Integrated Tools in OSSIM

Tools Integrated in OSSIM.


  1. Integrated Tools
     - http://www.alienvault.com
     - Juan Manuel Lorenzo (jmlorenzo@alienvault.com)
  2. Active / Passive
     - The different tools integrated within OSSIM can be classified under the following categories:
       - Active: they generate traffic within the network that is being monitored.
       - Passive: they analyze network traffic without generating any traffic within the monitored network.
     - The passive tools require port mirroring (port span) to be configured in the network equipment.
  3. Snort
     - NIDS (Network Intrusion Detection System)
     - http://www.snort.org
     - Snort analyzes the network traffic.
     - Events are generated when the Snort patterns (signatures) match the network traffic.
     - Utility within OSSIM:
       - Portscans
       - Worms
       - Malware
       - Policy violations (P2P, IM, Porn, Games...)
     - PASSIVE
  4. Snort
     - PASSIVE
     - Policy violations

       ```
       alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Megaupload file download service access"; flow:to_server,established; content:"GET "; depth: 4; uricontent:"/?d="; content:"|0d 0a|Host: "; content:"megaupload.com"; within:25; nocase; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009301; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Download_Services; sid:2009301; rev:2;)
       alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Porn-Sports-Gambling site designed to bypass restrictions"; flow:to_server,established; content:"Host:"; nocase; pcre:"/Host:[^\n]+\.(bodog|bodogbeat|bodognation|bodogmusic|bodogconference|bodogpokerchampionships)\.com/i"; reference:url,www.bodog.com; classtype:policy-violation; reference:url,doc.emergingthreats.net/2003100; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_bodog.com; sid:2003100; rev:4;)
       ```

     - Malware

       ```
       alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus (IAInstall.exe)"; flow:established,to_server; uricontent:"/download/IAInstall.exe"; nocase; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; reference:url,doc.emergingthreats.net/2010447; sid:2010447; rev:2;)
       alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: (msg:"ET MALWARE 404 Response with an EXE Attached - Likely Malware Drop"; flow:established,from_server; content:"HTTP/1.1 404 Not Found|0d 0a|"; depth:24; content:"|0d 0a 0d 0a|MZ"; distance:0; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2009028; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_404_EXE; sid:2009028; rev:2;)
       ```
  5. Snort
     - PASSIVE
     - Virus and Trojans

       ```
       alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET VIRUS Bugbear@MM virus via SMTP"; flow: established; content:"uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQk/xWcEQmDxCTD"; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001764; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_BugBear; sid: 2001764; rev:6;)
       alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM UPX encrypted file download - possible worm"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"|00|code|00|"; content:"|00 C0|text|00|"; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001047; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/WORM_Suspicious_Extensions; sid: 2001047; rev:6;)
       ```

     - Scans

       ```
       alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET SCAN Unusually Fast 403 Error Messages, Possible Web Application Scan"; flow:from_server,established; content:"HTTP/1.1 403"; depth:13; threshold: type threshold, track by_dst, count 35, seconds 60; classtype:attempted-recon; reference:url,www.checkupdown.com/status/E403.html; reference:url,doc.emergingthreats.net/2009749; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_403; sid:2009749; rev:2;)
       alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"ET SCAN Rapid POP3 Connections - Possible Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 10, seconds 120; classtype: misc-activity; reference:url,doc.emergingthreats.net/2002992; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_General_Services; sid: 2002992; rev:5;)
       ```
  6. Ntop
     - Network usage monitor
     - http://www.ntop.org
     - Ntop analyzes all the network traffic.
     - Ntop provides real-time and historical information about network usage.
     - Utility within OSSIM:
       - Network usage statistics
       - Assets information
       - Time and activity matrices
       - Real-time session monitoring
       - Network abuse
     - PASSIVE
  7. Ntop
     - PASSIVE
  8. Ntop
     - Ntop passively creates a profile for every asset in our network.
     - PASSIVE
  9. Ntop
     - Data & Time Matrices
     - PASSIVE
  10. Ntop – RRD Aberrant Behaviour
     - Analyzing the historical data, Ntop uses the RRD Aberrant Behaviour algorithm to predict the future behaviour of our assets and networks.
     - If the prediction differs from the real traffic, an event is generated within OSSIM.
     - PASSIVE
  11. NFSen / NFdump
     - Nfdump: the nfdump tools collect and process netflow data on the command line.
     - http://nfdump.sourceforge.net/
     - NFSen is a graphical web-based front end for the nfdump netflow tools.
     - PASSIVE
  12. NFSen / NFdump
     - NetFlow is a network protocol developed by Cisco Systems to run on Cisco IOS-enabled equipment for collecting IP traffic information.
     - It is supported by platforms other than IOS such as Juniper, Linux, FreeBSD or OpenBSD.
     - PASSIVE
  13. OCS
     - Inventory Management
     - http://www.ocsinventory-ng.org
     - OCS requires an agent installed on every inventoried computer.
     - OCS can also be used to deploy software packages.
     - Utility within OSSIM:
       - Inventory Management (Software & Hardware)
       - Vulnerability Management
       - Policy violations
       - Hardware monitoring
     - ACTIVE (AGENTS)
  14. OCS
     - ACTIVE (AGENTS)
  15. Nagios
     - Availability monitor
     - http://www.nagios.org
     - Nagios monitors the availability of assets and services in our network.
     - A service can be monitored using different checks:
       - Ex: MySQL Server
         - Check whether the host is up or not
         - Check whether the MySQL port is open or closed
         - Check whether there is a MySQL server listening on that port
         - Do a query and check the result
     - ACTIVE
  16. Nagios
     - Utility within OSSIM:
       - Availability monitoring (as a detector and in real time)
     - Nagios can do checks remotely or with an agent deployed on the host that is being monitored.
     - Nagios has a wide number of plugins to monitor different devices and applications.
     - ACTIVE
  17. OpenVas
     - Vulnerability Scanning
     - http://www.openvas.org
     - OpenVas uses signatures to identify vulnerabilities in the hosts of our network.
     - Utility within OSSIM:
       - Attack prevention (we know what is vulnerable)
       - Is the network policy being violated?
       - Shared folders, forbidden activities...
     - ACTIVE
  18. OpenVas
     - Some vulnerabilities can only be verified by actually exploiting them (Ex: DoS).
     - OpenVas allows the aggressiveness of a scan to be fine-tuned.
     - Misconfigured scans may severely impact the scanned network. After installation, the first scanning profiles have to be defined and watched over very carefully.
     - ACTIVE
  19. OpenVas
     - OpenVas is able to perform local scans on remote machines if valid credentials for them are provided.
     - This way OpenVas has an exact listing of the software installed on remote hosts and can determine existing vulnerabilities with a high degree of accuracy.
     - OpenVas provides its own plugin creation language.
     - ACTIVE
  20. OSVDB
     - Vulnerability Database
     - http://www.osvdb.org
     - OSVDB is a compendium of vulnerabilities.
     - Usage within OSSIM:
       - Correlation rule creation
       - Vulnerability identifier cross-relation
       - Complements OpenVas scanning information
  21. OSVDB
     - Vulnerability Description:
     - Indicators and references:
  22. OSVDB
     - Inter-tool relationships:
     - CVSSv2 Score (Common Vulnerability Scoring System):
  23. OSSEC
     - HIDS (Host level IDS)
     - http://www.ossec.org
     - OSSEC requires an agent to be installed for monitoring (except on SSH-accessible systems).
     - OSSEC features log analysis, rootkit detection, system integrity checking and Windows registry monitoring.
     - ACTIVE (AGENTS)
  24. OSSEC
     - OSSEC is based on a client-server architecture; OSSIM collects events from the OSSEC server.
     - OSSEC provides its own plugin system used for Windows and UNIX tool analysis.
     - Utility within OSSIM:
       - Windows and Unix log collection
       - Application log collection
       - Registry, file and folder monitoring (DLP)
     - ACTIVE (AGENTS)
  25. Kismet
     - Wireless network sniffer and IDS
     - http://www.kismetwireless.net
     - Kismet requires a compatible Wi-Fi NIC that allows raw monitoring and 802.11b, 802.11a, 802.11n and 802.11g sniffing.
     - Utility within OSSIM:
       - Wi-Fi network security
       - Rogue AP detection
       - Compliance enforcement (PCI)
     - PASSIVE
  26. Nmap
     - Port Scanner
     - http://www.insecure.org
     - Nmap provides customizable options for host and network scanning (speed, range, precision…)
     - Utility within OSSIM:
       - Asset discovery
       - Open port discovery
       - Service version discovery
       - Operating system manufacturer and version discovery
       - May determine some hardware details about the scanned host
     - ACTIVE
  27. P0f
     - Operating System anomaly detection
     - http://lcamtuf.coredump.cx/p0f.shtml
     - Passive operating system detection based on traffic pattern analysis.
     - Utility within OSSIM:
       - Operating system changes
       - Inventory Management
       - Unauthorized network access
     - PASSIVE
  28. Pads
     - Service anomaly detection
     - http://passive.sourceforge.net/
     - Passively detects running services based on traffic pattern matching.
     - Utility within OSSIM:
       - Inventory Management
       - Service version changes
       - Policy violations
       - Inventory correlation
     - PASSIVE
  29. Arpwatch
     - MAC address anomaly detection
     - http://ee.lbl.gov/
     - Based on the traffic generated by network assets, Arpwatch is able to identify the MAC address associated with each IP address.
     - Utility within OSSIM:
       - Inventory Management
       - IP address change detection
       - ARP spoofing
     - PASSIVE
  30. Tcptrack
     - Session Monitor (network)
     - http://www.rhythm.cx/~steve/devel/tcptrack/
     - Tcptrack provides information about network sessions (duration, transferred data…)
     - Utility within OSSIM:
       - Session information used for correlation
     - PASSIVE
  31. Nepenthes
     - Honeypot
     - http://nepenthes.mwcollect.org
     - Nepenthes emulates known services and vulnerabilities in order to collect information about potential attackers (attack patterns, files, …)
     - Utility within OSSIM:
       - Detect infected systems (they’ll target the honeypot)
       - Rule and directive creation based on captured files/attacks
       - Malware collection
     - PASSIVE
  32. About this document
     - This document is part of the OCSA Training Material (OSSIM Certified Security Analyst).
     - Author: Juan Manuel Lorenzo (jmlorenzo@alienvault.com)
     - Copyright © Alienvault 2010
     - All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and publisher.
     - Any trademarks referenced herein are the property of their respective holders.
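
The two scan rules on slide 5 differ mainly in their `threshold` option (`type threshold` in sid 2009749, `type both` in sid 2002992). The following Python model is an added example, not part of the original slides or of Snort; it follows Snort's documented meaning of the two types in simplified form, and the function name and all event data are constructed for illustration.

```python
from collections import defaultdict


def simulate(kind, count, seconds, events):
    """Return the (timestamp, tracked_ip) pairs at which an alert would fire.

    kind      "threshold": alert on every `count`-th event inside a window
              "both":      alert once per window, after `count` events
    events    (timestamp_in_seconds, tracked_ip); tracked_ip is the address
              named by `track by_src` / `track by_dst` in the rule
    """
    windows = defaultdict(lambda: {"start": None, "seen": 0, "fired": False})
    alerts = []
    for ts, ip in sorted(events):
        w = windows[ip]
        if w["start"] is None or ts - w["start"] >= seconds:
            w.update(start=ts, seen=0, fired=False)      # window expired
        w["seen"] += 1
        if w["seen"] < count:
            continue
        if kind == "threshold":
            alerts.append((ts, ip))
            w.update(start=ts, seen=0)                   # count again from zero
        elif kind == "both" and not w["fired"]:
            alerts.append((ts, ip))
            w["fired"] = True                            # silent until window ends
    return alerts


# Constructed input for sid 2009749 (track by_dst = the client receiving 403s):
# one client gets 80 responses in 40 s, another gets one every 30 s.
SCANNER_403S = [(i * 0.5, "203.0.113.7") for i in range(80)]
BROWSER_403S = [(i * 30.0, "198.51.100.9") for i in range(10)]

# Constructed input for sid 2002992 (track by_src): 25 SYNs to port 110 in 50 s.
POP3_SYNS = [(i * 2.0, "192.0.2.50") for i in range(25)]

if __name__ == "__main__":
    print(simulate("threshold", 35, 60, SCANNER_403S + BROWSER_403S))
    print(simulate("both", 10, 120, POP3_SYNS))
```

With `type threshold` a sustained scan keeps producing events for OSSIM to correlate, while `type both` yields a single event per source and window.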
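
Slide 10's comparison of predicted and real traffic, as an added example that is not part of the original slides and is not Ntop or RRDtool code: RRDtool's aberrant behaviour detection is based on Holt-Winters forecasting, and this Python version flags samples that fall outside a deviation band around the forecast. The traffic series is constructed; the function name, the smoothing values and `min_band` are assumptions of this example, and RRDtool additionally requires several violations inside a sliding window before it records a failure.

```python
def hw_violations(series, period, alpha=0.125, beta=1 / 256, gamma=0.125,
                  delta=2.0, min_band=100.0):
    """Additive Holt-Winters forecast with a seasonal deviation band.

    Returns the indexes whose value lies outside forecast +/- band.
    min_band is an assumption of this example (a floor so that a noise-free
    series does not get a zero-width band); it is not an RRDtool parameter.
    """
    first = series[:period]                 # first season initialises the model
    level = sum(first) / period
    trend = 0.0
    season = [y - level for y in first]
    dev = [0.0] * period                    # smoothed |error| per seasonal slot
    flagged = []
    for t in range(period, len(series)):
        i, y = t % period, series[t]
        forecast = level + trend + season[i]
        err = abs(y - forecast)
        if err > max(delta * dev[i], min_band):
            flagged.append(t)
        # The model keeps learning from every sample, including flagged ones.
        prev_level = level
        level = alpha * (y - season[i]) + (1 - alpha) * (level + trend)
        trend = beta * (level - prev_level) + (1 - beta) * trend
        season[i] = gamma * (y - level) + (1 - gamma) * season[i]
        dev[i] = gamma * err + (1 - gamma) * dev[i]
    return flagged


# Constructed hourly traffic (KB/s): quiet nights, busy days, six days long.
DAY = [100] * 12 + [300] * 12
TRAFFIC = DAY * 6
SPIKE_AT = 4 * 24 + 15                      # 15:00 on the fifth day
TRAFFIC[SPIKE_AT] = 800                     # constructed burst

if __name__ == "__main__":
    print(hw_violations(TRAFFIC, period=24))
```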
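
Slide 29's IP-to-MAC tracking, as an added example that is not part of the original slides and is not Arpwatch code: it keeps the current and previous MAC address for each IP address and labels changes with the event names Arpwatch uses in its reports ("new station", "changed ethernet address", "flip flop"). The function names and all observations are constructed for illustration.

```python
def normalize_mac(mac):
    """Lowercase and zero-pad each octet so '0:C:29:aa:bb:cc' equals '00:0c:29:aa:bb:cc'."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def watch(observations):
    """observations: (timestamp, ip, mac) tuples in arrival order.

    Returns (timestamp, event, ip, old_mac, new_mac) tuples.
    """
    current, previous, events = {}, {}, []
    for ts, ip, raw in observations:
        mac = normalize_mac(raw)
        old = current.get(ip)
        if old is None:
            events.append((ts, "new station", ip, None, mac))
        elif old != mac:
            # Returning to the address seen before the last change is a flip flop.
            kind = "flip flop" if previous.get(ip) == mac else "changed ethernet address"
            events.append((ts, kind, ip, old, mac))
            previous[ip] = old
        current[ip] = mac
    return events


def macs_with_several_ips(observations):
    """Map each MAC that currently answers for more than one IP to those IPs."""
    latest = {ip: normalize_mac(mac) for _, ip, mac in observations}
    by_mac = {}
    for ip, mac in latest.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


# Constructed observations: 192.0.2.1 is the gateway, 192.0.2.23 a workstation
# whose MAC later also answers for the gateway address.
OBSERVED = [
    (1, "192.0.2.1", "00:11:22:33:44:55"),
    (2, "192.0.2.23", "0:c:29:aa:bb:cc"),
    (3, "192.0.2.1", "00:0C:29:AA:BB:CC"),
    (4, "192.0.2.1", "00:11:22:33:44:55"),
    (5, "192.0.2.1", "00:0c:29:aa:bb:cc"),
]

if __name__ == "__main__":
    for event in watch(OBSERVED):
        print(event)
    print(macs_with_several_ips(OBSERVED))
```

A MAC address that answers for several IP addresses can be legitimate (routers, interface aliases), so the second function is a triage aid; the repeated flip flop on the gateway address is the stronger ARP spoofing signal.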
