How to properly add a sensor to AlienVault/OSSIM

I recently re-deployed our SIEM environment since it’s initial incarnation was never meant to be “production”. One of the issues I had immediately is that after adding the sensor machines, they didn’t show up under the “Alienvault Center”  section of the Components page.  They did show up under “Sensors” and were basically functioning normally as they were sending data and I was able to run discovery and vulnerability scans with them. However, not having them under the AV Center section prevented me from viewing and editing much of the sensor configuration (including applying updates) from the web interface.

It seems there is a specific way sensors need to be added. I had manually added the sensor in the web interface, which I guess is “wrong”.  Here’s how I fixed it:

1) SSHed to the sensor and changed the framework IP to 127.0.0.1 and the AV Server IP to an unused IP.

2)  “disassociate” any Groups, Networks and Assets from the sensor. In my case, I kept the networks and just associated them with the “master”, but ended up just deleting the 100+ assets, since I really didn’t want to manually edit all of those and haven’t found a way to bulk-edit assets. Please let me know in the comments if you do!

3) Delete the sensor from the Deployment->Components->Sensors list.

4) SSHed to the sensor again and changed both the Framework IP and the AV Server IP back to the IP of the Master.

5) Log into the web interface and go back to Deployment->Components->Sensors

Here you should now be notified that a sensor is “reported as enabled but hasn’t been configured.”  Clicking “Insert” on this message  appears to be the correct way to add a sensor.

New-Sensor-Msg

Once I had “Inserted” the sensor, it showed up properly under both the “Alienvault Center” view as well as under “Sensors”.

I didn’t find this exact issue in any of the forums (but did find a hint here: https://www.alienvault.com/forums/discussion/1322/adding-sensors-to-the-alienvault-centre-display), so thought I’d post it here. Hope it helps someone.

Mobile Hotspot in Yosemite

A cool new feature in Apple’s latest OS X Yosemite is the ability to turn on your iPhone’s hotspot without touching your phone. You simply drop down your WiFi selection menu and if you have bluetooth on everywhere, you’ll see a special network section listing your device. The problem is it only works about 20% of the time – at least for me – and guessing by the other reports out there, I’m not the only one . So if you find yourself endlessly stopping and starting your hotspot and WiFi to get the magic just right for a successful connection, this simple, but somewhat cumbersome manual approach works for me every time:

  • Stop bluetooth on your mac
  • Start your hotspot manually
  • Select your hotspot network
  • Once connected, restart bluetooth on your mac

My biggest pain point (pretty minor) is forgetting to turn bluetooth back on at the end, which just means I’m mouseless for a few seconds when I return to my desk until I remember bluetooth is off.

Hopefully if you’re struggling with Apple’s increasingly infamous buggy “forced-features” this article will help some tiny amount. Stay mobile.

Great Whitepaper for Securing PCs at home

James Michael over at Global Knowledge has put together a great list of online (and offline) security tools everyone should know about. I use many of these myself and even found a couple of new ones in the mix I haven’t checked out yet.
You can find the PDF here:http://www.globalknowledge.com/training/whitepaperdetail.asp?pageid=502&wpid=1297&country=United+States

It’s a quick read with great info.