Open Source Security

This presentation was given at Excaliburcon in Wuxi, China and covers the use of open source solutions in a security infrastructure, with a special focus on OSSEC.

Transcript

  • 1. How is everyone? I am Wim Remes, from Belgium
  • 2. http://www.eurotrashsecurity.eu http://www.twitter.com/eurotrashsec Chris-John Riley, Craig Balding, Dale Pearson & me. (shameless self-promotion)
  • 3. Today's topic is: The value of open source solutions in a security infrastructure AND
  • 4. Infosec Technology in the past decade
  • 5. Pwned by a vendor ?
  • 6. It's time to unleash the power ...
  • 7. What can't you do with open source solutions?
  • 8. YES WE CAN !
  • 9. It's about the bottom line. Your bottom and Your line!
  • 10. OSSEC: Open Source Security, a host-based intrusion detection system
  • 11. Mr. Daniel Cid, His royal OSSECness: http://www.twitter.com/danielcid, dcid in #ossec on irc.freenode.net
  • 12. 1. OSSEC Technical Overview, 2. OSSEC Rollout Scenarios, 3. OSSEC Rule engine
  • 13. OSSEC Technical Overview: Host Based Intrusion Detection, Client/Server Architecture, Highly Scalable, Cross Platform, Log Analysis, Integrity Checking, Rootkit Detection, Active Response
  • 14. If a tree falls in a forest, and nobody hears it, did it really fall?
  • 15. OSSEC Technical Overview (diagram): OSSEC SERVER receiving syslog, syslog and ossec feeds
  • 16. OSSEC Rollout Scenarios (diagram): OSSEC with a SIEM
  • 17. OSSEC Rollout Scenarios (diagram): customer 1, customer 2
  • 18. And thy network shall be named Babel
  • 19. OSSEC Rule engine (diagram): LOG → PRE-DECODE → DECODE → ANALYZE → ALERT! (MSG)
  • 20. OSSEC Rule engine (diagram): AGENT runs ossec-logcollector; SERVER runs ossec-analysisd, ossec-maild, ossec-execd; the agent-server link is compressed (zlib) and encrypted (blowfish)
  • 21. Flexibility is the key word here!
  • 22. OSSEC Rule engine, PRE-DECODING: the log line "Feb 24 10:12:23 beijing appdaemon:stopped" becomes
    time/date: Feb 24 10:12:23; Hostname: beijing; Program_name: appdaemon; Log: stopped
  • 23. OSSEC Rule engine, PRE-DECODING: the log line "Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10" becomes
    time/date: Feb 25 12:00:47; Hostname: beijing; Program_name: appdaemon; Log: user john logged on from 10.10.10.10
  • 24. OSSEC Rule engine, DECODING: the pre-decoded event from "Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10" becomes
    time/date: Feb 25 12:00:47; Hostname: beijing; Program_name: appdaemon; Log: user john logged on from 10.10.10.10; Srcip: 10.10.10.10; User: john
  • 25. OSSEC Rule engine, ANALYSIS:
    <rule id="666" level="0">
      <decoded_as>appdaemon</decoded_as>
      <description>appdaemon rule</description>
    </rule>
    <rule id="766" level="5">
      <if_sid>666</if_sid>
      <!-- no ^ anchor: the log text begins with "user john", not with "logged on" -->
      <match> logged on </match>
      <description>successful logon</description>
    </rule>
  • 26. OSSEC Rule engine, ANALYSIS:
    <rule id="866" level="7">
      <if_sid>766</if_sid>
      <hostname>^beijing</hostname>
      <srcip>!192.168.10.0/24</srcip>
      <description>unauthorized logon!</description>
    </rule>
    <rule id="966" level="13">
      <if_sid>766</if_sid>
      <hostname>^shanghai</hostname>
      <user>!john</user>
      <description>unauthorised logon!</description>
    </rule>
  • 27. OSSEC Rule engine, ANALYSIS (diagram): rule tree 666 → 766 → 866, 966
  • 28. OSSEC Rule engine, ANALYSIS:
    <rule id="1066" level="7">
      <if_sid>666</if_sid>
      <match>^login failed</match>
      <description>failed login!</description>
    </rule>
    <rule id="1166" level="9" frequency="10" timeframe="100">
      <if_matched_sid>1066</if_matched_sid>
      <same_source_ip />
      <description>Probable Brute Force!</description>
    </rule>
  • 29. OSSEC Rule engine (diagram): AGENT runs ossec-logcollector; SERVER runs ossec-analysisd, ossec-maild, ossec-execd; the agent-server link is compressed (zlib) and encrypted (blowfish)
  • 30. Real Goodness (diagram): 666 → 766 → 866, 966; 666 → 1066 → 1166 → STOP!
  • 31. Real Goodness, active response for rule 1166:
    <active-response>
      <command>command2</command>
      <location>local</location>
      <rules_id>1166</rules_id>
      <timeout>600</timeout>
    </active-response>
    <command>
      <name>command2</name>
      <executable>command2.sh</executable>
      <expect>srcip</expect>
      <timeout_allowed>yes</timeout_allowed>
    </command>
  • 33. Thank you. [email_address] (mail), blog.remes-it.be (blog), @wimremes (twitter), #ossec (irc)
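The pipeline of slides 22 to 30 (pre-decode, decode, the rule tree with if_sid, the "!" negations of slide 26, and the frequency/timeframe correlation of rule 1166) as a small Python mini-engine added here for illustration; it is not OSSEC's code or the presenter's. Rule ids, hostnames, the 192.168.10.0/24 network and the frequency/timeframe values come from the slides; the sample log lines, the appdaemon message format and the assumption that a rule later in the tree is the more specific one are mine.

```python
import ipaddress
import re

# Constructed sample lines in the syslog shape used on the slides (not real captures).
LOGS = ["Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10",
        "Feb 25 12:01:02 shanghai appdaemon:user alice logged on from 192.168.10.5",
        *(f"Feb 25 12:02:{i:02d} beijing appdaemon:login failed from 10.10.10.10" for i in range(10))]
SYSLOG = re.compile(r"^\w{3} +\d+ (?P<hms>\d\d:\d\d:\d\d) (?P<hostname>\S+) (?P<program>[^:]+):(?P<log>.*)$")
APPDAEMON = re.compile(r"(?:user (?P<user>\S+) )?(?:logged on|login failed) from (?P<srcip>\S+)")
# The rule tree of slides 25, 26 and 28 as dicts; srcip_not/user_not stand for the "!" negations.
RULES = [
    {"id": 666, "level": 0},  # <decoded_as>appdaemon</decoded_as>: decode() already selects on program name
    {"id": 766, "level": 5, "if_sid": 666, "match": " logged on "},
    {"id": 866, "level": 7, "if_sid": 766, "hostname": "beijing", "srcip_not": "192.168.10.0/24"},
    {"id": 966, "level": 13, "if_sid": 766, "hostname": "shanghai", "user_not": "john"},
    {"id": 1066, "level": 7, "if_sid": 666, "match": "login failed"},
    {"id": 1166, "level": 9, "if_matched_sid": 1066, "frequency": 10, "timeframe": 100},
]

def decode(line):  # pre-decode (slide 22) the syslog envelope, then decode (slide 24) srcip and user
    m = SYSLOG.match(line)
    if not m or m["program"] != "appdaemon":  # the appdaemon decoder is bound to that program name
        return None
    ev = m.groupdict()
    ev["secs"] = sum(int(x) * k for x, k in zip(ev["hms"].split(":"), (3600, 60, 1)))  # same-day offset
    d = APPDAEMON.search(ev["log"])
    return {**ev, **{k: v for k, v in d.groupdict().items() if v}} if d else ev
def matches(r, ev, history):  # one rule's own conditions against one decoded event
    if r.get("match", "") not in ev["log"] or not ev["hostname"].startswith(r.get("hostname", "")):
        return False
    if "srcip_not" in r and ("srcip" not in ev or ipaddress.ip_address(ev["srcip"]) in ipaddress.ip_network(r["srcip_not"])):
        return False
    if "user_not" in r and ev.get("user") in (None, r["user_not"]):
        return False
    if "if_matched_sid" in r:  # frequency/timeframe correlation per source ip, like <same_source_ip/>
        hits = history.setdefault((r["id"], ev.get("srcip")), [])
        hits[:] = [h for h in hits if ev["secs"] - h <= r["timeframe"]] + [ev["secs"]]
        return "srcip" in ev and len(hits) >= r["frequency"]
    return True
def analyze(lines):  # (rule id, level) of the most specific alerting rule for each decoded line
    history, alerts = {}, []
    for ev in filter(None, map(decode, lines)):
        fired = set()
        for r in RULES:  # children follow their parents, so if_sid/if_matched_sid can consult `fired`
            parent = r.get("if_sid", r.get("if_matched_sid"))
            if (parent is None or parent in fired) and matches(r, ev, history):
                fired.add(r["id"])
        top = [r for r in RULES if r["id"] in fired and r["level"] > 0]  # later in the tree = more specific
        alerts += [(top[-1]["id"], top[-1]["level"])] if top else []
    return alerts
```

Running analyze(LOGS) yields 866 for john's logon, 966 for alice's, nine 1066 alerts and then 1166 on the tenth failed login, which is the point at which slide 31's active response would run command2.sh with the srcip.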