Ossec Lightning
Introduction
What
Host-based intrusion detection
Log analysis
System integrity
Rootkit checking
Open Source Awesomeness!
X-Platform
Windows NT, XP, 2k, 2k3, Vista, 2008
Linux
AIX
Solaris
HP-UX
And any system that can produce syslog!
Basic Architecture
Client: log collection
Server: log analysis, alerting
Client -> Server transport: UDP, encrypted, compressed
Also ...
Client: log collection
Server: log analysis, alerting
Client -> Server transport: syslog
Log Analysis
PRE-DECODING -> DECODING -> ANALYSIS
An Example (1): PRE-DECODING
Feb 24 10:12:23 beijing appdaemon:stopped
time/date    : Feb 24 10:12:23
Hostname     : beijing
Program_name : appdaemon
Log          : stopped
An Example (2): PRE-DECODING
Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10
time/date    : Feb 24 10:12:23
Hostname     : beijing
Program_name : appdaemon
Log          : user john logged on from 10.10.10.10
An Example (3): DECODING
Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10
time/date    : Feb 24 10:12:23
Hostname     : beijing
Program_name : appdaemon
Log          : user john logged on from 10.10.10.10
Srcip        : 10.10.10.10
User         : john
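The pre-decoding and decoding stages shown in examples (1) to (3), as an added Python example that is not part of the deck and not OSSEC's own code: a regular expression splits a BSD-syslog line into the fixed fields (time/date, hostname, program name, log), and a program-specific decoder, modelled loosely on an OSSEC decoder with a program name, a regex and a field order, then extracts srcip and user from the appdaemon message. The names SYSLOG_RE, DECODERS, predecode, decode and process are this example's own; the sample lines are the two from the slides.

```python
import re

# Added example (not OSSEC code): a minimal model of the pre-decoding and
# decoding stages. The names SYSLOG_RE, DECODERS, predecode, decode and
# process are this example's own, not OSSEC identifiers.

# Pre-decoding: every BSD-syslog line yields the same four fields.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program>[^:\[\s]+)(?:\[\d+\])?:\s*"   # optional [pid] after program
    r"(?P<log>.*)$"
)

# Decoding: (program_name, regex, order) in the spirit of an OSSEC decoder
# with <program_name>, <regex> and <order>. Only the appdaemon logon
# message format from the slides is registered.
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
DECODERS = [
    ("appdaemon",
     re.compile(r"^user (\S+) logged on from " + IPV4 + r"$"),
     ("user", "srcip")),
]


def predecode(line):
    """Pre-decoding: split a syslog line into the fields that are extracted
    for every message before any program-specific decoder runs."""
    m = SYSLOG_RE.match(line)
    if not m:
        # Not syslog-shaped: the whole line becomes the log, rest stays empty.
        return {"timestamp": None, "hostname": None,
                "program_name": None, "log": line.strip()}
    return {"timestamp": m["timestamp"], "hostname": m["hostname"],
            "program_name": m["program"], "log": m["log"]}


def decode(event):
    """Decoding: run the decoders registered for the event's program name;
    the first regex that matches adds its ordered fields (user, srcip)."""
    for program, rx, order in DECODERS:
        if program != event["program_name"]:
            continue
        m = rx.match(event["log"])
        if m:
            event.update(zip(order, m.groups()))
            event["decoded_as"] = program   # what the rules' <decoded_as> sees
            break
    return event


def process(line):
    """Full pipeline up to (but not including) rule analysis."""
    return decode(predecode(line))


# Sample input, taken from the slides.
SAMPLE_LINES = [
    "Feb 24 10:12:23 beijing appdaemon:stopped",
    "Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(process(line))
```

The first sample line pre-decodes but matches no decoder, so it carries no srcip or user; the second gains both plus decoded_as, which is exactly the split the rules on the following slides rely on (rule 666 keys on decoded_as, rules 866 and 966 on srcip and user).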
An Example (4): ANALYSIS

```xml
<!-- Rules must live inside a <group> (e.g. in local_rules.xml); the
     wrapper and quoting were missing on the slide and are fixed here. -->
<group name="appdaemon">
  <rule id="666" level="0">
    <decoded_as>appdaemon</decoded_as>
    <description>appdaemon rule</description>
  </rule>

  <rule id="766" level="5">
    <if_sid>666</if_sid>
    <match>^logged on</match>
    <description>successful logon</description>
  </rule>
</group>
```
An Example (4): ANALYSIS

```xml
<group name="appdaemon">
  <rule id="866" level="7">
    <if_sid>766</if_sid>
    <hostname>^beijing</hostname>
    <srcip>!192.168.10.0/24</srcip>
    <description>unauthorized logon!</description>
  </rule>

  <rule id="966" level="13">
    <if_sid>766</if_sid>
    <hostname>^shanghai</hostname>
    <user>!john</user>
    <description>unauthorised logon !</description>
  </rule>
</group>
```
The Ruletree: ANALYSIS
(each rule hangs off the parent named in its if_sid)
666
  766
    866
    966
Advanced rule options: ANALYSIS

```xml
<group name="appdaemon">
  <rule id="1066" level="7">
    <if_sid>666</if_sid>
    <match>^login failed</match>
    <description>failed login !</description>
  </rule>

  <!-- fires when rule 1066 has matched 10 times within 100 seconds
       from the same source IP -->
  <rule id="1166" level="9" frequency="10" timeframe="100">
    <if_matched_sid>1066</if_matched_sid>
    <same_source_ip />
    <description>Probable Brute Force !</description>
  </rule>
</group>
```
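The rule tree from the two "An Example (4)" slides and the frequency/timeframe correlation from the advanced-options slide, as one added Python example that is not part of the deck and not OSSEC's own analysisd: the six rules (666 to 1166) are transcribed into dicts whose keys mirror the XML elements, a tree walk lets the deepest matching child override its parent (so rule 866 or 966 replaces the generic 766 alert), and a sliding window per matched rule implements frequency, timeframe and same_source_ip. RULES, text_match, ip_match, CHECKS, conditions_hold and Analyzer are this example's own names; the match semantics (leading ^ anchors at the start of the field, leading ! negates, CIDR allowed in srcip) are a simplified model of OSSEC's. Events are assumed to arrive already decoded, with a ts field holding seconds.

```python
from collections import defaultdict, deque
import ipaddress

# Added example (not OSSEC code): the slides' rules transcribed to dicts,
# plus a hypothetical rule engine. Names below are this example's own.
RULES = [
    {"id": 666, "level": 0, "decoded_as": "appdaemon", "description": "appdaemon rule"},
    {"id": 766, "level": 5, "if_sid": 666, "match": "^logged on", "description": "successful logon"},
    {"id": 866, "level": 7, "if_sid": 766, "hostname": "^beijing", "srcip": "!192.168.10.0/24", "description": "unauthorized logon!"},
    {"id": 966, "level": 13, "if_sid": 766, "hostname": "^shanghai", "user": "!john", "description": "unauthorised logon !"},
    {"id": 1066, "level": 7, "if_sid": 666, "match": "^login failed", "description": "failed login !"},
    {"id": 1166, "level": 9, "if_matched_sid": 1066, "frequency": 10, "timeframe": 100, "same_source_ip": True, "description": "Probable Brute Force !"},
]


def text_match(pattern, value):
    """Simplified OSSEC-style match: leading '!' negates, leading '^' anchors
    at the start of the field, otherwise substring. A missing field never matches."""
    if value is None:
        return False
    negate = pattern.startswith("!")
    pattern = pattern.lstrip("!")
    if pattern.startswith("^"):
        hit = value.startswith(pattern[1:])
    else:
        hit = pattern in value
    return hit != negate


def ip_match(pattern, value):
    """srcip check: exact address or CIDR block, leading '!' negates."""
    if value is None:
        return False
    negate = pattern.startswith("!")
    net = ipaddress.ip_network(pattern.lstrip("!"), strict=False)
    return (ipaddress.ip_address(value) in net) != negate


# (rule element, event field it is checked against, matcher)
CHECKS = [
    ("decoded_as", "decoded_as", lambda p, v: p == v),
    ("match", "log", text_match),
    ("hostname", "hostname", text_match),
    ("user", "user", text_match),
    ("srcip", "srcip", ip_match),
]


def conditions_hold(rule, event):
    """Every element present in the rule must match the decoded event."""
    return all(fn(rule[elem], event.get(field))
               for elem, field, fn in CHECKS if elem in rule)


class Analyzer:
    def __init__(self, rules=RULES):
        self.children = defaultdict(list)   # parent sid -> child rules (if_sid)
        self.roots, self.freq_rules = [], []
        for r in rules:
            if "if_sid" in r:
                self.children[r["if_sid"]].append(r)
            elif "if_matched_sid" in r:
                self.freq_rules.append(r)
            else:
                self.roots.append(r)
        self.history = defaultdict(deque)   # sid -> deque of (ts, srcip)

    def _walk(self, rule, event):
        """Descend the rule tree; a matching child overrides its parent,
        so the deepest (most specific) rule is the one that fires."""
        for child in self.children[rule["id"]]:
            if conditions_hold(child, event):
                return self._walk(child, event)
        return rule

    def analyze(self, event):
        """Return the rule that fires for one decoded event, or None."""
        fired = None
        for root in self.roots:
            if conditions_hold(root, event):
                fired = self._walk(root, event)
                break
        if fired is None:
            return None
        for fr in self.freq_rules:
            if fr["if_matched_sid"] != fired["id"]:
                continue
            hist = self.history[fr["if_matched_sid"]]
            now = event.get("ts", 0)
            hist.append((now, event.get("srcip")))
            while hist and now - hist[0][0] > fr["timeframe"]:   # expire old hits
                hist.popleft()
            if fr.get("same_source_ip"):
                n = sum(1 for _, ip in hist if ip == event.get("srcip"))
            else:
                n = len(hist)
            if n >= fr["frequency"]:
                hist.clear()          # one composite alert per burst
                return fr
        return fired
```

Feeding the decoded logon from example (3) (with a log that begins "logged on", as rule 766 requires) fires 866 when the source is outside 192.168.10.0/24 and only 766 when it is inside; a tenth "login failed" from one address within 100 seconds replaces the tenth 1066 alert with the level-9 composite 1166. Clearing the window after the composite fires is a design choice of this example, so a continuing burst raises one brute-force alert per ten failures rather than one per failure.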
http://www.ossec.net
#ossec on irc.freenode.net
@danielcid on twitter ← not me!