
HOW ALIENVAULT COMPONENTS COMMUNICATE
TCP/IP Connections Between OSSIM/USM Components
CORE ALIENVAULT COMPONENTS
SERVER HOST
• Server
• Web Framework
• Database
• Identity Management
• Vulnerability Management
SENSOR HOST
• Agent
• Vulnerability Scanner
• Log Collection
REFERENCE: OPEN SERVER PORTS
An AlienVault Server will have the following ports listening for incoming connections:
TCP/22 – SSH – Secure Shell management service
TCP/443 – HTTPS – Web UI
TCP/40001 – alienvault-server – the core server process
TCP/40002 – alienvault-idm – identity management process
TCP/40003 – alienvault-frameworkd – web UI process
TCP/40004 – forwarder – log forwarding (server to server)
TCP/40005 – machete – AlienVault Smart Event Collection service (USM only)
TCP/40006 – mixterd – AlienVault Smart Event Collection service (USM only)
TCP/40007 – alienvault-center – Server and Sensor status monitoring
TCP/40008 – alienvault-idm – identity management process
UDP/514 – rsyslog – syslog collection service
UDP/1514 – ossec – OSSEC agent management service
REFERENCE: OPEN SENSOR PORTS
An AlienVault Sensor will have the following ports listening for incoming connections:
TCP/22 – SSH – Secure Shell management service
TCP/9390 – openvasmd – OpenVAS management client
TCP/9391 – openvassd – OpenVAS vulnerability scanner
TCP/4949 – munin – Sensor service watching
TCP/3000 – ntop – traffic monitoring service
TCP/40007 – alienvault-center – Server and Sensor status monitoring
UDP/514 – rsyslog – syslog collection service
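The two port tables above are a baseline a defender can audit against. The script below is an added example (not AlienVault's own tooling): it reduces `ss -lntuH` output to proto/port tokens and reports any listener that is not in the baseline for the host's role, and any baseline port that is not listening. The sample snapshot is constructed to show one of each deviation.

```shell
#!/bin/sh
# Added example (not AlienVault's own tooling): compare a host's listening
# sockets with the port baseline on this page, reporting listeners that are
# not in the baseline and baseline ports that are not listening.

# Expected listeners per role, taken from the server and sensor port tables.
SERVER_BASELINE="tcp/22 tcp/443 tcp/40001 tcp/40002 tcp/40003 tcp/40004 tcp/40005 tcp/40006 tcp/40007 tcp/40008 udp/514 udp/1514"
SENSOR_BASELINE="tcp/22 tcp/9390 tcp/9391 tcp/4949 tcp/3000 tcp/40007 udp/514"

# Reduce `ss -lntuH` lines to sorted unique "proto/port" tokens. Field 1 is the
# protocol and field 5 the local address, whose last ":"-separated part is the port.
listeners() {
  printf '%s\n' "$1" | awk 'NF >= 5 { n = split($5, a, ":"); print $1 "/" a[n] }' | sort -u
}

# check_baseline ROLE SNAPSHOT: prints one "UNEXPECTED proto/port" or
# "MISSING proto/port" line per deviation; returns 0 when the host matches.
check_baseline() {
  role=$1; snapshot=$2
  case $role in
    server) baseline=$SERVER_BASELINE ;;
    sensor) baseline=$SENSOR_BASELINE ;;
    *) echo "unknown role: $role" >&2; return 2 ;;
  esac
  actual=$(listeners "$snapshot")
  expected=$(printf '%s\n' $baseline | sort -u)
  rc=0
  for p in $actual; do
    echo "$expected" | grep -qx "$p" || { echo "UNEXPECTED $p"; rc=1; }
  done
  for p in $expected; do
    echo "$actual" | grep -qx "$p" || { echo "MISSING $p"; rc=1; }
  done
  return $rc
}

# Constructed sample of `ss -lntuH` output from a sensor host: the munin
# listener on tcp/4949 is missing and an extra service listens on tcp/8080.
SAMPLE_SENSOR='tcp   LISTEN 0 128 0.0.0.0:22    0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:9390  0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:9391  0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:3000  0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:40007 0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:8080  0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:514   0.0.0.0:*'

# Live use on a sensor: check_baseline sensor "$(ss -lntuH)"
check_baseline sensor "$SAMPLE_SENSOR" || echo "sensor deviates from baseline"
```

A USM deployment that has enabled NetFlow or VPN listeners will need those ports added to the baseline strings before the check is meaningful on that host.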
ALIENVAULT SERVER
OSSIM Server provides the core SIEM functions of log aggregation, normalization, prioritization, reputation and correlation.

The Server process accepts communication from agents (on sensors) and the OSSIM Framework via TCP port 40001 inbound.

Agents communicate with AlienVault IDM (Identity Management) on the Server over TCP port 40002 inbound.

OSSIM Server communicates with the Database over TCP port 3306 outbound.

OSSIM Server is managed via command line over TCP port 22 inbound (Secure Shell).
ALIENVAULT FRAMEWORK (WEB UI)
Framework provides connectivity and management between OSSIM components and the primary User Interface.

The Web UI is served over HTTPS, TCP port 443 inbound. Port 80 inbound is also active by default, but serves only to redirect clients to the HTTPS port.

OSSIM Framework communicates with the Database over TCP port 3306 outbound.

OSSIM Framework is managed via command line over TCP port 22 inbound (Secure Shell).
ALIENVAULT SENSOR (NETWORK INTERFACES)
OSSIM Sensors are typically configured with two interfaces: a Management interface and a Monitoring interface. The management interface is configured with an IP address and is used for communication with other OSSIM components. The monitoring interface requires visibility of network traffic (typically via a SPAN port on a network switch).
ALIENVAULT SENSOR – CONNECTIONS
Devices transmit log data to the sensors via the syslog protocol operating on UDP (and optionally TCP where supported) port 514.
Other log types may require outbound connections from the Sensor to the device; consult the documentation for a particular device type for information on which ports are used.
Sensors communicate back to the OSSIM Server via TCP ports 40001 and 40002 outbound.
The Server pulls updates for inventory and network monitoring via TCP ports 3000 and 4949 and UDP port 555.
The Vulnerability Scanning system operates from the Sensor and is controlled via TCP ports 9390 and 9391.
REMOTE SENSORS OVER VPN
AlienVault Sensors may also be configured to establish a VPN tunnel to the AlienVault Server.
In this configuration all connectivity between the Sensor and the Server occurs over UDP port 1194.
ALIENVAULT DATABASE
The Database system stores event data and runtime configurations for OSSIM components.
Both the OSSIM Server and OSSIM Framework connect to the Database over TCP port 3306.
ALL COMPONENTS
All hosts running AlienVault components can be managed via command line over Secure Shell on TCP port 22.
All hosts require internet access to TCP port 80 and port 443 (or an HTTP proxy) for retrieval of software updates and reputation data.

NETWORK VISIBILITY
AlienVault Sensors require visibility of network traffic for monitoring functions, usually via a SPAN port on a network switch.
Active scanning for asset and vulnerability detection will require uninhibited network access from the Sensor to achieve accurate results.
NETFLOW COLLECTION
NetFlow collection, whether from AlienVault Sensors or third-party devices, will require an additional UDP port on the AlienVault Server.

This port is configured when activating NetFlow on the Sensor (or when creating a dummy sensor to collect NetFlow data from a third-party source).

Each device will be configured to transmit on a different port, and thus each device will require a separate UDP port listening on the Server.

By default, these ports are assigned from UDP port 12000 upwards.
