Acsa

ACSA
AlienVault Certified Security Analyst
About this document
ACSA (AlienVault Certified Security Analyst)
Author: Juan Manuel Lorenzo (jmlorenzo@alienvault.com)
Document Version 3.0
Last revision: 01/2011
Product version used: 3.0
Copyright Alienvault 2010

All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying,
recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and publisher.
Any trademarks referenced herein are the property of their respective holders
Target Audience
Professionals from Security Information
Systems administrators
Security Operators
Requirements
Previous Knowledge
Networking
Security
Basic Linux Skills (Edit files on the command line)
Technical Requirements
Computer per assistant
Internet access
AlienVault Virtual Machine
Recommendations
Have you got any problem with AlienVault?
Is there something you always wanted to know about AlienVault?
Do you have any suggestion?
Think about your environment:
Do you have a network map?
How would you integrate this device or application?
What products would suit my needs?
Do I have any compliance requirement? (PCI? ISO?)?
If you have any questions, please tell us
ACSA - Contents
Introduction to AlienVault
AlienVault Web Interface
Components
User Management
Architecture
Policies
Installation
Logger
Configuration
Vulnerability Management
Network Security Tools
Security Analysis
Integrated Tools
Ticketing System
Basic Concepts
Reporting System
AlienVault
What is AlienVault?
10
AlienVault is a SIEM (Security Information and Event Management)
Data Aggregation
Correlation
Alerting
Dashboards
Compliance
Retention
AlienVault: Data Aggregation

Collection
Syslo
SCP
SQL
WMI
Other11supported collection methods: SNMP, SDEE, OPSEC, Socket...
Sensor
AlienVault: Data Aggregation

Normalization
plugin_id=4003 plugin_sid=2 username=root
date="1295472603" src_ip=192.168.2.2
Authentication Failed for user root from X
12.02.2009 12:02:21
DROP 192.168.1.1 21.2.2.2

Dec 02 2009 12:02:21
Sensor
plugin_id=4503 plugin_sid=21 date="1295472603"

src_ip=192.168.1.1 dst_ip=21.2.2.2
12
AlienVault: Correlation
SIEM
SSH Auth
failed event
from X to Y
SSH Auth
failed event
from X to Y
SSH Auth
failed event
from X to Y
SSH
Successful Auth
event from X
to Y
Sensor
Successful Brute Force Attack?

13
Brute Force Attack?
AlienVault: Alerting
DOS Attack Against
WebServer
No disk space left on the

SQL Server
Worm Detected on Port 80
Policy Violation: P2P Usage
14
Send a command to the firewall to isolate the attacker
Open a ticket in AlienVault or in any other

ticketing management system
Send an e-mail or an SMS to the IT Department
Disable the switch port used by the host

generating the P2P Traffic
AlienVault: Dashboards
15
AlienVault: Compliance
16
AlienVault: Retention
SAN
Logger
- Forensically secure-storage of RAW Data

- Massive Log-storage
- Can be configured to store information on existing NAS or SAN
NAS
17
And What Makes AlienVault Different?
18
All SIEM Products
AlienVault Unified SIEM
Data Aggregation
Data Aggregation
Correlation
Correlation
Alerting
Alerting
Dashboards
Dashboards
Compliance
Compliance
Retention
Retention
Situation Awareness
NIDS
HIDS
WIDS
Network Monitoring
Comprehensive Vulnerability Management
Centralized Reports
Compliance auditing
The remote host is missing the DSA-1996 security update
A vulnerable SMB server is running on the remote host.
Sensor
Default user and password enabled in the running service
19
Situation Awareness
Technology
Identity Monitoring
Active Directory
LDAP
Authentication Logs
Network Auto-Discovery
Topology Map
Recurrent SNMP Scans
Inventory
Active / Passive Fingerprinting
Profiling
Time-Service-Usage Profiling
Resource Monitoring
Network Monitoring
Network Availability
SNMP / Agent / Remote Requests
Host resources
SNMP / Agent / Remote Requests
Anomaly Detection
20
Flows
Events / Network Profiles / Active-Passive

Fingerprinting
NIDS
Network level IDS (Intrusion Detection System)
Monitor network traffic
No impact on the network

Policy Violations (Porn, P2P, IM...)
Ne
Router
tw
o
rk
Netwo
tra
ffic
Malware
rk traffi
Network anomalies
Switch
rk
two
Ne
fic
traf
Sensor
User activity
Network Tap
21
HIDS
Host-based IDS (Intrusion Detection System)
Monitors and analyzes the internals of a computing system
Clients for every major Operating Systems
Log analysis, rootkit detection, system integrity checking and

Windows registry monitoring.
Attempt to login using a non-existent user
Attempt to use mail server as relay (client host rejected).
Sensor
Logon failure: Account currently disabled
22
WIDS
Wireless Intrusion Detection System
Monitor Wireless Networks in multiple locations
Meet PCI Wireless Compliance requirements

Rogue AP
Suspicious Client
Sensor
running a WIDS
Wireless Network Traffic is analyzed in the AlienVault Sensor
23
Cloaked Networks with uncloaked APS
The Market
Large Vendors
Sold in combination with
other products
24
Pure SIEM
Pure Management Layer
Unified SIEM
Integrate other
Security Functions

The Unification of SIEM and Security Context Technologies
Management
Technologies
Security Context
Technologies
delivered in a single Product: AlienVault Unified SIEM
25
Data Abstraction
Risk
Incidents
High Level
Metrics
Medium Level
Tens of Incidents
Security Events
SecurityAlienVault
Events SIEM
AlienVault Logger
Logs
26
AlienVault Sensors
Low Level
Millions of Logs
Security Technology
Management
Unification of technologies
27
SIEM
Incident
Management
Risk
Intelligence
Storage
Detection
Prevention
Awareness
IDS / IPS / WIDS
HIDS
File integrity
Identity
Vulnerability
Assessment
Threat
Assessment
Inventory
Resources
AlienVault SIEM
Correlation
Dashboards
Events aggregation
Action / Response
Reports
Forensic Storage
Alerting system
AlienVault SIEM
Operating Systems
28
Security Devices
Applications
Network electronics
3 major components
Sensor
Event Collection
NIDS / WIDS / HIDS
Network monitoring
Vulnerability Scanning
Logger
Massive Log Storage
Legal evidence
Ensure integrity
SIEM
Correlation
Risk Assessment
Real-time Monitoring
29
How AlienVault works?
30
3 major components
Sensor
Events generated in the Network are collected by the AlienVault Sensor.
Applications running in the AlienVault Sensor generate security events
that are also collected by the AlienVault Sensor.
The AlienVault Sensor generates a normalized event that is sent to the
SIEM and to the Logger.
Logger
AlienVault Logger provides forensically-secure storage of all raw data.
This creates a court-admissible record of network activity.
SIEM
AlienVault SIEM processes all data provided by network devices and
AlienVault Sensors.
The AlienVault SIEM leverages the Network Inventory created by
AlienVault Sensors as well as external Threat Databases to CrossCorrelate events, weeding out False Positives and providing Actionable
Intelligence.
31
SIEM Challenges and Roadblocks
Challenges
32
Lack of control of security and

network
Risk management and
compliance
Inconsistency & lack of

reliability
Complexity & information

overload
Inefficient use of valuable

resources
Roadblocks
High vendor pricing
Convoluted licensing models
High implementation costs
Underperformance
Black box solutions with

limited customization
What is / is not Alienvault?
33
AlienVault is:
A tool that integrates more than 30 Open Source tools
A tool that can aggregate events from both Open Source and
Commercial tools
A tool that can be easily adaptable (Use what you need)
AlienVault is not:
A linux distribution integrating security tools (Backtrack, WifiSlax...)
A product designed for home use
A software package (deb, rpm, exe) that can easily be installed on

any operating system. (Agents can be installed to monitor every
single Operating System)
What makes us different? - Technically
Detection capabilities
Using Open Source tools (No extra cost)
Can replace tools that have already been deployed
Can co-exist with tools that have already been deployed
Adaptability
34
Enable / Disable functionality based on customer needs
Customization
Scalability
What makes us different?- Commercially
35
Low cost licensing
Licensed based on EPS (Events per second)
There is no license based on the number of monitored devices
Extra value with no additional cost
WIDS
NIDS
HIDS
Network Monitoring
Open Source vs Professional
36
Open Source
Professional SIEM
Support
Community
7x24
Quality Assurance
Community
Professional Q&A
Security
Not audited
Audited
Performance
Moderate
30 x Open Source, Assured
SIEM Intelligence
Logical Correlation
Simple Taxonomy
Cross Correlation
Rich Taxonomy
Logger
N/A
Unlimited Forensic Storage
Reports
< 25 + Jasper
> 2000 + Web Wizard
Scalability/HA
N/A
HA, Distributed ,Multi-tenant, Unlimited

Scale
Compliance
High Level Reports
High and Low Taxonomy-based
Updates
None
Daily rules and reports
User Management
Individual, simple controls
Templates and Granular Controls
The Company
37
AlienVault was founded in 2007 by the creators of OSSIM to

support OSSIM community and develop enhanced products
In 2011 AlienVault has a global presence and offers its services

worldwide through an extensive network of partners.
AlienVault leads the development of AlienVault Open Source SIEM

and AlienVault Professional SIEM
A little bit of history
38
2003: First release of OSSIM (Open Source Security Information

Management)
2007: AlienVault founded to support the OSSIM community and

develop enhanced products
2009: More than half all SIEM installations worldwide
2010: Offices in Spain, Germany, UK and Mexico
2010: HQ in Silicon Valley, California
The Offices
Sales & Operations

Sales
39
The products
40
AlienVault Open Source SIEM
AlienVault Professional Feed
The Appliances
41
The services
Performance
& Scalability
ACSA
Dimensioning
ACSE
On-site
Training
Consultative
Architecture
Consulting
Training
AlienVault Services
Basic
Support
Administration
Support
Implementation
Upgrades
Premium 8x5
Support
42
Premium
24x7 Support
Installtion
Configuration
References
43
Partners
44
Partners
45
Open Source
AlienVault Open Source SIEM is distributed under the GPL license.
AlienVault includes more than 30 well-known Open Source tools
AlienVault developed a system to connect and provide intelligence to

all these components
Extra functionality - No extra cost
46
Open Source - Help for the recession

"Open source software and solutions have a great opportunity to survive and benefit
in this economy as they provide better returns for the companies that are looking to save
huge licensing costs and greater availability of solutions and software that can be easily
adopted."
"Open-source consumption is in for a boom, and commercial open-source start-ups
should be able ride the wave...In this downturn, open source offers the best value for money,
and with more mature supported products, enterprises can continue to innovate while
budgets are frozen."
"In a down economy, open source has more appeal than ever, so volume will continue
to increase for open source, making the model even stronger over time.
"In these times you follow your grandparents wisdom: Make the best of what you have. That
means maximizing utilization of existing infrastructure. I expect open source and Linux,
systems management tools, and virtualization technology, all of which allow for better
utilization rates of existing infrastructure at a low cost, to do well in this market."
"...this recession will be great for free and open source because of the shortage of cash.
Last recession saw the mainstream legitimization of open source operating systems because it
was clear and away the most cost-effective choice."
47
Components
48
Sensor
AlienVault Sensors collect and normalize the events generated

by the tools and devices running in the monitored network
(Data Sources).
Normalized events are sent to the AlienVault SIEM, AlienVault

