McGyver's SIEM -- Building the best free HUD

McGyver’s SIEMBuilding the best free HUD

Wim Remes

Thursday 21 October 2010

What we won’t need today ...


The views and opinions expressed in this presentation arethose of the presenter and do not reflect those of past,

current or future employers, associates or clients.


FOSS will never ever provide you with a complete SIEMsolution. Implementing SIEM is hard work and requires

dedication and vision. The premise of this talk is to enable you to build the skillset required to implement a SIEM solution and

for you to understand your needs using free and open source software. With that skillset you will then be enabled to to make an informed choice, lower the

actual implementation cost and improve ROI.

More importantly, it will teach your technical people how to interpret data, build use cases and apply a common-sensical methodology.

Instead of making them button-clicking drones (again),here’s your chance to make your people the strongest link not the weakest.


Who am I ?

Wim Remes

Ernst & Young (Belgium)

infosecmentors.com

eurotrashsecurity.eu


1. What is SIEM ?2. A common-sensical approach.3. Let’s get it on !4. Ask away ...

What is this about ?


What is SIEM ?1

(Definition)


Security Information & Event Management

Software/Hardware that gathers, analyzes and presents information from multiple sources

of security-relevant data.(thanks to wikipedia)


Security Information & Event Management

SIEM

SEM SIMESIM

Log Management

(+ everything your vendor wants it or it’s name to be)


DATA INFORMATION


Information

Knowledge

Understanding

Wisdom


What is SIEM ?1

(Functionality we want)


Collection

syslog

scp

ftp


Normalization

FW_1

FW_2

I dropped a packet from x to z on port 80 at 13:22

rejected x:1234 to z:22 at 1:23pm

time : 13:22action : droppedsource: xdestination : zport : 80

time : 13:23action : droppedsource: xdestination : zport : 22


Correlationtime : 04:22action : failedsrc_ip : a.b.c.duser : craig

time : 04:23action : failedsrc_ip : a.b.c.duser : craig

time : 04:24action : failedsrc_ip : a.b.c.duser : craig

time : 04:25action : successsrc_ip : a.b.c.duser : craig

Brute-forceattack ? Brute-force

attack ?(look at this in the morning)

(wake the f* up now !)


3 base use cases

React Faster

Improve Efficiency

Automate Compliance

Securosis : Understanding and Selecting SIEM/Log Management


common-sensical approach2


Architecture

FLAT


Architecture

HIERARCHICAL


Architecture

MESH


Data Sources

Data Points

Use Cases

integrating SIEM


Let’s get it on !3


Our arsenal

ossechttp://www.ossec.net

syslog-nghttp://www.balabit.com/network-security/syslog-ng

ossimhttp://www.alienvault.com

davixhttp://www.secviz.org

(+ some golden nuggets)


http://www.ossec.net


http://www.balabit.com/network-security/syslog-ng

http://www.balabit.com/network-security/syslog-ng

http://www.alienvault.com




OSSEC

Host Based Intrusion Detection/Prevention

- Log Monitoring- Integrity Control & Host Checking- Policy Monitoring- Real-time alerting & Active Response

Running on :Windows, AIX,Solaris,HP-UX,MacOS & Linux


OSSEC

ossec-logcollector

agentd remoted

analysisd

maild execdClient

Server


OSSEC

OSSECOSSEC

SIEM

syslog

= OSSEC agent

agentless !

* observation : none of the leading SIEM solutions support OSSEC as an event source out of the box, why ?


OSSEC

pre-decoding

decoding

signatures


OSSEC

thanks to Xavier Mertens (@xme)

Aug 26 13:56:07 192.168.0.5 1,2010/08/26 13:56:07,0003A100245,THREAT,\ vulnerability,8,2010/08/26 13:56:01,10.0.0.1,10.0.0.2,0.0.0.0,\ 0.0.0.0,rule2,domain\user,,netbios-ns,vsys1,TAP-ZONE,TAP-ZONE,ethernet1/1,\ ethernet1/1,Logger,2010/08/26 13:56:07,136674,3,137,137,0,0,0x8000,udp,\ alert,"",NetBIOS nbtstat query(31707),any,low,client-to-server

palo alto threat detection


OSSECpalo alto threat detection

(decoder)

<-- Custom decoder for PaloAlto Firewalls Threat Events --><decoder name="paloalto-threat"> <prematch>^\d,\d\d\d\d/\d\d/\d\d \d\d:\d\d:\d\d,\.+,THREAT,</prematch> <regex>(\d+.\d+.\d+.\d+),(\d+.\d+.\d+.\d+),\d+.\d+.\d+.\d+,\d+.\d+.\d+.\d+,\.+,(\.*),(\.*),\.+,alert,\.+,(\.+),\.+$</regex> <order>srcip,dstip,srcuser,dstuser,extra_data</order></decoder>



<group name="syslog,paloalto-threat,"> <rule id="150000" level="0"> <decoded_as>paloalto-threat</decoded_as> <description>PaloAlto Firewalls Threat Events</description> </rule>

<rule id="150001" level="10"> <if_sid>150000</if_sid> <match>NetBIOs</match> <description>Possible NetBIOS attack detected!</description> </rule>

<rule id="150002" level="10"> <if_sid>150000</if_sid> <user>domain\administrator</user> <description>Possible attack detected against Administrator!</description> </rule></group>

OSSECpalo alto threat detection

(rules)



OSSEC

rules

login

success

from unauthorized ip address !

failed

100 times in the last 10

minutes

on critical server wake the f* up !


OSSEC

rules

login

success

from unauthorized ip address !

failed

100 times in the last 10

minutes

on critical server

AR

AR don’t bother, everything is under control


OSSIM(includes OSSEC)

sensor sensor sensor

serverDB

frontend

snort, nessus, Spade, p0f,Ntop, arpwatch, OSSEC, ...

normalization, prioritization, collection, risk assessment,

correlation, ...

< you are here !


OSSIMrisk maps


OSSIMcompliance reporting


OSSIMevent analysis


OSSIMincident response


Let’s get it on !3

a few words on data visualization(because it’s important !)


Choosing the right chart !

http://ebiquity.umbc.edu/blogger/2009/01/25/how-to-choose-the-right-chart-for-your-data/


http://bit.ly/13QLv

http://bit.ly/13QLv

DAVIX

Data visualization Live CD

- free data processing and visualization tools- Bootable CD- available from http://www.secviz.org- part of “Applied Security Visualization” by Raffael Marty


http://www.secviz.org


source : http://www.secviz.org

a firewall log treemap





radial firewall visualization





windows event log types





1 day of firewall logs




gl-tail

http://www.fudgie.org/


http://www.fudgie.org

http://www.fudgie.org

Recap

Focus on approach, not tools

Use open source to facilitate & learn

Integrate in architecture later


Thank you !interesting people to follow :

@andrewsmhay@zrlram

@anton_chuvakin@rockyd

@xme

podcast :LogChat (see Anton’s blog or iTunes)

websites : http://www.securosis.com

http://www.secviz.orghttp://www.ossec.net

http://www.alienvault.comhttp://chuvakin.blogspot.com/

http://blog.rootshell.behttp://www.decurity.com

[email protected]@wimremes


http://www.securosis.com

http://www.securosis.com







http://chuvakin.blogspot.com

http://chuvakin.blogspot.com

http://blog.rootshell.be




mailto:[email protected]

mailto:[email protected]

McGyver's SIEM -- Building the best free HUD

Technology

Transcript of McGyver's SIEM -- Building the best free HUD