Open Source Security

This presentation was given at Excaliburcon in Wuxi, China and covers the use of open source solutions in a security infrastructure, with a special focus on OSSEC.

Transcript

  • 1. How is everyone? I am Wim Remes, from Belgium
  • 2. http://www.eurotrashsecurity.eu http://www.twitter.com/eurotrashsec Chris-John Riley, Craig Balding, Dale Pearson & me. (shameless self-promotion)
  • 3. Today's topic is: The value of open source solutions in a security infrastructure AND
  • 4. Infosec Technology in the past decade
  • 5. Pwned by a vendor ?
  • 6. It's time to unleash the power ...
  • 7. What can't you do with open source solutions?
  • 8. YES WE CAN !
  • 9. It's about the bottom line. Your bottom and Your line!
  • 10. OSSEC = Open Source Security: a host-based intrusion detection system
  • 11. Mr. Daniel Cid, His royal OSSECness. http://www.twitter.com/danielcid, dcid in #ossec on irc.freenode.net
  • 12. Agenda: 1. OSSEC Technical Overview, 2. OSSEC Rollout Scenarios, 3. OSSEC Rule engine
  • 13. OSSEC Technical Overview: Host-based intrusion detection; Client/Server architecture; Highly scalable; Cross platform; Log analysis; Integrity checking; Rootkit detection; Active response
  • 14. If a tree falls in a forest, and nobody hears it, did it really fall?
  • 15. OSSEC Technical Overview (diagram): OSSEC SERVER receiving syslog feeds and ossec agent feeds
  • 16. OSSEC Rollout Scenarios (diagram): OSSEC feeding a SIEM
  • 17. OSSEC Rollout Scenarios (diagram): customer 1, customer 2
  • 18. And thy network shall be named Babel
  • 19. OSSEC Rule engine: LOG (MSG) -> PRE-DECODE -> DECODE -> ANALYZE -> ALERT!
  • 20. OSSEC Rule engine: AGENT (ossec-logcollector) -> SERVER (ossec-analysisd, ossec-maild, ossec-execd); agent/server traffic is compressed (zlib) and encrypted (blowfish)
  • 21. Flexibility is the key word here!
  • 22. OSSEC Rule engine, PRE-DECODING
        Log line:     Feb 24 10:12:23 beijing appdaemon:stopped
        time/date:    Feb 24 10:12:23
        Hostname:     beijing
        Program_name: appdaemon
        Log:          stopped
  • 23. OSSEC Rule engine, PRE-DECODING
        Log line:     Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10
        time/date:    Feb 25 12:00:47
        Hostname:     beijing
        Program_name: appdaemon
        Log:          user john logged on from 10.10.10.10
  • 24. OSSEC Rule engine, DECODING
        Log line:     Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10
        time/date:    Feb 25 12:00:47
        Hostname:     beijing
        Program_name: appdaemon
        Log:          user john logged on from 10.10.10.10
        Srcip:        10.10.10.10
        User:         john
  • 25. OSSEC Rule engine, ANALYSIS:
        <rule id="666" level="0">
          <decoded_as>appdaemon</decoded_as>
          <description>appdaemon rule</description>
        </rule>
        <rule id="766" level="5">
          <if_sid>666</if_sid>
          <match>^ logged on </match>
          <description>successful logon</description>
        </rule>
  • 26. OSSEC Rule engine, ANALYSIS:
        <rule id="866" level="7">
          <if_sid>766</if_sid>
          <hostname>^beijing</hostname>
          <srcip>!192.168.10.0/24</srcip>
          <description>unauthorized logon!</description>
        </rule>
        <rule id="966" level="13">
          <if_sid>766</if_sid>
          <hostname>^shanghai</hostname>
          <user>!john</user>
          <description>unauthorised logon!</description>
        </rule>
  • 27. OSSEC Rule engine, ANALYSIS (rule tree): 666 -> 766 -> 866, 966
  • 28. OSSEC Rule engine, ANALYSIS:
        <rule id="1066" level="7">
          <if_sid>666</if_sid>
          <match>^login failed</match>
          <description>failed login!</description>
        </rule>
        <rule id="1166" level="9" frequency="10" timeframe="100">
          <if_matched_sid>1066</if_matched_sid>
          <same_source_ip />
          <description>Probable Brute Force!</description>
        </rule>
  • 29. OSSEC Rule engine: AGENT (ossec-logcollector) -> SERVER (ossec-analysisd, ossec-maild, ossec-execd); agent/server traffic is compressed (zlib) and encrypted (blowfish)
  • 30. Real Goodness: rule chain 666, 766, 866, 966, 1066, 1166 -> STOP!
  • 31. Real Goodness, active response on rule 1166:
        <active-response>
          <command>command2</command>
          <location>local</location>
          <rules_id>1166</rules_id>
          <timeout>600</timeout>
        </active-response>
        <command>
          <name>command2</name>
          <executable>command2.sh</executable>
          <expect>srcip</expect>
          <timeout_allowed>yes</timeout_allowed>
        </command>
  • 32.  
  • 33. Thank you. [email_address] (mail), blog.remes-it.be (blog), @wimremes (twitter), #ossec (irc)
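Added example (my own code, not from the slides or the OSSEC project): a small Python model of the PRE-DECODE, DECODE and ANALYSIS stages of slides 22 to 28, run over constructed appdaemon log lines, with the slides' rules 666 to 1166 turned into Python conditions. It simplifies what ossec-analysisd really does (substring match, one alert per event at the highest level, a plain per-srcip count for frequency/timeframe) and exists to show how the if_sid chain and the brute-force correlation behave on the sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
# Constructed sample events in the syslog shape the slides use (not real OSSEC output).
SAMPLE_LOGS = [
    "Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10",
    "Feb 25 12:01:03 shanghai appdaemon:user mallory logged on from 192.168.10.5",
] + ["Feb 25 12:02:%02d beijing appdaemon:login failed from 10.10.10.99" % i for i in range(10)]
SYSLOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:]+):(.*)$")
APPDAEMON_RE = re.compile(r"(?:user (\S+) logged on|login failed) from (\S+)")
# The slides' rules as (id, level, if_sid, condition); the "!" negation becomes `not` / `!=`.
RULES = [
    (666, 0, None, lambda ev: ev["program_name"] == "appdaemon"),  # <decoded_as>appdaemon</decoded_as>
    (766, 5, 666, lambda ev: "logged on" in ev["log"]),             # <match>
    (866, 7, 766, lambda ev: ev["hostname"] == "beijing" and "srcip" in ev
                  and ip_address(ev["srcip"]) not in ip_network("192.168.10.0/24")),  # <srcip>!...
    (966, 13, 766, lambda ev: ev["hostname"] == "shanghai" and ev.get("user") != "john"),  # <user>!john
    (1066, 7, 666, lambda ev: "login failed" in ev["log"]),
]
BRUTE_FORCE = (1166, 9, 1066, 10, 100)  # (id, level, if_matched_sid, frequency, timeframe) + same_source_ip

def pre_decode(line):
    """PRE-DECODE: split the syslog header into time/date, hostname, program_name and log."""
    m = SYSLOG_RE.match(line)
    return dict(zip(("timestamp", "hostname", "program_name", "log"), m.groups())) if m else None

def decode(ev):
    """DECODE: the appdaemon decoder pulls user and srcip out of the free-text log."""
    m = APPDAEMON_RE.search(ev["log"])
    return {**ev, "user": m.group(1), "srcip": m.group(2)} if m else ev

def analyze(lines):
    """ANALYSIS: per event, return (id, level, hostname, srcip) of the highest-level rule that fired (level 0 is silent)."""
    sid, level, base, frequency, timeframe = BRUTE_FORCE
    alerts, hits = [], defaultdict(list)  # hits[srcip] -> timestamps of that srcip's recent base matches
    for line in lines:
        ev = decode(pre_decode(line))  # constructed input always pre-decodes; real input needs a None check
        now, fired = datetime.strptime(ev["timestamp"], "%b %d %H:%M:%S"), {}
        for rid, lvl, parent, cond in RULES:
            if (parent is None or parent in fired) and cond(ev):
                fired[rid] = lvl  # a child rule is only evaluated once its <if_sid> parent matched
        if base in fired:  # keep this srcip's base matches inside the window, then add the current one
            ip = ev.get("srcip")
            hits[ip] = [t for t in hits[ip] if (now - t).total_seconds() <= timeframe] + [now]
            if len(hits[ip]) >= frequency: fired[sid] = level
        top = max(fired, key=fired.get, default=None)
        if top is not None and fired[top] > 0:
            alerts.append((top, fired[top], ev["hostname"], ev.get("srcip")))
    return alerts
```

With the sample input the tenth failed login from 10.10.10.99 is reported as rule 1166 rather than another 1066, which is the event slide 31 hands to command2.sh together with the srcip.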