Logger or to both.
Syslo
SCP
Normalized events
SQL
WMI
49
Sensor
Logger
SIEM
Sensor
An AlienVault deployment can have as many sensors as

needed (There is no limit in the number of deployed Sensors)
The number of Sensors is determined based on the number

of monitored network and on the geographical distribution of
the corporation
Sensor 1
Sensor 1
Las Vegas Call Center

50
NY Headquarters
Sensor 3
New Jersey Data Center
Sensor: Data Source
51
Any Application or Device generating information subject to

be collected by AlienVault is a Data Source within the
AlienVault deployment. E.g.:
Security Devices: IDS, IPS, Firewall, Antivirus, Vulnerability

Scanner...
Network Devices: Routers, Switches, Wireless AP...
Servers: Domain Controller, Email server, LDAP...
Applications: Web Servers, Databases, Proxy...
Operating Systems: Linux, Windows, Solaris...
Sensor: Data Source Connectors
52
The AlienVault Sensors can aggregate events from new sources by

creating a Data Source Connector
Data Sources connectors include the information on how events

are stored and formatted and regular expressions to help the
Sensor understanding how the information should be collected
and normalized
Sensor
The AlienVault Sensor can aggregate events using multiple

collection methods
Collection Methods
Custom DS Connectors
OUTPUT
SYSLOG
WMI
SQL
SDEEE
SOCKET
SNMP
53
NORMALIZATION
SAMBA
FILTERING
SCP
CLASSIFICATION
FTP
LOGGER
SIEM
Sensor
54
AlienVault Sensor includes detection functionalities in its

Sensor using well-known Open Source Software
The AlienVault Data Sources can co-exist with the Data

Sources that have already been deployed on the monitored
network
In some scenarios these Data Sources can replace

commercial software that was used in the monitored network
Sensor
To get benefit of the detection capabilities of the AlienVault Sensor.

Networking on the Sensor must be configured to:
Have access to the network that is being monitored
55
Event collection (Syslog, FTP, SCP, Samba, WMI...)
Availability Monitoring...
Collect all traffic of the monitored network configuring or

using:
Port mirroring or port span
HUB
Network Tap
Logger
56
The Logger component stores events in raw format in the file

system.
Events are digitally signed and stored en masse ensuring their

admissibility as evidence in a court of law.
The logger component allows storage of an unlimited number of

events with forensic purpose.
For this purpose the logger is usually configured so that events are
stored in a NAS / SAN network storage system.
SIEM
57
The SIEM component provides the system with Security

Intelligence and Data Mining capacities, featuring:
-
Risk assessment
Correlation
Risk metrics
Vulnerability scanning
Data mining for events
Real-time monitoring
AlienVault SIEM uses a SQL database and stores information

normalized allowing strong analysis and data mining capacities.
SIEM
Events processing on the SIEM

SIEM
58
Correlation
Risk Assessment
Policy
Collection
EVENTS
New events generated during correlation
SQL Storage
SIEM
Events processing on the SIEM

SIEM
59
Events are correlated (Logical correlation,

Cross Correlation and Inventory Correlation)
A Risk value (0-10) is calculated for every

event
Policies configure how the SIEM will process

the events (To create exceptions)
SIEM collects events sent by the Sensors or by

other SIEM or Logger
EVENTS
Events are stored in the Database
Database
60
The AlienVault database runs on a MySQL server
SIEM Events, configurations, and inventory are stored in the

Database
Database is a required component in any AlienVault deployment,

even if only the Logger is been used
Web interface
61
The AlienVault Web Interfaces provides access to:
Inventory Management
Configuration
Reports and metrics
Real time monitoring
Forensic Analysis
Vulnerability scanning
Architecture
62
AlienVault Architecture
Web Interface
SQL Database
EVENTS
SIEM
Disk Storage
Logger
Sensor
Operating Systems
63
Security Devices
Applications
Network electronics
AlienVault Deployment: Scenario
64
65
SQL
SYSLOG
SNARE
SDEE
OPSEC
SYSLOG
SYSLOG
SAMBA
SCP
OPSEC
SYSLOG
FTP
WMI
SYSLOG
SYSLOG
WMI
Log collection
LOG COLLECTION
SDEE
SYSLOG
SDEE
SYSLOG
SNMP
Port mirroring
PORT MIRRORING
66
Vulnerability Scanning & Availability Monitoring
SENSOR 1
SENSOR 3
SENSOR 2
67
AlienVault Deployment
PORT MIRRORING
LOG COLLECTION
SDEE
FTP
WMI
SYSLOG
WMI
SYSLOG
ALIENVAULT INTERNAL
COMMUNICATIONS
OPSEC
SYSLOG
SYSLOG
SDEE
SENSOR 1
SYSLOG
SDEE
SENSOR 2
68
OPSEC
SYSLOG
SYSLOG
SQL
SYSLOG
SAMBA
SNARE
SCP
SNMP
SENSOR 3
Simple Deployment
69
A single Customer
A single location
Small amount of events to be collected
Small number of networks to be monitored (Events collection,

Availability Monitoring, Vulnerability Scanning...)
Low network throughput to be analyzed
Simple Deployment
Network 1
Web Interface
SQL Database
Network 2
Network 3
SIEM
fic
raf
T
k
or
w
t
e
Logger
Events
Sensor
Customer Premises
70
Simple Deployment II
71
A single Customer
Multiple locations
AlienVault Sensors reduce the data transferred between the

different locations:
Events are filtered
Vulnerability and Availability Scanners are done from multiple

locations (Each Sensor scans the closest networks)
Simple Deployment II
Logger
Sensor
SIEM
SQL Database
Web Interface
Headquarters
Sensor
Office 1
72
Sensor
Office 2
Sensor
Office 3
Complex Deployment
73
Multiple Customers
Multiple Locations
Some Customers multiple Sensors
Some Customers have their own Logger (E.g.: Compliance

Requirements)
Some Customers have a fully operational AlienVault Deployment
Correlation and Storage at different levels
Complex Deployment
Web Interface
Web Interface
SQL Database
SIEM
SIEM
SQL Datab
Logger
Logger
Logger
Sensor
Services Provider
74
Customer 1
Sensor
Customer 2
Sensor
Sensor
Customer 3
National Deployment
Some locations can have multiple Sensors, with or without a
Logger or SIEM, that can be used to consolidate at State
Level or to provide Storage or Correlation at multiple levels
Al Sensors send events to the Logger deployed in California
75
Some locations can have a fully functional AlienVault

deployment, with SIEM, Logger, Database and Web
interface. Although the Logger in Texas will also forward
events to California
World Deployment
Sensors in USA send event to the

Logger in USA. There is a fully
functional AlienVault deployment in
the USA.
Sensors deployed worldwide send

their events to the main Logger in
India.
US and Brazil have their own SIEM
and Logger so it is possible to
configure correlation at two levels
as well as creating forwarding
policies to decide what kind of
information is forwarded to India.
Sensors in Brazil send event to the Logger in Brazil. There is

a SIEM, Logger and Database in Brazil. The Logger and
SIEM deployed in Brazil could also be used to consolidate
events from some other countries (Argentina, Chile...)
76
Sensor
77
At least one Sensor in each Alienvault Deployment
As many Sensors as required
Usually one Sensor in each Customer Location
A Sensor can monitor multiple networks within the same location
AlienVault Sensors can send events to Logger and SIEM
AlienVault Sensors can be configured to send events to more than

one SIEM or Logger
Logger
There must be at least a Logger or a SIEM in each functional

deployment
The Logger can send events to another SIEM or Logger
The Logger stores raw data in the disk and it can be

configured to use a NAS or SAN storage system
As many Loggers as required
78
Performance
Requirements to store information securely in more than

one location
The Logger collects events sent by the AlienVault Sensors or

by another Logger or SIEM
SIEM
There must be at least a Logger or a SIEM in each functional

deployment
The SIEM can send events to another SIEM or Logger
The SIEM stores information in an SQL Database (Database

Component)
As many SIEMs as required
79
Performance
Multiple correlation level
The SIEM collects events sent by the AlienVault Sensors or by

another Logger or SIEM
Database
80
There must be at least a Database in each deployment
If multiple SIEM components have been deployed these SIEM may

use multiple Databases
SIEM, Logger and the Web Interface will access the information
stored in the Database
Some Custom Data Sources may also require access to the

Database
Web Interface
There must be at least a Web Interface in each functional

deployment
If there are multiple storage points in the deployment (SIEM and/or

Logger) multiple Web interfaces may also be deployed
A single Web Interface can show information stored in multiple

Databases and in multiple Loggers
81
Installation
82
Hardware recommendations
For a production system:
At least 4GB Ram
64 Processor
DUAL Core Processor
Depending on the amount of traffic being monitored and the

amount of data captured RAM has to be increased, always
avoiding SWAP memory usage.
If we dont have the appropriate hardware:
83
"Divide et vinces"
Network Requirements: Sensor
84
Port mirroring/Port Span/Network tap avoiding:
Duplicated traffic: May happen if we get the same traffic redirected

from two different port mirroring devices on the network
Non-analyzable traffic: It makes little sense to configure a port

mirror on a network segment where all the traffic will traverse a VPN
or be otherwise encrypted
Enough IP addresses and interfaces have to be reserved for:
AlienVault Inter-component communication
Sensor network access to targeted networks (OpenVas, Nmap,

Nagios, WMI, SCP require network access)
Provide an IP address for external devices to send data to (Syslog,

FTP, Samba, Snare, OSSEC)
Network Requirement: Sensor
The most problems when configuring AlienVault happen with the

Sensor profiles:
The red line represents a port mirroring thats

been setup on a switch for the Sensor profile
and its applications (Ntop, Snort, Pads, P0f
and Arpwatch) to passively analyze traffic.
85
Network Requirement: Sensor

This second case represents a sensor profile
where only log collection and analysis will be
performed, without listening to any traffic. No
listening application should be running on this
system since there is no configured port
mirroring.
This third case requires both an IP address as

well as a passively listening interface since our
sensor profile will be both capturing traffic
from a port mirror as well as collecting logs.
86
Recommendations
87
Always use the latest installation image
If you need performance you cant use any Hardware
Use only what you need (Disable unused Data Sources)
If you install your system in English youll have an easier time

finding help
For network traffic analysis ensure your NIC supports the e1000
driver.
Whenever possible setup a separate machine for the Database

profile
Recommendations II
88
It makes little sense to enable the listening applications (Snort,

Ntop, Arpwatch) if we dont have a port mirror setup.
64 Bits greatly improves performance
The best network cards should always be used for the listening
interfaces (promiscuous mode)
The not-so-good network cards can be used for administration or

collection (Syslog, OpenVas, Nagios)
Check List
89
Check List for an AlienVault Installation
Rack Space
Power
Network Configuration
Port mirroring
IP addresses
Professional Key
Internet Access (Required when installing the professional version)
Installation Profiles
90
Depending on the role of the new host within the AlienVault

deployment it is possible to configure the profile in use. This can
be configured during the installation process or after installation.
By default the Automated Installation will enable all profiles in the
same box.
Installation Profile: Sensor
91
The Sensor Profile will enable the Sensor functionality of AlienVault.
The following AlienVault Data Sources are enabled by default:
Snort (Network Intrusion Detection System)
Ntop (Network and usage Monitor)
OpenVAS (Vulnerability Scanning)
P0f (Passive operative system detection)
Pads (Passive Asset Detection System)
Arpwatch (Ethernet/Ip address parings monitor)
OSSEC (Host Intrusion Detection System)
Nagios (Availability Monitoring)
OCS (Inventory)
Installation Profile: Server
92
This installation profiles combines the SIEM and Logger

component. The Sensors will connect to the AlienVault Server to
send the normalized events.
Simple deployments will include a single Server in the deployment.

