OSSIM - Base Documentation
OSSIM Configuration
Configuration Files
OSSIM uses several key configuration files that define how it collects, analyzes, and stores security information. These files are typically located in `/etc/ossim/`.
Key configuration files include:
- **/etc/ossim/ossim_setup.conf**: The main configuration file for the OSSIM setup. It contains paths, database credentials and other environment-specific settings. Because the database password is stored in it in clear text, the file must be owned by root and must not be readable by other users.
- **/etc/ossim/ossim_agent.conf**: Configuration for the agent that collects data from remote systems.
- **/etc/ossim/ossim_server.conf**: Configuration for the OSSIM server, where most of the analysis and correlation takes place.
Example of basic settings in `/etc/ossim/ossim_setup.conf`:

```
# Database settings
db_host=localhost
db_name=ossim
db_user=ossim_user
db_password=secretpassword

# Timezone configuration
timezone=UTC
```
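The two things a practitioner should check about that file are its permissions (it holds the database password) and whether the placeholder values were actually replaced. The following audit script is an added example written for this page, not code from OSSIM: it parses the key=value layout shown above and reports both problems. The key names `db_host`, `db_user`, `db_password` and `db_ssl_enabled` are the ones used in this page's examples, a real installation may name them differently, and `EXAMPLE_CONF` is a constructed sample used for a dry run.

```python
"""Audit an OSSIM setup file for unsafe permissions and placeholder credentials.

Added example, not part of OSSIM: it reads the key=value layout shown above
and flags the mistakes that matter most for a file that stores the database
password. The key names (db_host, db_user, db_password, db_ssl_enabled) are
taken from the examples on this page; a real installation may name them
differently. EXAMPLE_CONF is a constructed sample used for a dry run.
"""
import os
import stat
import sys

# Values that are clearly placeholders rather than real secrets.
PLACEHOLDER_PASSWORDS = {"", "secretpassword", "password", "ossim", "changeme"}

# Constructed sample, identical to the settings shown above.
EXAMPLE_CONF = """\
# Database settings
db_host=localhost
db_name=ossim
db_user=ossim_user
db_password=secretpassword

# Timezone configuration
timezone=UTC
"""


def parse_kv(text):
    """Parse key=value lines; '#' starts a comment and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit_settings(settings):
    """Return a list of findings about the database-related settings."""
    findings = []
    password = settings.get("db_password")
    if password is None:
        findings.append("db_password is missing")
    elif password.lower() in PLACEHOLDER_PASSWORDS or len(password) < 12:
        findings.append("db_password is a placeholder or shorter than 12 characters")
    if settings.get("db_user") == "root":
        findings.append("db_user is root; use an account limited to the ossim schema")
    remote = settings.get("db_host") not in (None, "localhost", "127.0.0.1")
    if remote and settings.get("db_ssl_enabled", "false").lower() != "true":
        findings.append("remote db_host without db_ssl_enabled=true; credentials cross the network in clear")
    return findings


def audit_mode(st_mode, st_uid):
    """Findings about ownership and permission bits of the config file.

    A file holding the database password should be owned by root and must
    not be readable by arbitrary users or writable by its group.
    """
    findings = []
    if st_uid != 0:
        findings.append("file is not owned by root")
    if st_mode & stat.S_IRWXO:
        findings.append("file is world-accessible (mode %o)" % stat.S_IMODE(st_mode))
    if st_mode & stat.S_IWGRP:
        findings.append("file is group-writable")
    return findings


def audit_file(path):
    """Audit a real file on disk: permissions first, then its contents."""
    st = os.stat(path)
    with open(path) as fh:
        settings = parse_kv(fh.read())
    return audit_mode(st.st_mode, st.st_uid) + audit_settings(settings)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        findings = audit_file(sys.argv[1])
    else:  # dry run on the constructed sample, treated as a 0644 root-owned file
        findings = audit_mode(0o100644, 0) + audit_settings(parse_kv(EXAMPLE_CONF))
    for item in findings:
        print("WARN:", item)
```

Run it as `python3 audit_ossim_conf.py /etc/ossim/ossim_setup.conf` on the OSSIM host; without an argument it audits the constructed sample, which fails on the placeholder password. The permission checks are deliberately separate from the content checks so the same logic can be pointed at the agent and server configuration files as well.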
Configuring OSSIM Server
OSSIM server configuration determines how logs are processed, stored, and how different components interact.
Example of configuring the OSSIM server to collect logs from different network segments:

```
# In the server.conf file
log_collector.enable=true
log_collector.port=514
log_collector.protocol=UDP
```

This enables the log collector on port 514, the standard syslog port, using UDP for transport. Note that UDP syslog is delivered unencrypted and without any sender authentication, so the collector should only be reachable from the hosts that are meant to send to it.
OSSIM Components
Sensor and Agent Deployment
OSSIM relies on sensors and agents to collect logs and security data. Agents can be deployed on various endpoints, while sensors gather and process network data.
- Configuring the OSSIM Agent:
The agent configuration file is `/etc/ossim/ossim_agent.conf`.
Example:
```
# Enabling the agent
agent_enabled=true
agent_name=example_agent
sensor_ip=192.168.1.100
```
This configuration connects the agent to a specific sensor for data collection.
Data Collection and Log Parsing
OSSIM uses various parsers for different types of logs:
- Syslog
- Snort IDS logs
- Firewall logs
- Application logs
The OSSIM server processes these logs, correlates them, and provides alerts based on predefined policies.
Example of parsing syslog messages:

```
syslog_parser.enabled=true
syslog_parser.source=udp://0.0.0.0:514
```

Binding to `0.0.0.0` makes the collector accept syslog from any address that can reach UDP port 514. Since UDP syslog carries no proof of who sent a datagram, any host on that network could inject forged events into the SIEM; restrict the allowed sources with firewall rules (or bind to the sensor-facing interface only) and treat the sender address recorded in an event as unverified.
Security Concepts
Role-Based Access Control (RBAC)
OSSIM supports role-based access control (RBAC), allowing administrators to define roles and restrict user access to specific data and functionality.
Example of configuring roles in OSSIM:
```
# In the user management section
role=admin
permissions=all
```
This gives the `admin` role full access to all features in OSSIM.
Securing Database Connections
All interactions with the OSSIM database must be secured to prevent unauthorized access. OSSIM uses MySQL, and connections should be encrypted using SSL/TLS.
Configuration for SSL/TLS in `/etc/ossim/ossim_setup.conf`:

```
db_ssl_enabled=true
db_ssl_cert_file=/etc/ssl/certs/ossim_server.crt
db_ssl_key_file=/etc/ssl/private/ossim_server.key
```

This encrypts the connection between the OSSIM server and the database. Client-side settings alone are not sufficient: the MySQL server must also be configured with its own certificate, key and CA (`ssl-cert`, `ssl-key` and `ssl-ca` under `[mysqld]`), and the client should verify the server certificate against that CA, otherwise the session can be intercepted by an active attacker on the path. On a live session, the MySQL status variable `Ssl_cipher` confirms the result; it is empty when the connection is not encrypted. The private key referenced by `db_ssl_key_file` must be readable only by the account the OSSIM server runs as.
Logging and Monitoring OSSIM Activity
OSSIM provides a robust logging system to track its own activities. Logs should be regularly reviewed to ensure the system is operating securely.
Logs are stored in `/var/log/ossim/`. Regularly check logs like `ossim-server.log` and `ossim-agent.log`.
Example of monitoring logs:
tail -f /var/log/ossim/ossim-server.log
This command allows real-time monitoring of the OSSIM server log.
Network Security Monitoring
Configuring Network Sensors
OSSIM includes network sensors for collecting network traffic data. These sensors can be placed at strategic points in the network to monitor traffic.
Example of configuring a network sensor:
```
sensor.enabled=true
sensor.ip=192.168.1.101
sensor.interface=eth0
```
This sets up a network sensor on `eth0` of the host with IP `192.168.1.101`.
Integrating Snort IDS
Snort is often used in OSSIM as an Intrusion Detection System (IDS) to detect malicious network traffic.
To integrate Snort with OSSIM, ensure that Snort logs are forwarded to the OSSIM server.
Example Snort configuration for OSSIM, using the syntax of Snort's `alert_syslog` output plugin (`output alert_syslog: [host=<hostname[:<port>],] <facility> <priority> <options>`):

```
output alert_syslog: host=localhost:514, LOG_AUTH LOG_ALERT
```

This emits Snort alerts as syslog messages with facility `auth` and severity `alert` (priority value 33), addressed to port 514 on the OSSIM server. On Linux builds of Snort 2.x the alerts are handed to the local syslog daemon through syslog(3) rather than sent over a UDP socket of Snort's own, so when Snort runs on a separate sensor the local rsyslog or syslog-ng must be configured to forward the `auth` facility to the OSSIM collector.
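What the collector on `udp://0.0.0.0:514` (Data Collection and Log Parsing) actually receives, and what the Snort integration above puts into those datagrams, is easiest to see in code. The following parser is an added example written for this page, not OSSIM's own collector or agent code: it applies a source allowlist (the mitigation for unauthenticated UDP syslog mentioned above), splits the RFC 3164 header into facility, severity, timestamp, host and tag, and extracts rule id, classification, priority and the 5-tuple from a Snort `alert_syslog` body. `ALLOWED_SOURCES` and the datagrams in `SAMPLES` are constructed for the example.

```python
"""Normalise syslog datagrams the way an OSSIM-style collector would.

Added example, not code from OSSIM: it shows what a collector bound to
udp://0.0.0.0:514 receives and why it needs a source allowlist (UDP syslog
carries no sender authentication), parses the RFC 3164 header (PRI,
timestamp, host, tag) and extracts the fields Snort writes into an
alert_syslog message. ALLOWED_SOURCES and SAMPLES are constructed.
"""
import ipaddress
import re

# Assumption: only sensors on this segment may send syslog to the collector.
ALLOWED_SOURCES = [ipaddress.ip_network("192.168.1.0/24")]

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host tag[pid]: message   (RFC 3164 / BSD syslog)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$", re.S)

# [gid:sid:rev] name [Classification: c] [Priority: p](:) {PROTO} src(:sport) -> dst(:dport)
SNORT = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<name>.+?) "
    r"\[Classification: (?P<classification>[^\]]*)\] \[Priority: (?P<priority>\d+)\]:? "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")


def source_allowed(addr):
    """True if the datagram's source IP lies inside an allow-listed network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOWED_SOURCES)


def parse_syslog(datagram):
    """Split a BSD syslog line into header fields; None if it is malformed."""
    m = RFC3164.match(datagram)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # facility 23, severity 7 is the highest legal PRI
        return None
    return {
        "facility": pri >> 3,
        "severity": SEVERITY[pri & 7],
        "timestamp": m["ts"],
        "host": m["host"],
        "tag": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "msg": m["msg"],
    }


def parse_snort(msg):
    """Extract rule id, name, classification and 5-tuple from a Snort alert body."""
    m = SNORT.match(msg)
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "priority"):
        alert[key] = int(alert[key])
    for key in ("sport", "dport"):  # absent for ICMP
        alert[key] = int(alert[key]) if alert[key] else None
    return alert


def handle_datagram(src_addr, datagram):
    """Return (event, None) for an accepted datagram or (None, reason) if rejected."""
    if not source_allowed(src_addr):
        return None, "source %s not in allowlist" % src_addr
    event = parse_syslog(datagram)
    if event is None:
        return None, "malformed syslog line"
    event["collector_src"] = src_addr  # network-level sender, distinct from the header host
    if event["tag"] == "snort":
        alert = parse_snort(event["msg"])
        event["plugin"] = "snort" if alert else "snort-unparsed"
        if alert:
            event["alert"] = alert
    else:
        event["plugin"] = "syslog"
    return event, None


# Constructed samples: (sender IP, raw datagram). PRI 33 = auth.alert, 38 = auth.info.
SAMPLES = [
    ("192.168.1.101", "<33>Mar  3 10:15:02 sensor1 snort[2231]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:51234"),
    ("192.168.1.101", "<33>Mar  3 10:15:03 sensor1 snort[2231]: [1:408:8] ICMP Echo Reply [Classification: Misc activity] [Priority: 3]: {ICMP} 10.0.0.9 -> 10.0.0.5"),
    ("192.168.1.20", "<38>Mar  3 10:15:04 fw1 sshd[4410]: Failed password for root from 203.0.113.7 port 40122 ssh2"),
    ("10.9.9.9", "<38>Mar  3 10:15:05 fw1 sshd[4410]: Accepted password for root from 203.0.113.7 port 40123 ssh2"),
]

if __name__ == "__main__":
    for addr, line in SAMPLES:
        event, reason = handle_datagram(addr, line)
        if event is None:
            print("DROP (%s): %s" % (reason, line[:60]))
        else:
            print("%-15s %s %s" % (event["plugin"], event["host"], event["msg"][:60]))
```

The fourth sample is rejected before parsing because its sender is outside the allowlist, even though the message itself is well formed and claims to come from `fw1`; that is the point of keeping the network-level `collector_src` separate from the hostname in the header, since only the former is something the collector observed itself. The Snort pattern accepts both `[Priority: N]` and `[Priority: N]:` before the protocol, as both forms appear in Snort 2.x output, and it tolerates the missing port fields of ICMP alerts.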
Troubleshooting
Troubleshooting OSSIM Server Connectivity
If the OSSIM server is not collecting or correlating data as expected, verify the following:
- The agent or sensor is configured correctly and reachable.
- The server has sufficient system resources (e.g., CPU, RAM).
- The firewall is not blocking the necessary ports (e.g., UDP 514 for syslog, and TCP 3306 for MySQL if the database runs on a separate host).
Check for server status with:
systemctl status ossim-server
This shows whether the server is running correctly.
Agent Not Sending Data
If an agent is not sending data to the OSSIM server, verify:
- The agent is properly configured to point to the correct sensor.
- The network connection is stable.
- The agent has read access to the log files it is configured to collect, and is permitted to reach the sensor over the network.
Check agent status:
systemctl status ossim-agent
- Common Errors:
- Incorrect sensor IP address or port.
- Network issues or firewall blocking communication.
High CPU Usage or Slow Performance
High CPU usage can be caused by excessive log traffic, unoptimized configurations, or hardware limitations.
To monitor system performance:
top
Identify processes consuming high CPU and analyze log data volume.
Useful Links
- https://www.alienvault.com/products/ossim
- https://github.com/AlienVault-OSS/ossim
- https://www.cyberciti.biz/tips/how-to-check-ossim-server-status.html
- https://www.alienvault.com/blog/ossim-installation-guide
- https://www.youtube.com/channel/UCwDeTo54A5l1HFhdZCjPglw
