Been trying for a week now to get AlienVault (referred to as AV hereon) running with little success.
I've gone through 2 installs so far.
First time messing with SIEM, though have very limited experience with log collection (splunk, kiwi).
Very small network: <10 workstations (Win7); 1 Windows server (2008) with AD; 2 Linux servers; 1 firewall with IDS, gateway AV and syslog pointing to AV. No DMZ, no local mail, no VPN or other external access.
On the first install, I did a manual config and selected plugins/detectors all willy-nilly. I did an asset discovery scan which seemed to work. Though, over the course of a couple of days, my service level dropped to 0. I think this was due to the fact that the thresholds were set too low for the amount of surfing our users do. The risk metrics page drilled down through the machines, showing traffic etc. for each. I also installed SNARE on the Win server box and we met with "message too large" errors, which I was able to correct with a syslog local rules entry:
<rule id="1003" level="0" maxsize="1025" overwrite="yes">
<description>Non standard syslog message (size too large).</description>
</rule>
and I pointed the plugin cfg locations to syslog for both SNARE and the firewall, since I couldn't get rsyslog to pull out their respective entries. It seemed to be working with the firewall plugin, but I didn't notice anything from SNARE.
Eventually, I ran ossim-update, which borked the machine (plugins stopped working; MySQL connection issues; ossim-agent connection issues).
Second install, I went the same route, though with an automated install. However, I installed the OSSEC agent on the Windows server (with IP and auth token), but haven't seen any events from it. It did, however, initiate a SNARE entry for a new process.
The assets seem to be different, though. On the risk metrics, it does not have the drill-down as it did on the first install. Also, I raised the global threshold and, though my service level isn't dropping, the attack or compromise metrics don't seem to be increasing at all. It's as if the LAN machines aren't triggering the same stuff they were before for some reason. Firewall events are aplenty. I tried running a vuln scan which creates tickets, but never finishes (it just sits in running scans even though scanner status is idle, thus I can't run through the HTML report and mark false positives).
So, questions:
What plugins should I be utilizing considering the network layout?
What is the best way to get the assets in there? Should I skip the asset discovery altogether and install agents?
How exactly do the policies work? I.e., are there any examples of default policies out there? Are they necessary at this level? (I could not find any; the AV forum had talk of some being included back in '09, but it hasn't happened.)
Are there alternative (open source!) solutions that may work better for our situation? (NB: I have explored Snorby and Cyberoam; I may have become biased because I've already invested so much time in AV.)
Much thanks.
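To show what the local rules override quoted above actually does, here is an added example (not from the post or from OSSEC itself) that models OSSEC's rule merging and maxsize matching in Python: the stock rule 1003 and its level are assumed from syslog_rules.xml (check your install), the log event is constructed, and the "size at or above maxsize fires the rule" behaviour is this example's reading of OSSEC's logic.

```python
import xml.etree.ElementTree as ET

# Assumed stand-in for the stock rule in syslog_rules.xml (level is an assumption).
STOCK_RULES = """<group name="syslog">
  <rule id="1003" level="13" maxsize="1025">
    <description>Non standard syslog message (size too large).</description>
  </rule>
</group>"""

# The local_rules.xml override quoted in the post: same id, overwrite="yes", level 0.
LOCAL_RULES = """<group name="local">
  <rule id="1003" level="0" maxsize="1025" overwrite="yes">
    <description>Non standard syslog message (size too large).</description>
  </rule>
</group>"""

# Constructed oversize SNARE-style Windows event (well over 1024 bytes).
SAMPLE_EVENT = ("Nov 12 10:15:02 WINSRV MSWinEventLog\t1\tSecurity\t4688\t"
                "A new process has been created.\t" + "X" * 1200)


def load_rules(*xml_docs):
    """Merge rule documents in order. A later rule with the same id must carry
    overwrite="yes" to replace the earlier definition, as in OSSEC."""
    rules = {}
    for doc in xml_docs:
        for r in ET.fromstring(doc).iter("rule"):
            rid = r.get("id")
            if rid in rules and r.get("overwrite") != "yes":
                raise ValueError(f"duplicate rule id {rid} without overwrite")
            rules[rid] = {
                "level": int(r.get("level")),
                "maxsize": int(r.get("maxsize", "0")),
                "description": r.findtext("description", ""),
            }
    return rules


def evaluate(event, rules):
    """Return (rule_id, level) of the first rule whose maxsize the event
    reaches, or None. Level 0 means the event matched but raises no alert."""
    size = len(event.encode("utf-8"))
    for rid, rule in rules.items():
        if rule["maxsize"] and size >= rule["maxsize"]:
            return rid, rule["level"]
    return None


if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENT, load_rules(STOCK_RULES)))               # ('1003', 13)
    print(evaluate(SAMPLE_EVENT, load_rules(STOCK_RULES, LOCAL_RULES)))  # ('1003', 0)
```

Note that the override only lowers the alert level to 0; the oversize event is still matched by rule 1003 rather than by the SNARE decoder, so silencing the alert does not by itself make the event's fields available to the plugin.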