December 15, 2008 12:00 AM

Analyze Network Events with OSSIM Toolset

Open-source security solution lets you define rules for determining security events
Windows IT Pro
InstantDoc ID #99992

It’s nearly impossible to keep track of every event that occurs on a network, much less determine whether each event is a security risk or not. But this tool can help: the comprehensive Security Information Management (SIM) application called Open Source Security Information Management (OSSIM). It provides both active and passive information-gathering capabilities to help you get a security-focused view of your network.

OSSIM is certainly not alone in the SIM field, but as an open-source framework, it provides a very powerful, scalable, and inexpensive solution that can analyze events from various sources (e.g., network scanning and asset information) and determine whether a security event has occurred. I’d like to show you OSSIM, run through a test installation, and discuss the first few steps you should take after installation. You’ll learn about defining network and host policies, running a manual scan against a host, and configuring an automatic network probe.

OSSIM Revealed

OSSIM is actually many tools combined into a single application (see Table 1 [PDF] for a list of specific tools). OSSIM’s main components are a database, a correlation- and risk-assessment engine, collectors, sensors, a control daemon, and a web-based front end. The database stores all of the events OSSIM detects on the network, whether the event is found via passive or active scanning. The correlation- and risk-assessment engine is what helps to set OSSIM apart from other open-source security management solutions, as it provides a way to define rules for determining when a security incident has occurred. Collectors provide the capability to aggregate log information from Linux, UNIX, and Windows hosts as well as from applications and network devices, while sensors actively probe hosts and networks with tools such as the Nessus security scanner. The control daemon ties this process together, including providing the capability to control many of these tools in the background. Finally, the web interface provides administrators with a way to both configure OSSIM and to view reports and security incidents detected by the application.

OSSIM can be installed on a single host, but in larger deployments it can be split into each of the components mentioned above. Furthermore, collectors and sensors can be distributed across an entire network, letting you scale this important activity and also locate OSSIM components geographically closer to monitored devices.

Installing OSSIM

Because OSSIM includes so many components, it used to be tedious to install. However, OSSIM is now available as an ISO image preloaded on an instance of Linux so that you can easily take it out for a test run. To try it, download the ISO image from the OSSIM download page. You can install OSSIM on a hardware server or as a Virtual Machine (VM) under VMware, Microsoft Virtual PC, or Xen. Regardless of whether you choose a hardware server or a VM, you need to boot from the ISO, follow the on-screen instructions (for supplying the OSSIM server’s IP, DNS, gateway, and other related settings), then perform a final reboot.

Accessing the UI

After you install and boot OSSIM, you should be able to access the web interface for initial configuration. Point a browser at the IP address you assigned to the OSSIM server during installation and you should see a logon screen. When installed from the ISO, OSSIM has a default administrative account with the username “admin” and the password “admin.” Log on using these credentials to start configuration.

At this point, you should see the Executive Panel, which provides a dashboard-like view highlighting key information about your network, such as the most recent and common security events. The dashboard is configurable, and you can update or replace the elements of this page later after you’re more comfortable with OSSIM and after OSSIM has started to collect useful information about your network.

Feel free to click all of the menu items to get used to navigating OSSIM. Unfortunately, OSSIM can be unwieldy because of the many features it provides, and it’s not unusual to be a little bewildered at first. That’s okay, because we walk through an initial OSSIM configuration next.

Configuring OSSIM

Now that you’ve clicked around within OSSIM, it’s time to provide the initial configuration so you can get some useful data. Let’s walk through how to define the policies that drive OSSIM’s actions, inventory example servers on your network, and configure networks and individual hosts. Then, I’ll show you how to initiate a manual security scan against one of those servers and schedule automatic scans to alert you of new problems.

Policies in OSSIM are groups of settings that drive OSSIM’s behavior. Essentially, policies are configuration parameters specifying networks, hosts, alert types, scanning actions, and more. Like much of OSSIM, policies can be rather confusing, especially because of the sheer quantity available. Because of this, I simply focus on the minimum number of policies that need to be defined so that you can start using OSSIM. Later on, you can begin experimenting with policies to see all of the capabilities that OSSIM actually provides.

Defining Your Network

The first configuration step is to specify every network you own. OSSIM contains many tools that can passively detect hosts (e.g., p0f, which detects OSs being used on a network), but it won’t store all the information it detects about these systems unless the host’s network is defined. This makes sense: You don’t want your OSSIM database trying to store information about every network it detects. In addition, when defining a network, you can define which OSSIM sensors should be assigned to that network, which allows you to allocate sensors by capacity or geography as needed. You define your initial OSSIM-monitored network by following the steps below:

  1. Click Policy, Networks.
  2. Click Insert new network.
  3. For Name, choose a name for your network, such as LAN.
  4. Enter the network range, such as 192.168.222.0/24.
  5. Leave Threshold C and Threshold A at their defaults.
  6. Choose Default for the RRD Profile.
  7. Choose 192.168.222.99 (ossim) as your Sensor.
  8. Leave all the other options alone.
  9. Click OK.
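As an added illustration (not part of the original article and not OSSIM’s own code), the following Python models the rule described above: a passively detected host is stored only when it falls inside a defined network, and the network’s assigned sensor is attached to each stored record. The network policy and the p0f-style observations are constructed to match the example values in the steps.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NetworkPolicy:
    """One entry from Policy > Networks: name, CIDR range, assigned sensor."""
    name: str
    cidr: str
    sensor: str


# Constructed policy, mirroring the LAN example from the steps above.
NETWORKS = [
    NetworkPolicy("LAN", "192.168.222.0/24", "192.168.222.99 (ossim)"),
]

# Constructed passive observations in the style of p0f output: (host, OS guess).
OBSERVATIONS = [
    ("192.168.222.10", "Windows XP SP2"),
    ("192.168.222.57", "Linux 2.6"),
    ("10.9.8.7", "FreeBSD 6.x"),   # outside every defined network: dropped
    ("not-an-ip", "unknown"),      # malformed line: skipped, not stored
]


def match_network(host, networks=NETWORKS):
    """Return the NetworkPolicy whose range contains host, or None."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    for net in networks:
        if addr in ipaddress.ip_network(net.cidr, strict=False):
            return net
    return None


def triage(observations=OBSERVATIONS, networks=NETWORKS):
    """Split observations into (stored records, dropped hosts)."""
    stored, dropped = [], []
    for host, os_guess in observations:
        net = match_network(host, networks)
        if net is None:
            dropped.append(host)
        else:
            stored.append({"host": host, "os": os_guess,
                           "network": net.name, "sensor": net.sensor})
    return stored, dropped
```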
