Home or Small Office SIEM with OSSIM

March 30, 2011

For the past couple of weeks, I have been working with OSSIM (Open Source Security Information Management). OSSIM is a collection of tools that together provide a detailed view of the network. These tools include an IDS, a vulnerability scanner, an up-time monitor, and more. I installed the 32-bit version of OSSIM (the 64-bit version did not work on my hardware) on an old 2.0 GHz P4 I took out of a Sony Vaio PCV-RX752. For my small network (less than 20 hosts) this older hardware has worked great. The first hurdle to overcome when setting up an OSSIM installation is the listening interface. In order for OSSIM to do its job, it needs to be able to listen to all the traffic going in and out of the network. The Mikrotik Routerboard RB250GS is an affordable network switch that is able to mirror traffic from one Ethernet port to another. You can purchase one from Data-Alliance for about $40. The switch includes a web interface that allows you to configure the device. Here is a link to a screen shot of the web interface: MikroTik. By placing the switch behind the firewall but in front of the rest of the network, the switch is able to see all the traffic going into and out of the network. One Ethernet cable goes to the firewall, another to the next network switch, and a third to the OSSIM listening interface. Here is a great picture. With this basic network setup you are ready to install OSSIM and start listening for events.

The installer for OSSIM is very user-friendly. After OSSIM is installed, run apt-get update, apt-get dist-upgrade, and ossim-reconfig to update the OS software and the OSSIM software. Once the installation and upgrade are complete you should be able to log in to the web interface (default username and password: admin/admin). If things are working properly you will be able to see new events under the Analysis -> SIEM section. The OSSIM guys have cleverly used the Snort BASE web interface for the event manager. Next, start defining hosts in the Assets -> Assets section. Hosts represent the different computers on your network. Be sure to have a list of computer names and IP addresses before you start adding hosts. If you have assets that you want Nagios to monitor for up-time, be sure to check the Nagios box under the advanced section. I also like to add the OS and MAC under the inventory section. Do not attempt to add or remove monitored hosts under the Monitors -> Availability (Nagios) section. OSSIM handles all the hard work for you in the Assets section. After you have created an asset that you want to monitor with Nagios, modify it in OSSIM and select what ports you want monitored. OSSIM can use Nmap to scan the host for you, or you can manually choose the ports.

After my OSSIM installation had been running for a few days, I noticed a large number of false positives in the SIEM. OSSIM handles the reduction of false positives through its Policies. OSSIM uses policies to decide what to do with an event. You can create a new policy that modifies OSSIM’s default event behavior. To reduce false positives that were occurring with the Snort plugin, I created a new policy to suppress specific Snort alerts. I created a new Policy with any source, destination, or port. I also created a new plugin group called Snort Suppress that uses the Snort plugin and the signature ID (SID) of the offending Snort rule. OSSIM makes it very easy to verify that you have the correct SID by clicking on the magnifying glass with a plus sign in it. This will bring up a description of the SID you have entered. Once the plugin group has been created, the policy consequences can be adjusted. The consequences section refers to the actions OSSIM takes when the event is detected. To stop the event from registering in the SIEM, click on the “No” next to SIEM. This will suppress the event. Be sure to leave the Active option set to Yes; this indicates whether the Policy is active or not. The Actions option allows you to set up a custom action (send an email or execute a Linux command) to occur when the event is detected. I have an action set up that will send me an email. I can attach this action to any policy.
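As an added illustration (this is not OSSIM's own code), here is a small Python model of the policy evaluation described above: a suppress policy with any source, destination or port and a plugin group of Snort SIDs, plus a second policy tied to an email action. The plugin names, rule ids and addresses are constructed sample values, and the first-match ordering is an assumption of the model.

```python
from dataclasses import dataclass, field

ANY = "ANY"  # wildcard the policy uses for source, destination and port

@dataclass
class Event:
    plugin: str   # data source the event came from, e.g. "snort" or "ossec"
    sid: int      # signature/rule id within that plugin
    src: str
    dst: str
    port: int

@dataclass
class Policy:
    name: str
    src: str = ANY
    dst: str = ANY
    port: object = ANY
    plugin_group: dict = field(default_factory=dict)  # plugin -> set of SIDs
    active: bool = True                               # the "Active" switch
    siem: bool = True                                 # consequence: keep in SIEM?
    actions: list = field(default_factory=list)       # e.g. ["email"]

    def matches(self, ev: Event) -> bool:
        """True when an active policy covers this event's endpoints and SID."""
        if not self.active:
            return False
        for want, have in ((self.src, ev.src), (self.dst, ev.dst), (self.port, ev.port)):
            if want != ANY and want != have:
                return False
        return ev.sid in self.plugin_group.get(ev.plugin, set())

def evaluate(policies, ev: Event):
    """Return (stored_in_siem, actions) for one event.
    Model assumption: policies are tried in list order and the first match
    wins; an event no policy covers keeps the default (stored, no action)."""
    for pol in policies:
        if pol.matches(ev):
            return pol.siem, list(pol.actions)
    return True, []

# Constructed sample policies: drop two noisy local Snort rules from the
# SIEM, and e-mail on one OSSEC rule id (all ids here are placeholders).
SUPPRESS = Policy("Snort Suppress", plugin_group={"snort": {1000001, 1000002}}, siem=False)
NOTIFY = Policy("Mail on OSSEC alert", plugin_group={"ossec": {100100}}, actions=["email"])
POLICIES = [SUPPRESS, NOTIFY]

if __name__ == "__main__":
    ev = Event("snort", 1000001, "10.0.0.5", "10.0.0.1", 80)  # constructed event
    print(evaluate(POLICIES, ev))  # -> (False, [])
```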

This OSSIM configuration is great for monitoring network traffic, but what about individual hosts? OSSIM comes with the ability to do this. A tool called OSSEC is included with OSSIM. OSSEC is an open source host-based intrusion detection system (HIDS). Where Snort is a network-based IDS (NIDS), OSSEC is a host-based IDS: it resides on and monitors individual hosts. I have used OSSEC in the past for a basic SSH honeypot exercise. Setting up OSSEC on your host is very simple. First, run the manage_agents script under /var/ossec/bin/ on the OSSIM/OSSEC server. Then install the OSSEC agent on the target host. For Windows 7 be sure to install the OSSEC agent program under an administrator account. When the agent prompts for the client key, run the manage_agents script on the server and extract the key. Input this key into the agent along with the IP address of the OSSEC server. On the OSSIM machine run list_agents to see if the agent was able to connect successfully. Once the agent has connected you will see events in the SIEM based on the OSSEC plugin.

With this basic setup guide, an old computer, and a $40 switch anyone can monitor their own traffic and get an idea of the security of their network. I have included some helpful links below:

OSSIM Installation Guide

OSSIM Introduction

OSSEC Help


4 Responses to “Home or Small Office SIEM with OSSIM”

  1. I am curious, when running ossim-reconfig, which device type are you using on your single host?

    Is it a server? A sensor? Or is it installed initially to be all the available device types?

  2. According to the installation documentation, OSSIM has 4 different profiles. Sensor, Server, Framework, and Database. My setup includes all the profiles on one machine. This helps reduce the cost of the needed hardware. I have noticed that when I update the machine with ossim-reconfig the hardware has a hard time keeping up. My CPU runs at 100% for a few minutes.

  3. It’s been a couple of years since this was posted so are you still using this setup?

    What about IPS? This is all new to me, but from what I can tell, your setup detects issues, but what do you have in place that reacts? Do you have something set up that uses OSSIM to prevent/block intrusions?

    I have a Windows box with a web, email and FTP server. None of the servers are Microsoft products. What’s the best way to secure them all with intrusion detection and prevention?

    Thanks,

    Jeff

  4. Jeff,

    No, I am not using this setup anymore. I repurposed the hardware for a Minecraft server :-). The basic principles still apply. The need for a way to capture the traffic is the starting point. The Mikrotik switch is still around. This setup is not intended to support an intrusion prevention solution, only a detection solution. Once the intrusion is detected it would be up to you to handle the incident response.

    Network based intrusion prevention systems are going to be expensive. Try OSSEC for a free host based alternative.
