OSSIM Part 2: Typical Setup

From the previous post, you have successfully installed OSSIM into a VM running ESXi 5.1. Congratulations.

Go ahead and access the web IP address of the OSSIM (you do remember it, don’t you??!)

You are greeted with the same screen as AlienVault – setting the admin account. You should never lose the root password, the admin password can be reset.

Once that is done, relogin again with the new admin password and go through the wizard.

Let’s start with the interface. Go ahead and configure one for Logging and the other for monitoring (no IP). Assign another IP to it. For now, we didn’t do any scanning or other setup, the whole idea was just to see what OSSIM is offering.

In case you messed up and only set up 2 network interfaces, don’t worry. Just add a new network interface into the VM and power up the OSSIM again.

You would want to reconfigure it to have that new interface so go to configuration and wait for your OSSIM to load up. The annoying thing about AlienVault is that the Getting Started Wizard is literally ‘Getting Started’. You don’t have a way to invoke that wizard again so you generally have to reconfigure your network devices the hard way. There are two ways:

SSH into your OSSIM and run alienvault-setup if not already in the setup menu. Go to Configure Sensor > Configure Network Monitoring and select the new ETH as your network monitor. Then you need to apply changes and wait for OSSIM to rebuild

Second option is GUI>Configuration>Deployment>Click on the OSSIM installation

On the top right, click on Sensor configuration and then on ‘Detection’. You will see listening interfaces there. Go ahead and select the NIC to add to listening interfaces. You don’t need an IP address for monitoring. Apply Changes.

It’s just annoying, and we really wish OSSIM would just allow us to run the getting started wizard again.

If you need to set up a logging and monitoring role, you just need to go to the alienvault-setup, setup the network interfaces under system preferences and give it an IP. Immediately gets a logging and monitoring role. There shouldn’t be more than one interface per subnet. The question here is, can your management interface also be the logging interface. Yes of course, but it’s best not to.

Now, again, we wish OSSIM would be a little more clear on this. They already have an awesome GUI, but you would think running the wizard again would be a simple thing to do. Nope, it’s not. You have one shot at it.

So now, you have an interface to manage, to log and to monitor.Go ahead and have a look at it under the deployment components.

Once this is done, you are basically good to go to start OSSIM!

2 thoughts on “OSSIM Part 2: Typical Setup

  1. With OSSIM 5.2.1, each time you log into the web console as ‘admin’ you can invoke the Getting Started Wizard by click on the orange banner at the top of the page.

Leave a Reply