Uploaded on

These are the slides of my talk on OSSEC at FOSDEM '10 in Brussels, Belgium. …

These are the slides of my talk on OSSEC at FOSDEM '10 in Brussels, Belgium.

http://www.fosdem.org

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
1,245
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
47
Comments
0
Likes
2

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. OSSEC Know More, Protect Better
  • 2. Wim Remes (maltego me)
  • 3. 22-23 September (training) 24-25 September (conference) http://www.brucon.org
  • 4. Excaliburcon http://www.newcamelotcouncil.com 2010 CFP to be announced soon
  • 5. http://www.eurotrashsecurity.eu http://www.twitter.com/eurotrashsec feedback@eurotrashsecurity.eu
  • 6. OSSEC • Daniel Cid • 2005 • Third Brigade • Trend Micro • GPL v3
  • 7. Agenda Log Management OSSEC Features OSSEC Architecture Log Analysis with OSSEC Conclusion
  • 8. Log Management so easy the kid can do it ...
  • 9. Sources ? Users App App App App Systems
  • 10. Reasons Because we have to :-( Because we want to :-D 2% PCI-DSS ISO 27K HIPAA SOX 98%
  • 11. Standards ? • Syslog • 2001, RFC 3164 • The non-standard standard • WELF, CBE, CEF • Proprietary • We know what happens then ... • IDMF • Academic • Complex
  • 12. What do we need ? • Taxonomy • Syntax • Transport • Recommendations
  • 13. Common Event Expression http://cee.mitre.org
  • 14. OSSEC features
  • 15. OSSEC features Log Analysis Integrity Control Rootkit Detection
  • 16. OSSEC architecture
  • 17. OSSEC Architecture (root) logcollector chroot Agent zlib compressed blowfish encrypted UDP 1514 chroot Server chroot ossec-analysisd chroot ossec-maild ossec-execd chroot
  • 18. OSSEC Architecture Firewall IDS Switch SRV Router Database App1 App2 Client Client Client Client Client Virtualization
  • 19. I can haz rules ?
  • 20. Log Analysis with OSSEC
  • 21. Log Analysis with OSSEC predecoding decoding analysis
  • 22. Predecoding • Feb 24 10:12:23 beijing appdaemon:user john logged in from 10.10.10.10 • <decoder name="appdaemon"> <program_name>appdaemon</program_name> </decoder> time/date : Feb 24 10:12:23 Hostname : beijing Program_name :appdaemon Log : user john logged in from 10.10.10.10
  • 23. Predecoding • Feb 24 10:12:23 beijing switch:appdaemon quit unexpectedly • <decoder name="pam"> <program_name></program_name> <prematch>^appdaemon$</prematch> </decoder> time/date : Feb 24 10:12:23 Hostname : beijing Program_name : switch Log : appdaemon quit unexpectedly
  • 24. Decoding • Feb 24 10:12:23 beijing appdaemon:user john logged in from 10.10.10.10 • <decoder name="appdaemon-login"> <parent>appdaemon</parent> <prematch>^user$</prematch> <after_prematch>(S+)logged in from (S+)</after_prematch> <order>user,srcip</order> </decoder> time/date : Feb 24 10:12:23 Hostname : beijing Program_name :appdaemon user : John srcip : 10.10.10.10 Log : user john logged in from 10.10.10.10
  • 25. Analysis • Feb 24 10:12:23 beijing appdaemon:user john logged in from 10.10.10.10 • <rule id="10001" level=”3”> <decoded_as>appdaemon</decoded_as> <match>logged in</match> <description>Successful login</after_prematch> </rule> • <rule id=”10002” level=”7”> <if_sid>10001</if_sid> <user>!John</user> <description>Ok, this was not John !!</description> </rule> • <rule id=”10003” level=”7”> <if_sid>10001</if_sid> <srcip>!10.10.10.0/24</srcip> <description>login from unauthorized network!!</description> </rule>
  • 26. Analysis : The Rule Tree 10001 10002 10005 10003 10004 10006 10007 10008 N T IO AC
  • 27. Advanced rule building os_regex library (fast, not full regex) w -> A-Z, a-z, 0-9 characters d -> 0-9 characters s -> For spaces " " t -> For tabs. p -> ()*+,-.:;<=>?[] (punctuation characters) W -> For anything not w D -> For anything not d S -> For anything not s . -> For anything + -> To match one or more times (eg w+ or d+) * -> To match zero or more times (eg w* or p*) ^ -> To specify the beginning of the text. $ -> To specify the end of the text. | -> To create an "OR" between multiple patterns. <regex> </regex> (in rules) <regex> </regex> (in decoders) <prematch> </prematch> (in decoders) <if_matched_regex> </if_matched_regex> (in rules)
  • 28. Advanced rule building os_match library (more limited, faster) ^ -> To specify the beginning of the text. $ -> To specify the end of the text. | -> To create an "OR" between multiple patterns. (rules only !) <match> </match> <user> </user> <url> </url> <id> </id> <status> </status> <hostname> </hostname> <program_name> </program_name> <srcport> </srcport> <dstport> </dstport> use this whenever possible ! it beats the <regex> tag
  • 29. Integrity Checking
  • 30. ossec.conf <syscheck> <!-- Frequency that syscheck is executed - default to every 22 hours --> <frequency>79200</frequency> <!-- Directories to check (perform all possible verifications) --> <directories realtime=”yes” check_all="yes">/etc,/usr/bin,/usr/sbin</directories> <directories check_all="yes">/bin,/sbin</directories> <!-- Files/directories to ignore --> <ignore>/etc/mtab</ignore> <ignore>/etc/mnttab</ignore> <syscheck>
  • 31. ossec_rules.xml <rule id="550" level="7"> <category>ossec</category> <decoded_as>syscheck_integrity_changed</decoded_as> <description>Integrity checksum changed.</description> <group>syscheck,</group> </rule> <rule id="551" level="7"> <category>ossec</category> <decoded_as>syscheck_integrity_changed_2nd</decoded_as> <description>Integrity checksum changed again (2nd time).</description> <group>syscheck,</group> </rule> <rule id="552" level="7"> <category>ossec</category> <decoded_as>syscheck_integrity_changed_3rd</decoded_as> <description>Integrity checksum changed again (3rd time).</description> <group>syscheck,</group> </rule> ...
  • 32. syscheck commands /var/ossec/bin/syscheck_update -a /var/ossec/bin/syscheck_control -l /var/ossec/bin/syscheck_control -i [agentid] /var/ossec/bin/syscheck_control -i [agentid] -f [filename]
  • 33. Management
  • 34. commands /var/ossec/manage_agents >server >agent /var/ossec/agent_control -lc /var/ossec/agent_control -i [agentid] /var/ossec/agent_control -r -a /var/ossec/agent_control -R [agentid] /var/ossec/agent_control -r -u [agentid]
  • 35. Conclusion
  • 36. Conclusion nobody knows your system/ application as well as you OSSEC is a mature starting point for your log management needs Tuning rules never stops ! Questions ? http://www.ossec.net
  • 37. Thank you! wremes@gmail.com (all pictures = creative commons)