Tutorial 3: First recommended steps after installation
Fri, 07 Dec 2007

This tutorial shows the first common steps you can take if you're new to ossim, have just finished the installation and don't know what to do next.
Asset definition: the quick way

Ok, first we should populate our asset database a bit. I'm pretty sure I know my home network/testing environment pretty well, but this could change on a larger scale network or in an unknown environment. The first thing I'll do is to ask the administrator (that is, myself) about the networks we've got and which of them are directly or indirectly seen by ossim. The answer is two networks.

Networks

So let's start by adding those networks with a default priority and rrd profile, without nessus scanning activated.

Networks are very important and you should define as many as you've got, even if ossim is not directly connected to them. This is because hosts defined in the DB or belonging to a defined network are treated differently, and more information is used for them (passive OS and service information is only saved for defined hosts and for hosts belonging to defined networks).

Network groups

Network groups are used to aggregate information in case you've got many networks. In my case it's ridiculous, but we've got customers with hundreds of networks who couldn't live without this feature :-) You can group by any criteria you want: division, building, network ranges, whatever.

In this case we're raising the threshold a bit, since aggregated networks are expected to raise more events than individual hosts or networks. 100 may be too low, but it's a matter of practice and experience and varies for each environment. Group information is especially useful for risk related panels, such as aggregated risk and riskmeter, and keeps those pages from growing too much. Individual networks will be highlighted if their compromise or attack gets over their threshold.
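To make the two points above concrete (only hosts inside a defined network keep their passive data, and networks and groups are highlighted when compromise or attack exceeds their threshold), here is a small model written as an added example; it is not ossim's own code. The network ranges, the per-network threshold of 30, the group threshold of 100 and the sample events are constructed to mirror the tutorial's two class C networks.

```python
"""Model of how defined networks and network groups are used in ossim.
Added example, not ossim code. Networks, thresholds and events are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Network:
    name: str
    cidr: str
    threshold: int = 30      # per-network compromise/attack threshold (constructed)
    priority: int = 2        # default priority, as in the tutorial's "quick way"


@dataclass
class NetworkGroup:
    name: str
    networks: list = field(default_factory=list)   # names of member networks
    threshold: int = 100     # raised, since a group aggregates several networks


def owning_network(ip, networks):
    """Return the defined Network that contains ip, or None if it is unknown.
    Passive OS/service data is only kept for hosts that resolve to a network here."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in ipaddress.ip_network(net.cidr):
            return net
    return None


def aggregate(events, networks, groups):
    """Sum compromise/attack per network, then per group, and report which
    ones exceed their threshold. events: (ip, compromise, attack) tuples."""
    per_net = {n.name: {"compromise": 0, "attack": 0} for n in networks}
    unknown = []
    for ip, compromise, attack in events:
        net = owning_network(ip, networks)
        if net is None:
            unknown.append(ip)       # no defined network: nothing is attributed
            continue
        per_net[net.name]["compromise"] += compromise
        per_net[net.name]["attack"] += attack
    flagged_nets = [n.name for n in networks
                    if max(per_net[n.name].values()) > n.threshold]
    per_group, flagged_groups = {}, []
    for g in groups:
        total = {"compromise": sum(per_net[n]["compromise"] for n in g.networks),
                 "attack": sum(per_net[n]["attack"] for n in g.networks)}
        per_group[g.name] = total
        if max(total.values()) > g.threshold:
            flagged_groups.append(g.name)
    return {"networks": per_net, "groups": per_group,
            "flagged_networks": flagged_nets, "flagged_groups": flagged_groups,
            "unknown_hosts": unknown}


# Constructed asset definitions mirroring the tutorial's two class C networks.
NETWORKS = [Network("private", "10.0.1.0/24"), Network("lan", "192.168.1.0/24")]
GROUPS = [NetworkGroup("home", ["private", "lan"])]
# Constructed sample events: (host, compromise, attack)
SAMPLE_EVENTS = [("10.0.1.3", 20, 25), ("192.168.1.33", 90, 10), ("8.8.8.8", 90, 90)]

if __name__ == "__main__":
    print(aggregate(SAMPLE_EVENTS, NETWORKS, GROUPS))
```

Note that neither network alone trips the group threshold, while the group does once both are summed, which is why the group threshold is set higher than the per-network one; and the event from 8.8.8.8 is attributed to nothing because no defined network contains it.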
Hint: if you click on the colored area of the risk graph you'll be redirected to the hosts involved in that risk peak. If you click on a host you'll be redirected to the event listing that created that risk situation.

Netscan

Next we would like to define a couple of hosts in order to personalize their asset information and to run reports and scans on them rather than on the entire network. Hosts can be inserted manually, as we'll see in the next point, but it's much easier to let ossim scan them using nmap and give them all some default data to be inventoried. Again my example is a bit short on hosts (only two), but think about a bunch of class C networks and the work you could save. So we go to Tools->Netscan, select our private network and voila.

Note: depending on the size of your network this may take a while, and a PHP timeout would make this page unusable. You might want to increase PHP's maximum data size and session expiration.

Hosts

Since I don't really want to wait for a scan on my other class C network, I'll insert those hosts manually, as seen on the next images. As an added benefit, you'll be able to see all the collected information about each host you define here.

Groups

Now we'll do our first nessus scan. Let's scan only the workstations, leaving the gateways untouched. We could enable them one by one, yes, but again that gets tiring for many hosts. The ideal solution is to create groups (you can create as many as you wish, and a host can be in several groups) so you can later apply separate scan types and schedules to them. Let's create a simple one, as said, with only the workstations (we'll use it later).

OCS Inventory

Having extended inventory information from your hosts is also useful. See the old tutorial on OCS for more information on how to set up OCS. Hint: execute the installer as part of your logon scripts on a domain; that way you'll get a lightning fast inventory of your whole network.

Nessus Scan

Using the group we created before, we'll check how vulnerable my workstations are.
Unf, 8. That's not much, but taking into account that each vulnerability can have a level ranging from 0 to 10, I should look at the reports by clicking on the host. Aaah, almost forgot it. Since my vulnerability_incident_threshold at Configuration->Main is set to "0", every vulnerability with level 0 or higher will create a new incident too, as we can see here.

Note: vulnerability incidents can handle false positives too. If you close one and tag it as a false positive, it won't be opened again on the next scan. But be warned: if you close it without tagging it, it will get opened again next time. That way you can happily close the incident when your sysadmin says he's patched the hole, knowing that if he has lied he'll have that incident on the table again next month :-)

Hint: you can check whether the scan is actually working by grepping for the nessus processes on the agent, since the information shown during the scan isn't very verbose.

Hint 2: the Nessus scan is distributed, that is, ossim tries to find the sensor associated with the target in order to scan from there.

    ossim:~# ps ax | grep nessus
     2536 ?        Ss     0:00 nessusd: waiting for incoming connections
     6600 ?        S      0:00 /usr/bin/nessus -c /usr/share/ossim/www/vulnmeter/tmp/.nessusrc -x -T nsr -q 10.0.1.50 1241 /usr/share/ossim/www/vulnmeter/tmp/sensors/10.0.1.50.targets.txt /usr/share/ossim/www/vulnmeter/tmp/sensors/10.0.1.50.temp_res.nsr
     6606 ?        Ss     0:03 nessusd: serving 10.0.1.50
     6614 ?        S      0:00 nessusd: testing 10.0.1.3
     6615 ?        S      0:00 nessusd: testing 192.168.1.33
     6618 ?        S      0:00 nessusd: testing 192.168.1.33 (/var/lib/nessus/plugins/nessus_tcp_scanner.nes)
     6619 ?        S      0:00 nessusd: testing 10.0.1.3 (/var/lib/nessus/plugins/nessus_tcp_scanner.nes)
     6625 pts/0    R+

Schedule scans

Finally, let's leave a scan scheduled to execute once a month.

Final words

That's all for today; it may shed a bit of light on some easy to use, basic features of ossim. If you followed these steps you can be pretty sure that you'll start getting more and more useful information out of the system. Check the monitors, reports and dashboards and you'll see how your asset information starts to affect all the indicators.

The next thing I'd recommend is checking out the tools at Tools->Downloads and installing ossec and ocs, in order to get even more information out of your network's hosts.
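Going back to the Nessus scan section: the incident behaviour described there (a vulnerability at or above vulnerability_incident_threshold opens an incident, a closed incident tagged as false positive stays closed, a closed but untagged one is reopened when the next scan finds the hole again) is easy to get wrong when you start closing tickets, so here it is as a small model. This is an added example written for this page, not ossim's own incident code; the plugin names, hosts and levels are constructed.

```python
"""Model of ossim's vulnerability-incident handling as described in the tutorial:
threshold, false-positive tagging and reopening. Added example, not ossim code."""

THRESHOLD = 0   # vulnerability_incident_threshold from Configuration->Main


def reconcile(incidents, scan_results, threshold=THRESHOLD):
    """Apply one scan's findings to the incident table (mutated in place).

    incidents:    dict keyed by (host, plugin) -> {"status", "false_positive", "level"}
    scan_results: list of (host, plugin, level) tuples from the scan
    Returns the list of (action, key) taken, in scan order.
    """
    actions = []
    for host, plugin, level in scan_results:
        if level < threshold:
            continue                         # below threshold: report only, no incident
        key = (host, plugin)
        inc = incidents.get(key)
        if inc is None:
            incidents[key] = {"status": "open", "false_positive": False, "level": level}
            actions.append(("open", key))
        elif inc["status"] == "closed" and inc["false_positive"]:
            actions.append(("ignore_false_positive", key))   # stays closed for good
        elif inc["status"] == "closed":
            inc["status"] = "open"           # closed without a tag: the hole is back
            inc["level"] = level
            actions.append(("reopen", key))
        else:
            actions.append(("still_open", key))
    return actions


def close(incidents, key, false_positive=False):
    """Close an incident, optionally tagging it as a false positive."""
    incidents[key]["status"] = "closed"
    incidents[key]["false_positive"] = false_positive


# Constructed scan results: (host, plugin, level). Plugin names are made up.
FIRST_SCAN = [("10.0.1.3", "ssh_old_version", 7),
              ("10.0.1.3", "banner_info", 0),
              ("192.168.1.33", "smb_signing", 3)]
SECOND_SCAN = list(FIRST_SCAN)   # next month: nothing was actually fixed


def run_demo():
    """First scan, the sysadmin closes two incidents, then the next scan runs."""
    incidents = {}
    first = reconcile(incidents, FIRST_SCAN)
    close(incidents, ("10.0.1.3", "banner_info"), false_positive=True)   # tagged
    close(incidents, ("192.168.1.33", "smb_signing"))                    # "patched", untagged
    second = reconcile(incidents, SECOND_SCAN)
    return first, second, incidents


if __name__ == "__main__":
    for action, key in run_demo()[1]:
        print(action, key)
```

With the threshold at 0 even the level-0 banner finding opens an incident, which is exactly why tagging it as a false positive matters: untagged, the smb_signing incident comes straight back on the second scan.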
posted at: 16:53 | path: /ossim/tutorials | 7 comments
* Posted by henri guillot at Wed Jan 9 21:35:19 2008
Excellent article !
This is like a ''how to'' manual or like a ''How to start'' manual. I am a new user of OSSIM, and after I installed it I had some problems using it, and the docs on the ossim web site are not very suitable, good. But your tutorial is very good and helped me a lot. Thanks, Henri G, CCNA, CCNP, MCPs, ITIL Chef des Services Informatiques du CSSSM Centre de Santé et de Services Sociaux de Manicouagan henri_guillot@ssss.gouv.qc.ca
* Posted by Brian Lavender at Wed May 21 20:18:12 2008
Great tutorial. Finally ran OCS inventory. It was too easy.
* Posted by DanMac at Tue Aug 12 16:19:34 2008
Totally agree with other comments - OSSIM is great but documentation seems lacking. Something like this is great - "how to set up OSSEC without shooting yourself in the foot" guide.
Thanks DK :)
* Posted by linzhang at Wed Oct 8 05:39:24 2008
I get an error when I use 'nessus scan'.
The error is: Previous scan aborted raising errors, please check your logfile. Error: Result file /usr/share/ossim/www/vulnmeter/tmp/20081007152200result.nsr not present after scan. What does it mean, what can I do? Thank you!
* Posted by Jonathan at Fri Nov 21 21:13:00 2008
Hi all,
I would like to scan my large 10.0.0.0/16 network. I get a PHP timeout. What is the way of scanning such a large network? Jonathan
* Posted by Umarzuki at Fri Nov 28 01:14:34 2008
In /etc/php5/apache2/php.ini, change the session.gc_maxlifetime value (in seconds) to a few hours.
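The PHP timeout note in the Netscan section and the comment above both come down to the same few php.ini directives. The script below raises them in a controlled way, as an added example that is neither part of the tutorial nor ossim's code. The path /etc/php5/apache2/php.ini is taken from the comment above; session.gc_maxlifetime, max_execution_time, memory_limit and post_max_size are standard PHP directives, but the values chosen here are assumptions to size for your own network, and "maximum data size" in the tutorial is read here as post_max_size plus memory_limit.

```python
"""Raise the PHP limits that make a long netscan time out. Added example, not
from the tutorial. The sample php.ini text is constructed; the directive
values are assumptions and should be sized for the network being scanned."""
import re
import shutil
import sys

# Directive -> value (assumed values; adjust for your environment).
NETSCAN_SETTINGS = {
    "max_execution_time": "3600",        # seconds a single request may run
    "memory_limit": "256M",              # room to hold a large scan result
    "post_max_size": "64M",              # the "max data size" the tutorial mentions
    "session.gc_maxlifetime": "14400",   # session expiry in seconds (4 hours)
}


def set_directive(text, name, value):
    """Return text with `name = value` set. The first existing line for the
    directive (active, or commented out with ';') is rewritten in place;
    if there is none, the directive is appended at the end."""
    pattern = re.compile(r"^[ \t]*;?[ \t]*" + re.escape(name) + r"[ \t]*=.*$", re.M)
    replacement = f"{name} = {value}"
    new_text, count = pattern.subn(replacement, text, count=1)
    if count == 0:
        if not new_text.endswith("\n"):
            new_text += "\n"
        new_text += replacement + "\n"
    return new_text


def apply_settings(text, settings=NETSCAN_SETTINGS):
    """Apply every directive in settings to the php.ini text."""
    for name, value in settings.items():
        text = set_directive(text, name, value)
    return text


def get_directive(text, name):
    """Read back the active (uncommented) value of a directive, or None."""
    m = re.search(r"^[ \t]*" + re.escape(name) + r"[ \t]*=[ \t]*(.*?)[ \t]*$", text, re.M)
    return m.group(1) if m else None


# Constructed excerpt of a stock php.ini (post_max_size commented out on purpose).
SAMPLE_INI = """[PHP]
max_execution_time = 30
memory_limit = 128M
;post_max_size = 8M
[Session]
session.gc_maxlifetime = 1440
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/php5/apache2/php.ini"
    shutil.copy(path, path + ".bak")            # keep a copy before editing
    with open(path) as f:
        updated = apply_settings(f.read())
    with open(path, "w") as f:
        f.write(updated)
    for name in NETSCAN_SETTINGS:
        print(name, "=", get_directive(updated, name))
```

Check which php.ini Apache really loads first (the "Loaded Configuration File" line of `php -i`, or phpinfo() from the web server) and restart Apache after editing; the script only rewrites the first matching line, so verify the result with get_directive or `php -i` rather than assuming it.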