Saturday, June 19, 2010


OSSIM is an open source security information management and correlation tool from a company called AlienVault (there's a pro version too). I installed on it on two boxes recently, one using the unattended install the other using the custom install. It's an incredibly easy app to install. You download an ISO from their web site and make an install CD, boot it up and give it some info (the unattended asks only for a few basic items like the network config info, a name for a box and a few details on how you want the app configured). The default unattended install sets up the server, sensor, and database all on one box. Once the app is installed and rebooted, you'll need to set up your monitoring interfaces (the custom install asks which ones to use) and you're off and running. If you want to use Nagios, you will need to configure that as well. You'll have over 30 apps all properly installed, with a nice dashboard to show your status at a glance, and then you can drill down to investigate events, check your network status, see what hosts are detected from the traffic and more. The box does passive vulnerability assessment using Nessus, runs Snort, arpwatch, P0F, Ntop, Osiris and many others.
I see this as being a great teaching tool for new analysts, as it will allow them to work with a lot of tools quickly without the learning curve of getting them all installed and configured properly and working together. The site for the open source version is here.

Thursday, June 17, 2010

Tune It Like a Fiddle

Whens the last time you did a comprehensive review of your IDS for further filtering? If you haven't done it in a while, you might be shocked at the false positive creep. New partner circuits get added, new app servers, maybe your company is using a a totally new app? Which brings up another point. Not only do you need to review what needs filtered, you may need to review what needs UNFILTERED as well. If your company wasn't using Citrix, for example, the last time you did a review, you may have all those signatures disabled to optimize the performance of your sensors and reduce overhead. If you work for a smaller company, and those decisions are left to your discretion, as opposed to a group that regularly reviews policy, you'll need to keep awareness of what platforms and apps your company uses on a regular basis. Doing regular ports scans should alert you to new services opened up, and using the OS scan switch can help determine if if there are new platforms you need signatures for.
And don't just do this for your external addresses. As they say, most networks are a Tootsie-Pop. Hard on the outside with a soft chewy center. If an attacker pops a perimeter box, he now has a pivot point to attack further in, depending on how in-depth your defenses and detectors are layered. That's why it's important not to put all your eggs in one basket with just perimeter sensors.
You need sensors in front of your most vital assets, like database servers, HR and payroll boxes and anything with confidential info stored on it. That way, if the attacker eludes your perimeter defenses, you have another opportunity to detect (and stop) her. HIDS, and log files are your last line of defense. All that good log data is worth anything unless you have a process in place to parse, and alert on it.
Review those signatures.. not only can you cut down a lot of white noise, you might find out you didn't know what you were missing.

Saturday, June 12, 2010

Honeynet Challenges

New Honeynet Challenges available at The June challenge is VOIP based, so if voice is your cup of tea (or honey), slide over and take a whack at it. These really are great for self-training to sharpen your skills and find out what you know (and more importantly, don't...)

Blog Archive