PKF AvantEdge

Category: SIEM (Page 5 of 6)

AlienVault Troubleshooting: NFSEN cannot start

September 3, 2015 / / 0 Comments

One of the issues we faced was that our NFSEN suddenly barfed when restarted. This is highly annoying because everytime we reconfigure AlienVault, it has to hang at NFSEN service restart because it couldn’t get it up. I don’t know why.

Eventhough we don’t use netflow much in our environment, it was still a pain for us so we tried to troubleshoot it and finally resolved it.

The issue was when we click on Environment>Netflow we saw these errors

ERROR: nfsend connect() error: Connection refused!

ERROR: nfsend – connection failed!!

NFSEN

Obviously this was irritating. Under Configuration>Deployment>Sensors, we clicked on our AIO and scroll to the bottom, we saw that the netflow collection configuration was not running.

I think it could be because we didn’t set any interface to be ‘monitoring’. We went ahead and set it using the alienvault-setup menu and assigned eth1 to be monitoring. Strangely we couldn’t assign it in the GUI under Configuration>Deployment>AIO>Sensor Configuration and Detection. We only had option for Eth0 (our management) and ETH5 (our logging interface).

Anyway, once we set an interface to monitoring we still couldn’t start nfsen through the GUI or even through the command line under /etc/init.d/nfsen start/stop.

It kept giving this error

Use of uninitialized value $pid in scalar chomp at /usr/bin/nfsend line 765.
Use of uninitialized value $pid in kill at /usr/bin/nfsend line 767.
Use of uninitialized value $pid in concatenation (.) or string at /usr/bin/nfsen

Which made as much sense as greek.

In any case, at least it gave a clue that /usr/bin/nfsend might be complaining because nfsen wasn’t up in the first place. So we went ahead and
VirtualUSMAllInOne:/usr/bin# ./nfsen start
Starting nfcapd:(564D89B81691003B6E98F73F9FFA258C)[25330]
Starting nfsend.

This apparently didn’t through any errors and nfsend seems started! Do a ps -ef and grep nfsen and you have a nice PID allocated.

VirtualUSMAllInOne:/usr/bin# ps -ef | grep nfs
www-data 25330 1 0 23:12 ? 00:00:00 /usr/bin/nfcapd -w -D -p 555 -u www-data -g www data -B 200000 -S 7 -P /var/nfsen/run/p555.pid -I 564D89B81691003B6E98F73F9FFA258C -l /var/cache/nfdump/flows//live/564D89B81691003B6E98F73F9FFA258C
www-data 25332 1 0 23:12 ? 00:00:00 /usr/bin/perl -w /usr/bin/nfsend
www-data 25333 25332 0 23:12 ? 00:00:00 /usr/bin/nfsend-comm
root 25339 22649 0 23:12 pts/0 00:00:00 grep –color=auto nfs

So we stopped it again but this time with the init.d script.

VirtualUSMAllInOne:/usr/bin# /etc/init.d/nfsen stop
Stopping Nfsen: nfsenShutdown nfcapd: (564D89B81691003B6E98F73F9FFA258C)[25330]. .
Shutdown nfsend:[25332]..

And started it again using the init.d script

VirtualUSMAllInOne:/usr/bin# /etc/init.d/nfsen start
Starting Nfsen: nfsenStarting nfcapd:(564D89B81691003B6E98F73F9FFA258C)[26383]
Starting nfsend.

Now we checked back our netflow on the gui and it works.

I don’t know if anyone else is facing this or has an explanation to this, but it might or might not have anything to do with our interface not being set to monitoring. You can try this out if you are facing this issue.

 

OSSIM Part 2: Typical Setup

September 2, 2015 / / 4 Comments

From the previous post, you have successfully installed OSSIM into a VM running ESXi 5.1. Congratulations.

Go ahead and access the web IP address of the OSSIM (you do remember it, don’t you??!)

You are greeted with the same screen as AlienVault – setting the admin account. You should never lose the root password, the admin password can be reset.

Once that is done, relogin again with the new admin password and go through the wizard.

Let’s start with the interface. Go ahead and configure one for Logging and the other for monitoring (no IP). Assign another IP to it. For now, we didn’t do any scanning or other setup, the whole idea was just to see what OSSIM is offering.

In case you messed up and only set up 2 network interfaces, don’t worry. Just add a new network interface into the VM and power up the OSSIM again.

You would want to reconfigure it to have that new interface so go to configuration and wait for your OSSIM to load up. The annoying thing about AlienVault is that the Getting Started Wizard is literally ‘Getting Started’. You don’t have a way to invoke that wizard again so you generally have to reconfigure your network devices the hard way. There are two ways:

SSH into your OSSIM and run alienvault-setup if not already in the setup menu. Go to Configure Sensor > Configure Network Monitoring and select the new ETH as your network monitor. Then you need to apply changes and wait for OSSIM to rebuild

Second option is GUI>Configuration>Deployment>Click on the OSSIM installation

On the top right, click on Sensor configuration and then on ‘Detection’. You will see listening interfaces there. Go ahead and select the NIC to add to listening interfaces. You don’t need an IP address for monitoring. Apply Changes.