More complex deployments could have more than one Server with
different roles or in case it is required to deploy the AlienVault
Server in high availability.
The server installation profile also comes with a Sensor with limited
functionality to monitor the Server itself
Installation Profile: Database
93
The Database profile will enable a MySQL database to store

configuration and events (If the SIEM functionality is in use). At
least one Database is required in each deployment.
Even if only the Logger profile is enabled (And not the SIEM) a
database will be required to store the inventory information and the
configuration parameters.
Installation Profile: Web Interface
94
The Web Interface profile will install and configure the Web
Management interface component. A single Web Management
interface will be deployed on every AlienVault installation. More
complex deployments with multiple AlienVault Servers may have
more than one box with the Web Interface profile enabled.
The AlienVault Web Interface is the installation profile that will use
the lowest amount of memory and CPU. For this reason, the Web
Interface is usually installed with the Server profile.
Installation Profile: All-in-one
95
The All-in-one profile will enable all profiles in a single box. This is
the default installation profile and it will be enabled if the user does
an automated installation
Installation Overview
Automated Installation
Custom Installation
1.Boot the installation system
1.Boot the installation system
2.Configure networking
2.Select the installation language
3.Create and mount the partitions on which AlienVault will be installed
3.Configure keyboard
4.Watch the automatic download/install/setup/update of the base
4.Configure location
system.
5.Set up users and passwords
6.Load the newly installed system for the first time
5.Select the installation AlienVault profiles for this installation

6.Configure networking
7.Create and mount the partitions on which AlienVault will be installed
8.Enter the professional license
9.Watch the automatic download/install/setup/update of the base
system.
10.Set up users and passwords
96
97
Configuration
98
Basic System Configuration
Changing the keyboard layout

To change the keyboard layout simply type this command:
Setting the Current System Date and Time

To display the current system time, enter the date command
# date
To set the current system time, use the following form of the date
command:
99
# dpkg-reconfigure console-data
# date MMDDhhmm[CC]YY[.ss]
Basic System Configuration
Set the date and time via NTP

To set the date using an NTP server type the following command in
the terminal
# ntpdate pool.ntp.org
pool.ntp.org can be replaced by the NTP server in your corporation or

by any other NTP server in the Internet.
Changing the time zone

To change the timezone just type this command:
100
# dpkg-reconfigure tzdata
AlienVault Basic Configuration
The centralized configuration is stored in the following file:
You can edit this file using any text editor (vim, nano, pico).
Inexperienced users should be using the following command to

edit this file:
# alienvault-setup
To apply the centralized configuration on every configuration file

you will have to run the following command:
101
/etc/ossim/ossim_setup.conf
# alienvault-reconfig
Enable / Disable Plugins (Data Sources)

To select the enabled Plugins (Data Sources) type the following
command:
102
# alienvault-setup
Then select the Option Change Sensor Settings, and then Enable/
Disable detector plugins, you will get a list of enabled and disabled
plugins, just click on space when over the name of the plugin to
enable or disable that plugin. To apply changes select Save & Exit
in the main menu.
Configure Plugins (Data Sources)
Once the plugin has been enabled you may need to configure some
plugins. Plugin configuration files are stored in the directory /etc/
ossim/agent/plugins. There you will find a .cfg file for each plugin.
You may need to edit the location parameter to point the AlienVault
collector to the file in which the log of that application are being
stored. If you modify the configuration file of one of your plugins type
the following command to restart the OSSIM Agent:
-
103
# /etc/init.d/ossim-agent restart
104
Configure listening interfaces
The alienvault-setup script allows configuring the network interfaces

in promiscuous mode. All the AlienVault detectors that require
analyzing all network traffic will be configured to work on these
network cards (Snort, Ntop, Fprobe, Pads...).
Select only those interfaces that are connected to a mirrored port, or

to a network tap, as these applications will be useless if they are not
analyzing all traffic in the network.
To select the listening interfaces type the following command

-
# alienvault-setup
and then choose Change Sensor Settings and then Select interfaces
in promiscuous mode, then select Save & Exit to apply changes.
alienvault-reconfig
/etc/snort*
/etc/default/ntop
/etc/rsyslog.conf
/etc/ossim/agent/config.cfg
/etc/ossim/ossim-setup.conf
/etc/network/interfaces
alienvault-reconfig
/etc/ossim/server/config.xml
/etc/ossim/framework.conf
/etc/mysql/my.cnf
/etc/logrotate*
.....
/etc/default/fprobe
105
VPN Configuration
106
When performing a custom installation in different the installer will

automatically configure a VPN Network to encrypt communication
between the different AlienVault components. This feature has been
implemented using OpenVPN.
The VPN Server will be configured in the machine running the Server
Profile. If we want to include another AlienVault component in the
VPN we have to run this command in the machine running the Server
Profile. We will use in the following examples the IP address
192.168.0.200, as if it were a box running the Collector profile:
# alienvault-reconfig --add_vpnnode 192.168.0.200
This command will generate a compressed file containing all required files
to configure the VPN network in the AlienVault component we want to put
inside the VPN network. This file will be stored in the following directory:
/etc/openvpn/nodes/
Setting the hostname

To change the hostname, simply modify the value of the parameter
hostname in the /etc/ossim/ossim_setup.conf and run the
command:
Setting up DNS
You can add hostname and IP addresses to the file /etc/hosts for
static lookups. To cause your machine to consult with a particular
server for name lookups you simply add their addresses to/etc/
resolv.conf.
For example a machine which should perform lookups from the DNS
server at IP address 192.168.1.200 would have a resolv.conf file
looking like this: search my.domain
nameserver 192.168.1.1
107
Setting up the IP address

-
The IP addresses associated with any network cards you might have
are read from the file /etc/network/interfaces. This file has
documentation you can read with:
# man interfaces
A sample entry for a machine with a static address (eth0) would look
like this:
allow-hotplug eth0
iface eth0 inet static
address 192.168.1.133
netmask 255.255.0.0
network 192.168.0.0
broadcast 192.168.255.255
gateway 192.168.1.1
dns-nameservers 192.168.1.100
If you make changes to this file you can cause them to take effect by
running:
108
# /etc/init.d/networking restart
Setting up a network card in promiscuous mode
If a network is going to be used to analyze all traffic in the network, it

should not have an assigned IP address. This will improve
considerably the performance of the network card. To do this you will
have to include a new entry in the file /etc/network/interfaces :
up ifconfig eth0 0.0.0.0 promisc -arp
109
Setting the default Gateway
The default route for a host with a static IP address can be set in/
etc/network/interfaces.
If you wish to view your current default route/gateway then you

can run:
To change your default route you must first remove the current
one:
110
# netstat -nr
# /sbin/route del default gw 192.168.0.1
In case you change the management IP address of one your AlienVault boxes you have to do
the following to make sure that all components using the old IP address are now using the new
one.
To do that, once you will have modified /etc/network/interfaces and restarted networking you
will need to edit the file /etc/ossim_setup.conf
In this file you could just do a search (Old IP Address) and replace (New IP Address) or take a
look to the following parameters:
admin_ip: Management IP (SSH and Web access)
db_ip: IP address of the host running the Database Profile
framework_ip: IP address of the host running the Web Management Interface
server_ip: IP address of the host running the Server Profile
Once you have set the correct ip addresses you can generate all configuration files by running:
111
Rename network interfaces
Rename network interfaces

-
# apt-get install ifrename
Edit the file /etc/iftab
Insert a line for each network interface with the following format :
eth0 mac 00:17:31:56:BC:2D
eth1 mac 00:16:3E:2F:0E:9C
Network cards with more than one interface usually have consecutives
MAC addresses
112
# ifconfig -a | grep HWaddr
AlienVault Local Firewall
AlienVault configures a firewall during the installation process. If

you want to disable or enable the firewall you can do that by
typing:
Select Change General Settings and then select Configure

Firewall. Then, in the main menu select Save & Exit.
If you want to add exceptions to that firewall write your own rules
(iptables firewall rules) in the following file:
/etc/ossim/firewall_include
and execute:
113
# alienvault-setup
114
Network Security Tools
115
Basic Tools
116
Ping: Check the connection status with a remote host or Gateway
Telnet: Communicate with another host using the TELNET

protocol.
Dig: Query a DNS server.
Traceroute: Prints the route packets take to a network host.
Whois: Looks up records in the databases maintained by several

Network Information Centers (NICs).
Netstat: The Netstat command symbolically displays the contents

of various network-related data structures.
Nslookup: Check whether a DNS server is resolving the

hostnames correctly or not.
Tcpdump
Tcpdump is a common packet analyzer that runs under the

command line. It allows the user to intercept and display TCP/IP
and other packets being transmitted or received over a network to
which the computer is attached.
See the list of interfaces on which tcpdump can listen:
Listen on interface eth0:
# tcpdump -i eth0
Listen on any available interface :
117
# tcpdump -D
# tcpdump -i any
Tcpdump (Usage Examples)
Display traffic from/to host 192.168.1.1
Display traffic in the port 22
# tcpdump port 22
Display all traffic but except the port 80
# tcpdump tcp and not port 80
Capture any packets where the destination host is 192.168.1.1. Display IP addresses and
port numbers:
# tcpdump -n dst host 192.168.1.1
Capture any packets where the source host is 192.168.1.1. Display IP addresses and port
numbers:
118
# tcpdump host 192.168.1.1
# tcpdump -n src host 192.168.1.1
Tcpdump (Usage Examples II)
Capture any packets where the destination network is 192.168.1.0/24. Display IP

