Tag: vmware

OSSIM Part 1: Getting Started

After getting our hands wet on AlienVault, another demand we have technically from clients is OSSIM. OSSIM here means Open Source Security Information Management – the open source variant of AlienVault. We can explore the differences in another post, but in this post, let’s get our hands dirty with this AlienVault cousin.

First of all, we are back where we started with VMWare. I will assume we have a running VMWare install; in our case it's ESXi 5.1, managed through SSH and vSphere.

1) Create a Virtual Machine for OSSIM

It sounds more intuitive than it really is, but VMWare continues to annoy us. Here we just click on File->New->Virtual Machine. Do note that for AlienVault it was an OVF image we deployed. For OSSIM, it will be an ISO image, so we need to create the virtual host first.

Go through the wizard; we basically went for the typical installation. We got a little stuck at the Guest Operating System though. We were supposed to load the ISO from the datastore, so in this case we just randomly selected a 64-bit OS under 'Others'. I don't think it would make any difference if we had selected anything else, since the OSSIM install will basically take over the OS.

2) ISO load up

Once created, we need to get the ISO (650MB) into our machine. It's quite annoying because I was running through a VPN and I tried to WinSCP or SFTP from my laptop to the host and, from the host, copy it to the datastore. However, the line kept dying after 200 MB transferred and I could never fix it. I don't know why. Maybe there is a limit or something.

So we went the conventional route:

a) Put the ISO into the datastore – Click on the host (not the VM) and click on the Configuration tab. You will see a datastore there. Select it, right click > Browse Datastore. On the little tabs, click on 'Upload files to this datastore', select your local OSSIM ISO and upload it away.

It’s magnificently slow, but it seems to work, and all 600+ MB of the payload was sent into the datastore.

b) Right click on the new OSSIM VM>Edit Settings>CD/DVD Drive

You want to click on ‘Connect at Power on’ and also Datastore ISO File. Go ahead and browse the datastore and select the ISO image you just put into the datastore.

3) Start your engines

So load her up. It will boot into the OSSIM installation menu; we basically went with all the defaults, allocated an IP address and let it install.

4) Post Installation

We did face a problem after the installation. The OSSIM console hung at the 'VMWARE' logo with 'waiting for connection'. We powered off the OSSIM VM, went back to the CD/DVD drive setting and removed the 'Connect at power on' option.

Voila.

The familiar face of the happy Alien greeted us and yes, it takes pretty long to boot up, just like her commercial cousin. Get a coffee, and we can then dive deeper into OSSIM.

AlienVault Setup 1: VMWare Esxi 5.1


We decided to get an old server we had lying around the office and turn it into our AV (AlienVault) machine using a trial license (30-day full spec).

We faced several issues, which I will put down in this article and a few others to guide others in installing the AV product in their network.

1) Installing VMWare Vsphere 6.0

AlienVault is actually quite easy to install. Getting VMWare ESXi or vSphere running on an old machine was a different story. So before we even got AV up and running, we had to coax our machine to run VMWare. The first issue was that there was no CD drive. This wasn't so difficult; you have basically two choices:

a) Boot with a CD, with a VMWare ISO image

b) Boot from USB, if your BIOS supports it.

As it turns out, our BIOS was able to support USB boot. So we used the extremely useful Rufus (https://rufus.akeo.ie/) tool to burn the ISO image we downloaded from VMWare at https://my.vmware.com/web/vmware/evalcenter?p=free-esxi6.

We set up the BIOS to boot from USB and immediately got into the installation portion for VM. So far so good.

2) Unsupported network adapter

Immediately we got hit with an unsupported network adapter error and VMWare basically refused to go on. At this point we had 3 options:

a) Hack the image and inject the drivers for our network adapter (I believe it was a Realtek 8168 GB Ethernet)

b) Purchase and set up an adapter that is in the compatibility list at http://www.vmware.com/resources/compatibility/search.php

c) Downgrade VMWare 6 to 5.1 or below

Fortunately we still had an older version of VMWare from a few years back on our network drive, so we chose option c), since Realtek was supported by VMWare then. Why they removed the support, I have no idea.

We re-did the USB image with 5.1 and rebooted from USB – this time we got through without any issue, and VMWare ESXi was installed!

d) Deploying AlienVault 

Once you have your VM server up, you just download the client and deploy the AV OVF using File -> Deploy OVF Template. Of course, you have to download the trial AV first. Head over to www.alienvault.com/free-trial.

Just use default settings BUT choose ‘Thin Provisioning’ as disk format to avoid having to pre-allocate the full amount of disk space. This will allocate a minimal footprint for your image and grow as you store logs.

e) Power On — Not.

We still had some minor issues, such as the error stating that more virtual CPUs were configured than the physical CPUs available – in this case, it was simply a matter of right clicking the VM -> Edit Settings -> CPUs and lowering the number of CPUs from 8 to 4. You might not face this, but remember we are using a low spec system.

f) Power On — NOT again.

This time it powered up, but when we tried to get into the AV console, we got a blank screen. We checked the event logs, which stated:

“The CPU has been disabled by the guest operating system. You will need to power off or reset the virtual machine at this point.”

We were a little stumped at this point and googling didn't really reveal much. There is more information over at

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2000542

But again, that was still not so helpful.

I then recalled a similar issue from the earlier VMWare installation, where VMware complained that this system did not support hardware virtualisation and told us to ensure it was enabled in the BIOS. Tinkering around the BIOS, we found the setting for Intel Virtualisation Technology to be 'disabled'.

Enabled it and it worked like a charm.

AlienVault is finally up and ready to go! In the next article, we will look into the basic functions of AlienVault.

P/s – make sure you have different IP settings on the AV VM image and the actual host itself. Since VMware also has a WebUI, you won't be able to access AV if you use the same IP address.

Stopping Insider Scans

I’ll admit it. I’ve knocked on doors before, while sitting at Starbucks.

“Knocking on doors” here means running port scanners like Nmap, or vulnerability scanners like Nessus or Nexpose, to see if that guy in the suit across the room is using a laptop that's vulnerable to exploits. I was much younger then. WiFi had just been introduced, and to a guy born with a curious mind like mine, this was exciting stuff. I wasn't a hacker or cracker by any means, nor did I dwell much on writing malicious scripts; it was just curiosity that got me going.

I did find myself on the good side of the law soon after, running DHL's global security group in Asia, where I faced monumental challenges like random denial of service attacks and naughty scans from external parties.

However, it is usually the insiders that do us in.

I'm sure you've heard it before: a secured perimeter is only as strong as its weakest link. And the weakest link is usually inside. A disgruntled employee. A corporate spy. A curious, idle employee with too much time on his hands, reading too many network security articles online. Whatever the case, every company will have its day in the sun. It's just a matter of when.

For instance, we ran our penetration testing services for a network. We usually don't have too many issues in the scanning phase, where we enumerate services and probe a little for vulnerabilities. Our standard process was to inform our client when we were doing exploits. But there is one thing we've learnt in almost every project we've done.

Not everything goes according to plan.

It was an internal penetration test, but we weren't given many details on the network or servers as agreed, and we ran scans against several IPs at once. Soon, our technical client came back to inform us that their servers were not doing too well, and one of the virtual servers running HA had rebooted. We immediately stopped the scans and realised that the IPs given were all running on VMs. Nessus and VMs do not play nice. Do a search on Nessus on communities.vmware.com and pick your poison.

Thankfully, nothing serious occurred, which shows us again how important it is to have people ready and on standby, especially during a pentest, and to follow set procedures and standards. We continued the pentest exercise with greater care, taking into account the known problems between Nessus and VMs, and using alternative scanners.

Which shows how simple it is for someone to DoS (Denial of Service) a network with just a vanilla Nessus running. What can a company do about it?

Well, there are several options:

1) IPS/IDS (Intrusion Prevention/Detection System). These babies usually sit at the network points and work wonders to detect scans and stop them, among other things. We used to run TippingPoint a lot in my previous companies. The problem here is: for a flat network, how do we want to run this? The servers need to be segregated into their own server segment, with an IPS laid out in front of that segment. In a flat network where everything is plugged into a single IP address space, it still can be done, I suppose, but it's probably not the best way.

2) HIPS/HIDS (Host IPS/IDS). It's like a minigun compared to a Gatling gun. It runs on critical servers and works about the same way, except that the network interface gets hit before the intrusion prevention services kick in. It's pretty effective, and we ran a lot of Symantec previously.

3) If those don't do the trick, then we could probably secure every endpoint. If we want to stop internal attacks, the best way is to properly guard your assets. Control all your laptops through proper asset management, with no administrative capability to install Nessus, and an asset scan to ensure nothing naughty has somehow been installed by enterprising employees. You might want to control/choke off the USB ports as well.

4) Finally, set corporate policies. Many companies fail to do this and we don't know why. Document what will happen if activities like scanning are done. Make sure employees understand their obligations to the company and sign acceptable use policies before giving them corporate-owned assets, bought with corporate-owned money. Sometimes a little awareness works better at prevention.
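The scan detection that the IDS/IPS in option 1 performs boils down to spotting one source touching many distinct ports on a host in a short time. The sketch below is an added example, not code from the original post or from any of the products named; the log format, addresses and thresholds are constructed for illustration.

```python
"""Sliding-window port-scan check over constructed connection records.
Added example (not from the original post); log format, addresses and
thresholds are constructed for illustration only."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.23 10.0.1.5 22
2024-03-01T09:00:00 10.0.0.23 10.0.1.5 80
2024-03-01T09:00:01 10.0.0.23 10.0.1.5 443
2024-03-01T09:00:01 10.0.0.23 10.0.1.5 3389
2024-03-01T09:00:02 10.0.0.23 10.0.1.5 8080
2024-03-01T09:00:02 10.0.0.23 10.0.1.5 445
2024-03-01T09:00:03 10.0.0.23 10.0.1.5 139
2024-03-01T09:00:03 10.0.0.23 10.0.1.5 21
2024-03-01T09:00:04 10.0.0.23 10.0.1.5 25
2024-03-01T09:00:04 10.0.0.23 10.0.1.5 110
2024-03-01T09:05:00 10.0.0.44 10.0.1.5 443
2024-03-01T09:06:00 10.0.0.44 10.0.1.6 443
"""

def parse_log(text):
    """Yield (timestamp, src, dst, port) from the constructed format."""
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port)

def detect_vertical_scans(records, min_ports=10, window=timedelta(seconds=60)):
    """Return {src: {dst, ...}} for sources that touched at least min_ports
    distinct ports on one destination inside a sliding time window."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in records:
        by_pair[(src, dst)].append((ts, port))
    alerts = defaultdict(set)
    for (src, dst), events in by_pair.items():
        events.sort()                       # oldest first
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                  # slide the window forward
            if len({p for _, p in events[start:end + 1]}) >= min_ports:
                alerts[src].add(dst)
                break                       # one alert per (src, dst) is enough
    return dict(alerts)

if __name__ == "__main__":
    for src, dsts in detect_vertical_scans(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: possible port scan from {src} against {sorted(dsts)}")
```

The benign host that revisits port 443 never trips the threshold, which is the distinction between a scan and ordinary repeat traffic to one service.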

There are probably other ways I’ve missed out, but generally this would be how we’d deal with idle employees with too much time on their hands scanning our network. That, and putting them on a cold-storage project to wash out their curiosity, maybe.

© 2024 PKF AvantEdge
