AlienVault OSSIM Forums

Snort with registered rules

TheHoff — Fri, 24 May 2013 06:43:51 +0000

Hi folks

I've been doing some testing over the last few days and think I'm starting to get a working setup. It's a two part setup with one computer as dedicated sensor running snort and one VMware server running a full setup. Alienvault version is the latest 4.2.2 on both.

I get a lot of the Emerging rules from snort generating SIEM events but none of my subscriber rules. I've done the setups from this forum post https://www.alienvault.com/forum/index.php?t=rview&th=677&goto=4090 and rules are pulled OK byt oinkmaster on both servers and parsed into the database. There are a few snort.conf on /etc/snort and subfolders but none seems to affect the events generated so it feels like I'm missing a "master" .conf somewhere.

Can anyone help me out?

Regads

Fredrik

Vmware tools install (open source or vmware proper)

ilom — Fri, 26 Apr 2013 19:13:41 +0000

I must be blind as I find it hard to believe a product primarily deployed in vm's doesnt have a simple way to install vmware tools. I'm using 4.2, hopefully someone can enlighten me on my ignorance.

So far I've attempted to jailbreak then apt-get install build-essential...failed (pkg not found; likely sources)

Also tried alientvault_dpkg and wget individual files and was met with numerous errors.

As it appears I'm clearly going down the wrong road I figured I'd ask before breaking this install just to get vmware tools running.

Thanks in advance, ilom

Single Ascii Character in /var/ossec/logs/alerts/alerts.log file?

MarsAttack — Fri, 24 May 2013 19:09:54 +0000

All,

I'm curious if anyone has been finding this single ascii character in their logs: ò

I quick way to check would be to:
cat /var/ossec/logs/alerts/alerts.log | grep -v "AV"

I haven't tracked down the source yet, thought I'd ask.

OSSIM 4.2: OSSEC Agent Client Update Required Too?

MarsAttack — Fri, 24 May 2013 19:52:20 +0000

All,

Anyone having issues with their 2.5 agents working with OSSEC Server 2.7? I'm curious if there is any benefit to upgrading the ossec agents.

How to configure OSSEC agent for windows

Ruslan — Thu, 23 May 2013 06:21:17 +0000

Hi all. There is one problem with ossec agent. Agent is connected to the server. In the web consol it has active status, but there is no events from this host(( thanks in advance 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/win.ini'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/system.ini'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\autoexec.bat'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\config.sys'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\boot.ini'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/CONFIG.NT'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/AUTOEXEC.NT'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/at.exe'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/attrib.exe'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/cacls.exe'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/debug.exe'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/drwatson.exe'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/drwtsn32.exe'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/edlin.exe'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/eventcreate.exe'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/eventtriggers.exe'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/ftp.exe'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/net.exe'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/net1.exe'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/netsh.exe'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/rcp.exe'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/reg.exe'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/regedit.exe'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/regedt32.exe'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/regsvr32.exe'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/rexec.exe'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/rsh.exe'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/runas.exe'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/sc.exe'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/subst.exe'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/telnet.exe'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/tftp.exe'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/tlntsvr.exe'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Windows/System32/drivers/etc'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Documents and Settings/All Users/Start Menu/Programs/Startup'. 2013/05/23 07:59:27 ossec-agent: INFO: Monitoring directory: 'C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup'. 2013/05/23 07:59:27 ossec-agent: INFO: Started (pid: 412). 2013/05/23 07:59:28 ossec-agent(4102): INFO: Connected to the server (172.16.2.159:1514). 2013/05/23 07:59:28 ossec-agent Sending keep alive message.... There is agent log

Cisco ASA log to OSSIM

oelnak — Fri, 26 Apr 2013 17:39:18 +0000

Hi Community,

A newbie here, asking for some help on 'how to collect cisco ASA logs in OSSIM'.

I searched it in the discussions, but could not find the solution.

