AlienVault Users Manual 1.0
AlienVault LC - 1901 S Bascom Avenue Suite 220 Campbell, CA, 95008 T +1 408 465-9989 info@AlienVault.com http://www.AlienVault.com
Juan Manuel Lorenzo (jmlorenzo@AlienVault.com)
version 1.0
Copyright AlienVault 2010-2011
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and publisher.
Any trademarks referenced herein are the property of their respective holders.
Table of Contents
Welcome to AlienVault! 1
Introduction 1
What is AlienVault Unified SIEM? 2
Basic Operation 3
Components 4
Data Sources 4
Sensor 5
SIEM 5
Logger 5
Web interface 6
AlienVault Web interface 7
Introduction 7
Access the AlienVault Web Interface 7
Login 8
Logout 8
Dashboard 9
Dashboards 9
Dashboards 9
Dashboards -> Dashboards 9
Risk 12
Maps 12
Dashboards -> Risks -> Risk Maps 12
Metrics 16
Dashboards -> Risks -> Risk Metrics 16
Incidents 22
Alarms 22
Alarms 22
Incidents -> Alarms -> Alarms 22
Report 28
Incidents -> Alarms -> Report 28
Tickets 29
Tickets 29
Incidents -> Tickets -> Tickets 29
Knowledge DB 36
Knowledge DB 36
Incidents -> Knowledge DB 36
Analysis 40
SIEM 40
SIEM 40
Analysis -> SIEM -> SIEM 40
Wireless 47
Analysis -> SIEM -> Wireless 47
Anomalies 53
Analysis -> SIEM -> Anomalies 53
Statistics 54
Analysis -> SIEM -> Statistics 54
Logger 55
Logger 55
Analysis -> Logger -> Logs 55
Vulnerabilities 58
Vulnerabilities 58
Analysis -> Vulnerabilities -> Vulnerabilities 58
Reports 60
Analysis -> Vulnerabilities -> Reports 60
Scan Jobs 62
Analysis -> Vulnerabilities -> Scan Jobs 62
Threats Database 68
Analysis -> Vulnerabilities -> Threats Database 68
Reports 70
Reports 71
Reports 71
Reports -> Reports -> Reports 71
Modules 79
Reports -> Reports -> Modules 79
Layouts 81
Reports -> Reports -> Layouts 81
Scheduler 83
Reports -> Reports -> Schedulers 83
Assets 87
Assets 87
Structure 87
Assets -> Assets -> Structure 87
Hosts 89
Assets -> Assets -> Hosts 89
Host groups 94
Assets -> Assets -> Host Groups 94
Networks 97
Assets -> Assets -> Networks 97
Network groups 100
Assets -> Assets -> Network Groups 100
Ports 102
Assets -> Assets -> Ports 102
Assets Search 105
Simple 105
Assets -> Asset Search -> Simple 105
Advanced 108
Assets -> Asset Search -> Advanced 108
SIEM Components 111
Sensors 111
Assets -> SIEM Components -> Sensors 111
Servers 114
Assets -> SIEM Components -> Servers 114
Databases 116
Assets -> SIEM Components -> Databases 116
Intelligence 118
Policy & Actions 118
Policy 118
Intelligence -> Policy & Actions -> Policy 118
Actions 127
Intelligence -> Policy & Actions -> Actions 127
Correlation Directives 130
Directives 130
Intelligence -> Correlation Directives -> Directives 130
Properties 142
Intelligence -> Correlation Directives -> Properties 142
Backlog 144
Intelligence -> Correlation Directives -> Backlog 144
Compliance Mapping 145
ISO 27001 145
Intelligence -> Compliance Mapping -> ISO 270001 145
PCI DSS 147
Intelligence -> Compliance Mapping -> PCI DSS 147
Cross Correlation 149
Cross Correlation 149
Intelligence -> Cross Correlation -> Cross Correlation 149
Monitors 151
Networks 151
Traffic 151
Monitors -> Network -> Traffic 151
Profiles 164
Monitors -> Networks -> Profiles 164
Availability 166
Monitors -> Availability 166
System 168
System 168
Monitors -> System -> System 168
User Activity 170
Monitors -> System -> User Activity 170
Configuration 171
Main 171
Configuration -> Main 171
Simple Configuration 172
Advanced Configuration 173
Users 175
Configuration 175
Configuration -> Users -> Configuration 175
User Activity 182
Configuration -> Users -> User Activity 182
Collection 183
Plugins 183
Configuration -> Collection -> Plugins 183
Plugin Groups 185
Configuration -> Collection -> Plugin Groups 185
Software Upgrade 189
Software Upgrade 189
Configuration -> Software Upgrade -> Software Upgrade 189
Update Notification 190
Configuration -> Software Upgrade -> Update Notification 190
Tools 192
Backup 192
Tools -> Backup 192
Downloads 194
Tools -> Downloads 194
Net Discovery 195
Tools -> Net Discovery 195
My Profile 198
My Profile 198
System Status 199
System Status 199
Writing correlation rules 201
XML syntax 202
Directive global properties 202
Correlation level: 1 203
Correlation level: 2 204
Correlation level: 3 206
Correlation level: 4 207
Detector Rule elements 211
Monitor Rule elements 215
Further reading and Information 218
Reporting Bugs 218
AlienVault 218
Website 218
Forums 218
IRC 218
Welcome to AlienVault!
Introduction
This manual contains configuration and operation guidelines to assist you with implementing and using our AlienVault SIEM.
As the de facto standard in the world today, AlienVault has a large community of users with experience using AlienVault SIEM
in numerous types of applications ranging from compliance to operations, government to control systems, finance to
manufacturing. This community of active developers and users communicates through the forums found on AlienVault's web
site (http://www.alienvault.com). We encourage our customers to engage with this rich source of tactical expertise.
Since AlienVault SIEM is a fully unified security management system, you will find a great number of tools you are already
familiar with integrated into the AlienVault technology. These tools are not only manageable through the AlienVault interface,
they are also tightly integrated with the other functional components of the system. AlienVault products additionally integrate
with external security tools of all sorts to allow you to create a unified solution that fits your specific needs. AlienVault stands
behind the technology we create. As a company with roots in the Open Source community we understand the necessity for
honesty and transparency. This is critically important when it comes to addressing the types of integration SIEM users
undertake. The AlienVault team delivers the same level of commitment to its community that has led the technology to be
adopted by more than half of all SIEM users worldwide.
If you have any comments or questions about AlienVault and its products please contact us at any time.
Welcome to the AlienVault community!
What is AlienVault Unified SIEM?
AlienVault provides a Security Information and Event Management (SIEM) solution whose framework allows tight control over
widely distributed enterprise networks from a single location.
The AlienVault Unified SIEM is created and developed by AlienVault.
AlienVault SIEM technology offers advanced intelligence, capable of synthesizing the underlying risks associated with
complex distributed attacks on extensive networks.
The system considers the context of each threat and the importance of the assets involved, evaluates situational risk, and
discovers and distinguishes actual threats from the thousands of false positives that are produced each day in each
network.
The solution features:
Low level, real-time detection of known threats and anomalous activity
Compliance automation
Network, host and policy auditing
Network behavior analysis and situational behavior
Log management
Intelligence that enhances the accuracy of threat detection
Risk oriented security analysis
Executive and technical reports
A scalable high performance architecture
Basic Operation
The following processes take place within AlienVault Unified SIEM:
Events are collected and normalized before being sent to a central Server (AlienVault Sensors).
The AlienVault Server performs the Risk Assessment and correlation and stores the events in an SQL Database (SIEM).
The AlienVault Server stores the events (digitally signed) in a massive storage system, usually NAS or SAN (Logger).
A web interface provides a reporting system, metrics, reports, Dashboards, a ticketing system, a vulnerability
management system and real-time information about the network (Web interface).
Components
Data Sources
Any application or device that generates events within the network that is being monitored is considered a Data Source
within the AlienVault deployment.
AlienVault includes a number of Data Sources built on well-known Open Source tools. From this point on we will use the term
AlienVault Data Sources when referring to the Data Sources included by default when installing AlienVault Unified SIEM.
AlienVault Sensors have been designed for managed security. They compile an arsenal of technology into a single device,
and introduce it into each remote network as if it were an eye detecting unauthorized activity. The combined result of
numerous detection and control points is global visibility and compliance management.
AlienVault Sensors are installed on each network segment and inspect all traffic, detecting attacks through various methods
and collecting information on attack context without affecting network performance.
These sensors utilize more than 10 expert systems that identify attacks along 5 different axes:
Intrusion Detection
Anomaly Detection
Vulnerability Detection
Inventory systems
Detection systems locate, in near real time, both known and unknown attacks through learning and anomaly reporting.
The Vulnerability detection system discovers and identifies latent network threats and can correct them before an attack
occurs. This information, stored by the Management Server, is of vital importance when an attack is in progress. Prior
knowledge of vulnerabilities in systems is vital when assessing the risk associated with an attack, prioritizing, alerting, and
launching countermeasures.
The network information gathered by AlienVault probes also provides detailed information in near real time about the network
usage of each computer, which the system then collects for analysis. The system automatically creates a highly detailed usage profile
of each element on the network.
Sensor
The Sensors gather the events generated by external Data Sources and by Data Sources running within the AlienVault
Sensors. Sensors classify and normalize the events before sending them to the SIEM and the Logger.
In order to support the maximum possible number of applications and devices, Sensors use Data Source connectors (also
called Collection Plugins). Each DS connector (formerly AlienVault Plugins) defines the way events generated by each
detector should be collected and normalized.
DS connectors can be configured easily using a simple configuration file and regular expressions to define the format of each
type of event.
The Sensor component can be deployed as a standalone system or included in the Sensor or SIEM appliance depending on
your needs.
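The following is an added example (not AlienVault's own connector code) of how a configuration-file-plus-regular-expression DS connector of the kind described above turns raw log lines into normalized events. The connector text, the plugin ids, the `{$N}` capture-group substitution syntax and the log lines are all constructed for this example.

```python
"""Added example, not AlienVault's own code: a minimal Data Source connector
in the style of the configuration-file-plus-regular-expression connectors
described above. Each rule holds a regular expression and maps its capture
groups ({$N}) onto normalized event fields. The connector text, plugin ids
and log lines are constructed; the {$N} substitution syntax is assumed."""
import configparser
import re

# Constructed connector for an SSH daemon log; plugin_id in [DEFAULT] applies to every rule.
SSHD_CONNECTOR = r"""
[DEFAULT]
plugin_id=9999

[config]
type=detector
source=log

[ssh-failed-password]
event_type=event
regexp=(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port (\d+)
plugin_sid=1
date={$1}
sensor={$2}
username={$3}
src_ip={$4}
src_port={$5}

[ssh-accepted-password]
event_type=event
regexp=(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: Accepted password for (\S+) from (\S+) port (\d+)
plugin_sid=2
date={$1}
sensor={$2}
username={$3}
src_ip={$4}
src_port={$5}
"""

# Constructed log lines; the CRON line matches no rule and stays unnormalized.
SAMPLE_LOG = [
    "Mar  3 10:15:01 sensor01 sshd[2211]: Failed password for invalid user admin from 192.0.2.10 port 50412 ssh2",
    "Mar  3 10:15:04 sensor01 sshd[2211]: Failed password for root from 192.0.2.10 port 50413 ssh2",
    "Mar  3 10:16:30 sensor01 sshd[2290]: Accepted password for alice from 198.51.100.7 port 40022 ssh2",
    "Mar  3 10:16:31 sensor01 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)",
]

FIELD_REF = re.compile(r"\{\$(\d+)\}")   # {$N} refers to capture group N
RESERVED = {"event_type", "regexp", "plugin_id", "plugin_sid"}


def load_connector(text):
    """Parse connector text into rules; sections without event_type (e.g. [config]) are skipped."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    rules = []
    for name in cp.sections():
        sec = cp[name]
        if sec.get("event_type") != "event":
            continue
        rules.append({
            "name": name,
            "plugin_id": int(sec["plugin_id"]),
            "plugin_sid": int(sec["plugin_sid"]),
            "regexp": re.compile(sec["regexp"]),
            "fields": {k: v for k, v in sec.items() if k not in RESERVED},
        })
    return rules


def normalize(rules, line):
    """Return the normalized event for the first rule whose regexp matches the line, else None."""
    for rule in rules:
        m = rule["regexp"].search(line)
        if m is None:
            continue
        event = {"plugin_id": rule["plugin_id"], "plugin_sid": rule["plugin_sid"], "rule": rule["name"]}
        for field, template in rule["fields"].items():
            event[field] = FIELD_REF.sub(lambda ref: m.group(int(ref.group(1))), template)
        return event
    return None


def collect(rules, lines):
    """Normalize every line; returns (events, unmatched lines) so collection gaps stay visible."""
    events, unmatched = [], []
    for line in lines:
        event = normalize(rules, line)
        if event is None:
            unmatched.append(line)
        else:
            events.append(event)
    return events, unmatched
```

Keeping the unmatched lines is the point of `collect`: a rule whose regular expression drifts from the real log format silently drops events, and the unmatched list is how you notice.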
SIEM
The SIEM component provides the system with Security Intelligence and Data Mining capacities, featuring:
Risk assessment
Correlation
Risk metrics
Vulnerability scanning
Real-time monitoring
AlienVault SIEM uses an SQL database and stores normalized information, allowing strong analysis and data mining
capacities.
AlienVault Unified SIEM is tuned for high performance and scalability to millions of events per day.
Logger
PRO ONLY
The Logger component stores events in raw format in the file system. Events are digitally signed and stored en masse,
ensuring their admissibility as evidence in a court of law.
The Logger component allows storage of an unlimited number of events for forensic purposes. The Logger is usually
configured so that events are stored in a NAS / SAN network storage system.
Web interface
The Web interface provides access to all information collected and generated by the system as well as access to the
configuration parameters.
The following tasks can be performed using the Web interface:
Configuration changes
Reports generation
Ticketing system
Vulnerability Management
Responses configuration
AlienVault Web interface
Introduction
The AlienVault Web interface displays all the information collected and generated by AlienVault products. The web interface
provides access to the information stored in both SIEM and Logger. The Web interface also provides real-time information on
the status of the monitored networks as well as the possibility of configuring the AlienVault deployment.
Access the AlienVault Web Interface
To access the AlienVault Web Interface, point your browser to the IP address of the machine on which you have
installed the Web Interface profile (formerly known as Framework). If you have installed a single AlienVault box, point your
browser to the IP address of that box.
http://IP_ADDRESS_OF_THE_AlienVault_BOX
Login
To access the AlienVault Web interface enter a user and a password and click on Login. If you want to login and open a
maximized window displaying the AlienVault Web interface mark the checkbox next to Maximized.
Default User - Password
AlienVault is installed by default with a single user. This user will always keep special permissions within the AlienVault system
(Permissions to monitor all assets and all menu options enabled).
The default user is admin with admin as password. As soon as you log in to the system you will be prompted to change
the password.
Reset Default User - Password
If you forget the admin password you can reset it using the following command in the Linux console.
AlienVault-reset-password admin
This command can be used to change the password of any user from the console. In any case, an administrator user will always
be able to change the password of another user using the AlienVault Web Interface.
Logout
User sessions will finish automatically after some time. If you want to log out manually click on the name of the user at the
bottom of the left menu and then click on Logout.
Dashboard
Dashboards
Dashboards
Dashboards -> Dashboards
Description
The Dashboards tab allows each user on AlienVault to set up their personal configuration of charts and indicators to show all
the information collected and generated by AlienVault. When creating a new user in the AlienVault Web interface it is possible
to assign the admin user's dashboard as the default dashboard for the new user.
The Dashboard is divided into different tabs; each tab has a different window. The user can define the content of each
window using the configuration wizard.
By default, the dashboard includes several tabs designed by the AlienVault team. Each user can customize their dashboard
using the predefined tabs and windows as reference or even create their own panel from scratch.
Tabs
The Dashboards panel includes the following tabs by default:
Tab - Content
Executive - High level metrics and information
Network - Network Statistics (Ntop & Aggregated Risk)
Tickets - Ticketing system statistics
Security - Statistics and Reports on SIEM Events
Vulnerabilities - Vulnerability Scanning Reports
Inventory - Statistics and reports on the OCS and AlienVault inventory
Compliance - Compliance Report Graphs
Windows
Each tab contains many different Windows. The number of windows shown in each tab can be customized. The user will
configure the content of each window using one of the following plugins:
RSS Feed
Custom Tag-Cloud
Config Import
Metrics Metapanel
The top panel lets you select the duration of your metrics: over the last 24 hours, the last week, month, or year.
The middle panel provides a graphical representation, or dashboard, of Global Administrative Metrics, a Risk Meter, and
Service Level.
0 No importance
1 Very Low
2 Low
3 Average
4 Important
5 Very Important
Reliability
Reliability determines the probability of an attack being real or not. We are not determining whether the event is a false positive
(e.g., a single authentication failure event is not a false positive, but a single event cannot confirm that the corporation is
undergoing a brute force attack).
Reliability can be a value between 0 and 10
0 False Positive
10 Real attack
Aggregated Risk
An aggregated risk is calculated for every object (Hosts, Host groups, Networks and Network groups) belonging to the
AlienVault Inventory using two indicators (the compromise and the attack value).
These two indicators help us identify whether an object in our network may have been compromised (it is attacking other
hosts or networks) or is under attack.
Compromise
Compromise means a network element is generating lots of events (as source), that is, it is behaving as if it had been
compromised. Compromise is calculated by taking into account the risk of all the events in which the specific element is
involved as source.
The compromise value is increased based on the risk of the event calculated using the asset value of the source of the
event. The system will increase the compromise value of the host, of the networks and host groups the host belongs to, and
of course the global compromise value.
Attack
Attack is a value that measures the level of attack an element has received in our network, that is, how much it has been
attacked.
In order to determine the attack level for any network element, the risk value of all the events in which the element is involved
as destination is added up.
The attack value is increased based on the risk of the event calculated using the asset value of the destination of the event.
The system will increase the attack value of the host, of the networks and host groups the host belongs to, and of course
the global attack value.
Threshold
Depending on the amount of collected events and the risk of those events, each corporation will have a different compromise
and attack value. You will have to update the threshold to tell the system what you consider a normal situation in your
corporation. This tuning should be done once you have integrated all devices in AlienVault and when nothing strange
has happened in your network (no attacks, no new devices, and no availability problems).
To adjust the global Threshold, use the parameter Global Threshold in Configuration -> Main -> Metrics. Apart from this
global threshold each object will have its own Compromise and Attack Threshold, which is set in Assets -> Assets.
Recovery
Events increase the Compromise and Attack values but nothing decreases them on its own, so the system will
automatically subtract a value every 15 seconds.
This value is stored in the parameter Recovery Ratio in Configuration -> Main -> Metrics.
Incidents
Alarms
Alarms
Incidents -> Alarms -> Alarms
Description
The Alarm Panel shows all the alarms generated in AlienVault. Each user will only see the alarms belonging to the hosts that
they are authorized to monitor based on the user permissions.
Alarm
An alarm is an event that has a risk higher than 1. Alarms are a special type of event, since an alarm may group more than one
event when the event that becomes an alarm was generated by a correlation directive.
The correlation engine only generates new events, which may or may not become alarms, when risk is calculated for the new
event. An alarm can also be generated by a single event if the event has high priority and reliability values and the asset value
of the hosts involved in generating the event is high enough.
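The following is an added example (not AlienVault product code) modelling the risk bookkeeping described in the Priority/Reliability, Aggregated Risk, Threshold and Recovery sections together with the alarm definition above (risk higher than 1). It assumes the classic OSSIM per-event formula risk = asset x priority x reliability / 25, which this manual does not print; the inventory, asset values, default asset value for unknown hosts, threshold, recovery ratio and the use of the larger of the source and destination risks as the event's risk are all assumptions for the example.

```python
"""Added example, not code from the AlienVault product: a small model of the
Compromise/Attack accumulators, the Threshold, the 15-second Recovery and the
risk > 1 alarm rule described in the manual. Assumed, not from the manual:
the per-event formula asset * priority * reliability / 25 (classic OSSIM),
the constructed inventory, and taking the larger of the S and D risks as the
event's risk."""
from ipaddress import ip_address, ip_network

RECOVERY_INTERVAL = 15  # seconds between automatic decrements, as stated in the Recovery section
DEFAULT_ASSET = 2       # assumed asset value for hosts absent from the inventory


def event_risk(asset, priority, reliability):
    """Per-event risk on the manual's 0..10 scale (assumed OSSIM formula).

    Inputs are clamped to the manual's scales: asset 0..5, priority 0..5,
    reliability 0..10, so the maximum risk is 5 * 5 * 10 / 25 = 10.
    """
    asset = min(max(asset, 0), 5)
    priority = min(max(priority, 0), 5)
    reliability = min(max(reliability, 0), 10)
    return min(asset * priority * reliability / 25.0, 10.0)


class AggregatedRisk:
    """Compromise (element as source) and Attack (element as destination) values for
    each inventory object: the host, the networks and host groups containing it, and global."""

    def __init__(self, asset_values, networks, host_groups, threshold, recovery_ratio):
        self.asset_values = asset_values      # host -> asset value 0..5
        self.networks = networks              # network name -> CIDR
        self.host_groups = host_groups        # group name -> set of hosts
        self.threshold = threshold            # Global Threshold (Configuration -> Main -> Metrics)
        self.recovery_ratio = recovery_ratio  # Recovery Ratio (same place)
        self.compromise = {}
        self.attack = {}
        self.alarms = []

    def objects_for(self, host):
        """All inventory objects whose value an event involving this host touches."""
        objs = [host]
        objs += [n for n, cidr in self.networks.items() if ip_address(host) in ip_network(cidr)]
        objs += [g for g, members in self.host_groups.items() if host in members]
        objs.append("global")
        return objs

    def process(self, src, dst, priority, reliability):
        """Qualify one event: the risk computed with the source's asset value feeds Compromise,
        the risk computed with the destination's asset value feeds Attack. Returns the event risk."""
        risk_src = event_risk(self.asset_values.get(src, DEFAULT_ASSET), priority, reliability)
        risk_dst = event_risk(self.asset_values.get(dst, DEFAULT_ASSET), priority, reliability)
        for obj in self.objects_for(src):
            self.compromise[obj] = self.compromise.get(obj, 0.0) + risk_src
        for obj in self.objects_for(dst):
            self.attack[obj] = self.attack.get(obj, 0.0) + risk_dst
        risk = max(risk_src, risk_dst)  # assumption: event risk is the larger of S and D
        if risk > 1:                    # manual: an alarm is an event with risk higher than 1
            self.alarms.append((src, dst, risk))
        return risk

    def recover(self, seconds):
        """Apply the automatic decrement once per elapsed 15-second interval; values never go below 0."""
        ticks = seconds // RECOVERY_INTERVAL
        for table in (self.compromise, self.attack):
            for obj in table:
                table[obj] = max(table[obj] - self.recovery_ratio * ticks, 0.0)

    def over_threshold(self):
        """Objects whose Compromise or Attack value currently exceeds the threshold."""
        hot = {o for o, v in self.compromise.items() if v > self.threshold}
        hot |= {o for o, v in self.attack.items() if v > self.threshold}
        return sorted(hot)


def demo():
    """Constructed scenario: ten single SSH failures against an asset-5 server from an
    external host (risk 0.8 each, no alarm), then one correlated brute-force event with
    high priority and reliability (risk 6.4, alarm)."""
    ar = AggregatedRisk(
        asset_values={"10.0.0.5": 5, "10.0.0.20": 3},
        networks={"internal": "10.0.0.0/24"},
        host_groups={"servers": {"10.0.0.5"}},
        threshold=10.0,
        recovery_ratio=1.0,
    )
    for _ in range(10):
        ar.process("203.0.113.9", "10.0.0.5", priority=2, reliability=2)
    ar.process("203.0.113.9", "10.0.0.5", priority=4, reliability=8)
    return ar
```

After `demo()` the Attack value of the server, its network, its host group and the global object is 14.4, above the threshold of 10; two minutes of recovery at ratio 1 (eight 15-second ticks) brings it back to 6.4, which is the tuning interplay the Threshold section asks you to calibrate.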
Usage
Alarm View
The default Alarm View will show the following columns:
Column - Content
Alarm - Name of the alarm: name of the directive for events generated during Correlation, or name of the event when a single event generates an alarm
Risk - Risk value from 0 to 10
Sensor - Sensor that has collected the events generating the alarm (events generating an alarm may have been collected by more than one sensor)
Since - Date and time of the first event belonging to the alarm
Last - Date and time of the last event belonging to the alarm
Source - Source of the event or events generating the alarm (there may be more than one source, but only the first is shown)
Destination - Destination of the event or events generating the alarm (there may be more than one destination, but only the first is shown)
Status - Status of the alarm: Open or Closed
Filters
To filter or show only certain alarms click on Filter, Actions and Options in the upper left corner. This will display the
following form:
This form allows filtering based on Sensor, Alarm Name, Source and Destination. Alarms can also be filtered based on the
time range in which they were generated using the following calendar:
The number of alarms displayed per page can also be configured using the parameter Num. alarms per page. The system
will show 50 alarms per page by default.
Grouped Alarms
To simplify the analysis of the alarms, alarms can be grouped based on the type of alarm, the source and the destination. To
access the grouped view of the alarms click on Grouped in the upper right corner.
A correlation directive that is not grouping enough events may be generating the same alarm many times, with the same
source and same destination in a short period of time. To avoid this we will have to modify the correlation directive.
Unique Alarms
The Unique Alarms view will group all alarms by type of alarm, to access this view click on Unique in the upper right corner.
Manage Alarms
Close Alarms
Closed Alarms will not be shown in the Web interface by default. Once an alarm has been analyzed it should be closed. This
way it will be easier to manage future alarms.
Some reports such as the compliance reports use the alarms (Closed or opened) to generate the reports, for this reason
alarms that have not been deemed a false positive should never be deleted, they should just be closed.
To close an alarm click on this icon next to the alarm that you want to close. To see both opened and closed alarms,
click on Filters, Actions and Options and unmark the checkbox next to Hide closed alarms.
To close more than one alarm click on Filters, Actions and Options, mark the checkbox next to the alarms that you wish
to close and then click on Close selected.
Delete Alarms
Only alarms that have been considered a false positive should be deleted. Alarms representing a real problem in
the network should be closed, not deleted. You can delete all alarms that happened on the same day by clicking on Delete
next to the date:
To delete more than one alarm click on Filters, Actions and Options, mark the checkbox next to the alarms that you wish
to delete and then click on Delete selected.
Analyze Alarms
Detailed View
When a correlation directive is generating events, all the events will be grouped within the same alarm. In this case the alarm
will be composed of many different types of events. To see all those events click on the green cross next to the alarm name:
This will display a new window with all the events organized by the correlation level in which the events have been collected:
Clicking on each event will show the original event in the forensic console.
Right click View
Right clicking on any IP address will show a menu that provides direct access to all the information stored by the system for
that specic IP address as shown in the following image:
New ticket
To open a new ticket in the ticketing system from an alarm, click on this icon next to the alarm.
Report
Incidents -> Alarms -> Report
Description
This page shows graphs and charts generated based on the data of the alarms generated within AlienVault.
Usage
This page features the following charts:
Top 10 Alarms
AlienVault_INTERNAL_PENDING: If this tag is set, the vulnerability scanner will not open the same ticket again.
AlienVault_FALSE_POSITIVE: If this tag is set, the vulnerability will be marked as a false positive and it will not be
opened again during a future scan.
You can add new tags by clicking on Tags in the upper right corner.
Knowledge DB
Knowledge DB
Incidents -> Knowledge DB
Description
As the name indicates, the Knowledge DB tab provides access to a user-defined, searchable knowledge base of solutions to
incidents. New documents can be created with a title, description, and key words that may be linked to a host, a host
group, a network, a network group, a ticket, a directive or a type of event. One or more files may be attached to each
document.
Usage
View Documents
The upper form can be used to search through documents; it is possible to search for a document using the AND and OR
operators.
To access a document click on the name of the document:
New Document
A new document can be added to the Knowledge Database by clicking on New Document. The system provides a rich
text editor to format the text and offers the possibility of including images in the documents.
Each document can be visible for a user or for an entity:
Edit Document
To edit a document click on this icon next to the name of the document that you wish to edit.
Delete Document
To delete a document click on this icon next to the name of the document that you wish to delete.
Change Owner
To change the owner of the document click on the icon next to the document that will modify its ownership.
Attach files
To attach a file to a document in the Knowledge DB click on the icon next to the name of the document.
Link Documents
A document in the Knowledge DB can be linked to a host, a host group, a network, a network group, a ticket, a directive or
a type of event.
To link a document just click on the icon . You will get the following form that will allow to link and unlink the document
with the different objects in your inventory, and with tickets, directives and events:
Analysis
SIEM
SIEM
Analysis -> SIEM -> SIEM
Description
The SIEM tab gives access to all the events stored (SQL Storage) when using the SIEM functionality of AlienVault. It allows
the user to do a forensic analysis of all events that have been processed by the AlienVault SIEM.
In the SIEM profile, events are qualified (a risk is calculated for every event) and correlated. Correlation generates new events
that will also be stored in the SQL database. Alarms are a special type of event, with a risk higher than 1, but, as events,
they are also stored in the SIEM profile, and you will be able to see them both in Incidents -> Alarms and in Analysis
-> SIEM.
The SIEM forensic console is divided into different sections, each explained below:
At the top of the screen you will find a trend graph showing the number of events on a time line. This time range is
modified based on the current time search criteria. On the left there is a link to see events arriving at the AlienVault Server in
Real Time:
In the upper left corner you will find two links: the first one, Search, links to the advanced search; the second one, Clear, will
clear all search criteria. In this block you can also find search boxes and drop-down boxes that will help you search for certain
events. At the bottom of this block, different links allow you to set the time and range of the events that will be used when
doing the forensic analysis.
In the upper right side of the screen, you can find the current search criteria that are being applied when getting events from
the SQL database. You can also find access to summary statistics that will show statistics based on the search criteria that are
currently being used. At the bottom of this block you will be able to configure a custom view to see certain fields of the
events stored in the SQL database.
The list of events is shown at the bottom of the screen.
The list of fields shown can be customized; by default the following fields will be visible for every event:
Timestamp: This indicates the date and time when the event occurred.
Source Address: This is the address of the source host, which can be the name of the host, its IP, or its IP and port.
Dest. Address: This is the address of the destination host, which can be the name of the host, its IP or its IP and port.
Asset S->D: Asset value of the source host of the event (S) and asset value of the destination host of the event (D). The
asset value is a number between zero and five.
Risk S->D: Risk calculated based on the source of the event (S) and risk calculated based on the destination of the event
(D).
Event Information
The SIEM stores the original event that was collected by one of the collectors deployed in the monitored network, or, in case
of Snort events, the network payload that has generated a snort alert.
The system provides some utilities to work with the payloads (Shellcode Analysis, Download in Pcap format).
Events in Database
Depending on the hardware and on the number of events per second that you are getting you may be able to store in the
SQL Database a certain number of events. When storing a lot of events in the SQL Database, the analysis gets slower and it
is harder to navigate through the AlienVault Web interface.
For this reason events are rotated every few days. In a company that is only generating a few events per day you will be able
to store events for many years, but if a company is generating a huge number of events and your hardware cannot deal
with that amount of events you may need to rotate events every 3 days.
By default the system will only keep in the database the events of the last 5 days, but this can be configured by modifying the
parameter Forensics Active Event Window in Configuration -> Main (Backup).
Active filters
When navigating through the SIEM console new filters can be applied, reducing the number of events you are working with.
It is very important to be aware of the current search criteria, because you may reach the point in which all events have been
filtered out by your search criteria.
Usage
Time range
When selecting the time range you want to work with you can reduce the amount of events you are working with and the
analysis will be much faster.
It is possible to select the time frame using a calendar displayed when clicking on the icon:
Or using one of the predefined time ranges:
The time range will appear as a filter in the Search Criteria box.
A more precise time frame definition can be set using the Advanced Search functionality.
Clickable columns
When working with a list of events or in any summary statistics view, it is possible to click on the name of a column to order
the information based on that column; clicking again on the same column will show the information in
reverse order.
Simple Search
The Simple search allows the user to filter events by name of the event (Signature), by an IP address (Source or Destination),
or by text contained in the original event that was collected by AlienVault (Payload).
The logical operators AND/OR can be used (in capital letters) when searching events by Signature or by IP address:
When searching, new filters will be applied and shown in the Search criteria box. You can clear a single filter by clicking on
Clear next to the filter you wish to clear.
Summary Statistics
Summary statistics provides useful information (Data is retrieved from the database using the search criteria) grouping events
using different criteria:
Networks
Clients
Sensors
Events
Reports
Networks
This report shows a list of wireless networks that can be found in the location. Each network is displayed with the following
properties:
Encryption Type: Type of encryption used within the wireless network (AES-CCM, TKIP, WEP, WPA, PSK...)
Notes: Optional field to enter information manually regarding this wireless network
The networks displayed can be filtered using the form on top of the table to show only trusted or untrusted networks, and also
to hide old networks.
Whether the network is trusted or not can be modified manually by clicking on the symbol in the line representing the
wireless network. Clicking on that icon will show the following form, which can also be used to enter notes and a short
description of the wireless network.
To delete a wireless network from the list click on the delete icon in the line representing the wireless network.
Clients
This report shows a list of clients connected to the wireless networks. Each client is displayed with the following properties:
MAC: Physical (MAC) address of the network device used by the client to connect to the wireless network
Type: Network connection type: Infrastructure, Ad-Hoc, tods, sendto, fromds, interds
Model: Model of the wireless device used within the wireless sensor.
Serial: Serial number of the wireless device that is being used to monitor the wireless network
Mounting Location: Description of the place where the sensor has been deployed.
To delete a sensor from a location click on the symbol next to the sensor that you wish to delete.
Modify Location
To modify the properties and the sensors related to a location click on the edit icon next to the name of the location that you want to
modify.
Delete Location
To delete a location click on the delete icon next to the location that you wish to delete.
Anomalies
Analysis -> SIEM -> Anomalies
Description
The Anomalies tab shows five types of anomalies:
Sensor
Event
IP addresses
Ports
Usage
These statistics may cause performance problems due to the heavy queries that have to be run on the SQL database every so
often. For this reason these statistics are not enabled by default.
To enable this functionality go to Configuration -> Main (Advanced), expand the category AlienVault Framework Daemon
and set the variable Enable EvenStats to Enabled.
Logger
Logger
Analysis -> Logger -> Logs
Description
The Logger allows for storage of large volumes of data while ensuring its admissibility as evidence in a court of law. The
Logger provides an additional database specifically geared for massive, long-term, forensic archiving. The Logger collects
data in its native format, digitally signs it, and time-stamps it. The data is then securely stored, preserving its integrity,
whereas the SIEM database is designed for the rapid and versatile analysis required for attack detection and response.
In the Logger, events are stored in the file system, using an AlienVault-specific schema of directories and files.
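The following Python block is an added illustration of what "digitally signs and time-stamps the data" buys a defender; it is not AlienVault's Logger code and does not reproduce its on-disk format. It assumes a keyed HMAC-SHA256 tag (a constructed key, kept outside the archive) over each raw event, its receipt timestamp and the previous record's tag, so that editing, deleting or reordering archived events is detectable on verification. The sample syslog-style lines are constructed.

```python
import hashlib
import hmac
import json

# Constructed key for this example only. In a real deployment the key would be
# kept outside the archive so that someone who can edit the files cannot re-sign them.
SIGNING_KEY = b"example-logger-key-not-for-production"


def canonical(record: dict) -> bytes:
    """Serialize a record deterministically so signer and verifier hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_event(raw_event: str, received_at: str, prev_sig: str = "", key: bytes = SIGNING_KEY) -> dict:
    """Wrap a raw event (kept verbatim, as the Logger keeps the native format) in a
    record carrying the receipt timestamp, the previous record's tag and an
    HMAC-SHA256 tag over all three. Chaining to prev_sig makes deletion or
    reordering of earlier records detectable, not just edits."""
    body = {"raw": raw_event, "received_at": received_at, "prev": prev_sig}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": tag}


def verify_event(record: dict, key: bytes = SIGNING_KEY) -> bool:
    """Recompute the tag over everything except 'sig' and compare in constant time."""
    body = {k: v for k, v in record.items() if k != "sig"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record.get("sig", ""))


def verify_archive(records: list, key: bytes = SIGNING_KEY) -> list:
    """Return the indexes of records that fail verification: a bad tag (content
    edited) or a broken chain (a record before it was removed or reordered)."""
    bad = []
    prev = ""
    for i, rec in enumerate(records):
        if not verify_event(rec, key) or rec.get("prev") != prev:
            bad.append(i)
        prev = rec.get("sig", "")
    return bad


def build_archive(raw_events: list, key: bytes = SIGNING_KEY) -> list:
    """Sign a list of (timestamp, raw_event) pairs in order, chaining each to the last."""
    archive = []
    prev = ""
    for received_at, raw in raw_events:
        rec = sign_event(raw, received_at, prev, key)
        archive.append(rec)
        prev = rec["sig"]
    return archive


# Constructed sample events (syslog-style lines), not real captures.
SAMPLE_EVENTS = [
    ("2011-03-01T10:00:01Z", "sshd[1202]: Failed password for root from 192.168.2.1 port 50122 ssh2"),
    ("2011-03-01T10:00:07Z", "kernel: DROP IN=eth0 SRC=10.0.0.9 DST=192.168.1.1 PROTO=TCP DPT=22"),
    ("2011-03-01T10:00:09Z", "sshd[1202]: Accepted publickey for admin from 10.0.0.7 port 41001 ssh2"),
]

if __name__ == "__main__":
    archive = build_archive(SAMPLE_EVENTS)
    print("intact archive, failing records:", verify_archive(archive))
    archive[0]["raw"] = archive[0]["raw"].replace("root", "guest")
    print("after editing record 0:", verify_archive(archive))
```

The chain field is what turns per-record signing into tamper-evident archiving: a signature alone proves a record was not edited, but only the link to the previous tag shows that nothing between two good records was removed.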
Usage
Time range
The Logger analysis requires working with a huge amount of data. If you reduce the number of events you are working with,
the analysis will be much faster.
You can select the time range you want to work with using a calendar or using one of the predefined time ranges.
Clicking on the bars of the graph at the top will also update the time range.
Search
The search for events stored in the Logger implements auto-completion based on the text that you type. For example, if you
enter a host name, the system will suggest searching for the given value in the host field of the events.
The following syntax can be used when searching over the events in the Logger:
sensor: IP address or name of the AlienVault Sensor that collected the event. E.g.: sensor=Vegas sensor=172.2.2.1
src: Source of the event in IPv4 format or name of the host used in the AlienVault inventory. E.g.: src=192.168.2.1
src=Web_2000
dst: Destination of the event in IPv4 format or name of the host used in the AlienVault inventory. E.g.: dst=192.168.1.1
dst=gateway
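As an added example (not AlienVault's own search implementation), the Python block below applies the two search syntaxes described in this manual to a handful of constructed normalized events: the Logger's field form (sensor=, src=, dst=, with inventory names resolved to IPs through a constructed inventory table) and the Simple Search's bare-keyword form matched against Signature and Payload, with upper-case AND/OR as the only operators. The precedence rule (AND binds tighter than OR) and the treatment of adjacent terms as ANDed are assumptions, since the manual does not state them.

```python
# Constructed host inventory (name -> IPv4) standing in for the AlienVault inventory.
INVENTORY = {"Vegas": "172.2.2.1", "Web_2000": "192.168.2.1", "gateway": "192.168.1.1"}

# Fields that accept the field=value form described for the Logger.
FIELD_TERMS = ("sensor", "src", "dst")

# Constructed normalized events; not real data.
EVENTS = [
    {"id": 1, "sensor": "172.2.2.1", "src": "192.168.2.1", "dst": "10.0.0.5",
     "signature": "SSH login failed", "payload": "Failed password for root from 192.168.2.1"},
    {"id": 2, "sensor": "172.2.2.1", "src": "10.0.0.9", "dst": "192.168.1.1",
     "signature": "Firewall deny", "payload": "DROP TCP 10.0.0.9:4444 -> 192.168.1.1:22"},
    {"id": 3, "sensor": "10.10.0.2", "src": "192.168.2.1", "dst": "192.168.1.1",
     "signature": "HTTP request", "payload": "GET /index.html HTTP/1.1"},
    {"id": 4, "sensor": "10.10.0.2", "src": "10.0.0.7", "dst": "10.0.0.8",
     "signature": "SSH login accepted", "payload": "Accepted publickey for admin"},
]


def resolve(value: str) -> str:
    """Map an inventory name (e.g. Web_2000) to its IP; IPs pass through unchanged."""
    return INVENTORY.get(value, value)


def parse_query(query: str) -> list:
    """Split a query into OR-groups of AND-terms. Only upper-case AND/OR are
    operators, as the manual states; adjacent terms without an operator are ANDed."""
    groups, current = [], []
    for token in query.split():
        if token == "OR":
            if current:
                groups.append(current)
            current = []
        elif token == "AND":
            continue
        else:
            current.append(token)
    if current:
        groups.append(current)
    if not groups:
        raise ValueError("empty query")
    return groups


def term_matches(term: str, event: dict) -> bool:
    field, sep, value = term.partition("=")
    if sep:
        if field not in FIELD_TERMS:
            raise ValueError(f"unknown search field: {field}")
        return event[field] == resolve(value)
    # Bare word: Simple Search style, matched against Signature and Payload.
    needle = term.lower()
    return needle in event["signature"].lower() or needle in event["payload"].lower()


def search(events: list, query: str) -> list:
    """Return the ids of events matching the query (AND binds tighter than OR)."""
    groups = parse_query(query)
    return [e["id"] for e in events
            if any(all(term_matches(t, e) for t in group) for group in groups)]


if __name__ == "__main__":
    for q in ("src=Web_2000", "sensor=Vegas AND dst=gateway", "ssh OR dst=192.168.1.1"):
        print(f"{q!r:40} -> {search(EVENTS, q)}")
```

Note that a lower-case "or" is just another keyword under this grammar, which is the practical consequence of the manual's "in capital letters" remark: a query that silently returns nothing is usually an operator typed in the wrong case.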
Next Scan: Time and date of the next scan of this scheduled job
Action: Icons to disable the scheduled job, enable the scheduled job, edit the scheduled job or delete the scheduled job.
All Scans
This table shows all vulnerability scans that have run, that are currently running, or that will run in the future. Each Scan Job
is displayed using the following fields:
Scan End Time: When the vulnerability scan finished or timed out
Next Scan: When the scan will be run again (scheduled scans or scans that failed)
Usage
Scan Jobs
New Scan Job
To configure a new vulnerability scanning job click on New Scan Job. The web interface will display a form to configure the
scanning parameters.
The parameters to be configured are:
Job Name: Name given to the vulnerability scanning job. If it is a scheduled job, the word SCHEDULED will be added to the
job name.
Select Server: Select the scan server (the AlienVault Sensor profile includes the OpenVAS scan server by default) from which
to perform the scan. The scan can also be configured as a distributed scan; this way the system automatically chooses
the sensor closest to the host or network being scanned. If no scanning server is selected, the default configuration is
First Available Server - Distributed Scan.
Profile: Vulnerability scan profile, that is, the set of OpenVAS or Nessus plugins enabled for the scan job.
Timeout: Maximum scan duration. If the scan takes longer, it will be cancelled.
Schedule Method: Immediately / Run Once / Daily / Day of the week / Day of the Month / Nth weekday of the month
Make this scan job visible for: Users or Entities that will have access to the scan job configuration and to the reports
generated by the scan job
Send an email notification when finished: Enable / Disable sending an email to the user who scheduled the scan job
once the scan is complete.
Only scan hosts that are alive: Runs a fast network scan (ping scan) before starting the vulnerability scan to find hosts
that are alive. This greatly speeds up the scan, but prevents the vulnerability scan from finding vulnerabilities on computers that
block ICMP requests.
Pre-Scan locally: Run the ping scan from the host running the AlienVault Web Interface
To select the targets to be scanned for vulnerabilities, you have to select them from the tree displaying all assets in the
AlienVault inventory (click on the name of the asset to add it as a target). Available targets will be displayed in a tree on the
right side; the left side will show a list of assets that have already been selected as targets to be scanned. To expand each
of the branches of the tree click on [+]; to hide a branch click on [-].
To launch the scan, click on New Job. To launch a simulation of the scan (which checks the user's permissions and the
availability of the sensors that must perform the scan), click on Configuration Check.
A process checks every 300 seconds whether there are pending scans (scheduled scans that have not been started). For this
reason it may take a few minutes before the scans start. Meanwhile, the scan will be displayed in the All Scans table.
Scheduled scans that have not been started yet will be displayed using this icon:
Running scans will be shown in the All Scans table using this icon:
To cancel the Scan Job click on the cancel icon in the line representing the Scan Job that you wish to cancel. To cancel and delete
the scheduled job click on the delete icon.
Once the scan has started you can monitor the status of the Scan Job in the Status table.
The blue line next to the text Scan in Progress is a visual representation of the number of vulnerabilities found during the
scan.
To see in real time which hosts are being scanned and which plugins are being used, place the mouse over the text Scan in
Progress. This can be useful to find out why a scan takes so long (too many targets? plugin misconfiguration?).
If for some reason the scan fails to start, it will be re-scheduled to be executed again one hour later. After three failed
attempts the scan job will be cancelled. Put the mouse over the name of the Scan Job to see whether the scan failed to start
or not.
Run Scan Now
The Run Scan Now button allows the user to configure a new scan job to be executed immediately.
Re-Run Scan Job
To rerun a Scan Job that was executed previously, click on the rerun icon in the line representing the Scan Job that you
want to run again (All Scans table). The scan will be executed using its original configuration parameters.
Delete Scan Job
To delete a Scan Job click on the delete icon in the line representing the Scan Job that you want to delete. This will delete the reports
generated by the Scan Job (if any) as well as the Scan Job configuration. (All Scans table)
Scheduled Jobs
Delete Scheduled Job
To delete a scheduled job click on the delete icon in the line representing the scheduled job that you want to delete. (Scheduled Jobs
table)
Modify Scheduled Job
To modify a scheduled job click on the edit icon in the line representing the scheduled job that you want to modify. (Scheduled
Jobs table)
Enable Scheduled Job
To enable a disabled scheduled job click on the enable icon in the line representing the scheduled job that you want to enable.
(Scheduled Jobs table)
Disable Scheduled Job
To disable an enabled scheduled job click on the disable icon in the line representing the scheduled job that you want to disable.
(Scheduled Jobs table)
Reports
View Reports
A report is generated once the Scan Job is finished. Reports are generated in HTML, CSV, PDF and NBE
format. To access the reports click on the report icon in the line representing the Scan Job in the All Scans table.
Delete Reports
To delete vulnerability scan reports click on the delete icon in the line representing the Scan Job that you want to delete. This will delete
the reports generated by the Scan Job (if any) as well as the Scan Job configuration. (All Scans table)
Vulnerability Scan Profiles
The vulnerability scan profiles are the groups of plugins (Nessus or OpenVAS plugins) that can be used for vulnerability
scanning. AlienVault includes a number of predefined vulnerability scan profiles. Users also have the ability to create their
own.
By creating scanning profiles, the vulnerability scan jobs are greatly accelerated because only plugins that may be useful in
your network are used.
It is also possible to create groups of plugins to monitor compliance, enabling only the plugins that monitor
compliance control objectives.
To access the configuration of the scan profiles click on Profiles in the upper right corner.
Threats Database
Analysis -> Vulnerabilities -> Threats Database
Description
This page displays the vulnerability scanner rules loaded in the database to be used in the vulnerability scans. These rules
can be OpenVAS rules or Nessus rules. The default installation includes a set of OpenVAS rules.
The rules are listed grouped by family and by severity.
Usage
To access each of the vulnerability scanner plugins, click on the value shown in the Severity column next to the group of
plugins. This will show all plugins belonging to the family with the chosen severity.
Click on the back icon to go back.
To access information on each plugin, put the mouse over the numerical value shown in the ID column.
Most of the plugins contain a CVE identifier referring to the vulnerability that the plugin can detect. Click on the CVE Id in the
CVE Id column for more information about this vulnerability.
Search Plugins
A search box is displayed at the top of the page so the user can filter the plugins by keywords, CVE, Risk and by date. Enter
your search criteria and click on Search.
Reports
The AlienVault Reporting system offers users the ability to generate complete reports based on the information collected by
AlienVault.
The information displayed in the reports is gathered from the SIEM and Logger storage systems. When the report is
generated the system respects the permissions defined for each user; this way only assets that can be monitored by this user will
be included in the report. The user permissions can be changed in Configuration -> Users.
Each report is a combination of sub-reports or modules. The default AlienVault installation includes more than 2000 modules
that can be used within reports. Some of them provide enough information to be used as a new report composed of just a
single reporting module.
In addition to the default reports, each user can easily define new reports without modifying the source code. This is done
simply by using a series of forms in the AlienVault Web interface.
For the generation of a new report the user must configure the following aspects:
Report Name
Date range
Layout
Page Break
Title Page
DAY: YY-MM-DD
HOUR: HH-MM-SS
Schedule Type: Type of schedule: Daily, Run Once, Day of the Week or Day of the Month.
Launch time: Shows the configuration of the schedule type (At what hour will it be generated? What day of the
month? What day of the week?)
Next Launch: Shows the time and date at which the report will be generated again.
Host Group
Network
Network Groups
All hosts
Assets are also shown grouped by the entities they belong to.
The tree on the right shows the assets grouped by:
Operating System
Services
Software
Work Group
Role
Department
Mac Address
CPU
Ram
Usage
To expand each of the branches of the tree click on +. To hide a branch click on -. The tree on the left can also include the
users within the entity they belong to. To do this click on With users at the bottom of the tree.
Hosts
Assets -> Assets -> Hosts
Description
This section offers access to the list of inventoried hosts within AlienVault. Certain events will only be stored when the host
involved in generating the events belongs to the network that is being monitored. For this reason only assets belonging to
the network that is being monitored should be included in the AlienVault inventory.
Each host in AlienVault has the following properties:
FQDN/Aliases: Fully qualified domain name (FQDN). A host can have more than one alias, separated by commas.
Description: Short text describing, for example, the role of the host within the network.
Sensors: AlienVault Sensors monitoring the network the host belongs to.
RRD Profile: Profile to be used with the RRD Aberrant Behavior Plugin (anomalies based on information provided by
Ntop)
Hostname: Alphanumeric characters with no spaces. Some symbols such as - _ can also be used in the Hostname
field.
FQDN/Aliases: Fully qualified domain name (FQDN). A host can have more than one alias, separated by commas.
Description: Alphanumeric characters and spaces. Some symbols such as - _ can also be used.
OS: Alphanumeric characters and spaces. Some symbols such as - _ can also be used.
Mac Address: Six groups of two hexadecimal digits, separated by colons (:)
Mac Vendor: Alphanumeric characters and spaces. Some symbols such as - _ can also be used.
Modify a Host
To modify the properties of a host select the host in the grid using a single left click and then click on Modify.
The system will display the following screen, allowing you to change the properties of the host.
In addition to the properties described previously, when inserting a host the system will show a list of services running on the
host. Using this list, the system can automatically set up Nagios checks to monitor the availability of the services.
AlienVault automatically populates each host's services using the information provided by Pads (Passive Asset Detection
System). This information can also be completed using the active scanning tool (Nmap), which can be found at Tools -> Net
Discovery.
The table in the upper right shows the list of services of the host. To run an active scan (using Nmap) in real time to update
the list of services click on Scan. The checkbox in the column named Nagios indicates whether AlienVault should
automatically configure Nagios to monitor the availability of the service (checkbox enabled) or not (checkbox disabled).
By default, this will be monitored from the Nagios installed in the AlienVault box running the AlienVault Web interface, so
make sure that it can reach the IP address that needs to be monitored.
If you wish to delete one of the services click on the delete icon.
To manually add a new service use the form called Add new service, enter the port and protocol, select whether you want to
enable Nagios (Availability Monitoring) for that service or not and click on OK.
Delete a Host
To delete a host, click on the host (single left click) and then click on Delete Selected.
Duplicate Hosts
To duplicate a host, click on the host (single left click) and then click on Duplicate Selected.
You will then be able to modify the properties as if you were inserting a new host.
Edit Credentials
To perform a detailed inventory of the software and hardware installed on the host, you can define credentials to log into the host
remotely. These credentials will also be used in the future to perform vulnerability scans that take into account the software
installed on each machine that cannot be accessed remotely.
To edit the credentials of a host click on the host (single left click) and then click on Edit Credentials.
Select the type of authentication that will be used to log in remotely to the host:
AD (Active Directory)
SSH
Windows
Enter the username and password and click on Update.
Import CSV
A CSV file containing a list of hosts can be imported to fill in the AlienVault inventory. To do this click on Import CSV.
The CSV must use the following format:
IP;hostname;FQDNs(FQDN1,FQDN2,... );Description;Asset;NAT;Sensors(Sensor1,Sensor2,...);Operating System
Example:
192.168.10.3*;Host_1;www.example-1_esp.es,www.example-2_esp.es;Short description of host;2;;192.168.10.2,192.168.10.3;Windows**
The following operating systems can be used: Windows, Linux, FreeBSD, NetBSD, OpenBSD, MacOS, Solaris, Cisco,
AIX, HP-UX, Tru64, IRIX, BSD/OS, SunOS, Plan9 or IPhone
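The Python block below is an added example of validating an import file in the CSV format described above before it reaches the inventory; it is not AlienVault's importer. It applies the rules this manual gives for host properties (IPv4 address, hostname without spaces, allowed operating systems, comma-separated FQDNs and sensors) and rejects a row as a whole when any field fails, so that a malformed line cannot create a half-described asset that later silently drops events. Treating the Asset column as an integer is an assumption; the sample rows are constructed.

```python
import csv
import io
import ipaddress
import re

# Operating systems accepted by the import, as listed in the manual.
ALLOWED_OS = {
    "Windows", "Linux", "FreeBSD", "NetBSD", "OpenBSD", "MacOS", "Solaris", "Cisco",
    "AIX", "HP-UX", "Tru64", "IRIX", "BSD/OS", "SunOS", "Plan9", "IPhone",
}
# Hostname: alphanumeric, no spaces, '-' and '_' allowed (the host property rules above).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")
COLUMNS = ("ip", "hostname", "fqdns", "description", "asset", "nat", "sensors", "os")


def _split_list(cell: str) -> list:
    """FQDNs and Sensors are comma-separated inside one ';'-delimited cell."""
    return [item.strip() for item in cell.split(",") if item.strip()]


def parse_host_row(row: list) -> tuple:
    """Validate one CSV row. Returns (host_dict, errors); host_dict is None if
    any error was found so a bad row never reaches the inventory half-formed."""
    errors = []
    if len(row) != len(COLUMNS):
        return None, [f"expected {len(COLUMNS)} ';'-separated columns, got {len(row)}"]
    rec = dict(zip(COLUMNS, (c.strip() for c in row)))
    try:
        rec["ip"] = str(ipaddress.IPv4Address(rec["ip"]))
    except ValueError:
        errors.append(f"invalid IPv4 address: {rec['ip']!r}")
    if not HOSTNAME_RE.match(rec["hostname"]):
        errors.append(f"invalid hostname: {rec['hostname']!r}")
    if rec["os"] not in ALLOWED_OS:
        errors.append(f"unsupported operating system: {rec['os']!r}")
    # Asset value is treated as an integer here (assumption; the manual only names the column).
    try:
        rec["asset"] = int(rec["asset"])
    except ValueError:
        errors.append(f"asset must be an integer: {rec['asset']!r}")
    rec["fqdns"] = _split_list(rec["fqdns"])
    rec["sensors"] = _split_list(rec["sensors"])
    for sensor in rec["sensors"]:
        try:
            ipaddress.IPv4Address(sensor)
        except ValueError:
            errors.append(f"invalid sensor address: {sensor!r}")
    return (rec if not errors else None), errors


def import_hosts(text: str) -> tuple:
    """Parse a whole CSV document; returns (hosts, errors) with errors as (line, message)."""
    hosts, errors = [], []
    for line_no, row in enumerate(csv.reader(io.StringIO(text), delimiter=";"), start=1):
        if not row or all(not c.strip() for c in row):
            continue  # skip blank lines
        host, row_errors = parse_host_row(row)
        if host:
            hosts.append(host)
        errors.extend((line_no, msg) for msg in row_errors)
    return hosts, errors


# Constructed sample import; the last two rows are deliberately invalid.
SAMPLE_CSV = """\
192.168.10.3;Host_1;www.example-1.test,www.example-2.test;Short description of host;2;;192.168.10.2,192.168.10.3;Windows
192.168.10.4;db-01;db.example.test;Database server;3;;192.168.10.2;Linux
192.168.10.999;bad host;;;1;;192.168.10.2;Linux
192.168.10.5;Host_5;;;2;;192.168.10.2;Amiga
"""

if __name__ == "__main__":
    hosts, errors = import_hosts(SAMPLE_CSV)
    print(f"{len(hosts)} hosts accepted, {len(errors)} problems")
    for line_no, msg in errors:
        print(f"  line {line_no}: {msg}")
```

Reporting every problem on a row, rather than stopping at the first, matters when the file comes from another asset system: the operator gets one pass over all defects instead of re-importing once per error.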
Apply Changes in Hosts
Some properties of the hosts are used when processing the events arriving at the Logger or SIEM. For this reason, once you
have finished inserting or modifying the hosts, click on Apply. This will reload all host information in the SIEM and Logger.
Host groups
Assets -> Assets -> Host Groups
Description
Host Groups are used to create a new object that groups hosts from the same network or from different networks. Host Groups
can be used to create policy exceptions, run vulnerability scans against the host group, or create reports only for hosts
belonging to the host group.
A Host Group has the following properties in AlienVault:
Description: Short text describing, for example, the role of the hosts that are part of this Host Group. Alphanumeric characters
and spaces.
Sensors: AlienVault Sensors monitoring the hosts that belong to the Host Group.
Scan options: Enable/Disable availability monitoring of the Host Group (Nagios). This needs to be enabled in every host
included in the Host Group.
RRD Profile: Profile to be used with the RRD Aberrant Behavior Plugin (anomalies based on information provided by
Ntop)
Name: Alphanumeric characters and spaces. Some symbols such as - _ can also be used in the Hostname field.
Description: Alphanumeric characters and spaces. Some symbols such as - _ can also be used.
Description: Short text describing, for example, the role of the hosts that are part of this Host Group.
Sensors: AlienVault Sensors monitoring the hosts that belong to the Host Group.
Scan options: Enable/Disable availability monitoring of the Host Group (Nagios). This needs to be enabled in every host
included in the Host Group.
RRD Profile: Profile to be used with the RRD Aberrant Behavior Plugin (anomalies based on information provided by
Ntop)
Name: Alphanumeric characters with no spaces. Some symbols such as - _ can also be used in the Hostname field.
CIDR: IP address and prefix size, the latter being the number of leading 1 bits of the routing prefix. The IP address is
expressed according to the IPv4 standard. It is followed by a separator character, the forward slash (/), and
the prefix size expressed as a decimal number. (E.g.: 192.168.100.1/24)
Description: Alphanumeric characters and spaces. Some symbols such as - _ can also be used.
Description: Short text describing the role of the networks that are part of the network group
RRD Profile: Profile to be used with the RRD Aberrant Behavior Plugin (anomalies based on information provided by
Ntop)
Name: Alphanumeric characters and spaces. Some symbols such as - _ can also be used in the Hostname field.
Description: Alphanumeric characters and spaces. Some symbols such as - _ can also be used.
Network: Enter the name given to the Network (Assets -> Networks) or the network in CIDR format.
Inventory: Enter an operating system or the name of a service (Assets -> Hosts)
Vulnerability: Enter a text string that will be searched for in the vulnerabilities found on the hosts (Analysis ->
Vulnerabilities)
Tickets: Enter a text string that will be searched for in the ticketing system (Incidents -> Tickets)
Security Events: Enter a text string that will be searched for in the events stored in the SIEM (Analysis -> SIEM) and in
the Logger system (Analysis -> Logger)
Once you have defined your search criteria click on Search; if one or more hosts match your search criteria you
will get a list as the result of the search.
The search results are shown in a table with the following columns:
Host/Network: Hostname, IP address, name of the network the host belongs to, and network in CIDR format
Events: Number of events in the SIEM and in the Logger from the host
Traffic Profile: Link to Ntop graphs regarding the network traffic generated by the host
Clicking on the name of the host will take you to the Host Report.
This Host Report includes all the information that the system has regarding a host, such as:
Alarms
Vulnerabilities
Tickets
Services
Operating system
Network Usage
Predefined Search
Using the Advanced Search functionality you can create predefined searches. You can use these predefined searches by
clicking on Predefined Searches.
Advanced
Assets -> Asset Search -> Advanced
Description
Advanced Asset Search allows more complex searches over all the data stored in AlienVault. These searches can be saved as
predefined searches.
This allows a user with greater technical knowledge to create searches that may be used by an operator with less knowledge.
Usage
Searches are created by combining search conditions. These conditions can be combined using the OR and AND logical
operators. After entering the description you will have to select whether ALL conditions should be met (AND operator) or ANY
condition should be met (OR operator).
Then select the condition or lter you would like to include from the drop-down list. Several conditions can be used:
Operating System
Services
Mac Address
Vulnerabilities
SIEM Events
META
Alarms
Ticket
Asset
Properties
Each condition will have its own options, for example if we choose Vulnerabilities, we will get the following options:
Has Vuln
Vuln Contains
Has Vulns
Has no Vulns
Host/Network: Hostname, IP address, name of the network the host belongs to, and network in CIDR format
Events: Number of events in the SIEM and in the Logger from the host
Traffic Profile: Link to Ntop graphs regarding the network traffic generated by the host
Clicking on the name of the host will take you to the Host Report.
This Host Report includes all the information that the system has regarding a host, such as:
Alarms
Vulnerabilities
Tickets
Services
Operating system
Network Usage
Predefined Search
Once you have created all the search conditions you can save the search as a predefined search by clicking on Save
Current.
To delete a predefined search select the search that you wish to delete and click on Delete.
SIEM Components
Sensors
Assets -> SIEM Components -> Sensors
Description
The AlienVault Sensor is the component in charge of collecting and normalizing the events generated by the Data Sources.
Multiple Data Sources will feed events to the AlienVault Sensors, such as firewalls, antivirus, AD, databases, and any other
application or device that was used in the network before AlienVault was deployed. Some other Data Sources will be running
in the same box as AlienVault. We usually refer to these Data Sources as AlienVault Data Sources.
Snort, Ntop, Arpwatch, Pads, P0f, Fprobe and many others are AlienVault Data Sources. When a Sensor has no
AlienVault Data Sources installed on it, we say that this sensor is a collector only. When a Sensor is both collecting
events and generating events (because the AlienVault Data Sources are running on it), we say that this sensor is
combining the Collector and the AlienVault Data Sources in the same box.
Sensor IP addresses must be unique within the AlienVault deployment, because a deployment may be monitoring the same
range of IP addresses in two different locations. For this reason, hosts and networks will always be related to
Sensors, and they should only be related to the sensors that are collecting events or traffic from the network. This is also
helpful when running vulnerability scans or the monitor requests issued during correlation: these will always be done from
the sensors associated with the network or hosts and not from any other sensor in the AlienVault deployment.
An AlienVault deployment can have as many Sensors as required; the number of Sensors will basically depend on the
number of networks that need to be monitored and on the geographical distribution of the corporation being monitored.
When a Sensor is sending events to the AlienVault Server and it has not been configured, you will see a message in the Web
Interface and you will have to insert the new Sensor.
Usage
New Sensor
To insert a new Sensor click on New in the upper left side.
You will have to fill in the following properties:
Hostname: Name of the Sensor. Alphanumeric characters and spaces. Some symbols such as - _ can also be used
in the Hostname field.
IP: IP address of the Sensor in IPv4 format. In case the sensor has multiple IP addresses you should enter the IP address
that will be used to send events to the AlienVault Server.
Description: Short description of the Sensor (location, networks monitored...). The description field is optional.
Modify a Sensor
To modify the properties of a Sensor select the Sensor in the grid using a single left click and then click on Modify.
Apart from the IP address and the priority of the Sensor, some other properties can be modified.
The Web interface needs to know the interfaces (network cards) running in promiscuous mode (collecting traffic). This way
you can switch between interfaces in Monitor -> Network -> Profile (Ntop Web Interface). You can also configure the main
interface, which will be the default one when using the Ntop Web interface.
Enter the interface (as assigned by the operating system, e.g.: eth0, wlan0, en0, eth3...) and click on Insert. To delete an
interface, click on Delete next to the interface that has to be deleted.
After that you can configure the tools that will be used from this Sensor. Notice that the tools also need to be enabled in the
AlienVault_setup.conf file in the Sensor.
If you have Nagios installed and running in the Sensor you can enable Nagios; this way you will be able to switch between your
different Nagios installations in the page Monitor -> Availability.
The default installation of the Sensor profile will also install Ntop. Enable Ntop to be able to see the Ntop Web interface of
your Sensor from the AlienVault Web Interface.
If you enable the vulnerability scanner, the Sensor will be used when running distributed vulnerability scans. It will ask you to
enter the user and password that have to be used to connect remotely to the vulnerability scanning server (OpenVAS or
Nessus). The default user will always be AlienVault, and the password will be the password stored in the file
AlienVault_setup.conf (in the Sensor) in the variable pass.
If your sensor has also been configured to run Kismet to monitor your wireless networks, enable Kismet in the Sensor
properties.
The last part of the Sensor properties refers to flow collection. Fprobe is also installed and configured automatically to
generate flows based on the network traffic the Sensor is collecting. The flows should be sent to the AlienVault box
running the Web Interface (Framework profile). Each Sensor or device generating flows will use a different port to send the
flows, and a different color can be used to identify the flows depending on the device that generated them.
Select the color that will identify the flows generated by the Sensor and click on Configure and Run. For more information on
how to configure flow collection please refer to the section Network -> Traffic.
Delete a Sensor
To delete a Sensor, click on the Sensor (single left click) and then click on Delete Selected.
Apply changes
Once you have inserted or modified the Sensors click on Apply. This will send a signal to the AlienVault Server to reload all
the information regarding the Sensors that is used during correlation and in Policies.
Servers
PRO ONLY
Assets -> SIEM Components -> Servers
Description
A simple AlienVault deployment will have a single server working as SIEM and Logger. Large and complex deployments can
have multiple servers at multiple levels. Each server will always be configured to report to another server, except the server on top,
which is called the master server and does not need another server above it.
A multi-level deployment allows correlation at multiple servers and even storage at different levels. Using policies, you can
define what types of events and alarms will be exchanged with each server, and what each server will do with each type
of event. In this section you will basically need to insert all the AlienVault Servers that are part of your deployment, and the
characteristics that will be enabled in each Server. If you have a single Server in your deployment you don't need to insert
your server in this section.
Usage
New Server
To insert a new Server click on New in the upper left side.
You will have to fill in the following properties:
IP: IP address of the AlienVault Server (the IP address used by the Sensors to send events to the AlienVault Server)
SIEM: Enable/Disable the SIEM functionality. If enabled, the following properties can also be enabled or disabled:
Qualify Events: Risk calculation for the events (Intrinsic Risk and Aggregated Risk)
Logger: Enable/Disable the Logger functionality. If enabled, the following properties can also be enabled or disabled:
Sign: Enable/Disable the digital signature for events stored in the Logger
Multilevel: Enable/Disable the forwarding functionality. If enabled, the following properties can also be enabled or disabled:
IP: IP address of the host running the database. MySQL must be listening on that IP address (bind-address parameter in
my.cnf)
Risk assessment: A risk is assigned to each event taking into account the type of event and the assets involved in the
generation of the event.
Correlation: Correlation is the process of transforming several input events into new output events. Using
correlation AlienVault can transform two or more input events into a more reliable output event. Events generated during
the correlation process are re-injected into the AlienVault Server and processed the same way as if they were being
sent by one of the Sensors.
Forwarding: The AlienVault Server may be configured to send events and alarms to an upper Server (Parent Server) in
multi-level deployments.
SQL Storage: Events processed by the SIEM are stored in a SQL database (MySQL database).
In the case of the Logger, the system signs the stored events to ensure their integrity, so that they can be used as evidence in
court.
When defining a policy it is necessary to define the conditions that the events must meet in order to match one of the policy
rules.
Policy rules also define which features of the SIEM and Logger will be enabled to process the events matching the policy
rules.
Policy rules are applied in descending order, and when an event matches a rule the system stops processing that event, so
it will not be able to match any other policy rule defined later. For this reason the generic policy rules should always be
defined after the policy rules used to configure exceptions for certain events: a generic rule placed above an exception
shadows it, and the exception never fires.
This page shows a series of tables; each table is a group of policies. These are the fields shown for each policy rule:
Priority: Whether the priority of the events matching this policy rule has to be modified or not, and if modified, the value of
the new priority (only applies if SIEM is enabled)
Source: Sources matching this policy rule (Hosts, Host Groups, Networks, Network Groups...)
Destination: Destinations matching this policy rule (Hosts, Host Groups, Networks, Network Groups...)
Port Group: Destination port of the events that will match this policy rule.
Plugin Group: Group of event types matching this policy rule.
Sensors: Sensor or Sensors collecting the events matching this policy rule
Time Range: Time period in which this policy rule will be enabled.
Targets: Servers in which this policy rule will be installed (multi-level deployments)
Correlate: Enables / Disables logical correlation for the events matching this policy rule (only applies if SIEM is enabled)
Cross Correlate: Enables / Disables cross correlation for the events matching this policy rule (only applies if SIEM is
enabled)
Store: Enables / Disables SQL storage for the events matching this policy rule (only applies if SIEM is enabled)
Qualify: Enables / Disables risk calculation for the events matching this policy rule (only applies if SIEM is enabled)
Resend Alarms: Enables / Disables alarm forwarding to an upper server for the events matching this policy rule
Resend Events: Enables / Disables event forwarding to an upper server for the events matching this policy rule
SIEM: Enables / Disables the SIEM for the events matching this policy rule
Logger: Enables / Disables the Logger for the events matching this policy rule
Sign: Enables / Disables the digital signature of the events matching this policy rule when they are stored in the Logger
(only applies if Logger is enabled)
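The first-match ordering described above, as an added example that is my own code and not the manual's or AlienVault's: a small model of policy evaluation run over constructed rules and events. The rule names, networks, sensor name, the "hour" time-range field and the sample event are assumptions; plugin ID 4003 is the SSH plugin ID the manual uses later for its SSH brute-force directive. Swapping the two rules shows the exception being shadowed by the generic rule.

```python
# Added example (not from the AlienVault manual or code): first-match evaluation of
# policy rules. Networks, sensor names, rule names and the event are constructed.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ANY = None  # None in a condition means "ANY", as in the policy form

# What happens to an event when no rule matches: every SIEM/Logger feature stays on.
DEFAULT_CONSEQUENCES = {
    "siem": True, "qualify": True, "correlate": True, "cross_correlate": True,
    "store": True, "logger": True, "sign": True, "priority": None,
}

@dataclass
class PolicyRule:
    name: str
    source: Optional[list] = ANY        # list of CIDR strings, or ANY
    dest: Optional[list] = ANY
    port_group: Optional[set] = ANY     # destination ports
    plugin_group: Optional[set] = ANY   # (plugin_id, plugin_sid or ANY) pairs
    sensors: Optional[set] = ANY
    hours: Optional[range] = ANY        # time range, hours of the day (assumed field)
    consequences: dict = field(default_factory=dict)

def _in_nets(nets, ip):
    if nets is ANY:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)

def _in_plugin_group(group, event):
    if group is ANY:
        return True
    return any(pid == event["plugin_id"] and sid in (ANY, event["plugin_sid"])
               for pid, sid in group)

def rule_matches(rule, event):
    return (_in_nets(rule.source, event["src_ip"])
            and _in_nets(rule.dest, event["dst_ip"])
            and (rule.port_group is ANY or event["dst_port"] in rule.port_group)
            and _in_plugin_group(rule.plugin_group, event)
            and (rule.sensors is ANY or event["sensor"] in rule.sensors)
            and (rule.hours is ANY or event["hour"] in rule.hours))

def evaluate(rules, event):
    """Rules are tried top to bottom; the first match wins and evaluation stops."""
    for rule in rules:
        if rule_matches(rule, event):
            return rule.name, {**DEFAULT_CONSEQUENCES, **rule.consequences}
    return "default", dict(DEFAULT_CONSEQUENCES)

# Exception: SSH failures caused by the authorised vulnerability scanner go to the Logger only.
SCANNER_EXCEPTION = PolicyRule(
    name="scanner exception",
    source=["10.0.0.5/32"],
    plugin_group={(4003, ANY)},           # 4003: SSH plugin ID used in the manual
    consequences={"siem": False, "qualify": False, "correlate": False, "store": False},
)
# Generic rule: SSH failures against the DMZ get a raised priority.
DMZ_GENERIC = PolicyRule(
    name="dmz ssh generic",
    dest=["192.0.2.0/24"],
    port_group={22},
    plugin_group={(4003, ANY)},
    consequences={"priority": 4},
)

SCANNER_EVENT = {  # constructed normalised event
    "plugin_id": 4003, "plugin_sid": 1, "src_ip": "10.0.0.5",
    "dst_ip": "192.0.2.10", "dst_port": 22, "sensor": "dmz-sensor", "hour": 3,
}

if __name__ == "__main__":
    print(evaluate([SCANNER_EXCEPTION, DMZ_GENERIC], SCANNER_EVENT))
    # Generic rule first: the exception is never reached.
    print(evaluate([DMZ_GENERIC, SCANNER_EXCEPTION], SCANNER_EVENT))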
Usage
New Policy Rule
To create a new Policy Rule click on New within the Policy Group in which you would like to include the new policy rule.
This will show the following screen.
When creating a new policy rule you will have to define the conditions that have to be met for the events to match that policy
rule, as well as the consequences that the policy will have when the events are processed by the AlienVault Server.
The following conditions have to be configured when creating a policy rule:
Source
Insert in Source the Assets (Networks, Hosts, Host Groups, Network Groups) that must appear in the Source IP field of
the events matching this policy. By default the source will be set to ANY.
You can also filter the hosts shown in the tree by writing a search string in the box above the tree and clicking on Filter.
If you want to create a policy rule using IP addresses that do not belong to your inventory, type the IP address in the box
above the tree and click on Insert.
Dest (Destination)
Insert in Dest the Assets (Networks, Hosts, Host Groups, Network Groups) that must appear in the Destination IP field of the
events matching this policy. By default the destination will be set to ANY.
You can also filter the hosts shown in the tree by writing a search string in the box above the tree and clicking on Filter.
If you want to create a policy rule using IP addresses that do not belong to your inventory, type the IP address in the box
above the tree and click on Insert.
Ports
In Ports you can configure the port that must appear as destination port in your events. By default this will be set to ANY. If
you want to create a policy rule that only matches events having one or more specific destination ports, create the Port Group
first (refer to the documentation of Assets -> Ports) and then select the Port Group in this Policy form.
Plugin Group
In Plugin Group you need to select which types of events will match this policy rule. By default this value will be set to
ANY, which means that every event type will match this policy. To select only certain events you need to create a Plugin Group
first. Please refer to the documentation of Plugin Groups (Configuration -> Collection -> Plugin Groups) to learn how to
create Plugin Groups.
Sensors
When the events are processed by the AlienVault Server, the Server knows the Sensor that was collecting the event. You can
also create a Policy that works only for events collected by certain Sensors. By default the policy will match events coming
from ANY sensor.
Install in
PRO ONLY
In multilevel deployments where multiple servers are deployed, you can configure a policy rule in your Master Server and
install that policy in one of the child servers. By default policies will be installed on every Server.
Time Range
A policy can be enabled only at certain time during the week, for example, at night, or during the weekend.
The consequences of the policy are configured in the last tab, called Policy Consequences:
On the left side you will find the actions. Actions can be linked to policies, so whenever a policy is matched the system can
automatically launch an action to send an e-mail or run a Linux command. This allows creating firewall rules automatically,
sending SMS, shutting down a host remotely...
Actions are inserted in the tab Intelligence -> Policy & Actions -> Actions. Please refer to the documentation of that section
to see how to insert new Actions.
Actions on the left side will be executed whenever an event matches the policy rule. You can drag and drop actions from
the right side to the left side, or click on Add All if you want to execute them all. If you want to stop executing one of the
actions, drag and drop it from the left side to the right side, or click on Remove all to stop executing all the actions that
were enabled.
These are the rest of the consequences that can be used to create exceptions for certain events:
Priority: Modifies the priority of the events, overriding the default priority for that type of event (this affects risk calculation)
SIEM: Enable/Disable the SIEM functionality. If enabled, the following properties can also be enabled or disabled:
Qualify Events: Risk calculation for the events (Intrinsic Risk and Aggregated Risk)
Logger: Enable/Disable the Logger functionality. If enabled, the following properties can also be enabled or disabled:
Multilevel: Enable/Disable the forwarding functionality. If enabled, the following properties can also be enabled or disabled:
Send an E-mail
Run a command
Open a Ticket
These actions will always be executed in the AlienVault box running the Web interface profile (Framework).
When defining an action you can use the following keywords. Each keyword is replaced by the value of the corresponding
field of the events matching the policy rule. Keep in mind that fields such as USERNAME, FILENAME and USERDATA1-9
carry text taken from the original log, so whatever is substituted into a Run a command action must be quoted before it
reaches a shell.
DATE
PLUGIN_ID
PLUGIN_SID
RISK
PRIORITY
RELIABILITY
SRC_IP_HOSTNAME
DST_IP_HOSTNAME
SRC_IP
DST_IP
SRC_PORT
DST_PORT
PROTOCOL
SENSOR
BACKLOG_ID
EVENT_ID
PLUGIN_NAME
SID_NAME
USERNAME
PASSWORD
FILENAME
USERDATA1
USERDATA2
USERDATA3
USERDATA4
USERDATA5
USERDATA6
USERDATA7
USERDATA8
USERDATA9
When creating the action you can also configure the action to be executed only if the events matching the policy have
become alarms (risk >= 1).
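Keyword substitution for an action, as an added example that is my own code and not from the manual or from AlienVault. The keyword names are the ones listed above; the regular-expression substitution, the sample event, the e-mail template, the `block-source.sh` script and the alarm-only gate are my assumptions. The point it makes is the one a practitioner cares about: USERNAME, FILENAME and USERDATA fields come straight from the log being parsed, so a Run a command action must quote them before they reach a shell.

```python
# Added example (not from the AlienVault manual or code): expanding action keywords into
# an e-mail text and into a shell command. Event and templates are constructed.
import re
import shlex

KEYWORDS = ["DATE", "PLUGIN_ID", "PLUGIN_SID", "RISK", "PRIORITY", "RELIABILITY",
            "SRC_IP_HOSTNAME", "DST_IP_HOSTNAME", "SRC_IP", "DST_IP", "SRC_PORT",
            "DST_PORT", "PROTOCOL", "SENSOR", "BACKLOG_ID", "EVENT_ID", "PLUGIN_NAME",
            "SID_NAME", "USERNAME", "PASSWORD", "FILENAME"] + [f"USERDATA{i}" for i in range(1, 10)]

# Longest keyword first and word boundaries on both sides, so SRC_IP does not eat
# SRC_IP_HOSTNAME and DATE does not match inside a word such as UPDATE.
_KEYWORD_RE = re.compile(r"\b(?:" + "|".join(sorted(KEYWORDS, key=len, reverse=True)) + r")\b")

def expand_text(template, event):
    """Plain substitution, suitable for an e-mail subject/body or a ticket description."""
    return _KEYWORD_RE.sub(lambda m: str(event.get(m.group(0), "")), template)

def expand_command(template, event):
    """Shell substitution: every value becomes exactly one argument, however hostile the
    log text is (USERNAME, FILENAME and USERDATA* were written by whoever produced the log)."""
    return _KEYWORD_RE.sub(lambda m: shlex.quote(str(event.get(m.group(0), ""))), template)

def argv(command):
    """How a shell tokenises the command into words (shlex does not split on ';' itself)."""
    return shlex.split(command)

def should_run(event, only_alarms):
    """The 'only if the events became alarms' option: an alarm means risk >= 1."""
    return not only_alarms or float(event.get("RISK", 0)) >= 1

# Constructed event; the username was chosen by the attacker, not by us.
EVENT = {"DATE": "2011-03-01 02:14:07", "PLUGIN_ID": 4003, "PLUGIN_SID": 1,
         "PLUGIN_NAME": "ssh", "SID_NAME": "Failed password", "RISK": 2, "PRIORITY": 3,
         "RELIABILITY": 6, "SRC_IP": "203.0.113.7", "DST_IP": "192.0.2.10",
         "DST_PORT": 22, "SENSOR": "dmz-sensor", "USERNAME": "guest; rm -rf /"}

MAIL_TEMPLATE = "PLUGIN_NAME: SID_NAME for USERNAME from SRC_IP to DST_IP:DST_PORT (risk RISK)"
CMD_TEMPLATE = "/usr/local/sbin/block-source.sh SRC_IP USERNAME"   # hypothetical script

if __name__ == "__main__":
    print(expand_text(MAIL_TEMPLATE, EVENT))
    print(expand_command(CMD_TEMPLATE, EVENT))            # three words, as intended
    print(expand_text(CMD_TEMPLATE, EVENT))               # unquoted: the shell would run rm -rf /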
Modify an action
To modify an action select the action in the grid using a single left click and then click on Modify.
Delete an action
To delete an action select the action in the grid using a single left click and then click on Delete Selected.
Correlation Directives
Directives
Intelligence -> Correlation Directives -> Directives
Description
Correlation
Event correlation is a technique for making sense of a large number of events and pinpointing the few events that are really
important in that mass of information.
AlienVault can correlate events generated by any tool or device regardless of the type and format of event. The events will be
normalized before the correlation takes place.
In AlienVault, logical correlation is implemented using Correlation Directives (also called correlation rules). A correlation
directive defines a sequence of conditions that the incoming events have to meet. Whenever a condition is met, the system
generates a new event, which can in turn meet conditions in a different correlation directive.
Server
Correlation in AlienVault takes place in the AlienVault Server. The AlienVault Collectors collect events from the different
devices or applications (Detectors). Once the events have been normalized they are sent to the AlienVault Server.
Correlation happens whenever the SIEM functionality is enabled and correlation has not been disabled by the policies
that handle the incoming events.
Correlation Directives
Correlation directives are written in XML. By default, AlienVault includes over 200 correlation directives. The
Professional Feed provides greater coverage of attacks and network problems with more than 600 directives.
When a new plugin has been developed to integrate a device or tool, the user has to create the correlation rules for its
events. Correlation directives are stored in .xml files in the following directory:
/etc/AlienVault/server/
Correlation directives are stored in different files according to the category they belong to. The category is assigned
depending on the type of behavior that the directive detects.
Correlation directives created by the users must always be stored in the following file:
/etc/AlienVault/server/user.xml
This prevents losing directives after an upgrade, since this is the only file that is not updated automatically.
Whenever new tools and devices are integrated in AlienVault, new directives are not created automatically. The user has
to create their own directives to detect complex behaviors and patterns in the new events. If you share your new
plugins with the community you will have more chances of getting more correlation directives, as the AlienVault team and
the community will create some that will be useful in your environment.
Source of information
The correlation directives define patterns for incoming events. Two different types of events feed the correlation
engine:
Detector
They offer events (Snort, Firewalls, Antivirus, Web servers, OS events...). Detector plugins are constantly sending information
to the Correlation Engine. Once the event has been generated by the detector, the AlienVault Collector collects and
normalizes the event before sending it to the Correlation Engine.
Monitor
They offer indicators (Ntop, Tcptrack, Nmap, Webs, Compromise & Attack). Monitor plugins offer information to the
correlation engine on request by the AlienVault Server during the correlation process.
Correlation rules
Each correlation directive consists of at least one correlation rule. Each correlation level contains as many rules as necessary,
except the first correlation level, which always has a single correlation rule.
The correlation rules define the set of conditions to be met by the events entering the correlation directive.
Usage
New Correlation Directive
New correlation rule
Correlation Directives are created using a wizard that simplifies the process of writing a directive. To create a new correlation
directive click on Add Directive.
Set the name of the directive. This is the name that all the events generated within this directive will take. You can use the
following variables, which will be replaced by their values when the alarms are displayed in the Web console (Incidents ->
Alarms): SRC_IP, DST_IP, SRC_PORT and DST_PORT.
After setting the name click on Next.
Choose the category for this directive. The default category is User.
Choose the Priority of the directive. Priority is a numerical value from 0 up to 5. All events generated within the same
directive will have the same priority, but they may have a different reliability, as it depends on the correlation level in which
the event has been generated.
If you set the priority to 0, events generated within the directive will never become an alarm. If you set a high priority value,
the directive may generate alarms after grouping just a few events.
Now it is time to set the conditions for the first rule in the correlation directive.
All events will try to match the first level of every enabled correlation directive once they arrive at the AlienVault Server. This
behavior can be modified by defining a policy in Intelligence -> Policy & Actions.
The first rule of a directive has special conditions:
It will always be a detector rule. Monitor rules cannot be used in the first level of directives.
It will wait for a single occurrence of an event.
It will have no timeout. The condition of the first level lasts as long as the server is running and the directive is
enabled.
An event will only be generated for the first directive rule when the directive has a single correlation level.
In the directive we are creating, the correlation will start with any event coming from the SSH Server that refers to a failed
authentication attempt. We should always try to cover all possible variants of an attack; in an SSH brute force attack we
will find the following events:
Failed Password
User blocked
Root login not allowed
Illegal user
User does not exist
and many more
So when writing a correlation rule we should always think about all possible events that may be interesting for our new
correlation rule. You can take a look at all the events that can be generated by each plugin in the following section: Configuration
-> Collection
Each rule will always wait for events with the same Plugin ID. In this case we will be waiting for events with the Plugin ID
4003 and the plugin SIDs that correspond to the types of events we get when we are suffering a brute force attack
against one of our SSH Servers.
Select the Plugin from the list.
Now select the event types (Plugin SIDs within this Plugin ID) that will match the first correlation rule. Event types on the left
side are events that have already been added to the correlation rule. Events on the right side can be added to the correlation
rule using drag and drop, by moving them to the left side. Event types can also be added to the correlation rule by clicking
on +. To remove an event from the correlation rule click on - next to the event type that you wish to delete, or click on
Remove all to delete all event types from the correlation rule. In the top of the right column you can also search for a text string
and then click on Add all to include all events matching the search criteria in the correlation rule.
If you have no events on the left side, all events arriving at the correlation engine with the Plugin ID selected in the previous
step will match the correlation rule. Once you have chosen the event types for this correlation rule, click on Next.
In this step you have to define the sources and destinations that can fulfill the conditions of the correlation rule. By default,
any source and destination (internal or external) will meet the condition.
To define your own condition, use the trees displayed on the screen. The tree on the left is used for the source and
the tree on the right is used for the destination. You can select multiple hosts or Networks. To select a host or a Network,
simply click on the name of the host or network displayed in the tree.
To remove a host or network from your selection, click on the host or network that you wish to delete and then click on [X].
In this screen you can also define the source and destination ports of the events that will match the correlation rule. By
default, any port will match the conditions defined by the correlation rule.
Insert as many port numbers for the source port and destination ports as you need. Ports must be in numerical format and
separated by commas (no spaces). You can also use ANY as a keyword and then negate some ports using [!]. E.g.: ANY,!80
means any port except port 80.
Once you have configured the conditions for both the origin and the destination, click on Next.
Some events (NIDS, Firewall...) have a field indicating the network protocol that was being used at the time the event
was generated. This condition can be used in the correlation rule, so that the directive only works when the event has a
particular protocol.
Click Next after setting the protocol condition. By default, any protocol will match the correlation rule conditions. A
correlation rule can be configured to work only with the events collected by certain AlienVault sensors. By default, a
correlation rule will work with events collected by every single AlienVault Sensor.
Sensors listed on the left side are Sensors that will enable the correlation rule (for events matching the rest of the conditions).
Sensors on the right side can be added to the correlation rule using drag and drop, by moving them to the left side. Sensors
can also be added to the correlation rule by clicking on +. To remove a sensor from the correlation rule click on - next to the
sensor that you wish to delete, or click on Remove all to delete all sensors from the correlation rule. In the top of the right
column you can also search for a text string and then click on Add all to include all sensors matching the search criteria in the
correlation rule.
Whenever the condition established by the correlation rule is matched, a new event will be generated with a new reliability
value. This event will be re-injected into the Correlation Server as if it came from another AlienVault Sensor. This event will have
the priority value previously assigned as the global priority of the correlation directive, the reliability value defined in the
correlation rule, and the asset value of the hosts matching the conditions of the correlation rule (in case they have different
asset values the highest one will be used).
The risk of the event is calculated using the following formula:
RISK = (Asset Value * Priority * Reliability) / 25
Asset value and priority range from 0 to 5 and reliability from 0 to 10, so the risk ranges from 0 to 10; the event becomes
an alarm when its risk reaches 1.
Events that arrive at the correlation server can carry values in special fields (username, filename, password,
userdata1, userdata2...). In this step you can define the values these fields must have in order for the rule to correlate
successfully.
You can assign more than one value to each of the fields, separated by commas.
The number of occurrences determines how many events (meeting the conditions of the rule) must reach the correlation
engine in order for the rule to correlate successfully. Choose one of the predefined values or enter a custom number of occurrences.
The timeout value determines how long the correlation server should wait (in seconds) before the correlation of the rule
expires.
Select one of the default timeout values or enter a custom value. The timeout is a numerical value (in seconds).
In some cases it may be interesting to force a field to have a different value in each occurrence (worms, port scans...). To
make all the occurrences have a different value in one of the fields, select the field from the list.
E.g.: sticky_different = "dst_port" (all the events matching the rule must have a different destination port; port scanning
detection)
When editing rules (rules other than the first correlation level) we can force some fields to have the same value that came in
the events that matched the previous correlation levels. This can be done in the following fields of the correlation rule:
plugin_id
plugin_sid
Source
Destination
Source Port
Destination Port
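The SSH brute-force directive built through the wizard above, written out as an added example that is my own code and not the manual's or the AlienVault server's: the directive in the XML form that would go into user.xml, plus a small model of the correlation engine that runs it over constructed events. It exercises the pieces the preceding steps describe: the single-occurrence, no-timeout first level; occurrences and timeout on the second level; fields forced to match the previous level (from="1:SRC_IP"); sticky_different; the reliability stepping per level; the (asset * priority * reliability) / 25 risk normalisation (asset and priority 0-5, reliability 0-10, alarm at risk >= 1). The attribute names follow the OSSIM directive syntax as I know it; the engine is a simplification (one rule per level, the first open backlog that matches consumes the event, level-1 matches emit an event only for one-level directives, as the manual states). The directive id, asset values, the default asset for unknown hosts, timings and events are assumptions.

```python
# Added example (not from the AlienVault manual or code): a two-level SSH brute-force
# directive in XML plus a simplified model of the correlation engine that evaluates it.
import xml.etree.ElementTree as ET

ASSETS = {"192.0.2.10": 3}   # constructed asset values (0..5)
ASSET_DEFAULT = 2            # assumed value for hosts outside the inventory
ALARM_THRESHOLD = 1          # an event becomes an alarm at risk >= 1

# Attribute names follow the OSSIM directive syntax as I know it: "1:SRC_IP" means "the
# SRC_IP captured by the level-1 match"; reliability "+3" adds to the previous level's value.
DIRECTIVE_XML = """<directive id="500001" name="SSH brute force attempt against DST_IP" priority="3">
  <rule type="detector" name="SSH failed login" reliability="2" occurrence="1"
        from="ANY" to="ANY" port_from="ANY" port_to="ANY" plugin_id="4003" plugin_sid="1,2,3,4,5,6">
    <rules>
      <rule type="detector" name="SSH failed login (5 times)" reliability="+3" occurrence="5"
            time_out="60" from="1:SRC_IP" to="1:DST_IP" port_from="ANY" port_to="ANY"
            plugin_id="4003" plugin_sid="1,2,3,4,5,6"/>
    </rules>
  </rule>
</directive>"""

def risk(asset, priority, reliability):
    """0..10 scale: asset 0..5, priority 0..5, reliability 0..10."""
    return asset * priority * reliability / 25

def parse_directive(xml_text):
    """Flatten the directive into its chain of levels (one rule per level)."""
    root, levels = ET.fromstring(xml_text), []
    rule = root.find("rule")
    while rule is not None:
        levels.append(rule.attrib)
        nxt = rule.find("rules")
        rule = nxt.find("rule") if nxt is not None else None
    return {"name": root.get("name"), "priority": int(root.get("priority")), "levels": levels}

def _cond(spec, value, backlog):
    if spec == "ANY":
        return True
    if ":" in spec:                          # back-reference to a previous level's event
        lvl, fld = spec.split(":")
        return backlog["captured"][int(lvl)][fld] == value
    return str(value) in spec.split(",")    # explicit comma-separated list

def matches(level, event, backlog=None):
    return (int(level["plugin_id"]) == event["plugin_id"]
            and _cond(level["plugin_sid"], event["plugin_sid"], backlog)
            and _cond(level["from"], event["SRC_IP"], backlog)
            and _cond(level["to"], event["DST_IP"], backlog))

class Engine:
    def __init__(self, directive):
        self.d, self.backlogs, self.out = directive, [], []

    def _emit(self, b, level_idx, ts):
        """Directive event: directive priority, current reliability, highest asset involved."""
        cap = b["captured"][1]
        asset = max(ASSETS.get(cap["SRC_IP"], ASSET_DEFAULT), ASSETS.get(cap["DST_IP"], ASSET_DEFAULT))
        r = risk(asset, self.d["priority"], b["reliability"])
        name = self.d["name"].replace("SRC_IP", cap["SRC_IP"]).replace("DST_IP", cap["DST_IP"])
        self.out.append({"ts": ts, "name": name, "level": level_idx + 1,
                         "reliability": b["reliability"], "risk": r, "alarm": r >= ALARM_THRESHOLD})

    def _alive(self, b, ts):
        to = self.d["levels"][b["level"]].get("time_out")
        return to is None or ts - b["since"] <= int(to)

    def feed(self, event):
        ts = event["ts"]
        self.backlogs = [b for b in self.backlogs if self._alive(b, ts)]   # expire timed-out levels
        for b in self.backlogs:                 # an open backlog waiting at level index b["level"]
            lvl = self.d["levels"][b["level"]]
            if not matches(lvl, event, b):
                continue
            sticky = lvl.get("sticky_different")
            if sticky:                          # each occurrence must bring a new value
                if event[sticky.upper()] in b["seen"]:
                    return
                b["seen"].add(event[sticky.upper()])
            b["count"] += 1
            if b["count"] >= int(lvl["occurrence"]):
                rel = lvl["reliability"]
                b["reliability"] = min(10, b["reliability"] + int(rel) if rel.startswith("+") else int(rel))
                b["captured"][b["level"] + 1] = dict(event)
                self._emit(b, b["level"], ts)
                b.update(level=b["level"] + 1, count=0, since=ts, seen=set())
                if b["level"] == len(self.d["levels"]):
                    self.backlogs.remove(b)     # last level reached: the backlog closes
            return
        first = self.d["levels"][0]             # level 1: one occurrence, no time_out
        if matches(first, event):
            b = {"level": 1, "count": 0, "since": ts, "seen": set(),
                 "reliability": int(first["reliability"]), "captured": {1: dict(event)}}
            if len(self.d["levels"]) == 1:      # a one-level directive emits straight away
                self._emit(b, 0, ts)
            else:
                self.backlogs.append(b)

def run(xml_text, events):
    eng = Engine(parse_directive(xml_text))
    for ev in sorted(events, key=lambda e: e["ts"]):
        eng.feed(ev)
    return eng.out

def ssh_fail(ts, src, sid=1, dst="192.0.2.10", dport=22):   # constructed normalised event
    return {"ts": ts, "plugin_id": 4003, "plugin_sid": sid, "SRC_IP": src, "DST_IP": dst, "DST_PORT": dport}

if __name__ == "__main__":
    burst = [ssh_fail(t, "203.0.113.7", sid=1 + t % 3) for t in range(0, 30, 5)]
    print(run(DIRECTIVE_XML, burst))   # one level-2 event: reliability 5, risk 1.8, alarm
```

With priority 3 and the destination's asset value of 3, five failures inside the 60 s window raise the reliability from 2 to 5 and the risk to 3 * 3 * 5 / 25 = 1.8, so the level-2 event becomes an alarm; the same six failures spread over more than a minute let the second level time out and the backlog is dropped without an alarm, and a different source interleaved in the burst opens its own backlog instead of counting towards the first one.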
^ Place cursor at the peak, found within +/- 1 hour time-span of current cursor position.
The graphs are immediately updated, when selecting a different time slot. However, there are limits for moving the cursor.
The cursor can not be moved outside the visible part of the graph on the left or right hand side. You may also not move the
cursor outside a time slot where data has expired and no data is available for processing. This limit is marked by the dark
grey area on the left hand side of the graph.
Selecting a time window
Sometimes it is desirable to select and process more than a single 5 min time slot. From the menu below the main graph
select 'Time Window'
This splits the cursor handle into two halves, which can be dragged individually as needed. Drag the left and/or right border
of the selected window as needed.
The statistics summary is automatically updated when either handle is released after moving it. To switch back to a single time
slot, select 'Single Timeslot' from the menu.
Statistic Summary
The statistic summary below the main graph gives you an overview of flows, packets and traffic of the selected time
slot or time window. Each line corresponds to one configured netflow source in profile 'live' or to a configured channel in any
other profile. For easy visual matching, a small color field with the same color as in the graph prepends each row. If you
are interested in only some of the channels, you may remove the others by clicking the checkboxes. This disables or enables
the channel in all graphs and in the statistics respectively. The statistic summary can be switched between the total sum of
the selected time window and the rate values per second. The scaling factors for K, M and G are 1000.
Individual columns can be collapsed or expanded as needed by clicking on the blue triangles. The entire statistics can be
shown or hidden by clicking on the yellow triangle. When collapsing a column, a single column remains with the type which
is shown in the main graph.
Enabling or disabling channels re-scales the graphs according to the remaining sources; you get a more detailed graph and a
different resolution on the y-axis.
Graph Display Options
To view the details you are interested in, a graph may be displayed with different options:
Scale:
Linear y-axis
Logarithmic y-axis.
Graph Type:
If you leave the 'Start' and 'End' inputs empty, a continuous profile is created and starts from the time the profile is
created.
If you enter a 'Start' time but no 'End' time, a continuous profile is created. Data from the past up to the time the profile is
created is profiled and updated immediately when the profile is created.
If you enter a 'Start' and 'End' time, a history profile is automatically created.
Expire / Max Size: A continuous profile may expire due to the age of the data or the profile size used on disk. Expiring starts
whenever one of the two limits is reached. Expiring ends at the configured value $low_water (in %) in the config file
nfsen.conf. By setting any of these values to 0, the limit does not apply.
1:1 Profile: For compatibility with NfSen version 1.2.x a profile with 1:1 channels may be created, which means that for
every netflow source in the live profile a corresponding channel in the profile will be automatically created. The selected
sources and the filter in the profile creation dialogue are taken for this 1:1 profile. This is the easiest type of profile.
Individual Channels: For new style profiles select this option. In the 'new profile' dialogue the entries for netflow sources as well
as for the common filter disappear, as these parameters are now individual for each channel and entered in the channel
dialogue.
Creating channels
After the profile has been successfully created, one or more channels can be added by clicking on the '+' icon at the
right hand side of the 'Channel List'.
The parameters color, sign and order are used to display the channel correctly in the graph. The filter as well as the netflow
sources are needed to correctly profile the channel. The procedure of adding a channel to a new profile can be repeated as
often as required to complete the profile. When all channels are added, the new profile must be committed to activate it.
This is done by clicking on the checkmark on the right hand side of the 'Status' line.
Once the profile is committed, the build process starts if required. Depending on how far back in the past the profile starts,
this can take a considerable amount of time. You can follow the build process by looking at the progress bar, which shows
the percentage of completion. This progress bar is updated automatically every 5 seconds. Note: there are no graphs
available in the profile as long as the profile is not completely built.
Please note: for the 'live' profile, channels have to be configured in nfsen.conf.
Managing Profiles
Profiles can be modified by selecting the 'Stat' tab of the profile and clicking on any of the available edit icons of the desired
parameter. By clicking on the edit icon of a channel, you may modify that channel. All changes will affect the profile
immediately. You may also add or delete channels in a continuous profile. However, please note that adding a new channel
to an already existing profile will not rebuild any data for this channel for data in the past. Deleting a channel or the entire
profile may be done by clicking on the trash icon.
Converting Profiles
A profile may be converted into another type as desired. However, not all conversions are possible. The figure below shows
and explains the possible conversions.
By switching a profile type between continuous and history you may temporarily stop collecting data for a profile or continue
to collect data for a stopped profile. Note that you will lose all netflow data when a profile is converted to a shadow
profile. When switching back, the data recording resumes at the time of switching.
Profiles
Monitors -> Networks -> Profiles
Description
This tab displays the Ntop web administration console. Ntop is installed by default on each of the sensors that make up the
AlienVault deployment. This tab is reliable and useful. It is imperative that the network interface on which Ntop is listening
receives all network traffic. This requires using a hub, a network tap, or configuring port mirroring (port spanning) on the
network equipment.
Ntop provides graphs and statistics from the analysis of the network traffic being monitored. Ntop also contains a wealth of
information about how the network is being used, creating a profile that allows you to observe the
behavior of each user within the network.
Usage
By default, the system will show the instance of Ntop that is running on the machine that serves the AlienVault Web
interface. To see the Ntop instance running on a different sensor, select the sensor in the combo in the upper left. In this
combo you can also filter by interface, in case Ntop is listening on more than one interface in the sensor. If you do not see your
sensor in the combo, or you cannot select your listening interface, go to Assets -> SIEM Components ->
Sensors in order to update the configuration of your sensors or to insert a new AlienVault sensor.
Sessions are viewed through Monitors -> Traffic. Sessions are TCP and UDP communications between hosts on
a monitored network. They are persistent communications between two hosts (if it is a TCP session). AlienVault monitors
sessions when correlating network data. Ntop collects and presents this session information. There is a Sensor selector and a
table listing network sessions in the interface.
The Sensor selector allows the user to choose which sensor's session table to view. The selector is the combo-box below the
AlienVault menu and above the TCP/UDP Sessions table. The selector lists sensors and networks. Networks are defined
under Assets -> Networks.
The Active TCP/UDP Sessions table lists all of the sessions for the selected Sensor. There are ten columns in this table:
Client is the hostname or IP address of the host talking to a server. A host is any computer, router, printer, or other
device attached to a network. There are four fields within this column. The first field is the hostname. Ntop will display
a hostname if it can resolve the name via DNS or NetBIOS; otherwise it displays an IP address. The second field is
optional, in brackets, and tells you how the hostname was resolved. The third field is an optional icon or series of
icons. Flag icons denote a risk with that particular host, where green is low, yellow is medium, and red is high risk.
Finally, the last field is the port number on the host where the network traffic is originating. Ntop uses the /etc/services file
on the Ntop server to resolve port numbers to service names.
Server is the hostname or IP address of the host accepting connections from clients. A server typically accepts
connections from multiple clients because it offers services to those clients. There are four fields within this column.
These fields are the same as the client fields described above (see Client).
Data Sent is the amount of data sent from the client in the current connection. This is given in bytes, kilobytes (KB),
megabytes (MB), etc.
Data Rcvd (Data Received) is the amount of data received from the server in the current connection. This is given in
bytes, kilobytes (KB), megabytes (MB), etc.
Active Since is the time and date when this connection started. This is the time on the Ntop server.
Last Seen is the time the connection was last monitored on the network. This is the time on the Ntop server.
Duration is the time duration of the monitored session. This is in the format hh:mm:ss.
Service Detail lists the details of monitored network services. This includes services like http and ftp.
Host Detail lists the details of monitored hosts. This provides details of various statistics collected by the Nagios agents.
Status Overview, Status Grid, Status Map, Service Problems, Host Problems, Process Info,
and Performance Info all provide different views into comprehensive information for the sensor. These features allow
users to see problems with their network assets in one place.
Scheduling Queue is where the various Nagios jobs are scheduled. Nagios runs processes at various times and this is where
that is configured. This includes when services are checked, among other things.
Reporting
Trends reports, with graphs, the various states of assets over a period of time.
Event Histogram reports with a graph the availability of an asset over time.
Event Summary has generic reports about host and service alert data. This includes alert totals, top alert producers, and
a number of other metrics.
Notifications displays messages that have been sent to the various contacts in the Nagios database. These messages are used
to forward information about a specific asset to specific persons.
Performance Info is a collection of MRTG graphs illustrating various statistical data for monitored assets.
System
System
Monitors -> System -> System
This tab shows all the Sensors connected to the AlienVault Server. In case not all your Sensors are displayed, go to
Assets! SIEM Components ! Sensors and insert the information of the missed Sensor. Sensors are used to collect
information from the different applications and devices in the network. In some cases the applications will be running in the
same box that the AlienVault Sensor resides, and in some other cases, the sensors will collect information from the devices
using SNMP, Syslog, FTP, Samba or any other collecting method.
There are ve columns to the sensor status table.
Plugin is the name of the plugin installed and configured on the sensor. A plugin is the mechanism through which
AlienVault receives data. The plugin is responsible for parsing incoming data on the sensor and normalizing it into a format
that AlienVault understands.
Process Status indicates whether or not the plugin is operational. A green UP indicates that the plugin is running and
sending information to AlienVault. A red DOWN indicates that the plugin is not running. A black Unknown indicates that
the sensor cannot determine the status (this is not necessarily a bad thing, as the application may not be running on the
same box as the Sensor).
Action (at the right of Status) is a hyperlink that may be used to change the state of the plugin. Start hyperlinks attempt
to start the corresponding plugin. Stop hyperlinks attempt to stop the corresponding plugin. These commands are
executed only on the corresponding sensor.
Enabled indicates whether or not the plugin is active and reporting. The plugin may be disabled in the agent configuration
file. The sensor's built-in watchdog does not monitor disabled plugins. The plugin may also be disabled from the following
action column.
Action (at the right of Enabled) is a hyperlink that may be used to change the status of the plugin. Disable turns off a
plugin and stops it from auto-starting when the sensor reboots. Enable turns on a plugin and starts it when the Sensor
reboots.
Clicking on the icon shown in each line (one line per Sensor) opens Munin. Munin is a tool that helps analyze resource trends
and monitor performance, providing a large number of graphs of system performance. Munin is installed by default on each
Sensor of the AlienVault deployment.
User Activity
Monitors -> System -> User Activity
Description
The User Activity section displays a record of user activity within the AlienVault console. This allows keeping track of user
accesses to the AlienVault Web interface, as well as of configuration changes. The admin user has permission to delete
records on this screen, so be sure to have only one admin user in your organization to avoid continuity problems.
It is possible to configure which actions are logged in this section in Configuration -> Users -> User Activity.
Usage
The upper form can be used to lter by user or by action.
The admin user will also have permission to delete certain records or all records shown on this screen.
Conguration
Main
Conguration -> Main
Description
The Configuration section allows you to set appearance and general system settings. Notice that many of the settings are
also modified by the AlienVault-reconfig script and should not be modified unless you know what you are doing. If you are
facing any problem using AlienVault please refer to professional support or ask for help in the forums before modifying
advanced configuration parameters. As AlienVault integrates many software packages, a single change in configuration could
affect many AlienVault components.
Configuration options have been categorized into Simple and Advanced Configuration.
Usage
To change the value of one of the configuration parameters, click on the category, insert the new configuration value and
click on Update configuration.
Simple Configuration
Language
  Language: Web interface default language
Metrics
  Recovery Ratio: Recovery value for Compromise and Attack (subtracted every 15 seconds)
  Global Threshold: Global threshold value (Compromise and Attack)
Backup
  Forensics Active Event Window: Number of days stored in the SIEM database
Vulnerability Scanner
  Vulnerability Ticket Threshold: Minimum risk a vulnerability must have to automatically open a ticket in the system
User Activity
  Enable User Log: Log user actions within the AlienVault Web interface
  Log to Syslog: Log user actions to Syslog
Login Methods / Options
  Show welcome message at next login: Show welcome message
  Require a valid AlienVault user for login: If disabled, users authenticated via LDAP may log in without a matching AlienVault user
  Enable LDAP for login: Enable LDAP authentication
  Ldap server address: IP address of the LDAP server
  LDAP CN / LDAP O / LDAP OU: LDAP configuration parameters
  Password Expire: Require a password change after N days
Updates
  Enable auto update-checking: Check for updates automatically (requires internet connection)
Tickets
  Open Tickets for new alarms automatically?: Open tickets automatically whenever an alarm happens
Advanced Configuration
Language
  Language: Web interface default language
  Locale file directory: Directory containing localization files
AlienVault Server
  Server Address: AlienVault Server listening address
  Server Port: AlienVault Server listening port
  SIEM: Enable/Disable SIEM functionality
  Qualification: Enable/Disable risk assessment features
  Correlation: Enable/Disable correlation
  Cross-correlation: Enable/Disable cross-correlation
  SQL Storage: Enable/Disable SQL storage
  Logger: Enable/Disable Logger functionality (available in Professional SIEM)
  Sign: AlienVault Server event signing mode (available in Professional SIEM)
  Forward Alarms: Enable/Disable alarm forwarding (available in Professional SIEM)
  Forward Events: Enable/Disable event forwarding (available in Professional SIEM)
  Alarms to Syslog: Log alarms using Syslog (available in Professional SIEM)
  Remote Logger: Enable remote Logger console
  Remote Logger user: Remote Logger username (AlienVault Web interface)
  Remote Logger password: Remote Logger password (AlienVault Web interface)
  Remote Logger AlienVault url: Remote Logger URL
Metrics
  Recovery Ratio: Recovery value for Compromise and Attack (subtracted every 15 seconds)
  Global Threshold: Global threshold value (Compromise and Attack)
Backup
  Forensics Active Event Window: Number of days stored in the SIEM database
Vulnerability Scanner
  Vulnerability Ticket Threshold: Minimum risk a vulnerability must have to automatically open a ticket in the system
User Activity
  Enable User Log: Log user actions within the AlienVault Web interface
  Log to Syslog: Log user actions to Syslog
Login Methods / Options
  Show welcome message at next login: Show welcome message
  Require a valid AlienVault user for login: If disabled, users authenticated via LDAP may log in without a matching AlienVault user
  Enable LDAP for login: Enable LDAP authentication
  Ldap server address: IP address of the LDAP server
  LDAP CN / LDAP O / LDAP OU: LDAP configuration parameters
  Password Expire: Require a password change after N days
Updates
  Enable auto update-checking: Check for updates automatically (requires internet connection)
Tickets
  Open Tickets for new alarms automatically?: Open tickets automatically whenever an alarm happens
Users
Conguration
Conguration -> Users -> Conguration
Description
To access the information collected and generated by AlienVault, you must have a user in the AlienVault Web Interface. The
installation creates a default user that allows access to the Web interface for the first time, in order to create other users
and set their permissions.
The default username is admin, with admin as the password. After the first successful login with the admin user, you will be
prompted to change the password for this user.
This user always keeps its special permissions; for this reason it should not be shared, and should only be used by the person
in charge of the maintenance and management of the AlienVault deployment.
Setting user permissions allows you to limit the information that will be displayed to that user (the assets that the user can
monitor) as well as to enable or disable certain features of the AlienVault Web interface.
The main difference when managing users between the AlienVault Open Source version and the AlienVault Professional
version is that in the Open Source version permissions are assigned directly to users, while the Professional version permits
assigning permissions to templates that can be reused for more than one user.
The AlienVault Professional version also allows the creation of entities, a new virtual layer that groups assets
(Networks, Sensors, Network Groups, Hosts, Host Groups ...).
Users
To successfully configure the users within the AlienVault web interface it is important to have a good inventory of the
networks that are being monitored.
The assignment of permissions to a user is performed based on the networks that the user can monitor. It is also possible
to assign permissions based on sensors, so that a user has access to all information that has been collected by
individual AlienVault Sensors.
For this reason it is important to relate every asset in the inventory (Hosts, Host Groups, Networks and Network Groups) with
the sensor or sensors that collect the events generated by, or involving, that asset.
Entities
PRO ONLY
In order to simplify the management of complex AlienVault deployments (SOC, MSSP, large corporations...) with multiple
organizations or departments being monitored and multiple users, the Professional version allows the creation of entities,
which greatly simplify the management of user permissions in these environments.
An entity is a virtual grouping of objects within the AlienVault inventory (Hosts, Host Groups, Networks and Network
Groups...).
Entities can be used to model departments, organizations, companies, or whatever kind of grouping is needed to simplify
asset management.
AlienVault stores all the entities in a tree containing every entity that can be monitored using the AlienVault deployment.
This way entities can be configured to inherit permissions or assets from parent entities.
Usage
Entities
To create or modify entities click on Entities in the upper right. This will display a screen with two tables. The table on the left
shows the entity types that have already been created within this AlienVault deployment, and the right side shows a tree with
all entities that have been configured in AlienVault.
Entities are shown as a tree with branches. This allows easy viewing of the dependencies between entities.
New entity type
To insert a new type of entity use the form at the bottom left. You will have to select whether you want the entity type to
inherit permissions from an upper entity in case an entity of this type is below another entity.
Click on the insert icon to add the new entity type.
Modify entity type
To modify an entity type click on the edit icon next to the entity type that you wish to modify.
Delete entity type
To delete an entity type click on the delete icon next to the entity type that you wish to delete.
New entity
To insert a new entity click on the button New Entity below the tree.
You will have to enter the following properties for the new entity:
Address: Physical address in which the assets belonging to this entity can be found
Parent: Parent entity in case this entity belongs to a bigger entity Eg: A department within a company.
The permissions for this entity have to be assigned using one of the user templates:
Menu: Menu options within the AlienVault Web Interface that users within this entity have access to
Modify entity
To modify an entity click on the name of the entity displayed in the tree.
Delete entity
To delete an entity click on the name of the entity displayed in the tree, then click on the button Delete below the form.
Templates
To create or modify user templates click on Templates in the upper right.
New template
To create a new template click on the button New Template in the bottom left.
Enter the name of the template and select the entity in which you would like to include this template, or select Entity free
template from the drop-down menu to assign this template to an entity later.
Then select the Networks that the users using this template will be able to monitor, as well as which sensors will collect
events that users will see in the AlienVault Web interface.
The menu options shown in the AlienVault Web Interface can be limited in each user template. Mark the checkboxes
corresponding to the sections you want to give access to the users taking their permissions from this user template.
Modify template
To modify a template select the template from the tree on the left side by clicking on the name of the template.
Delete template
To delete a template select the template from the tree on the left side by clicking on the name of the template. Then click on
the Delete button.
Users
New user
To add a new user click on Add New User below the list of users.
Fill in the values for the following properties
User email: E-mail address of the user, used to send notifications, reports... to the user
User language: Language of the AlienVault Web Interface (English, Spanish, French, German, Japanese, Russian,
Brazilian Portuguese, Simplified Chinese or Traditional Chinese)
Ask to change password at next login: Force a password change after the next successful login of the user
Global admin: Whether the user is a superuser within the AlienVault Web interface or not (permissions to see all assets
and all menu options). Admin users are marked with the admin icon whenever the list of users is displayed.
Entity: Choose the entity or entities this user belongs to. Select the entity from the drop-down menu and click on Add
Entity. Select the entity on the right side and then click on Remove Entity to remove the user from that entity.
Then assign the permissions for the new user using the user templates created previously.
Modify user
To modify a user click on the edit icon next to the user that you want to modify.
Delete user
To delete a user click on the delete icon next to the user that you want to delete.
Enable / Disable users
To enable a disabled user click on the enable icon in the user list. Click on the disable icon to disable a user.
User Activity
Conguration -> Users -> User Activity
Description
This tab lets you configure which user activities within the AlienVault Web interface are logged. This log can be viewed in the
User Activity tab (Monitors -> System -> User Activity).
Usage
Mark the checkboxes next to the activities that you wish to log and click on Update Configuration.
Collection
Plugins
Conguration -> Collection -> Plugins
Plugins are used by AlienVault to provide the collection capabilities of the AlienVault Sensors, telling the system how to
collect and interpret the events generated by each application and device. Plugins help with collecting and normalizing
events. In order to calculate a risk for every event arriving at the AlienVault Server, the system needs to know every possible
type of event that can be collected. This screen shows all the event types that the AlienVault Server is ready to
process. The AlienVault Server retrieves the list of event types that may arrive from the AlienVault database.
Usage
The Id (Plugin ID) is the internal number AlienVault uses to identify the type of device or application that generated the
events. The Plugin ID is a unique number that is also used when creating correlation directives or when defining policies to
filter certain events. Each type of event is always identified using the Plugin ID (identifies the tool that generates the event)
together with the Plugin SID (identifies the type of event within the tool described by the Plugin ID). The same Plugin SID
number can be used under different Plugin IDs, so an event type is only unambiguous as the pair (Plugin ID, Plugin SID).
All the events that can be collected for each plugin can be seen by clicking on the ID column.
The Name is the name assigned to the Plugin ID. This may be any string, but should be descriptive.
The Type is the type of plugin. There are two possible values. Detector is a plugin type that sends data to the AlienVault
Server as it is collected. Monitor is a plugin type that the AlienVault Server queries for information.
The Description is additional information used to clarify a plugin's purpose. This is very helpful when a plugin has a
particularly obscure name.
Plugin SID is the internal number AlienVault uses to track the various messages from sensors. For example, there is a unique
Plugin SID for each alert that Snort generates. Some parameters for SIDs may be edited here:
The Plugin is the internal number AlienVault uses to track the various plugins. Each plugin has a unique Plugin ID, and each
of its event types is identified by that number together with its sub-ID (the Plugin SID).
The Name is a string assigned to the SID. This may be any string, but should be close to the message generated by
the sensor.
The Priority is a number used to qualify AlienVault alerts with varying levels. It is a numeric value ranging from 0 to 5. 0
indicates that AlienVault should ignore that SID; 1 is the lowest priority while 5 is the highest.
The Reliability is a measure of rule dependability. It is a value from 0 to 10 where 10 is the most dependable and 0 is the
least. Reliability is read in tenths, i.e. 4 means there is a 40% chance that this rule is accurate at this stage of the
directive.
The Action column contains a Modify button. Clicking the button saves changes to the Priority and Reliability columns in
the AlienVault database. At this time changes have to be made one Plugin SID at a time, meaning that you can change the
Priority or Reliability value for just one Plugin SID with each click.
Plugin Groups
Conguration -> Collection -> Plugin Groups
Description
The Plugin Groups page allows you to create groups containing event types from the same plugin (Data Source), or even
containing events from different plugins.
As an example, you can create a Plugin Group that includes all events that denote a successful authentication in an
application or device. This would allow creating a policy that tells the system that successful authentication events (included
in the plugin group) must be stored only in the SIEM when they occur outside normal working hours.
Plugin groups can be used when defining policies as well as during forensic analysis of information stored in the SIEM or
the Logger.
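The following is an added example and not AlienVault's own code. It models two things described above: the Plugin ID / Plugin SID registry from Configuration -> Collection -> Plugins (an event type is only unique as the pair, priority 0 means "ignore", reliability is read in tenths) and the Plugin Group policy from Configuration -> Collection -> Plugin Groups (route successful authentications depending on working hours). Taken from the manual: Plugin ID 4003 is the SSH server plugin, its SIDs 7 and 8 are successful authentications, and Plugin ID 1001 is Snort Rules. Everything else is assumed for illustration: the event names, the priority and reliability numbers, the hypothetical plugin 9999, the working hours, and the reading of the policy (SIEM only outside working hours, Logger only during them).

```python
"""Added example, not AlienVault's own code: Plugin ID / Plugin SID registry
and a Plugin Group based routing policy. Only plugin 4003 (SSH, SIDs 7/8 =
successful authentication) and plugin 1001 (Snort Rules) come from the manual;
names, numbers, plugin 9999 and the working hours are constructed."""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class PluginSid:
    plugin_id: int
    plugin_sid: int
    name: str
    priority: int      # 0..5; 0 means "ignore this SID"
    reliability: int   # 0..10, read in tenths: 4 -> 40%

    def __post_init__(self):
        if not 0 <= self.priority <= 5:
            raise ValueError(f"priority {self.priority} out of range 0..5")
        if not 0 <= self.reliability <= 10:
            raise ValueError(f"reliability {self.reliability} out of range 0..10")

    @property
    def ignored(self) -> bool:
        return self.priority == 0

    @property
    def reliability_pct(self) -> int:
        return self.reliability * 10


# Keyed by the pair: SID 7 under 4003 and SID 7 under 1001 are unrelated event
# types, which is why policies and directives always name both numbers.
REGISTRY = {
    (4003, 1): PluginSid(4003, 1, "SSH Failed password", 2, 2),
    (4003, 7): PluginSid(4003, 7, "SSH Accepted password", 2, 3),
    (4003, 8): PluginSid(4003, 8, "SSH Accepted publickey", 2, 3),
    (1001, 7): PluginSid(1001, 7, "Snort rule 7 (constructed name)", 0, 5),  # priority 0: ignored
    (9999, 1): PluginSid(9999, 1, "Hypothetical web-app login OK", 2, 4),
}

# A Plugin Group is a static set of (Plugin ID, Plugin SID) pairs that may span
# several plugins; new SIDs are not added to it automatically.
PLUGIN_GROUPS = {
    "successful_authentication": {(4003, 7), (4003, 8), (9999, 1)},
}

WORK_START, WORK_END = time(8, 0), time(18, 0)   # assumed working hours, Mon-Fri


def lookup(plugin_id: int, plugin_sid: int):
    """Return the registered event type, or None if the server does not know it."""
    return REGISTRY.get((plugin_id, plugin_sid))


def outside_working_hours(when: str) -> bool:
    """`when` is an ISO 8601 timestamp, e.g. '2011-03-02T23:00'."""
    ts = datetime.fromisoformat(when)
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END)


def route_event(plugin_id: int, plugin_sid: int, when: str) -> set:
    """Destinations for one event under the plugin group policy.

    Reading of the manual's example used here: successful authentications go
    to the SIEM (and are correlated) only outside working hours; during working
    hours they are kept in the Logger only. SIDs with priority 0 are dropped.
    Unknown (Plugin ID, Plugin SID) pairs are kept in the Logger so nothing is
    lost silently.
    """
    typ = lookup(plugin_id, plugin_sid)
    if typ is None:
        return {"logger"}
    if typ.ignored:
        return set()
    if (plugin_id, plugin_sid) in PLUGIN_GROUPS["successful_authentication"]:
        return {"siem", "logger"} if outside_working_hours(when) else {"logger"}
    return {"siem", "logger"}


if __name__ == "__main__":
    for pid, sid, when in [(4003, 7, "2011-03-02T10:00"), (4003, 7, "2011-03-02T23:00"),
                           (1001, 7, "2011-03-02T10:00"), (5555, 1, "2011-03-02T10:00")]:
        print(pid, sid, when, "->", sorted(route_event(pid, sid, when)))
```

The registry rejects out-of-range Priority and Reliability values at construction time, mirroring the 0..5 and 0..10 limits the Plugins screen enforces; a real policy engine would also check the event's source and destination assets, which this example leaves out.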
Usage
This page shows a table with all the Plugin Groups defined in AlienVault. The default installation includes some example
Plugin Groups. Notice that Plugin Groups are not related to the Taxonomy, and they will not be updated automatically to
include new event types.
Insert New Plugin Group
To insert a new Plugin Group simply click on Insert New Plugin Group at the top or at the bottom of the table listing all
Plugin Groups.
This will show the next screen:
Name and description of the Plugin Group are mandatory fields. Try to use an easy to remember name, as you will be able to
use it as a search criterion in the SIEM and Logger consoles.
Now you must define the types of events that will be part of this Plugin Group. To do this you can select the plugin (Data
Source Type) from which you select the events, or search for all types of events that contain a text string in their names.
To include event types (Plugin SIDs) from a particular Data Source Type (Plugin ID) enter the name of the Plugin. The form will
help you with auto-completion.
If you do not know the name of the Plugin click on the list icon to display a list of all Plugins.
Simply click on the line of the Plugin you want to select event types from. In the following example we will select events from
the Snort Rules plugin (Plugin ID 1001). By default, all events in this plugin will be included in the Plugin Group. You can
select only certain events within this plugin by writing the Plugin SIDs in the Signature IDs field, separated by commas.
To explore the event types within this Plugin click on the explore icon. This will show a floating window with two columns.
Event types on the left side are events that have already been added to the Plugin Group. Events on the right side can be
added to the Plugin Group using drag and drop, by moving them to the left side. At the top of the right column you can also
search for a text string and then click on Add all to include all events matching the search criteria in the Plugin Group.
By clicking on Remove all you will clear the selection so that none of the events within the Plugin will be added to the Plugin
Group.
To save changes click on Submit selection.
To see the list of events that have already been included in the Plugin Group click on the list icon.
The same process can be used to include event types from any other Plugin (Data Source Type) in the Plugin Group.
To include all event types from any Plugin matching a search criterion you can use the SIDs Search. Enter the text you
would like to match in the event names and click on SIDs Search.
Then select the Event Types you would like to include in the Plugin Group by marking the checkboxes in each line or
mark the checkbox next to the Plugin ID column title to include all event types matching the search criteria. Click on
Add Selected to save changes.
Edit a Plugin Group
To edit a plugin group, click the Edit button in the line that represents the Plugin Group that you wish to edit. Use the
process described previously in New Insert Plugin Plugin group to modify the Plugin Group.
Delete a Plugin Group
To delete a plugin group, click the Delete button in the line that represents the Plugin Group that you wish to delete.
Software Upgrade
Software Upgrade
Conguration -> Software Upgrade -> Software Upgrade
The upgrade process will automatically update the database schema. This section shows a history of all database
upgrades that have been applied.
If the updates have not been applied correctly, this section will appear after the user logs in. In this case, you will have to
apply the database updates manually. In case the database cannot be upgraded correctly please report to the AlienVault
Support Team.
Update Notication
Conguration -> Software Upgrade -> Update Notication
Description
AlienVault can be configured to automatically check for the availability of new software updates.
Usage
If new updates are available a message will be shown in the Top Bar. Clicking on that message will take you to this section,
where you will be able to see new features and improvements included in the new software packages. Once you have read
that message click on Acknowledge Updates to remove the notication message from the top bar.
Tools
Backup
Tools -> Backup
Description
Events in the SIEM are purged from the database when they are older than the parameter defined in Configuration ->
Main -> Backup. The parameter is called Forensics Active Event Window, and defines the number of days that will be
stored in the forensic database. By default the events of the last 5 days are kept in the SQL database.
This number can be increased depending on the hardware that is being used and the number of events per day that are
being collected and stored when using the SIEM. This parameter only applies to the SIEM, not to the Logger.
If navigating through the AlienVault Web interface takes too long, try decreasing the number of days' worth of events that are
kept in the database. On the other hand, if your system is collecting only a few events per day, you may want to increase the
number of days that are stored in the database.
Events are not deleted when they are purged from the database; they are stored in a file and can be restored later on
using the form available in Tools -> Backup.
Usage
Dates that can be restored appear in the Backup Manager, below the dates to restore column. Simply click a date and then
click on Insert. AlienVault then performs the restoration and displays the status of the restore below in the Backup Events
section.
To purge a restored day, click the date of the event in the Dates in Database section and click on Purge.
Downloads
Tools -> Downloads
The Downloads section provides links to preconfigured software packages for AlienVault operation. Currently it includes:
Putty: PuTTY is an SSH and telnet client, developed originally by Simon Tatham for the Windows platform. PuTTY is
open source software that is available with source code and is developed and supported by a group of volunteers.
AlienVault Agent installer for Windows: AlienVault Agent installer for Windows hosts; the server IP is already
preconfigured. Run the installer and afterwards go to \AlienVault\ and run 'AlienVault.bat'.
Python for Windows: Python is a remarkably powerful dynamic programming language that is used in a wide
variety of application domains. Python is often compared to Tcl, Perl, Ruby, Scheme or Java.
OCS: Open Computer and Software Inventory Next Generation is an application designed to help a network or
system administrator keep track of the configuration of the computers and the software installed on the network.
OSSEC Agent for Windows: OSSEC is an Open Source Host-based Intrusion Detection System. It performs log
analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response.
Snare for Windows: Snare for Windows is a Windows NT, Windows 2000, Windows XP, Vista and Windows 2003
compatible service that interacts with the underlying Windows Eventlog subsystem to facilitate remote, real-time
transfer of event log information.
Snare Config file (Audit service takeover): Import this .reg file into every host running Snare. It is configured to log
to this host's IP; you may edit it to change that. This file takes over control of the Windows audit service, allowing
for easy policy specification via Snare's web interface. This is the recommended way of running it.
Snare Config file (No audit service takeover): Import this .reg file into every host running Snare. It is configured to
log to this host's IP; you may edit it to change that. This file leaves the host's audit service settings untouched.
FW1Loggrabber: FW1-Loggrabber is a command-line tool to grab log files from Checkpoint FW-1 remotely using
Checkpoint's LEA (Log Export API), which is one part of Checkpoint's OPSEC API.
Osiris Windows: Osiris is a Host Integrity Monitoring System that periodically monitors one or more hosts for
change. It maintains detailed logs of changes to the file system, user and group lists, resident kernel modules, and
more.
Net Discovery
Tools -> Net Discovery
Description
Net Discovery allows scans from the AlienVault system in order to discover assets on the network and to ensure that no
changes have occurred in services, operating systems and MAC addresses that use each of the IP addresses of the
network.
Scanning is done using NMAP in a distributed manner, if the network has an associated sensor in the AlienVault inventory. In
case of failure of the distributed scanning, scanning will be done from the machine running the AlienVault Web Interface.
Usage
Using the form above, it is possible to scan a network asset that has previously been defined in the AlienVault inventory
(Assets -> Networks) or to enter a network manually to be scanned. If you want to add a new network you need to
go to Assets -> Networks and define a new one.
When launching the scan you can set the scanning prole that will be used when scanning the network:
Full Mode will be much slower but will include OS, services, service versions and MAC address that can be inserted into
the inventory
Paranoid
Sneaky
Polite
Normal
Aggressive
Insane
Paranoid and Sneaky modes are for IDS evasion. Polite mode slows down the scan to use less bandwidth and target
machine resources. Aggressive and Insane modes speed up the scan (fast and reliable networks)
Once you are ready, click on Discover. AlienVault scans the network and displays a message once it is complete. The Click
here to show the results link appears; the results appear back in the NET Scan page below the select network table.
You can click the Update Database Values, which displays the Insert new scan page. This page allows you to add global
properties to the freshly scanned host. These properties are:
Asset
Threshold C
Threshold A
RRD Profile
NAT
Sensors
Scan options
Description
Some properties may have corresponding links that allow you to perform additional tasks, especially when working with
sensors. Once you have completed any changes, click OK. You can click Reset to return to initial values. To perform the
scan, the system makes use of Nmap.
My Profile
My Profile
Description
From this page each user can update their personal information and change the password to access the AlienVault Web
Management interface.
Usage
These settings can be changed using a form:
User name: Name of the person associated with the user login
User email: Email address of the user. It will be used to receive information regarding tickets, alarm notifications...
User language: Language for this user in the AlienVault Web Management interface
Company / Department: Optional fields to identify the role of the user within the corporation that is being monitored.
Your Unix server running Samba gets attacked by the Sasser worm.
The attack per se is dangerous, it has compromised thousands of hosts and is very easy to accomplish. But does it
really matter to you? Surely not, but it is a big security hole, so it will have a high priority.
You are running a CVS server on an isolated network that is only accessible by your friends and has only access to the
outside. Some new exploit tested by one of your friends hits it.
Again, the attack is dangerous, it could compromise your machine, but surely your host is patched against that
particular attack and you do not mind being a test platform for one of your friends.
Priority will be a numerical value from 0 up to 5. All events generated within the same directive will have the same priority,
but they may have a different reliability, as it will depend on the correlation level in which the event has been generated.
Correlation level: 1
All events will try to match the first level of every enabled correlation directive once they arrive at the AlienVault Server. This
behavior can be modified by defining a policy in Intelligence -> Policy & Actions.
The rst rule of a directive will have special conditions:
It will always be a detector rule. Monitor rules can not be used in the rst level of directives.
It will have no time out. The condition of the rst level will last as long as the server is running and the directive enabled
The event will only be generated for the rst directive rule whenever the directive has only one correlation level
In the directive we are creating, the correlation will start with any event coming from the SSH Server that refers to a failed
authentication attempt. We should always try to cover all possible variants of an attack; in an SSH brute force attack we
will find the following events:
Failed Password
User blocked
Illegal user
Getting almost immediately an authentication successful event (Same source and same destination as the event that
matched the rst correlation level)
Getting more authentication failed events (Same source and same destination as the event that matched the rst
correlation level)
In case we get an authentication successful event the correlation of this directive will be nished. In case we keep getting
more authentication failed events then we will reach the third correlation level.
We will also set a time out, as we do not want to wait for too long, assuming that a brute force attack will generate a lot of
events in a short period of time and not over the next two years. We have also set the reliability value to 1, as we consider
that a successful login after only one failed login does not look like a brute force attack.
So the first rule of the second correlation level will look as follows:
<rule type="detector" name="SSH Successful Authentication (After 1 failed)"
reliability="1" occurrence="1" from="1:SRC_IP" to="1:DST_IP"
port_from="ANY" time_out="15" port_to="ANY"
plugin_id="4003" plugin_sid="7,8"/>
This means that once we reach the second correlation level the AlienVault Server will wait 15 seconds for an
authentication successful event with the same source and same destination as the event that matched the previous level.
All rules in the same correlation level try to collect events at the same time, so the AlienVault server does not have to wait
15 seconds before starting the second rule of the second correlation level. Rules in the same level may also have different time_out values.
In our case we will wait 40 seconds expecting to collect 10 Authentication Failed events with the same source and same
destination ip addresses as the event that matched the first correlation level. So during the first 15 seconds both rules can be matched by the
incoming events, but after that only the second rule of the second correlation level stays alive waiting for incoming events.
In this case, the events matching this rule would also match the first correlation rule of the directive. That is why we use
sticky="true": it prevents events entering this correlation level from starting a new instance of the same directive, and keeps those
events grouped within the same correlation directive.
<rule type="detector" name="SSH Authentication failure (10 times)"
reliability="2" occurrence="10" from="1:SRC_IP" to="1:DST_IP"
port_from="ANY" time_out="40" port_to="ANY"
plugin_id="4003" plugin_sid="1,2,3,4,5,6,9,10,12,13,14,15,16,20"
sticky="true"/>
We will use the rules tag to open each correlation level (the first one is started with the directive tag):
<rules>
<rule type="detector" name="SSH Successful Authentication (After 1 failed)"
reliability="1" occurrence="1" from="1:SRC_IP" to="1:DST_IP"
port_from="ANY" time_out="15" port_to="ANY"
plugin_id="4003" plugin_sid="7,8"/>
<rule type="detector" name="SSH Authentication failure (10 times)"
reliability="2" occurrence="10" from="1:SRC_IP" to="1:DST_IP"
port_from="ANY" time_out="40" port_to="ANY"
plugin_id="4003" plugin_sid="1,2,3,4,5,6,9,10,12,13,14,15,16,20"
sticky="true"/>
</rules>
Once one of the rules is matched by incoming events, the other rule is discarded and correlation continues if there are
other rules defined after the rule that has been matched.
Our directive now looks as follows:
<directive id="500000" name="SSH Brute Force Attack Against DST_IP" priority="4">
<rule type="detector" name="SSH Authentication failure" reliability="0"
occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
plugin_id="4003" plugin_sid="1,2,3,4,5,6,9,10,12,13,14,15,16,20">
<rules>
<rule type="detector" name="SSH Successful
Authentication (After 1 failed)"
reliability="1" occurrence="1"
from="1:SRC_IP" to="1:DST_IP"
port_from="ANY" time_out="15" port_to="ANY"
plugin_id="4003" plugin_sid="7,8"/>
<rule type="detector"
name="SSH Authentication failure (10 times)"
reliability="2" occurrence="10" from="1:SRC_IP"
to="1:DST_IP"
port_from="ANY" time_out="40" port_to="ANY"
plugin_id="4003"
plugin_sid="1,2,3,4,5,6,9,10,12,13,14,15,16,20"
sticky="true"/>
</rules>
</rule>
</directive>
In this correlation level an alarm may already be generated: the event generated by the second rule will have a priority of
4 and a reliability of 2, so the risk formula becomes:
RISK = (Asset Value * 4 * 2) / 25
An event becomes an alarm when its risk is greater than or equal to 1. So if a host involved has an asset value of 4 or 5,
we would get an alarm after 11 Authentication Failed events (1 in the first correlation level and 10 in the second correlation
level).
It is important not to use very high time_out values at a second level of correlation when the first level of the directive has
simple conditions (plugin_sid=ANY, from=ANY, to=ANY). That would let many events reach the
second level of correlation, greatly increasing the memory consumption of the correlation server.
Correlation level: 3
The third correlation level is reached when a total of 11 SSHD failed authentication events have been received in less than 40
seconds (the first event starts correlation and 10 more get into the second correlation level).
Here again we have two possibilities: the first is to collect a successful authentication event, the second is to keep
waiting to collect more authentication failed events (100).
It is important to note that if we get the successful authentication event, it will have occurred after several failed
attempts, so it is an interesting situation. We will increase the reliability in case this rule is matched, to ease the
generation of an alarm.
The first rule of the third level:
<rule type="detector" name="SSH Successful Authentication (After 1 failed)"
reliability="4" occurrence="1" from="1:SRC_IP" to="1:DST_IP"
port_from="ANY" time_out="15" port_to="ANY"
plugin_id="4003" plugin_sid="7,8"/>
In case this correlation rule is matched it will generate an alarm when the asset value of one of the hosts involved is at least 2.
The second rule of the third level:
<rule type="detector" name="SSH Authentication failure (100 times)"
reliability="4" occurrence="100" from="1:SRC_IP" to="1:DST_IP"
port_from="ANY" time_out="400" port_to="ANY"
plugin_id="4003" plugin_sid="1,2,3,4,5,6,9,10,12,13,14,15,16,20"
sticky="true"/>
Our directive, including the third correlation level will look as follows:
<directive id="500000" name="SSH Brute Force Attack Against DST_IP" priority="4">
<rule type="detector" name="SSH Authentication failure" reliability="0"
occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
plugin_id="4003" plugin_sid="1,2,3,4,5,6,9,10,12,13,14,15,16,20">
<rules>
<rule type="detector" name="SSH Successful Auth (After 1 failed)"
reliability="1" occurrence="1" from="1:SRC_IP" to="1:DST_IP"
port_from="ANY" time_out="15" port_to="ANY"
plugin_id="4003" plugin_sid="7,8"/>
<rule type="detector" name="SSH Auth failure (10 times)"
reliability="2" occurrence="10" from="1:SRC_IP"
to="1:DST_IP"
port_from="ANY" time_out="40" port_to="ANY"
plugin_id="4003"
plugin_sid="1,2,3,4,5,6,9,10,12,13,14,15,16,20"
sticky="true">
<rules>
<rule type="detector"
name="SSH Successful Auth (After 1 failed)"
reliability="4" occurrence="1"
from="1:SRC_IP" to="1:DST_IP"
port_from="ANY" time_out="100" port_to="ANY"
plugin_id="4003" plugin_sid="7,8"/>
<rule type="detector"
name="SSH Auth failure (100 times)"
reliability="4" occurrence="100"
from="1:SRC_IP" to="1:DST_IP"
port_from="ANY" time_out="400" port_to="ANY"
plugin_id="4003"
plugin_sid="1,2,3,4,5,6,9,10,12,13,14,15,16,20"
sticky="true"/>
</rules>
</rule>
</rules>
</rule>
</directive>
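As an added example (not AlienVault's correlation engine), the following Python script parses the level 1 to 3 directive above, replays a constructed stream of SSH events through it using the behaviour described so far (relative from/to references, occurrence, time_out, sibling rules of a level collecting events concurrently) and applies the risk formula to decide whether an alarm would be raised. The timestamps, IP addresses and event stream are constructed for the illustration, and sticky handling (one directive instance only) is not modelled.

```python
"""Added toy replay of the SSH brute-force directive above (not AlienVault's engine): detector
rules only, with from/to relative references, occurrence, time_out and the page's risk formula."""
import xml.etree.ElementTree as ET

DIRECTIVE = """<directive id="500000" name="SSH Brute Force Attack Against DST_IP" priority="4">
<rule type="detector" name="SSH Authentication failure" reliability="0" occurrence="1" from="ANY"
 to="ANY" plugin_id="4003" plugin_sid="1,2,3,4,5,6,9,10,12,13,14,15,16,20">
 <rules>
  <rule type="detector" name="SSH Successful Auth (After 1 failed)" reliability="1" occurrence="1"
   from="1:SRC_IP" to="1:DST_IP" time_out="15" plugin_id="4003" plugin_sid="7,8"/>
  <rule type="detector" name="SSH Auth failure (10 times)" reliability="2" occurrence="10"
   from="1:SRC_IP" to="1:DST_IP" time_out="40" plugin_id="4003"
   plugin_sid="1,2,3,4,5,6,9,10,12,13,14,15,16,20" sticky="true">
   <rules>
    <rule type="detector" name="SSH Successful Auth (After 1 failed)" reliability="4" occurrence="1"
     from="1:SRC_IP" to="1:DST_IP" time_out="100" plugin_id="4003" plugin_sid="7,8"/>
    <rule type="detector" name="SSH Auth failure (100 times)" reliability="4" occurrence="100"
     from="1:SRC_IP" to="1:DST_IP" time_out="400" plugin_id="4003"
     plugin_sid="1,2,3,4,5,6,9,10,12,13,14,15,16,20" sticky="true"/>
   </rules>
  </rule>
 </rules>
</rule>
</directive>"""

def resolve(ref, matched):
    """'ANY' = no constraint; 'N:FIELD' = that field of the event that closed level N back."""
    if ref == "ANY":
        return None
    if ":" in ref:
        depth, field = ref.split(":", 1)
        return matched[-int(depth)][field.lower()]
    return ref

def rule_matches(rule, ev, matched):
    """plugin_id/plugin_sid must match; from/to are resolved against earlier levels."""
    if ev["plugin_id"] != int(rule.get("plugin_id")) or \
            str(ev["plugin_sid"]) not in rule.get("plugin_sid").split(","):
        return False
    for attr, key in (("from", "src_ip"), ("to", "dst_ip")):
        want = resolve(rule.get(attr), matched)
        if want is not None and ev[key] != want:
            return False
    return True

def correlate(directive_xml, events):
    """Replay (timestamp, event) pairs; return the level and reliability reached (0 = no match)."""
    root = ET.fromstring(directive_xml)
    candidates, counts = [root.find("rule")], {}    # level 1: one rule, no time_out
    matched, level, reliability, start = [], 0, 0, 0
    for t, ev in events:
        alive = [r for r in candidates
                 if r.get("time_out") is None or t - start <= int(r.get("time_out"))]
        if not alive:           # every rule of this level expired: correlation ends
            break
        for r in alive:         # sibling rules of a level collect events concurrently
            if not rule_matches(r, ev, matched):
                continue
            counts[r] = counts.get(r, 0) + 1
            if counts[r] < int(r.get("occurrence")):
                continue
            matched.append(ev); level += 1; start = t   # this rule won; siblings are discarded
            rel = r.get("reliability")                    # "+N" adds to the previous value
            reliability = reliability + int(rel) if rel.startswith("+") else int(rel)
            nxt = r.find("rules")
            candidates, counts = (nxt.findall("rule") if nxt is not None else []), {}
            break
    return {"level": level, "reliability": reliability, "priority": int(root.get("priority"))}

def risk(result, asset_value):
    """RISK = (Asset Value * priority * reliability) / 25, as on the page."""
    return asset_value * result["priority"] * result["reliability"] / 25

def alarm(result, asset_value):
    return risk(result, asset_value) >= 1

def sample_events():
    """Constructed stream: 11 failed logins (sid 1) at t=0..10 s, then a success (sid 7) at t=20 s."""
    def ev(sid):
        return {"plugin_id": 4003, "plugin_sid": sid, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.22"}
    return [(t, ev(1)) for t in range(11)] + [(20, ev(7))]
```

With the constructed stream the directive reaches level 3 with reliability 4, so a host with asset value 2 yields a risk of 1.28 and an alarm, while asset value 1 does not.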
Correlation level: 4
On the fourth level of correlation we again keep open both possibilities: receiving more SSH failed authentications or receiving
an Authentication successful event. The time_out value is increased, as are the occurrence and reliability values.
To do that we will use the following two rules:
<rule type="detector" name="SSH Successful Authentication (After 1 failed)"
reliability="6" occurrence="1" from="1:SRC_IP" to="1:DST_IP"
port_from="ANY" time_out="150" port_to="ANY"
plugin_id="4003" plugin_sid="7,8"/>
<rule type="detector" name="SSH Authentication failure (1000 times)"
reliability="7" occurrence="1000" from="1:SRC_IP" to="1:DST_IP"
port_from="ANY" time_out="4000" port_to="ANY"
plugin_id="4003" plugin_sid="1,2,3,4,5,6,9,10,12,13,14,15,16,20"
sticky="true"/>
This level will also include a monitor-type rule, used to check whether there is an established connection
between the two hosts (attacker and attacked).
In this case we will use the ntop-session monitor plugin (session-monitor.cfg). All monitor plugins can be found in the
following folder, and they all include "monitor" in their names:
/etc/AlienVault/agent/plugins/
Ntop can be queried using plugin_id 2005, and it supports many different types of request; each request is
identified with a different plugin_sid.
In this case we will check the session duration between the two hosts. This request is identified with plugin_sid 248 and
is defined in the session-monitor.cfg file as follows:
[ntop-session-duration]
#192.168.1.42:46378 --> 192.168.1.2:22 (15667.200000 12800.000000) duration: 144
query=/{$from}.html
sid=248
regexp=(?P<ip_src>\d+\.\d+\.\d+\.\d+):(?P<port_src>\d+)\s+-->\s+{$to}:(?P<port_dst>\d+)\s+\((?P<data_sent>\S+)\s+(?P<data_rcvd>[^\)]+)\)\s+duration:\s+(?P<duration>\d+)
result={$duration}
As you can see, the monitor plugin uses a variable ({$from}) to fetch the information from one of the Ntop web pages. This
variable has to be sent by the AlienVault Server in its request during correlation, and the monitor plugin uses it to build
the query.
So we will build the monitor rule as follows, to check whether there is a connection established for more than 10 seconds:
<rule type="monitor" name="More than 10 secs persistence"
reliability="+4" from="1:SRC_IP" to="1:DST_IP"
port_from="1:SRC_PORT" port_to="1:DST_PORT" plugin_id="2005"
plugin_sid="248" condition="ge" value="10" interval="20"
time_out="120" absolute="true"/>
We send the source IP, destination IP, source port and destination port of the event that matched the previous
correlation level. The monitor plugin will request this information from Ntop every 20 seconds (interval) for 120 seconds
(time_out). Whenever the condition defined by condition and value is met (in this case, a session established for 10 or
more seconds), the rule is matched and an event is sent to the AlienVault Server to continue correlating the
directive. In our directive, correlation will have finished at that point.
This level will look as follows. As when using only detector rules, the three rules are processed at the same
time, and whenever one of them is matched the AlienVault server discards the other two.
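The following Python is an added example, not AlienVault's agent code: it shows how the [ntop-session-duration] request above is built from the from/to values the server sends, how the plugin regexp extracts the duration from the ntop line quoted in session-monitor.cfg, and how the monitor rule's condition and value are then applied to the result. The addresses stand in for the resolved 1:SRC_IP and 1:DST_IP of the correlated event and are constructed.

```python
"""Added example (not AlienVault's agent code): building and evaluating the
ntop-session-duration monitor request for the rule 'More than 10 secs persistence'."""
import operator
import re

# Regexp and query template as in [ntop-session-duration], with {$from}/{$to} placeholders.
REGEXP = (r"(?P<ip_src>\d+\.\d+\.\d+\.\d+):(?P<port_src>\d+)\s+-->\s+{$to}:(?P<port_dst>\d+)\s+"
          r"\((?P<data_sent>\S+)\s+(?P<data_rcvd>[^\)]+)\)\s+duration:\s+(?P<duration>\d+)")
QUERY = "/{$from}.html"

# The six condition keywords accepted by monitor rules.
CONDITIONS = {"eq": operator.eq, "ne": operator.ne, "lt": operator.lt,
              "gt": operator.gt, "le": operator.le, "ge": operator.ge}

def build_query(rule_args):
    """Substitute the variable the server sends ({$from}) into the query template."""
    return QUERY.replace("{$from}", rule_args["from"])

def parse_session(line, rule_args):
    """Apply the plugin regexp (with {$to} substituted and escaped) to one ntop line."""
    pattern = REGEXP.replace("{$to}", re.escape(rule_args["to"]))
    m = re.search(pattern, line)
    if m is None:
        return None
    return {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}

def evaluate_monitor(rule, line):
    """True when the plugin result (result={$duration}) satisfies condition/value."""
    session = parse_session(line, {"from": rule["from"], "to": rule["to"]})
    if session is None:
        return False
    return CONDITIONS[rule["condition"]](session["duration"], int(rule["value"]))

# The monitor rule from the page, with 1:SRC_IP / 1:DST_IP etc. already resolved to
# constructed addresses of the correlated event.
MONITOR_RULE = {"from": "192.168.1.42", "to": "192.168.1.2", "port_from": "46378",
                "port_to": "22", "plugin_id": 2005, "plugin_sid": 248,
                "condition": "ge", "value": "10", "interval": 20, "time_out": 120}

# Constructed reply line, copied from the comment in session-monitor.cfg.
SAMPLE_LINE = "192.168.1.42:46378 --> 192.168.1.2:22 (15667.200000 12800.000000) duration: 144"
```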
<rule type="detector" name="SSH Successful Authentication (After 1 failed)"
reliability="6" occurrence="1" from="1:SRC_IP" to="1:DST_IP"
port_from="ANY" time_out="150" port_to="ANY"
plugin_id="4003" plugin_sid="7,8"/>
<rule type="detector" name="SSH Authentication failure (1000 times)"
reliability="7" occurrence="1000" from="1:SRC_IP" to="1:DST_IP"
port_from="ANY" time_out="4000" port_to="ANY"
plugin_id="4003"
plugin_sid="1,2,3,4,5,6,9,10,12,13,14,15,16,20" sticky="true"/>
<rule type="monitor" name="More than 10 secs persistence"
reliability="+4" from="1:SRC_IP" to="1:DST_IP"
port_from="1:SRC_PORT" port_to="1:DST_PORT" plugin_id="2005"
plugin_sid="248" condition="ge" value="10" interval="20"
time_out="120" absolute="true"/>
Each correlation directive can include as many rules as needed. It is always advisable to include a last level that captures a
large number of events, so that if the attack continues for a long period of time these events keep entering the same
directive and are grouped within the same alarm.
<directive id="500000" name="SSH Brute Force Attack Against DST_IP" priority="4">
  <rule type="detector" name="SSH Authentication failure" reliability="0"
        occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
        plugin_id="4003" plugin_sid="1,2,3,4,5,6,9,10,12,13,14,15,16,20">
    <rules>
      <rule type="detector" name="SSH Successful Authentication (After 1 failed)"
            reliability="1" occurrence="1" from="1:SRC_IP" to="1:DST_IP"
            port_from="ANY" time_out="15" port_to="ANY"
            plugin_id="4003" plugin_sid="7,8"/>
      <rule type="detector" name="SSH Authentication failure (10 times)"
            reliability="2" occurrence="10" from="1:SRC_IP" to="1:DST_IP"
            port_from="ANY" time_out="40" port_to="ANY"
            plugin_id="4003" plugin_sid="1,2,3,4,5,6,9,10,12,13,14,15,16,20"
            sticky="true">
        <rules>
          <rule type="detector" name="SSH Successful Authentication (After 1 failed)"
                reliability="4" occurrence="1" from="1:SRC_IP" to="1:DST_IP"
                port_from="ANY" time_out="100" port_to="ANY"
                plugin_id="4003" plugin_sid="7,8"/>
          <rule type="detector" name="SSH Authentication failure (100 times)"
                reliability="4" occurrence="100" from="1:SRC_IP" to="1:DST_IP"
                port_from="ANY" time_out="400" port_to="ANY"
                plugin_id="4003" plugin_sid="1,2,3,4,5,6,9,10,12,13,14,15,16,20"
                sticky="true">
            <rules>
              <rule type="detector" name="SSH Successful Authentication (After 1 failed)"
                    reliability="6" occurrence="1" from="1:SRC_IP" to="1:DST_IP"
                    port_from="ANY" time_out="150" port_to="ANY"
                    plugin_id="4003" plugin_sid="7,8"/>
              <rule type="detector" name="SSH Authentication failure (1000 times)"
                    reliability="7" occurrence="1000" from="1:SRC_IP" to="1:DST_IP"
                    port_from="ANY" time_out="4000" port_to="ANY"
                    plugin_id="4003" plugin_sid="1,2,3,4,5,6,9,10,12,13,14,15,16,20"
                    sticky="true"/>
              <rule type="monitor" name="More than 10 secs persistence"
                    reliability="+4" from="1:SRC_IP" to="1:DST_IP"
                    port_from="1:SRC_PORT" port_to="1:DST_PORT" plugin_id="2005"
                    plugin_sid="248" condition="ge" value="10" interval="20"
                    time_out="120" absolute="true"/>
            </rules>
          </rule>
        </rules>
      </rule>
    </rules>
  </rule>
</directive>
Detector Rule elements
type
What type of rule this is. There are two possible types as of today:
monitor
detector
As we are talking about detector rule elements, type will take detector as value. Eg: type=detector
name
The name of the rule describes what the system expects to collect in order to satisfy the condition of the rule for the
correlation. Eg: name=100 SSH Auth Failed events
reliability
Reliability value of every event generated within the directive. It can be an absolute value 0-10 or incremental (+2, +6). When
using an incremental value, it is added to the value that the reliability field took in the last event generated within
this directive.
When assigning the reliability value for each rule it is important to remember the formula for calculating risk in
AlienVault. Using high reliability values at the lowest levels of correlation will produce a large number of alarms even when low-
value assets are involved.
Eg: reliability=3 reliability=+3
occurrence
Number of events matching the conditions given in the rule that have to be collected before the directive generates an event.
The first level doesn't have an occurrence value, as it will always be one.
time_out
Waiting time before the rule expires and the directive process defined in that rule is discarded. The first rule doesn't have a
time_out value.
from
Source IP. There are various possible values for this field:
Network Name: You can use any network name defined via web (Assets -> Networks).
Relative value: This is used to reference ip addresses from previous levels. This should be easier to understand using
examples:
1:SRC_IP means use the source ip that matched the condition defined by the previous rule as source ip address.
2:DST_IP means use the destination ip that matched the condition defined two rules back (two levels earlier) as destination ip
address.
Negated elements: You can also use negated elements, e.g. !192.168.2.203,INTERNAL_NETWORK.
If INTERNAL_NETWORK == 192.168.2.0/24 this would match the whole class C except 192.168.2.203.
HOME_NET: This will match only when the Source IP belongs to your Assets, meaning that it has been included in the
AlienVault inventory as a host or that it belongs to a network or network group within your inventory.
to
Destination IP. There are various possible values for this field:
Network Name: You can use any network name defined via web (Assets -> Networks).
Relative value: This is used to reference ip addresses from previous levels. This should be easier to understand using
examples:
1:SRC_IP means use the source ip that matched the condition defined by the previous rule as source ip address.
2:DST_IP means use the destination ip that matched the condition defined two rules back (two levels earlier) as destination ip
address.
Negated elements: You can also use negated elements, e.g. !192.168.2.203,INTERNAL_NETWORK. If
INTERNAL_NETWORK == 192.168.2.0/24 this would match the whole class C except 192.168.2.203.
HOME_NET: This will match only when the Destination IP belongs to your Assets, meaning that it has been included in the
AlienVault inventory as a host or that it belongs to a network or network group within your inventory.
sensor
Sensor Name: You can use any Sensor name defined via web (Assets -> SIEM Components -> Sensors).
Relative value: This is used to reference sensors from previous levels. This should be easier to understand using an
example:
1:SENSOR means use the Sensor that matched the condition defined by the previous rule.
Negated elements: You can also use negated elements, separated by commas, e.g. !192.168.2.203,ANY.
port_to
This can be a port number or a sequence of comma separated port numbers. ANY port can also be used. Hint:
1:DST_PORT or 1:SRC_PORT mean the destination and source port of level 1 respectively. They can be used too (level 2 would be
2:DST_PORT, for example).
You can also negate ports. This will negate ports 22 and 21 in the directive:
port=!22,25,110,!21
port_from
This can be a port number or a sequence of comma separated port numbers. ANY port can also be used. Hint:
1:DST_PORT or 1:SRC_PORT mean the destination and source port of level 1 respectively. They can be used too (level 2 would be
2:DST_PORT, for example).
You can also negate ports. This will negate ports 22 and 21 in the directive:
port=!22,25,110,!21
protocol
This can be one of the following strings:
TCP
UDP
ICMP
Host_ARP_Event
Host_OS_Event
Host_Service_Event
Host_IDS_Event
Information_Event
Additionally, you can use just the protocol number instead of the name.
Although Host_ARP_Event, Host_OS_Event, etc. are not really protocols, you can use them if you want to build directives with
ARP, OS, IDS or Service events. You can also use relative references such as 1:TCP, 2:Host_ARP_Event, etc.
You can negate the protocol as well: protocol=!Host_ARP_Event,UDP,!ICMP will negate Host_ARP_Event and
ICMP, but will match UDP.
plugin_id
Numerical identifier of the tool that provides the information (events in detector rules and indicators in monitor rules).
plugin_sid
Numerical identifier of the type of event, within the tool defined by plugin_id, that must meet the condition defined by the
directive rule. plugin_sid can take ANY as value, or a relative value when it is being used in a second or higher correlation
level. Eg: plugin_sid=1:PLUGIN_SID
sticky
When events arrive at the correlation engine they will first try to be correlated inside directives whose correlation has already been
started.
Using sticky we prevent those events from starting the correlation of the same directive again, as they may also meet the conditions
given by the first level of the same directive. Eg: sticky=true or sticky=false
sticky_different
This variable can be associated with any field in rules with more than one occurrence, to require that all the occurrences have a
different value in that field.
Eg: sticky_different=DST_PORT (all the events matching the rule must have a different destination port, as used for port scanning
detection)
Username, password, filename, userdata1, userdata2, userdata3, userdata4, userdata5, userdata6, userdata7,
userdata8, userdata9
These keywords are optional. They can be used to match special data sent by the agents. Obviously, this only works if the event
carries these fields. The following values are accepted (you can insert any string to match here; if you want the rule to match
any value, you can omit these keywords or use ANY as the value):
ANY: Just that, this will match any word. You can also omit the keyword, and it will match too.
Comma separated list: You can use any number of words separated by commas.
Relative value: This is used to reference keywords from previous levels, for example:
1:FILENAME means use the filename referenced in the first rule level.
2:USERDATA5 means use the data from the USERDATA5 keyword referenced in the second rule level.
Negated: You can also use negated keywords, e.g. !johndoe,foobar. This will match foobar, but not johndoe.
Syslog Events: Username = dest username ; Userdata1 = src username ; Userdata2 = src user uid ; Userdata3 = service
Monitor Rule elements
type
What type of rule this is. There are two possible types as of today:
monitor
detector
As we are talking about monitor rule elements, type will take monitor as value. Eg: type=monitor
name
The rule name should describe the type of information that we obtain when querying the tool or device during correlation
using the monitor plugin.
reliability
Reliability value of every event generated within the directive. It can be an absolute value 0-10 or incremental (+2, +6). When
using an incremental value, it is added to the value that the reliability field took in the last event generated within
this directive.
When assigning the reliability value for each rule it is important to remember the formula for calculating risk in
AlienVault. Using high reliability values at the lowest levels of correlation will produce a large number of alarms even when low-
value assets are involved.
Eg: reliability=3 reliability=+3
plugin_id
Numerical identifier of the monitor plugin that will query the device or application to feed the correlation engine with
indicators while correlation takes place.
plugin_sid
Numerical identifier of the request or query that has to be executed. In this case we can not use ANY or a relative value.
time_out
Waiting time before the rule expires and the directive process defined in that rule is discarded. The first rule doesn't have a
time_out value.
condition
The condition field establishes a logical relation between the value field and the value returned by the monitor plugin request.
It can take the following values:
eq equal
ne non equal
lt less than
gt greater than
le less or equal
ge greater or equal
value
This field sets the value that is compared with the value returned by the collector after the monitor request.
Value must be an integer. Eg: value=333
time_out
Waiting time before the rule expires and the directive process defined in that rule is discarded.
interval
The value of this field sets the waiting time between each monitor request, until the rule is discarded because the time
defined by time_out is over.
absolute
This value sets whether the value to be compared is relative or absolute.
Absolute true: if the host has more than 1000 bytes sent during the next 60 seconds, there will be an answer when this value is
reached within those 60 seconds. absolute=true
Absolute false: if the host shows an increase of more than 1000 bytes sent, there will be an answer if the host shows this
increase within 60 seconds. absolute=false
from, to, port_from, port_to, protocol, sensor, Username, password, filename, userdata1, userdata2, userdata3,
userdata4, userdata5, userdata6, userdata7, userdata8, userdata9
In monitor type rules, these fields are not used to define a condition that must be matched by the events arriving at the
AlienVault server. They are used to send information to the collector, which uses it to build the query that is done
through the monitor plugin.
For this reason it does not make sense to use values such as HOME_NET or ANY. You need to write the value that has
to be sent to build the query of the monitor plugin, e.g. from=192.168.2.2, or use a relative value such as
from=1:SRC_IP to send the monitor plugin the ip address that matched as source ip in the previous correlation level.
Further reading and Information
Reporting Bugs
Reporting a bug with all the required information will reduce the time the developer needs to fix it. When reporting a bug
keep this in mind:
Be precise
Be clear
Report every bug you find, as small bugs may hide bigger bugs