OSSEC
Log and event management the open source way ...
Introduction

• Me (thx 4 the nice intro, maltego me)
• Bull (not the bovine kind ...)
• Eurotrash information security podcast
• Brucon, Excaliburcon, FOSDEM, ...
Agenda
• Logging 101 (what, how, why, ...)
• OSSEC technical overview
• break
• OSSEC installation and configuration
• OSSEC rules
• OSSEC event management
Logging : what ?
• Users
• Systems
• Network
• Databases
• Applications
• .....
Logging: from ?

Firewalls,VPN, IDS/IPS, routers, switches, ...
Servers, workstations, virtualisation, UPS, ...
anti-malware, applications, databases, ...
Logging : Why ?

• System Monitoring
     (performance, management, troubleshooting, ...)


• Compliance
     (regulatory, audit, internal policy, ...)


• Incident Handling, Forensics, ...
Compliance
                         PCI DSS
6.4. Follow change control procedures for all changes to
      system components

10. Track and monitor all access to network resources and
    cardholder data.

12. Maintain a policy that addresses information security for
    all employees and contractors
The Problem

• There is NO standard !!
• There is NO guidance !!
• There is NO consistency !!
Babel be thy name
We need to agree upon...

• Format
    What does a log message look like ?


• Content
    What do we put in a log message ?


• Transport
    How do we send it ?


• Guidelines
    How do we approach logging ? (ex. NIST 800-92)
It’s time for a standard !
not Syslog

• RFC 3164 (08/2001) : BSD Syslog Protocol
• It uses UDP
• It’s a garbage bin
• it’s a non-standard standard
Syslog Hell !
• Jun 11 03:06:38 (none) login[3432] : ROOT LOGIN on `tty1`
• Jan 19 22:52:56 LT1 gdm-session-worker[1659]: pam_unix(gdm:session): session opened for user wim by (uid=0)
• Jan 4 09:38:10 LT1 su[3510]: pam_unix(su:session): session opened for user root by wim (uid=1000)
Syslog Hell !!
• <57> Jan 10 12:10:34:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:frodo] [Source: 192.168.10.254] [localport:23] at ...
• <13> Jan 18 10:15:45 2009 680 Security SYSTEM User Failure Audit ENTERPRISE ...
Can I continue ?
• Jan 19 20:12:56 LT1 mycrappyapp[3526]: I'm the awesome programmer behind this crappy app and since you asked me to log something I've chosen to use syslog to dump all this meaningless events in here so you will still have to call and pay me to get the bugs that I left in there because I was surfing the internet instead of working for you solved. Eat that! And BTW, my app crashed for no apparent reason. kthxbai !
I promise to stop

• Feb 24 15:10:24 server transact[5402]: user geoff transferred 500 dollars using credit card # XXX
• Apr 1 10:14:28 server MEDIC[6420]: user kathy logged in to module patient using password selma1970
Then what ?
• IDMEF (by IETF)
 • XML based
 • Complex
 • Not widely adopted
 • Academic
• WELF (by Webtrends)
 • Proprietary
 • didn’t scale
NEXT !

• CBE (by IBM)
 • also XML based
 • IBM didn’t even use it !
Event Taxonomy
  Standard terminology
Log Syntax
  Consistent data elements and format
Log Transport
  Standard communications mechanisms
Log Recommendations
  Suggested events to log
The future ?
OSSEC
Definition

OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
SIEM (commercial)
Key Facts

• 2005
• Daniel Cid
• Third Brigade
• TrendMicro
Install Modes
• Local
  • Single client
  • Windows, AIX, Solaris, HP-UX, Linux
• Server
  • Central logging point (250 clients/server)
  • AIX, Solaris, HP-UX, Linux
• Client
  • Reports to server
  • Windows, AIX, Solaris, HP-UX, Linux
Architecture
(diagram)
Architecture
(diagram; labels: syslog, syslog, virtualisation)
Architecture
(diagram; labels: SIEM, virtualisation, virtualisation)
OSSEC Components
Agent
  logcollector
Agent -> Server transport
  zlib compressed
  blowfish encrypted
  UDP 1514
Server
  ossec-analysisd
  ossec-maild
  ossec-execd
Time for a break
ossec-analysisd
  Predecoding
  Decoding
  Analysis
Predecoding

• Feb 24 10:12:23 beijing appdaemon:stopped

  time/date    : Feb 24 10:12:23
  Hostname     : beijing
  Program_name : appdaemon
  Log          : stopped
Predecoding

• Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10

  time/date    : Feb 25 12:00:47
  Hostname     : beijing
  Program_name : appdaemon
  Log          : user john logged on from 10.10.10.10
Decoding

• Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10

  time/date    : Feb 25 12:00:47
  Hostname     : beijing
  Program_name : appdaemon
  Log          : user john logged on from 10.10.10.10
  srcip        : 10.10.10.10
  user         : john
Analysis
<rule id="666" level="0">
  <decoded_as>appdaemon</decoded_as>
  <description>appdaemon rule</description>
</rule>
<rule id="766" level="5">
  <if_sid>666</if_sid>
  <!-- no leading ^ : OSSEC anchors ^ to the start of the log field,
       and the decoded log begins with "user john ..." -->
  <match>logged on</match>
  <description>successful logon</description>
</rule>
Analysis
<rule id="866" level="7">
  <if_sid>766</if_sid>
  <hostname>^beijing</hostname>
  <srcip>!192.168.10.0/24</srcip>
  <description>unauthorized logon!</description>
</rule>
<rule id="966" level="13">
  <if_sid>766</if_sid>
  <hostname>^shanghai</hostname>
  <user>!john</user>
  <description>unauthorized logon!</description>
</rule>
Analysis
666
└── 766
    ├── 866
    └── 966
Analysis
<rule id="1066" level="7">
  <if_sid>666</if_sid>
  <match>^login failed</match>
  <description>failed login !</description>
</rule>
<rule id="1166" level="9" frequency="10" timeframe="100">
  <if_matched_sid>1066</if_matched_sid>
  <same_source_ip />
  <description>Probable Brute Force !</description>
</rule>
Analysis
666
├── 766
│   ├── 866
│   └── 966
└── 1066
    └── 1166
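The predecoding, decoding and rule-tree analysis shown on the slides above, as an added Python example that is not OSSEC's own code: it predecodes the slides' syslog lines, extracts user and srcip with a hypothetical appdaemon decoder, walks rules 666 to 1166 (first match wins at each level) and counts matches per source IP for the composite brute-force rule. Sample lines beyond the slides' two are constructed, and rule 766 uses "logged on" without the caret because OSSEC anchors `^` to the start of the log field.

```python
# Added example, not OSSEC's own code: a model of the slides' predecoding ->
# decoding -> rule-tree analysis, using the slides' rules 666 to 1166.
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_ALERT_LEVEL = 1  # "varia" slide: alerts below this level are not logged
# Predecoding: BSD syslog line -> time/date, hostname, program_name, log.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[]+?)(?:\[\d+\])?:\s*(?P<log>.*)$")
# Decoding: hypothetical appdaemon decoder (OSSEC would define it in decoder.xml).
APPDAEMON_RE = re.compile(r"user (?P<user>\S+) .*?from (?P<srcip>[\d.]+)")

def predecode(line):
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    return {"time/date": m["ts"], "hostname": m["host"],
            "program_name": m["prog"], "log": m["log"]}

def decode(ev):
    if ev["program_name"] == "appdaemon":
        ev["decoded_as"] = "appdaemon"
        m = APPDAEMON_RE.search(ev["log"])
        if m:
            ev.update(m.groupdict())
    return ev

# The slides' rules as dicts mirroring the XML. OSSEC anchors '^' to the start
# of the log field, so "^logged on" would never match "user john logged on ...";
# rule 766 therefore uses a plain "logged on" here.
RULES = {
    666: {"level": 0, "decoded_as": "appdaemon"},
    766: {"level": 5, "if_sid": 666, "match": "logged on"},
    866: {"level": 7, "if_sid": 766, "hostname": "^beijing", "srcip": "!192.168.10.0/24"},
    966: {"level": 13, "if_sid": 766, "hostname": "^shanghai", "user": "!john"},
    1066: {"level": 7, "if_sid": 666, "match": "^login failed"},
    1166: {"level": 9, "if_matched_sid": 1066, "frequency": 10, "timeframe": 100,
           "same_source_ip": True},
}

def field_ok(pattern, value):  # OSSEC-style: a leading '!' negates, CIDR for srcip
    negate, pat = pattern.startswith("!"), pattern.lstrip("!")
    if value is None:
        return False
    if "/" in pat:
        return (ipaddress.ip_address(value) in ipaddress.ip_network(pat)) != negate
    return (re.search(pat, value) is not None) != negate

def rule_matches(rid, ev):
    r = RULES[rid]
    if "decoded_as" in r and ev.get("decoded_as") != r["decoded_as"]:
        return False
    if "match" in r and re.search(r["match"], ev["log"]) is None:
        return False
    return all(field_ok(r[f], ev.get(f)) for f in ("hostname", "srcip", "user") if f in r)

def analyze(line, history):  # alert dict for one line, or None below LOG_ALERT_LEVEL
    ev = predecode(line)
    if ev is None:
        return None
    ev = decode(ev)
    matched, frontier = None, [r for r in RULES if not {"if_sid", "if_matched_sid"} & set(RULES[r])]
    while frontier:  # first matching rule at each level wins, then descend
        hit = next((r for r in frontier if rule_matches(r, ev)), None)
        if hit is None:
            break
        matched, frontier = hit, [c for c in RULES if RULES[c].get("if_sid") == hit]
    if matched is None:
        return None
    # Composite rules: `frequency` hits within `timeframe` seconds from the same
    # source IP escalate to the composite rule (simplified vs. OSSEC's own counter).
    ts = datetime.strptime(ev["time/date"], "%b %d %H:%M:%S")
    for rid, r in RULES.items():
        if r.get("if_matched_sid") != matched:
            continue
        q = history[(rid, ev.get("srcip") if r.get("same_source_ip") else None)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > r["timeframe"]:
            q.popleft()
        if len(q) >= r["frequency"]:
            q.clear()
            matched = rid
    if RULES[matched]["level"] < LOG_ALERT_LEVEL:
        return None
    return {"rule": matched, "level": RULES[matched]["level"], **ev}

# Constructed sample log; only the first two lines are taken from the slides.
SAMPLE = [
    "Feb 24 10:12:23 beijing appdaemon:stopped",
    "Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10",
    "Feb 25 12:01:02 beijing appdaemon:user john logged on from 192.168.10.7",
    "Feb 25 12:01:30 shanghai appdaemon:user mallory logged on from 192.168.10.7",
] + [f"Feb 25 12:02:{i:02d} beijing appdaemon:login failed for user bob from 203.0.113.9"
     for i in range(10)]

def run(lines):  # alerting rule id per line (None when nothing is alerted)
    history = defaultdict(deque)  # (composite rule id, srcip) -> timestamps
    return [(alert or {}).get("rule") for alert in (analyze(l, history) for l in lines)]
```

`run(SAMPLE)` shows the level-0 "stopped" event suppressed by log_alert_level, the unauthorized logons caught by 866 and 966, and the tenth failed login from one source escalating from 1066 to 1166.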
ossec.conf
<command>
  <name>host-deny</name>
  <executable>host-deny.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <!-- must reference the <name> of a <command> block -->
  <command>host-deny</command>
  <location>local</location>
  <rules_id>1166</rules_id>
  <timeout>600</timeout>
</active-response>
ossec.conf: syscheck
<syscheck>
  <!-- Frequency that syscheck is executed - default to every 22 hours -->
  <frequency>79200</frequency>

  <!-- Directories to check (perform all possible verifications) -->
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>

  <!-- Files/directories to ignore -->
  <ignore>/etc/mtab</ignore>
  <ignore>/etc/mnttab</ignore>
  <ignore>/etc/hosts.deny</ignore>
...
</syscheck>
ossec.conf: rootcheck

<rootcheck>
   <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
   <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
   <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
   <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
   <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
   <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
</rootcheck>
ossec.conf: varia
<ossec_config>
  <alerts>
    <log_alert_level>1</log_alert_level>
  </alerts>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure.log</location>
  </localfile>
</ossec_config>
<ossec_config> <!-- rules global entry -->
  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    ...
  </rules>
</ossec_config>
Management
/var/ossec/bin/
  ossec-control stop|start|restart
  manage_agents
    (server) manage agent keys
    (client) import key
Management
  agent_control -lc          list connected agents
  agent_control -i [id]      show information on one agent
  agent_control -R [id]      restart an agent
  agent_control -r -a        run syscheck/rootcheck now on all agents
  agent_control -r -i [id]   run syscheck/rootcheck now on one agent
Management
  syscheck_control -lc                 list connected agents
  syscheck_control -i [id]             list modified files on an agent
  syscheck_control -i [id] -f [file]   show details for one modified file
Centralized Management
/var/ossec/etc/shared/agent.conf
  distributed to all agents
  specify config per client id
  specify config per OS
  pushed by server
  same syntax as ossec.conf
Rolling out
(cycle diagram: Deploy, Customize, Monitor, Analyze)
Thank you !
wim.remes@bull.be
+32 495 58 59 12

http://www.twitter.com/wimremes
wim@eurotrashsecurity.eu
www.eurotrashsecurity.eu
(itunes)

http://www.ossec.net
http://www.slideshare.net/anton_chuvakin

 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

OSSEC @ ISSA Jan 21st 2010

1. OSSEC
Log and event management the open source way ...

2. Introduction
• Me (thx 4 the nice intro, maltego me)
• Bull (not the bovine kind ...)
• Eurotrash information security podcast
• Brucon, Excaliburcon, FOSDEM, ...

3. Agenda
• Logging 101 (what, how, why, ...)
• OSSEC technical overview
• break
• OSSEC installation and configuration
• OSSEC rules
• OSSEC event management

4. Logging : what ?
• Users
• Systems
• Network
• Databases
• Applications
• .....

5. Logging: from ?
Firewalls, VPN, IDS/IPS, routers, switches, ...
Servers, workstations, virtualisation, UPS, ...
anti-malware, applications, databases, ...

6. Logging : Why ?
• System Monitoring (performance, management, troubleshooting, ...)
• Compliance (regulatory, audit, internal policy, ...)
• Incident Handling, Forensics, ...

7. Compliance
PCI DSS
6.4. Follow change control procedures for all changes to system components
10. Track and monitor all access to network resources and cardholder data.
12. Maintain a policy that addresses information security for all employees and contractors

8. The Problem
• There is NO standard !!
• There is NO guidance !!
• There is NO Consistency !!

10. We need to agree upon...
• Format: What does a log message look like ?
• Content: What do we put in a log message ?
• Transport: How do we send it ?
• Guidelines: How do we approach logging ? (ex. NIST 800-92)

11. It’s time for a standard !

12. not Syslog
• RFC 3164 (08/2001) : BSD Syslog Protocol
• It uses UDP
• It’s a garbage bin
• it’s a non-standard standard

13. Syslog Hell !
• Jun 11 03:06:38 (none) login[3432] : ROOT LOGIN on `tty1`
• Jan 19 22:52:56 LT1 gdm-session-worker[1659]: pam_unix(gdm:session): session opened for user wim by (uid=0)
• Jan 4 09:38:10 LT1 su[3510]: pam_unix(su:session): session opened for user root by wim (uid=1000)

14. Syslog Hell !!
• <57> Jan 10 12:10:34:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:frodo] [Source: 192.168.10.254] [localport:23] at ...
• <13> Jan 18 10:15:45 2009 680 Security SYSTEM User Failure Audit ENTERPRISE ...

15. Can I continue ?
• Jan 19 20:12:56 LT1 mycrappyapp[3526]: I’m the awesome programmer behind this crappy app and since you asked me to log something I’ve chosen to use syslog to dump all these meaningless events in here so you will still have to call and pay me to get the bugs that I left in there because I was surfing the internet instead of working for you solved. Eat that! And BTW, my app crashed for no apparent reason. kthxbai !

16. I promise to stop
• Feb 24 15:10:24 server transact[5402]: user geoff transferred 500 dollars using credit card # XXX
• Apr 1 10:14:28 server MEDIC[6420]: user kathy logged in to module patient using password selma1970

17. Then what ?
• IDMEF (by IETF)
  • XML based
  • Complex
  • Not widely adopted
  • Academic
• WELF (by Webtrends)
  • Proprietary
  • didn’t scale

18. NEXT !
• CBE (by IBM)
  • also XML based
  • IBM didn’t even use it !

19. Event Taxonomy: Standard terminology
Log Syntax: Consistent data elements and format
Log Transport: Standard communications mechanisms
Log Recommendations: Suggested events to log
The future ?

20. OSSEC

21. Definition
OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
23. Key Facts
• 2005
• Daniel Cid
• Third Brigade
• TrendMicro

24. Install Modes
• Local
  • Single Client
  • Windows, AIX, Solaris, HP-UX, Linux
• Server
  • Central Logging Point (250 clients/server)
  • AIX, Solaris, HP-UX, Linux
• Client
  • Reports to server
  • Windows, AIX, Solaris, HP-UX, Linux

26. Architecture (diagram: syslog, syslog, virtualisation)

27. Architecture (diagram: SIEM, virtualisation, virtualisation)

28. OSSEC Components (diagram)
Agent: logcollector
Agent to server transport: zlib compressed, blowfish encrypted, UDP 1514
Server: ossec-analysisd, ossec-maild, ossec-execd

30. ossec-analysisd
Predecoding, Decoding, Analysis

31. Predecoding
• Feb 24 10:12:23 beijing appdaemon:stopped
    time/date : Feb 24 10:12:23
    Hostname : beijing
    Program_name : appdaemon
    Log : stopped

32. Predecoding
• Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10
    time/date : Feb 25 12:00:47
    Hostname : beijing
    Program_name : appdaemon
    Log : user john logged on from 10.10.10.10

33. Decoding
• Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10
    time/date : Feb 25 12:00:47
    Hostname : beijing
    Program_name : appdaemon
    Log : user john logged on from 10.10.10.10
    srcip : 10.10.10.10
    user : john
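The predecoding and decoding steps of slides 31-33, as an added Python example (not OSSEC's own code, which is C): the syslog regex and the "appdaemon" decoder are assumptions built from the sample lines on those slides.

```python
import re
from typing import Optional

# Added example, not OSSEC's own code: imitates the predecoding and decoding steps
# on slides 31-33. The syslog shape and the "appdaemon" decoder are assumptions
# derived from the sample lines on those slides.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "  # Feb 25 12:00:47
    r"(?P<hostname>\S+) "                                           # beijing
    r"(?P<program_name>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:\s*"          # appdaemon[123]:
    r"(?P<log>.*)$"                                                 # remainder
)
# Hypothetical decoder for appdaemon: pulls user and srcip out of a logon message.
APPDAEMON_LOGON_RE = re.compile(
    r"^user (?P<user>\S+) logged on from (?P<srcip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def predecode(line: str) -> Optional[dict]:
    """Predecoding: split a syslog line into time/date, hostname, program_name, log."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None  # not syslog-shaped; OSSEC would keep the whole line as 'log'
    return {k: v for k, v in m.groupdict().items() if v is not None}


def decode(event: dict) -> dict:
    """Decoding: the decoder chosen by program_name adds srcip/user when it can."""
    if event.get("program_name") == "appdaemon":
        event["decoded_as"] = "appdaemon"        # decoder selected by program name
        m = APPDAEMON_LOGON_RE.match(event["log"])
        if m:                                    # optional regex yields extra fields
            event.update(m.groupdict())
    return event


def process(line: str) -> Optional[dict]:
    """Predecode then decode one raw line, as ossec-analysisd does per event."""
    event = predecode(line)
    return decode(event) if event else None


if __name__ == "__main__":
    # Constructed input: the two sample lines from slides 31 and 33.
    for raw in ("Feb 24 10:12:23 beijing appdaemon:stopped",
                "Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10"):
        print(process(raw))
```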
34. Analysis
<rule id="666" level="0">
  <decoded_as>appdaemon</decoded_as>
  <description>appdaemon rule</description>
</rule>
<rule id="766" level="5">
  <if_sid>666</if_sid>
  <match>^logged on</match>
  <description>successful logon</description>
</rule>

35. Analysis
<rule id="866" level="7">
  <if_sid>766</if_sid>
  <hostname>^beijing</hostname>
  <srcip>!192.168.10.0/24</srcip>
  <description>unauthorized logon!</description>
</rule>
<rule id="966" level="13">
  <if_sid>766</if_sid>
  <hostname>^shanghai</hostname>
  <user>!john</user>
  <description>unauthorised logon !</description>
</rule>

36. Analysis (rule tree diagram): 666 766 866 966

37. Analysis
<rule id="1066" level="7">
  <if_sid>666</if_sid>
  <match>^login failed</match>
  <description>failed login !</description>
</rule>
<rule id="1166" level="9" frequency="10" timeframe="100">
  <if_matched_sid>1066</if_matched_sid>
  <same_source_ip />
  <description>Probable Brute Force !</description>
</rule>

38. Analysis (rule tree diagram): 666 766 866 966 1066 1166
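The rule chain of slides 34-38 evaluated by a small added Python model (not OSSEC's own code): it walks if_sid parents before children, applies the '^' anchor, '!' negation and CIDR srcip tests, and implements the frequency/timeframe/same_source_ip correlation of rule 1166, returning the deepest rule that fired. Assumptions: events are decoded dicts shaped like slide 33 plus an integer 'ts' (epoch seconds), and <match> is treated as an unanchored substring test, because the decoded log on slide 33 starts with "user" and the anchored "^logged on" of slide 34 would never hit it.

```python
import ipaddress
from collections import defaultdict

# Added example, not OSSEC code: evaluator for the rule chain on slides 34-38. Events
# are decoded dicts like slide 33 plus 'ts' (epoch seconds, assumed); <match> is unanchored.
RULES = [  # parents precede children, as they must in an OSSEC rules file
    dict(id=666, level=0, decoded_as="appdaemon"),
    dict(id=766, level=5, if_sid=666, match="logged on"),
    dict(id=866, level=7, if_sid=766, hostname="^beijing", srcip="!192.168.10.0/24"),
    dict(id=966, level=13, if_sid=766, hostname="^shanghai", user="!john"),
    dict(id=1066, level=7, if_sid=666, match="login failed"),
    dict(id=1166, level=9, if_matched_sid=1066, frequency=10, timeframe=100, same_source_ip=True),
]
FIELDS = {"match": "log", "hostname": "hostname", "srcip": "srcip", "user": "user"}
HISTORY = defaultdict(list)  # sid -> [(ts, srcip)] of earlier matches, for frequency rules


def field_ok(pattern, value):
    """OSSEC-style field test: leading '!' negates, '^' anchors, CIDR for srcip."""
    if value is None:
        return False  # a rule naming a field never matches an event lacking it
    negate, pat = pattern.startswith("!"), pattern.lstrip("!")
    if "/" in pat:
        hit = ipaddress.ip_address(value) in ipaddress.ip_network(pat)
    else:
        hit = value.startswith(pat[1:]) if pat.startswith("^") else pat in value
    return hit != negate


def static_ok(r, ev):  # <decoded_as>, <match>, <hostname>, <srcip>, <user> conditions
    return (ev.get("decoded_as") == r.get("decoded_as", ev.get("decoded_as"))
            and all(field_ok(r[k], ev.get(v)) for k, v in FIELDS.items() if k in r))


def frequency_ok(r, ev):  # <frequency>/<timeframe> with <same_source_ip/>
    hits = [t for t, ip in HISTORY[r["if_matched_sid"]]
            if ev["ts"] - t <= r["timeframe"]
            and (not r.get("same_source_ip") or ip == ev.get("srcip"))]
    return len(hits) >= r["frequency"]  # the current event is already counted


def evaluate(ev, rules=RULES):
    """Return (id, level) of the deepest rule that matched this event, or None."""
    matched, best = set(), None
    for r in rules:
        parent = r.get("if_sid", r.get("if_matched_sid"))
        if parent is not None and parent not in matched:
            continue
        if not (frequency_ok(r, ev) if "if_matched_sid" in r else static_ok(r, ev)):
            continue
        matched.add(r["id"])
        HISTORY[r["id"]].append((ev["ts"], ev.get("srcip")))
        best = r
    return (best["id"], best["level"]) if best else None
```

Ten "login failed" events from one source inside 100 seconds make evaluate() return rule 1166 on the tenth, while a logon from outside 192.168.10.0/24 on beijing resolves to rule 866 rather than its parent 766.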
39. ossec.conf
<command>
  <name>host-deny</name>
  <executable>host-deny.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
  <command>host-deny</command>
  <location>local</location>
  <rules_id>1166</rules_id>
  <timeout>600</timeout>
</active-response>

40. ossec.conf syscheck
<syscheck>
  <!-- Frequency that syscheck is executed - default to every 22 hours -->
  <frequency>79200</frequency>
  <!-- Directories to check (perform all possible verifications) -->
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>
  <!-- Files/directories to ignore -->
  <ignore>/etc/mtab</ignore>
  <ignore>/etc/mnttab</ignore>
  <ignore>/etc/hosts.deny</ignore>
  ...
</syscheck>

41. ossec.conf rootcheck
<rootcheck>
  <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
  <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
  <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
  <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
  <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
</rootcheck>

42. ossec.conf varia
<alerts>
  <log_alert_level>1</log_alert_level>
</alerts>
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/secure.log</location>
</localfile>
<ossec_config>
  <!-- rules global entry -->
  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    ...
  </rules>
</ossec_config>
43. Management
/var/ossec/bin/
  ossec-control stop|start|restart
  manage_agents
    (server) manage agent keys
    (client) import key

44. Management
agent_control -lc
agent_control -i [id]
agent_control -R [id]
agent_control -r -a
agent_control -r -i [id]

45. Management
syscheck_control -lc
syscheck_control -i [id]
syscheck_control -i [id] -f [file]

46. Centralized Management
/var/ossec/etc/shared/agent.conf
• distributed to all agents
• specify config per client id
• specify config per OS
• pushed by server
• same syntax as ossec.conf

47. rolling out
Deploy, Customize, Monitor, Analyze

48. Thank you !
wim.remes@bull.be
+32 495 58 59 12
http://www.twitter.com/wimremes
wim@eurotrashsecurity.eu
www.eurotrashsecurity.eu (itunes)
http://www.ossec.net
http://www.slideshare.net/anton_chuvakin