Can't get AlienVault OSSIM working at work.

---

Hi everyone,

I want to install and configure the OSSIM SIEM at work, but I have had a lot of problem with the configuration and the networking part actually.
I would really like your help on this if someone has some experience with this tool here. I think ITPro.tv has, since they show it on their shows :-)

My problem is with the configuration of the network interface and both the automatic and manual deployment.
All of the tutorials I could find on the web don't really explain what IP addresses and subnets one must use, nor do they explain in great detail how to deploy an agent.

Assuming my computer has the IP 192.168.1.10, the subnet mask 255.255.255.0, and gateway 192.168.1.1, how would you answer the following questions?

1. How many network adapters should I enable in VirtualBox? Is it enough to just have one adapter for both the OSSIM management interface and the network interface? Or do you need to use two separates Virtualbox adapters?
2. If you use only one adapter, what type of adapter do you choose? Bridged, NAT, NAT Network, Host-only or Internal?
   2.1. Once you selected a certain type of adapter, what IP address, subnet mask, gateway and dns do you choose when configuring it in OSSIM?
3. If you use two adapters, what type of adapter do you choose for the Management Interface and what type of adapter do you choose for the Network Interface? Bridged, NAT, NAT Network, Host-only or Internal?
   3.1. What IP Address, subnet mask, gateway address, and DNS do you choose for the Management Interface?
   3.2. What IP Address, subnet mask, gateway address, and DNS do you choose for the Network Interface?
4. Once you configured all of this and logged it to the management interface in your browser, how do you configure your network interfaces?
   4.1. Do you choose Network monitoring or log collection scanning for your network interface card? What is the difference between the two? Take a look at the right side of this screenshot to see what I'm talking about.
5. At last, how do you deploy an agent?
   5.1. When I tried to deploy automatically via the network, I change the settings of the Windows 10 machine I wanted to deploy the agent on as described here under "To change settings on Windows 8 and 10". Not only did it not work, but it also broke the network shares on this computer. When I tried accessing the shares on this computer, Windows showed a warning saying "You cannot access these shares because they use SMB1, an insecure version of the protocol.". Why the hell did those changes switched the shares back to using SMB1? I had to restore Windows from a recovery point, because undoing the changes I had just made and rebooting did not solve the issue. Anyway, once I had made the changes described on AlienVault's website, I launched the agent deployment, but I got an error about some "Job ID not found...". I don't understand what it means.
   5.2. How to deploy an agent manually? When I ran the ossec executable on the target computer, it did not work either. I looked at the HIDS manager on the computer, the server key was not there, and if I tried to paste the key myself, it said that there was an IP error. I guess it couldn't find the server. Any advice on that as well would be greatly appreciated.

Does anyone have a complete, detailed manual on how to set this up?

Hey @Thomas-Pondant,

I hope I can help address at least some of your problems. When it comes to setting the IP address(es) for OSSIM it seems like it should be straight forward, but it can get tricky.

When you're installing, you get prompted for the IP/Netmask for the Management Interface. This is going to be the network interface you use to access the web administration portal. This will be a static address in CIDR notation. So if the network you are wanting OSSIM to manage is 172.16.32.0 with a netmask of 255.255.255.0 you will need a free IP address from that range, let's say 172.16.32.200, and enter that as 172.16.32.200/24

Also, make sure that you're giving the OSSIM host PLENTY of RAM, otherwise it will be so slow as to seem unresponsive. Not sure if you're having that issue, but I did so I figured I'd mention it here.

Now, after your installation is complete and you login for the first time you will have the opportunity to configure network interfaces from

System Preferences > Configure Network > Setup Network Interface

This leads us to your first question of how many network adapters should you enable. You need one for the Management interface and another to perform other activities like alert gathering, netflow, packet capture, etc. The adapter used for the Management interface is dedicated and doesn't do anything else (AFAIK).

As to the type of adapter, I'm pretty sure it can be of any type as long as it can connect to the network that you wish to deploy OSSIM. Also, these will need to be static IPs.

A helpful tip when attempting to configure an adapter other than the Management interface. When you're in OSSIM and are trying to set the IP and Netmask for that interface, you may run into a confusing situation where you get an error about an incorrect IP, or that the entered IP isn't formatted correctly, or requires the Netmask. This is due to a bug in the menu system, and it was a real joy to read a bunch of forums to discover how to get around it.

What you need to do is, when it asks you to enter an IP for the interface, leave it blank. Then you will be able to go to the next screen where it asks you to enter the Netmask. Enter the proper Netmask and finish the configuration. Then go back and configure that same interface again at which time you'll be able to enter the IP and move through the menu without further issues.

Now that you have the interfaces configured, you can enter the web admin portal and set the interfaces to do what you want. You'll see that the Management interface can't be changed/is greyed out, but you can now assign what you want this secondary interface to do (Network Monitoring, Log Collection/Scanning, NotUsed).

The definitions are defined on that screen to the very right of the list of interfaces and drop-down menu, but basically they are asking you if you want to do a packet capture(Network Monitoring) which will be like a Wireshark/TCPDump session or port-mirroring in Cisco so that you can analyze the traffic on the network, or do you want to use that interface to do vulnerability scanning and/or log aggregation for analysis, aka traditional SIEM stuff.

As for you last question about deploying an agent, I haven't gotten that far down the rabbit-hole yet, but if I come across a solution I'll make sure to let you know.

Cheers,

Daniel Lowrie