Because every network environment is different, OSSIM offers flexibile configuration options to adapt to the needs of different environments. Whether you are just getting started with OSSIM, or have been using it for years, thinking through the configuration options availble will help you get the most out of your installation. Join us for this customer training webcast where our OSSIM experts will walk through: How to deploy & configure OSSEC agents Best practices for configuring syslog and enabling plugins Scanning your network for assets and vulnerabilities

1. Title

2. Introductions
Mark Allen
Technical Sales Engineer
Garrett Gross
Sr. Technical PMM

3. Resources for OSSIM Users
AlienVault Forums:
https://www.alienvault.com/forums/discussions/tagged/ossim
LinkedIn Group: https://www.linkedin.com/groupInvitation?gid=3793
USM & OSSIM On-Demand Training Archives:
https://www.alienvault.com/product-training
AlienVault Blog – Analysis from the AlienVault Labs research team, practical
tips to secure your environment & industry trends

4. Agenda
How to deploy & configure OSSEC agents
Best practices for configuring syslog and
enabling plugins
Scanning your network for assets and
vulnerabilities

5. Lets get started!

6. Host IDS Configuration

7. OSSIM comes with OSSEC host-based IDS, which
provides:
• Log monitoring and collection
• Rootkit detection
• File integrity checking
• Windows registry integrity checking
• Active response
OSSEC uses authenticated server/agent architecture.
Host IDS
OSSIM Sensor
OSSEC Server
Servers
OSSEC Agent
OSSIM Server
UDP 1514
Normalized events

8. Deploying HIDS
1. Add an agent in OSSIM
2. Deploy HIDS agent to the target system.
3. Optionally change configuration file on the agent.
4. Verify HIDS operations.

9. Add an
agent.
Save agent.
Specify name
and IP address.
Add Agent in OSSIM
Required task for
all operating
systems
Can also be
added through the
manage_agents
script
Environment > Detection > HIDS > Agents

10. Specify domain, username and
password of the target system.
Download preconfigured
agent for Windows.
Automatic deployment
for Windows.
Extract key.
Deploy HIDS Agent to Target System
Automated
deployment for
Windows
machines
Manual
installation for
other OS
Key extraction
is required for
manual
installation

11. Configuration
file.
Log
file.
Change Configuration File on Agent
OSSEC
configuration is
controlled by a
text file.
Agent needs to
be restarted after
configuration
changes.
Log file is
available for
troubleshooting.

12. Agent status
should be active.
Verify HIDS Operations
Displays overview of
OSSEC events and
agent information
Environment > Detection > HIDS > Overview

13. OSSEC events.
Verify HIDS Operations (Cont.)
Verify if OSSEC events
are displayed in the
SIEM console.
Utilize search filter to
display only events
from OSSEC data
source.
Analysis > Security Events (SIEM) > SIEM

14. Verify HIDS Operations (Cont.)
Environment > Detection > HIDS > Agents > Agent Control
Verify registry
integrity.
Verify presence
of rootkits.
Verify file
integrity.

15. Syslog & Plugins

16. Syslog Forwarding
Syslog configuration will vary based on
source device/application but, usually,
the necessary parameters are:
• Destination IP
• Source IP
• Port (default is UDP 514)

17. Enabling Plugins
Enable plugin at the
asset level
General > Plugins > Edit
Plugins
Green light under
“Receiving Data” will
confirm successful log
collection

18. Vulnerability Assessment

19. Vulnerability Assessment
Uses a built-in OpenVAS scanner
Detects vulnerabilities in assets
• Vulnerabilities are correlated with
events‘ cross-correlation rules
• Useful for compliance reports and
auditing
Managed from the central SIEM
console:
• Running and scheduling
vulnerability scans
• Examining reports
• Updating vulnerability signatures

20. Advanced Options
Vulnerability assessment can be:
• Authenticated (SSH and SMB)
• Unauthenticated
Predefined profiles can be selected:
• Non destructive full and slow scan
• Non destructive full and fast scan
• Full and fast scan including destructive tests
Custom profiles can be created.

21. Vulnerability Assessment Config
1. (Optionally) tune global vulnerability assessment settings.
2. (Optionally) create a set of credentials.
3. (Optionally) create a scanning profile.
4. Create a vulnerability scan job.
5. Examine scanning results.
6. Optionally create a vulnerability or compliance report.

22. Update
configuration.
Select vulnerability
ticket threshold.
Tune Global Vulnerability Assessment Settings
The vulnerability
assessment
system opens a
ticket for found
vulnerabilities.
Start with a high
threshold and fix
important
vulnerabilities first.
Configuration > Administration > Main

23. Specify login
username.
Specify credential
set name.
Select
authentication type.
Click settings.
Create Set of Credentials
Used to log into a
machine for
authenticated scan
Supports the
DOMAIN/USER
username
Environment > Vulnerabilities > Overview

24. Examine 3 default
profiles.
Enable/disable
plugin family.
Create a
new profle.
Edit profiles.
Create Scanning Profile
Enable profiles that
apply to assets you
are scanning.
Environment > Vulnerabilities > Overview

25. Create a new
scan job.
Import Nessus
scan report.
Select schedule
method.
Specify scan
job name.
Select profile.
Select server.
Select assets.
Select credential set for
authenticated scan.
Save job.
Create Vulnerability Scan Job
Environment > Vulnerabilities > Scan Jobs

26. Examine vulnerability
statistics.
View vulnerability
report for all assets.
Examine reports for
all scan jobs.
Examine Vulnerabilities Results
Environment > Vulnerabilities > Overview

27. OSSIM vs. USM

28. How is USM different?
Correlation Directives: Over 2,000 built-in correlation directives developed by the
AlienVault Labs Threat Research Team, and updated weekly
Reporting: 150+ Customizable Reports, including compliance-specific reports
Log Management: Robust Log Management, Log Search & Long-Term Log
Retention
Professional Support via phone & email as well as customer support portal
And more…view comparison chart here:
https://www.alienvault.com/products/compare-ossim-to-alienvault-usm
“I started out with OSSIM and I didn’t fully realize how much value I would get out of USM until I started using it.
The reporting is awesome, it’s been a big benefit for me. And, having a fully supported solution means I can get
answers to my questions much more quickly than before.”
– Matthew Frederickson, Director of Information Technology, Council Rock School District

29. USM + Free Installation Services
http://www.alienvault.com/marketing/smb-bundles

30. 888.613.6023
ALIENVAULT.COM
CONTACT US
HELLO@ALIENVAULT.COM
Now for some Q&A
Resources for OSSIM Users
OSSIM vs. USM Comparison Chart
https://www.alienvault.com/products/compare-ossim-to-alienvault-usm
AlienVault Forum
https://www.alienvault.com/forums/discussions/tagged/ossim
LinkedIn Group
https://www.linkedin.com/groupInvitation?gid=3793
Subscribe to the AlienVault Blog
https://www.alienvault.com/blogs
Hands-on 5-day Training Classes, in-person or “Live on-line”
https://www.alienvault.com/support/classroom-training