VMOSSIM



Preconfigured Open Source Security Information Management (OSSIM) appliance with all-in-one, server and sensor only variants.


Features

Collegiate:
No

One-line Description:
Preconfigured Open Source Security Information Management (OSSIM) appliance with all-in-one, server and sensor only variants.

Filename:
VMOSSIM.tar.bz2

Size Compressed:
213 MB

Allocated Memory:
160

Username:
root

Password:
vmossim

VMware Tools Installed?:
Yes

Operating System:
Debian Etch

Applications:

  • Apache 1.3.34-2
  • Arpwatch 2.1a13-2
  • Base 1.1.4-1ossim.1
  • Mysql 5.0.20-1
  • Nagios 2.3-1
  • Nessus 2.2.7-1
  • Ntop 3.2.2-ossim3
  • Osiris 4.0.6-1
  • Ossim 0.9.9
  • P0f 2.0.5-1
  • Pads 1.2-7
  • Php 4.4.2-1
  • Snort 2.3.3-5ossim1
  • Tcptrack 1.1.5-1

Description:
VMOSSIM - Virtualized Security Information Management
Introduction
This virtual appliance contains a ready-to-use OSSIM deployment. For detailed information about OSSIM please refer to http://www.ossim.net
OSSIM stands for Open Source Security Information Management. Its goal is to provide a comprehensive compilation of tools which, working together, give a network/security administrator a detailed view of every aspect of his networks, hosts, physical access devices, servers, etc.
Besides getting the best out of well-known open source tools, some of which are briefly described below, OSSIM provides a strong correlation engine; detailed low-, mid- and high-level visualization interfaces; and reporting and incident management tools, all working on a set of defined assets such as hosts, networks, groups and services.
All this information can be limited by network or sensor in order to provide only the needed information to specific users, allowing for a fine-grained multi-user security environment.
Also, the ability to act as an IPS (Intrusion Prevention System) based on correlated information from virtually any source results in a useful addition for any security professional.
Components
Included with the appliance are the following software components:

  • Arpwatch, used for MAC anomaly detection.
  • P0f, used for passive OS detection and OS change analysis.
  • Pads, used for service anomaly detection.
  • Nessus, used for vulnerability assessment and for cross correlation (IDS vs. security scanner).
  • Snort, the IDS, also used for cross correlation with Nessus.
  • Spade, the statistical packet anomaly detection engine, used to gain knowledge about attacks without a signature.
  • Tcptrack, used for session data, which can provide useful information for attack correlation.
  • Ntop, which builds an impressive network information database from which we can get aberrant-behaviour anomaly detection.
  • Nagios, fed from the host asset database, monitors host and service availability.
  • Osiris, a great HIDS.

To this we add a number of self-developed tools, the most important being a generic correlation engine with logical directive support (more on http://www.ossim.net/docs.php). Some code has been added to the appliance in order to make use of the added benefits of virtualization technology.
Profiles
Usually a typical OSSIM deployment consists of:

  • A database host.
  • A server which hosts the correlation, qualification and risk assessment engine.
  • N agent hosts which do information collection tasks from a number of devices. For a list of plugins please refer to: http://www.ossim.net/dokuwiki/doku.php?id=roadmap:plugins
  • A control daemon which does some maintenance work and ties some parts together. It's called frameworkd.
  • The frontend, which is web based, unifying all the gathered information and providing the ability to control each of the components.

The appliance has an easy to use wizard which helps both in selecting the type of Appliance as well as the needed IP address information.
You can choose between three different deployment types:

  • All in one (the default type).
  • Sensor only.
  • Server + Database + Frontend.

Some quick notes about the image
The image has been downsized with easy and fast downloading and deployment in mind.
The partitioning has been done taking into account that we've got virtual disks, so every separate partition can be easily exchanged without too much trouble.
After installing a new Debian operating system and all the needed OSSIM components as well as the software itself, a cleanup has been done in order to get the image size down to (compressed) XXX MB.
After getting a perfectly working system we focused on ways to allow for different uses of a single image as well as ease of reconfiguration for new environments.
All the software used herein has some sort of Open Source license; please refer to the individual vendors/groups for the exact ones. OSSIM is licensed under the BSD license.
Customization instructions.
First of all: this appliance requires a promiscuous mode NIC on the host system. Please refer to the links you get returned when searching for "promiscuous" on the vmware.com site.
Of course you must make sure your guest operating system also puts its NIC into promiscuous mode.
The default IP address is 10.155.37.204.
The non-privileged user is "vmuser:vmuser".
First you have to decide what this image is going to be. For a start I'd suggest leaving it as it is (all in one) and only customizing its IP address. To do so follow a couple of simple steps:

  1. Start up the Virtual Appliance.
  2. Set up your networking: edit /etc/network/interfaces.
  3. Restart your networking: "/etc/init.d/networking restart".
  4. Use the included wizard to reconfigure your OSSIM server/sensor: "/root/tools/wizard.pl".
  5. The easiest way to make all the components aware of the new settings is to reboot the Virtual Appliance.
     Otherwise kill the following processes: ossim-server, ossim-agent, ossim-framework, pads, ntop, p0f, arpwatch,
     and issue a "/etc/init.d/ossim start".
  6. Point your browser at http://your_address/ossim/. The default login is "admin:admin" and upon login further
     instructions are shown.
  7. Enjoy!

In case you want to add more appliances on other parts of your network, you should split the server up and reconfigure the sensors as, well, sensors.
To do so follow the instructions provided by the /root/tools/setup.pl script. That script performs the following tasks:
Sensor

  • Disable server, mysql and apache.
  • Reconfigure /etc/issue and /etc/issue.net so you can see what is configured at any time.
  • Setup the right server & database values.

Server

  • Disable pads, p0f, ntop, etc...
  • Reconfigure /etc/issue and /etc/issue.net so you can see what is configured at any time.
  • Grant mysql privileges to remote sensors.

Vendor: dkarg

Date Created: 05/26/2006
Last Updated: 05/26/2006

Technical Specifications

Operating System:

Debian Etch

VMware Tools installed: No

Size: 213MB

Allocated Memory (RAM): 160

