2. Active / Passive
The different tools integrated within OSSIM can be classified under the following categories:
- Active: they generate traffic within the network that is being monitored.
- Passive: they analyze network traffic without generating any traffic within the monitored network. The passive tools require port mirroring (a SPAN port) configured on the network equipment.
3. Snort
NIDS (Network Intrusion Detection System)
http://www.snort.org
Snort analyzes the network traffic. Events are generated when the Snort patterns (signatures) match the network traffic.
Utility within OSSIM:
- Portscans
- Worms
- Malware
- Policy violations (P2P, IM, porn, games...)
PASSIVE
5. Snort
PASSIVE
Virus and Trojans:
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET VIRUS Bugbear@MM virus via SMTP"; flow: established; content:"uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQk/xWcEQmDxCTD"; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001764; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_BugBear; sid: 2001764; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM UPX encrypted file download - possible worm"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"|00|code|00|"; content:"|00 C0|text|00|"; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001047; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/WORM_Suspicious_Extensions; sid: 2001047; rev:6;)
Scans:
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET SCAN Unusually Fast 403 Error Messages, Possible Web Application Scan"; flow:from_server,established; content:"HTTP/1.1 403"; depth:13; threshold: type threshold, track by_dst, count 35, seconds 60; classtype:attempted-recon; reference:url,www.checkupdown.com/status/E403.html; reference:url,doc.emergingthreats.net/2009749; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_403; sid:2009749; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"ET SCAN Rapid POP3 Connections - Possible Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 10, seconds 120; classtype: misc-activity; reference:url,doc.emergingthreats.net/2002992; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_General_Services; sid: 2002992; rev:5;)
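The two ET SCAN rules on this slide fire on event rate rather than on payload alone, through Snort's threshold option. The following added example (not from the slides, Snort or OSSIM) models the three documented threshold types (limit, threshold, both) per tracked address and replays constructed event streams against the count and seconds values of sids 2009749 and 2002992; the time-window handling is a simplification of Snort's.

```python
class ThresholdTracker:
    """Models Snort's threshold types (limit, threshold, both) per tracked key."""

    def __init__(self, kind, count, seconds):
        self.kind, self.m, self.secs = kind, count, seconds
        self.state = {}  # key (src or dst IP) -> [window_start, events_in_window]

    def check(self, key, t):
        """Return True if the event seen at time t (seconds) should raise an alert."""
        st = self.state.get(key)
        if st is None or t - st[0] >= self.secs:
            st = self.state[key] = [t, 0]  # open a fresh time window (simplified)
        st[1] += 1
        if self.kind == "limit":       # alert on the first m events per window
            return st[1] <= self.m
        if self.kind == "threshold":   # alert on every m-th event per window
            if st[1] >= self.m:
                st[1] = 0
                return True
            return False
        if self.kind == "both":        # alert once per window, on the m-th event
            return st[1] == self.m
        raise ValueError("unknown threshold type: %s" % self.kind)


# Threshold options copied from the two ET SCAN rules on this slide.
RULES = {
    2009749: dict(kind="threshold", track="by_dst", count=35, seconds=60),  # fast 403s
    2002992: dict(kind="both", track="by_src", count=10, seconds=120),      # rapid POP3 SYNs
}


def alerts_for(sid, events):
    """events: (time_seconds, src_ip, dst_ip) tuples; returns the times an alert fires."""
    rule = RULES[sid]
    trk = ThresholdTracker(rule["kind"], rule["count"], rule["seconds"])
    fired = []
    for t, src, dst in events:
        key = src if rule["track"] == "by_src" else dst
        if trk.check(key, t):
            fired.append(t)
    return fired


# Constructed samples: 80 HTTP 403 responses from one server to a client in 40 s plus
# 5 to another client; 25 POP3 SYNs from one source in 25 s plus 4 from another.
SAMPLE_403 = [(i * 0.5, "10.0.0.5", "192.0.2.10") for i in range(80)] + \
             [(i * 1.0, "10.0.0.5", "192.0.2.11") for i in range(5)]
SAMPLE_POP3 = [(float(i), "198.51.100.7", "10.0.0.20") for i in range(25)] + \
              [(float(i), "198.51.100.8", "10.0.0.20") for i in range(4)]

if __name__ == "__main__":
    print(alerts_for(2009749, SAMPLE_403))   # alerts on the 35th and 70th response
    print(alerts_for(2002992, SAMPLE_POP3))  # one alert, on the 10th SYN
```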
6. Ntop
Network and usage monitor
http://www.ntop.org
Ntop analyzes all the network traffic. Ntop provides information (real-time and historical) on the network usage.
Utility within OSSIM:
- Network usage statistics
- Asset information
- Time and activity matrices
- Real-time session monitoring
- Network abuse
PASSIVE
10. Ntop – RRD Aberrant Behaviour
Analyzing the historical data, Ntop uses the RRD Aberrant Behaviour algorithm to draw predictions of the future behaviour of our assets and networks. If the prediction differs from the real traffic, an event is generated within OSSIM.
PASSIVE
11. NFSen / NFdump
Nfdump: the nfdump tools collect and process NetFlow data on the command line.
http://nfdump.sourceforge.net/
NFSen is a graphical web-based front end for the nfdump NetFlow tools.
PASSIVE
12. NFSen / NFdump
NetFlow is a network protocol developed by Cisco Systems to run on Cisco IOS-enabled equipment for collecting IP traffic information. It is supported by platforms other than IOS, such as Juniper, Linux, FreeBSD or OpenBSD.
PASSIVE
13. OCS
Inventory Management
http://www.ocsinventory-ng.org
OCS requires an agent installed on every inventoried computer. OCS can also be used to deploy software packages.
Utility within OSSIM:
- Inventory management (software & hardware)
- Vulnerability management
- Policy violations
- Hardware monitoring
ACTIVE (AGENTS)
15. Nagios
Availability monitor
http://www.nagios.org
Nagios monitors the availability of assets and services in our network. A service can be monitored using different checks. Example, for a MySQL server:
- Check whether the host is up or not
- Check whether the MySQL port is open or closed
- Check whether there is a MySQL server listening on that port
- Run a query and check the result
ACTIVE
16. Nagios
Utility within OSSIM:
- Availability monitoring (as a detector and in real time)
Nagios can run checks remotely or through an agent deployed on the host that is being monitored. Nagios has a wide number of plugins to monitor different devices and applications.
ACTIVE
17. OpenVas
Vulnerability scanning
http://www.openvas.org
OpenVas uses signatures to identify vulnerabilities in the hosts of our network.
Utility within OSSIM:
- Attack prevention (we know what is vulnerable)
- Is the network policy being violated? Shared folders, forbidden activities...
ACTIVE
18. OpenVas
Some vulnerabilities can only be verified by actually exploiting them (e.g. DoS). OpenVas allows fine-tuning of the scanning aggressiveness. Misconfigured scans may severely impact the scanned network. After installation, the first scanning profiles have to be defined and watched over very carefully.
ACTIVE
19. OpenVas
OpenVas is able to perform local scans on remote machines if valid credentials for them are provided. This way OpenVas has an exact listing of the software installed on the remote hosts and can determine existing vulnerabilities with a high degree of accuracy. OpenVas provides its own plugin creation language.
ACTIVE
20. OSVDB
Vulnerability database
http://www.osvdb.org
OSVDB is a compendium of vulnerabilities.
Usage within OSSIM:
- Correlation rule creation
- Vulnerability identifier cross-referencing
- Complements OpenVas scanning information
23. OSSEC
HIDS (host-level IDS)
http://www.ossec.org
OSSEC requires an agent to be installed for monitoring (except on SSH-accessible systems). OSSEC features log analysis, rootkit detection, system integrity checking and Windows registry monitoring.
ACTIVE (AGENTS)
24. OSSEC
OSSEC is based on a client -> server architecture; OSSIM collects events from the OSSEC server. OSSEC provides its own plugin system used for Windows and UNIX tool analysis.
Utility within OSSIM:
- Windows and Unix log collection
- Application log collection
- Registry, file and folder monitoring (DLP)
ACTIVE (AGENTS)
25. Kismet
Wireless network sniffer and IDS
http://www.kismetwireless.net
Kismet requires a compatible Wi-Fi NIC allowing raw monitoring and 802.11b, 802.11a, 802.11n and 802.11g sniffing.
Utility within OSSIM:
- Wi-Fi network security
- Rogue AP detection
- Compliance enforcement (PCI)
PASSIVE
26. Nmap
Port scanner
http://www.insecure.org
Nmap provides customizable options for host and network scanning (speed, range, precision…).
Utility within OSSIM:
- Asset discovery
- Open port discovery
- Service version discovery
- Operating system manufacturer and version discovery
- May determine some hardware details about the scanned host
ACTIVE
27. P0f
Operating system anomaly detection
http://lcamtuf.coredump.cx/p0f.shtml
Passive operating system detection based on traffic pattern analysis.
Utility within OSSIM:
- Operating system changes
- Inventory management
- Unauthorized network access
PASSIVE
28. Pads
Service anomaly detection
http://passive.sourceforge.net/
Passively detects running services based on traffic pattern matching.
Utility within OSSIM:
- Inventory management
- Service version changes
- Policy violations
- Inventory correlation
PASSIVE
29. Arpwatch
MAC address anomaly detection
http://ee.lbl.gov/
Based on the traffic generated by network assets, Arpwatch is able to identify the MAC addresses associated with each IP address.
Utility within OSSIM:
- Inventory management
- IP address change detection
- ARP spoofing detection
PASSIVE
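The IP-to-MAC change detection this slide describes is easier to reason about when the report types are spelled out. The following added example (not from the slides or from Arpwatch itself) keeps the MACs seen per IP and names each change with Arpwatch's documented report names (new station, changed ethernet address, flip flop, reused old ethernet address), replaying a constructed sample of ARP replies in which a gateway IP is repeatedly claimed by other MACs.

```python
# Constructed sample of ARP replies seen on a mirrored port: (time, sender IP, sender MAC).
SAMPLE_ARP = [
    (0,   "10.0.0.1", "00:11:22:33:44:01"),  # gateway seen for the first time
    (5,   "10.0.0.2", "00:11:22:33:44:02"),
    (60,  "10.0.0.1", "00:11:22:33:44:01"),  # same pairing again, nothing to report
    (90,  "10.0.0.1", "DE:AD:BE:EF:00:99"),  # gateway IP now claimed by another MAC
    (95,  "10.0.0.1", "00:11:22:33:44:01"),  # flips straight back to the previous MAC
    (100, "10.0.0.1", "00:11:22:33:44:03"),  # yet another MAC
    (110, "10.0.0.1", "de:ad:be:ef:00:99"),  # back to a MAC used earlier, not the last one
]


class ArpWatcher:
    """Keeps the MACs seen per IP and names a change the way arpwatch reports it."""

    def __init__(self):
        self.history = {}  # ip -> list of MACs, most recently seen last

    def observe(self, ip, mac):
        """Return the arpwatch-style report name for this reply, or None if unchanged."""
        mac = mac.lower()
        seen = self.history.setdefault(ip, [])
        if not seen:
            report = "new station"
        elif seen[-1] == mac:
            report = None
        elif len(seen) >= 2 and seen[-2] == mac:
            report = "flip flop"  # bounced back to the second most recent MAC
        elif mac in seen:
            report = "reused old ethernet address"  # an even older MAC
        else:
            report = "changed ethernet address"  # never seen for this IP before
        if mac in seen:
            seen.remove(mac)
        seen.append(mac)  # the current MAC becomes the most recent one
        return report


def replay(events):
    """Run a watcher over (time, ip, mac) tuples; returns the reports that would be raised."""
    watcher = ArpWatcher()
    reports = []
    for t, ip, mac in events:
        report = watcher.observe(ip, mac)
        if report:
            reports.append((t, ip, report))
    return reports


if __name__ == "__main__":
    for item in replay(SAMPLE_ARP):
        print(item)
```

Repeated flip flop reports for one IP within a short time are the pattern worth correlating in OSSIM, since a single change can also be a legitimate NIC replacement.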
30. Tcptrack
Session monitor (network)
http://www.rhythm.cx/~steve/devel/tcptrack/
Tcptrack provides information about network sessions (duration, transferred data…).
Utility within OSSIM:
- Session information used for correlation
PASSIVE
31. Nepenthes
Honeypot
http://nepenthes.mwcollect.org
Nepenthes emulates known services and vulnerabilities in order to collect information about potential attackers (attack patterns, files, …).
Utility within OSSIM:
- Detect infected systems (they'll target the honeypot)
- Rule and directive creation based on captured files/attacks
- Malware collection
PASSIVE