Open Source Security

This presentation was given at Excaliburcon in Wuxi, China and covers the use of open source solutions in a security infrastructure, with a special focus on OSSEC.

Transcript of "Open Source Security"

  1. How is everyone? I am Wim Remes, Belgium.
  2. http://www.eurotrashsecurity.eu http://www.twitter.com/eurotrashsec Chris-John Riley, Craig Balding, Dale Pearson & me. (shameless self-promotion)
  3. Today's topic is: The value of open source solutions in a security infrastructure AND
  4. Infosec Technology in the past decade
  5. Pwned by a vendor ?
  6. It's time to unleash the power ...
  7. What can't you do with open source solutions?
  8. YES WE CAN !
  9. It's about the bottom line. Your bottom and Your line!
  10. Open Source Security: A host-based intrusion detection system
  11. Mr. Daniel Cid, His royal OSSECness. http://www.twitter.com/danielcid, dcid in #ossec on irc.freenode.net
  12. OSSEC Technical Overview; OSSEC Rollout Scenarios; OSSEC Rule engine
  13. OSSEC Technical Overview: Host Based Intrusion Detection, Client/Server Architecture, Highly Scalable, Cross Platform, Log Analysis, Integrity Checking, Rootkit Detection, Active Response
  14. If a tree falls in a forest, and nobody hears it, did it really fall?
  15. OSSEC Technical Overview (diagram labels: OSSEC SERVER, syslog, syslog, ossec)
  16. OSSEC Rollout Scenarios (diagram label: SIEM)
  17. OSSEC Rollout Scenarios (diagram labels: customer 1, customer 2)
  18. And thy network shall be named Babel
  19. OSSEC Rule engine (diagram labels: ANALYZE, PRE-DECODE, DECODE, LOG, ALERT!, MSG)
  20. OSSEC Rule engine (diagram). AGENT: ossec-logcollector. SERVER: ossec-analysisd, ossec-maild, ossec-execd. Compressed (zlib), Encrypted (blowfish).
  21. Flexibility is the key word here!
  22. OSSEC Rule engine, PRE-DECODING:
      Feb 24 10:12:23 beijing appdaemon:stopped
      time/date :: Feb 24 10:12:23
      Hostname :: beijing
      Program_name :: appdaemon
      Log :: stopped
  23. OSSEC Rule engine, PRE-DECODING:
      Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10
      time/date :: Feb 25 12:00:47
      Hostname :: beijing
      Program_name :: appdaemon
      Log :: user john logged on from 10.10.10.10
  24. OSSEC Rule engine, DECODING:
      Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10
      time/date :: Feb 25 12:00:47
      Hostname :: beijing
      Program_name :: appdaemon
      Log :: user john logged on from 10.10.10.10
      Srcip :: 10.10.10.10
      User :: john
  25. OSSEC Rule engine, ANALYSIS:
      <rule id="666" level="0">
        <decoded_as>appdaemon</decoded_as>
        <description>appdaemon rule</description>
      </rule>
      <rule id="766" level="5">
        <if_sid>666</if_sid>
        <match>^logged on</match>
        <description>successful logon</description>
      </rule>
  26. OSSEC Rule engine, ANALYSIS:
      <rule id="866" level="7">
        <if_sid>766</if_sid>
        <hostname>^beijing</hostname>
        <srcip>!192.168.10.0/24</srcip>
        <description>unauthorized logon!</description>
      </rule>
      <rule id="966" level="13">
        <if_sid>766</if_sid>
        <hostname>^shanghai</hostname>
        <user>!john</user>
        <description>unauthorised logon !</description>
      </rule>
  27. OSSEC Rule engine, ANALYSIS (diagram labels: 666, 766, 866, 966)
  28. OSSEC Rule engine, ANALYSIS:
      <rule id="1066" level="7">
        <if_sid>666</if_sid>
        <match>^login failed</match>
        <description>failed login !</description>
      </rule>
      <rule id="1166" level="9" frequency="10" timeframe="100">
        <if_matched_sid>1066</if_matched_sid>
        <same_source_ip />
        <description>Probable Brute Force !</description>
      </rule>
  29. OSSEC Rule engine (diagram). AGENT: ossec-logcollector. SERVER: ossec-analysisd, ossec-maild, ossec-execd. Compressed (zlib), Encrypted (blowfish).
  30. Real Goodness (diagram labels: 666, 766, 866, 966, 1066, 1166, STOP!)
  31. Real Goodness, ossec.conf:
      command1, command2, command3, ...
      <active-response>
        <command>command2</command>
        <location>local</location>
        <rules_id>1166</rules_id>
        <timeout>600</timeout>
      </active-response>
      action1, action2, action3, ...
      <command>
        <name>command2</name>
        <executable>command2.sh</executable>
        <expect>srcip</expect>
        <timeout_allowed>yes</timeout_allowed>
      </command>
      1166
  32. Thank you. wim@remes-it.be (mail), blog.remes-it.be (blog), @wimremes (twitter), #ossec (irc)
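The pre-decoding, decoding, rule-tree and frequency examples on slides 22 through 28, together with the active-response binding on slide 31, modelled as one small Python program. This is an added example, not OSSEC's own code; it keeps the slides' rule ids, levels and conditions. It assumes a `login failed for USER from IP` log form (the slides show no failed-login line), matches rule 766 on `logged on` without the slide's leading `^` because the slide-24 log text begins with `user`, and simplifies OSSEC's semantics to "deepest matching rule wins" and "at least `frequency` matches within `timeframe` seconds". The active-response part only reports which command and argument ossec-execd would be handed; it runs nothing.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Added example, not OSSEC's own code: a toy model of the pipeline on slides 19-31.
SYSLOG_RE = re.compile(r"^(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:\s]+):\s*(.*)$")

def pre_decode(line):
    """Pre-decoding (slide 22): time/date, hostname, program_name and log."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, host, prog, log = m.groups()
    return {"time/date": ts, "ts": datetime.strptime(ts, "%b %d %H:%M:%S"),
            "hostname": host, "program_name": prog, "log": log}

def decode(ev):
    """Decoding (slide 24): the appdaemon decoder adds srcip and user."""
    if ev["program_name"] == "appdaemon":
        m = (re.search(r"user (\S+) logged on from (\S+)", ev["log"])        # slide-24 form
             or re.match(r"login failed for (\S+) from (\S+)", ev["log"]))  # assumed form
        if m:
            ev["user"], ev["srcip"] = m.group(1), m.group(2)
    return ev

# Rule tree from slides 25-28; a leading "!" negates a srcip/user test, as in the XML.
# Assumption: 766 matches "logged on" without the slide's ^ (the slide-24 log text starts with "user").
RULES = {
    666: {"level": 0, "decoded_as": "appdaemon", "description": "appdaemon rule"},
    766: {"level": 5, "if_sid": 666, "match": "logged on", "description": "successful logon"},
    866: {"level": 7, "if_sid": 766, "hostname": "^beijing", "srcip": "!192.168.10.0/24",
          "description": "unauthorized logon!"},
    966: {"level": 13, "if_sid": 766, "hostname": "^shanghai", "user": "!john",
          "description": "unauthorised logon !"},
    1066: {"level": 7, "if_sid": 666, "match": "^login failed", "description": "failed login !"},
    1166: {"level": 9, "if_matched_sid": 1066, "frequency": 10, "timeframe": 100,
           "same_source_ip": True, "description": "Probable Brute Force !"},
}
ACTIVE_RESPONSE = {"command": "command2", "location": "local", "rules_id": 1166, "timeout": 600}  # slide 31
COMMANDS = {"command2": {"executable": "command2.sh", "expect": "srcip", "timeout_allowed": "yes"}}

def _match(pattern, text):   # OSSEC-style match: a leading ^ anchors at the start, else substring
    return text.startswith(pattern[1:]) if pattern.startswith("^") else pattern in text

def _conditions_hold(rule, ev):
    if "decoded_as" in rule and ev["program_name"] != rule["decoded_as"]:
        return False
    for key, field in (("match", "log"), ("hostname", "hostname")):
        if key in rule and not _match(rule[key], ev[field]):
            return False
    # srcip/user: fail if the field is absent, a negated test hits, or a plain test misses.
    if "srcip" in rule and ("srcip" not in ev or rule["srcip"].startswith("!") ==
            (ip_address(ev["srcip"]) in ip_network(rule["srcip"].lstrip("!")))):
        return False
    if "user" in rule and ("user" not in ev or rule["user"].startswith("!") ==
            (ev["user"] == rule["user"].lstrip("!"))):
        return False
    return True

class Engine:
    """ossec-analysisd in miniature: deepest matching rule wins; a history serves the frequency rule."""
    def __init__(self, rules):
        self.rules, self.children, self.history = rules, {}, []
        for rid, r in rules.items():
            if "if_sid" in r:
                self.children.setdefault(r["if_sid"], []).append(rid)
        self.roots = [rid for rid, r in rules.items()
                      if "if_sid" not in r and "if_matched_sid" not in r]

    def _first(self, rids, ev):
        return next((r for r in rids if _conditions_hold(self.rules[r], ev)), None)

    def analyze(self, line):
        ev = pre_decode(line)
        if ev is None:
            return None
        ev = decode(ev)
        matched, hit = None, self._first(self.roots, ev)
        while hit is not None:                     # descend the tree; deepest match wins
            matched, hit = hit, self._first(self.children.get(hit, []), ev)
        if matched is None:
            return None
        self.history.append((ev["ts"], matched, ev.get("srcip")))
        for rid, r in self.rules.items():          # slide 28: >= frequency hits inside timeframe s
            if r.get("if_matched_sid") == matched:
                since = ev["ts"] - timedelta(seconds=r["timeframe"])
                hits = [h for h in self.history if h[1] == matched and h[0] >= since
                        and (not r.get("same_source_ip") or h[2] == ev.get("srcip"))]
                if len(hits) >= r["frequency"]:
                    matched = rid
        return {"rule": matched, "level": self.rules[matched]["level"], "srcip": ev.get("srcip")}

def active_response(alert):
    """Slide 31: what ossec-execd would be handed for this alert; nothing is executed."""
    if not alert or alert["rule"] != ACTIVE_RESPONSE["rules_id"]:
        return None
    cmd = COMMANDS[ACTIVE_RESPONSE["command"]]
    return {"executable": cmd["executable"], cmd["expect"]: alert[cmd["expect"]],
            "timeout": ACTIVE_RESPONSE["timeout"]}
```

Feeding ten constructed `login failed` lines from one address within 100 seconds to a single `Engine` yields rule 1066 nine times and 1166 on the tenth, and `active_response` then returns `command2.sh` with the `srcip` that the `<expect>` element asks for; the same ten lines spread across different addresses, or spaced 60 seconds apart, never reach 1166. The slide-24 logon from 10.10.10.10 on beijing ends at rule 866, while the same user from inside 192.168.10.0/24 stops at 766.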