SIEM (Security Information and Event Management) combines two earlier product categories: Security Information Management (SIM) and Security Event Management (SEM). SIEM technology provides real-time collection and analysis of security events (alarms) generated by network devices, servers and applications.
A SIEM lets security specialists track security events over time and correlate them, so that the actions of the (simulated) attacker can be matched against what the defending specialist observed.
The subject of SIEM is very broad and would need several tutorials of its own. In this tutorial I will only touch on it and show how to install the popular free solution OSSIM.
OSSIM (Open Source Security Information Management)
OSSIM (Open Source Security Information Management) is an open source platform for security monitoring, management and event analysis. Out of the box, OSSIM includes the following functionality:
- Collection, analysis and correlation of events — the SIEM component itself
- Host intrusion detection system (HIDS) — OSSEC
- Network intrusion detection system (NIDS) — Suricata
- Wireless intrusion detection system (WIDS) — Kismet
- Availability monitoring of hosts and networks — Nagios
- Passive asset discovery and network anomaly detection — p0f, PADS, FProbe, Arpwatch and others
- Vulnerability scanner — OpenVAS
- Threat intelligence sharing among OSSIM users — OTX (AlienVault Open Threat Exchange)
- More than 200 plugins for parsing and correlating logs from external devices and services
Distribution of OSSIM
OSSIM is distributed as a bootable ISO installation image, and only a 64-bit build is available.
The distribution ISO image can be downloaded from the official website at https://www.alienvault.com/products/ossim.
OSSIM is installed from that image, which contains a complete Debian system together with all the required OSSIM components and modules; it is not installed on top of an existing operating system.
The system needs a reasonably powerful machine: several CPU cores and at least 3 GB of RAM. After creating the VM and attaching the downloaded ISO image, start the VM.
The installation does not differ from installing Debian: boot the virtual machine from the OSSIM image and follow the installer's prompts. When the installation completes, a console window appears that prints the address of the web interface.
Open that address in a browser and enter the user credentials. With that, the OSSIM installation is complete.
Now let's configure OSSIM. Log in with the credentials from the previous step; the configuration wizard appears.
First, configure the network interfaces, i.e. the IP settings of the server on which OSSIM is installed.
On the next tab OSSIM scans the network automatically and asks us to specify the types of the hosts it found.
In the next step we can have the host intrusion detection system deployed automatically (OSSIM ships OSSEC). Let's try it on Windows hosts: select the host, enter credentials with administrative rights on it, and click Deploy. The wizard's own example is a domain administrator account; in practice a dedicated deployment account with local administrator rights on the target hosts is preferable, since the OSSIM server uses these credentials to push the agent to the host over the network.
After these steps, OSSIM reports that installation and configuration completed successfully.
To manage the HIDS agents, go to Environment | Detection | HIDS | Agents. Two hosts are listed: the first is OSSIM itself and the second is the Windows Server on which we deployed the agent by clicking Deploy HIDS in the Setup Wizard.
Agent installation on a Windows host is performed automatically and requires no further input. Agent setup on a Linux host follows the process described earlier in the OSSEC section.
With the HIDS installation finished, go to Environment | Detection, where the OSSEC alerts are now visible.
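What the SIEM correlation listed among OSSIM's components actually does with OSSEC alerts like the ones now visible under Environment | Detection, as an added illustration written for this page rather than OSSIM's or OSSEC's own code: the alert text below is constructed in the layout of OSSEC's alerts.log (rule IDs 5716 "authentication failed" and 5715 "authentication success" are the sshd rules OSSEC ships, but the host, addresses, user and timestamps are invented), and the correlation rule models an OSSIM-style multi-step directive, "several failed logins followed by a success from the same source", with thresholds of 3 failures in 120 seconds that are assumptions chosen for the example.

```python
"""Normalize OSSEC-style alerts and correlate "brute force, then success".

Added illustration, not OSSIM or OSSEC code.  SAMPLE_ALERTS is constructed in
the OSSEC alerts.log layout; rule IDs 5716 (failed) and 5715 (accepted) are the
sshd rules OSSEC ships, but host, addresses, user and timestamps are invented.
"""
import re
from collections import defaultdict

SAMPLE_ALERTS = """\
** Alert 1325498400.1001: - syslog,sshd,authentication_failed,
2012 Jan 02 10:00:00 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7
User: root
Jan  2 10:00:00 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 50000 ssh2

** Alert 1325498410.1002: - syslog,sshd,authentication_failed,
2012 Jan 02 10:00:10 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7
User: root
Jan  2 10:00:10 web01 sshd[2102]: Failed password for root from 203.0.113.7 port 50001 ssh2

** Alert 1325498420.1003: - syslog,sshd,authentication_failed,
2012 Jan 02 10:00:20 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7
User: root
Jan  2 10:00:20 web01 sshd[2103]: Failed password for root from 203.0.113.7 port 50002 ssh2

** Alert 1325498430.1004: - syslog,sshd,authentication_success,
2012 Jan 02 10:00:30 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 203.0.113.7
User: root
Jan  2 10:00:30 web01 sshd[2104]: Accepted password for root from 203.0.113.7 port 50003 ssh2
"""

HEADER = re.compile(r"^\*\* Alert (?P<ts>\d+)\.\d+:.*?- (?P<groups>[\w,]+)$")
RULE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
FIELD = re.compile(r"^(?P<key>Src IP|User): (?P<val>\S+)$")


def parse_alerts(text):
    """Split an alerts.log dump on blank lines and turn each alert into a dict.

    OSSEC's comma-separated group list on the header line (authentication_failed,
    authentication_success, ...) is the normalized event type a correlation rule
    keys on, so it is kept as a set.  Lines the parser does not recognise (the
    copied raw log line) are ignored, as a SIEM plugin would ignore them.
    """
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = None
        for line in block.splitlines():
            m = HEADER.match(line)
            if m:
                ev = {"ts": int(m["ts"]), "groups": set(filter(None, m["groups"].split(","))),
                      "rule": 0, "level": 0, "desc": "", "src_ip": "-", "user": "-"}
                continue
            if ev is None:
                continue  # text before the first header line
            m = RULE.match(line)
            if m:
                ev.update(rule=int(m["rule"]), level=int(m["level"]), desc=m["desc"])
                continue
            m = FIELD.match(line)
            if m:
                ev["src_ip" if m["key"] == "Src IP" else "user"] = m["val"]
        if ev:
            events.append(ev)
    return events


def correlate(events, min_failures=3, window=120):
    """Flag a source that fails to log in `min_failures` times within `window`
    seconds and then succeeds from the same address (OSSIM-style multi-step
    directive "brute force followed by success").  Thresholds are assumptions."""
    failures = defaultdict(list)  # src_ip -> timestamps of recent failures
    alarms = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["src_ip"]
        if "authentication_failed" in ev["groups"]:
            failures[ip].append(ev["ts"])
        elif "authentication_success" in ev["groups"]:
            recent = [t for t in failures[ip] if ev["ts"] - t <= window]
            if len(recent) >= min_failures:
                alarms.append({"src_ip": ip, "user": ev["user"],
                               "failures": len(recent), "ts": ev["ts"]})
                failures[ip].clear()  # one alarm per burst
    return alarms


if __name__ == "__main__":
    for alarm in correlate(parse_alerts(SAMPLE_ALERTS)):
        print("ALARM brute-force login succeeded:", alarm)
```

A single failed login is noise and a single successful login is normal; only their combination from one source inside a short window is worth an alarm, which is exactly the kind of multi-step directive the OSSIM correlation engine evaluates over events that individual OSSEC rules have already normalized. Running the block prints one alarm for 203.0.113.7; a success without preceding failures, or failures outside the window, produces none.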
Published on Mon 02 January 2012 by Sandra Michaels in Security with tag(s): event management, security, siem