OSSEC & OSSIM Unified Open Source Security. san8ago@alienvault.com

Size: px

Start display at page:

Download "OSSEC & OSSIM Unified Open Source Security. san8ago@alienvault.com"

Elfreda Rich
8 years ago
Views:

1 OSSEC & OSSIM Unified Open Source Security

2 Why OSSIM Open Source SIEM GNU GPL 3.0 Provides threat detec)on capabili8es Monitors network assets Centralizes Informa)on and Management Assesses threats reliability and risk Collabora8vely learns about APT hlp://communi8es.alienvault.com/

assets Centralizes Informa)on and Management Assesses

3 OSSIM Architecture Normalized Events Configura8on & Management

4 OSSIM Embedded Tools Assets nmap prads Behavioral monitoring fprobe nfdump ntop tcpdump nagios Threat detec)on ossec snort suricata Vulnerability assessment osvdb openvas

5 OSSIM Collectors

6 OSSIM Collector Anatomy [apache log] [15/Jun/2013:10:14: ] "GET /ossim/session/login.php HTTP/1.1" "- " "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/ (KHTML, like Gecko) Chrome/ Safari/537.36" [apache.cfg] event_type=event regexp= ((?P<dst>\S+)(:(?P<port>\d{1,5}))? )?(?P<src>\S+) (?P<id>\S+) (?P<user>\S+) \[(?P<date> \d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2})\s+[+- ]\d{4}\] \"(?P<request>.*)\ (?P<code>\d{3}) ((?P<size> \d+) - )( \"(?P<referer_uri>.*)\" \ (?P<useragent>.*)\")?$ src_ip={resolv($src)} dst_ip={resolv($dst)} dst_port={$port} date={normalize_date($date)} plugin_sid={$code} username={$user} userdata1={$request} userdata2={$size} userdata3={$referer_uri} userdata4={$useragent} filename={$id}

$P<id>\S+) (?P<user>\S+) \[(?P<date> \d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2})\s+[+- ]\d{4}\] \"(?P<request>.*)\ (?P<code>\d{3}) ((?P<size> \d+) - )( \"(?P<referer_uri>.*)\" \ (?P<useragent>.*)\")?$

7 OSSIM Threat assessment SSH Failed authen8ca8on event SSH successful authen8ca8on event 10 SSH Failed authen8ca8on events Reliability 100 SSH Failed authen8ca8on events SSH successful authen8ca8on event Persistent connec8ons SSH successful authen8ca8on event 1000 SSH Failed authen8ca8on events

Failed authen8ca8on events SSH successful authen8ca8on event Persistent

8 OSSIM Risk assessment Source Asset Value = 2 Event Priority = 2 Event Reliability = 10 Des8na8on Asset Value = 5 RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY)/25

9 OSSIM ALack analysis OTX Alert: Low reputation IP Vulnerability: IIS Remote Command Execution Attacker X.X.X.X Attack Target Y.Y.Y.Y Alert: IIS attack detected Accepted HTTP packet from X.X.X.X to Y.Y.Y.Y Attack: WEB-IIS multiple decode attempt

10 Why OSSEC Open Source Host- based IDS (HIDS) Log analysis based intrusion detec8on File integrity checking Registry keys integrity checking (Windows only) Signature based malware/rootkits detec)on Real 8me aler)ng and ac8ve response Feeds SIEMs (OSSIM)

integrity checking (Windows only) Signature based

11 OSSEC Architecture OSSEC Agent Logcollectord: Read logs (syslog, wmi, flat files) Syscheckd: File integrity checking Rootcheckd: Malware and rootkits detec8on Agentd: Forwards data to the server OSSEC Server Remoted: Receives data from agents Analysisd: Processes data (main process) Monitord: Monitor agents

detec8on Agentd: Forwards data to the server OSSEC Server Remoted: Receives

12 OSSEC Integra8on Monitored Host OSSIM Sensor OSSIM Server Logcollector Remoted Analysisd Alerts.log Alarm Syscheckd Rootcheckd Agentd Decode Analyze Monitord Ossec collector Ossim- agent Ossim- server Correla8on Risk assessment Logger OSSEC Agent OSSEC Server OSSIM Agent OSSIM Server

log Alarm Syscheckd Rootcheckd Agentd Decode Analyze Monitord Ossec

13 OSSEC Collector Anatomy [ossec.conf] <custom_alert_output>av - Alert - "$TIMESTAMP" - - > RID: "$RULEID"; RL: "$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER"; SRCIP: "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT: "[INIT]$FULLLOG[END]"; </custom_alert_output> [alerts.log] AV - Alert - " " - - > RID: "3333"; RL: "7"; RG: "syslog,poscix,service_availability,"; RC: "Poscix stopped."; USER: "None"; SRCIP: "None"; HOSTNAME: " "; LOCATION: "/var/log/syslog"; EVENT: "[INIT]May 16 14:47: pos{ix/master[2925]: termina8ng on signal 15[END]"; [ossec- single- line.cfg] event_type=event regexp= ^AV\s- \salert\s- \s\"(?p<date>\d+)\"\s- - >\srid:\s\"(?p<rule_id>\d+)\";\srl:\s\"(?p<rule_level> \d+)\";\srg:\s\"(?p<rule_group>\s+)\";\src:\s\"(?p<rule_comment>.*?)\";\suser:\s\"(?p<username>\s +)\";\ssrcip:\s\"(?p<srcip>.*?)\";\shostname:\s\"$?(?p<hostname>[a- Za- z0-9_\.]+)$?[^"]*"; date={normalize_date($date)} plugin_id={translate($rule_id)} plugin_sid={$rule_id} src_ip={resolv($srcip)} dst_ip={resolv($hostname)} username={$username} userdata1={$rule_level} userdata2={$rule_group} userdata3={$rule_comment}

"$LOCATION"; EVENT: "[INIT]$FULLLOG[END]"; </custom_alert_output> [alerts.log] AV - Alert - "1374721595" - - > RID: "3333"; RL: "7"; RG: "syslog,poscix,service_availability,"; RC: "Poscix stopped.

14 OSSIM Correla8on Rules [AV Bruteforce agack, SSH authen)ca)on agack] Correla8on Engine Alert OSSEC Rule ID Alert Reliability OSSEC Event Type

15 OSSIM Alarm [AV Bruteforce agack, Windows authen)ca)on agack] Risk Value Correla8on Engine Alerts OSSEC Event

16 OSSEC Embedded GUI Status monitor Events viewer Agents control manager Configura8on manager Rules viewer/editor Logs viewer Server control manager Deployment manager Rules viewer/editor PDF/HTML Reports

viewer/editor Logs viewer Server control manager

17 Ques8ons / Demo 8me

Log Analysis using OSSEC

Log Analysis using OSSEC Daniel B. Cid dcid@ossec.net Agenda OSSEC Overview Installation demo Log decoding and analysis with OSSEC Writing decoders Writing rules Examples of rules and alerts in the real