Video Activity

How to Setup an AlienVault OSSIM System

Video Transcript

Welcome to our video on OSSIM architecture fundamentals. The objectives for this video are to go over some glossary terms, view some of OSSIM's main open source components, view a couple of different deployment architectures, look at the rationale for single versus multi-sensor deployments, and go over my lab overview. To start, you'll see the three main components of AlienVault: a server, a sensor and a logger. These can either be separate machines or all combined into one machine, also known as an all-in-one solution. A sensor can perform multiple tasks such as raw log normalization, vulnerability scanning, passive and active asset discovery, and log forwarding into the OSSIM server.

A logger is the storage component in AlienVault. Loggers can be used for extended raw log retention, which is often needed for compliance. Please note that loggers cannot be separated out from the main OSSIM server in OSSIM. This is a selling point of AlienVault's premium USM offering. The server component performs analysis and correlation on the normalized logs. This is also where analysts will connect to in order to view events and alarms, kick off vulnerability scans and perform other administrative tasks. An all-in-one solution simply combines all three pieces into one single server. Moving on to the next item. Raw logs are the un-normalized logs sent to AlienVault. Through ingesting raw logs and analyzing network traffic, OSSIM creates events. These are used for correlation and alarm generation. Alarms are triggered when certain event criteria are met. For example, a Windows failed logon may create one single event, but three of these events within 60 seconds might generate an alarm.

These alarms prompt analysts to perform further investigation. Moving on, a data source plugin is essentially a log parser. These are tied to specific services or devices such as a Palo Alto firewall and syslog. These parsers help normalize the log data. Syslog is a standardized protocol to send log and event information. As an example, we're going to learn how to send system logs from our Linux web server to our OSSIM installation over syslog via port 514. OSSIM relies on many different open source programs, but here are some of the most notable; each is worth researching individually. You can install these programs in a lab environment to learn more about them without the overhead of a SIEM installation. As an example, you may want to learn more about how to operate OpenVAS. You can simply install OpenVAS on a separate virtual machine and perform some scans. This knowledge will transfer directly into utilizing OpenVAS in an OSSIM installation. Choosing a deployment setup relies on a couple of factors.
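The two ideas just described, a data source plugin that parses raw lines into normalized events and a correlation rule that turns "N events within a window" into an alarm, are easy to see in miniature. The following is an added example written for this page; it is not OSSIM's plugin format or correlation engine, and the sshd log lines, host name and IP addresses are constructed sample data. It applies the "three failed logons within 60 seconds" rule from the video to Linux sshd failures instead of Windows events.

```python
"""Toy data-source plugin plus correlation directive, in the spirit of what an
OSSIM sensor and server do: raw syslog lines -> normalized events -> alarm when
`threshold` events of the same type from the same source fall inside `window`.
Added illustration, not OSSIM's own code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample raw lines (not captured from a real host). Three failures
# from one address inside 44 seconds, one isolated failure, one success.
RAW_LOGS = [
    "Mar  1 10:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2",
    "Mar  1 10:00:20 web01 sshd[1203]: Failed password for root from 203.0.113.9 port 51240 ssh2",
    "Mar  1 10:00:45 web01 sshd[1205]: Failed password for root from 203.0.113.9 port 51251 ssh2",
    "Mar  1 10:03:00 web01 sshd[1210]: Failed password for root from 198.51.100.4 port 40000 ssh2",
    "Mar  1 10:03:10 web01 sshd[1211]: Accepted password for deploy from 192.0.2.7 port 40100 ssh2",
]

# The "plugin": one regex that recognizes a single data source's failed-logon
# line and pulls out the fields the SIEM normalizes on.
SSHD_FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def normalize(line, year=2024):
    """Return a normalized event dict for a recognized line, else None.
    RFC 3164 syslog timestamps carry no year, so the caller supplies one."""
    m = SSHD_FAILED.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m.group("host"), "src_ip": m.group("src"),
            "user": m.group("user"), "type": "auth_failed"}


def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Sliding-window correlation: one alarm per burst of `threshold` events of
    the same type from the same source IP within `window`."""
    recent = defaultdict(deque)   # (type, src_ip) -> timestamps still in window
    alarms = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["type"], ev["src_ip"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            alarms.append({"type": ev["type"], "src_ip": ev["src_ip"],
                           "count": len(q), "first": q[0], "last": ev["ts"]})
            q.clear()   # reset so one burst raises a single alarm
    return alarms


def run(lines=RAW_LOGS):
    """Parse every line the plugin recognizes, then correlate. Returns
    (events, alarms)."""
    events = [e for e in (normalize(l) for l in lines) if e]
    return events, correlate(events)


if __name__ == "__main__":
    events, alarms = run()
    print(f"{len(events)} normalized events, {len(alarms)} alarm(s)")
    for a in alarms:
        print(a)
```

On the sample data the plugin yields four events (the successful logon is not a match for this plugin) and the directive raises exactly one alarm, for 203.0.113.9; the lone failure from 198.51.100.4 stays an event and nothing more, which is the point of correlating before alerting.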

Firstly, if you need a network intrusion detection system at a remote branch, you're going to want a sensor on site with Suricata running. You also might want more than one sensor to help manage the load on the main OSSIM server. If you have a large corporate environment that is generating too many logs for your server to process, you can set up another sensor or two and have them take a bit of load off the server. Another factor to consider is OpenVAS. OpenVAS vulnerability scans can be performed through a specific sensor. This can help keep scans local to the target in question, which helps reduce bandwidth and connectivity limitations on more unreliable networks. Regarding a lab setup, you only need to have a single sensor.

However, in this course we're going to learn how to set up both a server and a sensor individually. This will help you learn to scale your lab as needed. Here is a pretty simplified example of a single sensor deployment. In this scenario, we have a network intrusion detection system monitoring the mirror port of an internal network. We have complete visibility into our internal network with only a single sensor. Making this scenario a bit more complicated, we can see a basic layout of a multi-sensor deployment. In this deployment, both the NA and EU sensors are collecting log information from their respective branches.

Additionally, they're tied into the switch, providing network intrusion detection visibility for each site. Note that the server is not marked inside a specific branch. The server can actually reside in either the NA or EU branch. In this scenario, assuming that proper routing is in place, it doesn't matter where the servers and sensors are located. This can potentially provide quite a bit of flexibility as you're planning a deployment. Moving on to my lab setup, you can see the basic overview of what we'll be installing and configuring. While planning your own lab setup, I'd recommend documenting something similar. To start, we'll install an OSSIM server and sensor. I'll start from the very first initial step and not assume any prior knowledge.

So if you have never installed Linux before, you'll be able to follow along just fine. Once installation is finished, we will perform further configuration on our OSSIM virtual machines. This will allow the two to communicate with each other properly. Our next step will be installing our Linux web server, which will include a LAMP stack and OpenSSH server. Next, we'll be importing and updating our Kali Linux VirtualBox image. Once that is completed, we'll have all our machines ready to go. Pushing forward, we can finish configuring our OSSIM installation. In our last step, we will be learning how to forward logs over syslog from our Linux server.

We'll do this by sending all our locally generated logs from our Linux web server to our OSSIM installation. By the end of this course, you will have a fully functional AlienVault OSSIM lab setup. This can be a great environment to learn other skills such as penetration testing or writing IDS rules. Before we dig into our lab creation, I do want to mention that AlienVault has some wonderful documentation. While much of this is geared toward their paid offering, these documents can be a valuable resource as you go through this course or want to do something more complex afterwards. Now that you have some theory behind SIEMs and OSSIM in particular, we can start getting our lab ready.
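The last step the video describes, forwarding the Linux web server's logs to OSSIM over syslog on port 514, is in practice one rsyslog line, but it helps to see what actually crosses the wire. The following is an added example, not code from the course, from OSSIM or from rsyslog: it builds an RFC 3164 syslog datagram the way a forwarder does and sends it over UDP. So that it runs offline without root, `loopback_demo()` stands up a local UDP listener on an ephemeral port as a stand-in for the OSSIM sensor; the host name, tag and message text are constructed sample values, and `send_syslog()` takes the sensor address and port as parameters.

```python
"""Minimal RFC 3164 syslog sender and receiver-side PRI parser, showing what the
course's "forward logs over syslog on port 514" step transmits. Added example,
not the course's or rsyslog's code."""
import socket
from datetime import datetime

# RFC 3164 facility and severity codes (subset). PRI = facility * 8 + severity.
FACILITY = {"kern": 0, "user": 1, "auth": 4, "syslog": 5, "authpriv": 10, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def build_message(facility, severity, hostname, tag, msg, when=None):
    """Return '<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG'. The day is space-padded
    to two characters, as RFC 3164 requires, and the timestamp has no year."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    when = when or datetime.now()
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{ts} {hostname} {tag}: {msg}"


def parse_pri(datagram):
    """Receiver side: split the PRI back into (facility, severity, rest), which is
    the first thing a syslog collector does before handing the line to a parser."""
    if not datagram.startswith("<") or ">" not in datagram:
        raise ValueError("not an RFC 3164 datagram: missing <PRI>")
    end = datagram.index(">")
    pri = int(datagram[1:end])
    return pri // 8, pri % 8, datagram[end + 1:]


def send_syslog(host, port, datagram):
    """Send one datagram over UDP; for a real deployment `host` is the OSSIM
    sensor address and `port` is 514."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram.encode("utf-8"), (host, port))


def loopback_demo():
    """Bind a local UDP listener (stand-in for the OSSIM sensor), forward one
    constructed auth-failure message to it and return the parsed result."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))   # ephemeral port: no root needed, unlike 514
        listener.settimeout(2)
        port = listener.getsockname()[1]
        msg = build_message("auth", "warning", "web01", "sshd[1201]",
                            "Failed password for root from 203.0.113.9 port 51240 ssh2",
                            when=datetime(2024, 3, 1, 10, 0, 20))
        send_syslog("127.0.0.1", port, msg)
        data, _ = listener.recvfrom(2048)
    return parse_pri(data.decode("utf-8"))


if __name__ == "__main__":
    facility, severity, rest = loopback_demo()
    print(f"facility={facility} severity={severity} :: {rest}")
```

In the lab the equivalent of `send_syslog()` is rsyslog's legacy forwarding rule (`*.* @SENSOR_IP:514` for UDP, `@@` for TCP) in a file under `/etc/rsyslog.d/`, with `SENSOR_IP` replaced by your OSSIM sensor's address; that syntax is standard rsyslog, not something taken from the video. Two things the example makes visible that the config line hides: UDP delivery is fire-and-forget, so a dropped datagram is a silently missing event, and the timestamp carries no year, which is why the collector has to supply one when it normalizes the line.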

Course link:
AlienVault OSSIM
This course will use AlienVault OSSIM to showcase a Security Information and Event Management (SIEM) system. A SIEM is used to aggregate logs from all sources in a network, analyze the logs through a correlation engine, and generate alarms on malicious indicators and activity.
Instructed by
Anthony Isherwood