ossec lightning

Post on 05-Dec-2014


DESCRIPTION

A lightning talk prepared for www.brucon.org on the open source host-based intrusion detection system OSSEC (http://www.ossec.net)

TRANSCRIPT

Introduction

What

Host-based intrusion detection
Log analysis
System Integrity
Rootkit checking

Open Source Awesomeness!

X-Platform

Windows NT, XP, 2k, 2k3, Vista, 2008
Linux
AIX
Solaris
HP-UX

And any system that can produce syslog!

Basic Architecture

Client: Log Collection
Server: Log Analysis, Alerting
Client -> Server: UDP, Encrypted, Compressed

Also ...

Client: Log Collection
Server: Log Analysis, Alerting
Client -> Server: Syslog

Log Analysis

PRE-DECODING -> DECODING -> ANALYSIS

An Example (1) - PRE-DECODING

Feb 24 10:12:23 beijing appdaemon:stopped

time/date : Feb 24 10:12:23
Hostname : beijing
Program_name : appdaemon
Log : stopped

An Example (2) - PRE-DECODING

Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10

time/date : Feb 24 10:12:23
Hostname : beijing
Program_name : appdaemon
Log : user john logged on from 10.10.10.10

An Example (3) - DECODING

Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10

time/date : Feb 24 10:12:23
Hostname : beijing
Program_name : appdaemon
Log : user john logged on from 10.10.10.10
Srcip : 10.10.10.10
User : john

An Example (4) - ANALYSIS

<rule id="666" level="0">
  <decoded_as>appdaemon</decoded_as>
  <description>appdaemon rule</description>
</rule>
<rule id="766" level="5">
  <if_sid>666</if_sid>
  <match>^logged on</match>
  <description>successful logon</description>
</rule>

An Example (4) - ANALYSIS

<rule id="866" level="7">
  <if_sid>766</if_sid>
  <hostname>^beijing</hostname>
  <srcip>!192.168.10.0/24</srcip>
  <description>unauthorized logon!</description>
</rule>
<rule id="966" level="13">
  <if_sid>766</if_sid>
  <hostname>^shanghai</hostname>
  <user>!john</user>
  <description>unauthorised logon!</description>
</rule>

The Ruletree - ANALYSIS

666
  766
    866
    966

Advanced rule options - ANALYSIS

<rule id="1066" level="7">
  <if_sid>666</if_sid>
  <match>^login failed</match>
  <description>failed login!</description>
</rule>
<rule id="1166" level="9" frequency="10" timeframe="100">
  <if_matched_sid>1066</if_matched_sid>
  <same_source_ip />
  <description>Probable Brute Force!</description>
</rule>
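As an added example (not from the slides or from OSSEC itself), the three stages above modelled in a few lines of Python: a pre-decoder for the syslog header, a decoder pulling out User and Srcip, a rule-tree walk over the slides' rules 666 to 1166, and the frequency/timeframe escalation with same_source_ip. The decoder regex, the format of the "login failed" line and treating the slide's `^logged on` as a plain substring match (the decoded log field starts with "user ...") are assumptions of this example.

```python
import re, ipaddress

# SYSLOG_RE is the pre-decoder (header -> hostname, program_name, log); FIELDS_RE is a constructed appdaemon decoder for User/Srcip (the "login failed" line's format is an assumption, the slides show only its prefix)
SYSLOG_RE = re.compile(r"^\w{3} +\d+ (?P<hms>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\s]+):\s*(?P<log>.*)$")
FIELDS_RE = re.compile(r"user (?P<user>\S+) |from (?P<srcip>\d+(?:\.\d+){3})")

RULES = [  # the slides' rules as data: if_sid = parent in the tree, if_matched_sid = composite rule
    {"id": 666, "level": 0, "decoded_as": "appdaemon"},                  # level 0 never alerts
    {"id": 766, "level": 5, "if_sid": 666, "match": "logged on"},         # slide: ^logged on, but the log field starts "user ..."
    {"id": 866, "level": 7, "if_sid": 766, "hostname": "^beijing", "srcip": "!192.168.10.0/24"},
    {"id": 966, "level": 13, "if_sid": 766, "hostname": "^shanghai", "user": "!john"},
    {"id": 1066, "level": 7, "if_sid": 666, "match": "^login failed"},
    {"id": 1166, "level": 9, "if_matched_sid": 1066, "frequency": 10, "timeframe": 100},  # same_source_ip
]
CHECKS = (("decoded_as", "program_name", re.fullmatch), ("match", "log", re.search), ("hostname", "hostname", re.search))
NEGATABLE = {"srcip": lambda p, v: ipaddress.ip_address(v) in ipaddress.ip_network(p), "user": lambda p, v: p == v}

def decode(line):
    if not (m := SYSLOG_RE.match(line)):
        return None
    ev = {"hostname": m["host"], "program_name": m["prog"], "log": m["log"]}
    for f in FIELDS_RE.finditer(ev["log"]):
        ev.update({k: v for k, v in f.groupdict().items() if v})
    ev["secs"] = sum(int(x) * 60 ** i for i, x in enumerate(reversed(m["hms"].split(":"))))  # seconds since midnight, same-day logs assumed
    return ev

def matches(rule, ev):  # a leading '!' negates srcip/user as in OSSEC; a missing field never satisfies the condition
    return (not any(k in rule and not fn(rule[k], ev[f]) for k, f, fn in CHECKS)
            and all(ev.get(k) is not None and NEGATABLE[k](rule[k].lstrip("!"), ev[k]) != rule[k].startswith("!")
                    for k in NEGATABLE if k in rule))

def analyze(ev, history):
    matched, parent = None, None  # tree walk: a child is tried only after its parent matched; the deepest match wins
    while nxt := next((r for r in RULES if r.get("if_sid") == parent and "if_matched_sid" not in r and matches(r, ev)), None):
        matched, parent = nxt, nxt["id"]
    # composite rule: escalate once the matched sid repeated `frequency` times within `timeframe` seconds per source IP
    for comp in [c for c in RULES if matched and c.get("if_matched_sid") == matched["id"] and "srcip" in ev]:
        hits = history.setdefault((comp["id"], ev["srcip"]), [])
        hits[:] = [t for t in hits if ev["secs"] - t <= comp["timeframe"]] + [ev["secs"]]
        if len(hits) >= comp["frequency"]:
            matched = comp
    return matched and (matched["id"], matched["level"])

# Constructed sample: the slides' logon line, then 10 failed logins from one address within 10 seconds
SAMPLE = ["Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10",
          *[f"Feb 25 12:02:{i:02d} beijing appdaemon:login failed for user root from 10.10.10.99" for i in range(10)]]

def run(lines):
    history = {}  # (composite rule id, srcip) -> recent match times
    return [analyze(ev, history) for ev in map(decode, lines) if ev]
```

`run(SAMPLE)` yields rule 866 (level 7) for the logon, nine level-7 hits on 1066 and, on the tenth failure within the window, the level-9 escalation to 1166.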

http://www.ossec.net
#ossec on irc.freenode.net

@danielcid on twitter ← not me!
