Integrated Tools in OSSIM
http://www.alienvault.com
Juan Manuel Lorenzo (jmlorenzo@alienvault.com)

Active / Passive

The different tools integrated within OSSIM can be classified under the following categories:
• Active: they generate traffic within the network that is being monitored.
• Passive: they analyze network traffic without generating any traffic within the monitored network.
The passive tools require port mirroring (a SPAN port) configured on the network equipment.

Snort
NIDS (Network Intrusion Detection System)
http://www.snort.org

Snort analyzes the network traffic. Events are generated when the Snort patterns (signatures) match the network traffic.
Utility within OSSIM:
• Port scans
• Worms
• Malware
• Policy violations (P2P, IM, porn, games...)
PASSIVE

Snort
PASSIVE

Policy violations:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Megaupload file download service access"; flow:to_server,established; content:"GET "; depth: 4; uricontent:"/?d="; content:"|0d 0a|Host\: "; content:"megaupload.com"; within:25; nocase; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009301; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Download_Services; sid:2009301; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Porn-Sports-Gambling site designed to bypass restrictions"; flow:to_server,established; content:"Host\:"; nocase; pcre:"/Host\:[^\n]+\.(bodog|bodogbeat|bodognation|bodogmusic|bodogconference|bodogpokerchampionships)\.com/i"; reference:url,www.bodog.com; classtype:policy-violation; reference:url,doc.emergingthreats.net/2003100; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_bodog.com; sid:2003100; rev:4;)

Malware:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus (IAInstall.exe)"; flow:established,to_server; uricontent:"/download/IAInstall.exe"; nocase; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; reference:url,doc.emergingthreats.net/2010447; sid:2010447; rev:2;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: (msg:"ET MALWARE 404 Response with an EXE Attached - Likely Malware Drop"; flow:established,from_server; content:"HTTP/1.1 404 Not Found|0d 0a|"; depth:24; content:"|0d 0a 0d 0a|MZ"; distance:0; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2009028; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_404_EXE; sid:2009028; rev:2;)

Snort
PASSIVE

Virus and Trojans:

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET VIRUS Bugbear@MM virus via SMTP"; flow: established; content:"uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQk/xWcEQmDxCTD"; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001764; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_BugBear; sid: 2001764; rev:6;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM UPX encrypted file download - possible worm"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"|00|code|00|"; content:"|00 C0|text|00|"; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001047; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/WORM_Suspicious_Extensions; sid: 2001047; rev:6;)

Scans:

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET SCAN Unusually Fast 403 Error Messages, Possible Web Application Scan"; flow:from_server,established; content:"HTTP/1.1 403"; depth:13; threshold: type threshold, track by_dst, count 35, seconds 60; classtype:attempted-recon; reference:url,www.checkupdown.com/status/E403.html; reference:url,doc.emergingthreats.net/2009749; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_403; sid:2009749; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"ET SCAN Rapid POP3 Connections - Possible Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 10, seconds 120; classtype: misc-activity; reference:url,doc.emergingthreats.net/2002992; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_General_Services; sid: 2002992; rev:5;)

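The signatures above depend on how Snort's content modifiers narrow a match: depth limits the search to the start of the payload, distance and within anchor the next pattern to the previous hit, and nocase makes the comparison case-insensitive. The following Python is an added illustration (not Snort source or OSSIM code) that emulates those modifiers and applies the "404 Response with an EXE Attached" and Megaupload rules from this slide to constructed sample payloads; it approximates uricontent as a plain content match on the raw payload.

```python
"""Emulate how Snort's content modifiers constrain a signature match.
Added illustration, not Snort source or OSSIM code. Supports content, depth,
distance, within and nocase; uricontent is approximated as a plain content
match on the raw payload (Snort matches it against the normalized URI)."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Content:
    pattern: bytes
    depth: Optional[int] = None     # absolute: look only in the first `depth` bytes
    distance: Optional[int] = None  # relative: start `distance` bytes after the previous match
    within: Optional[int] = None    # relative: must end within `within` bytes of the previous match
    nocase: bool = False

def match_contents(payload: bytes, contents: List[Content]) -> bool:
    """Return True when every content matches in order, honouring its modifiers."""
    cursor = 0  # end of the previous match; relative modifiers are anchored here
    for c in contents:
        hay = payload.lower() if c.nocase else payload
        needle = c.pattern.lower() if c.nocase else c.pattern
        if c.distance is not None or c.within is not None:
            start = cursor + (c.distance or 0)
            end = len(hay) if c.within is None else start + c.within
        else:
            start = 0
            end = len(hay) if c.depth is None else c.depth
        idx = hay.find(needle, start, end)  # the needle must fit inside [start, end)
        if idx < 0:
            return False
        cursor = idx + len(needle)
    return True

# sid:2009028 - "HTTP/1.1 404 Not Found|0d 0a|" depth:24, then "|0d 0a 0d 0a|MZ" distance:0
EXE_IN_404 = [
    Content(b"HTTP/1.1 404 Not Found\r\n", depth=24),
    Content(b"\r\n\r\nMZ", distance=0),
]

# sid:2009301 - "GET " depth:4, uricontent "/?d=", "|0d 0a|Host\: ", "megaupload.com" within:25 nocase
MEGAUPLOAD_DL = [
    Content(b"GET ", depth=4),
    Content(b"/?d="),
    Content(b"\r\nHost: "),
    Content(b"megaupload.com", within=25, nocase=True),
]

def is_exe_in_404(payload: bytes) -> bool:
    return match_contents(payload, EXE_IN_404)

def is_megaupload_download(payload: bytes) -> bool:
    return match_contents(payload, MEGAUPLOAD_DL)

if __name__ == "__main__":
    # Constructed sample payloads, not real captures.
    drop = b"HTTP/1.1 404 Not Found\r\nContent-Type: application/octet-stream\r\n\r\nMZ\x90\x00"
    page = b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<html>Not Found</html>"
    print("404 with EXE body:", is_exe_in_404(drop), "| plain 404 page:", is_exe_in_404(page))
    print("Megaupload fetch:", is_megaupload_download(b"GET /?d=ABC123 HTTP/1.1\r\nHost: www.MegaUpload.com\r\n\r\n"))
```

A status line that is not at the very start of the payload fails the depth:24 check, and a Host header whose domain ends more than 25 bytes after "Host: " fails the within:25 check, which is why both rules stay tight despite matching short strings.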
Ntop
Network usage monitor
http://www.ntop.org

Ntop analyzes all the network traffic and provides real-time and historical information about network usage.
Utility within OSSIM:
• Network usage statistics
• Asset information
• Time and activity matrices
• Real-time session monitoring
• Network abuse
PASSIVE

Ntop
PASSIVE

Ntop
Ntop passively creates a profile for every asset in our network.
PASSIVE

Ntop
Data & Time Matrices
PASSIVE

Ntop – RRD Aberrant Behaviour
Analyzing the historical data, Ntop uses the RRD Aberrant Behaviour algorithm to predict the future behaviour of our assets and networks. If the real traffic deviates from the prediction, an event is generated within OSSIM.
PASSIVE

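The RRD aberrant behaviour detection that Ntop relies on is Holt-Winters forecasting with a confidence band: each sample is compared with the prediction, a sample outside the band is a violation, and enough violations inside a sliding window raise a failure, which is the condition that becomes an event. The Python below is an added illustration (not Ntop or rrdtool code) that condenses that scheme into one class and runs it over a constructed periodic series followed by a sustained anomaly; the period, smoothing parameters and window/threshold values are constructed for the demo.

```python
"""Simplified RRD "aberrant behaviour" detection: Holt-Winters plus a deviation band.
Added illustration, not Ntop or rrdtool code. rrdtool keeps the same pieces in its
HWPREDICT, SEASONAL, DEVSEASONAL, DEVPREDICT and FAILURES archives; here they are
condensed into one class. Smoothing parameters and the sample series are constructed."""
from collections import deque
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Observation:
    index: int
    value: float
    predicted: float
    band: float        # delta * smoothed deviation for this slot of the season
    violation: bool    # |value - predicted| > band
    failure: bool      # at least `threshold` violations among the last `window` samples

class HoltWintersDetector:
    def __init__(self, period: int, alpha=0.1, beta=0.05, gamma=0.1,
                 delta=2.0, window=9, threshold=7):
        self.m, self.alpha, self.beta, self.gamma = period, alpha, beta, gamma
        self.delta, self.threshold = delta, threshold
        self.level, self.trend = 0.0, 0.0
        self.seasonal: List[float] = []
        self.deviation: List[float] = []
        self.warmup: List[float] = []        # the first full period seeds the model
        self.recent = deque(maxlen=window)   # sliding window of violation flags
        self.i = 0

    def update(self, value: float) -> Optional[Observation]:
        i, s = self.i, self.i % self.m
        self.i += 1
        if not self.seasonal:
            self.warmup.append(value)
            if len(self.warmup) == self.m:   # seed: level = mean, seasonal = residuals
                self.level = sum(self.warmup) / self.m
                self.seasonal = [v - self.level for v in self.warmup]
                self.deviation = [1.0] * self.m   # constructed initial deviation
            return None
        predicted = self.level + self.trend + self.seasonal[s]
        error = value - predicted
        band = self.delta * self.deviation[s]
        violation = abs(error) > band
        # Additive Holt-Winters update of level, trend, seasonal term and deviation.
        new_level = self.alpha * (value - self.seasonal[s]) + (1 - self.alpha) * (self.level + self.trend)
        self.trend = self.beta * (new_level - self.level) + (1 - self.beta) * self.trend
        self.seasonal[s] = self.gamma * (value - new_level) + (1 - self.gamma) * self.seasonal[s]
        self.deviation[s] = self.gamma * abs(error) + (1 - self.gamma) * self.deviation[s]
        self.level = new_level
        self.recent.append(violation)
        return Observation(i, value, predicted, band, violation, sum(self.recent) >= self.threshold)

def run(series: List[float], period: int) -> List[Observation]:
    det = HoltWintersDetector(period)
    return [o for o in map(det.update, series) if o is not None]

def first_failure(series: List[float], period: int) -> Optional[int]:
    """Index of the first sample on which a FAILURE would be raised, or None."""
    return next((o.index for o in run(series, period) if o.failure), None)

if __name__ == "__main__":
    # Constructed traffic series: four clean cycles of period 4, then a sustained anomaly.
    for o in run([10.0, 20.0, 30.0, 40.0] * 4 + [100.0] * 9, period=4):
        flag = "FAILURE" if o.failure else ("violation" if o.violation else "")
        print(f"{o.index:2d} value={o.value:6.1f} predicted={o.predicted:7.2f} band={o.band:6.2f} {flag}")
```

With a slow level adaptation (alpha=0.1) the model keeps predicting the old pattern for several samples, so the anomaly produces seven violations in a row and the failure fires on the seventh anomalous sample; a single spike would be a violation but not a failure.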
NFSen / NFdump
http://nfdump.sourceforge.net/

Nfdump: the nfdump tools collect and process NetFlow data on the command line.
NFSen is a graphical web-based front end for the nfdump NetFlow tools.
PASSIVE

NFSen / NFdump
NetFlow is a network protocol developed by Cisco Systems to run on Cisco IOS-enabled equipment for collecting IP traffic information.
It is also supported by platforms other than IOS, such as Juniper, Linux, FreeBSD or OpenBSD.
PASSIVE

OCS
Inventory Management
http://www.ocsinventory-ng.org

OCS requires an agent installed on every inventoried computer.
OCS can also be used to deploy software packages.
Utility within OSSIM:
• Inventory management (software & hardware)
• Vulnerability management
• Policy violations
• Hardware monitoring
ACTIVE (AGENTS)

OCS
ACTIVE (AGENTS)

Nagios
Availability monitor
http://www.nagios.org

Nagios monitors the availability of assets and services in our network.
A service can be monitored using different checks. Example: a MySQL server
• Check whether the host is up or not
• Check whether the MySQL port is open or closed
• Check whether there is a MySQL server listening on that port
• Run a query and check the result
ACTIVE

Nagios
Utility within OSSIM:
• Availability monitoring (as a detector and in real time)
Nagios can run checks remotely or through an agent deployed on the host that is being monitored. Nagios has a wide number of plugins to monitor different devices and applications.
ACTIVE

OpenVas
Vulnerability Scanning
http://www.openvas.org

OpenVas uses signatures to identify vulnerabilities in the hosts of our network.
Utility within OSSIM:
• Attack prevention (we know what is vulnerable)
• Is the network policy being violated? Shared folders, forbidden activities...
ACTIVE

OpenVas
Some vulnerabilities can only be verified by actually exploiting them (e.g. DoS).
OpenVas allows fine-tuning of the scanning aggressiveness.
Mis-configured scans may severely impact the scanned network. After installation, the first scanning profiles have to be defined and watched over very carefully.
ACTIVE

OpenVas
OpenVas is able to perform local scans on remote machines if valid credentials for them are provided.
This way OpenVas has an exact listing of the software installed on the remote hosts and is able to determine existing vulnerabilities with a high degree of accuracy.
OpenVas provides its own plugin creation language.
ACTIVE

OSVDB
Vulnerability Database
http://www.osvdb.org

OSVDB is a compendium of vulnerabilities.
Usage within OSSIM:
• Correlation rule creation
• Vulnerability identifier cross-relation
• Complements OpenVas scanning information

OSVDB
Vulnerability description:
Indicators and references:

OSVDB
Inter-tool relationships:
CVSSv2 score (Common Vulnerability Scoring System):

OSSEC
HIDS (Host-level IDS)
http://www.ossec.org

OSSEC requires an agent to be installed for monitoring (except on ssh-accessible systems).
OSSEC features log analysis, rootkit detection, system integrity checking and Windows registry monitoring.
ACTIVE (AGENTS)

OSSEC
OSSEC is based on a client -> server architecture; OSSIM collects events from the OSSEC server.
OSSEC provides its own plugin system used for Windows and UNIX tool analysis.
Utility within OSSIM:
• Windows and Unix log collection
• Application log collection
• Registry, file and folder monitoring (DLP)
ACTIVE (AGENTS)

Kismet
Wireless network sniffer and IDS
http://www.kismetwireless.net

Kismet requires a compatible Wi-Fi NIC that allows raw monitoring and 802.11b, 802.11a, 802.11n and 802.11g sniffing.
Utility within OSSIM:
• Securing Wi-Fi networks
• Rogue AP detection
• Compliance enforcement (PCI)
PASSIVE

Nmap
Port Scanner
http://www.insecure.org

Nmap provides customizable options for host and network scanning (speed, range, precision…).
Utility within OSSIM:
• Asset discovery
• Open port discovery
• Service version discovery
• Operating system manufacturer and version discovery
• May determine some hardware details about the scanned host
ACTIVE

P0f
Operating System anomaly detection
http://lcamtuf.coredump.cx/p0f.shtml

Passive operating system detection based on traffic pattern analysis.
Utility within OSSIM:
• Operating system changes
• Inventory management
• Unauthorized network access
PASSIVE

Pads
Service anomaly detection
http://passive.sourceforge.net/

Pads passively detects running services based on traffic pattern matching.
Utility within OSSIM:
• Inventory management
• Service version changes
• Policy violations
• Inventory correlation
PASSIVE

Arpwatch
MAC address anomaly detection
http://ee.lbl.gov/

Based on the traffic generated by network assets, Arpwatch is able to identify the MAC address associated with each IP address.
Utility within OSSIM:
• Inventory management
• IP address change detection
• ARP spoofing
PASSIVE

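The value of Arpwatch for the three uses listed above comes from one mechanism: it remembers which MAC address answered for each IP and reports when that pairing is new or changes. The Python below is an added illustration (not Arpwatch's own code) that reproduces its main event classes ("new station", "changed ethernet address" and "flip flop") over a constructed list of ARP observations, and counts flip flops per IP, the pattern that an IP address change or ARP spoofing against a gateway leaves behind.

```python
"""Arpwatch-style IP/MAC pairing tracker: added illustration, not Arpwatch code.
Arpwatch learns which MAC answers for each IP from ARP traffic and reports when a
pairing is new or changes; this reproduces its main event classes."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Station:
    mac: str                  # address currently associated with the IP
    previous: Optional[str]   # address seen immediately before the current one
    last_seen: int            # timestamp of the most recent observation

@dataclass
class ArpEvent:
    ts: int
    ip: str
    kind: str                 # "new station" | "changed ethernet address" | "flip flop"
    old: Optional[str]
    new: str

class ArpTracker:
    def __init__(self) -> None:
        self.table: Dict[str, Station] = {}

    def observe(self, ts: int, ip: str, mac: str) -> Optional[ArpEvent]:
        """Record one ARP observation; return an event when the pairing is new or changed."""
        mac = mac.lower()
        st = self.table.get(ip)
        if st is None:
            self.table[ip] = Station(mac, None, ts)
            return ArpEvent(ts, ip, "new station", None, mac)
        st.last_seen = ts
        if mac == st.mac:
            return None                         # steady state, nothing to report
        # A change back to the address seen just before is what Arpwatch calls a
        # "flip flop"; any other change is a "changed ethernet address".
        kind = "flip flop" if mac == st.previous else "changed ethernet address"
        event = ArpEvent(ts, ip, kind, st.mac, mac)
        st.previous, st.mac = st.mac, mac
        return event

def replay(observations: List[Tuple[int, str, str]]) -> List[ArpEvent]:
    tracker = ArpTracker()
    return [e for e in (tracker.observe(*o) for o in observations) if e is not None]

def flip_flop_counts(events: List[ArpEvent]) -> Dict[str, int]:
    """Flip flops per IP: a pairing bouncing between two MACs is the trace ARP spoofing leaves."""
    counts: Dict[str, int] = {}
    for e in events:
        if e.kind == "flip flop":
            counts[e.ip] = counts.get(e.ip, 0) + 1
    return counts

# Constructed ARP observations (timestamp, sender IP, sender MAC), not a real capture.
SAMPLE = [
    (100, "192.0.2.1", "00:00:5e:00:53:01"),    # gateway first seen
    (101, "192.0.2.10", "00:00:5e:00:53:10"),   # workstation first seen
    (160, "192.0.2.1", "00:00:5e:00:53:01"),    # steady state, no event
    (200, "192.0.2.10", "00:00:5e:00:53:11"),   # NIC replaced: changed ethernet address
    (300, "192.0.2.1", "00:00:5e:00:53:99"),    # gateway IP answered by another MAC
    (301, "192.0.2.1", "00:00:5e:00:53:01"),    # real gateway again: flip flop
    (302, "192.0.2.1", "00:00:5e:00:53:99"),    # and back again: flip flop
]
```

Running `replay(SAMPLE)` yields two "new station" events, two "changed ethernet address" events and two "flip flop" events, and `flip_flop_counts` attributes both flip flops to the gateway address; a single change is a legitimate hardware swap as often as not, so the repeated bounce is the signal worth correlating.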
Tcptrack
Session Monitor (network)
http://www.rhythm.cx/~steve/devel/tcptrack/

Tcptrack provides information about network sessions (duration, transferred data…).
Utility within OSSIM:
• Session information used for correlation
PASSIVE

Nepenthes
Honeypot
http://nepenthes.mwcollect.org

Nepenthes emulates known services and vulnerabilities in order to collect information about potential attackers (attack patterns, files, …).
Utility within OSSIM:
• Detect infected systems (they will target the honeypot)
• Rule and directive creation based on captured files/attacks
• Malware collection
PASSIVE

About this document

This document is part of the OCSA Training Material (OSSIM Certified Security Analyst).
Author: Juan Manuel Lorenzo (jmlorenzo@alienvault.com)
Copyright © Alienvault 2010
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and publisher.
Any trademarks referenced herein are the property of their respective holders.