Here is what i did so far:

-----------------------------------------

1) Download the ISO V4.2, deploy it into a Virtual Machine "ossim - 10.0.0.10";

2) Ssh into 10.0.0.10, in the AlienValut setup, enable 'cisco-asa' in the 'Configure Sensor' section, then apply changes;

3) Ssh into 10.0.0.10, choose 'Jailbrea this Appliance' in order to update the files;

4) in the folder /etc/rsyslog.d, create a new file 'cisco-asa.conf' with the following 2 lines:

if $fromhost-ip == 10.0.0.1 then -/var/log/cisco-asa.log

if $fromhost-ip == 10.0.0.1 then ~

5) in the folder /etc/ossim/agent/plugins, edit 'cisco-asa.cfg' to the following:

...

location=/var/log/cisco-asa.log

create_file=true

...

6) log rotation: edit the file '/etc/logrotate.d/rsyslog', and add '/var/log/cisco-asa.log' right under '/var/log/syslog';

7) go to my cisco ASA firewall 10.0.0.1, set the syslog server 10.0.0.10;

8) in the 'ossim - 10.0.0.10', i can see the logs from Cisco ASA 10.0.0.1 in the file /var/log/syslog, but not in the /var/log/cisco-asa.log;

-------------------------------------------

Questions:

-Did i do something wrong?

-Did i miss any steps needed?

-Why the cisco ASA's logs kept going into /var/log/syslog instead of /var/log/cisco-asa.log?

Thanks much in advance for all the help!

AlienVault - USM OSSEC Error

Jared — Thu, 16 May 2013 17:58:45 +0000

When attempting the following command:

alienvault4sim:/# /var/ossec/bin/ossec-authd -p 1515

I receive the following error:

ERROR: Not compiled. Missing OpenSSL support.

Upgrading the libssl-dev, reinstalling the ossec-hids package causes the AlienVault USM server GIU some significant issues. I recovered the server from backup and would now like to use ossec-authd to register agents.

What is the process to recompile OSSEC on the USM now that OpenSSL packages are present? Everything that I have tried has failed and I am still waiting on an answer from the support ticket system.

Thank you,

Jared

Using OSSIM vs Alienvault Pro in Production

cshrimpt — Wed, 22 May 2013 17:01:13 +0000

Alienvault says the OSSIM product is for testing an not suitable for production. Is anyone using OSSIM in production? I have about a dozen sites mostly with 2 MB Internet connections that I'd like to monitor. Even using the base Pro version would be prohibitively expensive for so many small sites.

What's the max traffic/events the free version will support?

Thanks

Suricata or Snort

ngiannoulis — Thu, 16 May 2013 12:37:39 +0000

On my new install of OSSIM 4.2 it looks as Suricata is enabled by default and Snort is disabled ( confusing by the way that Suricata events come under the snort category though ) so my question is shall i leave the current config as it is or would Snort better?

External OCS

clems — Fri, 24 May 2013 15:13:33 +0000

Hello,

We have an ocs server with all our assets, I would like to use his DB for OSSIM.

I try this:
1. edit /etc/apache2/conf.d/ocsinventory.conf to put the DB information
2. edit /usr/share/ossim/www/ocsreports/dbconfig.inc.php to put the DB information

But none asset was add to OSSIM and when i do ossim-reconfig both files are back with default informations.

Question: How to use an external ocsinventory to populate all assets in OSSIM.

Regards,

Any luck with automatic ossec deployment?

kilgore — Thu, 23 May 2013 17:28:49 +0000

Has anyone had any success with the automated ossec deployment feature released in 4.2?
I have tried with a brand new windows 7 machine, and get the following errors:

Error! Task could not be completed.
Error stopping the ossec-agent

and

Ossec installation failed. Please make sure that:
xp or above, credentials, etc, etc....

I had AV support look into it for me and they suspect it's a bug, but I'm wondering if anyone else has the same issue.

Thanks!

Problems with Email - Some go, some don't - OSSIM 4.2

aegis — Thu, 02 May 2013 15:18:04 +0000

Hello to anyone that can help me. I'm certainly not a noob, but by no means a Linux Novice. I have the AV 4.2 Server setup, and I'm having email issues. Here is what is working, and what is not:

Email Alerts from Nagios - Yes - from root@localhost though.... :|

Email Alerts for CRON - Yes - from root@localhost though...

Email Reports from the Reports Section - No

Email Alerts from OSSEC - No

I use MS Exchange 2010 SP2 - I have a receive connector setup for the AV Server to relay through, but I'm not sure which authentication mechanisms to enable, and I have never heard of SASL authentication before.

