& OSSIM
Unified Open Source Security
santiago@alienvault.com
Why OSSIM
- Open Source SIEM
- GNU GPL 3.0
- Provides threat detection capabilities
- Monitors network assets
- Centralizes Information and Management
- Assesses threat reliability and risk
- Collaboratively learns about APT
- http://communities.alienvault.com/
OSSIM Architecture
(architecture diagram; recoverable labels: Normalized Events; Configuration & Management)

OSSIM Embedded Tools
- Assets / Threat detection: nmap, ossec, prads, snort, suricata
- Behavioral monitoring: fprobe, nfdump, ntop, tcpdump, nagios
- Vulnerability assessment: osvdb, openvas
OSSIM Collectors

OSSIM Collector Anatomy

[apache log]
76.103.249.20 - - [15/Jun/2013:10:14:32 -0700] "GET /ossim/session/login.php HTTP/1.1" 200 2612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"

[apache.cfg]
event_type=event
regexp=((?P<dst>\S+)(:(?P<port>\d{1,5}))?\s+)?(?P<src>\S+)\s+(?P<id>\S+)\s+(?P<user>\S+)\s+\[(?P<date>\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2})\s+[+-]\d{4}\]\s+\"(?P<request>.*)\"\s+(?P<code>\d{3})\s+((?P<size>\d+)|-)(\s+\"(?P<referer_uri>.*)\"\s+\"(?P<useragent>.*)\")?$
src_ip={resolv($src)}
dst_ip={resolv($dst)}
dst_port={$port}
date={normalize_date($date)}
plugin_sid={$code}
username={$user}
userdata1={$request}
userdata2={$size}
userdata3={$referer_uri}
userdata4={$useragent}
filename={$id}
OSSIM Threat assessment
(diagram; recoverable labels: SSH failed authentication event; SSH failed authentication events; SSH successful authentication event; Source; Destination; Event Priority = 2; Event Reliability = 10; Reliability 100)
(diagram: Attacker X.X.X.X --Attack--> Target Y.Y.Y.Y; Alert: IIS attack detected; recoverable labels grouped by component, in pipeline order)
- OSSEC agent on the target: Agentd, Logcollector, Syscheckd, Rootcheckd
- OSSEC server: Remoted, Analysisd (Decode, Analyze), Monitord, Alerts.log
- Ossim-agent: Ossec collector
- Ossim-server: Correlation, Risk assessment, Logger, Alarm
[alerts.log]
AV - Alert - "1374721595" --> RID: "3333"; RL: "7"; RG: "syslog,postfix,service_availability,"; RC: "Postfix stopped."; USER: "None"; SRCIP: "None"; HOSTNAME: "10.0.0.80"; LOCATION: "/var/log/syslog"; EVENT: "[INIT]May 16 14:47:19 10.0.0.80 postfix/master[2925]: terminating on signal 15[END]";

[ossec-single-line.cfg]
event_type=event
regexp=^AV\s-\sAlert\s-\s\"(?P<date>\d+)\"\s-->\sRID:\s\"(?P<rule_id>\d+)\";\sRL:\s\"(?P<rule_level>\d+)\";\sRG:\s\"(?P<rule_group>\S+)\";\sRC:\s\"(?P<rule_comment>.*?)\";\sUSER:\s\"(?P<username>\S+)\";\sSRCIP:\s\"(?P<srcip>.*?)\";\sHOSTNAME:\s\"\(?(?P<hostname>[A-Za-z0-9_\.]+)\)?[^"]*";
date={normalize_date($date)}
plugin_id={translate($rule_id)}
plugin_sid={$rule_id}
src_ip={resolv($srcip)}
dst_ip={resolv($hostname)}
username={$username}
userdata1={$rule_level}
userdata2={$rule_group}
userdata3={$rule_comment}
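Worked example, added here and not code from the OSSIM agent itself: a minimal Python re-implementation of the collector anatomy shown on the two slides above (the Apache access log and the OSSEC alerts.log line). It reads the key=value lines of each plugin fragment, compiles the regexp, and expands the {resolv($x)}, {normalize_date($x)}, {translate($x)} and {$x} templates into a normalized event dict. The two plugin fragments are the page's own (with the whitespace tokens restored between fields); resolv() is reduced to accepting literal IPv4 addresses so the example runs offline, and the translate() table is a constructed placeholder, since the real ossec plugin ships its own rule-id-to-plugin-id table.

```python
import re
from datetime import datetime, timezone

# Plugin fragments from the slides: only the regexp and field templates matter here.
APACHE_CFG = r"""
event_type=event
regexp=((?P<dst>\S+)(:(?P<port>\d{1,5}))?\s+)?(?P<src>\S+)\s+(?P<id>\S+)\s+(?P<user>\S+)\s+\[(?P<date>\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2})\s+[+-]\d{4}\]\s+\"(?P<request>.*)\"\s+(?P<code>\d{3})\s+((?P<size>\d+)|-)(\s+\"(?P<referer_uri>.*)\"\s+\"(?P<useragent>.*)\")?$
src_ip={resolv($src)}
dst_ip={resolv($dst)}
dst_port={$port}
date={normalize_date($date)}
plugin_sid={$code}
username={$user}
userdata1={$request}
userdata2={$size}
userdata3={$referer_uri}
userdata4={$useragent}
filename={$id}
"""

OSSEC_CFG = r"""
event_type=event
regexp=^AV\s-\sAlert\s-\s\"(?P<date>\d+)\"\s-->\sRID:\s\"(?P<rule_id>\d+)\";\sRL:\s\"(?P<rule_level>\d+)\";\sRG:\s\"(?P<rule_group>\S+)\";\sRC:\s\"(?P<rule_comment>.*?)\";\sUSER:\s\"(?P<username>\S+)\";\sSRCIP:\s\"(?P<srcip>.*?)\";\sHOSTNAME:\s\"\(?(?P<hostname>[A-Za-z0-9_\.]+)\)?[^"]*";
date={normalize_date($date)}
plugin_id={translate($rule_id)}
plugin_sid={$rule_id}
src_ip={resolv($srcip)}
dst_ip={resolv($hostname)}
username={$username}
userdata1={$rule_level}
userdata2={$rule_group}
userdata3={$rule_comment}
"""

# Constructed placeholder: the real ossec-single-line.cfg ships a [translation]
# section mapping OSSEC rule ids to OSSIM plugin ids; 9999 is not a real id.
TRANSLATION = {"3333": 9999}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def resolv(value):
    """OSSIM's resolv() turns hostnames into IPs; to stay offline this version
    accepts literal IPv4 addresses and maps anything else (a name, "None") to None."""
    return value if value and IPV4.match(value) else None


def normalize_date(value):
    """Return 'YYYY-MM-DD HH:MM:SS' from an epoch (OSSEC alerts) or an Apache
    access-log timestamp; the Apache regexp above already drops the tz offset."""
    if value.isdigit():
        dt = datetime.fromtimestamp(int(value), tz=timezone.utc)
    else:
        dt = datetime.strptime(value, "%d/%b/%Y:%H:%M:%S")
    return dt.strftime("%Y-%m-%d %H:%M:%S")


def translate(value):
    """Look the captured value up in the plugin's translation table."""
    return TRANSLATION.get(value, value)


FUNCTIONS = {"resolv": resolv, "normalize_date": normalize_date, "translate": translate}
TEMPLATE = re.compile(r"^\{(?:(?P<func>\w+)\()?\$(?P<group>\w+)\)?\}$")  # {$g} or {func($g)}


def load_plugin(cfg_text):
    """Turn the key=value lines of a fragment into (compiled regexp, {field: template})."""
    regexp, fields = None, {}
    for line in cfg_text.strip().splitlines():
        key, _, value = line.partition("=")
        if key == "regexp":
            regexp = re.compile(value)
        elif key != "event_type":
            fields[key] = value
    return regexp, fields


def normalize(plugin, line):
    """Apply one plugin to one raw log line; None means the regexp did not match."""
    regexp, fields = plugin
    match = regexp.search(line)
    if match is None:
        return None
    event = {}
    for name, template in fields.items():
        spec = TEMPLATE.match(template)
        raw = match.group(spec.group("group"))
        if raw is None:            # optional capture group absent, e.g. no dst:port prefix
            event[name] = None
        elif spec.group("func"):
            event[name] = FUNCTIONS[spec.group("func")](raw)
        else:
            event[name] = raw
    return event


# The two raw lines shown on the slides.
APACHE_LINE = ('76.103.249.20 - - [15/Jun/2013:10:14:32 -0700] '
               '"GET /ossim/session/login.php HTTP/1.1" 200 2612 "-" '
               '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 '
               '(KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"')
OSSEC_LINE = ('AV - Alert - "1374721595" --> RID: "3333"; RL: "7"; '
              'RG: "syslog,postfix,service_availability,"; RC: "Postfix stopped."; '
              'USER: "None"; SRCIP: "None"; HOSTNAME: "10.0.0.80"; LOCATION: "/var/log/syslog"; '
              'EVENT: "[INIT]May 16 14:47:19 10.0.0.80 postfix/master[2925]: terminating on signal 15[END]";')


def demo():
    """Normalize both sample lines; returns (apache_event, ossec_event)."""
    return (normalize(load_plugin(APACHE_CFG), APACHE_LINE),
            normalize(load_plugin(OSSEC_CFG), OSSEC_LINE))


if __name__ == "__main__":
    for event in demo():
        print(event)
```

The point worth noticing is the None handling: the Apache regexp's leading dst/port group is optional, so a plain access log yields no dst_ip and no dst_port, and the OSSEC line carries SRCIP "None", which resolv() turns into a missing src_ip rather than a bogus address. Downstream correlation has to tolerate those gaps.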
OSSIM Correlation Rules
[AV Bruteforce attack, SSH authentication attack]
(diagram: OSSEC Event -> Correlation Engine -> Alerts)
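Added example (not the OSSIM correlation engine's own code) covering the mechanics behind the "Threat assessment" and "Correlation Rules" slides above: a small in-memory directive in the shape of the "AV Bruteforce attack, SSH authentication attack" rule. It raises reliability once failed SSH logins from one source reach a threshold, and again when a success from the same source to the same destination follows, and scores each alarm with OSSIM's risk formula, risk = asset value * priority * reliability / 25 (asset 0-5, priority 0-5, reliability 0-10). The event names, threshold, time window, asset values, default asset value and IP addresses are constructed for the example; priority 2 follows the slide's "Event Priority = 2".

```python
from dataclasses import dataclass


@dataclass
class Event:
    """Normalized event as a collector plugin would emit it (constructed shape)."""
    ts: int       # epoch seconds
    name: str     # e.g. "SSH failed authentication"
    src: str
    dst: str


@dataclass
class Alarm:
    src: str
    dst: str
    reliability: int
    priority: int
    risk: float
    reason: str


# Directive parameters, constructed for the example.
FAILED = "SSH failed authentication"
SUCCESS = "SSH successful authentication"
FAILED_THRESHOLD = 5     # failed logins from one source before reliability is raised
WINDOW = 300             # seconds a partially matched directive stays open
PRIORITY = 2             # the slide's "Event Priority = 2"
DEFAULT_ASSET_VALUE = 2  # assumed value for hosts missing from the asset inventory


def ossim_risk(asset_value, priority, reliability):
    """OSSIM's risk formula: asset 0-5, priority 0-5, reliability 0-10 -> risk 0-10."""
    return asset_value * priority * reliability / 25


class BruteforceDirective:
    """Keeps one open context per (src, dst) pair, like a directive's partial matches."""

    def __init__(self, asset_values):
        self.asset_values = asset_values   # dst -> asset value from the inventory
        self.contexts = {}                 # (src, dst) -> {"opened": ts, "failures": n}
        self.alarms = []

    def feed(self, ev):
        """Consume one event; return an Alarm when a directive level fires, else None."""
        key = (ev.src, ev.dst)
        ctx = self.contexts.get(key)
        if ctx and ev.ts - ctx["opened"] > WINDOW:   # timeout: drop the stale partial match
            del self.contexts[key]
            ctx = None
        if ev.name == FAILED:
            if ctx is None:
                ctx = self.contexts[key] = {"opened": ev.ts, "failures": 0}
            ctx["failures"] += 1
            if ctx["failures"] == FAILED_THRESHOLD:
                return self._alarm(ev, 5, f"{FAILED_THRESHOLD} failed SSH logins from one source")
        elif ev.name == SUCCESS and ctx and ctx["failures"] >= FAILED_THRESHOLD:
            del self.contexts[key]                   # directive completed
            return self._alarm(ev, 10, "SSH login succeeded after brute force")
        return None

    def _alarm(self, ev, reliability, reason):
        asset = self.asset_values.get(ev.dst, DEFAULT_ASSET_VALUE)
        alarm = Alarm(ev.src, ev.dst, reliability, PRIORITY,
                      ossim_risk(asset, PRIORITY, reliability), reason)
        self.alarms.append(alarm)
        return alarm


def run(events, asset_values):
    """Feed events in order; return the alarms raised."""
    directive = BruteforceDirective(asset_values)
    return [a for a in (directive.feed(ev) for ev in events) if a is not None]


# Constructed sample: five quick failures then a success from 198.51.100.7,
# plus an unrelated clean login from 10.0.0.5 that must not alarm.
ATTACKER, TARGET = "198.51.100.7", "10.0.0.80"
SAMPLE = [Event(1000 + i * 10, FAILED, ATTACKER, TARGET) for i in range(5)]
SAMPLE += [Event(1060, SUCCESS, ATTACKER, TARGET), Event(1070, SUCCESS, "10.0.0.5", TARGET)]
# Same source, attempts 200 s apart: the window expires before the threshold is reached.
SLOW = [Event(1000 + i * 200, FAILED, ATTACKER, TARGET) for i in range(10)]
ASSETS = {TARGET: 4}   # constructed inventory entry for the target


if __name__ == "__main__":
    for alarm in run(SAMPLE, ASSETS):
        print(alarm)
    print("slow attempts raised", len(run(SLOW, ASSETS)), "alarms")
```

With the target's asset value at 4, the first alarm scores 4 * 2 * 5 / 25 = 1.6 and the success-after-failures alarm 4 * 2 * 10 / 25 = 3.2; the same events against a host with the default asset value score lower, which is exactly how OSSIM lets asset inventory weight the alarm queue. The slow sequence shows the other side: without a timeout every source would eventually cross the threshold, so the window is what keeps a directive from accumulating forever.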
Embedded
GUI
Status
monitor
Events
viewer
Agents
control
manager
Congura8on
manager
Rules
viewer/editor
Logs
viewer
Server
control
manager
Deployment
manager
Rules
viewer/editor
PDF/HTML
Reports
Questions / Demo time
santiago@alienvault.com
@santiagobassett