addresses and port numbers:
Capture any packets where the source or destination network is 192.168.1.0/24. Display IP
# tcpdump -n net 192.168.1.0/24
Capture any packets where the destination port is 23. Display IP addresses and port
numbers:
# tcpdump -n dst port 23
Capture any packets where the destination port is is between 1 and 1023 inclusive. Display
IP addresses and port numbers:
119
# tcpdump -n dst net 192.168.1.0/24
# tcpdump -n dst portrange 1-1023
Tcpdump (Usage Examples III)
Capture any packets with destination IP 192.168.1.1 and destination port 23. Display IP
Capture any packets with destination IP 192.168.1.1 and destination port 80 or 443.
Display IP addresses and port numbers:
# tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)"
Capture only TCP packets where the destination port is is between 1 and 1023 inclusive.
Display IP addresses and port numbers:
# tcpdump -n tcp dst portrange 1-1023
Capture either ICMP or ARP packets:
# tcpdump -v "icmp or arp"
Capture any packets that are broadcast or multicast:
120
# tcpdump -n "dst host 192.168.1.1 and dst port 23"
# tcpdump -n "broadcast or multicast"
Tcpreplay
121
Tcpreplay is a tool for replaying network traffic from files saved with
tcpdump or other tools which write pcap files (Ngrep, WireShark,
Tshark...)
The basic operation of tcpreplay is to resend all packets from the

input file(s) at the speed at which they were recorded, or a
specified data rate, up to as fast as the hardware is capable.
Tcpreplay provides the ability to classify traffic as client or server,

edit packets at layers 2-4 and replay the traffic at arbitrary speeds
onto a network for sniffing or through a device.
Tcpreplay (Usage Examples)
Basic Usage: Replay sample.cap file (Send traffic out interface eth0)
To replay traffic as quickly as possible:
# tcpreplay --topspeed -i eth0 sample.pcap
To replay traffic at half-speed:
# tcpreplay --multiplier=0.5 --intf1=eth0 sample.pcap
To replay at 25 packets per second:
# tcpreplay --pps=25 --i eth0 sample.pcap
To replay the sample.pcap file 10 times:
122
# tcpreplay -i eth0 pcap.cap
# tcpreplay --loop=10 -i eth0 sample.pcap
Tcpreplay (Usage Examples II)
Capturing packets using Tcpdump
The default tcpdump parameters result in a capture file where

each packet is truncated. To ensure that you capture complete
packets, use the following command:
-
Capture all traffic in the port 53 (Interface eth0)

-
123
# tcpdump -i <interface> -s 65535 -w <some-file>
# tcpdump -i eth0 -s 65535 port 80 -w sample.cap
Download packet captures (PCAP):

-
http://www.pcapr.net/
https://www.evilfingers.com/repository/pcaps.php
http://sourceforge.net/projects/networkminer/
Ngrep
124
Ngrep strives to provide most of GNU greps common features,

applying them to the network layer.
Ngrep is a pcap-aware tool (Wireshark, Tcpdump...)
Ngrep allows you to specify extended regular expressions to

match against data payloads of packets.
Ngrep uses the same filtering syntax than Tcpdump
Ngrep (Usage Examples)
Monitor all activity crossing source or destination port 25 (SMTP). On any interface.
Monitor FTP activity searching for user|pass
# ngrep -wi -d any 'user|pass' port 21

Monitor syslog events searching for errors
# ngrep -d any 'error' port syslog

Monitor all outgoing web requests from machine 12.13.14.15 (Interface eth0):
# ngrep -d eth0 -q -t '^(GET|POST) ' 'src host 12.13.14.15 and tcp and dst port 80'
Determine client application that client host is running
125
# ngrep -d any port 25
# ngrep -q 'user-agent' tcp port 80
IPTraf
IPTraf is a console-based network statistics utility
It gathers a variety of figures such as TCP connection packet and

byte counts, interface statistics and activity indicators, TCP/UDP
traffic breakdowns, and LAN station packet and byte counts.
Usage:
126
#iptraf
Wireshark
127
Wireshark is a GUI network protocol analyzer. It lets you

interactively browse packet data from a live network or from a
previously saved capture file.
Wireshark is a pcap-aware tool
Wireshark is very similar to tcpdump, but has a graphical frontend, and many more information sorting and filtering options
Etherape
128
EtherApe is a packet sniffer/network traffic monitoring tool

developed for Unix.
Network traffic is displayed using a graphical interface. Each node

represents a specific host.
Links represent connections to hosts. Nodes and links are color

coded to represent different protocols forming the various types of
traffic on the network. Individual nodes and their connecting links
grow and shrink in size with increases and decreases in network
traffic.
Tshark
129
TShark is a network protocol analyzer. It lets you capture packet

data from a live network, or read packets from a previously saved
capture file, either printing a decoded form of those packets to the
standard output or writing the packets to a file.
TSharks native capture file format is libpcap format (Tcpdump,

Tcpreplay, Ngrep, Wireshark...).
Tshark (Usage Examples)
Display the source port of all tcp packets in the file /tmp/capture.cap.
Display the network packets of an IP address in the file /tmp/capture.cap
# tshark -R "ip.addr == 192.168.0.1" -r /tmp/capture.cap

Display http response codes
# tshark -o "tcp.desegment_tcp_streams:TRUE" -i eth0 -R "http.response" -T fields -e

http.response.code
Display MySQL queries sent to a MySQL Server
130
# tshark -z "proto,colinfo,tcp.srcport,tcp.srcport" -r /tmp/capture.cap
# tshark -i any -T fields -R mysql.query -e mysql.query
Ethtool / mii-tool
Ethtool
Ethtool displays or changes ethernet card settings (Link,

Negotiation info, Statistics...)
Usage (# ethtool <interface>)
# ethtool eth0
Mii-tool
Mii-tool checks or sets the status of a network interface

-
Usage
131
# mii-tool
Dsniff
132
Dsniff automatically detects and minimally parses each

application protocol, only saving the interesting bits, and uses
Berkeley DB as its output file format, only logging unique
authentication attempts.
tcpkill: Kills specified in-progress TCP connections
urlsnarf: Outputs all requested URLs sniffed from HTTP

traffic
msgsnarf: Records selected messages from AOL Instant

Messenger, ICQ 2000, IRC, MSN Messenger, or Yahoo
Messenger chat sessions.
filesnarf: Saves files sniffed from NFS traffic in the current

working directory.
Nmap
Nmap is a tool for network exploration and security auditing.

Basic IP scan
IP scan with OS and service detection
# nmap sV 172.18.1.1
Network scan
# nmap 172.18.1.*
# nmap 172.18.1.0/16
Scan port 22 of every host in the network
# nmap p22 192.168.1.0/16
Find unused IPS on a given Subnet
133
# nmap 172.18.1.1
# nmap -T4 -sP 192.168.2.0/24 && egrep "00:00:00:00:00:00" /proc/net/arp
Honeypots
A honeypot is a trap set to detect, deflect, or in some manner

counteract attempts at unauthorized use of information systems.
A honeypot consists of a computer, data, or a network site that

appears to be part of a network, but is actually isolated and
monitored, and which seems to contain information or a resource
of value to attackers.
Spam
Malware
Port Scans
Shellcodes
134
Vulnerability Scan
Honeypots
135
mwcollect
Mwcollect is a versatile malware collection daemon, uniting the

best features of nepenthes and honeytrap licensed under the
LGPL.
http://www.mwcollect.org
Dionaea
Dionaea is a malware collection honeypot focusing primarily on

SMB emulation. Dionaea uses Python as scripting language,
using libemu to detect shellcodes, supporting ipv6 and tls
http://www.mwcollect.org
Honeypots
136
Amun
Amun is a low-interaction honeypot designed to capture

autonomous spreading malware in an automated fashion.
Amun is written in Python and therefore allows easy integration
of new features.
http://amunhoney.sf.net
Omnivora
Omnivora is a low-interaction honeypot for systems running

Windows operating systems and is implemented using Borland
Delphi.
http://www.ohloh.net/p/omnivora
Websites - Security
http://www.shadowserver.org
http://isc.sans.edu
Analysis and warning Service against malicious attackers

http://www.osvdb.org
Open Source Vulnerability Database

http://www.securityfocus.org
Discussion on computer security related topics

http://www.exploit-db.com
137
Malware, Botnet activity, electronic fraud...
Archive of exploits and vulnerable software.
Websites - Malware
Malware samples
http://www.malwareurl.com
http://www.malwaredomainlist.com
WARNING: This sites contain samples of live malware. Use at your own risk.
138
Malware Analysis
http://www.virustotal.com
http://www.threatexpert.com
http://www.offensivecomputing.net
Backtrack
BackTrack is a Linux-based penetration testing arsenal that aids

security professionals in the ability to perform assessments in a
purely native environment dedicated to hacking.
139
http://www.backtrack-linux.org/
Metasploit
The Metasploit Framework is the open source penetration testing

framework with the world's largest database of public, tested
exploits.
Metasploit is part of the software included in BacTrack
140
http://www.metasploit.com
Metasploitable
141
Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5

image. A number of vulnerable packages are included, including
an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki,
twiki, and an older mysql.
http://blog.metasploit.com/2010/05/introducing-metasploitable.html
http://www.metasploit.com/documents/express/Metasploitable.zip.torrent
142
Integrated Tools
143
Tools Classification
Tools integrated in AlienVault can be classified into two categories

according to the behavior of these tools within the network being
monitored.
Active: They generate traffic within the Network that is being

monitored.
Passive: They analyze network traffic without generating any traffic

within the monitored network.
The passive tools require a port mirroring/port span configured in the network
equipment to be able to analyze all traffic of the monitored network/s.
144
Snort
NIDS
Snort is a free and open source network intrusion prevention

system (NIPS) and network intrusion detection system (NIDS).
145
PASSIVE TOOL
http://www.snort.org
Snort generates security events when analyzing the network traffic
Snort combines signature, protocol, and anomaly-based

inspection
Utility within AlienVault:
Port scans
Worms
Malware
Policy violations (P2P, IM, Porn, Games...)
Snort
PASSIVE TOOL
NIDS
Policy violations
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Megaupload file download service access";
flow:to_server,established; content:"GET "; depth: 4; uricontent:"/?d="; content:"|0d 0a|Host\: "; content:"megaupload.com"; within:25;
nocase; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009301; reference:url,www.emergingthreats.net/cgi-bin/
cvsweb.cgi/sigs/POLICY/POLICY_Download_Services; sid:2009301; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Porn-Sports-Gambling site designed to bypass
restrictions"; flow:to_server,established; content:"Host\:"; nocase; pcre:"/Host\:[^\n]+\.(bodog|bodogbeat|bodognation|bodogmusic|
bodogconference|bodogpokerchampionships)\.com/i"; reference:url,www.bodog.com; classtype:policy-violation;
reference:url,doc.emergingthreats.net/2003100; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/
POLICY_bodog.com; sid:2003100; rev:4;)
Malware
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download,
rogue antivirus (IAInstall.exe)"; flow:established,to_server; uricontent:"/download/IAInstall.exe"; nocase; classtype:bad-unknown;
reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/
CURRENT_Malwareurl_top_downloads; reference:url,doc.emergingthreats.net/2010447; sid:2010447; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: (msg:"ET MALWARE 404 Response with an EXE Attached - Likely
Malware Drop"; flow:established,from_server; content:"HTTP/1.1 404 Not Found|0d 0a|"; depth:24; content:"|0d 0a 0d 0a|MZ"; distance:
0; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2009028; reference:url,www.emergingthreats.net/cgibin/cvsweb.cgi/sigs/POLICY/POLICY_404_EXE; sid:2009028; rev:2;)
146
Snort
PASSIVE TOOL
NIDS
Virus and Trojans