I have to edit the Postfix Main.cf and turn off authentication to get the Nagios and Cron to work, and after changing /etc/aliases and SASL_password file, things still don't work.

My Questions:

Are there other places to configure the email connection for OSSEC and Reports Section?

How do I get this SASL authentication to work with Exchange?

How can I make this device send as HOSTNAME@MYDOMAIN.COM rather than root@localhost?

Thanks for anyone that will help me with this, your assistance is greatly appreciated!

Here is Main.cf:

smtpd_banner = $myhostname ESMTP $mail_name (Alienvault/OSSIM)
biff = no
append_dot_mydomain = no
readme_directory = no
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = loopback-only

smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=no
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_note_starttls_offer = yes
tls_random_source = dev:/dev/urandom

myhostname = tron.lab.local

myorigin = $myhostname
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

Here is OSSIM_Setup.conf

admin_dns=10.10.10.200
admin_gateway=10.10.10.250
admin_ip=10.10.10.219
admin_netmask=255.255.255.0
domain=joelsitlab.com
email_notify=joel@joelsitlab.com
hostname=tron
interface=eth0
mailserver_relay=10.10.10.200
mailserver_relay_passwd=**omitted-for-security**
mailserver_relay_port=25
mailserver_relay_user=tron
ntp_server=no
profile=Server,Sensor,Framework,Database

[database]
db_ip=127.0.0.1
pass=***********
user=root

OSSEC detect account management like password change etc.

shad — Fri, 24 May 2013 08:31:49 +0000

I've setup OSSIM 4.2 and latest OSSEC 2.7 on a windows 2003 domain controller, i already see the event in my siem console comming from this agent.

I only see events like user sucessfully logged in/out. I would like to see other event like passwords changed, user account added, user account deleted, user added to group etc. Where can i set all these parameters ?

Current config contatins security log:

...

Security
eventlog

...

I presumed that this would foerward all the events, but it doesn't.

Any help is great. Thank you in advance.

test - delete me

iamfromit — Fri, 24 May 2013 11:35:43 +0000

please delete me

How to setup IP Reputation policy?

morpheusc — Tue, 14 May 2013 03:23:38 +0000

How to setup IP Reputation policy? Where I can find the Severity of the event?

Correlation using timeout (absence) of a log event

fredrik — Mon, 20 May 2013 11:52:05 +0000

Hello!

I am wondering if it is possible to setup AV-USM / OSSIM to correlate on the absence of an expected event using a timeout.

Say for instance I'm monitoring a log file and log event "First" shows up. Then I'm expecting log event "Second" to show up within a given time, and if it doesn't, I'd like to generate an alarm/ticket.

I can't see Snort as a Data Source in the Security Events

Seif — Thu, 23 May 2013 19:58:14 +0000

Hi again,

i had a little problem with my UI.

I activated Snort from the terminal, and i can see that it's activated in my UI (Deployement -> Sensor Configuration -> Detection) but when i go to the Security Events, i can't see it in the Data Sources .. and i have 0 events from snort ..

credentialed scan in AD

iworkhere — Tue, 14 May 2013 14:05:38 +0000

Hello everyone

I have setup OSSIM in an AD environment and am trying to do a credentialed vulnerability scan and it doesnt seem to work. After sniffing the traffic it seems that its using a work group (seems like workgroupalienvault or something like that. i have tried to do a few different things to authenticate my credentials "domain\user" "user" etc and nothing works.

Does anyone have any fixes for this?

exclude Host operating system change

iworkhere — Thu, 23 May 2013 20:19:31 +0000

Hello everyone, i have multiple events called

Host operating system change

and would like to filter them out of the SIEM view. I tried to do this through the policy but cant find how. Can anyone show me how to simply filter this please?

Thank you,

Hardware requirements

Max — Thu, 23 May 2013 16:58:30 +0000

Hi Community,

A newbie here, asking for some help on what hardware config is necessary for the following load,

Siem 'office core' - 1300 hosts

Remote Sensor 'office 2' - 850 hosts

Remote Sensor 'office 3' - 450 hosts

Remote Sensor 'offcie 4' - 250 hosts

We want to do it with the correct hard so we dont get any problems later,

If you can give me an idea I would be grateful.

