Thursday, March 11, 2010

OSSIM, VMTools, and YOU!

I have had the pleasure of installing OSSIM for use at our company. It is replacing our old Cisco MARS appliance which, after using it at several places, I can say is a sub-par correlation and monitoring system.

I'm still setting up OSSIM, so I can't give it a review yet. I will say it's easy to install and looks great. I need to get some event pumping through it to really test it.

Anyway, if you are like me you want to do-it-yourself when it comes to installing something for the first time. In this case instead of using the configured VM image, I installed OSSIM from the installation media onto a VM.

Everything installed easily, now it's time to install the VMware tools. First I need to mount the virtual CD with the VM image:
# mount -t iso9660 /dev/cdrom1 /cdrom
I chose to install the tools from the tar.gz instead of the .rpm.
# ./vmware-install.pl
I accept the defaults, just to ensure ease of management. This is a personal choice, but I believe that unless there is a valid technical reason to change the settings, you shouldn't.

Which works fine until you get the following errors:
None of the pre-built vmmemctl modules for VMware Tools is suitable for your running kernel. Do you want this program to try to build the vmmemctl module for your system (you need to have a C compiler installed on your system)?
One solution is to load the generic Debian kernel. I boot from the AlienVault kernel and assume there is a valid reason they have their own kernel, and would prefer to keep it. So I decided to compile the VMtools for loading into the kernel.

First, you need to install the compiler and headers:
# apt-get install build-essential linux-headers-$(uname -r)
Next, we run the install and just choose yes when it asks us to build the modules:

None of the pre-built vmmemctl modules for VMware Tools is suitable for your running kernel. Do you want this program to try to build the vmmemctl module for your system (you need to have a C compiler installed on your system)?
[yes] Yes
If all goes well, after each module is compiled, you will get a success message:
The vmmemctl module loads perfectly into the running kernel.
I checked, and the VMTools appear to be running perfectly. I still have some testing to do...but it works great.
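As an added example (not from the original post), the two checks I would script after the steps above: that the headers directory for the running kernel exists before re-running vmware-install.pl, and that the compiled modules actually show up in lsmod afterwards. It assumes the Debian layout /lib/modules/<release>/build and uses a constructed lsmod listing so it runs offline; the module names besides vmmemctl are assumptions.

```shell
#!/bin/sh
# Added example: post-install checks for VMware Tools on an OSSIM guest.
set -u

# Return 0 if kernel headers for release $1 are installed under $2
# (defaults to /lib/modules). vmware-install.pl needs this directory
# to build vmmemctl and friends for the running AlienVault kernel.
headers_present() {
    kver="$1"; modroot="${2:-/lib/modules}"
    [ -d "$modroot/$kver/build" ]
}

# Return 0 if module $1 is present in the lsmod-style text $2.
# lsmod prints a header line, then one module per line, name first.
module_loaded() {
    printf '%s\n' "$2" |
        awk -v m="$1" 'NR > 1 && $1 == m { found = 1 } END { exit !found }'
}

# Constructed lsmod output for the demonstration; on a real host use "$(lsmod)".
SAMPLE_LSMOD='Module                  Size  Used by
vmmemctl               12345  0
vmxnet                 23456  0
ext3                  123456  1'

# Print a short report: headers for the running kernel, then each expected
# module. Module names other than vmmemctl are assumptions for this example.
report() {
    kver="$(uname -r)"
    if headers_present "$kver"; then
        echo "headers for $kver: present"
    else
        echo "headers for $kver: missing (apt-get install linux-headers-$kver)"
    fi
    for mod in vmmemctl vmxnet vmhgfs; do
        if module_loaded "$mod" "$SAMPLE_LSMOD"; then
            echo "$mod: loaded"
        else
            echo "$mod: NOT loaded, re-run vmware-install.pl and rebuild"
        fi
    done
}

report
```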

1 comment:

Anonymous said...

Did you finish testing? What are your thoughts on OSSIM vs CS-MARS? I'm looking at OSSIM and Prelude as alternatives to our MARS appliance.

Thanks!