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET VIRUS Bugbear@MM virus via SMTP"; flow: established; content:"uv
+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQk/xWcEQmDxCTD";
reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; classtype: misc-activity;
reference:url,doc.emergingthreats.net/2001764; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_BugBear;
sid: 2001764; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM UPX encrypted file download - possible worm"; flow: established;
content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE";
distance: 0; content:"|00|code|00|"; content:"|00 C0|text|00|"; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001047;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/WORM_Suspicious_Extensions; sid: 2001047; rev:6;)
Scans
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET SCAN Unusually Fast 403 Error Messages, Possible Web
Application Scan"; flow:from_server,established; content:"HTTP/1.1 403"; depth:13; threshold: type threshold, track by_dst, count 35,
seconds 60; classtype:attempted-recon; reference:url,www.checkupdown.com/status/E403.html; reference:url,doc.emergingthreats.net/
2009749; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_403; sid:2009749; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"ET SCAN Rapid POP3 Connections - Possible Brute Force Attack"; flags: S,
12; threshold: type both, track by_src, count 10, seconds 120; classtype: misc-activity; reference:url,doc.emergingthreats.net/2002992;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_General_Services; sid: 2002992; rev:5;)
147
Ntop
Network Monitor
Ntop is a network probe that shows network usage in a way

similar to what top does for processes. Ntop is a network and use
monitor.
148
PASSIVE TOOL
http://www.ntop.org
Ntop provides information (Real-time and historical) of the network

usage
Usage network statistics
Assets information
Time and activity matrixes
Real-time session monitoring
Ntop - RRD Aberrant Behaviour
149
PASSIVE TOOL
Network Anomalies
Analyzing the historical data, Ntop uses the RRD Aberrant

Behaviour algorithm to draw predictions of future behaviour of
our assets and networks.
If the prediction differs from the real traffic an event is generated

in AlienVault
PASSIVE TOOL
Fprobe
NetFlows generator
Fprobe is a tool that collects network traffic data and emits it as

NetFlow flows towards the specified collector (NFdump in
AlienVault).
-
http://fprobe.sf.net
NetFlows
AlienVault Sensor running Fprobe emits NetFlows when collecting

the network traffic (Port mirroring / HUB / Network tap...)
The AlienVault Web Interface (Framework) runs the Netflow collector.

NetFlows
The major manufacturers implement into their devices the ability to

150Netflows. in this case is not necessary using Fprobe.
send
PASSIVE TOOL
NFDump
Netflows collection
The nfdump tools collect and process netflow data

-
http://nfdump.sourceforge.net/
NetFlows
NFDump runs in the box running the AlienVault Web Interface

NetFlows
151
NFSen
NFSen is a graphical web based front end for the nfdump

netflow tools.
-
152
Web Based Tool
http://nfsen.sourceforge.net/
NetFlow is a network protocol developed by Cisco Systems to run on Cisco IOSenabled equipment for collecting IP traffic information.
It is supported by platforms other than IOS such as Juniper, Linux, FreeBSD or

OpenBSD.
OCS
Inventory
Agent
Open Computer and Software Inventory Next Generation (OCS

inventory NG) is free software that enables users to inventory their
IT assets.
153
ACTIVE TOOL
http://www.ocsinventory-ng.org
OCS-NG collects information about the hard- and software of

networked machines running the OCS client program ("OCS
Inventory Agent").
Utility within AlienVault
Inventory Management (Software & Hardware)
Policy violations
Hardware monitoring
Nagios
Availability Monitor
Agent - Web
Nagios is a computer system and network monitoring software

application.
It watches hosts and services, alerting users when things go

wrong and again when they get better.
154
ACTIVE TOOL
http://www.nagios.org
Multiple checks (Different complexity) can be configured in Nagios.

E.g.: MySQL Server
Check whether the host is up or not
Check whether the MySQL port is opened or closed
Check whether there is a MySQL listening in that port
Do a query and check the result
Nagios
155
ACTIVE TOOL
Agent - Web
Availability monitoring (As any other Data Source)
Availability monitoring by request (During Logical Correlation)
Nagios can do checks remotely or with agent deployed on the

host that is being monitored.
Nagios has a wide number of plugins to monitor different devices

and applications.
OpenVas
OpenVAS (Open Vulnerability Assessment System) is a framework

of several services and tools offering a vulnerability scanning and
vulnerability management solution.
156
ACTIVE TOOL
http://www.openvas.org
OpenVas uses signatures to identify vulnerabilities in the host of

our network.
Utility within AlienVault
Attacks prevention (We know what is vulnerable)
Is the network policy being violated?
Shared folders, forbidden activities...
Compliance monitoring
OpenVas
Some vulnerabilities can only be verified after actually exploiting

them (E.g.: DOS)
OpenVas allows scanning aggressiveness fine-tuning.
OpenVas is able to perform local scans on remote machines if

valid credentials for them are provided.
The OpenVas component scanning the network is installed by

default in each AlienVault Sensor
Mis-configured scans may severely impact the scanned network. After installation,
the first scanning profiles have to be defined and watched over very carefully.
157
ACTIVE TOOL
Nikto
158
Nikto is an Open Source (GPL) web server scanner which

performs comprehensive tests against web servers for multiple
items
ACTIVE TOOL
http://cirt.net/nikto2
Nikto scans web servers to find potential problems and security

vulnerabilities, including:
Server and software misconfigurations
Default files and programs
Insecure files and programs
Outdated servers and programs
OSVDB
159
Database
OSVDB is an independent and open source database created by

and for the security community.
The goal of the project is to provide accurate, detailed, current and

unbiased technical information on security vulnerabilities.
http://www.osvdb.org
Usage within AlienVault

-
Correlation rule creation
Vulnerability identifier cross-relation
Complements OpenVas scanning information
OSVDB
160
Vulnerability Description
Indicators and references
Database
OSVDB
161
Tool relationships
CVSSv2 Score (Common Vulnerability Scoring System):
Database
ACTIVE TOOL
OSSEC
http://www.ossec.org
OSSEC requires an agent to be installed for monitoring. (Except

ssh-accesible systems)
OSSEC Agent-less collection

SSH-accessible system
OSSEC Agent for Windows System
The OSSEC Server runs in the AlienVault Sensor
OSSEC Agent for MacOSX
162
Agents
OSSEC is a HIDS (Host-level Intrusion Detection System) that

features log analysis, rootkit detection, system integrity checking
and Windows registry monitoring.
HIDS
OSSEC
163
ACTIVE TOOL
OSSEC is based on a client -> server architecture, AlienVault

collects events from the OSSEC server (Installed in the AlienVault
Sensor).
OSSEC provides its own plugin system used for Windows and
UNIX tool analysis.
Utility within OSSIM:
Windows and Unix log collection
Application log collection
Registry, file and folder monitor (DLP)
HIDS
Agents
Kismet
164
PASSIVE TOOL
WIDS
Kismet is an 802.11 layer2 wireless network detector, sniffer, and

intrusion detection system.
http://www.kismetwireless.net
Kismet will work with any wireless card which supports raw
monitoring (rfmon) mode, and (with appropriate hardware) can sniff
802.11b, 802.11a, 802.11g, and 802.11n traffic.
Securing WIFI network.
Rogue AP detection
Compliance enforcement (PCI Wireless requirements)
Nmap
Nmap is a security scanner used to discover hosts and services

on a computer network
165
ACTIVE TOOL
http://www.nmap.org
Nmap provides customizable options for host and network

scanning (Speed, range, precision)
Asset Discovery
Open port discovery
Service version discovery
Operating System manufacturer and version discovery
Scanner
P0f
P0f is a versatile passive OS fingerprinting tool
166
http://lcamtuf.coredump.cx/p0f.shtml
Passive Operating System detection based on traffic pattern

analysis.
Operating System changes
Unauthorized network access
PASSIVE TOOL
OS Fingerprinting
Pads
167
Services Fingerprinting
PADS is a signature based detection engine used to passively

detect network assets.
PASSIVE TOOL
http://passive.sourceforge.net
Service version changes
Policy violations
Inventory correlation
Arpwatch
168
MAC Fingerprinting
Arpwatch is an ethernet monitor program that keeps tracks of

ethernet/ip address pairing
PASSIVE TOOL
http://ee.lbl.gov
IP address change detection
ARPSpoofing
Nedi
169
Network Discovery
NeDi is an open source network management framework which

uses scheduled discovery to examine your network.
ACTIVE TOOL
http://nedi.ch
NeDI requires SNMP read access for all network hardware.
170
Basic Concepts
171
Detection
The process of identifying behaviour that leads to the generation of

an event is called Detection.
Multiple elements are used by AlienVault to provide detection

capabilities:
Snort, Ntop, Arpwatch (Data Sources included in AlienVault)
Existing corporate applications/tools
Tools that have been deployed prior to AlienVault installation

(Firewalls, Antivirus)
139
Firewall
Traffic Dropped Port 139
172
ET VIRUS W32.Opaserv Worm Infection
Collection
The task that determines which events shall be collected into

AlienVault is called Collection. Collection is done by the AlienVault
Sensors
AlienVault can collect events using multiple methods, some of

them require configuring the Data Source to send events to the
AlienVault Sensor (E.g.: Syslog, FTP...). When other collection
methods are use the AlienVault Sensor gathers the events from the
application or device (WMI, SQL, SCP...)
AlienVault uses regular expressions to determine the format in

which the events will be arriving at the system
Syslog
SQL
WMI
173
The Regular Expression in the AlienVault

Sensor determines filters the events that
have to be collected.
Normalization
The process of translating the events generated by different tools

into an unique and normalized format is called Normalization
Normalization is done in the AlienVault Sensor
Information is normalized using regular expressions
Mar 22 20:40:15 ossim-A su[27992]: Successful su for root by root
event type="detector" date="2008-03-22 20:40:15" sensor="192.168.1.109" interface="eth0"

plugin_id="4005" plugin_sid="2" src_ip="192.168.1.109" dst_ip="192.168.1.109" username="root"
log="Mar 22 20:40:15 ossim-A su[27992]: Successful su for root by root"
174
Data Source
175
A Data Source is any application or device that generates

information collected by AlienVault
The AlienVault Sensor includes a number of applications that are

used as Data Sources within the AlienVault Deployment
AlienVault can collect events from any Data Source by using a

Data Source Connector
Data Source Connector
A Data Source Connector (Formerly called Plugins) is a piece of

data complementing the agent and allowing it to normalize and
understand a certain type of Data Source (Application or device)
Two files make up a Data Source Connector:

.cfg:
Event location (Filename, Database)
Regular expressions
Normalization rules
.sql:
176
Contains the generator plugin_id and a plugin_sid for each of the

normalized events which well later use within the system.
Correlation
177
Correlation is the process of transforming various input data into a

new output data element
Using AlienVault we can transform two or more input events into a

more reliable output event
Event
178
Any log entry generated by any Data Source at application, system

or network level will be called an event.
For AlienVault it is important to know:
When has the event been generated?
What is involved? (Systems, users, )
Which application generated the event?
Whats the event type?
Data Source ID
The Data Source ID (Formerly known as Plugin_id) is a unique

number used by AlienVault to identify each of the Data Source
types that send events to AlienVault
This number is used in correlation rules and when defining Policy

