AlienVault: File Integrity Monitor


AlienVault is an OSSIM product. OSSIM stands for Open Source Security Information Management. The installation package can be found here.

One of the things AlienVault can do is monitor file integrity. To do that, you have to install the OSSEC agent on the servers you want to monitor. OSSEC is an open-source HIDS (Host-based Intrusion Detection System).

Here is how I use AlienVault to monitor some folders (files) on a Windows server.

1) Create a new Windows host in the Asset section through AlienVault web UI. (Don’t forget to click ‘Apply’).

2) Install the OSSEC agent on the Windows server. Simply follow the installation wizard.

3) ssh into the AlienVault server as root (or with a sudo account), then run the command: /var/ossec/bin/manage_agents

4) Type ‘A’. Then input the name and IP address of the agent (here, the Windows server), and press Enter to accept the default ID number. After that, type ‘L’ to confirm the agent has been added to the server.


5) Type ‘E’ and input the ID number of the agent to generate a key for it.


6) Copy the key and paste it into the agent installed on the Windows server, and add the AlienVault server IP address.


7) Start the OSSEC service.

8) To test it, add a new line ‘#ossec agent file integrity check test’ to the file ‘C:\WINDOWS\System32\drivers\etc\hosts’ on the Windows server. Then go to the AlienVault web UI and navigate to SIEM under the Analysis section. A message ‘ossec: Integrity checksum changed.’ will be displayed once the modification has been detected.
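
To make clear what the agent is actually doing in step 8, here is a small Python script (an added example, not code from AlienVault or OSSEC) that mimics the syscheck idea: take a baseline of size and SHA-256 digest for every file under a directory, rescan, and report files whose checksum changed, were added, or were deleted. It uses a temporary directory standing in for C:\WINDOWS\System32\drivers\etc, with constructed sample files; the event labels other than ‘Integrity checksum changed’ are my own wording.

```python
import hashlib
import tempfile
from pathlib import Path


def file_fingerprint(path: Path) -> dict:
    """Attributes compared by the checker: file size and a SHA-256 digest of the contents."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {"size": path.stat().st_size, "sha256": digest.hexdigest()}


def build_baseline(root: Path) -> dict:
    """Map each file (relative path) under root to its fingerprint."""
    return {str(p.relative_to(root)): file_fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> list:
    """Return (event, relative_path) pairs for every difference between two scans."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            events.append(("File added", rel))
        elif rel not in current:
            events.append(("File deleted", rel))
        elif baseline[rel] != current[rel]:
            events.append(("Integrity checksum changed", rel))
    return events


def demo() -> list:
    """Constructed sample: replay the hosts-file test from step 8 plus one added file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        hosts = root / "hosts"
        hosts.write_text("127.0.0.1 localhost\n")
        (root / "networks").write_text("loopback 127\n")
        baseline = build_baseline(root)
        # the same edit as in step 8: append the test comment to hosts
        with open(hosts, "a") as f:
            f.write("#ossec agent file integrity check test\n")
        (root / "lmhosts.sam").write_text("# new file\n")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for event, rel in demo():
        print(f"{event} for: '{rel}'")
```

Note that the real agent only rescans on its configured syscheck schedule unless real-time monitoring is enabled, so the alert in the SIEM view may not appear immediately after the edit.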