It’s just annoying, and we really wish OSSIM would just allow us to run the getting started wizard again.

If you need to set up a logging and monitoring role, you just need to go to the alienvault-setup, setup the network interfaces under system preferences and give it an IP. Immediately gets a logging and monitoring role. There shouldn’t be more than one interface per subnet. The question here is, can your management interface also be the logging interface. Yes of course, but it’s best not to.

Now, again, we wish OSSIM would be a little more clear on this. They already have an awesome GUI, but you would think running the wizard again would be a simple thing to do. Nope, it’s not. You have one shot at it.

So now, you have an interface to manage, to log and to monitor.Go ahead and have a look at it under the deployment components.

Once this is done, you are basically good to go to start OSSIM!

OSSIM Part 1: Getting Started

August 31, 2015 / / 0 Comments

After getting our hands wet on AlienVault, another demand we have technically from clients is OSSIM. OSSIM here means Open Source Security Information Management – the open source variant of AlienVault. We can explore the differences in another post, but in this post, let’s get our hands dirty with this AlienVault cousin.

First of all, we are back where we started with VMWARE. I will assume we have a running vmware install, in our case its ESXi 5.1 and managing through SSH and Vsphere.

1) Create a Virtual Machine for OSSIM

It sounds more intuitive than it really is, but VMWare continues to annoy us. Here we just click on File->New->Virtual Machine. Do note for AlienVault it was an OVF image we deployed. For OSSIM, it will be an ISO image, so we first need to create the Virtual Host first.

Go through the wizard and we basically went for the typical installation. We got a little stuck at the Guest Operating System though. We were supposed to load the ISO from the datastore, so in this case, we just randomly selected a 64-bit OS under ‘Others’. Don’t think it will make any difference if we selected anything else, since OSSIM install will basically take over the OS.

2) ISO load up

Once created we need to get the ISO (650MB) into our machine. It’s quite annoying because I was running through a VPN and I tried to WinSCP or SFTP from my laptop to the host and from the host, copy it to datastore. However, the line keeps dying after 200mb transferred and I could never fix it. I don’t know why. Maybe there is a limit or something.

So we went the conventional route:

a) Put the ISO into the datastore – Click on the host (not the VM) and click on Configuration Tab. You will see a datastore there. Select it, right click> Browse Datastore. On the little tabs, click on ‘Upload files to this datastore’, and select your local OSSIM iso and upload it away.

It’s magnificently slow, but it seems to work, and all 600+ MB of the payload was sent into the datastore.

b) Right click on the new OSSIM VM>Edit Settings>CD/DVD Drive

You want to click on ‘Connect at Power on’ and also Datastore ISO File. Go ahead and browse the datastore and select the ISO image you just put into the datastore.

3) Start your engines

So load her up. It will boot into the OSSIM installation menu and basically we did all defaults, and allocated an IP address and let it install

4) Post Installation

We did face a problem after the installation. The OSSIM Console hung at with the ‘VMWARE’ logo and ‘waiting for connection’. We powered off the OSSIM, went back to the CD/DVD drive setting and remove the ‘Connect at power on’ option.

Voila.

The familiar face of the happy Alien greeted us and yes it takes pretty long to boot up just like her commercial cousin. Get a coffee, and we can then dive deeper into OSSIM.

The IOT (Internet of Things) : My Personal Experience

August 24, 2015 / / 0 Comments
ThumbPrint

ThumbPrint

Unless you have been living in a cave or on a secluded island without internet connection, you may have come across the term ‘Internet of Things’ or IoT. According to Gartner, “The Internet of Things (IoT) is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.”

Living in an era where we have easy access to information at the tip of our fingers is now taken for granted. Going out of your home without your smart phone is absolutely unthinkable – well, at least for me. I can be connected with my friends & family members anytime and anywhere – it can’t get better than that right? Well, let’s re-think this carefully.

Security
I am a huge fan of Strava application. This mobile application uses GPS and mobile data to track your activity (be it cycling or running) – it tracks your mileage, exercise effort level (wattage), time taken to complete the activity and then, further provides data on your ranking against other Strava users on the same activity/route. As I cycle and run competitively as a ‘hobby’, Strava is a great way for me to track my improvements and also pit myself against my friends to be the Queen Of Mountain of a certain mountain anywhere in the world. Awesome! – well, maybe….

The great thing with Strava is that it is connected to Facebook. In fact, if you use your Garmin to track your activity, you can set up your Garmin to connect seamlessly to Strava on every activity tracked on Garmin. Notice the word I’ve used here: SEAMLESSLY. Yes, it is that easy. Friends on Facebook are able to know where I was or where I am currently at based on my post through Strava.  Now, my friends can like my activity and comment as well. Let’s just say that a friend of my Facebook friend intends to track me and know my current whereabouts, s/he can definitely find all that information via Facebook. If s/he intends to break-in to my home (assuming s/he knows where I live), can do so as well – because I am not at home – I’m still cycling back to my house. Dangerous? Am I inviting trouble? You bet! The internet of things have enabled different types of devices to be connected seamlessly and we love that; however, have we ever stopped to think of the danger that we’re opening ourselves up to? It doesn’t take much to be information technology savvy to track a person’s whereabouts.

