Table of Contents
WELCOME ..... 2
AUDIENCE ..... 3
STEP 0: DOWNLOAD AND INSTALL ..... 3
PRE-INSTALL CHECKLIST ..... 3
PRE-DEPLOYMENT CONSIDERATIONS FOR VMWARE ESX 4.X ..... 3
HOW TO DEPLOY ALIENVAULT ..... 4
OPTION 1: HOW TO MANUALLY CONFIGURE THE MANAGEMENT INTERFACE ..... 5
OPTION 2: HOW TO CONFIGURE THE MANAGEMENT INTERFACE USING DHCP ..... 7
HOW TO COMPLETE YOUR ALIENVAULT INSTALLATION ..... 8
Optional: How to enter unique hostnames for your AlienVault devices ..... 11
HOW TO ACTIVATE ALIENVAULT ..... 12
STEP 1: CONFIGURE NETWORK INTERFACES ..... 13
HOW TO CONFIGURE NETWORK MONITORING ..... 15
HOW TO CONFIGURE LOG COLLECTION & SCANNING ..... 15
STEP 2: DISCOVER ASSETS IN YOUR NETWORK ..... 16
OPTION 1: HOW TO DISCOVER ASSETS USING A NETWORK SCAN ..... 17
1.1 How to Manually Add A New Network ..... 18
1.2 How to Add New Networks from a CSV ..... 19
OPTION 2: HOW TO ADD ASSETS MANUALLY ..... 19
OPTION 3: HOW TO IMPORT A CSV LIST OF ASSETS ..... 20
STEP 3: DEPLOY HOST-BASED INTRUSION DETECTION (HIDS) TO SERVERS ..... 20
HOW TO DEPLOY HIDS TO WINDOWS ..... 21
HOW TO DEPLOY HIDS TO UNIX/LINUX ..... 21
STEP 4: LOG MANAGEMENT ..... 21
HOW TO ENABLE PLUGINS TO GET DATA FROM YOUR DEVICES INTO ALIENVAULT ..... 21
Additional Log Management Considerations ..... 22
STEP 5: OTX COMMUNITY REGISTRATION ..... 22
HOW TO SIGN UP (USERNAME / PASSWORD) ..... 24
HOW TO SIGN UP (SOCIAL MEDIA AUTHENTICATION) ..... 25
HOW TO SIGN UP IF YOU HAVE AN EXISTING ACCOUNT ..... 26
CONGRATULATIONS! ..... 27
STEP 6: ENTER A COMMERCIAL LICENSE KEY (IN THE FREE TRIAL) ..... 28
OPTION 1: ACTIVATE A COMMERCIAL LICENSE ONCE THE TRIAL PERIOD HAS ENDED ..... 28
OPTION 2: ACTIVATE A COMMERCIAL LICENSE BEFORE THE TRIAL PERIOD HAS ENDED ..... 28
STEP 7: ANALYZING THE RESULTS IN ALIENVAULT ..... 30
INTRODUCTION TO THE ALARMS INTERFACE ..... 30
INTRODUCTION TO DASHBOARDS ..... 32
INTRODUCTION TO THE ASSETS INTERFACE ..... 33
INTRODUCTION TO THE VULNERABILITIES INTERFACE ..... 35
Welcome
Welcome! In this tutorial we are going to show you how to get started with the
AlienVault Virtual Appliance for OSSIM and USM. We will start with how to install
AlienVault and how to configure your network interfaces and network topology. You'll then
learn how to discover assets using AlienVault, how to deploy HIDS (host-based intrusion
detection system) to your servers, and how to configure log collection.
Audience
This information is intended for use by administrators who are responsible for
investigating and managing network security for their organization. To use this guide
you must have knowledge of your organization's network infrastructure and networking
technologies.
Pre-Install Checklist
Pre-Deployment Considerations for VMware ESX 4.x
1. Reinstall the ESX host on a different drive (e.g. a second RAID set or boot from
SAN) and leave the original disk for the VMFS volume. Choose your block size
when creating the second datastore.
2. Alternatively, install ESX 3.5, create the volume with the desired block size or reformat the volume with the intended block size, then upgrade to ESX 4.x. Be sure
to use the existing VMFS volume to store your console OS VMDK.
3. Create a second RAID set, forming a discrete device or volume, which can be
utilized with the intended block size, post installation.
4. Carve out a new LUN volume on the local controller to be utilized with the
intended block size post-installation.
You cannot create a second datastore (via another partition) on the same drive via the
ESX GUI. You must use the vmkfstools command. You may also need to create a
partition in the free space first with the fdisk command:

vmkfstools -C vmfs3 -b Xm -S local2mBS /vmfs/devices/disks/naa.xxxxxxxxxx:y

Here -C names the VMFS version to create (vmfs3 on ESX 4.x), X is the block size in
megabytes, local2mBS is the label given to the new volume, and y is the number of the
partition you created on the device.
How to Deploy AlienVault
Note: To avoid having to pre-allocate the full amount of disk space, select the
Thin Provision option for disk format. This will allocate the minimal footprint for
your image and will grow as you store logs.
2. Once you get to the Ready to Complete screen, check the box for Power on
after deployment and click Finish.
Note: The deployment process may take several minutes to complete. Please
wait for a success message before moving on.
Option 1: How to Manually Configure the Management Interface
1. Click on AlienVault USM Trial and open the console from the menu bar by
going to Inventory > Virtual Machine > Open Console.
2. Choose the Manual Configuration option (menu item 0).
3. Enter the assigned IP address for the device. Note: If you do not have this
information, contact your network administrator.
4. Enter a netmask. This will be used to get information about devices in your
environment.
5. Enter the address of your gateway (router) that serves as an access point to
external traffic.
6. Enter DNS Server name(s). This will be used to look up host names on the
network. Note: To add multiple DNS servers, use commas to separate each server
name.
Option 2: How to Configure the Management Interface Using DHCP
1. Click on AlienVault USM Trial and open the console from the menu bar by
going to Inventory > Virtual Machine > Open Console.
2. Choose the option for DHCP Configuration (menu item 1).
3. A message will appear showing the settings that will be applied for your DHCP
configuration. Click Yes to save the settings.
How to Complete Your AlienVault Installation
2. Log in using the credentials found in step 1 on the screen and change the root
password.
Note: the username is always root. On first use the password is randomly generated
and is intended for that first login only. You will be prompted to change your
password after this step.
3. Change the root password by clicking Yes and entering a new password. You will be
asked to enter your new password again to confirm the change.
4. Once the setup is complete, you will be given the URL to access the AlienVault
web UI. Click Enter and then exit the AlienVault setup.
5. If there is no internet connection, the following message will appear. Click Enter
to go to the setup main menu.
Note: If you are using a proxy, you must also configure it before registration. Follow
the instructions found here: https://alienvault.bloomfire.com/posts/527852
Optional: How to Enter Unique Hostnames for Your AlienVault Devices
3. Enter the desired hostname for your AlienVault device into the field. This device
name will appear in the AlienVault user interface.
How to Activate AlienVault
3. Fill out the Welcome form with your information and sign in to the AlienVault
web console using your username and password.
4. Run the Getting Started Wizard to perform initial configuration of AlienVault.
Step 1: Configure Network Interfaces
These interfaces will be used by AlienVault to monitor the network using the built-in IDS
capabilities, run asset scans, collect log data from your assets, run vulnerability scans,
generate netflows, etc. The options available for each interface include:
Management. This is the interface that is used to communicate with the
AlienVault virtual device and connect to the web UI. It is configured during
the initial console step and is presented in the Configure Network Interfaces
section of the wizard by default. It is likely tied to eth0, but may be different
depending on what the user configured on the console. You cannot configure
this in the wizard.
Network Monitoring. By setting a network interface to this option,
AlienVault puts the interface into passive listening mode, also referred to as
promiscuous mode. The interface listens to traffic as it passes on the
wire. To use this option the administrator needs to set up a
network tap or SPAN port so that the traffic flows to the network interface and can
be monitored for threats. AlienVault's built-in IDS capability uses this network
interface.
Log Collection & Scanning. This interface option is used to reach out to the
networks that the user wants to collect data from or scan using AlienVault's
built-in asset discovery, vulnerability assessment, and availability monitoring.
Setting up this interface requires the user to assign an IP address and network
mask to the interface so it can be used to communicate out and allow devices to
communicate in.
Not In Use. This is the default option for each of the interfaces (except the
Management interface) on this screen. It means that the network interface is
not configured and will therefore not be used.
How to Configure Log Collection & Scanning
1. Choose the network interface that will be used for log collection and scanning.
2. Select Log Collection & Scanning from the drop-down list.
A lightbox will pop up and ask for an IP Address and Netmask. This information
will be used to configure the network interface with a static IP address.
Once you enter the IP address and netmask you'll be placed back on the
Configure Network Interfaces screen. This screen will now show the IP
address you supplied as the IP address for the interface, indicating that
the interface configuration was successful.
3. Configure the other interfaces as needed for additional log collection and
scanning.
Note: In some situations the network that you want to monitor may not be reachable
from the IP address provided without adding a route to the routing table. This is an
extreme case and shouldn't happen often. If a route is required, you will need to
jailbreak the system using the AlienVault console and configure the route from the
command line.
Step 2: Discover Assets in Your Network
Option 1: How to Discover Assets Using a Network Scan
1. Choose one or more networks that you would like to scan. You should already
have one or more networks defined based on the network interfaces you
configured in Step 1. Note: If you would like to add more networks, see the
instructions on page 10.
2. Click the "Scan Now" button to initiate the scan. The confirmation screen will
then be displayed.
3. The confirmation screen will tell you how many assets may be scanned based on
the network defined. Click "Accept" to start the scan.
Note: Be aware that if you created a large network (e.g. 10.10.10.0/16) the scan
may take a long time. We suggest that you create smaller networks.
4. You can Stop the scan at any time by clicking the "Stop Scan" button. Note that
if you stop the scan while running, no asset data will be retained and you'll need
to run the scan again.
5. Once the scan is completed you will be asked if you want to schedule a recurring
scan so you can discover changes in the environment periodically. The default
option is to run a weekly scan. Click "OK" to accept and schedule the scan,
change the frequency using the drop-down, or select the no-scan option by clicking
the "x" on the scan period. Click "OK" to continue.
1.1 How to Manually Add a New Network
1. Enter the CIDR notation for the network that you want to define.
2. Enter a meaningful name to describe the network (e.g. DMZ, Employee
Office). This will be used in the next step.
3. Enter an optional description of the network.
4. Click the "+Add" button to add the network.
Note: If you make a mistake and define the network incorrectly, use the delete
option (trash can icon) to delete and re-enter the network.
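As an added example (not code from the AlienVault guide), the following Python check validates a list of network definitions in the same CIDR, name, description form the wizard and the CSV import use, and flags networks as large as the 10.10.10.0/16 case above before a scan is started; the MAX_HOSTS threshold and the sample rows are assumptions.

```python
"""Pre-scan check for AlienVault network definitions.

Added example, not code from the AlienVault guide. It reads the fields the
wizard asks for (CIDR, name, optional description) in CSV column order,
normalizes each CIDR as the guide's 10.10.10.0/16 example implies (host bits
ignored), and flags networks too large to scan quickly, suggesting /24 pieces.
MAX_HOSTS is an assumed threshold, not a product value.
"""
import csv
import io
import ipaddress

MAX_HOSTS = 1024  # assumed threshold: anything larger than a /22 is flagged

SAMPLE_CSV = """\
# cidr,name,description (constructed sample rows, not from the guide)
10.10.10.0/16,Campus,whole campus range from the guide's size warning
192.168.1.0/24,DMZ,public-facing servers
172.16.5.0/22,Employee Office
"""


def parse_networks(csv_text):
    """Return [(network, name, description)], raising ValueError on bad rows."""
    rows = []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or row[0].lstrip().startswith("#"):
            continue  # skip blank and comment lines
        # strict=False drops set host bits: 10.10.10.0/16 becomes 10.10.0.0/16
        net = ipaddress.ip_network(row[0].strip(), strict=False)
        name = row[1].strip() if len(row) > 1 else ""
        desc = row[2].strip() if len(row) > 2 else ""
        if not name:
            raise ValueError(f"{net}: a network name is required")
        rows.append((net, name, desc))
    return rows


def plan_scan(networks, max_hosts=MAX_HOSTS):
    """Return [(name, cidr, address_count, advice)] for each network; IPv4
    networks above max_hosts are told how many /24 blocks they span."""
    plan = []
    for net, name, _desc in networks:
        count = net.num_addresses
        if count <= max_hosts:
            advice = "ok"
        elif net.version == 4:
            pieces = 2 ** (24 - net.prefixlen)  # count > 1024 means prefix < 22
            advice = f"split into {pieces} /24 networks"
        else:
            advice = "scan only ranges that are in use"
        plan.append((name, str(net), count, advice))
    return plan


if __name__ == "__main__":
    for name, cidr, count, advice in plan_scan(parse_networks(SAMPLE_CSV)):
        print(f"{name:16} {cidr:20} {count:>7} addresses  {advice}")
```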
How to Enable Plugins to Get Data from Your Devices into AlienVault
1. For each asset, select the correct vendor, model, and version number that
corresponds to the data that you want to collect from that asset.
2. Click on the "Enable" button to enable the selected plugins. This will take you to
the Log Management Confirmation screen.
Note: For assets that don't have a plugin selected, you will not be able to collect
data from them, but you can configure plugins for them at a later date.
3. The confirmation page shows you each of the assets that a plugin will be enabled
for, and an indicator that tells you if the plugin is enabled, and if you are
receiving data for that asset. Click on the "Instructions to forward logs" to learn
how to configure your asset to send data.
4. Once done enabling plugins for the devices you want to collect data from, click
"Finish" to exit the wizard.
Note: You will not be able to finish the wizard until you are receiving data from at
least one asset.
Additional Log Management Considerations
Remember that firewall deny logs represent an action that has already been
taken. To get visibility into what is coming into the network, we recommend
collecting firewall permit logs too.
Collect OS audit logs to get visibility into who is accessing your assets; paying
special attention to privileged accounts is critical.
Step 5: OTX Community Registration
Enabling AlienVault OTX in your installation will allow you to automatically share
anonymous threat information with the OTX community. In return you will receive
crowd-sourced threat updates every 30 minutes. The image below shows a sample of
the type of data being sent from an AlienVault installation to OTX.
Once you have finished installing and configuring AlienVault (with OTX enabled), you will
be able to quickly see which alarms indicate malicious activity from a known bad actor
on the Alarms page. These alarms contain an orange bulls-eye icon next to the IP
address that has been identified in OTX as malicious. Clicking the bulls-eye icon will
open a new page with a threat analysis for that IP address including location, any
domains associated with that IP, a list of recorded threat activity, and more.
To enable OTX in your AlienVault installation, you must sign up for an AlienVault OTX
community account. You will then receive a token to link your installation to OTX.
Follow the instructions below:
How to Sign Up (Username / Password)
5. Click the Next button to continue. A Thank You page will appear to confirm
your OTX registration.
6. Click Finish to complete the Getting Started Wizard and start using AlienVault.
How to Sign Up (Social Media Authentication)
2. Choose one of the social media options on the left (Facebook, Twitter, or
Google+).
3. If you are not currently logged into that network, you will be prompted to sign-in
with your social media credentials.
4. An alert will appear to let you know what the app would like to do (e.g. view
your email address and view basic information about your account).
Note: AlienVault OTX will never post to your social media account on your behalf.
5. Click Accept. You will be prompted to complete your sign-up by choosing a
username and confirming your email address.
6. Click Sign Up. Your AlienVault Community account will be created. The
window will refresh and give you your new OTX Token.
7. Copy the OTX Token from the pop-up and paste it into the available field of the
Getting Started Wizard.
8. Click the Next button to continue. A Thank You page will appear to confirm
your OTX registration.
9. Click Finish to complete the Getting Started Wizard and start using AlienVault.
How to Sign Up if You Have an Existing Account
2. Sign in by entering your username and password or through one of the social
media authentication options.
3. Once you've logged in, you will see a screen with your unique Open Threat
Exchange token. Copy the token in the pop-up and then go back to the page with
the Getting Started Wizard.
4. Paste the token into the field marked Enter Token and click Next.
5. A Thank You page will appear to confirm your OTX registration. Click Finish to
complete the Getting Started Wizard and start using AlienVault.
Congratulations!
You are finished setting up AlienVault. You can click the See Alarms button to view any
alarms that have been generated in your installation or click Explore AlienVault USM
to go to the Dashboards screen.
Step 6: Enter a Commercial License Key (in the Free Trial)
Option 2: Activate a Commercial License before the Trial Period has Ended
1. To activate a commercial license before the end of the 30-day trial, open the
Environment Snapshot tray on the right tab.
2. In the notifications section, click on the link that says how many days are left in
your free trial. You will be directed to the following screen.
Step 7: Analyzing the Results in AlienVault
Introduction to the Alarms Interface
2. Click on a bubble to filter the results and show only attacks of that type during
that time period.
3. Scroll down to the list of alarms. If you see a bulls-eye next to some of the IP
addresses, this indicates that there is an entry for that address in the AlienVault
Open Threat Exchange (OTX) reputation database. Clicking on the bulls-eye will take you to
4. Click on a single alarm. The alarm will expand and give you a little more
information as seen below.
5. Click the View Details button to see more about this threat, including the
related events and/or IDS signatures related to the attack. You can also click on
an event in the list to see further detail as well as the raw log
that AlienVault collected.
Introduction to Dashboards
1. Go to the Dashboards > Overview page. You can review the pre-built dashboard
tabs and discover data about your environment, or you can create your own
dashboards through the Dashboard Wizard by clicking the pencil icon at the top
right of the dashboards.
Introduction to the Assets Interface
2. You can enter a particular hostname, IP, or even naming convention into the
search bar to filter the results.
3. To view more details about the asset, either click the button labeled Details, or
click the Details icon at the far right of the list entry. This will display more
information about the asset, including system properties, discovered
software/services, related log event/flow data, and the number of vulnerabilities
found.