AlienVault: Integrated Tools

AlienVault SIEM Integrated Tools

Tools Classiﬁcation • Tools integrated in AlienVault can be classified into two categories according to the behavior of these tools within the network being monitored. ‣ Active: They generate traffic within the Network that is being monitored. ‣ Passive: They analyze network traffic without generating any traffic within the monitored network. The passive tools require a port mirroring/port span configured in the network equipment to be able to analyze all traffic of the monitored network/s.2

PASSIVE TOOL Snort NIDS • Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS). ‣ http://www.snort.org • Snort generates security events when analyzing the network traffic • Snort combines signature, protocol, and anomaly-based inspection • Utility within AlienVault: ‣ Port scans ‣ Worms ‣ Malware ‣ Policy violations (P2P, IM, Porn, Games...)3

PASSIVE TOOL Snort NIDS• Policy violations alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Megaupload file download service access"; flow:to_server,established; content:"GET "; depth: 4; uricontent:"/?d="; content:"|0d 0a|Host: "; content:"megaupload.com"; within:25; nocase; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009301; reference:url,www.emergingthreats.net/cgi-bin/ cvsweb.cgi/sigs/POLICY/POLICY_Download_Services; sid:2009301; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Porn-Sports-Gambling site designed to bypass restrictions"; flow:to_server,established; content:"Host:"; nocase; pcre:"/Host:[^n]+.(bodog|bodogbeat|bodognation|bodogmusic| bodogconference|bodogpokerchampionships).com/i"; reference:url,www.bodog.com; classtype:policy-violation; reference:url,doc.emergingthreats.net/2003100; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/ POLICY_bodog.com; sid:2003100; rev:4;)• Malware alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus (IAInstall.exe)"; flow:established,to_server; uricontent:"/download/IAInstall.exe"; nocase; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/ CURRENT_Malwareurl_top_downloads; reference:url,doc.emergingthreats.net/2010447; sid:2010447; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: (msg:"ET MALWARE 404 Response with an EXE Attached - Likely Malware Drop"; flow:established,from_server; content:"HTTP/1.1 404 Not Found|0d 0a|"; depth:24; content:"|0d 0a 0d 0a|MZ"; distance: 0; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2009028; reference:url,www.emergingthreats.net/ cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_404_EXE; sid:2009028; rev:2;)4

PASSIVE TOOL Snort NIDS• Virus and Trojans alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET VIRUS Bugbear@MM virus via SMTP"; flow: established; content:"uv +LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQk/xWcEQmDxCTD"; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001764; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_BugBear; sid: 2001764; rev:6;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM UPX encrypted file download - possible worm"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"|00|code|00|"; content:"|00 C0|text|00|"; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001047; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/WORM_Suspicious_Extensions; sid: 2001047; rev:6;)• Scans alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET SCAN Unusually Fast 403 Error Messages, Possible Web Application Scan"; flow:from_server,established; content:"HTTP/1.1 403"; depth:13; threshold: type threshold, track by_dst, count 35, seconds 60; classtype:attempted-recon; reference:url,www.checkupdown.com/status/E403.html; reference:url,doc.emergingthreats.net/ 2009749; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_403; sid:2009749; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"ET SCAN Rapid POP3 Connections - Possible Brute Force Attack"; flags: S, 12; threshold: type both, track by_src, count 10, seconds 120; classtype: misc-activity; reference:url,doc.emergingthreats.net/2002992; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_General_Services; sid: 2002992; rev:5;)5

PASSIVE TOOL Ntop Network Monitor • Ntop is a network probe that shows network usage in a way similar to what top does for processes. Ntop is a network and use monitor. ‣ http://www.ntop.org • Ntop provides information (Real-time and historical) of the network usage • Utility within AlienVault: ‣ Usage network statistics ‣ Assets information ‣ Time and activity matrixes ‣ Real-time session monitoring ‣ Network abuse6

PASSIVE TOOL Ntop - RRD Aberrant Behaviour Network Anomalies ‣ Analyzing the historical data, Ntop uses the RRD Aberrant Behaviour algorithm to draw predictions of future behaviour of our assets and networks. ‣ If the prediction differs from the real traffic an event is generated in AlienVault7

PASSIVE TOOL Fprobe NetFlows generator ‣ Fprobe is a tool that collects network traffic data and emits it as NetFlow flows towards the specified collector (NFdump in AlienVault). - http://fprobe.sf.net NetFlows AlienVault Sensor running Fprobe emits NetFlows when collecting the network traffic (Port mirroring / HUB / Network tap...) The AlienVault Web Interface (Framework) runs the Netflow collector. NetFlowsThe major manufacturers implement into their devices the ability to 8 send Netflows. in this case is not necessary using Fprobe.

PASSIVE TOOL NFDump Netflows collection ‣ The nfdump tools collect and process netflow data - http://nfdump.sourceforge.net/ NetFlows NFDump runs in the box running the AlienVault Web Interface NetFlows9

NFSen Web Based Tool ‣ NFSen is a graphical web based front end for the nfdump netflow tools. - http://nfsen.sourceforge.net/ ‣ NetFlow is a network protocol developed by Cisco Systems to run on Cisco IOS- enabled equipment for collecting IP traffic information. ‣ It is supported by platforms other than IOS such as Juniper, Linux, FreeBSD or OpenBSD.10

ACTIVE TOOL OCS Inventory Agent • Open Computer and Software Inventory Next Generation (OCS inventory NG) is free software that enables users to inventory their IT assets. ‣ http://www.ocsinventory-ng.org • OCS-NG collects information about the hard- and software of networked machines running the OCS client program ("OCS Inventory Agent"). • Utility within AlienVault ‣ Inventory Management (Software & Hardware) ‣ Vulnerability Management ‣ Policy violations ‣ Hardware monitoring11

