Open Source Security

This presentation was given at Excaliburcon in Wuxi, China and covers the use of open source solutions in a security infrastructure, with a special focus on OSSEC.

Usage rights: CC Attribution-NonCommercial License

    Open Source Security: Presentation Transcript

    • How is everyone? I am Wim Remes, from Belgium.
    • http://www.eurotrashsecurity.eu http://www.twitter.com/eurotrashsec Chris-John Riley, Craig Balding, Dale Pearson & me. (shameless self-promotion)
    • Today's topic is: The value of open source solutions in a security infrastructure AND
    • Infosec Technology in the past decade
    • Pwned by a vendor ?
    • It's time to unleash the power ...
    • What can't you do with open source solutions?
    • YES WE CAN !
    • It's about the bottom line. Your bottom and Your line!
    • OSSEC (Open Source Security): a host-based intrusion detection system
    • Mr. Daniel Cid, His royal OSSECness: http://www.twitter.com/danielcid, dcid in #ossec on irc.freenode.net
    • 1. OSSEC Technical Overview 2. OSSEC Rollout Scenarios 3. OSSEC Rule engine
    • OSSEC Technical Overview: Host Based Intrusion Detection; Client/Server Architecture; Highly Scalable; Cross Platform; Log Analysis; Integrity Checking; Rootkit Detection; Active Response
    • If a tree falls in a forest, and nobody hears it, did it really fall?
    • OSSEC Technical Overview (diagram): an OSSEC SERVER fed by syslog, syslog and ossec agent sources
    • OSSEC Rollout Scenarios (diagram): OSSEC feeding a SIEM
    • OSSEC Rollout Scenarios (diagram labels: customer 1, customer 2)
    • And thy network shall be named Babel
    • OSSEC Rule engine (diagram): LOG -> PRE-DECODE -> DECODE -> ANALYZE -> ALERT! (MSG)
    • OSSEC Rule engine (diagram): AGENT (ossec-logcollector) -> SERVER (ossec-analysisd, ossec-maild, ossec-execd); agent-to-server traffic is compressed (zlib) and encrypted (blowfish)
    • Flexibility is the key word here!
    • OSSEC Rule engine: PRE-DECODING
      Log line: Feb 24 10:12:23 beijing appdaemon:stopped
      time/date    : Feb 24 10:12:23
      Hostname     : beijing
      Program_name : appdaemon
      Log          : stopped
    • OSSEC Rule engine: PRE-DECODING
      Log line: Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10
      time/date    : Feb 25 12:00:47
      Hostname     : beijing
      Program_name : appdaemon
      Log          : user john logged on from 10.10.10.10
    • OSSEC Rule engine: DECODING
      Log line: Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10
      time/date    : Feb 25 12:00:47
      Hostname     : beijing
      Program_name : appdaemon
      Log          : user john logged on from 10.10.10.10
      Srcip        : 10.10.10.10
      User         : john
    • OSSEC Rule engine: ANALYSIS
      <rule id="666" level="0">
        <decoded_as>appdaemon</decoded_as>
        <description>appdaemon rule</description>
      </rule>
      <rule id="766" level="5">
        <if_sid>666</if_sid>
        <match>^ logged on </match>
        <description>successful logon</description>
      </rule>
    • OSSEC Rule engine: ANALYSIS
      <rule id="866" level="7">
        <if_sid>766</if_sid>
        <hostname>^beijing</hostname>
        <srcip>!192.168.10.0/24</srcip>
        <description>unauthorized logon!</description>
      </rule>
      <rule id="966" level="13">
        <if_sid>766</if_sid>
        <hostname>^shanghai</hostname>
        <user>!john</user>
        <description>unauthorized logon!</description>
      </rule>
    • OSSEC Rule engine: ANALYSIS (diagram of the rule chain: 666 -> 766 -> 866 / 966)
    • OSSEC Rule engine: ANALYSIS
      <rule id="1066" level="7">
        <if_sid>666</if_sid>
        <match>^login failed</match>
        <description>failed login!</description>
      </rule>
      <rule id="1166" level="9" frequency="10" timeframe="100">
        <if_matched_sid>1066</if_matched_sid>
        <same_source_ip />
        <description>Probable Brute Force!</description>
      </rule>
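    The slides above walk one log line through pre-decoding, decoding and the chained rules 666 to 1166. The following is an added example, not code from the slides or from the OSSEC project: a toy Python version of that pipeline that runs the slides' rules over constructed sample log lines. Rule ids, hostnames and the 192.168.10.0/24 network are taken from the slides; the regular expressions, the `Engine` class and the sample lines are assumptions of this example. OSSEC `<match>` semantics are reduced to what the slides use (a leading `^` anchors the start, anything else is a substring test), and rule 766 is used without its leading `^`, because a start anchor cannot match the slide's own "user john logged on" line.

```python
# Added example, not code from the slides or the OSSEC project: a toy version of
# the pipeline the slides describe (pre-decode, decode, if_sid chaining, then
# if_matched_sid with frequency/timeframe and same_source_ip).
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<hostname>\S+) (?P<program>[^:]+):(?P<log>.*)$")
USER_RE = re.compile(r"\buser (?P<user>\S+)")                        # appdaemon decoder: user
SRCIP_RE = re.compile(r"\bfrom (?P<srcip>\d{1,3}(?:\.\d{1,3}){3})")  # appdaemon decoder: srcip

RULES = [  # the slides' rules; 766 without its leading '^' (a start anchor cannot match "user john logged on")
    {"id": 666, "level": 0, "decoded_as": "appdaemon", "description": "appdaemon rule"},
    {"id": 766, "level": 5, "if_sid": 666, "match": " logged on ", "description": "successful logon"},
    {"id": 866, "level": 7, "if_sid": 766, "hostname": "^beijing", "srcip": "!192.168.10.0/24", "description": "unauthorized logon!"},
    {"id": 966, "level": 13, "if_sid": 766, "hostname": "^shanghai", "user": "!john", "description": "unauthorized logon!"},
    {"id": 1066, "level": 7, "if_sid": 666, "match": "^login failed", "description": "failed login!"},
    {"id": 1166, "level": 9, "if_matched_sid": 1066, "frequency": 10, "timeframe": 100, "same_source_ip": True, "description": "Probable Brute Force!"},
]

def pre_decode(line):
    """Pre-decoding: syslog header -> time/date, hostname, program name, log (None if it does not parse)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["log"] = ev["log"].strip()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")  # syslog carries no year
    return ev

def decode(ev):
    """Decoding: the appdaemon decoder tags the event and pulls out user / srcip when present."""
    if ev["program"] == "appdaemon":
        ev["decoded_as"] = "appdaemon"
        for rx in (USER_RE, SRCIP_RE):
            m = rx.search(ev["log"])
            if m:
                ev.update(m.groupdict())
    return ev

def os_match(pattern, text):
    """Assumed OSSEC <match> semantics, reduced to what the slides use: '^' anchors the start, else substring."""
    return text.startswith(pattern[1:]) if pattern.startswith("^") else pattern in text

def field_matches(spec, value, is_ip=False):
    """Field test with the slides' '!' negation; srcip specs may be CIDR. A missing field never matches."""
    negate = spec.strip().startswith("!")
    spec = spec.strip().lstrip("!").strip()
    if value is None:
        return False
    hit = ip_address(value) in ip_network(spec, strict=False) if is_ip else os_match(spec, value)
    return hit != negate

class Engine:
    def __init__(self, rules):
        self.children = defaultdict(list)   # parent rule id (None = top level) -> child rules
        for r in rules:
            self.children[r.get("if_sid", r.get("if_matched_sid"))].append(r)
        self.history = defaultdict(deque)   # (rule id, srcip or None) -> timestamps of recent matches

    def _frequency_hit(self, r, ev):
        """if_matched_sid: fire once `frequency` matches fall inside `timeframe` seconds (per srcip if requested)."""
        srcip = ev.get("srcip") if r.get("same_source_ip") else None
        if r.get("same_source_ip") and srcip is None:
            return False
        hist = self.history[(r["id"], srcip)]
        hist.append(ev["ts"])
        while (ev["ts"] - hist[0]).total_seconds() > r["timeframe"]:
            hist.popleft()
        if len(hist) < r["frequency"]:
            return False
        hist.clear()  # one alert per burst, then count afresh
        return True

    def _matches(self, r, ev):
        return (("decoded_as" not in r or ev.get("decoded_as") == r["decoded_as"])
                and ("match" not in r or os_match(r["match"], ev["log"]))
                and all(field_matches(r[f], ev.get(f)) for f in ("hostname", "user") if f in r)
                and ("srcip" not in r or field_matches(r["srcip"], ev.get("srcip"), is_ip=True))
                and ("if_matched_sid" not in r or self._frequency_hit(r, ev)))

    def evaluate(self, ev, rules=None):
        """Walk the rule tree, highest level first; the deepest matching rule wins."""
        for r in sorted(self.children[None] if rules is None else rules, key=lambda x: -x["level"]):
            if self._matches(r, ev):
                return self.evaluate(ev, self.children[r["id"]]) or r
        return None

def run(lines, rules=RULES):
    """Feed lines through the pipeline; return (rule id, level, hostname, srcip) for every alert (level > 0)."""
    engine, alerts = Engine(rules), []
    for line in lines:
        ev = pre_decode(line)
        r = engine.evaluate(decode(ev)) if ev else None
        if r and r["level"] > 0:
            alerts.append((r["id"], r["level"], ev["hostname"], ev.get("srcip")))
    return alerts

SAMPLE_LOGS = [  # constructed sample input
    "Feb 24 10:12:23 beijing appdaemon:stopped",
    "Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10",
    "Feb 25 12:01:00 beijing appdaemon:user john logged on from 192.168.10.5",
    "Feb 25 12:02:00 shanghai appdaemon:user mallory logged on from 192.168.10.7",
    "Feb 25 12:05:04 beijing appdaemon:login failed for user root from 10.10.10.99",
] + ["Feb 25 12:05:%02d beijing appdaemon:login failed for user root from 10.10.10.10" % s for s in range(10, 20)]

if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print(alert)
```

    Running it shows the behaviour the slides imply: the "stopped" line only reaches rule 666 (level 0, no alert), the logon from 10.10.10.10 escalates to 866, the one from inside 192.168.10.0/24 stays at 766, the non-john logon on shanghai hits 966, each failed login alerts at 1066, and only the tenth failure from the same source IP inside the 100-second window promotes to 1166. The failure from 10.10.10.99 is counted separately because of same_source_ip.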
    • OSSEC Rule engine (diagram): AGENT (ossec-logcollector) -> SERVER (ossec-analysisd, ossec-maild, ossec-execd); agent-to-server traffic is compressed (zlib) and encrypted (blowfish)
    • Real Goodness: the rule chain 666, 766, 866, 966, 1066, 1166 -> STOP!
    • Real Goodness: active response on rule 1166
      <active-response>
        <command>command2</command>
        <location>local</location>
        <rules_id>1166</rules_id>
        <timeout>600</timeout>
      </active-response>
      <command>
        <name>command2</name>
        <executable>command2.sh</executable>
        <expect>srcip</expect>
        <timeout_allowed>yes</timeout_allowed>
      </command>
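    The configuration above binds the executable command2.sh to rule 1166, hands it the source IP (expect srcip) and lets OSSEC undo the action after 600 seconds (timeout). The following is an added example, not code from the slides or from the OSSEC project: a Python stand-in for such an executable. Its calling convention (first argument "add" or "delete", then user, then source IP, with the server re-running the command with "delete" when the timeout expires) is assumed from OSSEC's stock active-response scripts; the deny-list file path and the allow-listed 192.168.10.0/24 network (the trusted network in the slides' rule 866) are assumptions of this example. The point it makes for a defender: the srcip value originates in a log line, so it is validated as an address before anything is done with it, and the trusted network can never be blocked by a spoofed failure burst.

```python
# Added example, not code from the slides or the OSSEC project: a Python
# stand-in for the command2.sh executable referenced above. Assumed argv
# convention (from OSSEC's stock scripts): action ("add"|"delete"), user, srcip.
import json
import os
import sys
import time
from ipaddress import ip_address, ip_network

DENY_FILE = os.environ.get("DENY_FILE", "/tmp/example-deny-list.json")  # placeholder path
ALLOW_LIST = [ip_network("192.168.10.0/24")]  # the slides' trusted network: never block it

def apply_action(entries, action, user, srcip, now=None):
    """Return a new deny dict after one action. srcip originates in a log line,
    i.e. untrusted input, so it is parsed as an address before use; anything
    that is not an address, or an unknown action, raises ValueError."""
    ip = ip_address(srcip)
    if action not in ("add", "delete"):
        raise ValueError("unknown action %r" % action)
    entries = dict(entries)
    if action == "add":
        if any(ip in net for net in ALLOW_LIST):
            return entries  # protected source: record nothing
        entries[str(ip)] = {"user": user, "since": time.time() if now is None else now}
    else:
        entries.pop(str(ip), None)  # timeout expired: OSSEC calls us again with "delete"
    return entries

def load(path):
    try:
        with open(path) as fh:
            return json.load(fh)
    except FileNotFoundError:
        return {}

def save(path, entries):
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(entries, fh, indent=2, sort_keys=True)
    os.replace(tmp, path)  # atomic swap, so a crash never leaves a half-written list

def main(argv):
    if len(argv) < 4:
        sys.stderr.write("usage: %s add|delete <user> <srcip>\n" % argv[0])
        return 2
    action, user, srcip = argv[1:4]
    try:
        entries = apply_action(load(DENY_FILE), action, user, srcip)
    except ValueError as exc:
        sys.stderr.write("refused: %s\n" % exc)
        return 1
    save(DENY_FILE, entries)
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    A real deployment would turn the entries into firewall or hosts.deny rules instead of a JSON file; the validation, the allow list and the add/delete symmetry are the parts worth keeping, because the script runs with the server's privileges on input that came straight out of a log.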
    • Thank you! [email_address] (mail) blog.remes-it.be (blog) @wimremes (twitter) #ossec (irc)