
Integrated Tools in OSSIM


Tools Integrated in OSSIM.


Published in: Technology


Transcript

  • 1. Integrated Tools
    http://www.alienvault.com
    Juan Manuel Lorenzo (jmlorenzo@alienvault.com)
  • 2. Active / Passive
    The different tools integrated within OSSIM can be classified under the following categories:
    Active: They generate traffic within the network that is being monitored.
    Passive: They analyze network traffic without generating any traffic within the monitored network.
    The passive tools require a port mirroring / SPAN port configured in the network equipment.
  • 3. Snort
    NIDS (Network Intrusion Detection System)
    http://www.snort.org
    Snort analyzes the network traffic
    Events are generated when the Snort patterns (Signatures) match the network traffic
    Utility within OSSIM:
    Portscans
    Worms
    Malware
    Policy violations (P2P, IM, Porn, Games...)
    PASSIVE
  • 4. Snort
    PASSIVE
    Policy violations
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Megaupload file download service access"; flow:to_server,established; content:"GET "; depth: 4; uricontent:"/?d="; content:"|0d 0a|Host: "; content:"megaupload.com"; within:25; nocase; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009301; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Download_Services; sid:2009301; rev:2;)
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Porn-Sports-Gambling site designed to bypass restrictions"; flow:to_server,established; content:"Host:"; nocase; pcre:"/Host:[^ ]+.(bodog|bodogbeat|bodognation|bodogmusic|bodogconference|bodogpokerchampionships).com/i"; reference:url,www.bodog.com; classtype:policy-violation; reference:url,doc.emergingthreats.net/2003100; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_bodog.com; sid:2003100; rev:4;)
    Malware
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus (IAInstall.exe)"; flow:established,to_server; uricontent:"/download/IAInstall.exe"; nocase; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; reference:url,doc.emergingthreats.net/2010447; sid:2010447; rev:2;)
    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: (msg:"ET MALWARE 404 Response with an EXE Attached - Likely Malware Drop"; flow:established,from_server; content:"HTTP/1.1 404 Not Found|0d 0a|"; depth:24; content:"|0d 0a 0d 0a|MZ"; distance:0; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2009028; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_404_EXE; sid:2009028; rev:2;)
  • 5. Snort
    PASSIVE
    Virus and Trojans
    alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET VIRUS Bugbear@MM virus via SMTP"; flow: established; content:"uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQk/xWcEQmDxCTD"; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001764; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_BugBear; sid: 2001764; rev:6;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM UPX encrypted file download - possible worm"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"|00|code|00|"; content:"|00 C0|text|00|"; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001047; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/WORM_Suspicious_Extensions; sid: 2001047; rev:6;)
    Scans
    alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET SCAN Unusually Fast 403 Error Messages, Possible Web Application Scan"; flow:from_server,established; content:"HTTP/1.1 403"; depth:13; threshold: type threshold, track by_dst, count 35, seconds 60; classtype:attempted-recon; reference:url,www.checkupdown.com/status/E403.html; reference:url,doc.emergingthreats.net/2009749; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_403; sid:2009749; rev:2;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"ET SCAN Rapid POP3 Connections - Possible Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 10, seconds 120; classtype: misc-activity; reference:url,doc.emergingthreats.net/2002992; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_General_Services; sid: 2002992; rev:5;)
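As an added example (not part of the original slides), here is a small Python matcher that applies the content chain of two of the rules quoted on slide 4, the ET POLICY Megaupload rule and the ET MALWARE 404-with-EXE rule (one reference option trimmed for width), to constructed HTTP payloads. It implements the content, uricontent, depth, offset, distance, within and nocase modifiers and the |0d 0a| hex escapes, which is what makes the "404 followed by an MZ header" rule fire only on an executable body. The request and response bytes are constructed for the example, and uricontent is matched against the raw payload rather than a normalised URI, a simplification of what Snort does.

```python
import re

# Two Emerging Threats rules quoted on slide 4 (one reference option trimmed for width).
RULE_MEGAUPLOAD = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Megaupload file download service access"; '
                   'flow:to_server,established; content:"GET "; depth: 4; uricontent:"/?d="; content:"|0d 0a|Host: "; '
                   'content:"megaupload.com"; within:25; nocase; classtype:policy-violation; '
                   'reference:url,doc.emergingthreats.net/2009301; sid:2009301; rev:2;)')
RULE_404_EXE = ('alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: (msg:"ET MALWARE 404 Response with an EXE Attached - Likely Malware Drop"; '
                'flow:established,from_server; content:"HTTP/1.1 404 Not Found|0d 0a|"; depth:24; content:"|0d 0a 0d 0a|MZ"; distance:0; '
                'classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2009028; sid:2009028; rev:2;)')

# Constructed sample traffic (not captured): for each rule, one payload that should fire and one that should not.
MEGAUPLOAD_REQUEST = b"GET /?d=ABC123 HTTP/1.1\r\nHost: www.megaupload.com\r\n\r\n"
BENIGN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
EXE_404_RESPONSE = b"HTTP/1.1 404 Not Found\r\nContent-Type: application/octet-stream\r\n\r\nMZ\x90\x00\x03"
HTML_404_RESPONSE = b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<html>Not found</html>"

HEX_RE = re.compile(r"\|([0-9a-fA-F ]+)\|")


def decode_content(text):
    """Expand Snort '|0d 0a|' hex escapes into raw bytes; everything else is literal."""
    out, pos = bytearray(), 0
    for m in HEX_RE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1))
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def parse_options(rule):
    """Split the parenthesised option block into (keyword, value) pairs, preserving order."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    pairs = []
    # split on ';' only when an even number of quotes follows, i.e. outside quoted strings
    for item in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', body):
        item = item.strip()
        if item:
            key, _, val = item.partition(":")
            pairs.append((key.strip(), val.strip().strip('"')))
    return pairs


def build_matchers(pairs):
    """Attach the modifiers that follow each content/uricontent keyword to that content."""
    matchers = []
    for key, val in pairs:
        if key in ("content", "uricontent"):
            matchers.append({"pattern": decode_content(val), "nocase": False,
                             "offset": 0, "depth": None, "distance": None, "within": None})
        elif key == "nocase" and matchers:
            matchers[-1]["nocase"] = True
        elif key in ("offset", "depth", "distance", "within") and matchers:
            matchers[-1][key] = int(val)
    return matchers


def match_payload(matchers, payload):
    """Run the content chain over one payload. distance/within are relative to the end of the
    previous match; offset/depth are absolute from byte 0. Every content must match, in order."""
    cursor = 0
    for m in matchers:
        hay, pat = payload, m["pattern"]
        if m["nocase"]:
            hay, pat = hay.lower(), pat.lower()
        if m["distance"] is not None or m["within"] is not None:
            start = cursor + (m["distance"] or 0)
            end = len(hay) if m["within"] is None else start + m["within"]
        else:
            start = m["offset"]
            end = len(hay) if m["depth"] is None else start + m["depth"]
        idx = hay.find(pat, start, end)   # the match must lie entirely inside [start, end)
        if idx < 0:
            return False
        cursor = idx + len(pat)
    return True


def match_rule(rule, payload):
    return match_payload(build_matchers(parse_options(rule)), payload)


def rule_summary(rule):
    """The fields an analyst wants in an OSSIM event: msg, sid, rev and classtype."""
    opts = dict(parse_options(rule))
    return {k: opts.get(k) for k in ("msg", "sid", "rev", "classtype")}


if __name__ == "__main__":
    for rule, payload in ((RULE_MEGAUPLOAD, MEGAUPLOAD_REQUEST), (RULE_MEGAUPLOAD, BENIGN_REQUEST),
                          (RULE_404_EXE, EXE_404_RESPONSE), (RULE_404_EXE, HTML_404_RESPONSE)):
        print(rule_summary(rule)["sid"], "fires" if match_rule(rule, payload) else "silent", payload[:40])
```

The matcher deliberately ignores flow, threshold and pcre options, so it only answers "does the byte pattern chain match"; it is enough to see why the 404 rule ignores an HTML error page but fires on a 404 whose body starts with the MZ header of a PE file.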
  • 6. Ntop
    Network usage monitor
    http://www.ntop.org
    Ntop analyzes all the network traffic
    Ntop provides real-time and historical information on network usage
    Utility within OSSIM:
    Network usage statistics
    Asset information
    Time and activity matrices
    Real-time session monitoring
    Network abuse
    PASSIVE
  • 7. Ntop
    PASSIVE
  • 8. Ntop
    Ntop passively creates a profile for every asset in our network
    PASSIVE
  • 9. Ntop
    Data & Time Matrices
    PASSIVE
  • 10. Ntop – RRD Aberrant Behaviour
    Analyzing the historical data, Ntop uses the RRD Aberrant Behaviour algorithm to predict the future behaviour of our assets and networks.
    If the prediction differs from the real traffic, an event is generated within OSSIM.
    PASSIVE
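RRD Aberrant Behaviour is Holt-Winters forecasting with a per-slot smoothed deviation and a voting window over recent violations. The following Python code is an added example, not part of the slides or of Ntop/RRDtool: it implements that scheme in the style of RRDtool's HWPREDICT, DEVPREDICT and FAILURES archives on a constructed traffic series with a 24-slot daily cycle and an eight-sample surge injected at t=500. The smoothing constants, the minimum band width (floor), the 7-of-9 alarm rule and the traffic values are assumptions chosen for the example.

```python
import math
from collections import deque


def holt_winters_aberrant(series, season, alpha=0.1, beta=0.0035, gamma=0.5,
                          delta=2.0, floor=5.0, threshold=7, window=9, warmup_seasons=20):
    """Additive Holt-Winters prediction with one seasonal coefficient and one smoothed
    absolute error per slot of the season (RRDtool HWPREDICT / DEVPREDICT style).

    A point is a violation when |observed - predicted| exceeds the confidence band
    max(delta * deviation, floor); an alarm is raised (FAILURES style) when at least
    `threshold` of the last `window` points were violations. Returns the alarms as
    (index, observed, predicted) tuples, ignoring the first `warmup_seasons` seasons
    while the model is still learning the cycle."""
    level, slope = series[0], 0.0
    seasonal = [0.0] * season       # seasonal coefficient per slot
    deviation = [0.0] * season      # smoothed |error| per slot
    recent = deque(maxlen=window)   # 1 = violation, 0 = inside the band
    alarms = []
    for t, y in enumerate(series):
        slot = t % season
        predicted = level + slope + seasonal[slot]
        error = y - predicted
        band = max(delta * deviation[slot], floor)
        recent.append(1 if abs(error) > band else 0)
        if t >= warmup_seasons * season and sum(recent) >= threshold:
            alarms.append((t, y, predicted))
        # update the model only after the point has been scored
        new_level = alpha * (y - seasonal[slot]) + (1 - alpha) * (level + slope)
        slope = beta * (new_level - level) + (1 - beta) * slope
        seasonal[slot] = gamma * (y - new_level) + (1 - gamma) * seasonal[slot]
        deviation[slot] = gamma * abs(error) + (1 - gamma) * deviation[slot]
        level = new_level
    return alarms


SEASON = 24                      # 24 samples per cycle, e.g. one per hour
ANOMALY_START, ANOMALY_LEN = 500, 8


def constructed_traffic(n=SEASON * 22, anomaly=True):
    """Constructed sample (not measured traffic): a 24-slot cycle around 100 kbit/s plus a small
    period-7 ripple the seasonal model cannot learn, optionally with a +300 surge at t=500."""
    out = []
    for t in range(n):
        y = 100.0 + 50.0 * math.sin(2 * math.pi * t / SEASON) + math.sin(2 * math.pi * t / 7)
        if anomaly and ANOMALY_START <= t < ANOMALY_START + ANOMALY_LEN:
            y += 300.0
        out.append(y)
    return out


if __name__ == "__main__":
    for t, observed, predicted in holt_winters_aberrant(constructed_traffic(), SEASON)[:5]:
        print("t=%d observed=%.1f predicted=%.1f" % (t, observed, predicted))
```

Two things worth noticing when running it: the surge is only reported once seven of the last nine samples are outside the band, so the first alarm arrives at t=506, six samples after the surge began (a short blip never reaches the 7-of-9 vote, which is the point of the window); and because the level absorbs part of the surge, alarms continue for a while after the surge ends, which is the same post-event "echo" real RRD aberrant-behaviour graphs show.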
  • 11. NFSen /NFdump
    Nfdump: The nfdump tools collect and process netflow data on the command line.
    http://nfdump.sourceforge.net/
    NFSen is a graphical web based front end for the nfdump netflow tools.
    PASSIVE
  • 12. NFSen /NFdump
    NetFlow is a network protocol developed by Cisco Systems to run on Cisco IOS-enabled equipment for collecting IP traffic information.
    It is supported by platforms other than IOS such as Juniper, Linux, FreeBSD or OpenBSD.
    PASSIVE
  • 13. OCS
    Inventory Management
    http://www.ocsinventory-ng.org
    OCS requires an agent installed on every inventoried computer.
    OCS can also be used to deploy software packages.
    Utility within OSSIM
    Inventory Management (Software & Hardware)
    Vulnerability Management
    Policy violations
    Hardware monitoring
    ACTIVE (AGENTS)
  • 14. OCS
    ACTIVE (AGENTS)
  • 15. Nagios
    Availability monitor
    http://www.nagios.org
    Nagios monitors the availability of assets and services in our network.
    A service can be monitored using different checks:
    Ex: MySQL Server
    Check whether the host is up or not
    Check whether the MySQL port is open or closed
    Check whether a MySQL server is listening on that port
    Do a query and check the result
    ACTIVE
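As an added example of the layered MySQL check described above (not code from the slides or from Nagios itself): a Python plugin that follows the Nagios exit-code convention, first checks TCP reachability, which fails when the host is down or the port is closed, and then reads the server's initial handshake to verify that whatever answers on the port is really MySQL rather than some other service that happens to be listening. The host name, the handshake and error packets and the FakeSock class are constructed assumptions so the logic can be run offline; the final step, running a query, is what the stock check_mysql_query plugin does and is not repeated here.

```python
import socket
import struct
import sys

# Nagios plugin exit codes: the convention every check script follows.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def parse_mysql_greeting(packet):
    """Parse the packet a MySQL server sends right after the TCP connect.
    Layout: 3-byte little-endian payload length, 1-byte sequence id, then the payload,
    whose first byte is the protocol version (10) followed by the NUL-terminated server
    version. A payload starting with 0xff is an ERR packet instead (e.g. source host
    not allowed), which still proves a MySQL server is listening."""
    if len(packet) < 5:
        raise ValueError("packet too short for a MySQL header")
    length = int.from_bytes(packet[0:3], "little")
    payload = packet[4:4 + length]
    if length == 0 or len(payload) < length:
        raise ValueError("truncated or empty MySQL packet")
    if payload[0] == 0xFF:
        code = int.from_bytes(payload[1:3], "little")
        text = payload[3:]
        if text[:1] == b"#":          # optional '#' + 5-char SQL state before the message
            text = text[6:]
        return {"kind": "error", "code": code, "message": text.decode("latin-1")}
    if payload[0] != 10:
        raise ValueError("unexpected protocol version %d" % payload[0])
    end = payload.index(b"\x00", 1)
    return {"kind": "greeting", "protocol": 10, "server_version": payload[1:end].decode("ascii")}


def constructed_greeting(version=b"5.5.62-0+deb8u1"):
    """Minimal v10 handshake, constructed for the example (not captured from a real server)."""
    payload = (b"\x0a" + version + b"\x00" + struct.pack("<I", 42)
               + b"A" * 8 + b"\x00" + struct.pack("<H", 0xF7FF))
    return len(payload).to_bytes(3, "little") + b"\x00" + payload


def constructed_error(code=1130, message=b"Host '10.0.0.5' is not allowed to connect to this MySQL server"):
    """ERR packet as a server sends it to a host it refuses (constructed)."""
    payload = b"\xff" + struct.pack("<H", code) + message
    return len(payload).to_bytes(3, "little") + b"\x00" + payload


class FakeSock:
    """Stand-in for a connected socket so the check can be exercised offline (constructed)."""
    def __init__(self, data):
        self.data = data

    def settimeout(self, seconds):
        pass

    def recv(self, size):
        return self.data[:size]

    def close(self):
        pass


def refused_connect(address, timeout):
    """Connect function that behaves like a closed port (constructed for the example)."""
    raise ConnectionRefusedError("connection refused")


def check_mysql(host, port=3306, timeout=3.0, connect=socket.create_connection):
    """Layered check: reachability (host up + port open), then 'is it really MySQL?'.
    `connect` is injectable so the decision logic can be tested without a live server."""
    try:
        sock = connect((host, port), timeout)
    except OSError as exc:                       # host down, port closed or filtered
        return CRITICAL, "cannot connect to %s:%d (%s)" % (host, port, exc)
    try:
        sock.settimeout(timeout)
        data = sock.recv(1024)
    except OSError as exc:
        return CRITICAL, "connected to %s:%d but no greeting (%s)" % (host, port, exc)
    finally:
        sock.close()
    try:
        info = parse_mysql_greeting(data)
    except ValueError as exc:                    # something answers, but it is not MySQL
        return CRITICAL, "port %d open on %s but not speaking MySQL: %s" % (port, host, exc)
    if info["kind"] == "error":
        return WARNING, "MySQL on %s:%d answers but rejects us: %d %s" % (host, port, info["code"], info["message"])
    return OK, "MySQL %s listening on %s:%d" % (info["server_version"], host, port)


if __name__ == "__main__":
    if len(sys.argv) > 1:   # real check: check_mysql.py <host> [port]
        state, text = check_mysql(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 3306)
    else:                   # offline demonstration against the constructed greeting
        state, text = check_mysql("db.example.internal", connect=lambda a, t: FakeSock(constructed_greeting()))
    print(["OK", "WARNING", "CRITICAL", "UNKNOWN"][state] + " - " + text)
    sys.exit(state)
```

Mapping the refused host to WARNING rather than CRITICAL is a deliberate choice: the service is up, but the monitoring host is not in the grant tables, which is a configuration problem to fix rather than an outage to page for.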
  • 16. Nagios
    Utility within OSSIM:
    Availability monitoring (as a detector and in real time)
    Nagios can do checks remotely or with an agent deployed on the host that is being monitored.
    Nagios has a wide number of plugins to monitor different devices and applications.
    ACTIVE
  • 17. OpenVas
    Vulnerability Scanning
    http://www.openvas.org
    OpenVas uses signatures to identify vulnerabilities in the hosts of our network.
    Utility within OSSIM
    Attack prevention (we know what is vulnerable)
    Is the network policy being violated?
    Shared folders, forbidden activities...
    ACTIVE
  • 18. OpenVas
    Some vulnerabilities can only be verified by actually exploiting them (e.g. DoS)
    OpenVas allows for fine-tuning of scanning aggressiveness.
    Mis-configured scans may severely impact the scanned network. After installation, the first scanning profiles have to be defined and watched over very carefully.
    ACTIVE
  • 19. OpenVas
    OpenVas is able to perform local scans on remote machines if valid credentials for them are provided.
    This way OpenVas has an exact listing of the software installed on remote hosts and is able to determine existing vulnerabilities with a high degree of accuracy.
    OpenVas provides its own plugin creation language.
    ACTIVE
  • 20. OSVDB
    Vulnerability Database
    http://www.osvdb.org
    OSVDB is a compendium of vulnerabilities.
    Usage within OSSIM
    Correlation rule creation
    Vulnerability identifier cross-referencing
    Complements OpenVas scanning information
  • 21. OSVDB
    Vulnerability Description:
    Indicators and references:
  • 22. OSVDB
    Inter-tool relationships:
    CVSSv2 Score (Common Vulnerability Scoring System):
  • 23. OSSEC
    HIDS (Host level IDS)
    http://www.ossec.org
    OSSEC requires an agent to be installed for monitoring (except for SSH-accessible systems).
    OSSEC features log analysis, rootkit detection, system integrity checking and Windows registry monitoring.
    ACTIVE (AGENTS)
  • 24. OSSEC
    OSSEC is based on a client -> server architecture; OSSIM collects events from the OSSEC server.
    OSSEC provides its own plugin system used for Windows and UNIX log analysis.
    Utility within OSSIM:
    Windows and Unix log collection
    Application log collection
    Registry, file and folder monitoring (DLP)
    ACTIVE (AGENTS)
  • 25. Kismet
    Wireless network sniffer and IDS
    http://www.kismetwireless.net
    Kismet requires a compatible Wi-Fi NIC that allows raw monitoring and 802.11b, 802.11a, 802.11n and 802.11g sniffing
    Utility within OSSIM:
    Wi-Fi network hardening.
    Rogue AP detection
    Compliance enforcement (PCI)
    PASSIVE
  • 26. Nmap
    Port Scanner
    http://www.insecure.org
    Nmap provides customizable options for host and network scanning (Speed, range, precision…)
    Utility within OSSIM:
    Asset Discovery
    Open port discovery
    Service version discovery
    Operating System manufacturer and version discovery
    May determine some hardware details about the scanned host
    ACTIVE
  • 27. P0f
    Operating System anomaly detection
    http://lcamtuf.coredump.cx/p0f.shtml
    Passive Operating System detection based on traffic pattern analysis.
    Utility within OSSIM:
    Operating System changes
    Inventory Management
    Unauthorized network access
    PASSIVE
  • 28. Pads
    Service anomaly detection
    http://passive.sourceforge.net/
    Passively detects running services based on traffic pattern matching.
    Utility within OSSIM:
    Inventory Management
    Service version changes
    Policy violations
    Inventory correlation
    PASSIVE
  • 29. Arpwatch
    MAC address anomaly detection.
    http://ee.lbl.gov/
    Based on the traffic generated by network assets, Arpwatch is able to identify the MAC address associated with each IP address.
    Utility within OSSIM:
    Inventory Management
    IP address change detection
    ARP spoofing
    PASSIVE
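As an added example, not taken from the slides or from Arpwatch itself, this Python snippet implements the IP-to-MAC tracking Arpwatch performs on the ARP replies it sees and emits the three report types an analyst meets most often in its output: new station, changed ethernet address, and flip flop (an address pair that reverts to a previously seen MAC, the signature of a spoofing host and the real owner answering in turn). The ARP observations are constructed for the example.

```python
# Constructed ARP replies as (timestamp, ip, mac); not captured traffic.
CONSTRUCTED_ARP = [
    ("10:00:01", "192.168.1.10", "00:11:22:33:44:01"),
    ("10:00:05", "192.168.1.20", "00:11:22:33:44:02"),
    ("10:00:09", "192.168.1.10", "00:11:22:33:44:01"),   # same pair again: nothing to report
    ("10:05:00", "192.168.1.20", "00:11:22:33:44:02"),
    ("10:07:30", "192.168.1.1",  "00:11:22:33:44:0a"),   # first sighting of the gateway
    ("10:09:12", "192.168.1.1",  "DE:AD:BE:EF:00:01"),   # gateway IP now answered by another MAC
    ("10:09:13", "192.168.1.1",  "00:11:22:33:44:0a"),   # and the original owner answers again
    ("10:09:14", "192.168.1.1",  "DE:AD:BE:EF:00:01"),
]


class ArpMonitor:
    """Keeps the IP -> MAC pairing last seen for every station, plus the pairing before that,
    so a change can be told apart from a flip flop between two MACs."""

    def __init__(self):
        self.current = {}    # ip -> mac currently believed to own it
        self.previous = {}   # ip -> mac it had before the most recent change

    def observe(self, ts, ip, mac):
        """Feed one ARP reply; returns a report tuple or None when nothing changed."""
        mac = mac.lower()                     # MACs compare case-insensitively
        old = self.current.get(ip)
        if old is None:
            self.current[ip] = mac
            return ("new station", ts, ip, mac, None)
        if old == mac:
            return None
        kind = "flip flop" if self.previous.get(ip) == mac else "changed ethernet address"
        self.previous[ip] = old
        self.current[ip] = mac
        return (kind, ts, ip, mac, old)


def run(events):
    """Replay a list of (timestamp, ip, mac) observations and collect every report."""
    monitor = ArpMonitor()
    return [r for r in (monitor.observe(*e) for e in events) if r is not None]


def summarize(reports):
    """Count reports per type; flip flops on a gateway address deserve the quickest look."""
    counts = {}
    for kind, *_ in reports:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, ts, ip, mac, old in run(CONSTRUCTED_ARP):
        print("%s  %-24s %-14s %s%s" % (ts, kind, ip, mac, "  (was %s)" % old if old else ""))
    print(summarize(run(CONSTRUCTED_ARP)))
```

A single "changed ethernet address" is routine (a replaced NIC, a DHCP lease handed to another machine); repeated flip flops on the same IP within seconds, as in the constructed gateway sequence above, are what an OSSIM correlation directive should treat as probable ARP spoofing.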
  • 30. Tcptrack
    Session Monitor (network)
    http://www.rhythm.cx/~steve/devel/tcptrack/
    Tcptrack provides information about network sessions (duration, transferred data…)
    Utility within OSSIM:
    Session information used for correlation.
    PASSIVE
  • 31. Nepenthes
    Honeypot
    http://nepenthes.mwcollect.org
    Nepenthes emulates known services and vulnerabilities in order to collect information about potential attackers (attack patterns, files, …)
    Utility within OSSIM
    Detect infected systems (they will target the honeypot)
    Rule and directive creation based on captured files/attacks
    Malware collection
    PASSIVE
  • 32. About this document
    This document is part of the OCSA Training Material (OSSIM Certified Security Analyst)
    Author: Juan Manuel Lorenzo (jmlorenzo@alienvault.com)
    Copyright © Alienvault 2010
    All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and publisher.
    Any trademarks referenced herein are the property of their respective holders.