Security Information Management



Similar documents
Intrusion Detection Systems Correlation: a Weapon of Mass Investigation

An Open Source IPS. IIT Network Security Project Project Team: Mike Smith, Sean Durkin, Kaebin Tan

Audit and IDS Steve Grubb, Red Hat

The Prelude security information management system receives both hostand network-based IDS messages and displays them in an easy web

2B0-023 ES Advanced Dragon IDS

By Jascha Wanger

NETWORK SECURITY HACKS *

Tk20 Network Infrastructure

DJRA1.6 FINAL RELEASE OF NEW GRID MIDDLEWARE SERVICES

Next Level. Elevated to the. 22 nd Chaos Communication Congress. Alien8 - Matthias Petermann

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

ArcSight Supports a Wide Range of Security Relevant Products

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

System Specification. Author: CMU Team

Blended Security Assessments

Course Title: Penetration Testing: Security Analysis

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Intrusion Detection Systems

OWASP Logging Project - Roadmap

GL550 - Enterprise Linux Security Administration

ENTERPRISE LINUX SECURITY ADMINISTRATION

SecurityCenter 4.4 Architecture

NETWORK SECURITY HACKS

Chapter 4: Security of the architecture, and lower layer security (network security) 1

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

COURCE TITLE DURATION LPI-202 Advanced Linux Professional Institute 40 H.

To read more Linux Journal or start your subscription, please visit

Linux Network Security

Open Source Security: Opportunity or Oxymoron?

Security Event Management. February 7, 2007 (Revision 5)

Architecture Overview

CiscoWorks SIMS(Netforensics)

Cesario Di Sarno. Security Information and Event Management in Critical Infrastructures

NETWORK SECURITY (W/LAB) Course Syllabus

Advanced Linux System Administration Knowledge GNU/LINUX Requirements

Intrusion Detection and Intrusion Prevention. Ed Sale VP of Security Pivot Group, LLC

Information Security Measures and Monitoring System at BARC. - R.S.Mundada Computer Division B.A.R.C., Mumbai-85

IDS / IPS. James E. Thiel S.W.A.T.

COORDINATED THREAT CONTROL

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

Network Security Management

Intrusion Detection Systems (IDS)

Some Tools for Computer Security Incident Response Team (CSIRT)

1 Predictive Intruder monitoring and prevention

India. 2014, IJARCSSE All Rights Reserved Page 462

disect Systems Logging Snort alerts to Syslog and Splunk PRAVEEN DARSHANAM

Host Level IDS CSC 790 WAKE FOREST. U N I V E R S I T Y Department of Computer Science. Fall 2015

Security Event Monitoring (SEM) Working Group

VoIP Fraud and Misuse

Log Management with Open-Source Tools. Risto Vaarandi rvaarandi 4T Y4H00 D0T C0M

A Universal Logging System for LHCb Online

ACE Management Server Deployment Guide VMware ACE 2.0

GL-550: Red Hat Linux Security Administration. Course Outline. Course Length: 5 days

Introduction of Intrusion Detection Systems

Intrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12

Features. The Samhain HIDS. Overview of available features. Rainer Wichmann

CIT 380: Securing Computer Systems

Intrusion Detection Systems with Correlation Capabilities

Network Defense Tools

AlienVault Unified Security Management (USM) 4.x-5.x. Deployment Planning Guide

Using Entrust certificates with VPN

Snort Installation - Ubuntu FEUP. SSI - ProDEI Paulo Neto and Rui Chilro. December 7, 2010

Intrusion Detection Systems

Network monitoring systems & tools

Good evening. This presentation is based on my GIAC GSNA Gold technical paper entitled Auditing Mac OS X Compliance with the Center for Internet

CS2107 Introduction to Information and System Security (Slid. (Slide set 8)

TABLE OF CONTENTS NETWORK SECURITY 2...1

Intrusion Detection Systems

Hosts HARDENING WINDOWS NETWORKS TRAINING

Name. Description. Rationale

Realization of Security Events Management System via OPENSTF

Web Intrusion Detection with ModSecurity. Ivan Ristic

ENTERPRISE LINUX SECURITY ADMINISTRATION

Security Coordination with IF-MAP

Application Security Best Practices. Matt Tavis Principal Solutions Architect

Where can I install GFI EventsManager on my network?

