I want to install and configure the OSSIM SIEM at work, but I have had a lot of problems with the configuration and the networking part, actually.
I would really like your help on this if someone has some experience with this tool here. I think ITPro.tv has, since they show it on their shows :-)
My problem is with the configuration of the network interface and both the automatic and manual deployment.
All of the tutorials I could find on the web don't really explain what IP addresses and subnets one must use, nor do they explain in great detail how to deploy an agent.
Assuming my computer has the IP 192.168.1.10, the subnet mask 255.255.255.0, and gateway 192.168.1.1, how would you answer the following questions?
1. How many network adapters should I enable in VirtualBox? Is it enough to just have one adapter for both the OSSIM management interface and the network interface? Or do you need to use two separate VirtualBox adapters?
2. If you use only one adapter, what type of adapter do you choose? Bridged, NAT, NAT Network, Host-only or Internal?
   2.1. Once you have selected a certain type of adapter, what IP address, subnet mask, gateway and DNS do you choose when configuring it in OSSIM?
3. If you use two adapters, what type of adapter do you choose for the Management Interface and what type of adapter do you choose for the Network Interface? Bridged, NAT, NAT Network, Host-only or Internal?
   3.1. What IP address, subnet mask, gateway address, and DNS do you choose for the Management Interface?
   3.2. What IP address, subnet mask, gateway address, and DNS do you choose for the Network Interface?
4. Once you have configured all of this and logged in to the management interface in your browser, how do you configure your network interfaces?
   4.1. Do you choose Network monitoring or log collection scanning for your network interface card? What is the difference between the two? Take a look at the right side of this screenshot to see what I'm talking about.
5. At last, how do you deploy an agent?
   5.1. When I tried to deploy automatically via the network, I changed the settings of the Windows 10 machine I wanted to deploy the agent on as described here under "To change settings on Windows 8 and 10". Not only did it not work, but it also broke the network shares on this computer. When I tried accessing the shares on this computer, Windows showed a warning saying "You cannot access these shares because they use SMB1, an insecure version of the protocol.". Why the hell did those changes switch the shares back to using SMB1? I had to restore Windows from a recovery point, because undoing the changes I had just made and rebooting did not solve the issue. Anyway, once I had made the changes described on AlienVault's website, I launched the agent deployment, but I got an error about some "Job ID not found...". I don't understand what it means.
   5.2. How do you deploy an agent manually? When I ran the ossec executable on the target computer, it did not work either. I looked at the HIDS manager on the computer, the server key was not there, and if I tried to paste the key myself, it said that there was an IP error. I guess it couldn't find the server. Any advice on that as well would be greatly appreciated.
Does anyone have a complete, detailed manual on how to set this up?