Open Source Security
This presentation was given at Excaliburcon in Wuxi, China and covers the use of open source solutions in a security infrastructure, with a special focus on OSSEC.

Published in: Technology
Transcript

  • 1. How is everyone? I am Wim Remes, from Belgium.
  • 2. http://www.eurotrashsecurity.eu http://www.twitter.com/eurotrashsec Chris-John Riley, Craig Balding, Dale Pearson & me. (shameless self-promotion)
  • 3. Today's topic is: The value of open source solutions in a security infrastructure AND
  • 4. Infosec Technology in the past decade
  • 5. Pwned by a vendor ?
  • 6. It's time to unleash the power ...
  • 7. What can't you do with open source solutions?
  • 8. YES WE CAN !
  • 9. It's about the bottom line. Your bottom and Your line!
  • 10. Open Source Security. A host-based intrusion detection system
  • 11. Mr. Daniel Cid, His royal OSSECness. http://www.twitter.com/danielcid, dcid in #ossec on irc.freenode.net
  • 12. Agenda: OSSEC Technical Overview, OSSEC Rollout Scenarios, OSSEC Rule engine
  • 13. OSSEC Technical Overview: Host Based Intrusion Detection, Client/Server Architecture, Highly Scalable, Cross Platform, Log Analysis, Integrity Checking, Rootkit Detection, Active Response
  • 14. If a tree falls in a forest, and nobody hears it, did it really fall?
  • 15. OSSEC Technical Overview (diagram): OSSEC SERVER receiving from syslog, syslog and ossec sources
  • 16. OSSEC Rollout Scenarios (diagram): OSSEC feeding a SIEM
  • 17. OSSEC Rollout Scenarios (diagram): customer 1, customer 2
  • 18. And thy network shall be named Babel
  • 19. OSSEC Rule engine (diagram): LOG, PRE-DECODE, DECODE, ANALYZE, ALERT! MSG
  • 20. OSSEC Rule engine (diagram): AGENT (ossec-logcollector) and SERVER (ossec-analysisd, ossec-maild, ossec-execd); agent-to-server traffic is Compressed (zlib) and Encrypted (blowfish)
  • 21. Flexibility is the key word here!
  • 22. OSSEC Rule engine, PRE-DECODING. Log line: Feb 24 10:12:23 beijing appdaemon:stopped
    time/date : Feb 24 10:12:23
    Hostname : beijing
    Program_name : appdaemon
    Log : stopped
  • 23. OSSEC Rule engine, PRE-DECODING. Log line: Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10
    time/date : Feb 25 12:00:47
    Hostname : beijing
    Program_name : appdaemon
    Log : user john logged on from 10.10.10.10
  • 24. OSSEC Rule engine, DECODING. Log line: Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10
    time/date : Feb 25 12:00:47
    Hostname : beijing
    Program_name : appdaemon
    Log : user john logged on from 10.10.10.10
    Srcip : 10.10.10.10
    User : john
  • 25. OSSEC Rule engine, ANALYSIS:
    <rule id="666" level="0">
      <decoded_as>appdaemon</decoded_as>
      <description>appdaemon rule</description>
    </rule>
    <rule id="766" level="5">
      <if_sid>666</if_sid>
      <match>^logged on</match>
      <description>successful logon</description>
    </rule>
  • 26. OSSEC Rule engine, ANALYSIS:
    <rule id="866" level="7">
      <if_sid>766</if_sid>
      <hostname>^beijing</hostname>
      <srcip>!192.168.10.0/24</srcip>
      <description>unauthorized logon!</description>
    </rule>
    <rule id="966" level="13">
      <if_sid>766</if_sid>
      <hostname>^shanghai</hostname>
      <user>!john</user>
      <description>unauthorised logon !</description>
    </rule>
  • 27. OSSEC Rule engine, ANALYSIS (diagram): rule tree 666, 766, 866, 966
  • 28. OSSEC Rule engine, ANALYSIS:
    <rule id="1066" level="7">
      <if_sid>666</if_sid>
      <match>^login failed</match>
      <description>failed login !</description>
    </rule>
    <rule id="1166" level="9" frequency="10" timeframe="100">
      <if_matched_sid>1066</if_matched_sid>
      <same_source_ip />
      <description>Probable Brute Force !</description>
    </rule>
  • 29. OSSEC Rule engine (diagram): AGENT (ossec-logcollector) and SERVER (ossec-analysisd, ossec-maild, ossec-execd); agent-to-server traffic is Compressed (zlib) and Encrypted (blowfish)
  • 30. Real Goodness (diagram): 666, 766, 866, 966, 1066, 1166, STOP!
  • 31. Real Goodness, ossec.conf: commands (command1, command2, command3 ...) are bound to actions (action1, action2, action3 ...); here rule 1166 triggers command2:
    <active-response>
      <command>command2</command>
      <location>local</location>
      <rules_id>1166</rules_id>
      <timeout>600</timeout>
    </active-response>
    <command>
      <name>command2</name>
      <executable>command2.sh</executable>
      <expect>srcip</expect>
      <timeout_allowed>yes</timeout_allowed>
    </command>
  • 32. Thank you. wim@remes-it.be (mail), blog.remes-it.be (blog), @wimremes (twitter), #ossec (irc)
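The pre-decode, decode and analysis chain from slides 22-28, as an added Python simulation that is not OSSEC's own code (ossec-analysisd is written in C): the syslog header split, an appdaemon decoder, the if_sid chain 666/766/866/966 and the frequency rule 1166. The "login failed for user X from IP" message form and the Analyzer class are constructed assumptions; OSSEC's <match> is a substring test, and the real daemon's frequency counting differs slightly from the literal 10 used here.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Pre-decoding (slides 22-23): syslog header -> time/date, hostname, program_name, log.
SYSLOG = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^:]+):\s*(.*)$")
# Decoding (slide 24): appdaemon decoder for user/srcip; the "login failed" form is constructed.
LOGON = re.compile(r"^user (\S+) logged on from (\S+)$")
FAILED = re.compile(r"^login failed for user (\S+) from (\S+)$")
LOCAL_NET = ip_network("192.168.10.0/24")  # the <srcip> exclusion of rule 866

def decode(line):
    m = SYSLOG.match(line)
    if not m:
        return None
    ev = dict(zip(("time", "hostname", "program_name", "log"), m.groups()))
    if ev["program_name"] == "appdaemon":
        for rx in (LOGON, FAILED):
            hit = rx.match(ev["log"])
            if hit:
                ev["user"], ev["srcip"] = hit.groups()
    return ev

class Analyzer:
    """Rules 666-1166 from the slides: an if_sid chain plus the frequency rule 1166."""
    FREQUENCY, TIMEFRAME = 10, 100

    def __init__(self):
        self.failed = {}  # srcip -> timestamps of rule 1066 matches

    def analyze(self, line, year=2000):
        ev = decode(line)
        if not ev or ev["program_name"] != "appdaemon":
            return None
        rule, src = (666, 0), ev.get("srcip")  # 666: <decoded_as>appdaemon</decoded_as>
        if "logged on" in ev["log"]:  # 766: OSSEC's <match> is a substring test
            rule = (766, 5)
            if ev["hostname"].startswith("beijing") and src and ip_address(src) not in LOCAL_NET:
                rule = (866, 7)  # 866: logon to beijing from outside 192.168.10.0/24
            elif ev["hostname"].startswith("shanghai") and ev.get("user") not in (None, "john"):
                rule = (966, 13)  # 966: anyone but john logging on to shanghai
        elif ev["log"].startswith("login failed"):
            rule = (1066, 7)
            if src:  # 1166: count 1066 matches per source IP inside the timeframe
                ts = datetime.strptime(f"{year} {ev['time']}", "%Y %b %d %H:%M:%S").timestamp()
                self.failed.setdefault(src, []).append(ts)
                seen = self.failed[src] = [t for t in self.failed[src] if ts - t <= self.TIMEFRAME]
                if len(seen) >= self.FREQUENCY:  # real ossec-analysisd counts slightly differently
                    rule = (1166, 9)
        return rule
```

The returned (rule id, level) is what the active-response block on slide 31 keys on: only a 1166 hit would run command2.sh with the offending srcip.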