We love to tell our Facebook friends where we are at by posting “Agnes Yew checked in at Mid Valley” or “Agnes Yew checked in at Madam Kwan, Mid Valley City”. Have you ever stopped to think that we’re providing information to people on our whereabouts willingly and this could be used to our disadvantage?

Time to stop and think…

Data Breach
Ashley Madison was recently hacked and it was let out that the hackers had access to its customer database and have posted the information on a public website for all to see. Ashley Madison is a discreet website which allows their customers to hook up with other folks who are interested in dabbling in a little fun outside the marriage bed. If you were a registered customer (married or attached) of Ashley Madison, you’ll be jumping or maybe peeing in your pants as the list of customers are now in the hands of hackers and shared on a public website.

Personal data is very much valued by consumer marketing companies and anyone who has access to a database has the upper hand to sell that information. I’ve been bombarded with these annoying SMS(es) on properties going on sale and what not every day. Yes, every day. I have to add these numbers under SPAM. It’s annoying as I don’t know where and how they got my mobile number. It could be when I got on the internet and signed up for some newsletter and I did not read the fine print and,or, I did not un-check a box to unsubscribe.

The Personal Data Protection Act in Malaysia was gazetted in 2010 and has been in enforcement from April 2013 on-wards. PDPA is supposed to protect consumers whereby companies holding our personal data are obligated to set up policies and a structured framework to ensure that the data is stored safely and not be leaked out. In my opinion, Malaysia is still in its infancy in comparison to US or EU, in terms setting up a stringent DPA (Data Protection Act) framework. Companies are not investing in being PDPA compliant unless they are required to by the Ministry. At the moment, the Finance, Telecommunications and health industry players are required to be PDPA compliant.

As a Malaysian consumer, we have every right to be concerned if companies managing our personal data are not enforcing a certain measure of security to ensure that our data is safely kept. Companies in Europe and US are willing to invest huge dollars in a Security Information Event Management (SIEM) solution to manage internet threat intrusions. At the moment, the Multimedia and Communication Ministry has not published any data on companies in Malaysia that are allocating budgets for SIEM or some sort of Internet Security application.
Time to stop and think….

How to Be Safe
I want to be safe. I want my family members to be safe as well. What measures am I taking to make sure that only people I want to know about me, know about me?
• I and my family members do not post our actual profile pictures on Watsapp, LINE and Facebook.
• I clean up my friends’ list in Facebook every three months. ‘Friend of Friends’ will be deleted.
• I read and uncheck boxes when I sign up for newsletter/etc. online. I read the fine print.
• I do not post my Strava activity until I get home – Announcing that I am Queen of Mountain can wait.
• I do not ‘check in’ to any location using Facebook. Yes, I may miss getting some discounts from that restaurant or shop by not checking in but I really don’t think it is worth letting people know where I am at.
• I block all sms’ numbers that are marketing in nature and park them under SPAM.

Different folks may have different appetites of risk tolerance towards being bombarded by SPAM or wanting to let the world know what they are doing or where they are at. The effort level you put into ensuring that you and your family members are safe is a choice and for me, is a very important choice.
Stop and think…..

For PDPA Training/Advisory or Internet Security Applications, drop us an email at avantedge@pkfmalaysia.com or contact us at +603 6203 1888.

by Agnes Yew, PKFAE Project Manager

AlienVault Setup 2: Deploying into your network

July 16, 2015 / / 0 Comments

Deployment of AlienVault generally will depend on your network complexity.

For us, we only have an AIO (All In One). While this is great, the lack of sensors make network visibility limited. Basically we can see traffic within the network segment we are connected to. Another issue here is that everyone can see/ping the AV server, which generally isn’t too great. Let’s call this the Invasion Approach. Everyone sees the Alien Ship invading the network.

Another scenario would be to segment your network and deploy remote sensors in each segment and sends back data to a secure segment – we call this the Mother Ship Approach, where these little alien ships send back information to the big mother ship in space – like that Independence Day movie.

Another scenario would be to have multi-server, multi-sensors. We will call this the Divide and Conquer strategy. This makes the whole SIEM infrastructure harder to compromise, lowering its visibility to other devices and also distributes workload over different areas.

Remember – anyone hacking into the SIEM has access to a whole lot of informatin so its worth defending.

For our deployment scenario, we are deploying it for IDS, network vulnerability and asset management purposes – and will be doing it on a SPAN port in our main switch.

Now, let’s get some information.

For more details on Alien Vault products and services, please drop us an email at alienvault@pkfmalaysia.com

« Older posts Newer posts »

© 2024 PKF AvantEdge

Up ↑