Time: 1 hour 18 minutes
Difficulty: Beginner
CEU/CPE: 2

Video Transcription

00:00
In this video we will complete our OSSIM server configuration.
00:06
To start, we need to power on all of our VMs.
00:26
This might take a little bit of time depending on your system.
00:38
A headless start starts the server without user interaction.
01:30
To access the web interface, we will be using our Kali machine.
02:00
Remember, the default user and password is root and tor (T-o-r).
02:14
Now that we have all our VMs started, we can start working on our Kali box.
02:17
To start, we can ping our servers to make sure we have connectivity.
02:27
That is our SIEM server,
02:31
this is our OSSIM sensor,
02:37
and that's our web server.
02:44
Open Firefox
02:53
and navigate to our OSSIM server.
03:01
You might be prompted with a security exception because there's no certificate, but you can just accept and bypass that.
03:08
Enter our full name,
03:12
password,
03:15
and email.
03:22
Given that there's no Internet access, it really doesn't matter, because it's not going to be sending any data to AlienVault.
03:37
Log in with the credentials we just created.
03:46
AlienVault OSSIM has a getting-started wizard.
03:59
For the server, we only have one interface. It is our management interface, so there's nothing to do here.
04:05
Asset discovery.
04:09
This is our gateway.
04:12
.102 will be our Kali machine.
04:15
We know this is a Linux device.
04:17
We know this is a Linux device.
04:20
I also manually added an asset.
04:36
Hit Next.
04:46
At this point, we have to enter our credentials for the servers.
04:55
If you have a different set of credentials, you have to do them separately.
05:00
I use the same username and password for both my server and sensor.
05:05
This deploys a Linux HIDS agent,
05:09
which can detect security events
05:11
locally on a machine and send them back to AlienVault.
05:43
Once that's complete, we can hit Next.
05:53
We're skipping this step.
05:57
Ordinarily, if you're installing this in any kind of production environment or real use case, you're going to want to sign up for OTX.
06:03
OTX is AlienVault's Open Threat Exchange.
06:06
It's a community resource
06:10
where multiple vendors and community members post IOCs that AlienVault will actively scan for.
06:19
Since this is a lab environment and we don't have Internet access, we're going to skip this step
06:28
and we're going to hit Finish,
06:36
then Explore AlienVault OSSIM.
06:50
Welcome to the AlienVault OSSIM web interface.
06:54
If you're an analyst, this is where you do most of your work.
06:58
But for now, we have some more administrative tasks to do.
07:00
We head over to Configuration,
07:02
go to Deployment,
07:09
Sensors.
07:14
We're going to insert our OSSIM sensor,
07:21
entering that sensor's password.
07:26
Keep in mind, if this is different on the system you're on, you're going to enter the password of the sensor and not the server.
07:43
Given the system requirements of OSSIM and that we're in a test lab environment,
07:47
this will be much slower than it would be in a normal production environment.
07:50
Okay. Now we have our sensor linked to our server. We can continue.
07:57
Go back to the AlienVault Center.
08:03
Our next objective is to make sure our network intrusion detection system is running.
08:15
It may take some time to retrieve some data from the sensor.
08:20
Now that the data has returned, we can click on System Detail.
08:26
We're going to go to Sensor Configuration.
08:33
This might also take a bit of time.
08:39
Next we click Detection,
08:43
and we can see that it has our listening interface,
08:46
which we set
08:46
in our server configuration.
08:50
We can see here that the AlienVault NIDS is up and running.
08:56
Beautiful. AlienVault uses Suricata as its intrusion detection system,
09:01
and a lot of Suricata rules rely on external and internal IP addressing.
09:07
Given that this lab is entirely internally addressed, we're going to have to allow AlienVault to recognize internal addresses as external addresses.
09:18
To start with our tasks, we can go to Configuration,
09:22
Threat Intelligence,
09:26
and then Directives.
09:28
Correlation directives are a set of rules
09:31
that AlienVault uses to analyze logs.
09:37
For example, if we search "nikto",
09:43
we can see a "Nikto web vulnerability assessment tool usage" directive.
09:48
This is a web vulnerability scanner.
09:54
If you look in the rule,
09:58
we see From and To:
10:01
!HOME_NET and HOME_NET.
10:05
Exclamation point HOME_NET (!HOME_NET) is another way to say "not HOME_NET".
10:09
We have to edit this to say from HOME_NET to HOME_NET.
10:13
To do this,
10:15
we can clone this directive to user.
10:20
Yes.
10:22
This will disable the AlienVault policy and create our own custom one.
10:30
Hit the plus sign to edit.
10:48
As you can see here, for making specific custom rules, you can select specific hosts
10:54
and networks.
10:58
For our case we're going to click HOME_NET,
11:01
click Modify.
11:03
You can see that the exclamation point is gone.
11:07
We can reload the directive.
11:16
And that's step one to get NIDS working.
11:28
Step two,
11:30
we have to go into our OSSIM sensor.
11:33
We're using an all-in-one solution, the OSSIM server.
11:45
Log in.
11:48
Make this window bigger for ease of viewing.
11:54
We've got to jailbreak into the system.
11:58
To start, we can go into our Suricata directory:
12:03
cd /etc/suricata
12:07
Now we can edit our suricata.yaml file.
12:13
To do that:
12:16
nano suricata.yaml
12:22
We have to find our EXTERNAL_NET variable.
12:26
You can hit Ctrl+W to search.
12:33
You can search for EXTERNAL_NET.
12:39
Here we can see all the variables that our Suricata installation takes advantage of.
12:45
Instead of "not HOME_NET" (!$HOME_NET) for EXTERNAL_NET,
12:48
we're changing it to any.
12:50
This helps Suricata recognize more threats than just external-to-internal traffic or internal-to-external.
12:58
In the scenario where someone breaches your network and is moving internally,
13:03
you have a chance of missing some alarms that ordinarily you would see.
13:07
I recommend setting EXTERNAL_NET to any.
13:09
Keep in mind that this will still create a lot of false positives within your network that you'll have to tune out later.
13:16
Given that this is a test environment, it shouldn't be a problem.
13:20
Ctrl+X,
13:22
Y,
13:24
Enter.
13:30
Now that the file is saved, we need to restart our Suricata process,
13:33
typing in: service suricata restart
13:48
Now that's done.
13:50
Go back to our Kali machine.
13:54
Head over to our Alarms tab,
14:01
which at the moment is empty.
14:05
We're going to change that.
14:09
Open up a terminal.
14:13
By default, Kali has many penetration testing tools installed.
14:18
One of these tools is Nikto.
14:22
To scan our web server,
14:26
type in nikto -h
14:33
and then the IP address of our Ubuntu web server.
15:03
At this prompt you can hit No.
15:05
And our scan is complete.
15:11
You can see right here
15:16
that we have one unresolved alarm.
15:22
If it doesn't pop up immediately, you can reload the page.
15:31
And here we can see our alarm.
15:35
This confirms that our network intrusion detection system is running properly.
15:41
From our Kali box, we ran a web application vulnerability scanner on our Ubuntu web server.
15:48
This traffic was picked up by the NIDS interface
15:52
on our OSSIM sensor.
16:00
You can go into the alarm and see the exact event
16:03
triggered.
16:06
We see our Nikto user agent.
16:17
At this point, our OSSIM server and OSSIM sensor are fully configured.


AlienVault OSSIM

This course will use AlienVault OSSIM to showcase a Security Information and Event Management (SIEM) system. A SIEM is used to aggregate logs from all sources in a network, analyze the logs through a correlation engine, and generate alarms on malicious indicators and activity.

Instructed By

Anthony Isherwood
Instructor