Time
1 hour 18 minutes
Difficulty
Beginner
CEU/CPE
2

Video Description

This lesson covers:

1. The glossary:
   1. Server: allows an analyst to log on so they can view events and alarms.
   2. Sensor: able to perform many tasks such as vulnerability scanning.
   3. Logger: the storage component of AlienVault.
   4. All-in-one solution: combines the three components of OSSIM (server, sensor and logger) into one machine.
   5. Raw logs: the unnormalized logs that AlienVault ingests to create events.
   6. Events
   7. Alarms: prompt an analyst to take action if a trend is detected.
   8. Data source/Plugin: a log parser tied to specific devices such as a Palo Alto firewall.
   9. Syslog: a standardized protocol to send log and data information.
2. OSSIM's open source components:
   1. PRADS: passive asset discovery
   2. NMAP: active asset discovery
   3. OpenVAS: vulnerability scanner
   4. Suricata: NIDS
   5. Nagios: network monitoring
   6. OSSEC: HIDS
3. Deployment architecture: consists of two options.
   1. Single sensor: good for low-traffic needs. Some environments, such as a lab setup, only need a single sensor.
   2. Multiple sensors: better for high-traffic needs.
4. Single vs. multi-sensor deployments: multi-sensor systems provide more flexibility during the deployment preparation process.
5. Lab overview: in this section of the course, participants will receive step-by-step instructions for the installation and configuration of:
   1. OSSIM Sensor
   2. OSSIM Server
   3. Linux Web Server
   4. Kali Machine
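
As an added illustration of the raw logs, events and alarms pipeline described in the glossary (this is example code written for this page, not code from the course or from AlienVault): a toy "data source plugin" normalizes constructed sshd syslog lines into events, and a correlation rule mirrors the video's example of three failed logons within 60 seconds raising an alarm. The log lines, field names, event names and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample raw syslog lines (not real OSSIM output): sshd activity on a web server.
RAW_LOGS = """\
Mar 10 12:00:01 web01 sshd[2101]: Failed password for invalid user admin from 10.0.0.5 port 51000 ssh2
Mar 10 12:00:20 web01 sshd[2103]: Failed password for root from 10.0.0.5 port 51002 ssh2
Mar 10 12:00:45 web01 sshd[2105]: Failed password for root from 10.0.0.5 port 51004 ssh2
Mar 10 12:00:50 web01 sshd[2106]: Accepted publickey for deploy from 10.0.0.9 port 51010 ssh2
Mar 10 12:05:00 web01 sshd[2110]: Failed password for root from 10.0.0.7 port 52000 ssh2
"""

# A minimal "data source plugin": one regex that turns a raw line into a normalized event.
PLUGIN = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def normalize(raw, year=2024):
    """Parse raw lines into event dicts; lines the plugin does not recognise are dropped."""
    events = []
    for line in raw.splitlines():
        m = PLUGIN.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        name = "ssh_auth_failure" if m["result"].startswith("Failed") else "ssh_auth_success"
        events.append({"ts": ts, "host": m["host"], "src": m["src"], "user": m["user"], "name": name})
    return events

def correlate(events, event_name="ssh_auth_failure", threshold=3, window=60):
    """Sliding-window rule: `threshold` events of one type from the same source
    within `window` seconds raise one alarm (the video's 3-in-60-seconds example)."""
    recent = defaultdict(deque)  # source address -> timestamps inside the window
    alarms = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["name"] != event_name:
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= threshold:
            alarms.append({"src": ev["src"], "count": len(q), "last_seen": ev["ts"]})
            q.clear()  # reset so one burst raises a single alarm
    return alarms
```

With the sample above, only 10.0.0.5 crosses the threshold; the single failure from 10.0.0.7 and the successful login from 10.0.0.9 produce events but no alarm.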

As this course assumes no prior knowledge, participants should be able to follow along without any comprehension issues, as the instructor breaks down the process and offers basic, from-the-ground-up, step-by-step instructions. Upon completion of this course, participants will have a fully functional AlienVault OSSIM setup. This offers a great environment to learn other skills such as penetration testing or writing IDS rules.

Video Transcription

00:05
Welcome to our video on OSSIM architecture fundamentals.
00:11
The objectives for this video are to go over some glossary terms,
00:15
view some of OSSIM's main open source components,
00:19
view a couple of different deployment architectures,
00:22
look at the rationale for single versus multi-sensor deployments,
00:26
and we're gonna go over my lab overview.
00:31
To start, you'll see the three main components of AlienVault:
00:35
a server, a sensor and a logger.
00:38
These can either be separate machines or all combined into one machine,
00:42
also known as an all-in-one solution.
00:46
A sensor can perform multiple tasks such as raw log normalization, vulnerability scanning,
00:52
passive and active asset discovery,
00:54
and log forwarding to the OSSIM server.
00:59
A logger serves as the storage component in AlienVault.
01:02
Loggers can be used for extended raw log retention, which is often needed for compliance.
01:07
Please note that loggers cannot be separated out from the main OSSIM server
01:11
in OSSIM.
01:14
This is a selling point of AlienVault's premium USM offering.
01:19
The server component performs analysis and correlation on the normalized logs.
01:23
This is also where analysts will connect to in order to view events and alarms, kick off vulnerability scans and perform other administrative tasks.
01:34
An all-in-one solution simply combines all three pieces into one single server.
01:42
Moving on to the next item. Raw logs are the unnormalized logs sent to AlienVault.
01:48
Through ingesting raw logs and analyzing network traffic, OSSIM creates events.
01:53
These are used for correlation and alarm generation.
02:00
Alarms are triggered when certain event criteria are met.
02:02
For example, a Windows failed logon may create one single event,
02:08
but three of these events within 60 seconds might generate an alarm.
02:13
These alarms prompt analysts to perform further investigation.
02:20
Moving on.
02:21
A data source plugin is essentially a log parser.
02:24
These are tied to specific services or devices such as a Palo Alto firewall
02:30
and syslog.
02:31
These parsers help normalize the log data.
02:37
Syslog is a standardized protocol to send log and event information.
02:42
As an example, we're going to learn how to send system logs from a Linux web server to our OSSIM installation over syslog via port 514.
02:53
OSSIM relies on many different open source programs, but here are some of the most notable.
03:00
Each is worth researching into individually.
03:04
You could install these programs in a lab environment to learn more about them without having the overhead of a SIEM installation.
03:10
As an example, you may want to learn more about how to operate OpenVAS.
03:15
You can simply install OpenVAS on a separate virtual machine and perform some scans. This knowledge will transfer directly into utilizing OpenVAS in an OSSIM installation.
03:29
Choosing a deployment setup relies on a couple of factors.
03:32
Firstly, if you need a network intrusion detection system at a remote branch, you're going to want a sensor on site with Suricata running.
03:40
You also might want more than one sensor to help manage the load on the main OSSIM server.
03:46
If you have a large corporate environment that is generating too many logs for your server to process, you can set up another sensor or two and have it take a bit of load off the server.
03:58
Another factor to consider is OpenVAS.
04:00
OpenVAS vulnerability scans can be performed through a specific sensor.
04:05
This can help keep scans local to the target in question,
04:09
which helps reduce bandwidth and connectivity limitations on more unreliable networks.
04:16
Regarding a lab setup, you only need to have a single sensor.
04:20
However, in this course we're going to learn how to set up both a server and a sensor individually.
04:27
This will help you learn to scale your lab as needed.
04:31
Here is a pretty simplified example of a single sensor deployment.
04:36
In this scenario, we have a network intrusion detection system monitoring the mirror port of an internal network.
04:45
We have complete visibility into our internal network with only a single sensor.
04:49
Making this scenario a bit more complicated, we can see a basic layout of a multi-sensor deployment.
04:57
In this deployment, both the NA and EU sensors are collecting log information from their respective branches.
05:03
Additionally, they're tied into the switches, providing network intrusion detection visibility for each site.
05:11
Note that the server is not marked inside a specific branch.
05:15
The server can actually reside in either the NA or EU branch. In this scenario, assuming that proper routing is in place, it doesn't matter where the servers and sensors are located.
05:26
This can potentially provide quite a bit of flexibility as you're planning a deployment.
05:32
Moving on to my lab setup, you can see the basic overview of what we'll be installing and configuring.
05:40
While planning your own lab setup, I'd recommend documenting something similar.
05:46
To start, we'll install an OSSIM server and sensor.
05:49
I'll start from the very first initial step and not assume any prior knowledge.
05:56
So if you have never installed Linux before, you'll be able to follow along just fine.
06:00
Once installation is finished, we will perform further configuration on our OSSIM virtual machines.
06:08
This will allow the two to communicate with each other properly.
06:12
Our next step will be installing our Linux web server, which will include a LAMP stack and OpenSSH server.
06:18
Next, we'll be importing and updating our Kali VirtualBox image.
06:24
Once that is completed, we'll have all our machines ready to go.
06:28
Pushing forward, we can finish configuring our OSSIM installation.
06:32
In our last step, we will be learning how to forward logs over syslog from a Linux server.
06:38
We'll do this by sending all our locally generated logs from our Linux web server to our OSSIM installation.
06:46
By the end of this course, you will have a fully functional AlienVault OSSIM lab setup.
06:51
This could be a great environment to learn other skills such as penetration testing or writing IDS rules.
07:01
Before we dig into our lab creation, I do want to mention that AlienVault has some wonderful documentation.
07:09
While much of this is geared toward their paid offering, these documents can be a valuable resource as you go through this course or want to do something more complex afterwards.
07:19
Now that you have some theory behind SIEMs and OSSIM in particular, we can start getting our lab ready.

Up Next

AlienVault OSSIM

This course will use AlienVault OSSIM to showcase a Security Information and Event Management (SIEM) system. A SIEM is used to aggregate logs from all sources in a network, analyze the logs through a correlation engine, and generate alarms on malicious indicators and activity.

Instructed By

Anthony Isherwood
Instructor