
OSSIM
Open Source Security Information Management

Brian E. Lavender
Sac State, CSC 250, Spring 2008
Final Project, 2008

Table of Contents
Introduction
How OSSIM Functions
Installation
    Initial Configuration Steps
Creating ASSETS and Calculating RISK
    Create a host asset value
A Customized Plugin
    Some Theory
    OSSIM Server Configuration
    OSSIM Agent Configuration
    Verification
A sample OSSIM directive
Conclusion
References

Introduction
O'Reilly's book Network Security Hacks, in its introduction to Snort (Hack #106), makes the following observation:

    Monitoring your logs can take you only so far in detecting intrusions. If logs are being generated by a service that has been compromised, welcome to one of the security admin's worst nightmares: you can no longer trust your logs.

Even this gives administrators only a certain level of confidence. Snort analyzes the network for suspicious packets. It will produce the same alarm for a malicious packet targeted at a Windows host as for a Unix host, even though the Unix host may not be vulnerable. A Security Information Manager is a tool that correlates information, producing a higher level of confidence that an attack has actually occurred. In the open source community, various tools have been created to monitor different aspects of security. OSSIM combines the data from these tools, correlating it into a higher-confidence judgement that an attack has occurred or a host has been compromised, and also uses the data to determine the health of the network. It integrates Host Intrusion Detection Systems (HIDS) with Network Intrusion Detection Systems (NIDS) to do this.

How OSSIM Functions
OSSIM consists of three key components: the server, the framework daemon (frameworkd), and the agent. Management is performed through a web-based interface and configuration is done through a series of configuration files. Multiple agents can be placed throughout the network. The agent gathers information from plugins and sends the data to the server. Below is a list of the plugins included with OSSIM. Custom plugins can also be written, as detailed in this report.

The book Network Security Hacks [1] details how to configure many of these plugins (the page reference is listed beside a plugin when it is featured in the book). Understanding each plugin makes it clearer what value the plugin provides to OSSIM.

Arpwatch, used for MAC anomaly detection. (Lockhart, 185)
P0f, used for passive OS detection and OS change analysis. (Lockhart, 128)
Pads, used for service anomaly detection.
Nessus, used for vulnerability assessment and for cross correlation (IDS vs. security scanner). (Lockhart, 197)
Snort, the IDS, also used for cross correlation with Nessus. (Lockhart, 349)
Spade, the statistical packet anomaly detection engine, used to gain knowledge about attacks that have no signature. (Lockhart, 384)
Tcptrack, used for session data, which can provide useful information for attack correlation.
Ntop, which builds an impressive network information database from which aberrant behaviour can be detected. (Lockhart, 293)
Nagios, which, fed from the host asset database, monitors host and service availability. (Lockhart, 283)
Osiris, a Host Intrusion Detection System.
OCS NG, a cross-platform inventory solution.
OSSEC, integrity checking, rootkit detection, registry monitoring and more. (Lockhart, 274)

OSSIM gathers data using sensors. There are three primary ways to collect data. OSSIM also uses some integrated tools that won't be discussed here. The following illustrations, adapted from Joël Winteregg's write-up [5] on OSSIM, show the three ways OSSIM collects data. The first is processing log data such as syslog (Illustration 1). The second is passive network monitoring on a network segment, using a tool such as Snort that watches network traffic through a promiscuous interface (Illustration 2). The third is a tool that can be queried, such as tcptrack (Illustration 3). Nagios is another tool that can be queried, in its case to show the health of hosts on the network.


Illustration 1: Syslog

Illustration 2: SNORT


Illustration 3: Monitor

Installation
The easiest way to install OSSIM is to download the AlienVault installer from the OSSIM web site: http://www.ossim.com/home.php?id=download

Burn the ISO image to a CD. It is a Debian installation CD that has been customized to install OSSIM. It will erase the hard drive of the machine on which it is being installed. It can be used to install a virtual machine as well. The installer asks a few brief questions, among them a static IP address. Once it has asked all its questions, it proceeds to install the entire OSSIM suite (server, frameworkd, and agent) onto the system. Once installation finishes, point your web browser at the machine on which it was installed. It will give you a login screen. The default login is 'admin' with a password of 'admin'; every installation from this ISO starts with that same credential, so change it before the interface is reachable from anywhere but your own workstation. Log in to OSSIM. You will be greeted with the 'Executive Panel', which gives a high-level summary of the network, incidents, alarms, and vulnerabilities. At this point it is monitoring only the host on which it is installed.

If you want to see your brand new OSSIM server in action, you can nmap it and watch as it detects the scan. Here are the steps to take. On the web interface, select the Events => RT Events menu option. Select the start button. As events are received by the OSSIM server, they are shown in this window in real time. Now execute the nmap command against your OSSIM server. Do this from another host.

# nmap <IP address of newly installed OSSIM server>

SPADE (the Statistical Packet Anomaly Detection Engine), which is part of Snort, will pick up the port scan, and after detecting a series of the packets it will issue a directive event. This gives you quick feedback that the OSSIM server is running. There is much more to OSSIM, and with some configuration it can monitor other hosts on the network.

Initial Configuration Steps
To begin to see the value OSSIM provides, policies need to be created. Dominique Karg of the OSSIM development team has written a series of tutorials, including one describing the initial steps after installation: http://www.ossim.com/home.php?id=download. The following is a summary of the steps described in his tutorial. I will go through the steps briefly, but I highly recommend following his tutorial directly.

First, create a network policy by going to the screen Policy => Networks and specifying a network. This network is given an asset value, a compromise threshold and an attack threshold value. In addition, you can specify whether you want hosts in this network to be scanned by Nessus and whether Nagios is enabled. See the Creating ASSETS and Calculating RISK section below for detailed information about how to assign risk. Individual asset values can also be specified for hosts, which will override the value given to the network.

Scan the network you just specified by going to the screen Tools => Netscan. This runs an nmap scan across the range of IP addresses that you specified in the previous step. It lists the hosts it found along with the services for each host. You can choose which ones are inserted into the database. The asset value given to the inserted hosts will be the same as the network's. It can be modified for each host by going to the screen Policy => Hosts.

Perform an OCS inventory for each host. OCS automatically collects information about the host operating system, configuration, and installed software. OSSIM integrates the OCS tools into its Tools => Downloads screen. The tool has been customized by the OSSIM installer, so all that needs to be done is to run the setup script. The configuration parameters are already set to report OCS details back to the OSSIM server.

Now do a Nessus scan from the Events => Vulnerabilities screen. The scans can be set to run on a regular basis. Karg's tutorial recommends raising the value of vulnerability_incident_threshold on the Configuration => Main screen.

At this point, as events arrive, a risk value will be calculated. The higher the asset value given, the higher the risk for a received event against that host.

Creating ASSETS and Calculating RISK
In this section I will show the meaning of the asset value and how risk is calculated. OSSIM uses the asset values assigned to the systems, as described in the previous section, combined with a reliability and a priority value from received events to calculate risk. There are three ways a host ends up with an asset value: it is given one explicitly, it inherits the asset value of the network on which it resides, or it has no assigned asset value at all. In turn, this host asset value is used to calculate risk when an event is received. I will describe below where the priority and reliability values come from.

Create a host asset value
Asset values were covered in the previous section. For a host you can view its value under Policy => Hosts. The asset value ranges from 1 to 5: 1 signifies the host has little value, and 5 is the highest importance one can give a host. Risk is calculated with the following formula:

risk = asset * (reliability * priority / 25)

Below is a screenshot showing the data for the host named mojito. It has an IP address of 192.168.1.111 and the highest asset value of 5.


The image below shows the same event and its impact on two different hosts. In this case, the event "foobar: alien foo on (DST_IP)" occurred on two different hosts. This event is a log event that came from syslog and is further explained below. The event has reliability 10 and priority 5 (shown in the table below).

Event: foobar: alien foo on (DST_IP)
reliability: 10
priority: 5

As the following table shows, the risk for the first event is 10 and the risk for the second event is 2: the same event, with the same reliability and priority, scores five times higher against the host with asset value 5 than against the host with asset value 1. Illustration 4 shows a screenshot as it is displayed in the events tab of the administrative interface.

risk = asset * (reliability * priority / 25)


Host      IP Address       Risk
mojito    192.168.1.111    10 = 5 * (10 * 5 / 25)
eldedo    192.168.1.135     2 = 1 * (10 * 5 / 25)

Illustration 4: Events Tab

A Customized Plugin
This is the area where priority and reliability are assigned to an event. OSSIM allows the creation of custom plugins that capture events specific to a user's network. This section focuses on the steps needed to create an OSSIM plugin. It will be a simple plugin that you can trigger using a small Python script that sends a message to syslog. This process can be used to verify that the agent and server are functioning and that the agent can send information to the server. It will also serve as a tutorial for configuring and using other plugins.

Some Theory
Each plugin has an id and a series of sub ids (sids), one for each type of event it can generate. Each of these sub ids has an associated priority and reliability value. When an event is sent to the server, the server gives the event these two values. Then the event is processed and a risk is calculated in combination with the asset value of the host associated with the event.

OSSIM Server Configuration
In the previous tables showing risk, the event came from a foobar plugin. The following demonstrates how to create the plugin for foobar. On the OSSIM server, the ossim database needs to be updated with information regarding the plugin. You can copy and paste the following and it will create the file with the SQL. If you create the file manually, be sure to remove the backslashes before any $ symbol (they are only there to stop the shell expanding $Id inside the unquoted here-document).
cat > ./foobar.sql << __END__
-- foobar
-- plugin_id: 20000
--
-- \$Id:\$
--
DELETE FROM plugin WHERE id = "20000";
DELETE FROM plugin_sid where plugin_id = "20000";

INSERT INTO plugin (id, type, name, description) VALUES (20000, 1, 'foobar', 'Foobar demo detector');

INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, reliability, priority, name) VALUES (20000, 1, NULL, NULL, 6, 4, 'foobar: new foo found on (DST_IP)');
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, reliability, priority, name) VALUES (20000, 2, NULL, NULL, 6, 1, 'foobar: foo the same on (DST_IP)');
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, reliability, priority, name) VALUES (20000, 3, NULL, NULL, 10, 2, 'foobar: foo changed on (DST_IP)');
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, reliability, priority, name) VALUES (20000, 4, NULL, NULL, 8, 3, 'foobar: foo deleted on (DST_IP)');
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, reliability, priority, name) VALUES (20000, 5, NULL, NULL, 10, 5, 'foobar: alien foo on (DST_IP)');
__END__


Now the plugin can be inserted into the OSSIM server's database using the following command (the -p flag makes mysql prompt for the root password).
cat foobar.sql | mysql -u root -p ossim


The OSSIM server must be restarted so that it is aware of the new plugin information.
/etc/init.d/ossim-server restart

Once the plugin exists, the OSSIM web interface will show it in the window Configuration => Plugins (Illustration 5).

Illustration 5: Plugin

Modifying the reliability and priority values shown in the above illustration for a plugin_sid requires a restart of the OSSIM server for the change to take effect.

OSSIM Agent Configuration
The following steps detail configuration of the agent for the plugin. This plugin is going to monitor syslog for the output, so a config file for the plugin must exist containing the plugin ID and how to match information in syslog. Each rule in the file matches exactly one sid, and as you can see from the above SQL there are five patterns and five sub ids.

Contents of /etc/ossim/agent/plugins/foobar.cfg. You can copy and paste this into the shell. If you create the file manually, be sure to remove the backslashes before any $ symbol.

cat > /etc/ossim/agent/plugins/foobar.cfg << __END__
;; foobar
;; plugin_id: 20000
;; type: detector
;; description: foobar demo plugin
;;
;; URL:
;;
;; \$Id:\$

[DEFAULT]
plugin_id=20000

[config]
type=detector
enable=yes
source=log
location=/var/log/user.log
# create log file if it does not exists,
# otherwise stop processing this plugin
create_file=false
process=
start=no
stop=no
startup=
shutdown=

## rules ##

## New foo found in bar ##
[foobar - New foo found]
# Sep 7 12:40:55 eldedo FOOBAR[2054]: new foo found
event_type=event
regexp="(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<dst_ip>[^\s]*).*?FOOBAR.*?new foo found"
plugin_sid=1
dst_ip={resolv(\$dst_ip)}
src_ip=0.0.0.0
date={normalize_date(\$1)}

[foobar - foo the same]
# Sep 7 12:40:55 eldedo FOOBAR[2054]: foo the same
event_type=event
regexp="(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<dst_ip>[^\s]*).*?FOOBAR.*?foo the same"
plugin_sid=2
dst_ip={resolv(\$dst_ip)}
src_ip=0.0.0.0
date={normalize_date(\$1)}

[foobar - New changed]
# Sep 7 12:40:55 eldedo FOOBAR[2054]: foo changed
event_type=event
regexp="(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<dst_ip>[^\s]*).*?FOOBAR.*?foo changed"
plugin_sid=3
dst_ip={resolv(\$dst_ip)}
src_ip=0.0.0.0
date={normalize_date(\$1)}

[foobar - New deleted]
# Sep 7 12:40:55 eldedo FOOBAR[2054]: foo deleted
event_type=event
regexp="(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<dst_ip>[^\s]*).*?FOOBAR.*?foo deleted"
plugin_sid=4
dst_ip={resolv(\$dst_ip)}
src_ip=0.0.0.0
date={normalize_date(\$1)}

[foobar - alien foo]
# Sep 7 12:40:55 eldedo FOOBAR[2054]: alien foo
event_type=event
regexp="(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<dst_ip>[^\s]*).*?FOOBAR.*?alien foo"
plugin_sid=5
dst_ip={resolv(\$dst_ip)}
src_ip=0.0.0.0
date={normalize_date(\$1)}
__END__

We need to tell the agent that we have a new plugin. Edit the file /etc/ossim/agent/config.cfg and add the following line in the [plugin] section.
foobar=/etc/ossim/agent/plugins/foobar.cfg

Now restart the agent so that it is aware of the new plugin information.
/etc/init.d/ossim-agent restart
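To see what the agent does with the file above, and how the server then turns the resulting event into the risk figures of the Creating ASSETS and Calculating RISK section, here is an added example written for this page; it is not the OSSIM agent's own code. It reads a cut-down copy of foobar.cfg with Python's configparser (the agent is written in Python, and the (?P<dst_ip>...) syntax in the regexps is Python's re module), runs a few constructed /var/log/user.log lines through the five rules, looks up reliability and priority from the plugin_sid rows in foobar.sql, and applies the risk formula. The agent's resolv() is replaced by a constructed host table holding mojito (asset 5) and eldedo (asset 1), so the result reproduces the 10 and 2 of the earlier risk table. Two things are assumptions of this example rather than OSSIM behaviour: the first matching rule wins, and an unlisted host gets asset value 2.

```python
import configparser
import re

# Cut-down copy of /etc/ossim/agent/plugins/foobar.cfg from above, keeping
# only the keys this example consumes (plugin_id, regexp, plugin_sid). The
# backslashes before $ in the here-document are gone: this is a raw string.
FOOBAR_CFG = r"""
[DEFAULT]
plugin_id=20000

[config]
type=detector
source=log
location=/var/log/user.log

[foobar - New foo found]
regexp="(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<dst_ip>[^\s]*).*?FOOBAR.*?new foo found"
plugin_sid=1

[foobar - foo the same]
regexp="(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<dst_ip>[^\s]*).*?FOOBAR.*?foo the same"
plugin_sid=2

[foobar - New changed]
regexp="(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<dst_ip>[^\s]*).*?FOOBAR.*?foo changed"
plugin_sid=3

[foobar - New deleted]
regexp="(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<dst_ip>[^\s]*).*?FOOBAR.*?foo deleted"
plugin_sid=4

[foobar - alien foo]
regexp="(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<dst_ip>[^\s]*).*?FOOBAR.*?alien foo"
plugin_sid=5
"""

# plugin_sid rows from foobar.sql: sid -> (reliability, priority)
PLUGIN_SID = {1: (6, 4), 2: (6, 1), 3: (10, 2), 4: (8, 3), 5: (10, 5)}

# Constructed stand-in for the agent's resolv() and for Policy => Hosts:
# syslog hostname -> (IP address, asset value). mojito and eldedo carry the
# values from the risk table above; the default for an unlisted host is an
# assumption of this example, not an OSSIM setting.
HOSTS = {"mojito": ("192.168.1.111", 5), "eldedo": ("192.168.1.135", 1)}
DEFAULT_ASSET = 2


def load_rules(cfg_text):
    """Compile every section that carries a regexp into (plugin_id, sid, pattern).

    configparser merges [DEFAULT] into every section, which is how the single
    plugin_id in the real file applies to all five rules."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    rules = []
    for name in cfg.sections():
        if cfg.has_option(name, "regexp"):
            section = cfg[name]
            rules.append((int(section["plugin_id"]), int(section["plugin_sid"]),
                          re.compile(section["regexp"].strip('"'))))
    return rules


def risk(asset, reliability, priority):
    """Risk formula from the report: asset * (reliability * priority / 25)."""
    return asset * (reliability * priority / 25)


def score_line(line, rules):
    """Match one syslog line against the rules in order (first hit wins, an
    assumption of this model) and return the scored event, or None."""
    for plugin_id, sid, pattern in rules:
        m = pattern.search(line)
        if m is None:
            continue
        # The dst_ip group holds the syslog hostname; resolv() maps it to an IP.
        dst_ip, asset = HOSTS.get(m.group("dst_ip"), ("0.0.0.0", DEFAULT_ASSET))
        reliability, priority = PLUGIN_SID[sid]
        return {"plugin_id": plugin_id, "sid": sid, "dst_ip": dst_ip,
                "reliability": reliability, "priority": priority,
                "risk": risk(asset, reliability, priority)}
    return None


def score_log(lines, cfg_text=FOOBAR_CFG):
    """Score every line of a log excerpt, dropping lines no rule matches."""
    rules = load_rules(cfg_text)
    return [ev for ev in (score_line(line, rules) for line in lines) if ev is not None]


# Constructed /var/log/user.log excerpt: the alien foo message written by
# "testfoobar.py 5" on both hosts, a foo changed message, and an sshd line
# that none of the foobar rules should match.
SAMPLE_LOG = [
    "Sep  7 12:40:55 mojito FOOBAR[2054]: alien foo",
    "Sep  7 12:40:56 eldedo FOOBAR[2055]: alien foo",
    "Sep  7 12:41:02 eldedo FOOBAR[2056]: foo changed",
    "Sep  7 12:41:10 eldedo sshd[311]: Accepted publickey for brian",
]

if __name__ == "__main__":
    for event in score_log(SAMPLE_LOG):
        print(event)
```

Running it prints one scored event per matching line. The sshd line produces nothing because no rule's regexp matches it, which is also why a message from testfoobar.py that does not match one of the five patterns would never reach the server: the plugin is only as good as its regexps.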

Verification
This is a sample Python script that sends a message to syslog. It parses the options passed on the command line and sends a log message for each option that matches a case. The following code can be run as a script on any host that has Python installed.
#! /usr/bin/python
import syslog
import sys

# Log under the program name FOOBAR, with the PID, to the user facility so the
# message lands in /var/log/user.log, the file the agent plugin watches.
syslog.openlog("FOOBAR", syslog.LOG_PID, syslog.LOG_USER)
# Each numeric argument selects one of the five plugin sids (argv[0] is the
# script name and is skipped).
for arg in sys.argv[1:]:
    if arg == "1":
        syslog.syslog(syslog.LOG_WARNING, "new foo found")
    elif arg == "2":
        syslog.syslog(syslog.LOG_WARNING, "foo the same")
    elif arg == "3":
        syslog.syslog(syslog.LOG_WARNING, "foo changed")
    elif arg == "4":
        syslog.syslog(syslog.LOG_WARNING, "foo deleted")
    elif arg == "5":
        syslog.syslog(syslog.LOG_WARNING, "alien foo")
syslog.closelog()


Run this program on the host for which you want to generate the event. The following sends the first type of syslog message.
testfoobar.py 1

The second sends the 5th type of syslog message, then the 4th type, and finally the 2nd type.
testfoobar.py 5 4 2

Check your events and alarms. An event and/or an alarm should appear on the events tab shown previously.

A sample OSSIM directive
OSSIM stores its rules on the server in a file named /etc/ossim/server/directives.xml. The rules are grouped into directives. The following is an example SSH brute-force directive. The rules in this directive obtain their information from the ssh auth.log plugin (plugin_id 4003). In this case the attacker could be switching between target hosts in an attempt to escape detection on any single host, but because the nested rules key on the source address (from="1:SRC_IP") while leaving the destination as ANY, this directive detects those attempts across switched target hosts as well. The first failed attempt from a source sets the reliability to 3 (the root rule has occurrence="1"). Three more failures raise it to 4, five more raise it to 6, and an additional ten raise it to 8; each nested rule must collect its occurrences within its own time_out.
<directive id="20" name="Possible SSH brute force login attempt against DST_IP" priority="5">
  <rule type="detector" name="SSH Authentication failure" reliability="3"
        occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
        time_out="10" plugin_id="4003" plugin_sid="1,2,3,4,5,6">
    <rules>
      <rule type="detector" name="SSH Authentication failure (3 times)"
            reliability="+1" occurrence="3" from="1:SRC_IP" to="ANY"
            port_from="ANY" time_out="15" port_to="ANY"
            plugin_id="4003" plugin_sid="1,2,3,4,5,6" sticky="true">
        <rules>
          <rule type="detector" name="SSH Authentication failure (5 times)"
                reliability="+2" occurrence="5" from="1:SRC_IP" to="ANY"
                port_from="ANY" time_out="20" port_to="ANY"
                plugin_id="4003" plugin_sid="1,2,3,4,5,6" sticky="true">
            <rules>
              <rule type="detector" name="SSH Authentication failure (10 times)"
                    reliability="+2" occurrence="10" from="1:SRC_IP" to="ANY"
                    port_from="ANY" time_out="30" port_to="ANY"
                    plugin_id="4003" plugin_sid="1,2,3,4,5,6" sticky="true">
              </rule>
            </rules>
          </rule>
        </rules>
      </rule>
    </rules>
  </rule>
</directive>

The above directive only uses rules of type detector. YouYou's paper [2] walks through an attack with a sample DCOM exploit. Dominique Karg [8] also goes through the meaning of the details of the XML syntax, such as sticky.
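The reliability steps described above can be checked with an added example, written for this page; it is not OSSIM's correlation engine, whose real semantics Karg's paper [8] describes. It transcribes the four rule levels of the directive and plays constructed SSH failure events through them under a simplified model that is an assumption of this example: each nested rule must collect its occurrence count of events from the same SRC_IP within its time_out seconds of the previous level firing, and a missed window starts the chain again at the root rule. Nineteen failures one second apart from one address drive the reliability from 3 to 4, 6 and 8; events from another address, from another plugin, or outside the window are shown not to contribute. The final risk uses the directive's priority of 5 with an assumed asset value of 5.

```python
SSH_PLUGIN_ID = 4003
SSH_FAILURE_SIDS = {1, 2, 3, 4, 5, 6}

# The directive's rule chain, transcribed from the XML above. reliability is
# written as in the XML: an absolute value for the root, "+N" for nested rules.
SSH_BRUTEFORCE = [
    {"name": "SSH Authentication failure",            "reliability": "3",  "occurrence": 1,  "time_out": 10},
    {"name": "SSH Authentication failure (3 times)",  "reliability": "+1", "occurrence": 3,  "time_out": 15},
    {"name": "SSH Authentication failure (5 times)",  "reliability": "+2", "occurrence": 5,  "time_out": 20},
    {"name": "SSH Authentication failure (10 times)", "reliability": "+2", "occurrence": 10, "time_out": 30},
]
DIRECTIVE_PRIORITY = 5


def apply_reliability(current, spec):
    """'+N' adds to the running value; a bare number sets it."""
    return current + int(spec) if spec.startswith("+") else int(spec)


def correlate(events, levels=SSH_BRUTEFORCE):
    """Feed (time, src_ip, plugin_id, plugin_sid) events through the rule chain.

    Returns one (time, src_ip, rule_name, reliability) tuple per rule level that
    fires. Simplified model (an assumption, not the real engine): a nested level
    needs `occurrence` events from the same SRC_IP within `time_out` seconds of
    the previous level firing; a missed window restarts at the root rule."""
    fired = []
    branches = {}  # src_ip -> {"level", "count", "since", "reliability"}

    def open_branch(t, src):
        rel = apply_reliability(0, levels[0]["reliability"])
        branches[src] = {"level": 0, "count": 0, "since": t, "reliability": rel}
        fired.append((t, src, levels[0]["name"], rel))

    for t, src, plugin_id, sid in sorted(events):
        if plugin_id != SSH_PLUGIN_ID or sid not in SSH_FAILURE_SIDS:
            continue  # not an event any rule of this directive matches
        branch = branches.get(src)
        if branch is None:
            open_branch(t, src)  # root rule: occurrence 1, from ANY
            continue
        nxt = branch["level"] + 1
        if nxt >= len(levels):
            continue  # chain fully matched; nothing left to raise
        level = levels[nxt]
        if t - branch["since"] > level["time_out"]:
            open_branch(t, src)  # window missed: start over at the root
            continue
        branch["count"] += 1
        if branch["count"] >= level["occurrence"]:
            branch["reliability"] = apply_reliability(branch["reliability"], level["reliability"])
            branch.update(level=nxt, count=0, since=t)
            fired.append((t, src, level["name"], branch["reliability"]))
    return fired


def risk(asset, reliability, priority=DIRECTIVE_PRIORITY):
    """Risk formula from the report: asset * (reliability * priority / 25)."""
    return asset * (reliability * priority / 25)


# Constructed input: 19 failures one second apart from one attacker (sids
# cycling through 1..6), plus one failure from an unrelated host and one
# event from a different plugin that the directive must ignore.
ATTACK = [(t, "10.0.0.5", SSH_PLUGIN_ID, 1 + t % 6) for t in range(19)]
NOISE = [(4, "10.0.0.9", SSH_PLUGIN_ID, 2), (7, "10.0.0.5", 1001, 1)]

if __name__ == "__main__":
    for t, src, name, rel in correlate(ATTACK + NOISE):
        print(f"t={t:>2}s {src:<9} {name:<40} reliability={rel} risk(asset=5)={risk(5, rel)}")
```

The printed trace shows the attacker's branch firing at 0, 3, 8 and 18 seconds with reliability 3, 4, 6 and 8, while the second address only ever reaches the root rule. The same three-failure burst followed by a single retry 50 seconds later falls outside the 15-second window of the second rule and is scored again as a fresh first failure, which is the behaviour a slow attacker relies on and the reason the time_out values deserve tuning.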

Conclusion
There are many aspects to OSSIM. More than one server can be created. This document has skipped over those details to cover the base concepts. OSSIM has high complexity, yet at the same time it has the sophistication to handle the threats networks and hosts are exposed to today. Its strength is derived from the integration of other tools. It is adept at handling new weaknesses in the network. Part of the difficulty of understanding OSSIM is setting up the network and components. The goal of security is to be equally as good as the attacker, and at the same time to think ahead of him; and when one is not able to think ahead, to have tools that look for anomalies. Because OSSIM is open source, it has the capability to grow through the community. Many eyes are its tools for security.

References
1. Lockhart, Andrew, Network Security Hacks, O'Reilly Media, Inc., ISBN 0596006438, 1st Edition, 2004.
2. YouYou <chensy at netway.net.cn>, Lance <lance at antpower.org>, A Practice of OSSIM, http://www.ossim.net/docs/A_Practice_for_Ossim.pdf, 2004.
3. Casal, Julio, OSSIM Fast Guide, http://www.ossim.net/docs/OSSIMfastguide.pdf, 2004.
4. Draves, Curtis, OSSIM, http://www.ossim.net/docs/OSSIMdescen.pdf, 2003.
5. Winteregg, Joël, Fonctionnement d'OSSIM, http://www.ossim.net/docs/OssimJWinteregg.pdf, 2005.
6. Lavender, Brian, Create a Simple OSSIM Plugin, http://www.ossim.net/dokuwiki/doku.php?id=architecture:plugin_writing, 2007.
7. Lavender, Brian, Create a Host Asset, http://www.ossim.net/dokuwiki/doku.php?id=architecture:hostcreate, 2007.
8. Karg, Dominique, OSSIM Correlation Engine Explained, http://www.ossim.net/docs/correlation_engine_explained_rpc_dcom_example.pdf, 2004.
