliability of Event B -> Reliability of the new event generated during cross-correlation
Cross-Correlation
Vulnerability: IIS Remote Command Execution
Vulnerability Scan
Host A
Sensor
Cross-correlated Event
Attack
Attacker
Host A
Cross-correlation
Most of the cross-correlation rules relate IDS events (Snort) with vulnerabilities (OpenVas, Nessus...).
Inventory Correlation
1. For each attack the system checks whether it has information about the attacked host within the AlienVault inventory.
2. Using the OSVDB database the SIEM knows the OS, services, and versions that
Multilevel Correlation
Distributed Correlation
Correlation Level 3
SIEM
Correlation Level 2
SIEM
SIEM
Correlation Level 1
SIEM
SIEM
Sensor
Sensor
Sensor
Sensor
Multilevel Correlation
Correlation level 4: Global infection
Correlation level 3: National infection
Correlation level 2: Corporate infection
Correlation level 1: Department infection
AlienVault is installed by default with a single user. This user will always keep special permissions within the AlienVault system (permission to monitor all assets, and all menu options enabled).
# ossim-reset-password admin
This command can be used to change the password of any user from the console. In any case, an administrator user will always be able to change the password of another user using the AlienVault Web Interface.
Main
Menu
Status Bar
Dashboards
Content:
Risk Metrics
Menu Options:
Dashboards
Risk
-
Risk Maps
Risk Metrics
Incidents
Content:
Knowledge DB
Menu Options:
Alarms
Alarms
Reports
Tickets
Tickets
Reports
Knowledge DB
Knowledge DB
Analysis
Content:
Vulnerability Management
Menu Options:
SIEM
SIEM
Statistics
Logger
Vulnerabilities
Vulnerabilities
Reports
Scan Jobs
Threats Database
Detection
Logs
NIDS
HIDS
Wireless IDS
Anomalies
Reports
Content:
AlienVault reporting system
Menu Options:
Reports
Reports
Modules
Layouts
Scheduler
FOSS Reports
Assets
Content:
Inventory Management
Asset Search
Asset Discovery
Menu Options:
Assets
Structure
Hosts
Host Groups
Network
Network Groups
Ports
Asset Search
Asset Search
Asset Categories
Asset Discovery
Spot Scan
Intelligence
Content:
Correlation Rules
Compliance
Menu Options:
Policy & Actions
Policy
Actions
Correlation Directives
Directives
Properties
Backlog
Compliance Mapping
ISO 27001
PCI DSS
Cross Correlation
Rules
Situational Awareness
Content:
Network monitoring
Netflow management
Network Profiles
Availability Monitoring
Inventory Summary
Menu Options:
Network
Traffic
Profiles
Availability
Monitoring
Reporting
Inventory
Inventory
Configuration
Content:
AlienVault Configuration
User Management
Collection Configuration
Backup Management
Menu Options:
Main
Collection
Simple
Data Sources
Advanced
DS Groups
Customize Wizard
Custom Collectors
Taxonomy
Downloads
Users
Configuration
User activity
SIEM Components
Network Discovery
Sensors
Nedi
Servers
Active Directory
Databases
Software Upgrade
Backup
Upgrade Notification
SIEM Backup
User Management
Multi-tenant Architecture
AlienVault SIEM
Hosts
Hosts
Host Groups
Host Groups
Networks
Networks
Network Groups
Network Groups
Departments
Corporations
An Entity groups Assets, Users and AlienVault Components.
Multi-tenant Architecture
Figure: example entity tree for AlienVault (Unified SIEM): Development (Web development, R&D, Open Source), Sales, EMEA and APAC, each owning its own networks (10.0.0.0/24, 192.168.3.0/24, 172.18.1.0/24, 192.168.8.0/24, 192.168.2.0/24) and hosts (210.2.2.2).
Entities
Templates
Templates
Template definition:
1. Assign user permissions
2. Link the user template with an entity
User permissions
Sensors
Networks
Admin Users
No Menu restrictions
Access to
Admin users within each entity can only manage users within the entity they belong to.
User configuration
Policies
AlienVault Policies
The Policy section allows you to configure how the system will process the events once they arrive at the AlienVault Server.
Do not correlate
AlienVault Policies
By default, all the events arriving at the AlienVault Server are processed by both the SIEM and the Logger.
Risk assessment
Correlation
Forwarding
SQL Storage
In the case of the Logger, the system signs the events to ensure their integrity so that they can be used as evidence in court.
SIEM
SQL Storage
EVENTS
Risk Assessment
Log Signature
Policy
Policy
Collection
Collection
EVENTS
Disk Storage
Correlation
Policy Conditions
Policy Consequences
Actions:
Send an e-mail
Execute a Command
SIEM
Logger
Sign
Multilevel
Forward alarms
Forward events
Actions
Once the conditions defined in a policy have been met, the system can execute an action (or multiple actions).
