Open Source Security Information Management (OSSIM)
Document updated: Wed, 13 Apr 2005 10:00:07 GMT
Authors: David Gil and Juan Manuel Lorenzo
0. Before installing OSSIM
1. ossim-mysql
2. ossim-server
3. ossim-agent
4. ossim-framework
5. ossim-utils
6. ossim-contrib
7. Post OSSIM installation
8. TODO
A. Plugins
0. Before installing OSSIM
If you already have Fedora Core 3 installed on your system you can skip this section, but please make sure you use the package versions provided in the OSSIM rpm repositories for Fedora Core 3: some of the utilities, such as ntop and pads, have been patched in order to work properly with OSSIM.
If Fedora Core 3 is not installed, or you want to reinstall it, you can download the DVD or the CD set from the Fedora Project download section.
To follow the installation guide you will have to install apt on your machine; this will make installing and updating easier. Download the rpm package from http://apt.freshrpms.net and install it with the following command:
# rpm -i apt*.rpm
Edit the file /etc/apt/sources.list to add the OSSIM repository; we also recommend using the freshrpms and DAG repositories:
[ -- /etc/apt/sources.list -- ]
# OSSIM rpm repository
rpm http://www.ossim.net/download/fedora fc3
# Freshrpms.net repository
rpm http://ayo.freshrpms.net fedora/linux/3/i386 core updates freshrpms
# DAG repository
rpm http://apt.sw.be fedora/3/en/i386 dag
Update the available package list with:
# apt-get update
Create a /etc/apt/preferences file like this:
[ -- /etc/apt/preferences -- ]
Package: *
Pin: release o=ossim
Pin-Priority: 995
This way apt assigns a higher priority to OSSIM packages and their dependencies. This is very important, because many of OSSIM's dependencies have been patched in order to work correctly with OSSIM.
1. ossim-mysql
Install the ossim-mysql package:
# apt-get install ossim-mysql
Start the MySQL daemon:
# /etc/init.d/mysqld start
Set a root password for your database:
# mysqladmin -u root password your_secret_password
Create the following databases:
# mysql -u root -p
mysql> create database ossim;
mysql> create database ossim_acl;
mysql> create database snort;
mysql> exit;
Then load the tables in the databases:
# cat /usr/share/ossim/db/create_mysql.sql \
      /usr/share/ossim/db/ossim_config.sql \
      /usr/share/ossim/db/ossim_data.sql \
      /usr/share/ossim/db/realsecure.sql | \
  mysql -u root ossim -p
# cat /usr/share/ossim/db/create_snort_tbls_mysql.sql \
      /usr/share/ossim/db/create_acid_tbls_mysql.sql \
  | mysql -u root snort -p
Start the MySQL server:
# /etc/init.d/mysqld start
Set MySQL to run at startup:
# chkconfig mysqld on
2. ossim-server
Install the ossim-server rpm using this command:
# apt-get install ossim-server
Edit /etc/ossim/server/config.xml to set your network properties and the database properties:
[ -- /etc/ossim/server/config.xml -- ]
..
<sensor name="here_goes_your_sensor_name" ip="sensor_ip" interface="eth0"/>
..
<datasource name="ossimDS" provider="MySQL"
    dsn="PORT=3306;USER=root;PASSWORD=yourpassword;DATABASE=ossim;HOST=localhost"/>
<datasource name="snortDS" provider="MySQL"
    dsn="PORT=3306;USER=root;PASSWORD=yourpassword;DATABASE=snort;HOST=localhost"/>
..
<notify emails="heregoes@youremail.com" alarm_risks="low" />
Start OSSIM server:
# ossim-server -d -c /etc/ossim/server/config.xml
Install the plugins you want to use with OSSIM (see appendix A).
3. ossim-agent
Install ossim-agent:
# apt-get install ossim-agent
Now it is time to update the sensor configuration. The file /etc/ossim/agent/config.xml must be edited by hand:
[ -- /etc/ossim/agent/config.xml -- ]
<!-- Replace 127.0.0.1 with your sensor IP -->
<!ENTITY sensor "127.0.0.1" >
<!-- Default network interface -->
<!ENTITY interface "eth0" >
<!-- Default OSSIM database connection (db:host:dbname:user:pass) -->
<!ENTITY ossim_db "mysql:localhost:ossim:root:yourossimdbpass" >
<!-- Replace localhost with your server IP -->
<!ENTITY serverip "localhost" >
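As an added example (not code from the guide or from the OSSIM project), a small Python check that parses the two credential formats shown above, the server's "KEY=value;..." dsn attribute and the agent's "db:host:dbname:user:pass" entity, and reports values left at the guide's placeholders. The sample XML is constructed from the server fragment in this guide; flagging the MySQL root account is this example's own least-privilege choice, since the guide itself connects as root.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the server config.xml fragment in the guide.
SAMPLE_SERVER_CONFIG = """<config>
  <sensor name="here_goes_your_sensor_name" ip="sensor_ip" interface="eth0"/>
  <datasource name="ossimDS" provider="MySQL"
    dsn="PORT=3306;USER=root;PASSWORD=yourpassword;DATABASE=ossim;HOST=localhost"/>
  <datasource name="snortDS" provider="MySQL"
    dsn="PORT=3306;USER=root;PASSWORD=yourpassword;DATABASE=snort;HOST=localhost"/>
</config>"""

REQUIRED_DSN_KEYS = {"PORT", "USER", "PASSWORD", "DATABASE", "HOST"}
PLACEHOLDERS = {"yourpassword", "yourossimdbpass", "sensor_ip", "here_goes_your_sensor_name"}

def parse_dsn(dsn):
    """Split the server's 'KEY=value;KEY=value' dsn string into a dict."""
    out = {}
    for item in dsn.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            out[key.strip().upper()] = value.strip()
    return out

def parse_agent_db(entity):
    """Split the agent's 'db:host:dbname:user:pass' entity into a dict."""
    fields = entity.split(":", 4)  # the password itself may contain ':'
    if len(fields) != 5:
        raise ValueError("expected db:host:dbname:user:pass, got %r" % entity)
    return dict(zip(("db", "host", "dbname", "user", "pass"), fields))

def check_server_config(xml_text):
    """Return warnings for placeholder values, incomplete dsn strings and
    (this example's own least-privilege rule) use of the MySQL root account."""
    warnings = []
    root = ET.fromstring(xml_text)
    for sensor in root.iter("sensor"):
        for attr in ("name", "ip"):
            if sensor.get(attr, "") in PLACEHOLDERS:
                warnings.append("sensor %s is still a placeholder" % attr)
    for ds in root.iter("datasource"):
        name = ds.get("name", "?")
        dsn = parse_dsn(ds.get("dsn", ""))
        missing = REQUIRED_DSN_KEYS - set(dsn)
        if missing:
            warnings.append("%s: dsn is missing %s" % (name, ",".join(sorted(missing))))
        if dsn.get("PASSWORD") in PLACEHOLDERS:
            warnings.append("%s: password is still a placeholder" % name)
        if dsn.get("USER") == "root":
            warnings.append("%s: connects as the MySQL root account" % name)
    return warnings
```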
Start OSSIM agent:
# ossim-agent -d -c /etc/ossim/agent/config.xml
4. ossim-framework
Install the phpgacl package:
# apt-get install phpgacl
Edit /usr/share/phpgacl/gacl.class.php:
[ -- /usr/share/phpgacl/gacl.class.php -- ]
..
var $_db_type = 'mysql';
..
var $_db_user = 'root';
..
var $_db_password = 'yourdbpassword';
..
var $_db_name = 'ossim_acl';
..
var $_db_table_prefix = '';
Now edit /usr/share/phpgacl/admin/gacl_admin.inc.php:
[ -- /usr/share/phpgacl/admin/gacl_admin.inc.php -- ]
..
'db_type' => 'mysql',
'db_host' => 'localhost',
'db_user' => 'root',
'db_password' => 'yourdbpassword',
'db_name' => 'ossim_acl',
Start httpd:
# /etc/init.d/httpd start
To run the httpd server at startup:
# chkconfig httpd on
Go to http://yourhost/phpgacl/setup.php to check if you have a correct configuration.
Create the phpgacl/admin/templates_c directory and make it writable by the user the web server runs as:
# mkdir /usr/share/phpgacl/admin/templates_c
# chown -R apache:apache /usr/share/phpgacl/admin/templates_c
Install ossim-framework and all its dependencies:
# apt-get install ossim-framework
Set the framework configuration by editing the file /etc/ossim/framework/ossim.conf:
[ -- /etc/ossim/framework/ossim.conf -- ]
..
ossim_pass=ossimdbpass
..
phpgacl_pass=phpgaclpass
Edit the file /var/www/acid/acid_conf.php:
[ -- /var/www/acid/acid_conf.php -- ]
..
$DBlib_path = "/var/www/adodb/";
..
$DBtype = "mysql";
..
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "root";
$alert_password = "yourpassword";
Edit /etc/php.ini to set the include_path, and also set which kinds of errors will be displayed:
[ -- /etc/php.ini -- ]
..
include_path = "/usr/share/ossim/include"
..
error_reporting = E_ALL & ~E_NOTICE
..
;error_reporting = E_ALL
Start ossim-framework:
# ossim-framework -d
Access the framework at http://yourhost/ossim/ and go to the configuration menu, Configuration->Main.
It is also recommended to activate the display of errors in php.ini, at least until everything is working fine. This helps to discover where errors come from. This can be done by editing the file /etc/php.ini:
[ -- /etc/php.ini -- ]
..
display_errors = On
..
5. ossim-utils
The ossim-framework package depends on ossim-utils, so if you have installed ossim-framework you already have it installed. If you want to install it on another host:
# apt-get install ossim-utils
6. ossim-contrib
The package ossim-contrib contains a set of patches, examples and configuration files used by the OSSIM distribution. This package is only useful for development purposes. If you still want to install it:
# apt-get install ossim-contrib
The package ossim is a meta-package which depends on all the other ones.
# apt-get install ossim
A. Plugins
Install Snort:
# apt-get install snort-mysql
Don't configure the Snort database via debconf; it is better to edit the file /etc/snort/snort.conf by hand:
[ -- /etc/snort/snort.conf -- ]
..
var HOME_NET [192.168.0.0/16]
var EXTERNAL_NET !$HOME_NET
..
# split in two lines for readability
output database: alert, mysql, user=root password=yourdbpass dbname=snort host=yourdbhost \
    sensor_name=your_sensor_ip logfile=fast.log
..
# if you want spade support obtain a valid spade.conf file
# (for example from the ossim source or from the ossim-contrib package)
include spade.conf
Comment out the line containing ALERTMODE=fast in the file /etc/sysconfig/snort.
Check out the Bleeding Edge of Snort web page for up-to-date, bleeding edge Snort rules. The false positive rate of these little-tested signatures is extremely low, and they have been very useful to us:
# cd /etc/snort/rules/
# wget http://www.bleedingsnort.com/bleeding-all.rules
# echo "include \$RULE_PATH/bleeding-all.rules" >> /etc/snort/snort.conf
Update the OSSIM database with the rules on your system:
# /usr/share/ossim/scripts/create_sidmap.pl /etc/snort/rules | \
  mysql -u root ossim -p
Start Snort:
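Every configuration file this guide has you edit, from the server and agent config.xml through gacl.class.php, acid_conf.php and ossim.conf to snort.conf above, ends up holding a database password in clear text. As an added check (not part of the guide or of OSSIM), the Python below audits the modes of those files, using the paths exactly as the guide gives them; group read is tolerated because the web server user needs it for the PHP files, while any world access or group write is reported. make_sample_file only builds constructed test input.

```python
import os
import stat
import tempfile

# Files this guide has you fill with database credentials in clear text
# (paths as given in the guide).
CREDENTIAL_FILES = [
    "/etc/ossim/server/config.xml",
    "/etc/ossim/agent/config.xml",
    "/etc/ossim/framework/ossim.conf",
    "/usr/share/phpgacl/gacl.class.php",
    "/usr/share/phpgacl/admin/gacl_admin.inc.php",
    "/var/www/acid/acid_conf.php",
    "/etc/snort/snort.conf",
]

def audit_file_mode(path):
    """Return findings for one file; an empty list means the mode is fine."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return ["missing"]
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IWGRP:   # group read is allowed (web server user)
        findings.append("group-writable")
    return findings

def audit_credential_files(paths=CREDENTIAL_FILES):
    """Map each path that has a problem to its findings; clean files are omitted."""
    report = {}
    for path in paths:
        findings = audit_file_mode(path)
        if findings:
            report[path] = findings
    return report

def make_sample_file(mode):
    """Create a throwaway file with the given mode (constructed test input)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    for path, findings in sorted(audit_credential_files().items()):
        print("%s: %s" % (path, ", ".join(findings)))
```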
# /etc/init.d/snortd start
Install Ntop:
# apt-get install ntop
Define the password for the admin user:
# ntop -u ntop
>> Please enter the password for the admin user:
# ^C
# /etc/init.d/ntop start
Go to http://yourhost:3000/ to see Ntop in action. Activate the rrdPlugin at Admin->plugins. Click on Host at Data Dump and specify your netmask at Hosts Filter.
Installing the remaining sensor tools is as simple as:
# apt-get install p0f arpwatch pads tcptrack
Don't run arpwatch on boot; let ossim-agent do the job:
# chkconfig arpwatch off