Is Open OSSIM supported by vmware?

Thanks in advance

Regards

eth0 and eth1 problem

Seif — Wed, 22 May 2013 23:00:36 +0000

Well, hi all
I was using ossim 4.1 and it was Ok .. the port mirroring, snort ..etc

I decided to install ossim 4.2 and then i had a big problem.
In the installation, i can only choose only one interface for the administration and the promisc mode ..
I explain, in the first step i choosed eth0 for the administration interface .. and when it asks me to choose the interface for snort and promisc mode, i tried eth1 .. but i got an error message, a message like : "Snort try to use an inexisting or inactive interface, he's using a default value or the adress is invalid" ..
So i can only pass this step if i choose eth0 ..

I'm using Vmware Workstation, and i have 2 Network Adapter (Bridged mode) ..
I tried a manual configuration but i got this error :

New LDAP Error After Applying Updates Today

mrhaag — Fri, 21 Dec 2012 15:03:33 +0000

Warning: ldap_search(): Search: Operations error in /usr/share/ossim/include/classes/Session.inc on line 1169 Warning: ldap_get_entries() expects parameter 2 to be resource, boolean given in /usr/share/ossim/include/classes/Session.inc on line 1170

The above warning happens after I attempt to log in with an LDAP account. I can no longer use LDAP accounts to log in to the web interface. Before updating this morning, I was able to authenticate via LDAP.

current version :

ii ossim-framework 1:4.1.2-127

Can OSSIM be installed on an already built Windows 7 system without wiping the disk?

carwin — Wed, 22 May 2013 10:34:35 +0000

Can OSSIM be installed on an already built Windows 7 system without wiping the disk?

Feature Request

gio_martins — Thu, 23 May 2013 14:05:06 +0000

Hi guys,

I don't know if its possible, but i'd like to create an automation for spam response using OSSIM. I use Request Tracker for Incident Response Teams (Best Practice's RTIR) to receive abuse messages and report to our local spam team. Do you have expectations to integrate OSSIM and RTIR (as a plugin or adding its features in OSSIM) in a near future?

Thanks

Is there a 32 bit versin of OSSIM?

carwin — Wed, 22 May 2013 10:35:37 +0000

Is there a 32 bit versin of OSSIM?

Clearing database

zoneranger — Mon, 25 Feb 2013 14:34:27 +0000

Hello all

I don't really want to rebuild my AlienVault box from scratch,
but the DB is quite full - especially after a mishap with sending too many Cisco events to it.

Rather than use the web interface, is there a quick way of removing the following:

- all of the hosts in the asset database
- all of the alarms
- potentially all of the event logs.

Thanks!

Alienvault Center is showing my sensor twice

derDuffy — Mon, 25 Feb 2013 10:27:12 +0000

I'm pretty sure the questions was discussed before, but I can't find it in the forums anymore.

My Alienvault Center is showing my sensor twice (see attached screenshot)

How can I get rid of that and how can I prevent it form happening again ?

Thanks in advance!

how to solve this ??? ossec analysisd testing rules failed. configuration error. exiting

IRFAN — Thu, 23 May 2013 06:15:41 +0000

Hi Everyone !

I am quite new to ossim need some help.

I am interested to get logs from a windows machine on ossim(all in one) via ossec.I have two Virtual machines properly communicating with each other.
I had successfully configured both ossec on ossim side and ossec agent manager on windows side. Now after doing all configurations I do this:
# cd /var/ossec/bin/

# ./ossec-control stop
# ./ossec-control start

After last command I got this : OSSEC analysisd: Testing rules failed. Configuration error. Exiting.

Waiting for asap response!

Thanks

No SIEM events from Juniper-SRX plugin after Upgrade 4.2

infosecq — Wed, 15 May 2013 07:34:06 +0000

After upgrading to 4.2. SIEM events dashboard not showing any data from source juniper-srx plugin. I tried to access SFTP through WinScp, connection refused. Can login through SSH and tail to check log reception which shows. But nothing on SIEM page.
Can anyone assist me on this issue.

Thanks