Symantec Event Collectors Integration Guide for Symantec Security Information Manager 4.7

Intrusion Detection and Incident Response Breakout Session

Symantec Event Collector for Kiwi Syslog Daemon version 3.7 Quick Reference

Chapter 9 Firewalls and Intrusion Prevention Systems

Open Source Security Tools

Utility Modernization Cyber Security City of Glendale, California

Federated Network Security Administration Framework

GL254 - RED HAT ENTERPRISE LINUX SYSTEMS ADMINISTRATION III

Integration Misuse and Anomaly Detection Techniques on Distributed Sensors

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP

Computer Security DD2395

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

INTRUSION DETECTION SYSTEMS and Network Security

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks

Building a Security Operations Center. Randy Marchany VA Tech IT Security Office and Lab marchany@vt.edu


Security Power Tools

Log Management with Open-Source Tools. Risto Vaarandi SEB Estonia

EventSentry Overview. Part I About This Guide 1. Part II Overview 2. Part III Installation & Deployment 4. Part IV Monitoring Architecture 13

Vulnerability Assessment Using Nessus

Distributed Intrusion Detection Systems MetalDS case study

Who am I? BlackHat RSA

Transcription:

Security Information Management b-i branding. technology. integration. www.b-i.com

Acronyms Main acronyms used in this talk : - IDS : Intrusion Detection System, commonly divided in > NIDS : Network Intrusion Detection System works at network level. > HIDS : Host-based Intrusion Detection System works at machine level by checking FS Integrity or monitoring logs - IDMEF : Intrusion Detection Message Exchange Format, XML based format used by sensors to exchange data with the SIM (RFC 4765) - SIM : Security Information Management, a software collecting events from security sensors to help users make sense of them.

Prelude SIM - Open Source Project - Can interoperate with NIDS and HDIS using IDMEF - Real-time correlation & visualization of security events and attacks scenarii in a centralized console - Secured Architecture : Redondancy, encrypted communications with sensors, works with networks restricted policy (DMZ..)

Prelude Components - Prelude Manager : high availability server that collects events from deployed sensors - Prelude LML : collects and normalize logs - Prelude Correlator : multistream correlation engine written in python - Prewikka : web vizualization interface written in python - libprelude : provides features to inject events inside Prelude in various languages such a C++, Perl, Python, Ruby - libpreludedb : for transparent DB access.

Prelude LML (Logs Monitoring Lackey) - Prelude LML is compatible with a large numbers of log files : > System Logs > Syslog > Apache > Postfix > PAM > Cisco IPS, VPN, Routers > Sudo > Nagios > Netfilter > OpenSSH > and a lot more... - Very extensible to custom applications by writing new rulesets

Prelude LML ruleset example Identify requests that generates 404 errors in apache logs : #LOG:[Sat Apr 16 14:30:12 2005] [error] [client ::1] File does not exist: /var/www/favicon.ico regex=\[error\] \[client ([A-Fa-f\d:]+)\] ((File Premature Directory client request)[\s+\s]+): (.+); \ classification.text=web server error; \ id=4101; \ revision=1; \ analyzer(0).name=httpd; \ analyzer(0).manufacturer=www.apache.org; \ analyzer(0).class=service; \ assessment.impact.severity=low; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=apache httpd '$2' error: '$4'; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$1; \ source(0).service.iana_protocol_name=tcp; \ source(0).service.iana_protocol_number=6; \ target(0).service.iana_protocol_name=tcp; \ target(0).service.iana_protocol_number=6; \ target(0).service.name=http; \ last;