Rules
Range reserved for user created Data Source connectors:

9000-10000
Data Source ID = 1001-1500
179
Data Source ID = 1501
Event Type
The Event Type (Formerly known as Plugin_sid) is a unique number

(WIthin each Data Source) that identifies the different events a Data
Source is able to generate.
The Event Type always has to be associated to a Data Source ID,

since multiple Data Source ID can share common Event Types.
(E.g.: 404 Event Type in Apache and IIS)
Whenever possible we recommend using the error code (If it is

numeric) of the event as the Event Type ID.
404 Apache Event

Data Source ID = 1501
Event Type = 404
180
Asset
An Asset is any device available on a network that is being

monitored by AlienVault
Assets in AlienVault have a value (0-5). Each Asset will have a

different value depending on their task within the network
Assets in AlienVault:
Network Group
Network
Host Group
Host
181
Asset Value
Every Asset in AlienVault has an Asset Value (0-5)
Assets not defined within the AlienVault Inventory have a default

Asset Value of 2
Assets will have different values depending on their role within the
monitored network
E.g.: A printing company
E.g.: A company offering Web hosting
182
Printers will be a very high asset value
Web servers and database servers will be a valuable asset while

printers on the other hand wont be so important.
Asset Value
While the events are being processed the AlienVault system needs
to know the Asset Value of every Asset (Correlation and Policy
rules)
If the Asset has not been defined in the AlienVault Inventory, the
AlienVault system will try to get the Asset value of biggest Assets
this host may belong to
1st - Host
3rd - Network
Asset value of the Host if it has

been inventoried in the AlienVault
Asset value of the Network The

Asset belongs to (If any)
183
Default Asset Value

If the system can not find the value
of the Asset it will take 2 as Asset
2nd - Host Group
4th - Network Group
Asset value of the Host Group the

Asset belongs to (If any)
Asset value of the Network Group

The Asset belongs to (If any)
Event Priority
184
Priority is the importance of the event itself, it is a measure which

tries to determine the relative impact an event could have in our
network.
Priority is a value between 0 and 5
0 No importance
1 Very Low
2 Low
3 Average
4 Important
5 Very Important
Event reliability
Reliability determines the probability of an attack being real or not.
At this time were not determining if the event is a false

positive or not (Think about the event as part of an attack or
problem)
185
E.g.: A single authentication failure. Would yo be able to determine if

it is a real attack (Brute Force attack) using a single event?
Reliability can be a value between 0 and 10
0 False Positive
1 10% chance of being an attack
2 20% chance of being an attack
10 Real attack
Event Risk
The SIEM calculates a risk for each event processed in the SIEM
The Event Risk is a numeric value (0-10)
Event Priority = 2
Source
Destination
Event Reliability = 10
Source Asset Value = 2
Destination Asset Value = 5
RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY)/25

In events having two different Asset Values (Source and Destination) we will always take the highest one
186
Asset Value = 0-5

Priority = 0-5
Reliability = 0-10
Event Risk = 0-10
Alarm
187
Any event whose risk is greater or equal than 1 will become an

alarm.
An alarm is a special type of event since it can have more than one
event originating it.
Correlation doesnt generate alarms per se, it will generate new

events that may or may not become alarms.
Aggregated Risk
Apart from calculating a risk value for each event, the AlienVault
SIEM also maintains an Aggregated risk indicator for each asset of
our network
This aggregated risk risk is stored in two properties of each asset

within AlienVault
Compromise: Compromise means a network element is generating

lots of events as source, this is, its behaving like if its been
compromised
Attack: Attack is a value that measures the level of attack an

element has received in our network, that is, how much it has been
attacked
C
188
A
Attacker
Target
Compromise
Compromise value is increased by taking into account the risk of

the event calculated using the Asset Value of the source (The
Asset value of the destination is ignored even it is higher)
This value increases the compromise value of the host, the

compromise value of the host groups, networks and network
groups the host belongs to, as well as the global compromise
value
Event Priority = 2
Source
Destination
Compromise level increase = (Source Asset Value * Event Priority * Event Reliability) / 25
Compromise level increase = (2*2*10) / 25 = 1.6
189
Attack
Attack value is increased by taking into account the risk of the

event calculated using the Asset Value of the destination (The
Asset value of the source is ignored even it is higher)
This value increases the attack value of the host, the attack value
of the host groups, networks and network groups the host
belongs to, as well as the global attack value
Event Priority = 2
Source
Destination
Attack level increase = (Destination Asset Value * Event Priority * Event Reliability) / 25
Attack level increase = (5*2*10) / 25 = 4
190
Recovery
191
No event ever reduces the level of attack and compromise
The attack and compromises level is reduced every 15 seconds by

subtracting a number of units
The number of units subtracted every 15 seconds is called

Recovery Value
This value is a custom value in each deployment and can be

adjusted using the configuration
This value is used to maintain a constant level of Compromise and

Attack for the system to alert when something weird is happening
Compromise and Attack
The vast majority of events has a certain risk, thats why its
common for our asset to have a certain attack and compromise
level.
E.g.: A web server exposed to the network will always have a high
attack value.
Its important to determine and configure which attack and

compromise levels we deem acceptable for each of our assets as
well as for the total of our system (Configure the threshold)
C
192
SIEM & Logger
193
AlienVault Server Role
Collecting events sent by the AlienVault Sensors
Risk assessment for each event
Aggregated Risk calculation
Correlation
Events storage (SIEM & Logger)
Multilevel
194
Information exchange with other servers (Events, alarms, policies,

inventory objects...)
SIEM & Logger

Logger
SIEM
SQL Storage
195
EVENTS
Risk Assessment
Log Signature
Policy
Policy
Collection
Collection
EVENTS
Disk Storage
Correlation
SIEM: Correlation
196
Correlation: From many input data we obtain new output data.
The correlation engine uses multiple events to generate new

eventswith higher reliability
AlienVault implements 3 types of correlation:
SIEM: Correlation
197
The correlation engine generates new events that are re-injected to

the SIEM and processed as if they were coming from a Sensor
(Policies can be applied to those events)
During correlation no alarms are generated, only events
The events generated during the correlation process can become

alarms once the risk assessment is done for these events.
SIEM: Correlation
SIEM
198
Correlation
Risk Assessment
Policy
Collection
EVENTS
SQL Storage
Logical Correlation
199
Using the logical correlation new events are generated using the
information provided by the detectors and monitors.
Logical correlation is configured using Correlation directives.
The events generated during this type of correlation will have and
new prirority and reliability values.
Logical Correlation
Directives are defined through logical trees in which the horizontal

axis defines an OR operation and the vertical one defines an AND
operation.
First Correlation level
Second Correlation level
Third Correlation level
200
Logical Correlation
201
Logical Correlation
202
Types of DS Connectors
203
Two types of events feed the Logical Correlation Engine
Detectors: They offer events (Snort, Firewalls, Antivirus, Web

servers, OS events..)
Monitors: They offer indicators (Ntop, Tcptrack, Nmap, Webs,

Compromise & Attack...)
Logical Correlation
204
The Detectors are constantly sending information to the

correlation engine.
The Monitors offer information to the correlation engine in request

by the AlienVault SIEM during the correlation process.
Some applications can be used with both detectors and monitors

functionalities
Vulnerability Scanner
Active Directory
...
Cross-correlation
The Cross-correlation relates two different types of events
When the related events are in the database within the same host
involved, the cross correlation will generate a new event.
E.g.: A and B are two events linked using the cross-correlation
The cross-correlated event will have as priority the sum of the

priorities of the related events. Same happens with the reliability.
(Max priority 5, Max reliability 10)
Priority
Event A
Reliability
Event A
205
+
+
Priority
Event B
Reliability
Event B
Priority
of the new event
generated during
cross-correlation
Reliability
of the new event
generated during
cross-correlation
Cross-Correlation
Vulnerability: IIS Remote Command Execution
Vulnerability Scan
Host A
Sensor
Cross-correlated Event
Attack
Attacker
Host A
Attack: WEB-IIS multiple decode attempt
206
Cross-correlation
207
Most of the cross correlation rules relate IDS events (Snort) with
vulnerabilities (OpenVas, Nessus...)
New Cross-correlation rules can be defined in the Web interface:

Intelligence & Actions -> Cross Correlation
Inventory Correlation
208
The Inventory Correlation executes the following tasks:

1.
For each attack the system checks whether it has information of the
attacked host within the AlienVault inventory.
2.
Using the OSVDB database the SIEM knows the OS, services, and
versions that
Multilevel Correlation
Distributed Correlation
Correlation Level 3
SIEM
Correlation Level 2
SIEM
SIEM
Correlation Level 1
SIEM
SIEM
Sensor
209
Sensor
Sensor
Sensor
Multilevel Correlation
In multilevel deployments such as SOC or MSSP it may be

interesting to correlate events from different corporations to detect
global infections.
Correlation level 4!
Global infection !
National infection!
Corporate infection!
Department infection!
210
AlienVault Web interface
211
212
In case you have installed a Web Interface Profile or an all-in-one

profile you will be able to connect to the AlienVault Management
interface by pointing your favorite internet browser to the IP
Address of your AlienVault system
Default user and password is admin/admin
Default User - Password
Default User - Password
AlienVault is installed by default with a single user. This user will always
keep special permissions within the AlienVault system (Permissions to
monitor all assets and all menu options enabled).
The default user is admin with admin as password.
Reset Default User - Password

To reset the admin type this command in the linux console.
213
# ossim-reset-password admin
This command can be used to change the password of any user from the
console. Anyway, an administrator user will always be able to change the
password of another user using the AlienVault Web Interface.

