Ossec Lightning
14
Introduction Introduction
-
Upload
wremes -
Category
Technology
-
view
2.310 -
download
3
description
A lightning talk prepared for www.brucon.org on the open source host-based intrusion detection system OSSEC (http://www.ossec.net)
Transcript of Ossec Lightning
IntroductionIntroduction
WhatWhat
Host-based intrusion detectionHost-based intrusion detectionLog analysisLog analysis
System IntegritySystem IntegrityRootkit checkingRootkit checking
Open Source Awesomeness !Open Source Awesomeness !
X-PlatformX-Platform
Windows NT,XP,2k,2k3,Vista,2008Windows NT,XP,2k,2k3,Vista,2008LinuxLinuxAIXAIX
SolarisSolarisHP-UXHP-UX
And any system that can produce syslog !And any system that can produce syslog !
Basic ArchitectureBasic Architecture
Client ServerLog Collection Log Analysis
Alerting
UDPEncrypted
Compressed
Also ...Also ...
Client ServerLog CollectionLog Analysis
Alerting
Syslog
Log AnalysisLog Analysis
PRE-DECODING DECODING ANALYSIS
An Example (1)An Example (1)PRE-DECODING
Feb 24 10:12:23 beijing appdaemon:stopped
time/date : Feb 24 10:12:23Hostname : beijingProgram_name : appdaemonLog : stopped
An Example (2)An Example (2)PRE-DECODING
Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10
time/date : Feb 24 10:12:23Hostname : beijingProgram_name : appdaemonLog : user john logged on from 10.10.10.10
An Example (3)An Example (3)DECODING
Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10
time/date : Feb 24 10:12:23Hostname : beijingProgram_name : appdaemonLog : user john logged on from 10.10.10.10Srcip : 10.10.10.10 User : john
An Example (4)An Example (4)ANALYSIS
<rule id=666 level=”0”><decoded_as>appdaemon</decoded_as><description>appdaemon rule</description>
</rule><rule id=”766” level=”5”>
<if_sid>666</if_sid><match>^logged on</match><description>succesful logon</description>
</rule>
An Example (4)An Example (4)ANALYSIS
<rule id=866 level=”7”><if_sid>766</if_sid><hostname>^beijing</hostname><srcip>!192.168.10.0/24</srcip><description>unauthorized logon!</description>
</rule><rule id=”966” level=”13”>
<if_sid>766</if_sid><hostname>^shanghai</hostname><user>!john</user><description>unauthorised logon !</description>
</rule>
The RuletreeThe RuletreeANALYSIS
666
766
866
966
Advanced rule optionsAdvanced rule optionsANALYSIS
<rule id=1066 level=”7”><if_sid>666</if_sid><match>^login failed</hostname><description>failed login !</description>
</rule><rule id=”1166” level=”9” frequency=”10” timeframe=”100”>
<if_matched_sid>1066</if_matched_sid><same_source_ip /><description>Probable Brute Force !</description>
</rule>
http://www.ossec.nethttp://www.ossec.net#ossec on irc.freenode.net#ossec on irc.freenode.net
@danielcid on twitter ← not me!@danielcid on twitter ← not me!
