AlienVault v4.7 Getting Started Guide


Welcome
Welcome! In this tutorial we are going to show you how to get started with the
AlienVault Virtual Appliance for OSSIM and USM. We will start with how to install
AlienVault and how to configure your network interfaces and network topology. You'll then
learn how to discover assets using AlienVault, how to deploy HIDS to your servers and
how to configure log collection.

Audience
This information is intended for use by administrators who are responsible for
investigating and managing network security for their organization. To use this guide
you must have knowledge of your organization's network infrastructure and networking
technologies.

Step 0: Download and Install


To get started, you must download and install AlienVault into your virtual environment.
Be sure to check the system requirements and the pre-install checklist before you begin,
then follow the instructions below:

System Requirements

Total cores: 8
RAM: 16 GB
Storage: 250 GB+ (requires VMWare thin provisioning)
VMWare ESXi 4.0+

Pre-Install Checklist

Email address used to register for the free trial


List of CIDR network ranges to monitor
Static IP address for your AlienVault instance*
Data source info to enable log management (e.g. firewalls)*
Access to a span port or tap to monitor your network*
Domain account info to install the HIDS agent*

Note: The asterisk (*) denotes optional items

How to Install AlienVault



1. Install AlienVault into your ESXi environment by deploying the OVF using your
vSphere client with the menu option File > Deploy OVF Template. Deploy using the
default deployment options.

Note: When deploying for evaluation purposes, at the prompt to select the disk
format, choose Thin Provision to avoid having to pre-allocate the full amount of
disk space. This will allocate a minimal footprint for your image and will grow as
you store logs.
2. Power on the appliance and open the AlienVault command line console to allow
AlienVault to do its initial configuration.


3. Log in using the credentials found on screen and change the root password.
4. Open the AlienVault web UI using the URL provided.
5. Activate the AlienVault Free Trial by entering the email address that you used to
sign-up for the free trial.

6. Fill out the Welcome form with your information and sign in to the AlienVault
web console using your username and password.



7. Run the Getting Started Wizard to perform initial configuration of AlienVault.

Step 1: Configure Network Interfaces


When you first connect to the AlienVault web UI you are prompted to use the Getting
Started Wizard. This wizard is designed to walk you through six steps to get the basics
of AlienVault configured so you can start using the product quickly to find threats in
your environment. The first step of the wizard is to configure the six network interfaces
that come pre-defined.



These interfaces will be used by AlienVault to monitor the network using the built-in IDS
capabilities, run asset scans, collect log data from your assets, run vulnerability scans,
generate netflows, etc. The options available for each interface include:
Management. This is the interface that is used to communicate with the
AlienVault virtual device and connect to the web UI. This is configured during
the initial console step and is presented in the Configure Network Interfaces
section of the wizard by default. It is likely tied to eth0, but may be different
depending on what the user configured on the console. You cannot configure
this interface in the wizard.
Network Monitoring. By setting a network interface into this configuration,
AlienVault will put the interface into passive listening mode, also referred to as
promiscuous mode. The interface will listen to traffic as it comes by on the
wire. To use this configuration option the administrator needs to set up a
network tap or span to allow the traffic to flow to the network interface so it can
monitor for threats. AlienVault's built-in IDS capability uses this network
interface.
Log Collection & Scanning. This interface option is used to reach out to the
networks that the user wants to collect data from or scan using AlienVault's
built-in asset discovery, vulnerability assessment, and availability monitoring.
Setting up this interface will require the user to assign an IP address and network
mask to the interface so it can be used to communicate out and allow devices to
communicate in.
Not In Use. This is the default option for each of the interfaces (except the
Management interface) on this screen. This means that the network interface is
not configured and will therefore not be used.

How to Configure Network Monitoring


AlienVault has a built-in networking monitoring (i.e. Network IDS) capability that allows
you to identify malicious network activity by passively monitoring traffic on the
network. One of the network interfaces in AlienVault must be dedicated to this. Do the
following to enable it:
1. Choose the network interface that will be used for network monitoring.


2. Select Network Monitoring from the drop-down list.


Once selected, AlienVault will immediately configure the network interface to
listen for incoming traffic.
3. Configure your virtual machine to get traffic from your physical network.
Once the network is forwarding data to the selected network interface, the
Status button will go from red to green. This will indicate that the interface is
both configured and receiving data as expected.
Note: Once you've configured the network monitoring interface, you'll need to ensure that the
virtual networking is configured to receive network traffic. Ensure you are getting
real network traffic and not just virtual switch traffic. Follow these instructions.

How to Configure Log Collection & Scanning


AlienVault needs to have direct communication access to the networks in your
environment that you want to scan or collect data from. This will allow you to use
AlienVault to run an asset scan, vulnerability scan, deploy the HIDS agents to your
systems, monitor availability of your systems, and collect data from your
systems. Configure your interfaces for log collection and scanning by:
1. Choose the network interface that will be used for log collection and scanning.
2. Select Log Collection & Scanning from the drop-down list.
A lightbox will pop up and ask for an IP Address and Netmask. This information
will be used to configure the network interface with a static IP address.


Once you enter the IP address and netmask you'll be placed back on the
Configure Network Interfaces screen. This screen will now show you the IP
address you supplied as the IP address for the interface. This indicates that
the interface configuration was successful.
3. Configure the other interfaces as needed for additional log collection and
scanning.
Note: In some situations the network that you want to monitor may not be accessible
from the IP address provided without adding a route to the routing table. This is an
extreme case and shouldn't happen often. If a route is required, you will need to
jailbreak the system using the AlienVault console and configure the route using the
command line.

Step 2: Discover Assets in Your Network


Understanding what is in your environment is a critical step in identifying threats and
vulnerabilities. You need to know what you have so you can prioritize and respond to
the threats discovered. AlienVault includes a built-in asset database and several ways for you to
discover assets. You can use the built-in asset discovery capability to automatically scan
your networks and find assets, manually enter assets, or import assets from a CSV file.

Option 1: How to Discover Assets Using a Network Scan


AlienVault needs to have a basic understanding of your network topology to run asset
scans, vulnerability scans, and use other built-in capabilities. The Getting Started Wizard
includes an option to scan your networks for assets. Click the Scan Networks button
to run a network scan.


1. Choose one or more networks that you would like to scan. You should already
have one or more networks defined based on the network interfaces you
configured in Step 1. Note: If you would like to add more networks, see the
instructions under "How to Manually Add A New Network" later in this step.

2. Click the "Scan Now" button to initiate the scan. The confirmation screen will
then be displayed.
3. The confirmation screen will tell you how many assets may be scanned based on
the network defined. Click "Accept" to start the scan.

Note: Be aware that if you created a large network (e.g. 10.10.10.0/16) the scan
may take a long time. We suggest that you create smaller networks.
4. You can Stop the scan at any time by clicking the "Stop Scan" button. Note that
if you stop the scan while running, no asset data will be retained and you'll need
to run the scan again.



5. Once the scan is completed you will be asked if you want to schedule a recurring
scan so you can discover changes in the environment periodically. The default
option is to run a weekly scan. Click "OK" to accept and schedule the scan,
change the frequency using the drop-down, or select no scan option by clicking
the "x" on scan period. Click "OK" to continue.
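The checklist asks for a list of CIDR ranges and the scan step warns that a large network (such as a /16) takes a long time to scan. The following is an added example, not part of the AlienVault guide, that sizes each range before you define it in the wizard and splits oversized ranges into smaller networks; the sample range list, the 1024-host warning threshold and the /24 split size are constructed assumptions.

```python
"""Size a list of CIDR ranges for asset scanning and split oversized ones.

Added example, not AlienVault code. SAMPLE_RANGES is constructed input;
MAX_HOSTS_PER_SCAN and SPLIT_PREFIX are assumed values, not product settings.
"""
import ipaddress

# Constructed sample: the kind of list the pre-install checklist asks for.
SAMPLE_RANGES = """
# name,cidr
DMZ,192.168.10.0/24
Employee Office,10.10.10.0/16
Lab,172.16.5.0/28
"""

MAX_HOSTS_PER_SCAN = 1024   # assumed threshold: warn above this many hosts
SPLIT_PREFIX = 24           # assumed size of the smaller networks to create


def parse_ranges(text):
    """Parse 'name,cidr' lines (or bare CIDRs), skipping blanks and comments.
    Returns a list of (name, ip_network) tuples."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "," in line:
            name, cidr = (part.strip() for part in line.rsplit(",", 1))
        else:
            name, cidr = line, line
        # strict=False accepts host bits set, e.g. 10.10.10.0/16 -> 10.10.0.0/16
        nets.append((name, ipaddress.ip_network(cidr, strict=False)))
    return nets


def host_count(net):
    """Scannable addresses: IPv4 excludes network and broadcast below /31."""
    n = net.num_addresses
    return n - 2 if net.version == 4 and net.prefixlen < 31 else n


def plan_scan(text, max_hosts=MAX_HOSTS_PER_SCAN, split_prefix=SPLIT_PREFIX):
    """Return one dict per range: name, normalized network, host count and,
    for ranges above max_hosts, the smaller networks to define instead."""
    plan = []
    for name, net in parse_ranges(text):
        entry = {"name": name, "network": str(net), "hosts": host_count(net), "split": []}
        if entry["hosts"] > max_hosts and net.prefixlen < split_prefix:
            entry["split"] = [str(s) for s in net.subnets(new_prefix=split_prefix)]
        plan.append(entry)
    return plan


if __name__ == "__main__":
    for e in plan_scan(SAMPLE_RANGES):
        flag = f" -> define {len(e['split'])} /{SPLIT_PREFIX} networks instead" if e["split"] else ""
        print(f"{e['name']:16} {e['network']:18} {e['hosts']:>6} hosts{flag}")
```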

How to Manually Add A New Network

1. Enter the CIDR notation for the network that you want to define.
2. Enter a meaningful name to describe the network (e.g. DMZ, Employee
Office). This will be used in the next step.
3. Enter an optional description to describe the network.
4. Click the "+Add" button to add the network.
Note: If you make a mistake and define the network incorrectly, use the delete
option (icon of trash can) to delete and re-enter the network.

How to Add New Networks from a CSV


1. Click on Import from CSV option to import a list of the important network
ranges in your environment from a CSV file.


2. Click on Browse and select a CSV file.


3. Click Import to upload the selected file.
Once the import is completed, a confirmation screen will appear to show the
number of hosts that have been imported from your CSV file.

Option 2: How to Add Assets Manually


If you do not have access to a list of assets in the form of a CSV, you can quickly add
assets manually by doing the following:

1. Provide a meaningful name for the asset (e.g. domain controller).


2. Enter the IP address in the field provided.
Note: We suggest that you create smaller networks. Be aware that if you create
a larger network (e.g. 10.10.10.0/6) the scan may take a long time.
3. Choose the asset type from the list.
4. Click the +Add button to add the asset.

Option 3: How to Import a CSV List of Assets


In AlienVault, you are also able to import a list of assets from a CSV by doing the
following:



1. Click on Import from CSV button. A lightbox will pop up and ask for you to
choose a file to upload.

2. Click the Browse button and select a CSV file.


3. Click on Import button to import the CSV file. You will see a confirmation screen
that will display the number of hosts that have been imported.

Step 3: Deploy Host-based Intrusion Detection (HIDS) to Servers


We recommend deploying HIDS in order to perform file integrity monitoring, rootkit
detection and to collect event logs. For Windows machines the HIDS agent will be
installed locally; for Unix/Linux environments remote HIDS monitoring will be
configured. Unix/Linux systems are monitored remotely and only include the file integrity
monitoring capability.
Note: HIDS needs administrative access to create directories and files, set permissions and
launch processes. You must provide credentials for the administrative account on the
system that you want to deploy HIDS on.

How to Deploy HIDS to Windows


1. Enter the domain admin account information.
2. From the asset tree on the right, choose the assets that you would like to deploy
a HIDS agent to.
3. Click Deploy to deploy the agent to selected assets.
4. Once the plugin is configured correctly, green circles will appear below Plugin
Enabled and below Receiving Data.

How to Deploy HIDS to Unix/Linux


1. Enter the SSH credentials for your Unix/Linux environment.
2. From the asset tree on the right, choose the assets on which you would like to install
HIDS in agentless mode.
3. Click Deploy to deploy the agent to selected assets.
4. Once the plugin is configured correctly, green circles will appear below Plugin
Enabled and below Receiving Data.
TIP: Select assets with the same administrative credentials to deploy HIDS to more
than one asset.

Step 4: Log Management


One of the key capabilities provided by AlienVault is the ability to collect external data
from network devices, security devices, and your servers. The data collected allows
AlienVault to do event correlation to see patterns of activity and warn you via an
alarm. The Getting Started Wizard allows you to easily configure each of the assets
you've discovered or added in the Asset Discovery step with the appropriate Plugin to
collect the data from your assets. Do the following to enable plugins:
1. For each asset, select the correct vendor, model, and version number that
corresponds to the data that you want to collect from that asset.

2. Click on the "Enable" button to enable the selected plugins. This will take you to
the Log Management Confirmation screen.
Note: For assets that don't have a plugin selected, you will not be able to collect
data from them, but you can configure plugins for them at a later date.



3. The confirmation page shows you each of the assets that a plugin will be enabled
for, and an indicator that tells you if the plugin is enabled, and if you are
receiving data for that asset. Click on the "Instructions to forward logs" to learn
how to configure your asset to send data.
4. Once done enabling plugins for the devices you want to collect data from, click
"Finish" to exit the wizard.
Note: You may not finish the wizard until you are receiving data from at least one
asset.

Additional Log Management Considerations

Remember that firewall deny logs represent an action that has already been
taken. To get visibility into what is coming into the network, we recommend
collecting firewall permit logs too.

Collect OS audit logs to get visibility into who is accessing your assets; paying
special attention to privileged accounts is critical.

Step 5: OTX Community Registration


AlienVault Open Threat Exchange (OTX) is an open information sharing and analysis
network. It provides you with access to real-time, detailed information about incidents
that may impact you, allowing you to learn from and work with others who have already
experienced them.
Enabling AlienVault OTX in your installation will allow you to automatically share
anonymous threat information with the broader community. In return you will receive
the threat information shared by others in the network. You will receive updates every
30 minutes.
You will need an AlienVault community account to get started. This account will give you
access to AlienVault free services like Reputation Monitor and will also allow you to link
your AlienVault installation to OTX.

How to Sign Up (Username / Password)


1. Click the Sign Up Now button to open the Join AlienVault OTX window.


2. Enter a username, password, password confirmation, and email address. These are
required fields.
Note: The password must be at least 7 characters.
3. Click Create Account. Your AlienVault Community account will be created.
The window will refresh and give you your new OTX Token.
4. Copy the OTX Token from the pop-up and paste it into the available field of the
Getting Started Wizard.

5. Click the Next button to continue. A Thank You page will appear to confirm
your OTX registration.
6. Click Finish to complete the Getting Started Wizard and start using AlienVault.



How to sign up (Social media authentication)
1. Click the Sign Up Now button to open the Join AlienVault OTX window.

2. Choose one of the social media options on the left (Facebook, Twitter, or
Google+).
3. If you are not currently logged into that network, you will be prompted to sign-in
with your social media credentials.
4. An alert will appear to let you know what the app would like to do (e.g. view
your email address and view basic information about your account).
Note: AlienVault OTX will never post to your social media account on your behalf.
5. Click Accept. You will be prompted to complete your sign-up by choosing a
username and confirming your email address.
6. Click Sign Up. Your AlienVault Community account will be created. The
window will refresh and give you your new OTX Token.
7. Copy the OTX Token from the pop-up and paste it into the available field of the
Getting Started Wizard.


8. Click the Next button to continue. A Thank You page will appear to confirm
your OTX registration.
9. Click Finish to complete the Getting Started Wizard and start using AlienVault.

How to sign up if you have an existing account


If you've already created an AlienVault community account for free services like
Reputation Monitor, follow the instructions below.
1. Click the Join Now button. A pop-up will appear in a new window and ask you
to sign-up for an AlienVault OTX account. Click the Login tab on the top left.

2. Sign in by entering your username and password or through one of the social
media authentication options.
3. Once you've logged in, you will see a screen with your unique Open Threat
Exchange token. Copy the token from the pop-up and then go back to the page with
the Getting Started Wizard.


4. Paste the token into the field marked Enter Token and click Next.
5. A Thank You page will appear to confirm your OTX registration. Click Finish to
complete the Getting Started Wizard and start using AlienVault.

Congratulations!
You are finished setting up AlienVault. You can click the See Alarms button to view any
alarms that have been generated in your installation or click Explore AlienVault USM
to go to the Dashboards screen.
