OSSEC & OSSIM: Unified Open Source Security
santiago@alienvault.com
Why OSSIM
Open Source SIEM, GNU GPL 3.0
- Provides threat detection capabilities
- Monitors network assets
- Centralizes information and management
- Assesses threat reliability and risk
- Collaboratively learns about APT: http://communities.alienvault.com/
OSSIM Architecture
(diagram; labels: Normalized Events, Configuration & Management)
OSSIM Embedded Tools
- Assets: nmap, prads
- Behavioral monitoring: fprobe, nfdump, ntop, tcpdump, nagios
- Threat detection: ossec, snort, suricata
- Vulnerability assessment: osvdb, openvas
OSSIM Collectors
OSSIM Collector Anatomy

[apache log]
76.103.249.20 - - [15/Jun/2013:10:14:32 -0700] "GET /ossim/session/login.php HTTP/1.1" 200 2612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"

[apache.cfg]
event_type=event
regexp=((?P<dst>\S+)(:(?P<port>\d{1,5}))? )?(?P<src>\S+) (?P<id>\S+) (?P<user>\S+) \[(?P<date>\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2})\s+[+-]\d{4}\] \"(?P<request>.*)\" (?P<code>\d{3}) ((?P<size>\d+)|-)( \"(?P<referer_uri>.*)\" \"(?P<useragent>.*)\")?$
src_ip={resolv($src)}
dst_ip={resolv($dst)}
dst_port={$port}
date={normalize_date($date)}
plugin_sid={$code}
username={$user}
userdata1={$request}
userdata2={$size}
userdata3={$referer_uri}
userdata4={$useragent}
filename={$id}
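To show what the collector actually does with the two halves of the slide (the regexp with its named groups, and the field lines that turn those groups into a normalized event), here is an added Python example that is not part of the slides or of the OSSIM agent. It interprets the slide's apache.cfg mapping in its own {func($group)} / {$group} syntax and runs it over the slide's log line; resolv() and normalize_date() are simplified stand-ins (no DNS, so it runs offline), and the plugin_id value 1501 is an assumption since the slide does not show it.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample: the access-log line from the slide, with the single space
# that Apache writes between the time and the timezone offset.
APACHE_LINE = (
    '76.103.249.20 - - [15/Jun/2013:10:14:32 -0700] '
    '"GET /ossim/session/login.php HTTP/1.1" 200 2612 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"'
)

# The apache.cfg regexp from the slide: an optional "vhost:port " prefix,
# then the common/combined log format.
APACHE_REGEXP = re.compile(
    r'((?P<dst>\S+)(:(?P<port>\d{1,5}))? )?(?P<src>\S+) (?P<id>\S+) (?P<user>\S+) '
    r'\[(?P<date>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\s+[+-]\d{4}\] '
    r'"(?P<request>.*)" (?P<code>\d{3}) ((?P<size>\d+)|-)'
    r'( "(?P<referer_uri>.*)" "(?P<useragent>.*)")?$'
)

# The field mapping from the slide's apache.cfg, kept in its template syntax
# so the small engine below has to interpret it.
APACHE_FIELDS = {
    "src_ip": "{resolv($src)}",
    "dst_ip": "{resolv($dst)}",
    "dst_port": "{$port}",
    "date": "{normalize_date($date)}",
    "plugin_sid": "{$code}",
    "username": "{$user}",
    "userdata1": "{$request}",
    "userdata2": "{$size}",
    "userdata3": "{$referer_uri}",
    "userdata4": "{$useragent}",
    "filename": "{$id}",
}

APACHE_PLUGIN_ID = 1501  # assumed value for the apache plugin; not shown on the slide


def resolv(value):
    """Simplified resolv(): IP literals pass through, hostnames are left as-is
    (the real agent would query DNS; this keeps the example offline)."""
    if value is None:
        return None
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return value


def normalize_date(value):
    """Turn Apache's 15/Jun/2013:10:14:32 into the SIEM's YYYY-MM-DD HH:MM:SS."""
    if value is None:
        return None
    return datetime.strptime(value, "%d/%b/%Y:%H:%M:%S").strftime("%Y-%m-%d %H:%M:%S")


FUNCTIONS = {"resolv": resolv, "normalize_date": normalize_date}
FUNC_CALL = re.compile(r"^\{(\w+)\(\$(\w+)\)\}$")  # {func($group)}
PLAIN_VAR = re.compile(r"^\{\$(\w+)\}$")           # {$group}


def render(template, groups):
    """Evaluate one right-hand side of the plugin config against the regex groups."""
    m = FUNC_CALL.match(template)
    if m:
        return FUNCTIONS[m.group(1)](groups.get(m.group(2)))
    m = PLAIN_VAR.match(template)
    if m:
        return groups.get(m.group(1))
    raise ValueError(f"unsupported template: {template!r}")


def normalize(line, regexp, fields, plugin_id):
    """Collector core: match the raw line, then build the normalized event.
    Returns None when the line does not match (the agent would skip it)."""
    m = regexp.match(line)
    if m is None:
        return None
    event = {"event_type": "event", "plugin_id": plugin_id}
    for name, template in fields.items():
        event[name] = render(template, m.groupdict())
    return event


def parse_apache_sample():
    return normalize(APACHE_LINE, APACHE_REGEXP, APACHE_FIELDS, APACHE_PLUGIN_ID)


if __name__ == "__main__":
    for key, value in parse_apache_sample().items():
        print(f"{key}={value}")
```

The point to take from the output is that plugin_sid carries the HTTP status code: every status code becomes its own event type, which is what later lets a directive count 401s or 500s from one source without a second parser.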
OSSIM Threat Assessment
Correlation directive levels (reliability increases with each level):
- SSH failed authentication event
- SSH successful authentication event
- 10 SSH failed authentication events
- 100 SSH failed authentication events
- SSH successful authentication event
- Persistent connections
- SSH successful authentication event
- 1000 SSH failed authentication events
OSSIM Risk Assessment
Source Asset Value = 2
Event Priority = 2
Event Reliability = 10
Destination Asset Value = 5
RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY) / 25
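The two preceding slides (the SSH directive whose reliability climbs at 10, 100 and 1000 failed logins, and the risk formula with the source/destination asset values) fit together in one small correlator. The following Python is an added example, not OSSIM's correlation engine: the rung counts and the priority of 2 are the slides' numbers, while the reliability assigned at each rung, the reliability for a success after a burst of failures, and the documentation IP addresses are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Rungs of the SSH brute-force directive on the slide (10, 100, 1000 failed
# logins from one source) and the reliability each rung carries. The counts are
# the slide's; the reliability values are assumed for this example.
RELIABILITY_LADDER = {10: 4, 100: 7, 1000: 10}
SUCCESS_AFTER_FAILURES = 10  # a login that succeeds after a burst of failures (assumed)
DIRECTIVE_PRIORITY = 2       # the event priority used in the slide's risk example
MAX_RISK = 10


@dataclass
class Alarm:
    src_ip: str
    dst_ip: str
    reliability: int
    priority: int
    description: str


def risk(asset_value, priority, reliability):
    """The slide's formula: RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY) / 25,
    capped at 10."""
    return min(MAX_RISK, asset_value * priority * reliability / 25)


def assess(alarm, src_asset_value, dst_asset_value):
    """Risk seen from both ends, as the slide does for source (2) and destination (5)."""
    return {
        "src_risk": risk(src_asset_value, alarm.priority, alarm.reliability),
        "dst_risk": risk(dst_asset_value, alarm.priority, alarm.reliability),
    }


class SshBruteForceDirective:
    """Stateful correlator: counts failed SSH logins per (source, destination)
    and raises reliability as the count reaches each rung of the ladder."""

    def __init__(self):
        self.failed = defaultdict(int)

    def feed(self, event):
        key = (event["src_ip"], event["dst_ip"])
        outcome = event["outcome"]
        if outcome == "failed":
            self.failed[key] += 1
            reliability = RELIABILITY_LADDER.get(self.failed[key])
            if reliability is None:
                return None  # between rungs: keep counting
            return Alarm(*key, reliability, DIRECTIVE_PRIORITY,
                         f"{self.failed[key]} SSH failed authentication events")
        if outcome == "success" and self.failed[key] >= min(RELIABILITY_LADDER):
            count = self.failed.pop(key)  # directive completed: reset its state
            return Alarm(*key, SUCCESS_AFTER_FAILURES, DIRECTIVE_PRIORITY,
                         f"SSH successful authentication after {count} failures")
        return None


def simulate(failed_logins=150, then_success=True):
    """Replay a constructed burst of auth events and collect the alarms raised."""
    directive = SshBruteForceDirective()
    src, dst = "203.0.113.7", "192.0.2.10"  # constructed documentation addresses
    events = [{"src_ip": src, "dst_ip": dst, "outcome": "failed"}] * failed_logins
    if then_success:
        events.append({"src_ip": src, "dst_ip": dst, "outcome": "success"})
    alarms = []
    for event in events:
        alarm = directive.feed(event)
        if alarm is not None:
            alarms.append(alarm)
    return alarms


if __name__ == "__main__":
    for alarm in simulate():
        print(alarm.description, "reliability:", alarm.reliability, assess(alarm, 2, 5))
```

With the slide's asset values the same alarm scores 1.6 against the source and 4.0 against the destination at reliability 10, which is why a SIEM keeps both numbers: the destination value is what an operator tunes when a host is more important than its neighbours.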
OSSIM Attack Analysis
- OTX alert: low reputation IP
- Vulnerability: IIS Remote Command Execution
- Attacker X.X.X.X -> attack -> target Y.Y.Y.Y
- Alert: IIS attack detected
- Accepted HTTP packet from X.X.X.X to Y.Y.Y.Y
- Attack: WEB-IIS multiple decode attempt
Why OSSEC
Open Source Host-based IDS (HIDS)
- Log analysis based intrusion detection
- File integrity checking
- Registry key integrity checking (Windows only)
- Signature based malware/rootkit detection
- Real time alerting and active response
- Feeds SIEMs (OSSIM)
OSSEC Architecture
OSSEC Agent
- Logcollectord: reads logs (syslog, WMI, flat files)
- Syscheckd: file integrity checking
- Rootcheckd: malware and rootkit detection
- Agentd: forwards data to the server
OSSEC Server
- Remoted: receives data from agents
- Analysisd: processes data (main process)
- Monitord: monitors agents
OSSEC Integration (diagram of the event path)
- Monitored host, OSSEC Agent: Logcollector, Syscheckd, Rootcheckd -> Agentd
- OSSIM Sensor, OSSEC Server: Remoted -> Analysisd (decode, analyze) -> Alerts.log; Monitord
- OSSIM Sensor, OSSIM Agent: Ossec collector -> Ossim-agent
- OSSIM Server: Ossim-server -> Correlation -> Risk assessment -> Alarm; Logger
OSSEC Collector Anatomy

[ossec.conf]
<custom_alert_output>AV - Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL: "$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER"; SRCIP: "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT: "[INIT]$FULLLOG[END]"; </custom_alert_output>

[alerts.log]
AV - Alert - "1374721595" --> RID: "3333"; RL: "7"; RG: "syslog,postfix,service_availability,"; RC: "Postfix stopped."; USER: "None"; SRCIP: "None"; HOSTNAME: "10.0.0.80"; LOCATION: "/var/log/syslog"; EVENT: "[INIT]May 16 14:47:19 10.0.0.80 postfix/master[2925]: terminating on signal 15[END]";

[ossec-single-line.cfg]
event_type=event
regexp=^AV\s-\sAlert\s-\s\"(?P<date>\d+)\"\s-->\sRID:\s\"(?P<rule_id>\d+)\";\sRL:\s\"(?P<rule_level>\d+)\";\sRG:\s\"(?P<rule_group>\S+)\";\sRC:\s\"(?P<rule_comment>.*?)\";\sUSER:\s\"(?P<username>\S+)\";\sSRCIP:\s\"(?P<srcip>.*?)\";\sHOSTNAME:\s\"\(?(?P<hostname>[a-zA-Z0-9_\.]+)\)?[^"]*";
date={normalize_date($date)}
plugin_id={translate($rule_id)}
plugin_sid={$rule_id}
src_ip={resolv($srcip)}
dst_ip={resolv($hostname)}
username={$username}
userdata1={$rule_level}
userdata2={$rule_group}
userdata3={$rule_comment}
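The slide shows the handoff from both sides: the custom_alert_output template that the OSSEC server fills in, and the regexp the OSSIM collector applies to the resulting line. The added Python below is an example written for this page, not code from OSSEC or OSSIM: it renders an alert from the slide's template with string.Template (which uses the same $NAME syntax), then parses it back with the slide's regexp and field mapping. The sample alert values are constructed from the slide, translate() returns a placeholder plugin id because the real rule-id-to-plugin-id table is not on the slide, resolv() does no DNS, and the second sample with an agent-style HOSTNAME of the form "(name) ip->location" is an assumption made to exercise the \(? ... \)? part of the regexp.

```python
import ipaddress
import re
from datetime import datetime, timezone
from string import Template

# custom_alert_output as configured on the slide (ossec.conf); the $NAME
# placeholders are filled by the OSSEC server for every alert it writes.
CUSTOM_ALERT_OUTPUT = (
    'AV - Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL: "$RULELEVEL"; RG: "$RULEGROUP"; '
    'RC: "$RULECOMMENT"; USER: "$DSTUSER"; SRCIP: "$SRCIP"; HOSTNAME: "$HOSTNAME"; '
    'LOCATION: "$LOCATION"; EVENT: "[INIT]$FULLLOG[END]";'
)

# The ossec-single-line.cfg regexp from the slide.
OSSEC_REGEXP = re.compile(
    r'^AV\s-\sAlert\s-\s"(?P<date>\d+)"\s-->\sRID:\s"(?P<rule_id>\d+)";'
    r'\sRL:\s"(?P<rule_level>\d+)";\sRG:\s"(?P<rule_group>\S+)";'
    r'\sRC:\s"(?P<rule_comment>.*?)";\sUSER:\s"(?P<username>\S+)";'
    r'\sSRCIP:\s"(?P<srcip>.*?)";\sHOSTNAME:\s"\(?(?P<hostname>[a-zA-Z0-9_\.]+)\)?[^"]*";'
)

# Constructed values for the postfix alert shown on the slide.
SAMPLE_ALERT = {
    "TIMESTAMP": "1374721595", "RULEID": "3333", "RULELEVEL": "7",
    "RULEGROUP": "syslog,postfix,service_availability,",
    "RULECOMMENT": "Postfix stopped.", "DSTUSER": "None", "SRCIP": "None",
    "HOSTNAME": "10.0.0.80", "LOCATION": "/var/log/syslog",
    "FULLLOG": "May 16 14:47:19 10.0.0.80 postfix/master[2925]: terminating on signal 15",
}

OSSEC_PLUGIN_ID = 7000  # placeholder: the real translate() table maps rule ids to OSSIM plugin ids


def render_alert(fields):
    """What the OSSEC server appends to alerts.log for one alert."""
    return Template(CUSTOM_ALERT_OUTPUT).substitute(fields)


def translate(rule_id):
    """translate($rule_id): OSSEC rule id -> OSSIM plugin id. Fixed placeholder here."""
    return OSSEC_PLUGIN_ID


def resolv(value):
    """Simplified: OSSEC writes "None" for an absent field; IP literals pass
    through; hostnames are left unresolved (no DNS, so the example runs offline)."""
    if value in (None, "None", ""):
        return None
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return value


def normalize_date(epoch):
    """$TIMESTAMP is a Unix epoch; the SIEM wants YYYY-MM-DD HH:MM:SS (UTC here)."""
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def parse_alert(line):
    """Apply the regexp and the field mapping from the slide's collector config.
    Returns None for lines the plugin does not recognise."""
    m = OSSEC_REGEXP.match(line)
    if m is None:
        return None
    g = m.groupdict()
    return {
        "event_type": "event",
        "date": normalize_date(g["date"]),
        "plugin_id": translate(g["rule_id"]),
        "plugin_sid": g["rule_id"],
        "src_ip": resolv(g["srcip"]),
        "dst_ip": resolv(g["hostname"]),
        "username": g["username"],
        "userdata1": g["rule_level"],
        "userdata2": g["rule_group"],
        "userdata3": g["rule_comment"],
    }


def roundtrip(fields=SAMPLE_ALERT):
    """Render an alert the way the OSSEC server would, then collect it."""
    return parse_alert(render_alert(fields))


if __name__ == "__main__":
    print(render_alert(SAMPLE_ALERT))
    print(roundtrip())
```

Two details matter operationally: the rule id becomes plugin_sid, so every OSSEC rule is a distinct event type the correlation engine can reference, and the non-greedy groups for RC and SRCIP are what keep a rule comment containing spaces or semicolons from shifting the later fields.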
OSSIM Correlation Rules
Example directive: [AV Bruteforce attack, SSH authentication attack]
(diagram; labels: Correlation Engine, Alert, OSSEC Rule ID, Alert Reliability, OSSEC Event Type)
OSSIM Alarm
Example alarm: [AV Bruteforce attack, Windows authentication attack]
(diagram; labels: Risk Value, Correlation Engine, Alerts, OSSEC Event)
OSSEC Embedded GUI
- Status monitor
- Events viewer
- Agents control manager
- Configuration manager
- Rules viewer/editor
- Logs viewer
- Server control manager
- Deployment manager
- Rules viewer/editor
- PDF/HTML reports
Questions / Demo time
santiago@alienvault.com
@santiagobassel