
Running AlienVault OSSIM as a virtual machine on Unraid

Introduction

This guide demonstrates setting up AlienVault OSSIM as a virtual machine within Unraid. OSSIM, a robust open-source SIEM (Security Information and Event Management) system, provides asset discovery, vulnerability assessment, network and host intrusion detection, and event correlation at no cost. Typical uses include network-wide vulnerability scans and intrusion detection on endpoint devices.

The host-based intrusion detection (HIDS) built into OSSIM is derived from OSSEC. OSSIM also integrates with Open Threat Exchange (OTX), AlienVault's threat-intelligence sharing platform. The OTX endpoint agent, available for Windows, macOS, and Linux, checks hosts against the indicators of compromise shared on OTX, so it complements rather than replaces OSSIM's own vulnerability scanning. The agent installer can be pushed to managed devices through MDM platforms such as Mosyle (macOS) and Intune (Windows).

A custom-built Unraid server serves as the primary system, and getting OSSIM to run on it as a VM was a challenge previously: past attempts ended with a VM that would not boot after installation. This guide records the configuration that worked for installing and running OSSIM on Unraid, since little documentation on this combination exists.

Download OSSIM

The OSSIM installation ISO is freely downloadable from: https://cybersecurity.att.com/products/ossim/download. As an open-source solution, it’s free to use.

Alternatively, download the ISO directly from Unraid's terminal or over SSH. Change to the directory the VM will read it from (e.g., /mnt/user/iso/) and run:

wget https://dlcdn.alienvault.com/AlienVault_OSSIM_64bits.iso

Prepare Unraid

If you downloaded the ISO on another machine, copy it to the share on your Unraid server that holds VM ISOs (e.g., /mnt/user/iso/). If you used wget on the server, the ISO is already in place.

Create a New VM

The key to running OSSIM within Unraid is choosing the ‘Debian’ VM template (OSSIM is built on Debian). Under the ‘VMs’ tab in Unraid, click ‘ADD VM’ and select ‘Debian’ under the ‘Linux’ section.

Configure the VM

Keep the default ‘Host Passthrough’ CPU mode. Allocate the cores/threads you want to give the VM (e.g., 8 cores on a Ryzen 9 3950X). Set both Initial and Max Memory to 8192MB.

Select the following:

  • Machine: Q35-6.0
  • BIOS: SeaBIOS
  • USB Controller: 3.0 (nec XHCI)
  • OS Install ISO: Path to the downloaded OSSIM ISO (e.g., /mnt/user/iso/AlienVault_OSSIM_64bits.iso)

Choose ‘SATA’ for ‘OS Install CDRom Bus.’ Specify the location and size of the OSSIM VM’s virtual disk under ‘Primary vDisk Location,’ opting for ‘SATA’ again for ‘Primary vDisk Bus.’

Leave the remaining settings, down to ‘Network MAC,’ at their defaults. Add a second virtual network interface by clicking the ‘+’ in the bottom-left corner of the network pane. For the new ‘2nd Network MAC,’ copy the original MAC address and change its last character, so the prefix (including the locally-administered bit Unraid's generated MACs carry) is kept and only the device part differs. The address must not collide with any other VM on the same bridge, so check the other VMs' MACs before saving. Keep the rest as default.
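The following POSIX shell script is an added example, not part of the original post or of OSSIM itself. It does the two things a practitioner wants checked at this point: it derives the second vNIC's MAC from the first by bumping the last octet and confirms the result is not already assigned in the libvirt domain XML of the other VMs on the host (what Unraid's ‘XML view’ and `virsh dumpxml` produce), and it verifies a saved domain XML against the settings listed above (Q35-6.0 machine type, SeaBIOS rather than OVMF, SATA for the disk and CD-ROM). The script name pick_mac.sh, the /tmp/vms.xml path and the function names are assumptions; the XML in the usage notes is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): derive the '2nd Network MAC' for
# the OSSIM VM and sanity-check the saved libvirt domain XML.
# Assumptions: domain XML is available in a file (Unraid "XML view" or
# `virsh dumpxml`); file names and the script name pick_mac.sh are ours.

# Accept only six colon-separated hex pairs.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Print the MAC after $1: same first five octets, last octet + 1 (ff wraps to 00).
# Only the last octet changes, so the locally-administered bit in the first
# octet (what makes the 52:54:00:… range safe to hand out) is preserved.
next_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    valid_mac "$mac" || { printf 'next_mac: not a MAC: %s\n' "$1" >&2; return 1; }
    prefix=${mac%:*}
    last=$(printf '%d' "0x${mac##*:}")
    printf '%s:%02x\n' "$prefix" $(( (last + 1) % 256 ))
}

# Succeed if $1 already appears as <mac address='…'/> in the XML read on stdin
# (case-insensitive: libvirt may print the address in either case).
mac_in_xml() {
    grep -iq "mac address=['\"]$1['\"]"
}

# Print the first MAC after $1 that is absent from the domain XML in file $2.
pick_free_mac() {
    cand=$(next_mac "$1") || return 1
    tries=0
    while mac_in_xml "$cand" < "$2"; do
        tries=$((tries + 1))
        [ "$tries" -lt 255 ] || { printf 'no free MAC after %s\n' "$1" >&2; return 1; }
        cand=$(next_mac "$cand")
    done
    printf '%s\n' "$cand"
}

# Succeed if the domain XML in file $1 matches the settings that worked in the
# post: Q35-6.0 machine type, SeaBIOS (no <loader> element, which libvirt only
# emits for OVMF/UEFI) and every disk or cdrom on the SATA bus. Prints what is off.
check_ossim_xml() {
    ok=0
    grep -q "machine='pc-q35-6.0'" "$1" || { echo "machine type is not pc-q35-6.0"; ok=1; }
    ! grep -q '<loader' "$1" || { echo "<loader> present: firmware is OVMF, not SeaBIOS"; ok=1; }
    if grep "<target dev='[hsv]d" "$1" | grep -v "bus='sata'" | grep -q .; then
        echo "a disk or cdrom is not on the SATA bus"; ok=1
    fi
    return $ok
}

# Usage on the Unraid host (dump every defined VM, then pick and check):
#   for d in $(virsh list --all --name); do virsh dumpxml "$d"; done > /tmp/vms.xml
#   sh pick_mac.sh 52:54:00:ab:cd:ef /tmp/vms.xml
#   check_ossim_xml /tmp/ossim.xml     # after saving the OSSIM VM
if [ "$#" -ge 1 ]; then
    pick_free_mac "$1" "${2:-/dev/null}"
fi
```

Running the check against the OSSIM VM's own XML after saving catches the two settings most likely to be changed by accident in the Unraid form, the machine type and the disk bus, before the first boot attempt.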

Start the VM

Save the VM configuration and start the machine. Follow the standard OSSIM installer. The vDisk you defined is selected automatically as the installation target. When the installer prompts to install the GRUB bootloader, skip this step; this is the configuration that produced a bootable VM here.

After installation, restart the VM; on first boot you will be prompted to set the OSSIM administrator credentials.

Wrapping Up

OSSIM’s capabilities come with complexity. For newcomers, extensive research on SIEM tools and OSSIM-specific configuration is advised. While potentially exceeding typical home lab needs, mastering OSSIM is valuable for any security professional.

Licensed under CC BY-NC-SA 4.0