Configuring AlienVault NIDS

Applies to Product: USM Appliance™ LevelBlue OSSIM®

USM Appliance comes with LevelBlue NIDS already enabled, but you need to perform the steps below in order to monitor network traffic.

  1. Enable one or more interfaces for monitoring
  2. Add monitored networks

  3. Using SPAN or mirror ports, configure your network devices to send traffic to the monitoring interface.

    Important: LevelBlue recommends that you send packets untagged through the SPAN/mirror port. This is because VLAN trunking is currently not supported. Therefore, Bridge Protocol Data Units (BPDUs) or packets sent through the other Layer 2 protocols are dropped. The Layer 2 protocols include, but are not limited to, Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), Link Aggregation Control Protocol (LACP), Port Aggregation Protocol (PAgP), Spanning Tree Protocol (STP), and VLAN Trunk Protocol (VTP).

Enable a Network Interface for Monitoring

If you have a USM Appliance All-in-One and you have not completed the initial configuration, you can enable the interface for NIDS monitoring by using the Getting Started Wizard. See Configuring Network Interfaces.

Otherwise, you can configure the network interface by using the web UI (recommended) or the LevelBlue Setup menu.

  1. Go to Configuration > Deployment > Components > AlienVault Center.
  2. Double-click the instance you want to configure.

  3. Click Sensor Configuration.

  4. Click Detection.

  5. In the Listening Interfaces area, click the plus (+) sign next to the interface you want to add.

    AlienVault Center page for configuring NIDS monitioring.

  6. Click Apply Changes.

  1. Connect to the LevelBlue Console through SSH and use your credentials to log in.

    The LevelBlue Setup menu displays.

  2. Select Configure Sensor.
  3. Select Configure Network Monitoring.

  4. Use the keyboard arrow keys to move to the interface, select the interface by pressing the spacebar, and then press Enter (<OK>).

    Continue Network Monitoring console for enabling an interface for NIDS.

  5. Press <Back> until you are on the LevelBlue Setup menu again. Select Apply all Changes.

  6. Press <Yes> to confirm.

    USM Appliance applies the changes and restarts all the services, which may take several minutes.

Add Monitored Networks

By default, USM Appliance monitors all RFC 1918 private networks (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16). Therefore, you do not need to take any further actions if your network uses private IP addresses. However, if you want to monitor a network with public IP addresses, you have to add the network to the list of monitored networks. You can add a network for NIDS monitoring by using the web UI (recommended) or the LevelBlue Setup menu.

  1. Go to Configuration > Deployment > Components > AlienVault Center.
  2. Double-click the appliance you want to configure.
  3. Click Sensor Configuration.
  4. Click Detection.

  5. In Monitored Networks, type the network address and click Add.

  6. Click Apply Changes.

  1. Connect to the LevelBlue Console through SSH and use your credentials to log in.

    The LevelBlue Setup menu displays.

  2. Select Configure Sensor.
  3. Select Network CIDRs.

  4. Type the network addresses you want to monitor, separating with comma, and then press Enter (<OK>).

    Network CIDRs console that adds a network for monitoring NIDS.

  5. Press <Back> until you are on the LevelBlue Setup menu again. Select Apply all Changes.

  6. Press <Yes> to confirm.

    USM Appliance applies the changes and restarts all the services, which may take several minutes.

AlienVault OSSIM Limitations: Both LevelBlue OSSIM and the USM Appliance HIDS decoders are fully featured, with all of their information coming from the Plugin Feed Updates that USM Appliance and LevelBlue OSSIM provide. However, LevelBlue OSSIM lacks the depth of NIDS information that is provided to USM Appliance through the Threat Intelligence Updates.