Prelude sensors Some programs have a built-in Prelude compatibility : - Snort : well-known lightweight IDS - Samhain : provides file integrity checking - Nessus : vulnerability scanner - Nepenthes : honeypot - Auditd : the Linux audit daemon - Prelude-LML : the prelude log analyzer libprelude provides an easy way to build customs sensors that can talk with an existing prelude architecture. Secured sensors registration (OTP, SSL...) with the Prelude Manager

Prelude custom sensor example #!/usr/bin/python import PreludeEasy Client = PreludeEasy.ClientEasy( My beautiful sensor") client.start() idmef = PreludeEasy.IDMEF() idmef.set( alert.classification.text, There is a problem ) idmef.set( alert.source(0).node.address(0).address, 192.168.1.65 ) idmef.set( alert.target(0).node.address(0).address, 192.168.1.1 ) client << idmef print ( idmef )

Intrusion Detection Message Exchange Format IDMEF message example <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE IDMEF-Message PUBLIC "-//IETF//DTD RFC XXXX IDMEF v1.0//en" "idmef-message.dtd"> <IDMEF-Message> <Alert> <Analyzer model="myids"/> <Target> <Node> <name>mynode</name </Node> </Target> <AdditionalData meaning="data2 type="string">value2</additionaldata> <AdditionalData meaning="data1" type="string">value1</additionaldata> </Alert> </IDMEF-Message>

Prelude Correlator - As it can be easy to fool one security system, it becomes very difficult to fool multiple systems. - Prelude will help to identify an attack by correlating all the events in real-time - Improve events presentation by reducing false-positives - Can aggregate various events into a readable sequence (multiple connections on various ports...) - Can identify unknown attacks - Plugins support to improve correlation by adding system independant rules (ie : connections hours, already identified IP by other systems...)

Correlator Plugin Example Business Hours #!/usr/bin/python import time from PreludeCorrelator.idmef import IDMEF from PreludeCorrelator.pluginmanager import Plugin # By default, alert only on saturday and sunday, and everyday from 6:00pm to 9:00am. class BusinessHourPlugin(Plugin): BUSINESSHOUR_HWORKSTART = 9 BUSINESSHOUR_HWORKEND = 17 BUSINESSHOUR_OFFDAYS = '[5,6]' def init (self,env): Plugin. init (self, env) self. hworkstart = int(self.getconfigvalue("hworkstart", self.businesshour_hworkstart)) self. hworkend = int(self.getconfigvalue("hworkend", self.businesshour_hworkend)) self. offdays = eval(self.getconfigvalue("offdays", self.businesshour_offdays)) def run(self, idmef): self. t = time.localtime(int(idmef.get("alert.create_time"))) if not (self. t.tm_wday in self. offdays or self. t.tm_hour < self. hworkstart or self. t.tm_hour > self. hworkend): return if idmef.get("alert.assessment.impact.completion")!= "succeeded": return ca = IDMEF() ca.addalertreference(idmef) ca.set("alert.classification", idmef.get("alert.classification")) ca.set("alert.correlation_alert.name", "Critical system activity on day off") ca.alert()

Prelude Manager - Collects all events in real-time from all deployed sensors using IDMEF - Support secured architectures such as DMZ, using reverse-relaying - Redondancy - Encrypted communications with sensors (SSL) - Support of various databases (MySQL, PostgreSQL)

Prewikka - Written in Python, improved UI using JQuery - Events displayed in real-time - Screen to monitor sensors status - Asynchronous DNS resolution - Advanced lists filtering

References - Prelude IDS : http://www.prelude-ids.org - Prelude Development Site : https://dev.prelude-ids.org - IDMEF Standard : http://www.rfc-editor.org/rfc/rfc4765.txt - Iptables / Netfilter : http://www.netfilter.org

Questions??

thank you alexandre.dedommelin@b-i.com t: + 41.58.307.6603 b-i branding. technology. integration. www.b-i.com

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information