In this tutorial, we are going to learn how to install and set up AlienVault OSSIM 5.5 SIEM on VirtualBox.
If you are a Blue Team security analyst, you have in one way or another heard of or interacted with more than one SIEM (Security Information and Event Management) solution. Well, AlienVault is one of the leading SIEM solutions, and AlienVault OSSIM is the open source version of AlienVault SIEM. It comes enriched with features like event collection, normalization and correlation. What crosses your mind when we talk about event collection, normalization and correlation? Let us put this in black and white:
- Event collection: AlienVault has the ability to collect logs from various sources in your environment: host servers and systems, applications running on those servers, network devices such as firewalls and routers, and any other endpoints in your environment.
- Event normalization: The attributes of the collected logs are extracted and stored in the common data fields that define an event, such as IP addresses, hostnames, usernames, interface names, ports and programs. Because every source is mapped onto the same fields, analysts can run queries across all collected events for better and quicker analysis.
- Event correlation: This involves analyzing the relationships between the collected events (for example, the same source address appearing in events from several hosts) to identify patterns of related events.
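To make the three steps concrete, here is a small added example (not code from the article or from AlienVault) that collects a handful of constructed syslog lines from two kinds of source, normalizes them onto one common event schema, and then runs a simple correlation rule over the normalized fields. The log formats, hostnames, addresses and the threshold of three failures are all constructed for the demonstration; a real SIEM ships hundreds of such parsers and rules, but the principle is the same.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the article): OpenSSH authentication
# messages via syslog, and netfilter-style firewall drops from a gateway host.
SAMPLE_LOGS = [
    "Mar  3 10:01:12 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Mar  3 10:01:15 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51030 ssh2",
    "Mar  3 10:01:20 db01 sshd[4410]: Failed password for root from 203.0.113.7 port 51044 ssh2",
    "Mar  3 10:02:01 db01 sshd[4412]: Accepted publickey for deploy from 10.0.2.15 port 40210 ssh2",
    "Mar  3 10:02:05 fw01 kernel: [12345.678] IPTABLES-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.2.15 PROTO=TCP SPT=51100 DPT=3389",
    "Mar  3 10:02:09 fw01 kernel: [12345.900] IPTABLES-DROP IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.2.15 PROTO=TCP SPT=44000 DPT=23",
]

# One parser per source format. Named groups are the "normalized" fields.
SYSLOG_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
SSH_FAILED = re.compile(SYSLOG_PREFIX + r"sshd\[\d+\]: Failed password for (?:invalid user )?"
                        r"(?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)")
SSH_OK = re.compile(SYSLOG_PREFIX + r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) "
                    r"from (?P<src_ip>\S+) port (?P<src_port>\d+)")
FW_DROP = re.compile(SYSLOG_PREFIX + r"kernel: .*IPTABLES-DROP .*SRC=(?P<src_ip>\S+) DST=(?P<dst_ip>\S+) "
                     r"PROTO=(?P<proto>\S+) SPT=(?P<src_port>\d+) DPT=(?P<dst_port>\d+)")
PARSERS = ((SSH_FAILED, "auth_failure"), (SSH_OK, "auth_success"), (FW_DROP, "fw_drop"))


def normalize(line):
    """Map one raw line onto the common event schema; None if no parser matches."""
    for pattern, event_type in PARSERS:
        m = pattern.match(line)
        if m:
            f = m.groupdict()
            return {
                "type": event_type,
                "timestamp": f["ts"],
                "host": f["host"],
                "src_ip": f["src_ip"],
                "src_port": int(f["src_port"]),
                # Fields a given source does not carry stay None rather than absent.
                "user": f.get("user"),
                "dst_ip": f.get("dst_ip"),
                "dst_port": int(f["dst_port"]) if f.get("dst_port") else None,
                "raw": line,
            }
    return None


def normalize_all(lines):
    """Collection step: keep every line a parser understood, drop the rest."""
    return [ev for ev in (normalize(line) for line in lines) if ev is not None]


def correlate(events, threshold=3):
    """Correlation rule: one src_ip with >= threshold auth failures, counted
    across all hosts, is raised as an alarm together with any firewall drops
    from the same address. Works only because both sources share 'src_ip'."""
    failures = defaultdict(list)
    drops = defaultdict(int)
    for ev in events:
        if ev["type"] == "auth_failure":
            failures[ev["src_ip"]].append(ev)
        elif ev["type"] == "fw_drop":
            drops[ev["src_ip"]] += 1
    alarms = []
    for ip, evs in failures.items():
        if len(evs) >= threshold:
            alarms.append({
                "src_ip": ip,
                "failures": len(evs),
                "hosts": sorted({e["host"] for e in evs}),
                "users": sorted({e["user"] for e in evs}),
                "fw_drops": drops.get(ip, 0),
            })
    return alarms


if __name__ == "__main__":
    for alarm in correlate(normalize_all(SAMPLE_LOGS)):
        print(alarm)
```

The point to notice is that the failures against web01 and db01 and the drop on fw01 are only visible as one pattern after normalization has given them the same src_ip field; the raw lines share nothing but the address buried in different syntax.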
OSSIM provides a unified platform that bundles together security capabilities such as Asset Discovery, Host Intrusion Detection, Network Intrusion Detection, Behavioral Monitoring, Vulnerability Assessment and Log Management. It also leverages the power of the AlienVault Open Threat Exchange (OTX), the open threat intelligence community that delivers community-generated threat data, enables collaborative research, and automates the process of updating your security infrastructure with threat data from any source.
Without much theory, let's get to the installation of OSSIM. In our environment, we will be installing our SIEM on VirtualBox. Since this is just a demonstration, the minimum system requirements are:
- 2 CPU cores
- 8GB RAM
- 32GB Disk Space
- Two NICs (You can have multiple NICs for Management, Network Monitoring or Log Collection and Scanning)
You can download the OSSIM installation ISO from here
1. Create a new VM
2. Assign a memory of 8GB
3. Assign a storage of 30GB and click the Create button to create the VM
4. Once the VM is created, open Settings and adjust the number of CPU cores
5. On Storage, add the OSSIM ISO to the IDE controller.
6. On Network, add a second NIC as a Host-Only adapter.
7. Launch the installation. When the OSSIM VM boots from the ISO image, an installation wizard as shown below welcomes you.
Choose the first option, Install AlienVault OSSIM 5.5.1 (64 Bit), to install the OSSIM server.
8. On the next steps, choose the appropriate language, location and keyboard settings.
9. On Configure Network, select the first interface as the primary network interface (the NATed interface).
On the subsequent screens, assign the appropriate IPv4 address, netmask, gateway and DNS server. In this case, assign the default VirtualBox NAT network details 10.0.2.15, 255.255.255.0, 10.0.2.2 and 10.0.2.3 respectively.
10. Once the network is set up, configure users and passwords. Set the root password and keep it, as it will be required for the root login on the AlienVault OSSIM console.
11. Click Continue to proceed with the OSSIM installation. If the installation is successful, you should see a screen similar to the one shown below.
- As seen on the screenshot above, the OSSIM web interface is served at https://10.0.2.15/. However, since this is a NATed IP, we won't be able to reach our OSSIM from the host via this address.
- To access our OSSIM server via a browser, we need to assign a static IP address to the Host-Only interface we added above and make it our management interface.
- To do this, log in to the SIEM as root with the password set previously. Once you log in, the AlienVault Setup Menu welcomes you.
- Click System Preferences > Configure Network > Setup Management Network > eth1 > IP address > Netmask > Gateway
- Replace the NAT address and netmask with the Host-Only address and mask
- Go back to the AlienVault Setup Menu and click Apply all Changes.
- Once the changes are applied, we need to configure the NAT IP address on the first interface so that AV can still reach the external network.
- System Preferences > Configure Network > Setup Network Interface > eth0 > IP address > Netmask
- Apply all Changes
- Use 10.0.2.15/24 as the IP
- Edit the network interfaces file and specify the gateway for eth0 so that your configuration looks like this:
# vim /etc/network/interfaces

auto eth0
iface eth0 inet static
    address 10.0.2.15
    netmask 255.255.255.0
    network 10.0.2.0
    broadcast 10.0.2.255
    gateway 10.0.2.2
    dns-nameservers 10.0.2.3
- Once the IP is set, restart networking service;
# service networking restart
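The two-NIC layout above is easy to get subtly wrong: the default route must live on the NAT interface only, the network and broadcast lines must agree with address and netmask, and the host's own Host-Only adapter address must sit in eth1's subnet or the browser will never reach the web UI. The following added example (my own helper, not part of the article or of OSSIM) derives the stanzas for eth0 and eth1 from just address, netmask and gateway using Python's ipaddress module and refuses inconsistent input. The NAT values are the ones from the article; the Host-Only address 192.168.59.113 is taken from the URL used later in the article, and the host-side adapter address 192.168.59.1 is an assumption.

```python
import ipaddress


def interface_stanza(name, address, netmask, gateway=None, dns=None):
    """Build one /etc/network/interfaces stanza. 'network' and 'broadcast' are
    derived from address+netmask instead of typed by hand, and a gateway that is
    not inside the interface's own subnet is rejected."""
    iface = ipaddress.IPv4Interface(f"{address}/{netmask}")
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{address} is the network or broadcast address of {net}")
    lines = [
        f"auto {name}",
        f"iface {name} inet static",
        f"    address {iface.ip}",
        f"    netmask {net.netmask}",
        f"    network {net.network_address}",
        f"    broadcast {net.broadcast_address}",
    ]
    if gateway is not None:
        gw = ipaddress.IPv4Address(gateway)
        if gw not in net:
            raise ValueError(f"gateway {gateway} is not inside {net}")
        lines.append(f"    gateway {gw}")
    if dns:
        servers = " ".join(str(ipaddress.IPv4Address(d)) for d in dns)
        lines.append(f"    dns-nameservers {servers}")
    return "\n".join(lines)


def build_interfaces(nat, mgmt):
    """Compose the whole file for the article's layout: eth0 is the NAT uplink
    carrying the only default route, eth1 is the host-only management interface
    with no gateway, so traffic to the host never tries to leave via NAT."""
    header = ("# Generated example; eth0 = NAT uplink, eth1 = host-only management\n"
              "auto lo\niface lo inet loopback\n")
    return (header + "\n" + interface_stanza("eth0", **nat) + "\n\n"
            + interface_stanza("eth1", **mgmt) + "\n")


def check_management_reachable(host_only_ip, mgmt_address, mgmt_netmask):
    """True if the host's own Host-Only adapter address shares eth1's subnet,
    i.e. a browser on the host can open https://<mgmt_address>/."""
    net = ipaddress.IPv4Interface(f"{mgmt_address}/{mgmt_netmask}").network
    return ipaddress.IPv4Address(host_only_ip) in net


# Values for the article's setup; 192.168.59.1 for the host adapter is assumed.
NAT_ETH0 = {"address": "10.0.2.15", "netmask": "255.255.255.0",
            "gateway": "10.0.2.2", "dns": ["10.0.2.3"]}
MGMT_ETH1 = {"address": "192.168.59.113", "netmask": "255.255.255.0"}

if __name__ == "__main__":
    print(build_interfaces(NAT_ETH0, MGMT_ETH1))
    print("management reachable from host:",
          check_management_reachable("192.168.59.1", **MGMT_ETH1))
```

Run it and compare the eth0 stanza with what you typed into /etc/network/interfaces; the eth1 stanza shows what the Setup Management Network menu writes for you. If check_management_reachable returns False, the VirtualBox Host-Only adapter on your workstation is on a different subnet from the one you gave eth1, which is the usual reason the web interface "does not load" after this step.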
- You can now access your AV in a browser via https://192.168.59.113/
- If you receive browser warnings about an insecure connection, click Advanced, add a permanent security exception, and proceed to the IP address you entered.
Create an admin account on the Welcome page by filling in all the fields. Click Start Using AlienVault. This takes you to login screen as shown below.
Log in to your AlienVault SIEM and begin your Initial Setup. Once you are done with the initial setup, you should see the main dashboard of the OSSIM server.
In our next article, we will be covering how to import assets into the OSSIM server. Stay connected for more tutorials on AV OSSIM.