tech_documents:security:ossim_install

  • Download OSSIM ISO from Alienvault
  • Create a virtual guest (or use a physical host) with 2 NICs and 8GB or more RAM (12-16GB preferred for small locations) + 100GB or more of space.
  • Start the installer by booting from ISO/CD.
  • Set your non-management LAN as the default network and enter an IP address/gateway for it (the management network only has one routable subnet, whereas your other network can reach the other routable subnets, so it should carry the default route).
  • After the install, log in to the OS console and update the OS and the threat intelligence.
  • After the updates are complete, log in to the Web UI via https://management.lan.ip
  • Create the WebUI admin account
  • Login to WebUI and start Wizard
  • Setup your non-management Ethernet interface to “Log Collection and Scanning”, then set an IP and netmask.
  • Add assets by entering them manually if you want to use the agent; a scan will just give you a bunch of hosts. For your routers, switches and Linux hosts use syslog instead.
  • Create an account for OTX and enter the API key.
  • Once your syslog files are being sent to the OSSIM install, create an asset (or edit an existing one) and add the plugins that apply to it. For example, a pfSense box would use Vendor: OpenBSD and PF, then OpenBSD and OpenSSH as well. Untangle has an Untangle vendor with an NG Firewall entry. See the notes in the syslog doc about properly setting up a syslog server to send to OSSIM: Syslog-ng on CentOS7
  • Configure mail server relay for sending notifications.

Log in to the USM Appliance web UI, and then go to Configuration > Deployment.
Under AlienVault Components Information, click the System Details icon (system details) of the system you want to change.
On the next page, click General Configuration, located top-right above the System Status.
In the General Configuration form, select Yes for Mail Server Relay.
This expands the form to disclose new fields.
Type the Server IP, the username and password used for the mail server, and the port number in the respective fields.

Note: All USM Anywhere Sensors use the Syslog Server app to collect syslog event data for processing. The sensor passively listens on the syslog ports; by default it collects syslog over UDP on port 514, over TCP on port 601, and TLS-encrypted syslog over TCP on port 6514. On an OSSIM appliance, confirm which ports rsyslog is actually bound to (ss -lnup / ss -lntp) before pointing clients at it.
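An added example (not from the original page or from AlienVault) of the client side of the note above: a small POSIX sh script that generates an rsyslog forwarding drop-in for a Linux host, choosing the right default port for udp, tcp or tls, and installs it. The sensor address 10.10.10.5, the certificate name ossim.lab.lan, the CA path and the drop-in file name 90-ossim.conf are assumptions for the example; substitute your own.

```shell
#!/bin/sh
# Added example, not from the original page: generate and install an rsyslog
# forwarding drop-in on a Linux host so its logs reach the OSSIM sensor on the
# syslog ports listed in the note above (514/udp, 601/tcp, 6514/tcp+TLS).
# The sensor address 10.10.10.5, the hostname ossim.lab.lan used for the TLS
# certificate check, and the CA path below are assumptions for this example.
set -eu

OSSIM_TARGET="${OSSIM_TARGET:-10.10.10.5}"            # assumed sensor IP on its log-collection NIC
OSSIM_TLS_NAME="${OSSIM_TLS_NAME:-ossim.lab.lan}"     # assumed name in the sensor's TLS certificate
OSSIM_CA="${OSSIM_CA:-/etc/ssl/certs/ossim-ca.pem}"   # assumed CA that signed the sensor's certificate

# Print one rsyslog (RainerScript) omfwd action for a transport: udp, tcp or tls.
# TCP and TLS get a disk-assisted queue and unlimited retries so a sensor reboot
# does not silently drop events; UDP cannot detect loss at all, so it gets none.
ossim_forward_action() {
  target="$1"; transport="$2"; tls_name="${3:-}"
  case "$transport" in
    udp)
      printf 'action(type="omfwd" target="%s" port="514" protocol="udp")\n' "$target"
      ;;
    tcp)
      printf 'action(type="omfwd" target="%s" port="601" protocol="tcp" action.resumeRetryCount="-1" queue.type="linkedlist" queue.filename="ossim_tcp")\n' "$target"
      ;;
    tls)
      # x509/name verifies the sensor's certificate against the CA *and* pins its name,
      # so a rogue listener on the path cannot harvest the logs. "anon" would skip that.
      [ -n "$tls_name" ] || { echo "tls needs the sensor's certificate name" >&2; return 1; }
      printf 'action(type="omfwd" target="%s" port="6514" protocol="tcp" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="%s" action.resumeRetryCount="-1" queue.type="linkedlist" queue.filename="ossim_tls")\n' "$target" "$tls_name"
      ;;
    *)
      echo "unknown transport: $transport (use udp, tcp or tls)" >&2; return 1
      ;;
  esac
}

# Print the complete drop-in for /etc/rsyslog.d/. TLS additionally needs the
# gtls netstream driver (package rsyslog-gnutls on Debian/Ubuntu) and the CA file.
ossim_rsyslog_conf() {
  target="$1"; transport="$2"; tls_name="${3:-}"; ca_file="${4:-}"
  echo "# forward all local syslog to the OSSIM sensor over $transport"
  if [ "$transport" = tls ]; then
    printf 'global(DefaultNetstreamDriver="gtls" DefaultNetstreamDriverCAFile="%s")\n' "$ca_file"
  fi
  printf '*.* '
  ossim_forward_action "$target" "$transport" "$tls_name"
}

# Usage: sh ossim-rsyslog.sh install [udp|tcp|tls]   (run as root on the client)
if [ "${1:-}" = install ]; then
  transport="${2:-udp}"
  ossim_rsyslog_conf "$OSSIM_TARGET" "$transport" "$OSSIM_TLS_NAME" "$OSSIM_CA" \
    > /etc/rsyslog.d/90-ossim.conf
  rsyslogd -N1                       # syntax-check the merged config before restarting
  systemctl restart rsyslog
  # Send one tagged test line; it should appear in /var/log/syslog on the sensor
  # (and under the asset's plugin once one is assigned) within a few seconds.
  logger -t ossim-test "syslog forwarding test from $(hostname) via $transport"
fi
```

Prefer tls where the client supports it and tcp otherwise; only fall back to udp for devices that cannot do anything else, since a lost UDP datagram leaves no trace on either side.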

Note: If OSSIM is virtualized and you need the host to be able to shut down the guest, add the qemu-ga channel to the VM and install qemu-guest-agent inside it. You can also install the Zabbix agent if you want to monitor the OSSIM host (it starts without the systemd options that have to be configured on RHEL8/CentOS8).

Some things seem to hang on shutdown/update (the OpenVAS services and a dpkg run in particular); see https://success.alienvault.com/s/question/0D50Z000098iZGOSA2/system-update-will-not-proceed-without-killing-processroot-43869-43868-0-1323-pts1-000000-binbash-varlibdpkginfoalienvaultopenvas9fe. The workaround from that thread:

apt update
/etc/init.d/monit stop            # stop monit first, otherwise it restarts the services you are about to kill
killall -9 openvassd
killall -9 openvasmd
killall -9 redis-server
killall -9 dpkg                   # only if dpkg is the process the update is stuck on
rm -rf /var/lib/redis/*           # redis only holds the OpenVAS scan KB here; it is rebuilt on the next scan
dpkg --configure -a               # finish whatever the killed dpkg left half-configured, or apt refuses to continue
apt upgrade -y
/etc/init.d/monit start           # bring monit back so it supervises the AlienVault services again
  • Last modified: 2021/05/25 23:21
  • by jacob.hydeman