ACTIVE TOOL Nagios Availability Monitor Agent - Web • Nagios is a computer system and network monitoring software application. • It watches hosts and services, alerting users when things go wrong and again when they get better. ‣ http://www.nagios.org • Multiple checks (Different complexity) can be configured in Nagios. E.g.: MySQL Server ‣ Check whether the host is up or not ‣ Check whether the MySQL port is opened or closed ‣ Check whether there is a MySQL listening in that port ‣ Do a query and check the result12

ACTIVE TOOL Nagios Availability Monitor Agent - Web • Utility within AlienVault: ‣ Availability monitoring (As any other Data Source) ‣ Availability monitoring by request (During Logical Correlation) • Nagios can do checks remotely or with agent deployed on the host that is being monitored. • Nagios has a wide number of plugins to monitor different devices and applications.13

ACTIVE TOOL OpenVas Vulnerability Scanning • OpenVAS (Open Vulnerability Assessment System) is a framework of several services and tools offering a vulnerability scanning and vulnerability management solution. ‣ http://www.openvas.org • OpenVas uses signatures to identify vulnerabilities in the host of our network. • Utility within AlienVault ‣ Attacks prevention (We know what is vulnerable) ‣ Is the network policy being violated? ‣ Shared folders, forbidden activities... ‣ Compliance monitoring14

ACTIVE TOOL OpenVas Vulnerability Scanning • Some vulnerabilities can only be verified after actually exploiting them (E.g.: DOS) • OpenVas allows scanning aggressiveness fine-tuning. • OpenVas is able to perform local scans on remote machines if valid credentials for them are provided. The OpenVas component scanning the network is installed by default in each AlienVault Sensor Mis-configured scans may severely impact the scanned network. After installation, the first scanning profiles have to be defined and watched over very carefully.15

ACTIVE TOOL Nikto Vulnerability Scanning • Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items ‣ http://cirt.net/nikto2 • Nikto scans web servers to find potential problems and security vulnerabilities, including: ‣ Server and software misconfigurations ‣ Default files and programs ‣ Insecure files and programs ‣ Outdated servers and programs16

OSVDB Database • OSVDB is an independent and open source database created by and for the security community. • The goal of the project is to provide accurate, detailed, current and unbiased technical information on security vulnerabilities. ‣ http://www.osvdb.org ‣ Usage within AlienVault - Correlation rule creation - Vulnerability identifier cross-relation - Complements OpenVas scanning information17

OSVDB Database • Vulnerability Description • Indicators and references18

OSVDB Database • Tool relationships • CVSSv2 Score (Common Vulnerability Scoring System):19

ACTIVE TOOL OSSEC HIDS Agents • OSSEC is a HIDS (Host-level Intrusion Detection System) that features log analysis, rootkit detection, system integrity checking and Windows registry monitoring. ‣ http://www.ossec.org • OSSEC requires an agent to be installed for monitoring. (Except ssh-accesible systems) OSSEC Agent-less collection SSH-accessible system OSSEC Agent for Windows System The OSSEC Server runs in the AlienVault Sensor OSSEC Agent for MacOSX20

ACTIVE TOOL OSSEC HIDS Agents • OSSEC is based on a client -> server architecture, AlienVault collects events from the OSSEC server (Installed in the AlienVault Sensor). • OSSEC provides it’s own plugin system used for Windows and UNIX tool analysis. • Utility within OSSIM: ‣ Windows and Unix log collection ‣ Application log collection ‣ Registry, file and folder monitorization (DLP)21

PASSIVE TOOL Kismet WIDS • Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. • http://www.kismetwireless.net • Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and (with appropriate hardware) can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. • Utility within AlienVault: ‣ WIFI network securization. ‣ Rogue AP detection ‣ Compliance enforcement (PCI Wireless requirements)22

ACTIVE TOOL Nmap Scanner • Nmap is a security scanner used to discover hosts and services on a computer network ‣ http://www.nmap.org • Nmap provides customizable options for host and network scanning (Speed, range, precision…) • Utility within AlienVault: ‣ Asset Discovery ‣ Open port discovery ‣ Service version discovery ‣ Operating System manufacturer and version discovery23

PASSIVE TOOL P0f OS Fingerprinting • P0f is a versatile passive OS fingerprinting tool ‣ http://lcamtuf.coredump.cx/p0f.shtml • Passive Operating System detection based on traffic pattern analysis. • Utility within AlienVault: ‣ Operating System changes ‣ Inventory Management ‣ Unauthorized network access24

PASSIVE TOOL Pads Services Fingerprinting • PADS is a signature based detection engine used to passively detect network assets. ‣ http://passive.sourceforge.net • Utility within AlienVault: ‣ Inventory Management ‣ Service version changes ‣ Policy violations ‣ Inventory correlation25

PASSIVE TOOL Arpwatch MAC Fingerprinting • Arpwatch is an ethernet monitor program that keeps tracks of ethernet/ip address pairing ‣ http://ee.lbl.gov • Utility within AlienVault: ‣ Inventory Management ‣ IP address change detection ‣ ARPSpoofing26

ACTIVE TOOL Nedi Network Discovery • NeDi is an open source network management framework which uses scheduled discovery to examine your network. ‣ http://nedi.ch • NeDI requires SNMP read access for all network hardware.27

http://a0.twimg.com	2
http://paper.li	1
https://twitter.com	1
http://twitter.com	1

AlienVault: Integrated Tools

by Alienvault on Mar 08, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

4 Embeds 5

Statistics

AlienVault: Integrated Tools — Presentation Transcript