OSSIM application introduction
After the article "Application of OSSIM in Enterprise Network Management" (http://chenguang.blog.51cto.com/350944/802007) was published, many colleagues showed great interest in OSSIM and wrote to ask how to use and deploy it. Over the coming posts I will summarize how to install and use this system.
1. OSSIM background
Network threats have evolved from traditional viruses to malicious attacks such as worms and denial of service. Today's attacks are increasingly complex: alongside traditional viruses there are Trojans, botnets, spyware, rogue software, online fraud, spam, worms, phishing and other serious threats to network security. A single attack is often a combination of virus, worm, Trojan, spyware and scanning techniques. Denial of Service (DoS) attacks have become one of the main methods used by attackers and worms: attackers use worms to build botnets, pool more attack sources, and launch large-scale denial-of-service attacks against a target. Attack tools are also becoming more advanced; for example, scanning tools can not only quickly find vulnerable systems on the network but also quickly implant attack programs into them.
The tension between the importance of network security management and the difficulty of performing it is therefore becoming more and more pronounced. Network security is a dynamic systems-engineering problem: only by extracting and analyzing useful information accurately and in real time from the massive volume of security-related data, and adjusting the policies of the various security subsystems in a timely manner, can the increasingly severe threats be dealt with.
In addition, the false positives and false negatives of security tools such as IDS are one of the reasons behind the idea of security integration. Take IDS as an example: intrusion detection solutions are in general either rule-based (predefined signatures) or anomaly-based, and sensitivity and reliability are the two indicators used to judge detection capability. Whichever approach is used, defence always lags behind attack, so missed detections and false alarms are unavoidable. Security integration combines several security tools to greatly improve detection capability, that is, both sensitivity and reliability. In short, we need to integrate the various network security subsystems, including firewalls, anti-virus systems, intrusion detection systems, vulnerability scanners and security audit systems. On the basis of shared information, a centralized monitoring and management platform lets each subsystem perform its own duty while working closely with the others, forming a unified, organic network defence system that jointly resists the growing security threats.
To sum up, the tools mentioned earlier, Nagios, Ntop, Cheops, OpenVAS, Snort and Nmap, are integrated to provide comprehensive security protection. Instead of switching back and forth between systems, with data stored in one place, people get an all-in-one service; that is the benefit of OSSIM, and the goal of this section is to show its main functions.
OSSIM integrates open-source products to provide a basic platform for security monitoring. It aims to provide a centralized, organized framework for better monitoring and display. OSSIM is clearly positioned as an integrated solution: its goal is not to develop new features but to use a wide range of powerful existing programs (Mrtg, Snort, Nmap, OpenVAS, Ntop and other open-source security software) and combine them in an open architecture that keeps their original functions. So far OSSIM supports up to 2395 plug-ins (http://www.alienvault.com/community/plugins). The core work of the OSSIM project is to integrate and correlate the information provided by the various products and to integrate their related functions, as shown in Figure 1. Thanks to the advantages of open-source projects, these tools have been tested over a long time and from all sides, which makes them more reliable.
Figure 1: Hierarchical structure of OSSIM functions (image: http://www.bkjia.com/uploads/allimg/131227/154G9D02-0.jpg)
2. OSSIM Process Analysis
The workflow of the OSSIM system is as follows:
1) The security plug-ins of the system (the detectors, i.e. Sensors) each perform their own task and raise an alarm when a problem is found.
2) The alarm information from every detector is collected centrally.
3) The alert records are parsed and stored in the event database (EDB).
4) Each event is given a priority based on the configured policy.
5) A risk assessment is performed on the event and a risk coefficient is calculated for each alarm.
6) Events with their priority set are sent to the correlation engine, which correlates them. Note: the correlation engine works on the alarm events reported by intrusion detection sensors such as intrusion detection systems and firewalls; it performs correlation analysis to determine intrusion behaviour and submits the results to the console.
7) After correlating one or more events, the correlation engine generates a new alarm record, assigns it a priority, performs a risk assessment, and stores it in the database.
8) The user monitor generates a real-time risk chart based on each event.
9) The latest correlated alarm records are shown in the control panel, and all event records are available in the underlying console.
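To make steps 2 to 7 concrete, here is a small Python model of the server-side pipeline: normalized events arrive, each gets a priority from a policy table, a risk value is computed, and a correlation directive turns a burst of related events into a new alarm that is itself prioritized and risk-assessed. This is an added example, not OSSIM's own code. The risk formula it uses, risk = asset value × priority × reliability / 25 (asset and priority on a 0-5 scale, reliability on 0-10, giving a risk of 0-10), is the one OSSIM's own documentation publishes and is not stated on this page; the policy table, asset table, directive and sample events are constructed for the example.

```python
"""Toy model of the OSSIM server pipeline (steps 2-7 above).

Added example, not OSSIM's code. Risk formula risk = asset * priority *
reliability / 25 follows OSSIM's published documentation (an assumption,
not from this article); POLICY, ASSETS, the directive and SAMPLE are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    plugin: str          # which sensor produced it, e.g. "snort" or "ssh"
    sid: int             # plugin-specific signature id
    src_ip: str
    dst_ip: str
    ts: int              # epoch seconds
    reliability: int     # 0-10: how trustworthy the detector is for this sid
    priority: int = 0    # 0-5, filled in by policy (step 4)
    risk: float = 0.0    # 0-10, filled in by risk assessment (step 5)


# Constructed policy: (plugin, sid) -> priority; unlisted sids get the plugin default.
POLICY = {("ssh", 1): 2, ("snort", 2003): 4}
DEFAULT_PRIORITY = {"ssh": 1, "snort": 3}
# Constructed asset table: destination host -> asset value 0-5.
ASSETS = {"10.0.0.5": 5, "10.0.0.9": 2}


def apply_policy(ev: Event) -> Event:
    """Step 4: assign a priority according to the configured policy."""
    ev.priority = POLICY.get((ev.plugin, ev.sid), DEFAULT_PRIORITY.get(ev.plugin, 1))
    return ev


def assess_risk(ev: Event) -> Event:
    """Step 5: risk = asset * priority * reliability / 25 (assumed OSSIM formula)."""
    asset = ASSETS.get(ev.dst_ip, 1)
    ev.risk = round(asset * ev.priority * ev.reliability / 25, 2)
    return ev


class Correlator:
    """Steps 6-7, one constructed directive: `count` events with the same
    (plugin, sid, src_ip) inside `window` seconds produce a new alarm whose
    reliability grows with the number of matching events (capped at 10)."""

    def __init__(self, plugin, sid, count, window):
        self.plugin, self.sid, self.count, self.window = plugin, sid, count, window
        self._seen = defaultdict(list)   # src_ip -> timestamps inside the window
        self.alarms = []

    def feed(self, ev: Event):
        if (ev.plugin, ev.sid) != (self.plugin, self.sid):
            return None
        bucket = self._seen[ev.src_ip]
        bucket.append(ev.ts)
        # keep only timestamps that are still inside the sliding window
        self._seen[ev.src_ip] = bucket = [t for t in bucket if ev.ts - t <= self.window]
        if len(bucket) < self.count:
            return None
        alarm = Event(plugin="directive", sid=1, src_ip=ev.src_ip, dst_ip=ev.dst_ip,
                      ts=ev.ts, reliability=min(10, 2 * len(bucket)))
        alarm.priority = 5            # a correlated alarm gets top priority
        assess_risk(alarm)            # and its own risk assessment (step 7)
        self.alarms.append(alarm)
        self._seen[ev.src_ip] = []    # alarm once per burst
        return alarm


def run_pipeline(events):
    """Returns the event store (stand-in for the EDB) and the correlated alarms."""
    corr = Correlator(plugin="ssh", sid=1, count=3, window=60)
    edb = []
    for ev in events:
        edb.append(assess_risk(apply_policy(ev)))
        alarm = corr.feed(ev)
        if alarm:
            edb.append(alarm)
    return edb, corr.alarms


# Constructed input: three SSH failures from one source within 30 seconds
# against a high-value host, plus one unrelated Snort event.
SAMPLE = [
    Event("ssh", 1, "192.0.2.7", "10.0.0.5", 1000, reliability=3),
    Event("snort", 2003, "192.0.2.8", "10.0.0.9", 1005, reliability=4),
    Event("ssh", 1, "192.0.2.7", "10.0.0.5", 1010, reliability=3),
    Event("ssh", 1, "192.0.2.7", "10.0.0.5", 1030, reliability=3),
]

if __name__ == "__main__":
    edb, alarms = run_pipeline(SAMPLE)
    for e in edb:
        print(f"{e.plugin:>9} sid={e.sid} {e.src_ip}->{e.dst_ip} "
              f"prio={e.priority} rel={e.reliability} risk={e.risk}")
```

Each single SSH failure scores a low risk (1.2) because its reliability is only 3, but the directive fires on the third one and the resulting alarm, with priority 5 and reliability 6 against an asset valued 5, scores 6.0; that is the effect the article describes when it says the correlated alarm is re-prioritized and re-assessed.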
Figure: OSSIM workflow (image: http://www.bkjia.com/uploads/allimg/131227/154G924I-1.jpg)
The OSSIM security information integrated management system (Figure 2) consists of security plug-ins (Plugins), the Agent process (Agent), Sensors, the correlation engine (Server), the data warehouse (Database) and the Web Framework.
Figure 2: Logical structure of the information security integrated management system (image: http://www.bkjia.com/uploads/allimg/131227/154G93L8-2.jpg)
1) Security plug-ins
Security plug-ins are the various security products and facilities, such as firewalls and IDS. The open-source security tools under Linux introduced here include Arpwatch, P0f, Snort, Nessus, Spade, Tcptrack, Ntop, Nagios, Osiris and so on. Each plug-in addresses one aspect of network security. In general they fall into two camps, Detectors and Monitors, and they are integrated for the purpose of security integration, as shown in Figure 3.
Figure 3: Security plug-ins (image: http://www.bkjia.com/uploads/allimg/131227/154G95632-3.jpg)
2) Agent process
The Agent process runs on one or more hosts, collects related information such as alarm logs from the various security devices and tools, converts all kinds of information into a unified format, and then passes the data to the Server.
The main function of the Agent is to receive, or actively capture, the file-based logs sent or generated by the plug-ins, preprocess them, and send them to the OSSIM Server in order. Its logic is quite complex, because it has to allow for network interruption, congestion and packet loss between the Agent and the Server, and for the possibility that the Server cannot receive or has even crashed, while still making sure that no log is lost or skipped. Because of this, OSSIM log processing cannot in most cases be done in real time: logs are usually cached on the Agent side for a period of time before being sent to the Server. The Agent actively opens two connections to communicate with the outside world and transfer data: one to port 40001 on the Server, and one to port 3306 on the database.
3) Sensor
A sensor is often thought of as a program, but it is not a specific program; it is a logical unit. In OSSIM, the combination of an Agent and the plug-ins that monitor network behaviour is called a Sensor. The Sensor provides the following functions:
- Intrusion detection (Snort)
- Vulnerability scanning (OpenVAS)
- Behaviour monitoring (Spade, P0f, Pads, Arpwatch, RRD AB)
- Network traffic monitoring and analysis (Ntop)
- Collection of logs from local routers, firewalls, IDS and other hardware devices
In a specific deployment, the functions above can run on one server or be spread across several servers.
4) Correlation engine
The correlation engine is the core of the OSSIM security integrated management system. It supports distributed operation, correlates the events sent by Agents, and evaluates the risk to network assets.
5) Data warehouse
The data warehouse (Database) is written to by the Server. In addition, system users such as the security administrator can read and write the database through the Framework Web console. The data warehouse is the source of information for system event analysis and policy adjustment; it is generally divided into the event database (EDB), the knowledge database (KDB) and the user database (UDB). The default MySQL listening port used by OSSIM is 3306. The database bears the heaviest load in the system, because it not only stores data but also analyzes and sorts it; as a result, real-time performance is weak, which is also the biggest defect of the OSSIM architecture.
6) Web Framework
The Web Framework console provides the Web pages through which the user (the security administrator) controls the running of the system, for example by setting policies. It is the front end of the entire system and implements B/S (browser/server) interaction between users and the system. The Framework has two parts: the Frontend is the system's Web pages, which provide the user terminal; Frameworkd is a daemon bound to the OSSIM knowledge base and event database, listening on port 40003, which connects the user commands received by the Frontend to the other system components and draws the Web charts shown on the front end.
The next article explains how to deploy the OSSIM system: http://chenguang.blog.51cto.com/350944/1333522
This article is from the "Li Chenguang Original Technology Blog"; please keep this source when reposting: http://chenguang.blog.51cto.com/350944/1332329