
AlienVault Logging Setup Part 1

One thing about AlienVault is that, from the user interface, you would think it was a plug-and-play system where everything just works.

While it is a far cry from the days of manual configuration, AV still requires a little know-how to get things up to speed, and yes, it does require a dive into the venerable CLI, so you need to know a little about the engines running under the AV hood.

Let’s start.

One of the first things a customer wants when opening AV, before the snazzy vulnerability scans, the network IDS or host IDS, even before the SIEM correlation, is LOGS. Logs are to the SIEM what audit is to accounting firms. You just do it.

Strangely, this is not as intuitive as it sounds. Here's a step-by-step. We don't put screenshots here because we have limited storage on this blog. Yes, we are very frugal. And we like words.

AlienVault Scenario Setup

Because we are slightly lazy, we want a simple scenario: the VMware ESXi box that hosts the AV sends its logs to the AV, just as it would to any syslog server. Just logs first. Our ESXi host is 192.168.0.10; our AV logging interface is 192.168.0.11.

Set up your ESXi.

I know this is out of scope. In most cases we just tell clients: send your logs from PaloAlto, SonicWall, Juniper, Sophos etc. to AlienVault's logging interface. For ESXi it is very simple.

1. Start the vSphere client, log in and select the ESXi host.

2. Configuration > Software > Advanced Settings.

3. Under Syslog > global, set Syslog.global.logHost to the AV logging interface (192.168.0.11). A bare address means UDP port 514; ESXi also accepts an explicit protocol and port, for example udp://192.168.0.11:514, which is worth using so there is no doubt what the AV side has to listen on.

4. Still under Software, click Security Profile and then Properties at the top right.

5. In the Firewall Properties dialog, scroll down the list and tick 'syslog'. Until this is ticked the ESXi firewall blocks the outbound syslog traffic, which is the most common reason nothing ever arrives at the AV.

The same two settings can be made from the ESXi shell with esxcli system syslog config set --loghost=udp://192.168.0.11:514, esxcli system syslog reload and esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true.

You are done. Other systems differ in the menus, but it always amounts to the same two things: where to send syslog, and permission to send it.

Initial Testing

If you are like me and just want to make sure everything is working, set up your own free syslog server (3CDaemon works nicely), turn it on, and point the ESXi syslog at your laptop. If you see stuff coming in, you know ESXi is doing its part and any roadblock down the road is on the AlienVault side. Now point it back to the AV interface please.

AV Setup to Receive Logs

AV needs to see the logs coming in first. We used the base document found in

https://www.alienvault.com/doc-repo/usm/security-intelligence/AlienVault_Device_Integration_Fortinet_FortiGate.pdf

I know you are not doing FortiGate, but the idea is the same: get the loggee (that's what we will call the system sending logs to AV) to send to AV, set up AV to receive the logs, configure log expiration, enable the plugin.

The annoying thing is that in most cases everyone starts at the 'enable plugin' stage and forgets to set up AV to receive the logs first. You can't fault them: I attended the AlienVault engineer training and it assumed you had magically conjured up AV to receive logs, so you could be banging your head on this for a while.

Time to go CLI. I will assume you know how to get to the AV CLI: just jailbreak it. It's a scary-sounding name for leaving the AV menu for a root shell. Log into your AV with PuTTY or your favourite SSH client, select 'Jailbreak System' in the menu and accept whatever disaster it warns you about.

Once in CLI:

a) Configure your rsyslogd. Go to /etc/rsyslog.d and ls. You don't see anything for vmware in there, do you?

b) Because there isn't one. AV doesn't babysit you. It expects you to know stuff.

c) Check that rsyslog is actually running:

ps -ef | grep rsyslog – is the process up?

netstat -tulpen | grep rsyslog – is it listening on the right ports? The network inputs are UDP 514 and, if the TCP input is enabled, TCP 514. If nothing is listed here the ESXi host has nowhere to send to, whatever the filters below say.

For extra geek points you can:

VirtualUSMAllInOne:/var/log# logger -t test syslog-test-message
VirtualUSMAllInOne:/var/log# tail /var/log/messages | grep test
Sep 11 18:09:19 VirtualUSMAllInOne test: syslog-test-message

Basically what you did was send a test message through logger to the local syslog socket and then check /var/log/messages for it. It is there, so rsyslog is working nicely. Note that this only proves the local path; the network listener from step c) is what the ESXi host will actually hit.

Now to create the fragment for the ESXi host. We followed the FortiGate document above. The file must live in /etc/rsyslog.d and its name must end in .conf, otherwise the $IncludeConfig line in rsyslog.conf never picks it up.

vi /etc/rsyslog.d/vmware-esxi.conf and in your vi:

if ($fromhost-ip == '192.168.0.10') then /var/log/vmware-esxi.log

Use plain ASCII single quotes. The curly quotes that word processors and some web pages produce make rsyslog reject the line, and then the whole service fails to start.

I am assuming you are a Vi person. If you are nano person or something else, then, that’s your cuppa.

I have a problem with the line above: it logs everything coming from the ESXi host, debug chatter included. I need to filter those annoying debug messages. The three lines below do it:

if $fromhost-ip == '192.168.0.10' and $syslogseverity <= '6' then -/var/log/vmware-esxi.log
if $fromhost-ip == '192.168.0.10' then ~
& ~

These three lines were copied from the AlienVault forum (https://www.alienvault.com/forums/discussion/2111/vmware-plugin-series); what each line does is below.

Line 1: anything from the loggee with severity 6 (informational) or a lower number (i.e. more severe) is written to vmware-esxi.log; severity 7 (debug) does not match and is left alone. The dash in front of the file name tells rsyslog not to sync the file after every write. According to the MAN: "You may prefix each entry with the minus "-" sign to omit syncing the file after every logging. Note that you might lose information if the system crashes right behind a write attempt. Nevertheless this might give you back some performance, especially if you run programs that use logging in a very verbose manner."

In current rsyslog versions syncing after each write is already off by default, so the dash changes nothing and is mostly there out of habit.

Line 2 is the one that matters. Writing to a file does not stop rsyslog from evaluating the rules that follow, so without it every ESXi message (the informational ones already written to the file, plus the debug ones) would carry on to the default rules in rsyslog.conf and end up in /var/log/messages as well. The tilde (~) discards the message and stops processing right there for everything from the loggee. The ampersand on the last line means "and also, for the same selector as the previous line", so '& ~' discards the same set again; after line 2 it is redundant but harmless. Newer rsyslog versions prefer the keyword stop to ~, which is deprecated but still accepted.
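To see the rule chain behave rather than take it on faith, here is a small simulation of the three lines above. It is an added example for this post, not code from the page, from AlienVault or from rsyslog. It decodes the RFC 3164 PRI prefix into the severity rsyslog exposes as $syslogseverity, walks the rules in file order, and shows where each message ends up; the with_discard switch shows what happens when line 2 is left out. The datagrams are constructed; 192.168.0.10 is the ESXi host from the post and 192.168.0.99 is an assumed unrelated host. The default rules in rsyslog.conf are simplified here to a single /var/log/messages target.

```python
"""Simulate how the three rsyslog lines route syslog datagrams (added example)."""
import re
from typing import List, Tuple

LOGGEE_IP = "192.168.0.10"
ESXI_LOG = "/var/log/vmware-esxi.log"
CATCHALL = "/var/log/messages"   # stand-in for the default rules in rsyslog.conf

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(datagram: str) -> Tuple[int, int, str]:
    """Split the RFC 3164 <PRI> prefix into (facility, severity, rest).

    PRI = facility * 8 + severity, so the severity is the low three bits;
    that value is what rsyslog exposes as $syslogseverity.
    """
    m = _PRI_RE.match(datagram)
    if m is None:
        return 1, 5, datagram  # no PRI: rsyslog assumes user.notice (13)
    pri = int(m.group(1))
    return pri >> 3, pri & 7, m.group(2)


def route(fromhost_ip: str, datagram: str, with_discard: bool = True) -> List[str]:
    """Return the files the message is written to ([] means discarded).

    with_discard=False shows the outcome if line 2 ('then ~') is omitted.
    """
    _facility, severity, _rest = decode_pri(datagram)
    written: List[str] = []

    # line 1: if $fromhost-ip == '192.168.0.10' and $syslogseverity <= '6'
    #         then -/var/log/vmware-esxi.log
    # An action does not stop rule processing, so evaluation carries on.
    if fromhost_ip == LOGGEE_IP and severity <= 6:
        written.append(ESXI_LOG)

    # line 2: if $fromhost-ip == '192.168.0.10' then ~
    # '~' discards and stops here for everything from the host, debug included.
    # line 3: '& ~' repeats the discard on the same selector, changing nothing.
    if with_discard and fromhost_ip == LOGGEE_IP:
        return written

    # Not stopped: the message reaches the default rules in rsyslog.conf.
    written.append(CATCHALL)
    return written


# Constructed samples in ESXi's RFC 3164 style: <PRI>timestamp host tag: msg
SAMPLES = [
    ("192.168.0.10", "<166>2015-09-11T18:09:19Z esxi Hostd: User root logged in"),   # local4.info
    ("192.168.0.10", "<167>2015-09-11T18:09:20Z esxi Hostd: verbose heartbeat"),     # local4.debug
    ("192.168.0.10", "<163>2015-09-11T18:09:21Z esxi vmkernel: storage path lost"),  # local4.err
    ("192.168.0.99", "<166>2015-09-11T18:09:22Z other sshd: Accepted password"),     # not the loggee
]


def route_all(samples=SAMPLES, with_discard: bool = True):
    """Route every sample; returns (fromhost, severity, destinations) tuples."""
    return [(ip, decode_pri(d)[1], route(ip, d, with_discard)) for ip, d in samples]


if __name__ == "__main__":
    for label, flag in (("with line 2", True), ("without line 2", False)):
        print(f"--- {label} ---")
        for ip, sev, dests in route_all(with_discard=flag):
            print(f"{ip} sev={sev} -> {dests or 'discarded'}")
```

Run it and the "without line 2" section shows the informational ESXi messages landing in both files and the debug ones in /var/log/messages, which is exactly the duplication and noise the discard line prevents.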

OK so anyway, you have your configuration set up and filtering.

Go ahead and restart rsyslog. If it fails to come back, look for a stray quote character in the fragment first:

/etc/init.d/rsyslog restart

Remember to configure log rotation for the new file, otherwise it grows until the disk is full:

vi /etc/logrotate.d/vmware-esxi

/var/log/vmware-esxi.log
{
    # keep 4 rotated copies, i.e. 4 days with daily rotation
    rotate 4
    # rotate every day
    daily
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    postrotate
        invoke-rc.d rsyslog reload > /dev/null
    endscript
}

I took this from the AlienVault document as is, but it is worth knowing what it does: missingok means don't complain if the file is absent, notifempty skips rotation of an empty file, compress gzips the rotated copies and delaycompress postpones that by one rotation so nothing still being written gets compressed, and the postrotate block reloads rsyslog so it reopens the fresh file rather than continuing to write into the rotated one. Drop that reload and the log appears to stop dead after the first rotation.

You look pretty set up.

Now go to /var/log and see whether vmware-esxi.log is there.

If it's not,

touch vmware-esxi.log

tail -f vmware-esxi.log

This creates the file manually (rsyslog would create it on the first matching message anyway, so a missing file after the restart usually just means nothing has matched yet) and tails it so you see any new lines as they are appended.

Now go to your ESXi box and log in; you should see some activity on that tail of yours. If nothing shows up, work backwards: a packet capture for UDP 514 from 192.168.0.10 on the logging interface tells you whether the host is sending at all, and a message that arrives on the wire but never reaches the file points at the filter or the listener, not at ESXi.

Amazingly you have not touched AlienVault itself yet; everything so far is stock rsyslog. But you have got logs from the loggee into the logger, so go ahead and grab your coffee. That's a good start. We'll look at what AlienVault does with those logs that other syslog servers don't in the next post.

AlienVault Troubleshooting: NFSEN cannot start

One of the issues we faced was that NFSEN suddenly barfed on restart. This is highly annoying because every time we reconfigure AlienVault it hangs at the NFSEN service restart because it can't bring it up. We didn't know why.

Even though we don't use netflow much in our environment, it was still a pain, so we tried to troubleshoot it and finally resolved it.

The issue was when we click on Environment>Netflow we saw these errors

ERROR: nfsend connect() error: Connection refused!

ERROR: nfsend – connection failed!!

NFSEN

Obviously this was irritating. Under Configuration > Deployment > Sensors we clicked on our AIO, scrolled to the bottom and saw that the netflow collection was not running.

I think it could be because we didn’t set any interface to be ‘monitoring’. We went ahead and set it using the alienvault-setup menu and assigned eth1 to be monitoring. Strangely we couldn’t assign it in the GUI under Configuration>Deployment>AIO>Sensor Configuration and Detection. We only had option for Eth0 (our management) and ETH5 (our logging interface).

Anyway, once we set an interface to monitoring we still couldn’t start nfsen through the GUI or even through the command line under /etc/init.d/nfsen start/stop.

It kept giving this error

Use of uninitialized value $pid in scalar chomp at /usr/bin/nfsend line 765.
Use of uninitialized value $pid in kill at /usr/bin/nfsend line 767.
Use of uninitialized value $pid in concatenation (.) or string at /usr/bin/nfsen

Which made as much sense as Greek.

In any case, at least it gave a clue that /usr/bin/nfsend might be complaining because nfsen wasn't up in the first place. So we went ahead and

VirtualUSMAllInOne:/usr/bin# ./nfsen start
Starting nfcapd:(564D89B81691003B6E98F73F9FFA258C)[25330]
Starting nfsend.

This didn't throw any errors and nfsend seems to have started. Do a ps -ef and grep for nfs and you have a nice PID allocated.

VirtualUSMAllInOne:/usr/bin# ps -ef | grep nfs
www-data 25330 1 0 23:12 ? 00:00:00 /usr/bin/nfcapd -w -D -p 555 -u www-data -g www-data -B 200000 -S 7 -P /var/nfsen/run/p555.pid -I 564D89B81691003B6E98F73F9FFA258C -l /var/cache/nfdump/flows//live/564D89B81691003B6E98F73F9FFA258C
www-data 25332 1 0 23:12 ? 00:00:00 /usr/bin/perl -w /usr/bin/nfsend
www-data 25333 25332 0 23:12 ? 00:00:00 /usr/bin/nfsend-comm
root 25339 22649 0 23:12 pts/0 00:00:00 grep --color=auto nfs

So we stopped it again but this time with the init.d script.

VirtualUSMAllInOne:/usr/bin# /etc/init.d/nfsen stop
Stopping Nfsen: nfsenShutdown nfcapd: (564D89B81691003B6E98F73F9FFA258C)[25330]. .
Shutdown nfsend:[25332]..

And started it again using the init.d script

VirtualUSMAllInOne:/usr/bin# /etc/init.d/nfsen start
Starting Nfsen: nfsenStarting nfcapd:(564D89B81691003B6E98F73F9FFA258C)[26383]
Starting nfsend.

Now we checked back our netflow on the gui and it works.

We don't have a definitive explanation. What fits the symptoms: the Perl warnings say nfsend had no PID to chomp or kill, which is what you would expect if the pid files under /var/nfsen/run (note the -P /var/nfsen/run/p555.pid argument in the ps output above) were missing or stale after an unclean stop; starting nfsen once by hand recreated them, after which the init script was happy. It may or may not have anything to do with our interface not being set to monitoring. If you are facing this issue, try the same steps, and have a look in that run directory first.


OSSIM Part 2: Typical Setup

From the previous post, you have successfully installed OSSIM in a VM on ESXi 5.1. Congratulations.

Go ahead and access the web IP address of the OSSIM (you do remember it, don’t you??!)

You are greeted with the same screen as AlienVault: setting the admin account. Never lose the root password; the web admin password can be reset, but root is what you need on the console and over SSH.

Once that is done, relogin again with the new admin password and go through the wizard.

Let's start with the interfaces. Configure one for logging, with its own IP, and another for monitoring, which gets no IP because it only sniffs traffic. For now we didn't do any scanning or other setup; the whole idea was just to see what OSSIM offers.

In case you messed up and only set up 2 network interfaces, don’t worry. Just add a new network interface into the VM and power up the OSSIM again.

You would want to reconfigure it to use that new interface, so go to Configuration and wait for OSSIM to load. The annoying thing about AlienVault is that the Getting Started wizard is literally for getting started: there is no way to invoke it again, so you generally have to reconfigure the network the hard way. There are two ways:

SSH into your OSSIM and run alienvault-setup if not already in the setup menu. Go to Configure Sensor > Configure Network Monitoring and select the new ETH as your network monitor. Then you need to apply changes and wait for OSSIM to rebuild

Second option is GUI>Configuration>Deployment>Click on the OSSIM installation

On the top right, click on Sensor configuration and then on ‘Detection’. You will see listening interfaces there. Go ahead and select the NIC to add to listening interfaces. You don’t need an IP address for monitoring. Apply Changes.

It’s just annoying, and we really wish OSSIM would just allow us to run the getting started wizard again.

If you need one interface to take both the logging and the monitoring role, go to alienvault-setup, set up the network interface under System Preferences and give it an IP; it immediately gets both roles. There shouldn't be more than one interface per subnet. Can your management interface also be the logging interface? Yes, of course, but it's best not to: keep the device syslog traffic off the interface you administer the box from.

Now, again, we wish OSSIM would be a little more clear on this. They already have an awesome GUI, but you would think running the wizard again would be a simple thing to do. Nope, it’s not. You have one shot at it.

So now you have an interface to manage, one to log and one to monitor. Go ahead and have a look at them under the deployment components.

Once this is done, you are basically good to go to start OSSIM!

OSSIM Part 1: Getting Started

After getting our hands wet on AlienVault, another thing clients ask us for is OSSIM, Open Source Security Information Management, the open source variant of AlienVault. We can explore the differences in another post; here, let's get our hands dirty with this AlienVault cousin.

First of all, we are back where we started with VMware. I will assume a running VMware install; in our case it's ESXi 5.1, managed through SSH and vSphere.

1) Create a Virtual Machine for OSSIM

It sounds more intuitive than it really is, and VMware continues to annoy us. Here we just click File > New > Virtual Machine. Note that AlienVault was deployed from an OVF image; OSSIM comes as an ISO image, so we first need to create the virtual machine ourselves.

Go through the wizard; we basically went for the typical installation. We got a little stuck at the Guest Operating System step, since we were going to load the ISO from the datastore, so we just picked a 64-bit OS under 'Other'. OSSIM is Debian-based, so a Linux / Debian 64-bit guest type is the better choice where the list offers it, but it makes little practical difference: the installer takes over the disk regardless, and the guest type only affects VMware's defaults for the virtual hardware.

2) ISO load up

Once created, we need to get the ISO (650MB) onto the host. It's quite annoying: I was working over a VPN and tried WinSCP/SFTP from my laptop to the host, intending to copy it into the datastore from there, but the transfer kept dying after about 200MB and I could never fix it. I don't know why. Maybe there is a limit or something.

So we went the conventional route:

a) Put the ISO into the datastore – Click on the host (not the VM) and click on Configuration Tab. You will see a datastore there. Select it, right click> Browse Datastore. On the little tabs, click on ‘Upload files to this datastore’, and select your local OSSIM iso and upload it away.

It’s magnificently slow, but it seems to work, and all 600+ MB of the payload was sent into the datastore.

b) Right click on the new OSSIM VM>Edit Settings>CD/DVD Drive

You want to click on ‘Connect at Power on’ and also Datastore ISO File. Go ahead and browse the datastore and select the ISO image you just put into the datastore.

3) Start your engines

So load her up. It will boot into the OSSIM installation menu and basically we did all defaults, and allocated an IP address and let it install

4) Post Installation

We did face a problem after the installation: the OSSIM console hung at the VMware logo with 'waiting for connection'. We powered off the OSSIM VM, went back to the CD/DVD drive setting and unticked 'Connect at power on'.

Voila.

The familiar face of the happy Alien greeted us and yes it takes pretty long to boot up just like her commercial cousin. Get a coffee, and we can then dive deeper into OSSIM.

Guarding Yourself From Internet Intrusions

I generally store all my customers' project data in folders and back them up weekly. May was crazy, as it was the first time everyone was filing their GST with Customs Malaysia. To cut the story short, I was so busy that I didn't do any backups for three weeks in a row. Guess what? I got attacked! An extremely bad case of internet intrusion that made me cry tears of anguish.
I was 'googling' for something I was researching and went to a website that looked 'harmless'. My laptop was running Norton Antivirus. No alert or red flag went up, but 10 minutes later I couldn't open any of my Excel or Word documents, and there was an additional notepad document in each of my folders. I knew right away that I'd been attacked.
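The two symptoms described above, documents that no longer open and the same small text file dropped into every folder, are easy to check for mechanically on a mounted drive or a backup before deciding what to restore. The script below is an added example, not code from the original post. It flags Office documents whose first bytes no longer match the header their extension implies (an encrypted copy has been overwritten with ciphertext) and text-like files whose exact name recurs across many folders. The sample tree built by build_sample_tree() is constructed for the demonstration, and the note name HELP_README.txt is an assumed placeholder, not the name any real ransomware family uses.

```python
"""Quick ransomware triage over a folder tree (added example)."""
import os
import tempfile
from collections import Counter
from typing import Dict, List

# Expected leading bytes per document type.
MAGIC = {
    ".docx": b"PK\x03\x04",        # Office Open XML is a zip container
    ".xlsx": b"PK\x03\x04",
    ".pptx": b"PK\x03\x04",
    ".doc":  b"\xd0\xcf\x11\xe0",  # legacy OLE2 compound document
    ".xls":  b"\xd0\xcf\x11\xe0",
    ".pdf":  b"%PDF",
}

NOTE_EXTS = (".txt", ".html", ".url")


def suspect_documents(root: str) -> List[str]:
    """Documents (paths relative to root) whose header does not match their extension."""
    bad = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in MAGIC:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(len(MAGIC[ext]))
            if head != MAGIC[ext]:
                bad.append(os.path.relpath(path, root))
    return sorted(bad)


def candidate_notes(root: str, min_dirs: int = 3, max_bytes: int = 16384) -> Dict[str, int]:
    """Small text-like files whose exact name appears in at least min_dirs folders.

    Ordinary documents rarely share a name across many folders; a ransom note
    is written into every folder the malware walked through.
    """
    per_name: Counter = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(NOTE_EXTS):
                continue
            if os.path.getsize(os.path.join(dirpath, name)) <= max_bytes:
                per_name[name] += 1  # names are unique within a folder, so this counts folders
    return {name: n for name, n in per_name.items() if n >= min_dirs}


def build_sample_tree(root: str) -> None:
    """Constructed sample: three client folders hit by the malware, plus one intact
    spreadsheet and one legitimate text file that lives in a single folder."""
    ciphertext = bytes(range(255, 191, -1))  # 64 deterministic bytes, no zip header
    for client in ("clientA", "clientB", "clientC"):
        folder = os.path.join(root, client)
        os.makedirs(folder)
        with open(os.path.join(folder, "HELP_README.txt"), "w") as fh:  # assumed note name
            fh.write("Your files have been encrypted.\n")
        with open(os.path.join(folder, "invoice.docx"), "wb") as fh:
            fh.write(ciphertext)
    with open(os.path.join(root, "clientA", "budget.xlsx"), "wb") as fh:
        fh.write(b"PK\x03\x04" + bytes(60))
    with open(os.path.join(root, "clientA", "notes.txt"), "w") as fh:
        fh.write("Meeting notes, present in one folder only.\n")


def demo() -> dict:
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {"notes": candidate_notes(root), "suspect_docs": suspect_documents(root)}


if __name__ == "__main__":
    print(demo())
```

Point suspect_documents() and candidate_notes() at a real folder and the output tells you which documents are actually damaged (and so need restoring) and which file is the note, without opening anything. The header check is deliberately strict: a file that fails it is not necessarily encrypted, but a .docx that does not start with a zip header is not a usable .docx either.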

I opened the notepad to read the message – I need to know what virus I’ve been infected with to decide what my next move should be.

So, it's Cryptowall 3.0, one of the newer ransomware versions, and so far no 'key' is available to decrypt it. Many others have been decrypted with the help of forum-ers, but not Cryptowall 3.0. They want money before my files can be decrypted. It has never been proven that paying gets you the key, and it is my belief that we should never encourage people who bribe and threaten in this manner.

Rather than crying over spilt milk, time for me to assess how to restore and clean my laptop. This is what I did.

1) Restore
Restore from my backups from three weeks ago. Unfortunately I had done a lot of work since then. Not good. However, Windows has a very useful feature: 'Restore Previous Versions'.
If you right-click a folder, there is an option to pick the date to restore it to. It is a life saver in many ways: you may not get your latest version, but it saves tons of hours of trying to figure out what you did on your documents for the past three weeks, in my case. So it was an arduous task of right-clicking ALL my folders and restoring each to the latest version available. Two caveats for anyone counting on this: it only works if System Protection (Volume Shadow Copy) was switched on for that drive before the infection, and many ransomware families, Cryptowall 3.0 among them, delete the shadow copies as part of the attack, so treat it as a bonus rather than a backup.

2) Anti-virus program re-assessment
Many times it could be our own fault that we don't have the latest virus definitions. In my case they were auto-updated, so go figure. I checked that I was still on auto-update for the program, but the virus attacked anyway. We need to know that there are no virus-proof programs. Hackers come up with new viruses on a daily basis; if you visit AlienVault's Open Threat Exchange (OTX), the list grows every day. It is to our own benefit to be preventive rather than reactive, to stay on the alert and to ensure that we have a reasonable internet security application in place at work.

3) Cleaning up my laptop
For those not in the know, there are many forums for poor 'infected' souls like us, with people willing to help clean up and make sure our laptops are back in tip-top condition. It would be very foolish (I repeat, foolish) not to do a proper clean-up after being infected, as you risk your files being encrypted again. Cleaning up with Norton is probably the bare minimum; however, I wanted to be very sure. Speaking of forums, I have always gone to two that have helped me answer questions about all sorts of internet security matters:
a) http://www.bleepingcomputer.com
b) http://forums.whatthetech.com/index.php?showtopic=129712&hl=
In my case I went to whatthetech. If you are a registered user of either forum, they will go through each step with you. You can view my thread on how the clean-up went at the link above. There is no obligation to pay, but donations are most welcome by the folks who dedicate their time to the forums. (This article is not paid for or requested by whatthetech.)

4) Some things to take note
• Avoid P2P file sharing programmes; they are a security risk that can make your computer susceptible to malware. File sharing networks are thoroughly infested with malware: worms, backdoor Trojans, IRC bots and rootkits propagate via P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code that triggers pop-up ads and malicious Flash ads that install malware. The best way to reduce the risk of infection is to avoid these types of web sites and P2P programmes.
• Registry cleaners and optimization tools that claim to speed up your computer should be avoided, and are potentially dangerous. By running a registry cleaner you risk rendering your machine unbootable.
• Personal data sharing: Wild Tangent Games. Did you know that if you own an ACER laptop or desktop, Wild Tangent Games are PRE-INSTALLED? Apparently ACER has a partnership with them. What you need to know is:
The Wild Tangent Games privacy policy, by default, indicates that you have agreed to advertisements by WildTangent and third parties and to brand studies, whereby you have allowed WildTangent Games to collect certain personal information.
This was discovered by the whatthetech consultant who was helping me. So if you own an ACER laptop, beware and uninstall all Wild Tangent Games. [Check out my piece about personal data and PDPA Malaysia: http://www.pkfavantedge.com/pdpa/the-iot-internet-of-things-my-personal-experience/]

5) Back-up Frequently
Back-up, Back-up, Back-up. I cannot emphasize the importance of this exercise. Back-up at least once a week; especially if you have done a lot of work that week. You may choose to back-up your personal and work items separately in terms of frequency, but back-up all your precious memories and work.
My viral attack drama ends here. I certainly do not wish this drama on anyone.

Be SAFE!!!

For Internet Security Applications advisory or PDPA training, drop us an email at avantedge@pkfmalaysia.com or contact us at +603 6203 1888.

by Agnes Yew, PKFAE Project Manager


© 2024 PKF AvantEdge
