OSSIM
Brian E. Lavender
Table of Contents
Introduction 2
How OSSIM Functions 2
Installation 5
Initial Configuration Steps 6
Creating ASSETS and Calculating RISK 6
Create a host asset value 7
A Customized Plugin 8
Some Theory 9
OSSIM Server Configuration 9
OSSIM Agent Configuration 10
Verification 12
A sample OSSIM directive 13
Conclusion 13
References 15
Introduction
O'Reilly's book Network Security Hacks, in its introduction to Snort (Hack #106), makes the following observation:

"Monitoring your logs can take you only so far in detecting intrusions. If logs are being generated by a service that has been compromised, welcome to one of the security admin's worst nightmares: you can no longer trust your logs."

Even this gives administrators only a certain level of confidence. SNORT analyzes the network for suspicious packets. It will produce the same alarm for a malicious packet targeted at a Windows host as at a Unix host, even though the Unix host may not be vulnerable. A Security Information Manager is a tool that correlates information, producing a higher confidence level for when an attack occurs. In the open source community, various tools have been created to monitor different aspects of security. OSSIM combines the data from these tools, correlating it to a higher confidence that an attack has occurred or a host has been compromised, and also uses the data to determine the health of our network. It integrates Host Intrusion Detection Systems (HIDS) with Network Intrusion Detection Systems (NIDS) to do this.
How OSSIM Functions
OSSIM consists of three different key components: the server, the frameworkd, and the agent. Management is performed through a web based interface and configuration is done through a series of configuration files. Multiple agents can be placed throughout the network. The agent gathers information from plugins and sends the data to the server. Below is a list of plugins contained with OSSIM. Custom plugins can also be written, as detailed in this report.

The book Network Security Hacks [1] details how to configure many of these plugins (the page reference is listed beside the plugin if it is featured in the book). Having an understanding of each plugin is beneficial to knowing what value the plugin provides to OSSIM.

- Arpwatch, used for MAC anomaly detection. (Lockhart, 185)
- P0f, used for passive OS detection and OS change analysis. (Lockhart, 128)
- Pads, used for service anomaly detection.
- Nessus, used for vulnerability assessment and for cross correlation (IDS vs Security Scanner). (Lockhart, 197)
- Snort, the IDS, also used for cross correlation with Nessus. (Lockhart, 349)
- Spade, the statistical packet anomaly detection engine. Used to gain knowledge about attacks without a signature. (Lockhart, 384)
- Tcptrack, used for session data information, which can grant useful information for attack correlation.
- Ntop, which builds an impressive network information database from which we can get aberrant behaviour anomaly detection. (Lockhart, 293)
- Nagios. Being fed from the host asset database, it monitors host and service availability information. (Lockhart, 283)
- Osiris, a Host Intrusion Detection System.
- OCS NG, a cross platform inventory solution.
- OSSEC, integrity, rootkit, registry detection and more. (Lockhart, 274)
Illustration 1: Syslog
Illustration 2: SNORT
Illustration 3: Monitor
Installation
The easiest way to install OSSIM is to download the AlienVault installer from the OSSIM website: http://www.ossim.com/home.php?id=download. Burn the ISO image to a CD. It is a Debian Installation CD that has been customized to install OSSIM. It will erase the hard drive of the machine on which it is being installed. It can be used to install a virtual machine as well. The installer will ask a few brief questions. It will ask for a static IP address. Once it has asked all its questions, it will proceed to install the entire OSSIM suite (server, frameworkd, and agent) onto the system. Once installation finishes, point your web browser to the machine onto which it was installed. It will give you a login screen. The default login is 'admin' with a password of 'admin'. Log in to OSSIM. You will be greeted with the 'Executive Panel', which gives a high level summary of the network, incidents, alarms, and vulnerabilities. Currently, it is monitoring the host onto which it is installed.

If you want to see your brand new OSSIM server in action, you can nmap it and watch as it detects the nmap. Here are the steps to take. On the web interface, select the Events => RT Events menu options.
Initial Configuration Steps
To begin to see the value OSSIM provides, policies need to be created. Dominique Karg of the OSSIM development team has written a series of tutorials, including one describing initial steps after installation: http://www.ossim.com/home.php?id=download. The following is a summary of the steps described in his tutorial. I will go through the steps briefly, but I highly recommend following his tutorial directly.

First, create a network policy by going to the screen Policy => Networks and specifying a network. This network is given an asset value, a compromise threshold and an attack threshold value. In addition, you can specify whether you want hosts in this network to be scanned by Nessus and if Nagios is enabled. See the Creating Assets and Calculating Risk section below for detailed information about how to assign risk. Individual asset values can also be specified for hosts, which will override the value given to the network.

Scan the network you just specified by going to the screen Tools => Netscan. This will run an nmap scan across the range of IP addresses that you specified in the previous step. It will list the hosts it found along with the services for each host. You can choose which ones are inserted into the database. The risk value given for the inserted hosts will be the same as the network's. It can be modified for each host by going to the screen Policy => Hosts.

Perform an OCS inventory for each host. OCS automatically collects information about the host operating system, configuration, and installed software. OSSIM integrates the OCS tools into its Tools => Downloads screen. The tool has been customized by the OSSIM installer, so all that needs to be done is to run the setup script. The configuration parameters are already set to report OCS details back to the OSSIM installer.

Now do a NESSUS scan from the Events => Vulnerabilities screen. The scans can be set to run on a regular basis. Karg's tutorial recommends raising the value for vulnerability_incident_threshold on the Configuration => Main screen.

At this point, as events arrive, a risk value will be calculated. The higher the asset value given, the higher the risk for a received event against that host.
Creating ASSETS and Calculating RISK
In this section, I will show the meaning of the asset value and how risk is calculated. OSSIM uses the asset values assigned to the systems, as described in the previous section, combined with a reliability and priority value from received events to calculate risk. There are three ways that a host receives an asset value: it is given one, it inherits the asset value of the network on which it resides, or it doesn't have an assigned asset value. In turn, this host asset value is used to calculate risk when an event is received. I will describe below where the priority and risk values come from.
Create a host asset value
Asset values were covered in the previous section. For a host you can view its value under Policy => Hosts. This asset value ranges from 1 to 5. 1 signifies the host has little value. 5 is the highest value of importance one can give a host. Risk is calculated with the following formula.

risk = asset * (reliability * priority / 25)

Below is a screenshot showing the data for the host named mojito. It has an IP address of 192.168.1.111 and the highest asset value of 5.
The below image shows the same event and its impact on two different hosts. In the following case, the event "foobar: alien foo on (DST_IP)" occurred to two different hosts. This event is a log event that came from syslog and is further explained below. The event has a reliability = 10 and priority = 5 (shown in the table below).

Event: foobar: alien foo on (DST_IP)
reliability: 10
priority: 5

And if you look at the following diagram, the risk for the first event is 10, and for the second event is 2. Illustration 4 shows a screenshot as it is displayed in the events tab of the administrative interface.

risk = asset * (reliability * priority / 25)

Illustration 4: Events Tab (columns: Host, IP Address, Risk)
A Customized Plugin
This is the area where priority and reliability are assigned to an event. OSSIM allows for the creation of custom plugins that will capture events specific to a user's network. This section will focus on the steps needed to create an OSSIM plugin. This will be a simple plugin that you can trigger using a small Python script.
Some Theory
Each plugin has an id and a series of sub ids, one for each type of event it can generate. For each of these sub ids, it has an associated priority and reliability value. When an event is sent to the server, the server gives the event each of these two values. Then the event is processed and a risk is calculated in combination with the asset value of the host associated with the event.
OSSIM Server Configuration
In the previous tables showing risk, an event came from a foobar plugin. The following demonstrates how to create the plugin for foobar. On the OSSIM server, the ossim database needs to be updated with information regarding the plugin. You can copy and paste the following into the shell and it will create the file with the SQL. If you create the file manually, be sure to remove the backslashes before any $ symbol.
cat > ./foobar.sql << __END__
-- foobar
-- plugin_id: 20000
-- \$Id:\$
--
DELETE FROM plugin WHERE id = "20000";
DELETE FROM plugin_sid WHERE plugin_id = "20000";

INSERT INTO plugin (id, type, name, description)
  VALUES (20000, 1, 'foobar', 'Foobar demo detector');

INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, reliability, priority, name)
  VALUES (20000, 1, NULL, NULL, 6, 4, 'foobar: new foo found on (DST_IP)');
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, reliability, priority, name)
  VALUES (20000, 2, NULL, NULL, 6, 1, 'foobar: foo the same on (DST_IP)');
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, reliability, priority, name)
  VALUES (20000, 3, NULL, NULL, 10, 2, 'foobar: foo changed on (DST_IP)');
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, reliability, priority, name)
  VALUES (20000, 4, NULL, NULL, 8, 3, 'foobar: foo deleted on (DST_IP)');
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, reliability, priority, name)
  VALUES (20000, 5, NULL, NULL, 10, 5, 'foobar: alien foo on (DST_IP)');
__END__
Now the plugin can be inserted into the OSSIM server using the following command.

cat foobar.sql | mysql -u root -p ossim
The OSSIM server must be restarted so that it is aware of the new plugin information.
/etc/init.d/ossim-server restart
Once the plugin exists, the OSSIM web interface will verify it in the window Configuration => Plugins (Illustration 5).
OSSIM Agent Configuration
The following steps detail configuration of the agent for the plugin. This plugin is going to monitor syslog for the output, so a config file for the plugin must exist containing the plugin ID and how to match information in syslog. In this case, it matches only one sid, but as you can see from the above SQL, there could be five patterns and five sub ids.

Below are the contents of /etc/ossim/agent/plugins/foobar.cfg. You can copy and paste this into the shell. If you create the file manually, be sure to remove the backslashes before any $ symbol.
cat > /etc/ossim/agent/plugins/foobar.cfg << __END__
;; foobar
;; plugin_id: 20000
;; type: detector
;; description: foobar demo plugin
;;
;; URL:
;;
;; \$Id:\$

[DEFAULT]
plugin_id=20000

[config]
type=detector
enable=yes

source=log
location=/var/log/user.log

# create log file if it does not exist,
# otherwise stop processing this plugin
create_file=false

process=
start=no
stop=no
startup=
shutdown=

## rules
##
## New foo found in bar
##

[foobar - New foo found]
# Sep  7 12:40:55 eldedo FOOBAR[2054]: new foo found
event_type=event
regexp="(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<dst_ip>[^\s]*).*?FOOBAR.*?new foo found"
plugin_sid=1
dst_ip={resolv(\$dst_ip)}
src_ip=0.0.0.0
date={normalize_date(\$1)}

[foobar - foo the same]
# Sep  7 12:40:55 eldedo FOOBAR[2054]: foo the same
event_type=event
regexp="(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<dst_ip>[^\s]*).*?FOOBAR.*?foo the same"
plugin_sid=2
dst_ip={resolv(\$dst_ip)}
src_ip=0.0.0.0
date={normalize_date(\$1)}

[foobar - New changed]
# Sep  7 12:40:55 eldedo FOOBAR[2054]: foo changed
event_type=event
regexp="(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<dst_ip>[^\s]*).*?FOOBAR.*?foo changed"
plugin_sid=3
dst_ip={resolv(\$dst_ip)}
src_ip=0.0.0.0
date={normalize_date(\$1)}

[foobar - New deleted]
# Sep  7 12:40:55 eldedo FOOBAR[2054]: foo deleted
event_type=event
regexp="(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<dst_ip>[^\s]*).*?FOOBAR.*?foo deleted"
plugin_sid=4
dst_ip={resolv(\$dst_ip)}
src_ip=0.0.0.0
date={normalize_date(\$1)}

[foobar - alien foo]
# Sep  7 12:40:55 eldedo FOOBAR[2054]: alien foo
event_type=event
regexp="(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<dst_ip>[^\s]*).*?FOOBAR.*?alien foo"
plugin_sid=5
dst_ip={resolv(\$dst_ip)}
src_ip=0.0.0.0
date={normalize_date(\$1)}
__END__
We need to tell the agent that we have a new plugin. Edit the file /etc/ossim/agent/config.cfg and add the following line in the [plugin] section.
foobar=/etc/ossim/agent/plugins/foobar.cfg
Now restart the agent so that it is aware of the new plugin information.
/etc/init.d/ossim-agent restart
Verification
This is a sample Python script that will send a message to syslog. It parses the options passed on the command line and sends a log message for each option that matches a case. The following code can be run as a script on any host that has Python installed.
#!/usr/bin/python
import syslog
import sys

# Log under the program name FOOBAR to the user facility, so the lines
# land in /var/log/user.log where the agent plugin reads them.
syslog.openlog("FOOBAR", syslog.LOG_PID, syslog.LOG_USER)
# Each numeric argument maps to one plugin_sid message from foobar.cfg.
for arg in sys.argv[1:]:
    if arg == "1":
        syslog.syslog(syslog.LOG_WARNING, "new foo found")
    elif arg == "2":
        syslog.syslog(syslog.LOG_WARNING, "foo the same")
    elif arg == "3":
        syslog.syslog(syslog.LOG_WARNING, "foo changed")
    elif arg == "4":
        syslog.syslog(syslog.LOG_WARNING, "foo deleted")
    elif arg == "5":
        syslog.syslog(syslog.LOG_WARNING, "alien foo")
syslog.closelog()
Run this program on the server for which you want to generate the event. The following will send the first type of syslog message.
testfoobar.py 1
The second will send the 5th type of syslog message, the 4th type of syslog message, and then finally the 2nd type of syslog message.
testfoobar.py 5 4 2
Check your events and alarms. An event and/or an alarm should appear on the events tab previously shown.
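As an added example (not code from the report or from OSSIM), the following Python script imitates what the agent and server do with the foobar plugin: it applies the foobar.cfg regular expressions to constructed syslog lines, looks up reliability and priority from the plugin_sid rows in foobar.sql, and computes risk = asset * (reliability * priority / 25) for the asset values seen in the screenshots. The host 'guest' with asset 1, the DEFAULT_ASSET fallback and the sample lines are assumptions made for the demo.

```python
import re

# Added example, not from the report: the plugin_sid rows of foobar.sql
# (sid -> reliability, priority, name) and the foobar.cfg regexps, used to
# show how a syslog line becomes an event with a risk score.
PLUGIN_SID = {
    1: (6, 4, "foobar: new foo found on (DST_IP)"),
    2: (6, 1, "foobar: foo the same on (DST_IP)"),
    3: (10, 2, "foobar: foo changed on (DST_IP)"),
    4: (8, 3, "foobar: foo deleted on (DST_IP)"),
    5: (10, 5, "foobar: alien foo on (DST_IP)"),
}
MESSAGES = {1: "new foo found", 2: "foo the same", 3: "foo changed",
            4: "foo deleted", 5: "alien foo"}
# Same pattern as the agent rules; only the trailing message differs per sid.
RULES = [(sid, re.compile(r"(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<dst_ip>[^\s]*)"
                          r".*?FOOBAR.*?" + re.escape(msg)))
         for sid, msg in MESSAGES.items()]

# mojito has asset 5 as in the report; 'guest' (asset 1) is constructed.
ASSETS = {"mojito": 5, "guest": 1}
DEFAULT_ASSET = 1  # assumed fallback for hosts without an asset value

# Constructed syslog lines in the format the agent comments show.
SAMPLE_LINES = [
    "Sep  7 12:40:55 mojito FOOBAR[2054]: alien foo",
    "Sep  7 12:41:02 guest FOOBAR[2054]: alien foo",
    "Sep  7 12:41:10 mojito FOOBAR[2054]: foo changed",
    "Sep  7 12:41:11 mojito sshd[1001]: Accepted publickey for bob",  # no rule
]

def parse_line(line):
    """Return (sid, dst_host, date_text) for a matching line, else None."""
    for sid, rx in RULES:
        m = rx.search(line)
        if m:
            return sid, m.group("dst_ip"), m.group(1)
    return None

def risk(asset, reliability, priority):
    """The report's formula: risk = asset * (reliability * priority / 25)."""
    return asset * (reliability * priority / 25)

def score(lines, assets=ASSETS):
    """Turn syslog lines into (event name, host, reliability, priority, risk)."""
    events = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # the agent only forwards lines that match a rule
        sid, host, _date = parsed
        reliability, priority, name = PLUGIN_SID[sid]
        asset = assets.get(host, DEFAULT_ASSET)
        events.append((name, host, reliability, priority, risk(asset, reliability, priority)))
    return events
```

With these inputs the two "alien foo" events score 10 and 2, reproducing the pair shown in Illustration 4, and "foo changed" on mojito scores 4.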
A sample OSSIM directive
OSSIM stores its rules on the server in a file named /etc/ossim/server/directives.xml. The rules are separated into directives. The following is an example SSH brute force directive. The rules in this directive obtain their information from the SSH auth.log plugin. In this case, the attacker could be switching between different target hosts in an attempt to escape detection on a single host, but this directive will detect those attempts across switched target hosts as well. The reliability begins at 3 after three failed attempts. Three more will raise it to 4. Five more will raise it to 6, and then an additional 10 attempts will raise it to 8.
<directive id="20" name="Possible SSH brute force login attempt against DST_IP" priority="5">
  <rule type="detector" name="SSH Authentication failure" reliability="3"
        occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
        time_out="10" plugin_id="4003" plugin_sid="1,2,3,4,5,6">
    <rules>
      <rule type="detector" name="SSH Authentication failure (3 times)"
            reliability="+1" occurrence="3" from="1:SRC_IP" to="ANY"
            port_from="ANY" time_out="15" port_to="ANY"
            plugin_id="4003" plugin_sid="1,2,3,4,5,6" sticky="true">
        <rules>
          <rule type="detector" name="SSH Authentication failure (5 times)"
                reliability="+2" occurrence="5" from="1:SRC_IP" to="ANY"
                port_from="ANY" time_out="20" port_to="ANY"
                plugin_id="4003" plugin_sid="1,2,3,4,5,6" sticky="true">
            <rules>
              <rule type="detector" name="SSH Authentication failure (10 times)"
                    reliability="+2" occurrence="10" from="1:SRC_IP" to="ANY"
                    port_from="ANY" time_out="30" port_to="ANY"
                    plugin_id="4003" plugin_sid="1,2,3,4,5,6" sticky="true">
              </rule>
            </rules>
          </rule>
        </rules>
      </rule>
    </rules>
  </rule>
</directive>
Conclusion
There are many aspects to OSSIM. More than one server can be created. This document has skipped over those details to cover the base concepts. OSSIM has high complexity, yet at the same time, it has the sophistication to handle the threats networks and hosts are exposed to today. Its strength is derived from the integration of other tools. It is adept at handling the new weaknesses in the network. Part of the issue of understanding OSSIM is setting up the network and components. The goal of security is to be equally as good as the attacker, and yet at the same time to think ahead of him. And when one is not able to think ahead, have tools that look for anomalies. Through the fact that OSSIM is open source, it has the capability to build through the community. Many eyes are its tools for security.