How to implement OSSIM (SIEM Solution)


Hi Medium! Here we are again with a new article. Today we share a small tutorial in which we implement the OSSIM solution, so we will talk about:

Introduction
2.1 Work environment
2.1.1 Hardware environment
2.1.2 Software environment
2.2 Implementation and test
Conclusion

Introduction

In this chapter, we present the realization part of our platform. We begin by presenting the work environment and the tools used. The last part of this chapter will be devoted to testing the proper functioning of our solution and its hosting.

2.1 Work environment

The work environment consists of two parts: the hardware environment and the software environment.

2.1.1 Hardware environment

This project was implemented on an ESXi 6.0 server; we hosted our OSSIM machine in the following environment:

  • Server model: DELL
  • Virtual processor: 4 GB 2 vCPU
  • Virtual memory: 8 GB
  • Virtual hard disk: 90 GB

2.1.2 Software environment

+ OSSIM

OSSIM (Open Source Security Information Management) is an open-source security information and event management system, integrating a selection of tools designed to aid network administrators in computer security, intrusion detection, and prevention.
The project began in 2003 as a collaboration between Dominique Karg, Julio Casal, and later Alberto Román. In 2008 it became the basis for their company AlienVault. Following the acquisition of the Eureka project label and completion of R&D, AlienVault began selling a commercial derivative of OSSIM (‘AlienVault Unified Security Management’). [Source Wikipedia]

+ Environment (ESXi)

To implement OSSIM we need a powerful machine, so we decided to deploy it on an ESXi server.
VMware ESXi (formerly ESX) is an enterprise-class, type-1 hypervisor developed by VMware for deploying and serving virtual computers. As a type-1 hypervisor, ESXi is not installed on top of an operating system (OS); instead, it includes and integrates vital OS components, such as a kernel. [Source Wikipedia]

2.2 Implementation and test

First, we need to download the OSSIM ISO from their website LINK and then install it on our virtual machine.

In this simple installation, we will be asked to choose a language, user/password, time zone and to configure the network (IP address, gateway, domain name).

After the installation completes, we wait for our AlienVault product to start:

When it starts we are automatically redirected to this interface (also reachable over SSH). From here we configure the IP address of the OSSIM agent (web interface), choose the plugins we want to add (plugins that help detect vulnerabilities), save a backup, access the terminal (Jailbreak), reset the configuration, and configure the VPN and firewall.

After configuring the OSSIM agent, we connect through the web interface to carry out the rest of the work:

Once we are logged in, we need to scan our network to detect all the devices.

After detecting all the hosts we need to install the OSSEC agent on our endpoints and run a vulnerability scan.

This graph shows a scan report for a specific host (the report can be downloaded in different formats).

The best part of OSSIM is that we can see what happens on our network in real time once an IDS (Intrusion Detection System) is installed on our devices.

In configuration mode, we can define which attacks our OSSIM must detect, and then set alarms for those attacks.
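To make the "detect, then alarm" idea above concrete, here is an added example (written for this tutorial, not code from OSSIM, AlienVault or OSSEC) of the pipeline a SIEM applies to forwarded endpoint logs: normalize raw syslog lines into events, then correlate them with a threshold-within-window rule that fires an alarm. The sshd log lines, the host name web01, the source addresses and the rule parameters (5 failures in 60 seconds) are all constructed for the illustration; OSSIM's own plugin and directive formats are not reproduced here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article); they imitate the
# syslog lines an OSSEC agent would forward from an SSH endpoint.
SAMPLE_LOG = """\
Mar  3 10:00:01 web01 sshd[2201]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2
Mar  3 10:00:03 web01 sshd[2201]: Failed password for invalid user admin from 10.0.0.5 port 51235 ssh2
Mar  3 10:00:05 web01 sshd[2201]: Failed password for root from 10.0.0.5 port 51236 ssh2
Mar  3 10:00:07 web01 sshd[2201]: Failed password for root from 10.0.0.5 port 51237 ssh2
Mar  3 10:00:09 web01 sshd[2201]: Failed password for root from 10.0.0.5 port 51238 ssh2
Mar  3 10:01:30 web01 sshd[2300]: Accepted publickey for deploy from 10.0.0.9 port 40001 ssh2
Mar  3 10:30:00 web01 sshd[2400]: Failed password for root from 10.0.0.7 port 50001 ssh2
"""

# Normalization rule: one regex per event type, like a SIEM collector plugin.
FAILED_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_event(line, year=2024):
    """Normalize one syslog line into an event dict, or None if it is not a failed login.

    Syslog lines carry no year, so the caller supplies one (assumption for the example).
    """
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": m["user"],
            "src": m["src"], "type": "ssh_failed_login"}


def correlate(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window correlation rule.

    Raises an alarm when `threshold` failed logins from the same source
    arrive within `window`; fires once per burst so a flood does not
    produce one alarm per additional line.
    """
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    alarms = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop timestamps that aged out
            q.popleft()
        if len(q) >= threshold:
            alarms.append({"src": ev["src"], "host": ev["host"],
                           "count": len(q), "first": q[0], "last": ev["ts"]})
            q.clear()
    return alarms


def run(log_text=SAMPLE_LOG):
    """Full pipeline: raw lines -> normalized events -> alarms."""
    events = [e for e in (parse_event(l) for l in log_text.splitlines()) if e]
    return events, correlate(events)


if __name__ == "__main__":
    evts, alms = run()
    print(f"{len(evts)} failed-login events normalized")
    for a in alms:
        print(f"ALARM brute-force: {a['count']} failures from {a['src']} "
              f"against {a['host']} between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

On the constructed input, six failed-login events are normalized (the "Accepted publickey" line is ignored by the rule) and exactly one alarm fires, for the five failures from 10.0.0.5 within eight seconds; the single failure from 10.0.0.7 half an hour later stays below the threshold. Tuning `threshold` and `window` is the equivalent of adjusting a directive's priority and reliability so the alarm list stays actionable.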

Conclusion

This chapter was dedicated to presenting the various tasks carried out in this project. To accomplish our mission, we began by describing the work environment. Then we implemented the OSSIM solution and tested it.

I hope that you enjoyed this article as always; if you have something to add, don’t hesitate to write a comment ^^

Cyber Security Architect