Main Window
Main
Menu
User Profile and Session Information

214
Status Bar
Dashboards
215
Content:
Customizable dashboards and metrics
Customizable Maps (Availability, Risk and Vulnerability Indicators)
Risk Metrics
Menu Options:
Dashboards
Risk
-
Risk Maps
Risk Metrics
Incidents
Content:
Alarms (Security Incidents)
AlienVault ticketing system
Knowledge DB
Menu Options:
Alarms
Alarms
Reports
Tickets
Tickets
Reports
Knowledge DB
216
Knowledge DB
Analysis
Content:
SIEM and Logger Forensic Console
AlienVault Detection Utilities
Menu Options:
SIEM
SIEM
Statistics
Logger
Vulnerabilities
Vulnerabilities
Reports
Scan Jobs
Threats Database
Detection
217
Logs
NIDS
HIDS
Wireless IDS
Anomalies
Reports
Content:
AlienVault reporting system
Menu Options:
Reports
218
Reports
Modules
Layouts
Scheduler
FOSS Reports
Assets
Content:
Asset Search
Asset Discovery
Menu Options:
Assets
Structure
Hosts
Host Groups
Network
Network Groups
Ports
Asset Search
Asset Search
Asset Categories
Asset Discovery
219
Spot Scan
Intelligence
Content:
Policy rules - Responses configuration
Correlation Rules
Compliance
Cross Correlation rules
Menu Options:
Policy & Actions
Policy
Actions
Correlation Directives
Directives
Properties
Backlog
Compliance Mapping
ISO 27001
PCI DSS
Cross Correlation
220
Rules
Situational Awareness
Content:
Network monitoring
Netflow management
Network Profiles
Availability Monitoring
Inventory Summary
Menu Options:
Network
Traffic
Profiles
Availability
221
Monitoring
Reporting
Inventory
Inventory
Configuration
Content:
AlienVault Configuration
User Management
Collection Configuration
Backup Management
Menu Options:
Main
Collection
Simple
Data Sources
Advanced
DS Groups
Customize Wizard
Custom Collectors
Taxonomy
Downloads
Users
Configuration
User activity
SIEM Components
Network Discovery
Passive Network Discovery
Sensors
Nedi
Servers
Active Directory
Databases
Software Upgrade
Backup
222
Upgrade Notification
SIEM Backup
User Management
223
Multi-tenant Architecture
Entities Definition: Groups, Departments, Companies
Assign user permissions to entities (Templates)
Simplifies AlienVault User Management
AlienVault Admin users for each entity
Open Source SIEM
AlienVault SIEM
Hosts
Hosts
Host Groups
Host Groups
Networks
Networks
Network Groups
Network Groups
Departments
Corporations
Assets!
224
Users!
AlienVault
Components!
Entity !
Your own entity
Multi-tenant Architecture
Alienvault!
UNIFIED SIEM!
Development!
Web
development!
R&D !
OPEN !
SOURCE!
225
10.0.0.0/24!
Sales!
192.168.3.0/24!
172.18.1.0/24!
210.2.2.2!
EMEA!
APAC!
192.168.8.0/24 !
192.168.2.0/24 !
Entities
226
An entity is a virtual grouping of objects within the AlienVault

inventory (Hosts, Host Groups, Networks and Network Groups...).
Entities can be used to create departments, organizations,

companies or whatever kind of group is needed to simplify the
asset management.
Templates
227
Open Source SIEM: Permissions assigned directly to users
Unified SIEM: Permissions assigned using templates. Templates

assigned to entities the users belong to
Templates
Template definition:
1. Assign user permissions
2. Link the user template with an entity
228
The same Template can be used in multiple entities
Users can inherit permissions from higher entities
User permissions
229
Permissions are assigned using
Sensors
Networks
Sections in the Web Interface the user will have access to
User permissions: Inventory
230
Link the Assets to the Sensor or Sensors that will collect

events or traffic of the Asset
Assets -> Assets -> Host
Assets -> Assets -> Host Groups
Assets -> Assets -> Network
Assets -> Assets -> Network Groups
Admin Users
231
The Admin Users will always keep special permissions
Visibility over all assets
No Menu restrictions
Access to
Manage users (Delete, Modify and create users)
Access to some menu options only available for Admin users
Admin users within each entity can only manage users within the entity they
belong to
User configuration
232
Configuration -> Users -> Password Policy
Compliant User Mangement
Policies
233
AlienVault Policies
234
Policy -> Intelligence & Actions -> Policy
Policy section allows you to configure how the system will process
the events once they arrive to the AlienVault Server
Policy rules are used to create exceptions. E.g.:
Do not store in the SQL Database
Do not correlate
Correlate and forward to another SIEM. Do not store in the SQL

Database
AlienVault Policies
By default the all the events arriving to the AlienVault Server are
processed by both SIEM and Logger.
In the case of SIEM the system provides extra intelligence and

data-mining capabilities processing the events by performing the
following tasks:
235
Risk assessment
Correlation
Forwarding
SQL Storage
In the case of Logger the system will sign the events to ensure
integrity so that they can be used as an evidence in trial.
When are the policies applied?

Logger
SIEM
SQL Storage
236
EVENTS
Risk Assessment
Log Signature
Policy
Policy
Collection
Collection
EVENTS
Disk Storage
Correlation
Policy Conditions
237
Source: Host, host groups, networks, or network groups as the

source in the events that have to match the policy
Destination: Host, host groups, networks, or network groups as

the destination in the events that have to match the policy
Ports: Port in which the event have been collected
DS groups: Types of event matching the policy rules
Sensors: Sensors that have collected the events
Install in: Servers in which the policy will be installed (Multilevel

topologies)
Policy Consequences
Actions:
Send an e-mail
Execute a Command
Change priority of the events
SIEM
Qualify events (Calculate a risk for the events)
Correlate events (Logical correlation)
Cross Correlate events (Cross-correlation)
Store events (SQL Storage)
Logger
238
Sign
Multilevel
Forward alarms
Forward events
Actions
239
Once the conditions defined in a policy have been met, the system
can execute an action (Or multiple actions)
Sending an e-mail or running a command can be configured using

some keywords that will be replaced with the values of the events
that have matched that policy.(PLUGIN_ID, SRC_IP, DATE...)
Policy order
240
Policy rules are applied in descending order and when an event

matches a rule, the system will stop processing that event, so that
it will not be able to match any other policy rule defined
subsequently.
The generic policy rules should be always defined after the policy
rules used to configure exceptions for certain events.
Examples of Policy rules
241
Apache events
All events are stored in the Logger
All events go to to the correlation engine (SIEM)
Only some events are stored in the database
Firewall events
All events are stored in the Logger
All events go to to the correlation engine (SIEM)
Only DROP, DENY and configuration changes events are stored in

the database
242
Logger
243
AlienVault Logger
244
The Logger allows for storage of large volumes of data while

ensuring its admissibility as evidence in a court of law.
The Logger provides an additional database specifically geared for

massive, long-term forensic archiving.
The Logger collects data in its native format, digitally signs and
time-stamps the data, and securely stores it preserving data
integrity; whereas the SIEM database is designed for the rapid and
versatile analysis required for attack detection and response.
Logger Console
Time frame selection clicking
on the graph
Custom Time Frame

selection
Events in the Logger
245
Logger Search Box
Predefined Time
Frame selection
Remote Loggers
246
If multiple Loggers are deployed it is possible to manage them

remotely using a single Web Interface
Make sure the Logger is configured at Configuration -> SIEM Components -> Servers
Select the Logger or Loggers you want to query in the Logger Console at Analysis ->
Logger -> Logs
In the events view, each Logger will be identified by a different color
Query the Logger
247
The search for events stored in the Logger implements auto-completion based on the text that
you type. For example, if you enter a host name, the system will suggest to search for that value
in the host field of the events.
The following syntax can be used when searching over the events in the Logger:
sensor: Ip address or name of the AlienVault Collector that collected the event. E.g.:
sensor=Vegas sensor=172.2.2.1
src: Source of the event in IPV4 format or name of the host used in the AlienVault inventory.
E.g.: src=192.168.2.1 src=Web_2000
dst: Destination of the event in IPV4 format or name of the host used in the AlienVault
inventory. E.g.: dst=192.168.1.1 dst=gateway
plugin: Name of the plugin (Data Source connector). E.g.: plugin=snort
plugingroup: Name of the plugin group. E.g.: sourcetype=Facebook_events
src_port: Source Port. E.g.: src_port=34000
dst_port: Destination Port. E.g.: dst_port=80
sourcetype: Filter by product type (Taxonomy based filters) E.g.: sourcetype=Firewall
data: Searches the value associated to this variable in the text of the original event. E.g.:
data=Failed Password
Export data
248
To use the data stored in the Logger as an evidence in court it is

required exporting the data to be analyzed using a 3rd party tool
Query the Logger after entering the search criteria and click on
Exports
Logger Stats
249
Shows the stored events separated by Sensors, Event types, Data

sources and Destination.
Logger troubleshooting
250
Any Policy rule not sending all events to the Logger?
Logger enabled in Configuration -> SIEM Components -> Logger
Logger signature configuration at /etc/ossim/server/config.xml
Vulnerability
Management
251
Vulnerability
252
A vulnerability is a weakness which allows an attacker to reduce a

system's information assurance.
Vulnerability is the intersection of three elements: a system

susceptibility or flaw, attacker access to the flaw, and attacker
capability to exploit the flaw.
Objectives
253
Feed the cross

correlation
engine!
Metrics of the
vulnerability
level!
Prevention of
possible
attacks!
Feed the logical

correlation
engine!
OpenVas
254
Architecture based on plugins
Own language to write rules
Own programming language rules
Comprehensive database of vulnerabilities
Scalable
Does not require installing any software on the scanned hosts
Simultaneous scans
Scheduled scans
Nessus
255
Nessus Vulnerability Scanner is also supported by AlienVault (Up to

4.0.2)
Nessus is a proprietary comprehensive vulnerability scanning

program
It is free of charge for personal use in a non-enterprise

environment
Scanning Operation
1. Port scanning against every target within the scan.
2. The scanner does a series of tests to verify whether the existing
services at each port are particularly vulnerable to attack
The remote host is missing the DSA-1996 security update
A vulnerable SMB server is running on the remote host.
Sensor
Default user and password enabled in the running service
256
It is important to maintain good OpenVas configuration because

some of the tests may cause service falls in some applications or
devices
Security Analysis
257
Analysis Process
Metrics
258
Incidents
Events
Vulnerabilities
Inventory
Analysis Process
1. Dashboard -> Dashboard
2. Dashboard -> Risk
3. Incidents -> Alarms
4. Incidents -> Tickets
5. Analysis -> SIEM
6. Analysis -> Logger
7. Analysis -> Vulnerabilities
8. Assets -> Asset search
9. Report -> Reports
259
Status Bar
Global Status of the
Monitored Networks (Red,
Orange or Green)
Number of opened Tickets
Number of unresolved
Alarms (Opened Alarms)
Higher priority within the

opened tickets
Higher risk within the

opened alarms
Service Level: Decreases

while the Attack and
Correlation level increase
If the service level remains at 100 we should check the recovery value and
whether the events are being collected or not.
260
Executive Panel
Executive
Security
Taxonomy
Tickets
Metrics and graphs that

provide an overview of the
network.
Information about alarms and

events stored in the system.
Statistics based on the

taxonomy of the events stored
in the SIEM.
Statistics based on the

AlienVault ticketing System.
Important to pay attention to

the volume of alarms and
events generated in the day
compared to previous days.
The Top 10 Events and Alarms
is also a interesting indicator as
we can easily know the types
of events and alarms that are
generating the highest volume
of occurrences.
The graph showing the
cumulative risk (C & A) for the
most conflicting hosts.
261
Important to pay attention to

host with many events and to
those host that have a
promiscuous behavior.
This page displays events

grouped by Data Source,
events grouped by Device or
Tool.
Pay attention to the graph
showing Authentication Login
vs Failed Login events. as well
as the graphs showing events
providing information about
hosts infected by some kind of
malware or exploit.
Pay attention to the amount of

automatically generated tickets
Executive Panel
Vulnerabilities
Compliance
Network
Report of performed
vulnerability scans.
Graphs generated using

information of compliance
reports, mainly PCI DSS and
ISO 27001.
Graphs and statistics on the

use of the network.
Pay attention to the hosts and

network with more
vulnerabilities.
Most of these charts are taken

from the network and usage
monitor (Ntop).
Important to monitor that no
abrupt changes have occurred
and compare the data
provided with the prediction
made by the tool.
262
Dashboards
263
Pay attention to:
Big changes in graphs
Service loss
Events with a lot of occurrences
Conflicting hosts
Compromise & Attack
Big change in graph
Risk Maps
264
Dashboards -> Risk -> Risk Maps
Shows the risk, vulnerability and availability levels for any asset in
the AlienVault inventory
Risk
Vulnerability
Availability
Risk Metrics
265
Dashboards -> Risk -> Risk Metrics
Asset with high Aggregated risk (Compromise and Attack Level)
Risk Metrics
Time Frame selection (Last day, Last
Week, Last Month, or Last Year)
Historical data of the global

