
OSSEC & OSSIM
Unified Open Source Security
santiago@alienvault.com
Why OSSIM
Open Source SIEM, GNU GPL 3.0
Provides threat detection capabilities
Monitors network assets
Centralizes information and management
Assesses threat reliability and risk
Collaboratively learns about APT

http://communities.alienvault.com/
OSSIM Architecture
[Figure: OSSIM architecture diagram. Labels recovered: Normalized Events; Configuration & Management]
OSSIM Embedded Tools
Assets: nmap, prads
Threat detection: ossec, snort, suricata
Behavioral monitoring: fprobe, nfdump, ntop, tcpdump, nagios
Vulnerability assessment: osvdb, openvas
OSSIM Collectors
OSSIM Collector Anatomy
[apache log]
76.103.249.20 - - [15/Jun/2013:10:14:32 -0700] "GET /ossim/session/login.php HTTP/1.1" 200 2612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"

[apache.cfg]
event_type=event
regexp=((?P<dst>\S+)(:(?P<port>\d{1,5}))? )?(?P<src>\S+) (?P<id>\S+) (?P<user>\S+) \[(?P<date>\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2})\s+[+-]\d{4}\] \"(?P<request>.*)\" (?P<code>\d{3}) ((?P<size>\d+)|-)( \"(?P<referer_uri>.*)\" \"(?P<useragent>.*)\")?$
src_ip={resolv($src)}
dst_ip={resolv($dst)}
dst_port={$port}
date={normalize_date($date)}
plugin_sid={$code}
username={$user}
userdata1={$request}
userdata2={$size}
userdata3={$referer_uri}
userdata4={$useragent}
filename={$id}
OSSIM Threat assessment
[Figure: reliability scale for SSH events. Labels recovered: Reliability axis; SSH failed authentication event; SSH successful authentication event; 10 SSH failed authentication events; 100 SSH failed authentication events; persistent SSH successful connections; 1000 SSH failed authentication events]
OSSIM Risk assessment
[Figure: an event with Event Priority = 2 and Event Reliability = 10, flowing from a source with Asset Value = 2 to a destination with Asset Value = 5]

RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY)/25
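To make the two slides above concrete, the Python below is an added example written for this page, not OSSIM's own correlation code. It escalates a directive's reliability along the thresholds the slide shows (1, 10, 100 and 1000 failed SSH authentications, with a success after failures raising it further) and then applies RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY)/25 to the slide's example values (priority 2, reliability 10, source asset value 2, destination asset value 5). The reliability numbers attached to each threshold, the +2 bump for a success, the 0-5 / 0-5 / 0-10 scales, the sample IP addresses and the event stream are assumptions made for the example.

```python
from collections import Counter

# Added example, not OSSIM code. The thresholds come from the slide; the
# reliability attached to each threshold is an assumption for this illustration.
RELIABILITY_LADDER = [(1000, 10), (100, 8), (10, 5), (1, 2)]

# Assumed scales: asset value 0-5, priority 0-5, reliability 0-10, so the
# slide's formula yields a risk between 0 and 10.
MAX_RISK = 10


def reliability_for_failures(failed, success_after=False):
    """Map a count of failed SSH authentications to a directive reliability."""
    reliability = 0
    for threshold, value in RELIABILITY_LADDER:
        if failed >= threshold:
            reliability = value
            break
    if success_after and failed > 0:
        reliability = min(10, reliability + 2)   # assumed bump: success after failures
    return reliability


def risk(asset_value, priority, reliability):
    """RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY)/25, from the slide."""
    return min(MAX_RISK, (asset_value * priority * reliability) / 25)


# Constructed event stream: (source ip, destination ip, kind). Addresses are
# documentation ranges, not real hosts.
EVENTS = ([("203.0.113.7", "10.0.0.80", "ssh_failed")] * 12
          + [("203.0.113.7", "10.0.0.80", "ssh_success")]
          + [("198.51.100.3", "10.0.0.80", "ssh_failed")] * 3)

# Constructed asset values, mirroring the slide's example (source 2, destination 5).
ASSET_VALUE = {"203.0.113.7": 2, "198.51.100.3": 2, "10.0.0.80": 5}
PRIORITY = 2   # event priority taken from the slide's example


def assess(events):
    """Return {source: (reliability, source risk, destination risk)} per attacking source."""
    failed = Counter((src, dst) for src, dst, kind in events if kind == "ssh_failed")
    succeeded = {(src, dst) for src, dst, kind in events if kind == "ssh_success"}
    result = {}
    for (src, dst), count in failed.items():
        rel = reliability_for_failures(count, success_after=(src, dst) in succeeded)
        result[src] = (rel,
                       risk(ASSET_VALUE[src], PRIORITY, rel),
                       risk(ASSET_VALUE[dst], PRIORITY, rel))
    return result
```

With the slide's numbers, risk(5, 2, 10) gives 4.0 for the destination and risk(2, 2, 10) gives 1.6 for the source: the same event carries more risk on the side that holds the more valuable asset. In the constructed stream, the source with 12 failures followed by a success reaches reliability 7, the one with 3 failures stays at 2.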


OSSIM Attack analysis
[Figure: attacker X.X.X.X attacks target Y.Y.Y.Y. Labels recovered: Accepted HTTP packet from X.X.X.X to Y.Y.Y.Y; Attack: WEB-IIS multiple decode attempt; Alert: IIS attack detected; Alert: Low OTX reputation IP; Vulnerability: IIS Remote Command Execution]
Why OSSEC
Open Source Host-based IDS (HIDS)
Log analysis based intrusion detection
File integrity checking
Registry keys integrity checking (Windows only)
Signature based malware/rootkits detection
Real time alerting and active response
Feeds SIEMs (OSSIM)
OSSEC Architecture
OSSEC Agent
Logcollectord: Reads logs (syslog, wmi, flat files)
Syscheckd: File integrity checking
Rootcheckd: Malware and rootkits detection
Agentd: Forwards data to the server
OSSEC Server
Remoted: Receives data from agents
Analysisd: Processes data (main process)
Monitord: Monitors agents
OSSEC Integration
[Figure: OSSEC to OSSIM data flow. Monitored Host (OSSEC Agent: Logcollectord, Syscheckd, Rootcheckd, Agentd) -> OSSIM Sensor (OSSEC Server: Remoted, Analysisd, Monitord, Logger, writing Alerts.log; OSSIM Agent: ossim-agent with the Ossec collector: Decode, Analyze) -> OSSIM Server (ossim-server: Correlation, Risk assessment, Alarm)]
OSSEC Collector Anatomy
[ossec.conf]
<custom_alert_output>AV - Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL: "$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER"; SRCIP: "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT: "[INIT]$FULLLOG[END]"; </custom_alert_output>

[alerts.log]
AV - Alert - "1374721595" --> RID: "3333"; RL: "7"; RG: "syslog,postfix,service_availability,"; RC: "Postfix stopped."; USER: "None"; SRCIP: "None"; HOSTNAME: "10.0.0.80"; LOCATION: "/var/log/syslog"; EVENT: "[INIT]May 16 14:47:19 10.0.0.80 postfix/master[2925]: terminating on signal 15[END]";

[ossec-single-line.cfg]
event_type=event
regexp=^AV\s-\sAlert\s-\s\"(?P<date>\d+)\"\s-->\sRID:\s\"(?P<rule_id>\d+)\";\sRL:\s\"(?P<rule_level>\d+)\";\sRG:\s\"(?P<rule_group>\S+)\";\sRC:\s\"(?P<rule_comment>.*?)\";\sUSER:\s\"(?P<username>\S+)\";\sSRCIP:\s\"(?P<srcip>.*?)\";\sHOSTNAME:\s\"\(?(?P<hostname>[A-Za-z0-9_\.]+)\)?[^"]*";
date={normalize_date($date)}
plugin_id={translate($rule_id)}
plugin_sid={$rule_id}
src_ip={resolv($srcip)}
dst_ip={resolv($hostname)}
username={$username}
userdata1={$rule_level}
userdata2={$rule_group}
userdata3={$rule_comment}
OSSIM Correlation Rules
[AV Bruteforce attack, SSH authentication attack]
[Figure: correlation directive view. Labels recovered: Correlation Engine Alert; OSSEC Rule ID; Alert Reliability; OSSEC Event Type]

OSSIM Alarm
[AV Bruteforce attack, Windows authentication attack]
[Figure: alarm view. Labels recovered: Risk Value; Correlation Engine Alerts; OSSEC Event]
OSSEC Embedded GUI
Status monitor
Events viewer
Agents control manager
Configuration manager
Rules viewer/editor

Logs viewer
Server control manager
Deployment manager
Rules viewer/editor
PDF/HTML Reports
Questions / Demo time
santiago@alienvault.com
@santiagobassett