Source: http://www.ossec.net
Michael Starks 2009 Immutable Security http://www.immutablesecurity.com
What is OSSEC?
Restart agents
Start integrity checks
Tune rules
Block attacks
Community Commercial
...in real-time
Dozens of decoders
and hundreds of rules out of the box
Open source
Budget friendly
What to audit
Frequency of log rotation
Log format
Method of communication
Alert
Analysis
Decode
Pre-decode
Secure
(encrypted)
Insecure
(syslog)
Localhost
[Figure: a raw log event decoded into named fields such as user, url, src_ip and id]
SSHd Log Pre-Decoded
<decoder name="sshd">
  <program_name>^sshd</program_name>
</decoder>

<decoder name="sshd-success">
  <parent>sshd</parent>
  <prematch>^Accepted</prematch>
  <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port </regex>
  <order>user, srcip</order>
</decoder>
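As an added example (not from the slides and not OSSEC's own code), a small Python emulation of the pre-decode/decode pipeline above: it loads the slide's two sshd decoders and runs them over constructed log lines. The syslog-header regex and the mapping of OSSEC's regex dialect onto Python's re module are assumptions for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the two decoder definitions shown on the slide.
DECODERS_XML = r"""<decoders>
<decoder name="sshd"><program_name>^sshd</program_name></decoder>
<decoder name="sshd-success"><parent>sshd</parent><prematch>^Accepted</prematch>
  <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port </regex>
  <order>user, srcip</order></decoder>
</decoders>"""

# Constructed sshd lines as an agent would forward them (hosts and addresses are made up).
SAMPLE_LOGS = ["Oct  6 21:05:30 host1 sshd[1448]: Accepted password for alice from 192.168.3.1 port 51234 ssh2",
               "Oct  6 21:05:31 host1 sshd[1449]: Failed password for bob from 10.0.0.5 port 40000 ssh2"]

# Assumed syslog header layout: timestamp, hostname, program[pid]: message.
SYSLOG_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (\S+) ([^\[:\s]+)(?:\[\d+\])?: (.*)$")

def pre_decode(line):
    """Pre-decoding: strip the syslog header, keeping hostname, program_name and the log message."""
    m = SYSLOG_RE.match(line)
    return None if not m else dict(zip(("hostname", "program_name", "log"), m.groups()))

def load_decoders(xml_text):
    """Parse <decoder> elements into dicts (only the elements the slide uses)."""
    ds = []
    for d in ET.fromstring(xml_text).findall("decoder"):
        rx = d.find("regex")
        ds.append({"name": d.get("name"), "parent": d.findtext("parent"),
                   "program_name": d.findtext("program_name"), "prematch": d.findtext("prematch"),
                   "regex": None if rx is None else rx.text, "offset": None if rx is None else rx.get("offset"),
                   "order": [f.strip() for f in d.findtext("order", "").split(",") if f.strip()]})
    return ds

def decode(pre, decoders):
    """Walk parent decoders by program_name, then their children by prematch/regex, as OSSEC does."""
    # OSSEC's regex dialect overlaps Python's re for the constructs on the slide (^, \S+, capture groups).
    for parent in decoders:
        if parent["parent"] or not parent["program_name"] or not re.match(parent["program_name"], pre["program_name"]):
            continue
        for child in (c for c in decoders if c["parent"] == parent["name"]):
            pm = re.match(child["prematch"], pre["log"])
            if not pm:
                continue
            # offset="after_prematch": the field regex is applied to the text following the prematch
            text = pre["log"][pm.end():] if child["offset"] == "after_prematch" else pre["log"]
            m = re.match(child["regex"], text)
            if m:
                return child["name"], dict(zip(child["order"], m.groups()))
        return parent["name"], {}   # program matched, but no child decoder extracted fields
    return None, {}
```

The "Failed password" line reaches the sshd parent but yields no fields, which is exactly the case a separate child decoder (or rule) would have to cover.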
●web_scan
●firewall_drop
●account_changed...
<group name="syslog,elevation_of_privilege,">
  <rule id="40501" level="15" timeframe="300" frequency="2">
    <if_group>adduser</if_group>
    <if_matched_group>attacks</if_matched_group>
    <description>Attacks followed by the addition of an user.</description>
  </rule>
</group>
Keeping a
Known Good State
“Unusual” files (hidden directories, files owned by root which are world-writable)
Source: http://www.void.gr/kargig/blog/2009/10/06/ossec-to-the-rescue/
Detect Insecure
Conditions
Getting Notified
<email_alerts>
  <email_to>sec-workling@example.com</email_to>
  <rule_id>144</rule_id>
  <format>sms</format>
</email_alerts>
Preventing Breaches
1. Reconnaissance
2. Scan
3. Exploit
(D+R)>P
This is good!
Worldwide?
A Face to OSSEC
Splunk
OSSIM
Picviz
Network-based IDS
Host-based IDS
Is anti-virus running?
Normal Log
Mon Jun 2 21:05:30 2007 [pid 1448] [myuser] FAIL LOGIN: Client "192.168.3.1"
Log Injection
Mon Jun 2 21:06:02 2007 [pid 1452] [lala] FAIL LOGIN: Client "2.3.4.54" ] FAIL LOGIN: Client "192.168.3.1"
E-mail flooding
By default, OSSEC will only send 12 alerts per hour, queuing the rest until the next hour
Active Response
Response timeout
IP whitelists
Log Injection
Tight regular expressions
Trend Micro
The following images were used under fair use provisions of US copyright
and trademark law:
Logos: Windows, Tux, FreeBSD, PCI and AIX
OSSEC WebUI screenshots
Attribution — You must attribute the work in the manner specified by the author or licensor (but not in
any way that suggests that they endorse you or your use of the work).
Noncommercial — You may not use this work for commercial purposes.
Share Alike — If you alter, transform, or build upon this work, you may distribute the resulting work
only under the same or similar license to this one.
Waiver — Any of the above conditions can be waived if you get permission from the copyright holder.
Other Rights — In no way are any of the following rights affected by the license:
Your fair dealing or fair use rights;
Apart from the remix rights granted under this license, the author's moral rights;
Rights other persons may have either in the work itself or in how the work is used, such as publicity or
privacy rights.
Notice — For any reuse or distribution, you must make clear to others the license terms of this work.