2025-01-19 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 06/01 Report
The main functions of OSSIM
By integrating open source products, OSSIM provides a basic platform on which security monitoring functions can be built. Nagios, Ntop, Snort, Nmap and other open source tools are integrated to provide comprehensive security protection without having to switch back and forth between separate systems, and without the trouble of unifying data storage across them: the user gets a one-stop service. This is the benefit OSSIM brings us. Once the OSSIM system is installed, we can open the main interface through the Web. In the following example we use OSSIM 3.x as the platform and look at the practical functions it provides.
I. Installation
Installing OSSIM is no different from installing an ordinary Linux distribution. When deploying in an enterprise environment, refer to the Ntop principles explained in the previous section. In terms of hardware, OSSIM needs a dedicated high-performance server (at least 8 GB of memory, multiple processors, and no less than 1 TB of disk space). Choose a custom installation, and in the partitioning options select "Guided - use entire disk and set up LVM". When defining the partitions, do not select "All files in one partition"; select the third option instead, which separates /home, /usr, /var and /tmp.
Due to space constraints, the rest of the installation process is not described here; installation usually takes about half an hour (depending mainly on the hardware configuration).
Restart the machine after installation, then enter the IP address of the machine in a browser on the client. In this example it is http://192.168.150.20/.
On the first login, enter the user admin with password admin; the system then prompts you to change the password.
Because OSSIM is built on a trimmed-down Debian Linux, there is no graphical interface. After configuring the network, it is recommended to log in and upgrade the system (alienvault) right away, which also upgrades the vulnerability database. The upgrade method is very simple:
# alienvault-update
The first upgrade downloads a relatively large amount of data, usually around 300 MB, so it needs a good network connection. Note that the configuration of the entire system is kept in /etc/ossim/ossim_setup.conf, which contains important information such as the login IP, hostname, listening network interface name, MySQL settings, SNMP settings, the categories of Sensors launched, the monitored network segments, and so on.
1. Chinese localization
For Chinese localization, the Chinese language pack of OSSIM is /usr/share/local/zh_CN/LC_MESSAGES/ossim.po. Compile it with:
# msgfmt ossim.po -o ossim.mo
Because the default character encoding of Apache pages is UTF-8, you need to modify /etc/apache2/conf.d/charset to prevent garbled display after each refresh:
comment out the AddDefaultCharset UTF-8 line,
then enable AddDefaultCharset gb2312, and finally restart Apache:
# /etc/init.d/apache2 restart
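The charset edit above can be done by hand with an editor, but doing it with a script makes the change repeatable and idempotent on every sensor you localize. The following POSIX sh example is added here and is not from the article: set_default_charset takes the path of the charset file and the wanted charset, comments out any active AddDefaultCharset line for a different charset, re-enables (or appends) the one for the wanted charset, and prints the directive that is now active. The make_sample_charset_conf helper and its contents are constructed for the demo; on a real OSSIM box you would point the function at /etc/apache2/conf.d/charset and then restart Apache as the article shows.

```shell
#!/bin/sh
# Added example (not from the original article): switch the Apache default
# charset the way the article describes, but idempotently and from a script.
#
# set_default_charset FILE CHARSET
#   - comments out every active "AddDefaultCharset <other>" line
#   - re-enables a commented "#AddDefaultCharset <CHARSET>" line if present,
#     otherwise appends "AddDefaultCharset <CHARSET>"
#   - prints the active AddDefaultCharset directive(s) afterwards
# Apache directive names are case-insensitive, so matching is case-insensitive too.
set_default_charset() {
    file=$1
    charset=$2
    [ -f "$file" ] || return 1
    tmp="$file.tmp.$$"
    awk -v cs="$charset" '
        {
            # strip leading whitespace and a leading "#" to classify the line
            line = $0
            sub(/^[ \t]*/, "", line)
            commented = (substr(line, 1, 1) == "#")
            if (commented) sub(/^#[ \t]*/, "", line)
            n = split(line, f)
            isdir = (n >= 2 && tolower(f[1]) == "adddefaultcharset")
        }
        # active directive for another charset: comment it out
        isdir && !commented && tolower(f[2]) != tolower(cs) { print "#" $0; next }
        # active directive already for the wanted charset: keep it
        isdir && !commented && tolower(f[2]) == tolower(cs) { found = 1; print; next }
        # commented-out directive for the wanted charset: re-enable it once
        isdir && commented && tolower(f[2]) == tolower(cs) && !found { found = 1; print line; next }
        { print }
        END { if (!found) print "AddDefaultCharset " cs }
    ' "$file" > "$tmp" && mv "$tmp" "$file" || return 1
    grep -i '^[[:space:]]*AddDefaultCharset' "$file"
}

# Constructed sample standing in for /etc/apache2/conf.d/charset (hypothetical content).
make_sample_charset_conf() {
    printf '%s\n' \
        '# Read the documentation before enabling AddDefaultCharset.' \
        'AddDefaultCharset UTF-8' \
        '#AddDefaultCharset gb2312' > "$1"
}

# Demo: run against a temporary copy so nothing on the system is touched.
demo_dir=$(mktemp -d)
make_sample_charset_conf "$demo_dir/charset"
set_default_charset "$demo_dir/charset" gb2312
echo "--- resulting file ---"
cat "$demo_dir/charset"
rm -rf "$demo_dir"
```

Running the script twice leaves the file unchanged the second time, which is what you want when the step is part of a provisioning routine; after the real edit you still restart Apache as in the article.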
II. Application
After logging in, the first things displayed are graphics of events, logs and risk assessments. If they are not fully displayed, it is very likely that your browser does not support the Flash plug-in.
You can scan the network segment where the monitoring server sits to obtain basic information about the hosts.
Click Tools -> Net Discovery, select manual scan, and enter the CIDR address. Here it is 192.168.150.0/24, meaning that the IP addresses of this segment run from 192.168.150.1 to 192.168.150.254. The scanning mode is generally "Fast Scan"; if there are more than 5 machines, it is recommended not to select "Full Scan". The scanning time depends on the number of machines. Don't forget to check "Update database values" so that the database is updated after the scan completes. This step only collects basic host information; what follows is more detailed host analysis: host security information and event analysis management.
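Before starting a discovery scan it is worth confirming exactly which addresses the CIDR you typed covers, so that the scan stays within the segment you own. The POSIX sh example below is added here and is not part of the article: cidr_hosts turns a CIDR block into its first host, last host and host count, reproducing the .1 to .254 range the article gives for 192.168.150.0/24 and generalizing to any prefix length (including /31 and /32, which have no separate network and broadcast addresses). It rejects malformed input instead of guessing.

```shell
#!/bin/sh
# Added example (not from the original article): compute the host range that a
# Net Discovery scan of a CIDR block will cover.
#   cidr_hosts CIDR -> prints "FIRST_HOST LAST_HOST HOST_COUNT", exit 0
#                      prints nothing and exits 1 on malformed input

# ip_to_int A.B.C.D -> unsigned 32-bit integer; exit 1 if not a valid dotted quad
ip_to_int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case $o in
            ''|*[!0-9]*|0[0-9]*) return 1 ;;   # empty, non-digit, or leading zero (octal)
        esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip INTEGER -> A.B.C.D
int_to_ip() {
    printf '%d.%d.%d.%d' \
        $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

cidr_hosts() {
    case $1 in
        */*) ;;
        *) return 1 ;;                       # no prefix length given
    esac
    ip=${1%/*}
    prefix=${1#*/}
    case $prefix in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    addr=$(ip_to_int "$ip") || return 1
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    fi
    net=$(( addr & mask ))                    # network address
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))   # broadcast address
    if [ "$prefix" -ge 31 ]; then
        # /31 (point-to-point) and /32: every address in the block is a host
        first=$net
        last=$bcast
    else
        # drop the network and broadcast addresses
        first=$(( net + 1 ))
        last=$(( bcast - 1 ))
    fi
    echo "$(int_to_ip "$first") $(int_to_ip "$last") $(( last - first + 1 ))"
}

# Demo with the segment used in the article.
cidr_hosts 192.168.150.0/24
```

For the article's segment this prints `192.168.150.1 192.168.150.254 254`; a typo such as a /16 where a /24 was meant shows up immediately as a 65534-host range, before the scanner touches anything.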
3) Perform vulnerability scanning on the specified host
Select Analysis -> Vulnerabilities -> Scan Jobs -> New Scan Task and fill in the basic information of the network segment, as shown in the figure above.
To make sure there are no errors after filling in, click "Configuration Check" to verify the configuration. The scan details are more thorough than you might imagine; we'll look at the results later.
The pie chart generated automatically after the scan is shown in the figure above; it shows the security level and the open services of the current hosts. The crimson area (High 27) indicates hosts with serious, high-risk vulnerabilities that need to be addressed.
The details are in the Reports tab, where the hosts in the red area need to be carefully checked and dealt with by engineers. If this is not enough, we will go through a vulnerability scanning case in detail later.
If your manager needs to view the scan report, just select the appropriate output type in Scan Jobs. By default the system supports output in Excel, PDF, HTML and other formats. The picture below shows the 143-page report generated.
We can also customize reports under Reports -> Reports on the right.
Monitoring the status of hosts becomes very easy here. Select Assets -> Assets, New to add a host.
Adding hosts and services here is more intuitive, and we can more easily view the network topology and the information of each host.
Click Host Problem to directly list the details of the current hosts in the network.
Select "Status Map" and choose Balanced tree under Layout Method. The result is shown below. If there are too many hosts, the image becomes very dense; adjust the Scaling factor until the result is satisfactory.
It shows the open applications of all hosts, and can also reflect the working condition of a given host's applications in each time period: green indicates normal, red indicates a fault that needs attention.
OSSIM can not only store and process all kinds of information and data about the network hosts, but also shows its own health status unambiguously: dozens of indicators under Disk, Network, Postfix, Processes, Sensors and System record the various running states so that administrators can act in time.
When building distributed systems, OSSIM can generate an intuitive topology diagram, and it is also very convenient to set parameters on each host.
The image above shows how the topology diagram can be customized to your liking.
III. Integration of third-party monitoring tools
1. Integration with Cacti
Some people like Cacti's traffic monitoring and want to integrate it into OSSIM, which requires modifying the PHP code. First install and configure Cacti, then edit the file /usr/share/ossim/www/menu_options.php (add the following code at around line 1044):
// Add Cacti and Zabbix entries to the Monitors menu; the URLs point at the
// server where those tools are installed (192.168.150.100 in this example).
$menu["Monitors"][] = array(
    "name" => gettext("Cacti"),
    "id"   => "Cacti",
    "url"  => "http://192.168.150.100/cacti",
);
$menu["Monitors"][] = array(
    "name" => gettext("Zabbix"),
    "id"   => "Zabbix",
    "url"  => "http://192.168.150.100/zabbix",
);
Next, I would like to share with you the use of OSSIM to manage IT assets (video): http://chenguang.blog.51cto.com/350944/1348894