Configuring AlienVault NIDS

Applies to Product: USM Appliance™ LevelBlue OSSIM®

USM Appliance comes with LevelBlue NIDS already enabled, but you need to perform the steps below in order to monitor network traffic.

  1. Enable one or more interfaces for monitoring
  2. Add monitored networks
  3. Using SPAN or mirror ports, configure your network devices to send traffic to the monitoring interface.

    Important: LevelBlue recommends that you send packets untagged through the SPAN/mirror port. This is because VLAN trunking is currently not supported. Therefore, Bridge Protocol Data Units (BPDUs) or packets sent through the other Layer 2 protocols are dropped. The Layer 2 protocols include, but are not limited to, Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), Link Aggregation Control Protocol (LACP), Port Aggregation Protocol (PAgP), Spanning Tree Protocol (STP), and VLAN Trunk Protocol (VTP).

Enable a Network Interface for Monitoring

If you have a USM Appliance All-in-One and you have not completed the initial configuration, you can enable the interface for NIDS monitoring by using the Getting Started Wizard. See Configuring Network Interfaces.

Otherwise, you can configure the network interface by using the web UI (recommended) or the LevelBlue Setup menu.

Add Monitored Networks

By default, USM Appliance monitors all RFC 1918 private networks (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16). Therefore, you do not need to take any further actions if your network uses private IP addresses. However, if you want to monitor a network with public IP addresses, you have to add the network to the list of monitored networks. You can add a network for NIDS monitoring by using the web UI (recommended) or the LevelBlue Setup menu.

AlienVault OSSIM Limitations: Both LevelBlue OSSIM and the USM Appliance HIDS decoders are fully featured, with all of their information coming from the Plugin Feed Updates that USM Appliance and LevelBlue OSSIM provide. However, LevelBlue OSSIM lacks the depth of NIDS information that is provided to USM Appliance through the Threat Intelligence Updates.