Integrated Tools in AlienVault Unified Security Management Platform


Description

Today more than 30 open-source security tools are built into this framework, making AlienVault the fastest way to start and the easiest way to manage a comprehensive security program.

Transcript of Integrated Tools in AlienVault Unified Security Management Platform

Page 1: Integrated Tools in AlienVault Unified Security Management Platform

TAKE YOUR OPEN SOURCE SECURITY STRATEGY TO THE NEXT LEVEL

The power of open source from a single, unified console

WWW.ALIENVAULT.COM/

Page 2

MEET OSSIM

The World’s Most Widely Used SIEM

- OSSIM is trusted by 195,000+ security professionals in 175 countries … and counting
- Established and launched by security engineers out of necessity
- Users enjoy all of the features of a traditional SIEM – and more

Page 3

EXAMPLE OF HOW THE TOOLS WORK TOGETHER

Page 4

HOW IT WORKS

Tools Classification

Tools integrated with AlienVault OSSIM are classified by how the tool behaves on the network being monitored:

- Active: they generate traffic on the network being monitored
- Passive: they analyze network traffic without generating any traffic

Passive tools require port mirroring (SPAN) to be configured on the network equipment or virtual machines so that they can see the traffic they analyze.

Page 5

ASSET DISCOVERY

Page 6

Detecting Network Assets in AlienVault OSSIM

PRADS

What is it?

Signature-based detection engine used to passively detect network assets

OSSIM allows for distributed PRADS monitoring, to help simplify:

- Inventory management
- Version changes on services
- Policy violations
- Inventory correlation

Passive Tool

Passive.sourceforge.net

Page 7

Identifying Network Hosts & Services in AlienVault OSSIM

NMAP (NETWORK MAPPER)

What is it?

- Security scanner to discover hosts & services on the network
- Product includes an interface for scheduling NMAP scans & an inventory system to manage results

The OSSIM user interface makes it easy to schedule NMAP scans and manage results.

Quickly find: network assets, open ports, service versions, operating systems and product versions

Active Tool

nmap.org

Page 8

Inventorying IT Assets in AlienVault OSSIM

OCS INVENTORY NG

What is it?

- Lightweight agent; provides full enumeration of installed software
- Collects information about the hardware running the OCS agent

OSSIM simplifies OCS inventory installation and management of:

- Hardware and software inventory
- Vulnerabilities
- Information on policy violations

Active Tool

ocsinventory.ng.org

Page 9

VULNERABILITY ASSESSMENT

Page 10

Vulnerability Assessment in AlienVault OSSIM

OPENVAS

What is it?

- Provides both authenticated and unauthenticated vulnerability detection
- Actively scans the network for known vulnerabilities per your specifications
- Daily feed of network vulnerability tests (over 33,000)
- Allows fine-tuning of scanning aggressiveness

OSSIM gives users the ability to schedule OpenVAS scans and reporting in concert with vulnerability information.

Active Tool

openvas.org

Page 11

Web Vulnerability Scanning in AlienVault OSSIM

NIKTO

What is it?

Performs comprehensive tests against web servers

NIKTO in OSSIM scans web servers for problems including:

- Server and software misconfigurations
- Default files and programs
- Insecure files and programs
- Outdated software

Active Tool

cirt.net/nikto2

Page 12

THREAT DETECTION

Page 13

Host-based Intrusion Detection in AlienVault OSSIM

OSSEC

What is it?

Host-based intrusion detection system

How does it work?

- OSSIM provides a web interface for OSSEC to simplify management of distributed deployments
- The AlienVault Sensor collects events from the OSSEC server
- OSSIM can use Windows, UNIX and application logs, as well as registry and file integrity monitoring information

Active Tool

ossec.org

Page 14

Network Intrusion Detection in AlienVault OSSIM

SNORT

What is it?

- Default IDS in the virtual appliance
- Generates security events for the SIEM when analyzing network traffic
- Combines signature, protocol and anomaly-based inspection

OSSIM makes it easy to manage distributed SNORT installations. Manage IDS rules to monitor for malware signatures and policy violations (P2P, unauthorized IM, games, etc.).

Passive Tool

snort.org

Page 15

Intrusion Detection & Prevention in AlienVault OSSIM

SURICATA

What is it?

- Intrusion detection and intrusion prevention, based on threat signatures
- Same IDS signatures as SNORT
- Advanced processing of HTTP signatures
- Multi-threaded processing

OSSIM makes it easy to manage distributed Suricata installations and manage IDS rules.

Passive Tool

Suricata.ids.org

Page 16

Wireless Intrusion Detection System in AlienVault OSSIM

KISMET

What is it?

- OSSIM uses the Kismet package for wireless IDS
- Works with any wireless card supporting raw monitoring (rfmon) mode
- With appropriate hardware, like a Raspberry Pi, can sniff 802.11b, 802.11a, 802.11g & 802.11n traffic

OSSIM provides an interface for easy distributed deployments of Kismet.

- WiFi network security monitoring
- Rogue AP detection
- PCI compliance help

Passive Tool

kismetwireless.org

Page 17

SECURITY INFORMATION & EVENT MANAGEMENT

Page 18

Security Event & Information Management

ALIENVAULT OSSIM

OSSIM, the open source SIEM, is the most widely used SIEM in the world.

What can you do with it?

- Event collection, normalization and correlation
- Leverage a suite of pre-integrated, best-of-breed security tools for incident response

Passive Tool

www.alienvault.com/open-threat-exchange/projects

Page 19

BEHAVIORAL ANALYSIS

Page 20

System & Network Monitoring in AlienVault OSSIM

NAGIOS

What is it?

- Watches hosts & services and provides alerts
- Configurable checking of assets
- Can do checks with an agent or remotely, without an agent
- Wide variety of plugins for monitoring apps and devices available

OSSIM provides a web interface for Nagios, making distributed installations easy with:

- Ongoing availability monitoring
- Availability monitoring during logical correlation (by request)
- Visibility into whether service ports are open or closed

Active Tool

nagios.org

Page 21

Network Traffic Capture in AlienVault OSSIM

TCPDUMP

What is it?

- TCPDUMP is a command-line packet analyzer
- libpcap, the capture library it is built on, is a portable C/C++ library


Active Tool

tcpdump.org

Page 22

Generating Netflow Data in AlienVault OSSIM

FPROBE

What is it?

- Collects network traffic data and distributes it as netflow flows towards the specified collector
- Libpcap-based tool

OSSIM provides an integrated console where you can view the netflow information from FPROBE, to assist with incident response.

Passive Tool

fprobe.sourceforge.net/

Page 23

Netflow Collector in AlienVault OSSIM

NFDUMP

What is it?

- Reads netflow data from the files stored by NFCAPD
- NFDUMP syntax is similar to TCPDUMP

OSSIM makes it easy to quickly implement NFDUMP for netflow analysis:

- Provides netflow data
- Creates customizable top N statistics of flows, IP addresses, ports, etc.
- Saves time by eliminating the need for a “How To” tutorial
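The "top N statistics of flows, IP addresses, ports" bullet is easy to picture once you see the aggregation behind it. The following Python is an added example, not code from the deck or from nfdump/OSSIM: it parses a handful of constructed flow records written in a simplified, nfdump-like column layout (this is not nfdump's real output format) and builds top-N tables keyed on any field, counted by bytes, packets or number of flows. Ties are broken on the key so the ranking is deterministic.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample flow records in a simplified, nfdump-like layout
# (NOT nfdump's real output format):
#   date time proto src_ip:src_port -> dst_ip:dst_port packets bytes
SAMPLE_FLOWS = """\
2024-01-01 10:00:01 TCP 10.0.0.5:51234 -> 192.0.2.10:443 12 8400
2024-01-01 10:00:02 TCP 10.0.0.5:51235 -> 192.0.2.10:443 9 6100
2024-01-01 10:00:03 UDP 10.0.0.7:53122 -> 192.0.2.53:53 2 180
2024-01-01 10:00:04 TCP 10.0.0.9:40001 -> 192.0.2.20:22 40 32000
2024-01-01 10:00:05 TCP 10.0.0.9:40002 -> 192.0.2.21:22 38 30500
2024-01-01 10:00:06 TCP 10.0.0.5:51236 -> 192.0.2.11:80 5 2300
2024-01-01 10:00:07 UDP 10.0.0.7:53123 -> 192.0.2.53:53 2 190
2024-01-01 10:00:08 TCP 10.0.0.12:50000 -> 192.0.2.10:443 300 410000
"""


def parse_flows(text: str) -> List[Dict]:
    """Parse the constructed layout above into flow records.
    Lines that do not have the expected shape are skipped rather than
    aborting the whole run, which is what you want on a large capture."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[4] != "->":
            continue
        try:
            src_ip, src_port = parts[3].rsplit(":", 1)
            dst_ip, dst_port = parts[5].rsplit(":", 1)
            flows.append({
                "time": f"{parts[0]} {parts[1]}",
                "proto": parts[2],
                "src_ip": src_ip, "src_port": int(src_port),
                "dst_ip": dst_ip, "dst_port": int(dst_port),
                "packets": int(parts[6]), "bytes": int(parts[7]),
            })
        except ValueError:          # non-numeric port, packet or byte field
            continue
    return flows


def top_n(flows: List[Dict], key: str, metric: str = "bytes", n: int = 10) -> List[Tuple]:
    """Aggregate flows by one field (src_ip, dst_port, proto, ...) and return
    the top n entries by 'bytes', 'packets' or 'flows' (count of records).
    Ties are broken by the key text so the output is deterministic."""
    totals = defaultdict(int)
    for f in flows:
        totals[f[key]] += 1 if metric == "flows" else f[metric]
    return sorted(totals.items(), key=lambda kv: (-kv[1], str(kv[0])))[:n]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("Top sources by bytes:        ", top_n(flows, "src_ip", "bytes", 3))
    print("Top destination ports by flows:", top_n(flows, "dst_port", "flows", 3))
    print("Protocols by packets:        ", top_n(flows, "proto", "packets", 2))
```

Swapping the `key` and `metric` arguments gives the different views the slide mentions (talkers by bytes, ports by flow count, and so on); on a real deployment the records would come from nfdump's own output rather than the embedded sample.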

Passive Tool

Nfdump.sourceforge.net

Page 24

Collecting IP Traffic in AlienVault OSSIM

NFSEN

What is it?

- Web based front end for NFDUMP
- NFSEN is a network protocol developed by Cisco to run on IOS-enabled equipment and collect IP traffic information
- It is supported by other platforms, such as Juniper, Linux, FreeBSD and OpenBSD

OSSIM aggregates NFSEN data and allows you to:

- Display netflow data
- Process netflow data within a specific time frame
- Create historic and continuous profiles

Passive Tool

nfsen.sourceforge.net

Page 25

Network Use Monitoring in AlienVault OSSIM

NTOP

What is it?

- Network probe providing real-time & historical network usage
- Uses the RRD Aberrant Behavior algorithm to draw predictions of future behavior; if the prediction differs from the real traffic, an event is generated in OSSIM
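The mechanism behind that last bullet is worth seeing in code. The following Python is an added example, not code from the deck, from ntop or from OSSIM: it implements Holt-Winters triple exponential smoothing with a per-slot smoothed deviation band and a failures window, the scheme RRDtool uses for its HWPREDICT, SEASONAL, DEVSEASONAL and FAILURES archives. A sample outside the band is a violation; when at least 7 of the last 9 samples are violations (RRDtool's documented FAILURES defaults) the detector reports a failure, which is the point at which a monitor such as OSSIM would raise an event. The traffic series, the smoothing constants and the deviation floor `min_dev` are this example's own assumptions.

```python
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class HoltWintersDetector:
    """Holt-Winters forecast + smoothed deviation band + failures window,
    after RRDtool's aberrant-behaviour archives. Added example code; the
    deviation floor `min_dev` is this example's own choice."""
    season_len: int               # samples per season, e.g. 24 hourly samples per day
    alpha: float = 0.1            # level smoothing
    beta: float = 0.01            # trend smoothing
    gamma: float = 0.1            # seasonal and deviation smoothing
    delta: float = 3.0            # band half-width, in smoothed deviations
    window: int = 9               # FAILURES: inspect the last `window` samples ...
    threshold: int = 7            # ... and fail at `threshold` or more violations
    min_dev: float = 5.0          # floor so the band never collapses to zero width (assumption)
    level: float = 0.0
    trend: float = 0.0
    seasonal: List[float] = field(default_factory=list)
    deviation: List[float] = field(default_factory=list)
    violations: List[bool] = field(default_factory=list)
    _seed: List[float] = field(default_factory=list)
    _n: int = 0

    def update(self, y: float) -> Tuple[Optional[float], bool, bool]:
        """Feed one sample; return (prediction, violation, failure).
        The first season only seeds the model, so prediction is None there."""
        slot = self._n % self.season_len
        self._n += 1
        if self._n <= self.season_len:
            self._seed.append(y)
            if self._n == self.season_len:       # seed: level = mean, seasonal = offsets
                self.level = sum(self._seed) / self.season_len
                self.seasonal = [v - self.level for v in self._seed]
                self.deviation = [self.min_dev] * self.season_len
            return None, False, False

        prediction = self.level + self.trend + self.seasonal[slot]
        error = y - prediction
        violation = abs(error) > self.delta * self.deviation[slot]

        # Additive Holt-Winters updates (the seasonal term uses the new level).
        new_level = self.alpha * (y - self.seasonal[slot]) + (1 - self.alpha) * (self.level + self.trend)
        self.trend = self.beta * (new_level - self.level) + (1 - self.beta) * self.trend
        self.seasonal[slot] = self.gamma * (y - new_level) + (1 - self.gamma) * self.seasonal[slot]
        self.level = new_level
        # The deviation is smoothed per seasonal slot, like the forecast itself.
        self.deviation[slot] = max(self.min_dev,
                                   self.gamma * abs(error) + (1 - self.gamma) * self.deviation[slot])

        self.violations.append(violation)
        failure = sum(self.violations[-self.window:]) >= self.threshold
        return prediction, violation, failure


def constructed_traffic(days: int = 7, season_len: int = 24, surge: float = 200.0) -> List[float]:
    """Constructed sample: a smooth daily traffic curve (say Mbit/s) with `surge`
    added on day 5 between hours 10 and 18 inclusive."""
    series = []
    for t in range(days * season_len):
        hour = t % season_len
        value = 100.0 + 50.0 * math.sin(2 * math.pi * hour / season_len)
        if 4 * season_len + 10 <= t <= 4 * season_len + 18:
            value += surge
        series.append(value)
    return series


def analyse(series: List[float], season_len: int = 24) -> Dict[str, List[int]]:
    """Run the detector over a series; return the sample indices that were
    violations (outside the band) and failures (where an event would fire)."""
    det = HoltWintersDetector(season_len=season_len)
    result: Dict[str, List[int]] = {"violations": [], "failures": []}
    for t, y in enumerate(series):
        _, violation, failure = det.update(y)
        if violation:
            result["violations"].append(t)
        if failure:
            result["failures"].append(t)
    return result


if __name__ == "__main__":
    r = analyse(constructed_traffic())
    print("first violation at sample", r["violations"][0],
          "first failure at sample", r["failures"][0])
```

With the constructed series the surge begins at sample 106 (day 5, hour 10) and the first violation lands there, but the failure is only declared at sample 112, once seven violations sit inside the nine-sample window. Notice also that after the surge ends the forecast has been pulled upwards, so normal traffic sits below the band for a while: that tail of post-incident violations is inherent to the method and is why the window-and-threshold rule, rather than a single out-of-band sample, decides when to raise an event.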

In OSSIM, NTOP provides:

- Network usage statistics
- Asset information
- Time & activity matrices
- Real-time session monitoring
- Network abuse information

Passive Tool

ntop.org

Page 27