Compromise and attack values
(Red = Attack, Blue = Compromise)
266
Service level (It decreases while the

Global Compromise and Attack is
increasing) Shows the service level of
the last 24 hours.
Access the attack and compromise

level in real-time
Risk Metrics
Internal attack (Symmetry between
Red and Blue areas) between assets
or network with the same value
The historical C & A values is calculated for

those objects defined within the AlienVault
inventory. If an attack is coming from an
outside network, we would only see the red
area.
267
Risk Metrics
We can click in the red/blue area of the
global graph to see in detail what happened
at that moment.
The system will show the disaggregated

graphs for every IP address that was
involved in generating the global graph
268
Risk Metrics
Every object in the AlienVault inventory has an Attack and

Compromise Threshold
The table shows those hosts or network that have overcome their
threshold
Metric over 100% threshold

269
Risk Metrics
270
Pay attention to:
Those hosts and networks that have overcome their threshold
Anomalies in Compromise and Attack Graphs
Internal attacks
Attacks from your network
Service level falls
Service level always at 100%:

-
Recovery value too high?
Is AlienVault collecting events?
Alarms
271
Incidents -> Alarms
An alarm is a special event that may depend on other event (When

the event becoming alarm was generated during Logical
Correlation)
Alarms
Filters and actions
Filter by alarm name, sensor and

directive ID
Time Frame selection (Last day, Last

Week, Last Month, or Last Year) and
alarms shown per page
272
Delete and close alarms (
Alarms
Date of the first and last event
belonging to the alarm
Close the alarm
Risk of the Alarm
Name of the Alarm

Sensors that have collected
events that have generated
this alarm
273
Source and
Destination IPS
Open a ticket in the

Ticket Management
system
Alarms
The IP address
belongs to the
AlienVault Inventory
The IP address does not

belong to the AlienVault
Inventory and it belongs to
an US network
274
The IP address belongs to

the AlienVault Inventory and
it is a Linux host
Alarms
More than 4000 events
were correlated within the
Correlation rule that
generated this alarm
275
Alarms
Click to display the events

that matched each
correlation level
276
Alarms
Clicking on an event, the

system will show the original
event stored in the database
277
Alarms
278
Pay attention to:
Alarms with higher risk
Repeated Alarms
Unique Alarms -> New types of alarms
Alarms with lots of host involved
Sources of attacks (Geolocation)

-
IP addresses from countries that dont work with our corporation
Host having contact with many different countries (P2P? Worm?)
Alarms
Where do the Alarms come from?

Events generated during correlation process
The alarm may depend on many alarms
Unique event (Event with high priority and reliability)
Only an event
Host with
many
alarms
279
Check the
events from that
host in the SIEM
and Logger
Define new
Correlation
rules
SIEM Events
280
Analysis -> SIEM
Shows the SIEM Events stored in the database
SIEM Events
Predefined time frames
Today
Last 24 hours
Last week
Last two weeks
Last month
All
Time Frame selection

281
SIEM Events
282
Custom time frame
SIEM Events
Event trends (Different graph based on the selected time frame)
No events in the SIEM

before this date
283
Maximum number of events

in the SIEM
SIEM Events
Search Events by:
Timeline analysis
Signature: Name of the event

Payload: Original Log or Payload in Snort events
IP Address (As source or destination)
No events in the SIEM

before this date
Filter by Data Source

Filter by Risk (0-10)
Filter by extra data fields

userdata1-9, username,
password and filename
Access taxonomy filters

Timeline analysis
Filter by DS Group
Filter by Network Group
284
Filter to see only those events whose

source or destination belongs to our
Home Network (It is in the inventory)
SIEM Events
Active filters
Events Statistics
285
Clear all filters
Show all filters
Sensors: Events grouped by sensor
Unique Events: Events grouped by type of event
Unique Data Sources: Events grouped by Data Source
Unique addresses: Events grouped by source/destination
Source/Destination Port: Events grouped by port
Unique country Events: Events grouped by country
SIEM Events
IP search with logical operators (OR & AND)
When clicking on some fields new filters can be applied
When clicking on the IP address

new filters can be applied
286
SIEM Events
287
Trends
Trends will be generated based on the current time frame
SIEM Events
Events per country
You can click in the number of events per

country to access to those events
288
SIEM Events
The values shown in each column can be ordered by clicking in

the column name (Double clicking for reverse order)
Source IP
Name of the event (Event Type)
Date of the
original event
Risk of the
event
Destination IP
Reliability
Priority
Protocol
RIsk
How was the event was originated:

- Logical Correlation
- Cross-correlation
- Event Collection
289
SIEM Events
Clicking in the name of the event gives you access to the original
event (Log or payload)
Event name
Sensor and network interface used to collect the event

Context in which the event was generated
Extra fields
Raw Log
290
SIEM Events
291
In Events generated by Snort some extra information (Ex: TCP

Headers) will be stored.
SIEM Events
292
In Snort events the payload can be downloaded as a pcap file

(Tcpdump, Tcpreplay, Ngrep, Wireshark...)
SIEM Events
293
Analyzing the payload we can check whether it is a false positive

or not
When analyzing Shellcode events (From Snort) we can use the

Shellcode analyzer
SIEM Events
294
Snort Events Payload
The system uses TShark to show low level information about the
capture file
Logger
295
Analysis -> Logger
In the Logger, the events are stored in the file system, using an
AlienVault specific schema of directories and files
Events are stored digitally signed, so they can be used as

evidences in trials
Events are signed using RSA
Defining policies we can configure what goes to the SIEM and

what goes to the Logger
Logger
Time frame selection clicking
on the graph
Custom Time Frame

selection
Events in the Logger
296
Logger Search Box
Predefined Time
Frame selection
Logger
297
The system will automatically generate stats based on the events

stored in the Logger
Analysis Procedures (SIEM)

1. Events with a high risk
2. Events with the highest number of occurrences
3. Hosts with the highest number of events
4. Hosts with a promiscuous behaviour
5. Virus, Trojan, Malware, Spam events
6. Hosts involved in generating alarms
7. Events per country
8. Events per service
9. Strange events (Few occurrences)
298
Analysis Procedure
299
Events with a high risk
Order by risk (Risk column)
Double click for reverse order
Analysis Procedure
Events with the highest number of occurrences
300
Click on Unique events and click on the column named Total
Analysis Procedure
301
Hosts with the highest number of occurrences (As source or

destination
Click on Unique Source or Unique Destination and order by

number of occurrences clicking on the column named Total
If we only want to see those host belonging to our network click on

Home networks Filter by source/Destination
Analysis Procedure
Host with a promiscuous behaviour
In Unique events compare the columns Src. Addr and Dst. Addr.
Many Sources and always the
same destination IP
Just a few sources and many destination IPs

(Worm? P2P?)
302
Analysis Procedure
Host with a promiscuous behaviour
303
Click on Unique source or Unique Destination and order using

the column Dest Addr or Src Addr respectively
Analysis Procedure
304
In the search field (By signature) we can search the following

string: virus OR trojan OR malware OR spam. Once the
search is done, we can click on Unique Events to see all event
types that match this criteria.
Analysis Procedure
305
Hosts matching correlation rules (Events that will probably become

alarm)
Search directive_event (signature search) and click on Unique

Source/Destination to group by host.
Analysis Procedure
Events per country
306
Click on Unique Country Events and the click on the Total of the
countries that seem suspicious.
Analysis Procedure
Events per service
307
Click on Destination Port (TCP | UDP) and the click in the

Occurrences field or Unique Events of those port that seem
suspicious in your network.
Analysis Procedure
Strange Events (Few occurrences)
308
Click on Unique events and order by double-clicking on Total (From

low to high)
Host Information
309
When clicking on any IP address in SIEM events, new filters can

be applied.
External information can be retrieved regarding the IP address

(Whois information, DNS, Blacklists...)

Acsa - Ossim

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Acsa - Ossim

Uploaded by

Copyright:

Available Formats

AlienVault Certified Security Analyst

About this document

ACSA (AlienVault Certified Security Analyst)

Author: Juan Manuel Lorenzo (jmlorenzo@alienvault.com)

Document Version 3.0

Last revision: 01/2011

Product version used: 3.0

Copyright Alienvault 2010

Professionals from Security Information

Basic Linux Skills (Edit files on the command line)

Computer per assistant

AlienVault Virtual Machine

Have you got any problem with AlienVault?

Is there something you always wanted to know about AlienVault?

Do you have any suggestion?

Think about your environment:

Do you have a network map?

How would you integrate this device or application?

What products would suit my needs?

Do I have any compliance requirement? (PCI? ISO?)?

If you have any questions, please tell us

AlienVault Web Interface

Network Security Tools

AlienVault is a SIEM (Security Information and Event Management)

AlienVault: Data Aggregation

Other11supported collection methods: SNMP, SDEE, OPSEC, Socket...

AlienVault: Data Aggregation

DROP 192.168.1.1 21.2.2.2

plugin_id=4503 plugin_sid=21 date="1295472603"

Successful Brute Force Attack?

Brute Force Attack?

No disk space left on the

Worm Detected on Port 80

Policy Violation: P2P Usage

Send a command to the firewall to isolate the attacker

Open a ticket in AlienVault or in any other

Send an e-mail or an SMS to the IT Department

Disable the switch port used by the host

- Forensically secure-storage of RAW Data

And What Makes AlienVault Different?

All SIEM Products

AlienVault Unified SIEM

Comprehensive Vulnerability Management

The remote host is missing the DSA-1996 security update

A vulnerable SMB server is running on the remote host.

Recurrent SNMP Scans

Active / Passive Fingerprinting

SNMP / Agent / Remote Requests

SNMP / Agent / Remote Requests

Events / Network Profiles / Active-Passive

Network level IDS (Intrusion Detection System)

Monitor network traffic

No impact on the network

Host-based IDS (Intrusion Detection System)

Monitors and analyzes the internals of a computing system

Clients for every major Operating Systems

Log analysis, rootkit detection, system integrity checking and

Attempt to login using a non-existent user

Attempt to use mail server as relay (client host rejected).

Wireless Intrusion Detection System

Monitor Wireless Networks in multiple locations

Meet PCI Wireless Compliance requirements