This lesson covers: 1. The glossary:
- Server: runs the correlation engine and the web interface; an analyst logs on here to view events and alarms.
- Sensor: collects logs and performs tasks such as vulnerability scanning, intrusion detection and asset discovery.
- Logger: the storage component of AlienVault.
- All-in-one solution: combines the three OSSIM components (server, sensor and logger) on a single machine.
- Raw logs: the unnormalized logs that AlienVault parses to create events.
- Alarms: raised when correlated events match a pattern (a directive); they prompt an analyst to take action.
- Data source/Plugin: a log parser tied to a specific type of device, such as a Palo Alto firewall.
- Syslog: a standardized protocol for sending log messages over the network.
- OSSIM's open source components:
- PRADS: passive asset discovery
- NMAP: active asset discovery
- OpenVAS: vulnerability scanner
- Suricata: NIDS
- Nagios: network monitoring
- OSSEC: HIDS
- Deployment architecture: there are two options.
- Single sensor: suited to low-traffic environments. Some environments, such as a lab set-up, only need a single sensor.
- Multiple sensors: better suited to high-traffic environments.
- Single vs. multi-sensor deployments: multi-sensor systems provide more flexibility when planning the deployment.
- Lab overview: in this section of the course, participants receive step-by-step instructions for installing and configuring:
- OSSIM Sensor
- OSSIM Server
- Linux Web Server
- Kali Machine
As this course assumes no prior knowledge, participants should be able to follow along without difficulty: the instructor breaks the process down and gives basic, from-the-ground-up, step-by-step instructions. Upon completion of this course, participants will have a fully functional AlienVault OSSIM set-up. This provides a good environment for learning other skills, such as penetration testing or writing IDS rules.
This course uses AlienVault OSSIM to showcase a Security Information and Event Management (SIEM) system. A SIEM aggregates logs from all sources in a network, analyzes them through a correlation engine, and generates alarms on indicators of malicious activity.
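The pipeline described above (raw syslog lines, a plugin that normalizes them into events, and a correlation directive that turns a burst of events into an alarm) is easier to grasp in miniature. The following is an added example written for this page; it is not OSSIM's own code and does not use OSSIM's plugin file format. The log lines are constructed for the example, as are the rule names and the "three failed SSH logins from one source within a time window" directive.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: BSD-style syslog lines as a Linux web server's sshd
# and cron might emit them. Made up for this example, not captured traffic.
SAMPLE_LOGS = """\
Jan 12 10:15:01 webserver sshd[2041]: Failed password for invalid user admin from 192.0.2.10 port 51122 ssh2
Jan 12 10:15:03 webserver sshd[2041]: Failed password for invalid user admin from 192.0.2.10 port 51123 ssh2
Jan 12 10:15:04 webserver sshd[2044]: Accepted password for alice from 198.51.100.7 port 40000 ssh2
Jan 12 10:15:06 webserver sshd[2045]: Failed password for root from 192.0.2.10 port 51124 ssh2
Jan 12 10:17:30 webserver sshd[2050]: Failed password for root from 203.0.113.5 port 60001 ssh2
Jan 12 10:19:00 webserver sshd[2051]: Failed password for root from 203.0.113.5 port 60002 ssh2
Jan 12 10:20:45 webserver sshd[2052]: Failed password for root from 203.0.113.5 port 60003 ssh2
Jan 12 10:21:00 webserver cron[900]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Syslog header: "<Mon DD HH:MM:SS> <host> <program>[pid]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w\-/]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# A toy "plugin" for sshd: each rule maps a message pattern to a hypothetical
# plugin_sid and event name (assumed values, not OSSIM's real identifiers).
SSHD_PLUGIN_RULES = [
    (re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) "
                r"from (?P<src_ip>\S+) port (?P<src_port>\d+)"), 1, "ssh_failed_login"),
    (re.compile(r"Accepted password for (?P<user>\S+) "
                r"from (?P<src_ip>\S+) port (?P<src_port>\d+)"), 2, "ssh_accepted_login"),
]

def parse_syslog(line, year=2024):
    """Split one raw syslog line into its header fields. BSD syslog carries no
    year, so one is assumed (2024 here). Returns None for unparseable lines."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"timestamp": ts, "host": m["host"], "program": m["prog"], "message": m["msg"]}

def normalize(raw):
    """Apply the sshd plugin rules to a parsed line and return a normalized
    event, or None if no rule matches (the line is kept only as a raw log)."""
    if raw["program"] != "sshd":
        return None
    for rx, sid, name in SSHD_PLUGIN_RULES:
        m = rx.search(raw["message"])
        if m:
            return {"plugin_sid": sid, "name": name, "timestamp": raw["timestamp"],
                    "host": raw["host"], "user": m["user"],
                    "src_ip": m["src_ip"], "src_port": int(m["src_port"])}
    return None

def correlate(events, threshold=3, window_seconds=120):
    """Directive: `threshold` failed SSH logins from one source inside a sliding
    window of `window_seconds` raise one alarm; the window then resets so a
    sustained brute force yields one alarm per burst rather than per event."""
    alarms = []
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if ev["name"] != "ssh_failed_login":
            continue
        cutoff = ev["timestamp"] - timedelta(seconds=window_seconds)
        # Keep only the events still inside the window, then add the new one.
        recent = [e for e in by_src[ev["src_ip"]] if e["timestamp"] >= cutoff]
        recent.append(ev)
        if len(recent) >= threshold:
            alarms.append({"directive": "SSH brute force attempt",
                           "src_ip": ev["src_ip"], "host": ev["host"],
                           "count": len(recent),
                           "first_seen": recent[0]["timestamp"],
                           "last_seen": ev["timestamp"]})
            recent = []
        by_src[ev["src_ip"]] = recent
    return alarms

def run_pipeline(text, threshold=3, window_seconds=120):
    """Raw logs -> parsed lines -> normalized events -> alarms."""
    raws = [r for r in (parse_syslog(l) for l in text.splitlines()) if r]
    events = [e for e in (normalize(r) for r in raws) if e]
    return events, correlate(events, threshold, window_seconds)

if __name__ == "__main__":
    events, alarms = run_pipeline(SAMPLE_LOGS)
    print(f"{len(events)} events normalized, {len(alarms)} alarm(s):")
    for a in alarms:
        print(f"  {a['directive']} from {a['src_ip']} ({a['count']} failures, "
              f"{a['first_seen'].time()} to {a['last_seen'].time()})")
```

With the default 120-second window only 192.0.2.10 raises an alarm: 203.0.113.5 also fails three times, but its attempts are spread over 195 seconds, so its oldest event has aged out of the window by the third attempt. Widening the window to 300 seconds catches the slower attacker as well, which is the trade-off an analyst tunes when writing a directive: a short window misses low-and-slow activity, a long one produces more false alarms.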