Main Ossim Functions

Tags: ossim, alienvault

By integrating open-source products, OSSIM provides a basic platform for security monitoring: Nagios, Ntop, Snort, nmap and other open-source tools are integrated to provide comprehensive protection functions without having to switch back and forth between systems. In addition, data storage is unified, so people get an all-in-one service; this is the benefit OSSIM brings us. After the OSSIM system is installed, you can open the main interface in a web browser. The following example uses OSSIM 3.x to explain the platform and see what practical functions it provides.

I. Installation

Installing OSSIM is no different from installing a general Linux distribution. When deploying in an enterprise environment, refer to the Ntop principles described in the previous section for hardware selection: we need an independent high-performance server with at least 8 GB of memory and multiple processors, and no less than 1 TB of hard disk space. In the partition options, select "Guided - use entire disk and set up LVM". When defining the partitions, do not select "All files in one partition"; instead choose the third option, which puts /home, /usr, /var and /tmp on separate partitions.

Due to space limitations, the remaining installation steps are not explained; installation generally takes about half an hour depending on the hardware configuration.

After the installation is complete, restart the machine and enter its IP address in a browser on the client. Here it is http://192.168.150.20/

Log on to the system for the first time with the user admin and password admin. The system then prompts you to change the password.

Because OSSIM is built on a tailored Debian Linux, there is no graphical interface. After configuring the network, we recommend upgrading the AlienVault system (which also upgrades the vulnerability library) on first login. The upgrade method is very simple:

# alienvault-update

The first upgrade downloads a fairly large amount of data, usually around 300 MB, so a good network connection helps. Note that the configuration of the whole system lives in /etc/ossim/ossim_setup.conf, which contains important information such as the logon IP address, host name, listening NIC name, MySQL name, SNMP settings, the categories of sensors started, and the monitored network segment.
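As an added example (not code from the original article or from the OSSIM project), the following script parses a constructed ossim_setup.conf-style file and sanity-checks the fields the text mentions; the key names admin_ip, hostname, interface, [sensor] networks, [database] pass and [snmp] community are assumptions about the file layout, not values taken from the page.

```python
import ipaddress
import re

# Constructed sample in the style of /etc/ossim/ossim_setup.conf: bare key=value
# lines precede the first [section]. Key names are assumptions, not real values.
SAMPLE_CONF = """\
admin_ip=192.168.150.20
hostname=ossim
interface=eth0
[database]
user=root
pass=example-db-secret
[sensor]
detectors=snort,ossim-agent
networks=192.168.150.0/24,10.10.0.0/16
[snmp]
community=public
"""


def parse_setup_conf(text):
    """Parse into {section: {key: value}}; pre-section keys go under ""."""
    conf, section = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1)
            conf.setdefault(section, {})
            continue
        key, _, value = line.partition("=")
        conf[section][key.strip()] = value.strip()
    return conf


def audit_setup_conf(conf):
    """Return findings an administrator should act on before going live."""
    findings = []
    nets = [ipaddress.ip_network(n.strip()) for n in
            conf.get("sensor", {}).get("networks", "").split(",") if n.strip()]
    admin_ip = ipaddress.ip_address(conf[""]["admin_ip"])
    if not any(admin_ip in net for net in nets):
        findings.append("admin_ip is outside every monitored network")
    if conf.get("snmp", {}).get("community") in ("public", "private"):
        findings.append("default SNMP community string in use")
    if conf.get("database", {}).get("pass"):
        findings.append("MySQL password is in clear text; keep the file root-only")
    return findings
```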

1. Localization

The Chinese language pack for OSSIM is /usr/share/local/zh_CN/LC_MESSAGES/ossim.po. Enter:

# msgfmt ossim.po -o ossim.mo

Because the Apache pages are encoded as UTF-8, to prevent garbled characters after each refresh you need to modify /etc/apache2/conf.d/charset:

Comment out the "AddDefaultCharset UTF-8" line.

Enable "AddDefaultCharset gb2312" and restart Apache.

# /etc/init.d/apache2 restart

II. Application

After logging in, we immediately see the event, log, and risk assessment graphics. If they are not displayed completely, your browser most likely lacks the Flash plug-in.

You can scan the network segment of the monitored server area to obtain basic host information.

Click Tools -> Net Discovery, select manual scan, and enter the CIDR address 192.168.150.0/24, meaning the IP addresses of this segment from 192.168.150.1 to 192.168.150.254. In Scan mode, select "Fast Scan"; if there are more than 5 machines, we recommend not selecting "Full Scan", since the scan time grows with the number of machines. After scanning, do not forget to confirm "Update database values" to update the database. This step only completes the task of collecting basic host information. Next we perform more detailed host analysis: host security information and event analysis and management.

3) Scan vulnerabilities on specified hosts

Select Analysis -> Vulnerabilities -> Scan Jobs -> Create a scan job, and enter the basic information for the CIDR block.

After entering the information, click "Configuration Check" to check and confirm the configuration. The scan results are extremely detailed; let's look at them later.

After the scan completes, an automatically generated pie chart shows the security level and open services of the current hosts. The High count (27, in deep red) indicates that high-risk hosts have serious vulnerabilities and need to be handled.

For details, see the Reports tab; the hosts in the red area need to be carefully checked and handled. If this is not enough, we will detail a vulnerability scanning case later.

If your leader needs to view the scan report, simply select the corresponding output type in Scan Jobs; by default the system supports output in Excel, PDF, HTML and other formats. A 143-page report was generated.

We can also customize reports under Reports -> Reports on the right.

Monitoring host status here is very easy. We select Assets -> Assets and add New.

Adding hosts and services becomes more intuitive here, and we can view the network topology more conveniently and display the information of each host.

Click Host Problem to list the details of the hosts on the network.

Select "Status Map" and choose Balanced tree in the Layout Method option. If there are too many hosts, the image becomes very dense; adjust the Scaling factor until the result is satisfactory.

It can show the application status of all hosts, or the running status of one host's applications over each time period. Green indicates normal; red indicates that a fault has occurred and must be handled.

OSSIM not only stores and processes the various information and data of the network hosts, but also displays their health status unambiguously: dozens of icons, including Disk, Network, Postfix, Processes, Sensors and System, record the various running states so that administrators can handle problems in a timely manner.

For building a distributed system, OSSIM can generate an intuitive topology and set parameters on each host.

You can customize your own topology.

III. Third-party monitoring tool integration

1. Integration with Cacti

Some people like Cacti's traffic monitoring and want to integrate it into OSSIM. In this case we need to modify the PHP code. First install and configure Cacti, then edit the file /usr/share/ossim/www/menu_options.php and add the following code at around line 1044.

// Add Cacti and Zabbix entries to the Monitors menu; each entry
// links the OSSIM web interface to the external tool's own URL.
$menu["Monitors"][] = array(
    "name" => gettext("Cacti"),
    "id"   => "Cacti",
    "url"  => "http://192.168.150.100/cacti",
);

$menu["Monitors"][] = array(
    "name" => gettext("Zabbix"),
    "id"   => "Zabbix",
    "url"  => "http://192.168.150.100/zabbix",
);


This article is from the "Li Chenguang Original Technology Blog"; please keep this source: http://chenguang.blog.51cto.com/350944/1347638