Policy order
The generic policy rules should always be defined after the policy rules used to configure exceptions for certain events.
Apache events
Firewall events
Logger
AlienVault Logger
The Logger collects data in its native format, digitally signs and time-stamps the data, and securely stores it while preserving its integrity, whereas the SIEM database is designed for the rapid and versatile analysis required for attack detection and response.
Logger Console
Time frame selection by clicking on the graph
Predefined time frame selection
Remote Loggers
Make sure the Logger is configured at Configuration -> SIEM Components -> Servers.
Select the Logger or Loggers you want to query in the Logger Console at Analysis -> Logger -> Logs.
The search for events stored in the Logger implements auto-completion based on the text that you type. For example, if you enter a host name, the system will suggest searching for that value in the host field of the events.
The following syntax can be used when searching over the events in the Logger:
sensor: IP address or name of the AlienVault Collector that collected the event. E.g.: sensor=Vegas, sensor=172.2.2.1
src: Source of the event in IPv4 format, or name of the host used in the AlienVault inventory. E.g.: src=192.168.2.1, src=Web_2000
dst: Destination of the event in IPv4 format, or name of the host used in the AlienVault inventory. E.g.: dst=192.168.1.1, dst=gateway
data: Searches for the given value in the text of the original event. E.g.: data=Failed Password
Export data
Query the Logger after entering the search criteria and click on Export.
Logger Stats
Logger troubleshooting
Vulnerability
Management
Vulnerability
Objectives
Metrics of the vulnerability level
Prevention of possible attacks
OpenVas
Scalable
Simultaneous scans
Scheduled scans
Nessus
Scanning Operation
1. Port scanning against every target within the scan.
2. The scanner runs a series of tests to verify whether the services found at each port are vulnerable to attack.
The remote host is missing the DSA-1996 security update
Sensor
Default user and password enabled in the running service
Security Analysis
Analysis Process
Metrics
Incidents
Events
Vulnerabilities
Inventory
Analysis Process
1. Dashboard -> Dashboard
2. Dashboard -> Risk
3. Incidents -> Alarms
4. Incidents -> Tickets
5. Analysis -> SIEM
6. Analysis -> Logger
7. Analysis -> Vulnerabilities
8. Assets -> Asset search
9. Report -> Reports
Status Bar
Global Status of the Monitored Networks (Red, Orange or Green)
Number of open Tickets
Number of unresolved Alarms (open Alarms)
If the service level remains at 100, we should check the recovery value and whether events are actually being collected.
Executive Panel
Executive
Security
Taxonomy
Tickets
Executive Panel
Vulnerabilities
Compliance
Network
Report of the performed vulnerability scans.
Dashboards
Service loss
Conflicting hosts
Risk Maps
Shows the risk, vulnerability and availability levels for any asset in the AlienVault inventory.
Risk
Vulnerability
Availability
Risk Metrics
Risk Metrics
Time frame selection (Last day, Last week, Last month, or Last year)
Risk Metrics
Internal attack: symmetry between the red and blue areas, between assets or networks with the same value.
Risk Metrics
We can click on the red/blue area of the global graph to see in detail what happened at that moment.
Risk Metrics
The table shows those hosts or networks that have exceeded their threshold.
Risk Metrics
Internal attacks
Alarms
Alarms
Alarms
Date of the first and last event belonging to the alarm
Source and destination IPs
Alarms
The IP address belongs to the AlienVault Inventory
Alarms
More than 4000 events were correlated within the correlation rule that generated this alarm
Alarms
Alarms
Alarms
Repeated Alarms
Alarms
Only one event
Host with many alarms
Check the events from that host in the SIEM and Logger
Define new correlation rules
SIEM Events
SIEM Events
Today
Last 24 hours
Last week
Last month
All
SIEM Events
SIEM Events
SIEM Events
Search Events by:
Timeline analysis
Filter by DS Group
Filter by Network Group
SIEM Events
Active filters
Events Statistics
SIEM Events
SIEM Events
Trends
SIEM Events
SIEM Events
Source IP
Date of the original event
Risk of the event
Destination IP
Reliability
Priority
Protocol
Risk
SIEM Events
Clicking on the name of the event gives you access to the original event (log or payload).
Event name
Extra fields
Raw Log
SIEM Events
SIEM Events
SIEM Events
SIEM Events
The system uses TShark to show low-level information about the capture file.
Logger
In the Logger, the events are stored in the file system, using an AlienVault-specific schema of directories and files.
Logger
Time frame selection by clicking on the graph
Predefined time frame selection
Logger
Analysis Procedure
Analysis Procedure
Analysis Procedure
Analysis Procedure
In Unique events, compare the columns Src. Addr and Dst. Addr.
Many sources and always the same destination IP
Analysis Procedure
Analysis Procedure
Analysis Procedure
Analysis Procedure
Click on Unique Country Events and then click on the Total of the countries that seem suspicious.
Analysis Procedure
Analysis Procedure
Host Information