Fosdem10
These are the slides of my talk on OSSEC at FOSDEM '10 in Brussels, Belgium.

http://www.fosdem.org

Fosdem10 Presentation Transcript

  • 1. OSSEC Know More, Protect Better
  • 2. Wim Remes (maltego me)
  • 3. 22-23 September (training) 24-25 September (conference) http://www.brucon.org
  • 4. Excaliburcon http://www.newcamelotcouncil.com 2010 CFP to be announced soon
  • 5. http://www.eurotrashsecurity.eu http://www.twitter.com/eurotrashsec feedback@eurotrashsecurity.eu
  • 6. OSSEC • Daniel Cid • 2005 • Third Brigade • Trend Micro • GPL v3
  • 7. Agenda Log Management OSSEC Features OSSEC Architecture Log Analysis with OSSEC Conclusion
  • 8. Log Management so easy the kid can do it ...
  • 9. Sources? (diagram: users, applications, systems)
  • 10. Reasons (pie chart: 98% / 2%)
    Because we have to :-( PCI-DSS, ISO 27K, HIPAA, SOX
    Because we want to :-D
  • 11. Standards?
    • Syslog: 2001, RFC 3164; the non-standard standard
    • WELF, CBE, CEF: proprietary; we know what happens then ...
    • IDMF: academic; complex
  • 12. What do we need?
    • Taxonomy
    • Syntax
    • Transport
    • Recommendations
  • 13. Common Event Expression http://cee.mitre.org
  • 14. OSSEC features
  • 15. OSSEC features Log Analysis Integrity Control Rootkit Detection
  • 16. OSSEC architecture
  • 17. OSSEC Architecture (diagram)
    Agent: logcollector (runs as root), agent processes in chroot
    Agent -> Server: zlib compressed, blowfish encrypted, UDP 1514
    Server: ossec-analysisd, ossec-maild, ossec-execd (chroot)
  • 18. OSSEC Architecture (diagram: log sources Firewall, IDS, Switch, SRV, Router, Database, App1, App2, Clients, Virtualization feeding the server)
  • 19. I can haz rules ?
  • 20. Log Analysis with OSSEC
  • 21. Log Analysis with OSSEC: predecoding -> decoding -> analysis
  • 22. Predecoding
    • Feb 24 10:12:23 beijing appdaemon: user john logged in from 10.10.10.10
    • <decoder name="appdaemon">
        <program_name>appdaemon</program_name>
      </decoder>
    time/date: Feb 24 10:12:23
    hostname: beijing
    program_name: appdaemon
    log: user john logged in from 10.10.10.10
  • 23. Predecoding
    • Feb 24 10:12:23 beijing switch: appdaemon quit unexpectedly
    • <decoder name="pam">
        <program_name></program_name>
        <prematch>^appdaemon$</prematch>
      </decoder>
    time/date: Feb 24 10:12:23
    hostname: beijing
    program_name: switch
    log: appdaemon quit unexpectedly
  • 24. Decoding
    • Feb 24 10:12:23 beijing appdaemon: user john logged in from 10.10.10.10
    • <decoder name="appdaemon-login">
        <parent>appdaemon</parent>
        <prematch>^user$</prematch>
        <after_prematch>(\S+) logged in from (\S+)</after_prematch>
        <order>user,srcip</order>
      </decoder>
    time/date: Feb 24 10:12:23
    hostname: beijing
    program_name: appdaemon
    user: john
    srcip: 10.10.10.10
    log: user john logged in from 10.10.10.10
  • 25. Analysis
    • Feb 24 10:12:23 beijing appdaemon: user john logged in from 10.10.10.10
    • <rule id="10001" level="3">
        <decoded_as>appdaemon</decoded_as>
        <match>logged in</match>
        <description>Successful login</description>
      </rule>
    • <rule id="10002" level="7">
        <if_sid>10001</if_sid>
        <user>!John</user>
        <description>Ok, this was not John !!</description>
      </rule>
    • <rule id="10003" level="7">
        <if_sid>10001</if_sid>
        <srcip>!10.10.10.0/24</srcip>
        <description>login from unauthorized network!!</description>
      </rule>
  • 26. Analysis: The Rule Tree (diagram: rule 10001 at the root, 10002 through 10008 as child rules below it, ending in an action)
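The three stages of slides 21 through 26 (predecoding, decoding, rule tree) as a worked example. This is an added illustration, not OSSEC's own code: a small Python model of what ossec-analysisd does, run over constructed syslog lines in the format of the slides. It applies the appdaemon decoders from slides 22 and 24 and walks rules 10001 through 10003 from slide 25. Assumptions: only BSD syslog headers are handled, the child decoder's after_prematch regex is applied to the text that follows the prematch, and the user in rule 10002 is written in lowercase ("john") so that it compares against the value the decoder actually extracts.

```python
import ipaddress
import re

# Constructed sample lines in the syslog format used on the slides (not real logs).
SAMPLE_LOGS = [
    "Feb 24 10:12:23 beijing appdaemon: user john logged in from 10.10.10.10",
    "Feb 24 10:12:24 beijing appdaemon: user mallory logged in from 10.10.10.11",
    "Feb 24 10:12:25 beijing appdaemon: user john logged in from 192.168.7.5",
    "Feb 24 10:12:26 beijing switch: appdaemon quit unexpectedly",
]

# Predecoding: split the fixed syslog header (BSD syslog only; simplified
# compared with the real ossec-analysisd predecoder).
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<program_name>[^:\s]+):\s*(?P<log>.*)$"
)

def predecode(line):
    """Return timestamp/hostname/program_name/log, or None if the header is absent."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

# Decoders mirroring the <decoder> XML on the slides: a parent keyed on
# program_name and a child with prematch, after_prematch regex and field order.
DECODERS = [
    {"name": "appdaemon", "program_name": "appdaemon"},
    {"name": "appdaemon-login", "parent": "appdaemon", "prematch": r"^user ",
     "regex": r"(\S+) logged in from (\S+)", "order": ["user", "srcip"]},
]

def decode(event):
    """Attach decoded_as (parent decoder) and child-decoder fields; None if no decoder fits."""
    parent = next((d for d in DECODERS if "parent" not in d
                   and d["program_name"] == event["program_name"]), None)
    if parent is None:
        return None
    event["decoded_as"] = parent["name"]
    for child in DECODERS:
        if child.get("parent") != parent["name"]:
            continue
        pre = re.search(child["prematch"], event["log"])
        if pre is None:
            continue
        # after_prematch: the regex is applied to the text following the prematch
        m = re.search(child["regex"], event["log"][pre.end():])
        if m:
            event.update(zip(child["order"], m.groups()))
            break
    return event

# Rules 10001-10003 from the slides; a leading "!" negates, srcip accepts CIDR.
# The user value is lowercased to "john" here so it matches the decoded field.
RULES = [
    {"id": 10001, "level": 3, "decoded_as": "appdaemon", "match": "logged in",
     "description": "Successful login"},
    {"id": 10002, "level": 7, "if_sid": 10001, "user": "!john",
     "description": "Ok, this was not john !!"},
    {"id": 10003, "level": 7, "if_sid": 10001, "srcip": "!10.10.10.0/24",
     "description": "login from unauthorized network!!"},
]

def field_matches(rule_value, event_value):
    """OSSEC-style field test: leading '!' negates; a '/' means CIDR membership."""
    if event_value is None:
        return False
    negate = rule_value.startswith("!")
    wanted = rule_value[1:] if negate else rule_value
    if "/" in wanted:
        try:
            hit = ipaddress.ip_address(event_value) in ipaddress.ip_network(wanted, strict=False)
        except ValueError:          # decoded srcip was not an IP address
            hit = False
    else:
        hit = wanted == event_value
    return hit != negate

def rule_matches(rule, event):
    if "decoded_as" in rule and event.get("decoded_as") != rule["decoded_as"]:
        return False
    if "match" in rule and rule["match"] not in event["log"]:
        return False
    return all(field_matches(rule[f], event.get(f))
               for f in ("user", "srcip") if f in rule)

def analyze(line):
    """Predecode, decode, then walk the rule tree; the deepest matching rule is the alert."""
    event = predecode(line)
    if event is None or decode(event) is None:
        return None
    alert = None
    candidates = [r for r in RULES if "if_sid" not in r]          # root rules
    while candidates:
        hit = next((r for r in candidates if rule_matches(r, event)), None)
        if hit is None:
            break
        alert = hit
        candidates = [r for r in RULES if r.get("if_sid") == hit["id"]]  # its children
    if alert is None:
        return None
    return {"id": alert["id"], "level": alert["level"], "description": alert["description"],
            "user": event.get("user"), "srcip": event.get("srcip")}

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(analyze(line))
```

Running it shows the tree in action: john from 10.10.10.10 stays at the level 3 login rule, mallory is caught by 10002, john from 192.168.7.5 by 10003, and the switch line never reaches the rules because no decoder claims it.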
  • 27. Advanced rule building: os_regex library (fast, not full regex)
    \w -> A-Z, a-z, 0-9 characters
    \d -> 0-9 characters
    \s -> For spaces " "
    \t -> For tabs.
    \p -> ()*+,-.:;<=>?[] (punctuation characters)
    \W -> For anything not \w
    \D -> For anything not \d
    \S -> For anything not \s
    \. -> For anything
    + -> To match one or more times (eg \w+ or \d+)
    * -> To match zero or more times (eg \w* or \p*)
    ^ -> To specify the beginning of the text.
    $ -> To specify the end of the text.
    | -> To create an "OR" between multiple patterns.
    Used in: <regex> </regex> (in rules), <regex> </regex> (in decoders), <prematch> </prematch> (in decoders), <if_matched_regex> </if_matched_regex> (in rules)
  • 28. Advanced rule building: os_match library (more limited, faster)
    ^ -> To specify the beginning of the text.
    $ -> To specify the end of the text.
    | -> To create an "OR" between multiple patterns.
    Used in (rules only!): <match> </match>, <user> </user>, <url> </url>, <id> </id>, <status> </status>, <hostname> </hostname>, <program_name> </program_name>, <srcport> </srcport>, <dstport> </dstport>
    Use this whenever possible! It beats the <regex> tag.
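An added example, not part of the slides or of OSSEC: a translator from the os_regex escapes listed on slide 27 into Python re syntax, so a rule author can test a pattern against sample lines before putting it into a decoder or rule. It follows the slide's definitions literally, so \w is assumed to be exactly A-Z, a-z and 0-9 and \s the single space character; everything outside the listed escapes and operators is treated as a literal, which is the main way os_regex differs from a full regex engine.

```python
import re

# Escapes from slide 27, translated to Python re syntax. Assumed: \w is taken
# exactly as the slide defines it (A-Z, a-z, 0-9), \s is the single space
# character, and \. means "anything".
OS_REGEX_ESCAPES = {
    "w": "[A-Za-z0-9]",
    "d": "[0-9]",
    "s": " ",
    "t": "\t",
    "p": r"[()*+,\-.:;<=>?\[\]]",
    "W": "[^A-Za-z0-9]",
    "D": "[^0-9]",
    "S": "[^ ]",
    ".": ".",
}

# Characters that keep their os_regex meaning when handed to Python re.
OS_REGEX_OPERATORS = set("+*^$|()")

def os_regex_to_python(pattern):
    """Translate an os_regex pattern into a Python regular expression string."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern) and pattern[i + 1] in OS_REGEX_ESCAPES:
            out.append(OS_REGEX_ESCAPES[pattern[i + 1]])
            i += 2
        elif c in OS_REGEX_OPERATORS:
            out.append(c)
            i += 1
        else:
            # Everything else, including an unescaped '.', is a literal in os_regex.
            out.append(re.escape(c))
            i += 1
    return "".join(out)

def match_os_regex(pattern, text):
    """Search text with an os_regex pattern; returns the captured groups, or None."""
    m = re.search(os_regex_to_python(pattern), text)
    return m.groups() if m else None

if __name__ == "__main__":
    # Constructed sample line in the format used on the slides.
    line = "user john logged in from 10.10.10.10"
    print(os_regex_to_python(r"^user (\S+) logged in from (\d+.\d+.\d+.\d+)$"))
    print(match_os_regex(r"^user (\S+) logged in from (\d+.\d+.\d+.\d+)$", line))
```

Note that the unescaped dots in the address pattern become literal dots, and that \p+ is the idiomatic way to skip a run of punctuation between two \w+ tokens; a pattern that would need character classes or bounded repetition has to be rewritten, because os_regex has neither.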
  • 29. Integrity Checking
  • 30. ossec.conf
    <syscheck>
      <!-- Frequency that syscheck is executed - default to every 22 hours -->
      <frequency>79200</frequency>
      <!-- Directories to check (perform all possible verifications) -->
      <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
      <directories check_all="yes">/bin,/sbin</directories>
      <!-- Files/directories to ignore -->
      <ignore>/etc/mtab</ignore>
      <ignore>/etc/mnttab</ignore>
    </syscheck>
  • 31. ossec_rules.xml
    <rule id="550" level="7">
      <category>ossec</category>
      <decoded_as>syscheck_integrity_changed</decoded_as>
      <description>Integrity checksum changed.</description>
      <group>syscheck,</group>
    </rule>
    <rule id="551" level="7">
      <category>ossec</category>
      <decoded_as>syscheck_integrity_changed_2nd</decoded_as>
      <description>Integrity checksum changed again (2nd time).</description>
      <group>syscheck,</group>
    </rule>
    <rule id="552" level="7">
      <category>ossec</category>
      <decoded_as>syscheck_integrity_changed_3rd</decoded_as>
      <description>Integrity checksum changed again (3rd time).</description>
      <group>syscheck,</group>
    </rule>
    ...
  • 32. syscheck commands
    /var/ossec/bin/syscheck_update -a
    /var/ossec/bin/syscheck_control -l
    /var/ossec/bin/syscheck_control -i [agentid]
    /var/ossec/bin/syscheck_control -i [agentid] -f [filename]
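Slides 30 through 32 as an added, self-contained model (not OSSEC's own syscheck code): a Python class that baselines a directory tree, re-scans it, and maps the first, second and third checksum change of a file to rule ids 550, 551 and 552 from slide 31. The ignore list plays the role of <ignore>/etc/mtab</ignore>, and update() stands in for syscheck_update -a. Assumed simplifications: sha256 only (syscheck also tracks size, ownership and permissions), added and deleted files are not reported, and a file goes silent after its third change until the baseline is reset.

```python
import hashlib
import os
import tempfile

# Rule ids 550-552 from ossec_rules.xml: the n-th change of a file's checksum.
SYSCHECK_RULES = {
    1: (550, 7, "Integrity checksum changed."),
    2: (551, 7, "Integrity checksum changed again (2nd time)."),
    3: (552, 7, "Integrity checksum changed again (3rd time)."),
}

def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan(directories, ignore):
    """Return {path: digest} for regular files under the directories, skipping ignores."""
    db = {}
    for d in directories:
        for root, _dirs, files in os.walk(d):
            for name in files:
                path = os.path.join(root, name)
                if path in ignore or os.path.islink(path):
                    continue
                db[path] = file_digest(path)
    return db

class Syscheck:
    """Toy model of syscheck: baseline on start, alert on each checksum change."""

    def __init__(self, directories, ignore=()):
        self.directories = list(directories)
        self.ignore = set(ignore)
        self.baseline = scan(self.directories, self.ignore)
        self.change_count = {}       # path -> how often its checksum has changed

    def run(self):
        """One scan pass; returns (rule_id, level, description, path) per alert."""
        alerts = []
        current = scan(self.directories, self.ignore)
        for path, digest in current.items():
            if path in self.baseline and self.baseline[path] != digest:
                n = self.change_count.get(path, 0) + 1
                self.change_count[path] = n
                if n in SYSCHECK_RULES:
                    rule_id, level, desc = SYSCHECK_RULES[n]
                    alerts.append((rule_id, level, desc, path))
                # Beyond the 3rd change the file stays silent until update()
                # (assumed behaviour, modelled on syscheck_update -a).
        self.baseline = current
        return alerts

    def update(self):
        """Equivalent of syscheck_update -a: accept the current state as the new baseline."""
        self.baseline = scan(self.directories, self.ignore)
        self.change_count.clear()

def demo():
    """Constructed scenario: one monitored file changed four times, one ignored file."""
    with tempfile.TemporaryDirectory() as tmp:
        monitored = os.path.join(tmp, "passwd")
        ignored = os.path.join(tmp, "mtab")        # plays the role of /etc/mtab
        for path in (monitored, ignored):
            with open(path, "w") as f:
                f.write("initial\n")
        sc = Syscheck([tmp], ignore=[ignored])
        rounds = []
        for i in range(4):
            for path in (monitored, ignored):
                with open(path, "w") as f:
                    f.write(f"changed {i}\n")
            rounds.append([rule_id for rule_id, _, _, _ in sc.run()])
        return rounds

if __name__ == "__main__":
    print(demo())
```

The four rounds produce [[550], [551], [552], []]: the monitored file fires 550, 551 and 552 on its first three changes and nothing on the fourth, while the ignored file never appears, which is exactly why a constantly rewritten file such as /etc/mtab belongs in <ignore> rather than in the alert stream.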
  • 33. Management
  • 34. commands
    /var/ossec/manage_agents (>server, >agent)
    /var/ossec/agent_control -lc
    /var/ossec/agent_control -i [agentid]
    /var/ossec/agent_control -r -a
    /var/ossec/agent_control -R [agentid]
    /var/ossec/agent_control -r -u [agentid]
  • 35. Conclusion
  • 36. Conclusion
    Nobody knows your system/application as well as you.
    OSSEC is a mature starting point for your log management needs.
    Tuning rules never stops!
    Questions? http://www.ossec.net
  • 37. Thank you! wremes@gmail.com (all pictures = creative commons)