OSSEC @ ISSA Jan 21st 2010
These are the slides of my presentation at the ISSA Brussels-European Chapter about OSSEC and Log Management standards and principles.

    Presentation Transcript

    • OSSEC Log and event management the open source way ...
    • Introduction • Me (thx 4 the nice intro, maltego me) • Bull (not the bovine kind ...) • Eurotrash information security podcast • Brucon, Excaliburcon, FOSDEM, ...
    • Agenda • Logging 101 (what, how, why, ...) • OSSEC technical overview • break • OSSEC installation and configuration • OSSEC rules • OSSEC event management
    • Logging : what ? • Users • Systems • Network • Databases • Applications • .....
    • Logging: from ? Firewalls,VPN, IDS/IPS, routers, switches, ... Servers, workstations, virtualisation, UPS, ... anti-malware, applications, databases, ...
    • Logging : Why ? • System Monitoring (performance, management, troubleshooting, ...) • Compliance (regulatory, audit, internal policy, ...) • Incident Handling, Forensics, ...
    • Compliance: PCI DSS
      • 6.4 Follow change control procedures for all changes to system components
      • 10. Track and monitor all access to network resources and cardholder data
      • 12. Maintain a policy that addresses information security for all employees and contractors
    • The Problem • There is NO standard !! • There is NO guidance !! • There is NO Consistency !!
    • Babel be thy name
    • We need to agree upon... • Format What does a log message look like ? • Content What do we put in a log message ? • Transport How do we send it ? • Guidelines How do we approach logging ? (ex. NIST 800-92)
    • It’s time for a standard !
    • not Syslog • RFC 3164 (08/2001) : BSD Syslog Protocol • It uses UDP • It’s a garbage bin • it’s a non-standard standard
    • Syslog Hell ! • Jun 11 03:06:38 (none) login [3432] : ROOT LOGIN on `tty1` • Jan 19 22:52:56 LT1 gdm-session-worker[1659]: pam_unix (gdm:session): session opened for user wim by (uid=0) • Jan 4 09:38:10 LT1 su[3510]: pam_unix(su:session): session opened for user root by wim (uid=1000)
    • Syslog Hell !! • <57> Jan 10 12:10:34:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:frodo] [Source: 192.168.10.254] [localport:23] at ... • <13> Jan 18 10:15:45 2009 680 Security SYSTEM User Failure Audit ENTERPRISE ...
    • Can I continue ? • Jan 19 20:12:56 LT1 mycrappyapp [3526]: I’m the awesome programmer behind this crappy app and since you asked me to log something I’ve chosen to use syslog to dump all this meaningless events in here so you will still have to call and pay me to get the bugs that I left in there because I was surfing the internet instead of working for you solved. Eat that! And BTW, my app crashed for no apparent reason. kthxbai !
    • I promise to stop • Feb 24 15:10:24 server transact [5402]: user geoff transferred 500 dollars using credit card # XXX • Apr 1 10:14:28 server MEDIC [6420]: user kathy logged in to module patient using password selma1970
    • Then what ? • IDMEF (by IETF) • XML based • Complex • Not widely adopted • Academic • WELF (by Webtrends) • Proprietary • didn’t scale
    • NEXT ! • CBE (by IBM) • also XML based • IBM didn’t even use it !
    • The future ?
      • Event Taxonomy: standard terminology
      • Log Syntax: consistent data elements and format
      • Log Transport: standard communications mechanisms
      • Log Recommendations: suggested events to log
    • OSSEC
    • Definition OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
    • SIEM (commercial)
    • Key Facts • 2005 • Daniel Cid • Third Brigade • TrendMicro
    • Install Modes
      • Local: single client; Windows, AIX, Solaris, HP-UX, Linux
      • Server: central logging point (250 clients/server); AIX, Solaris, HP-UX, Linux
      • Client: reports to server; Windows, AIX, Solaris, HP-UX, Linux
    • Architecture (diagram slides: syslog sources, virtualisation hosts and a SIEM feeding into / out of the OSSEC server)
    • OSSEC Components: Agent (logcollector) → zlib-compressed, Blowfish-encrypted UDP 1514 → Server (ossec-analysisd, ossec-maild, ossec-execd)
    • Time For a break
    • ossec-analysisd: Predecoding → Decoding → Analysis
    • Predecoding • Feb 24 10:12:23 beijing appdaemon:stopped
      time/date: Feb 24 10:12:23
      Hostname: beijing
      Program_name: appdaemon
      Log: stopped
    • Predecoding • Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10
      time/date: Feb 25 12:00:47
      Hostname: beijing
      Program_name: appdaemon
      Log: user john logged on from 10.10.10.10
    • Decoding • Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10
      time/date: Feb 25 12:00:47
      Hostname: beijing
      Program_name: appdaemon
      Log: user john logged on from 10.10.10.10
      srcip: 10.10.10.10
      user: john
    • Analysis
      <rule id="666" level="0">
        <decoded_as>appdaemon</decoded_as>
        <description>appdaemon rule</description>
      </rule>
      <rule id="766" level="5">
        <if_sid>666</if_sid>
        <match>^logged on</match>
        <description>successful logon</description>
      </rule>
    • Analysis
      <rule id="866" level="7">
        <if_sid>766</if_sid>
        <hostname>^beijing</hostname>
        <srcip>!192.168.10.0/24</srcip>
        <description>unauthorized logon!</description>
      </rule>
      <rule id="966" level="13">
        <if_sid>766</if_sid>
        <hostname>^shanghai</hostname>
        <user>!john</user>
        <description>unauthorised logon !</description>
      </rule>
    • Analysis (rule tree): 666 → 766 → 866, 966
    • Analysis
      <rule id="1066" level="7">
        <if_sid>666</if_sid>
        <match>^login failed</match>
        <description>failed login !</description>
      </rule>
      <rule id="1166" level="9" frequency="10" timeframe="100">
        <if_matched_sid>1066</if_matched_sid>
        <same_source_ip />
        <description>Probable Brute Force !</description>
      </rule>
    • Analysis (rule tree): 666 → 766 → 866, 966; 666 → 1066 → 1166
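    The predecoding → decoding → rule-tree analysis of the slides above, as an added Python model (not OSSEC's code and not from the presenter): it runs the slides' rules 666 to 1166 over constructed appdaemon log lines and shows which rule fires for each, including the frequency/timeframe brute-force rule. The hosts, users and IPs in EVENTS are hypothetical, and the rule dicts are a simplified rendering of the slide XML.

```python
import re; from ipaddress import ip_address, ip_network
# Constructed sample events in the slides' format (hypothetical hosts and IPs, not real log data).
EVENTS = ["Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10",
          "Feb 25 12:00:48 shanghai appdaemon:user mallory logged on from 192.168.10.7"] + [
          f"Feb 25 12:01:{s:02d} beijing appdaemon:login failed for user bob from 10.10.10.10" for s in range(10)]
SYSLOG = re.compile(r"^(\w{3} +\d+ (\d\d):(\d\d):(\d\d)) (\S+) ([^:\[]+)(?:\[\d+\])?:\s*(.*)$")
APPDAEMON = re.compile(r"user (\S+).* from (\S+)")
# The slides' rules 666..1166 as dicts; the '^' anchors are dropped since a substring match suffices here.
RULES = [dict(id=666, level=0, decoded_as="appdaemon"),
         dict(id=766, level=5, if_sid=666, match="logged on"),
         dict(id=866, level=7, if_sid=766, hostname="beijing", srcip_not="192.168.10.0/24"),
         dict(id=966, level=13, if_sid=766, hostname="shanghai", user_not="john"),
         dict(id=1066, level=7, if_sid=666, match="login failed"),
         dict(id=1166, level=9, if_matched_sid=1066, frequency=10, timeframe=100)]  # + same_source_ip
_history = {}  # parent rule id -> [(seconds, srcip)] of its matches, used by frequency rules

def predecode(line):  # 'Predecoding' slide: timestamp, hostname, program_name, log (+ seconds for timeframe)
    m = SYSLOG.match(line)
    return dict(timestamp=m[1], secs=int(m[2]) * 3600 + int(m[3]) * 60 + int(m[4]), hostname=m[5], program_name=m[6], log=m[7])

def decode(ev):  # 'Decoding' slide: the appdaemon decoder adds user and srcip
    if ev["program_name"] == "appdaemon" and (m := APPDAEMON.search(ev["log"])):
        ev.update(user=m[1], srcip=m[2])
    return ev

def rule_matches(r, ev):  # per-rule conditions from the slides; *_not are the '!' negations
    if "decoded_as" in r and ev["program_name"] != r["decoded_as"]: return False
    if "match" in r and r["match"] not in ev["log"]: return False
    if "hostname" in r and not ev["hostname"].startswith(r["hostname"]): return False
    if "user_not" in r and ev.get("user", r["user_not"]) == r["user_not"]: return False
    if "srcip_not" in r and ("srcip" not in ev or ip_address(ev["srcip"]) in ip_network(r["srcip_not"])): return False
    return True

def analyze(ev):
    """Walk the rule tree as the 'Analysis' slides draw it: an if_sid child is tried only after its parent
    matched and the deepest match wins; an if_matched_sid rule fires once the parent has matched
    'frequency' times from the same srcip within 'timeframe' seconds (same_source_ip)."""
    def deepest(parent):  # best match among rules whose parent is `parent` (None = top level)
        hit = None
        for r in RULES:
            if r.get("if_sid") == parent and "if_matched_sid" not in r and rule_matches(r, ev):
                hit = deepest(r["id"]) or r
            elif "if_matched_sid" in r and r["if_matched_sid"] == parent:  # composite rule
                hist = _history.setdefault(parent, []); hist.append((ev["secs"], ev.get("srcip")))
                recent = [h for h in hist if h[1] == ev.get("srcip") and ev["secs"] - h[0] <= r["timeframe"]]
                if len(recent) >= r["frequency"]: hit = r
        return hit
    best = deepest(None)
    return (best["id"], best["level"]) if best else None

def run(lines=EVENTS):  # (rule id, level) that fired for each line, in order
    _history.clear()
    return [analyze(decode(predecode(l))) for l in lines]
```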
    • ossec.conf
      <command>
        <name>host-deny</name>
        <executable>host-deny.sh</executable>
        <expect>srcip</expect>
        <timeout_allowed>yes</timeout_allowed>
      </command>
      <active-response>
        <command>host-deny</command>  <!-- must be the <name> of a defined <command> -->
        <location>local</location>
        <rules_id>1166</rules_id>
        <timeout>600</timeout>
      </active-response>
    • ossec.conf syscheck
      <syscheck>
        <!-- Frequency that syscheck is executed - default to every 22 hours -->
        <frequency>79200</frequency>
        <!-- Directories to check (perform all possible verifications) -->
        <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
        <directories check_all="yes">/bin,/sbin</directories>
        <!-- Files/directories to ignore -->
        <ignore>/etc/mtab</ignore>
        <ignore>/etc/mnttab</ignore>
        <ignore>/etc/hosts.deny</ignore>
        ...
      </syscheck>
    • ossec.conf rootcheck
      <rootcheck>
        <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
        <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
        <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
        <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
        <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
        <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
      </rootcheck>
    • ossec.conf varia
      <ossec_config>
        <alerts>
          <log_alert_level>1</log_alert_level>
        </alerts>
        <localfile>
          <log_format>syslog</log_format>
          <location>/var/log/secure.log</location>
        </localfile>
        <!-- rules global entry -->
        <rules>
          <include>rules_config.xml</include>
          <include>pam_rules.xml</include>
          <include>sshd_rules.xml</include>
          <include>telnetd_rules.xml</include>
          ...
        </rules>
      </ossec_config>
    • Management (/var/ossec/bin/)
      • ossec-control stop|start|restart
      • manage_agents: on the server, manage agent keys; on the client, import the key
    • Management
      • agent_control -lc
      • agent_control -i [id]
      • agent_control -R [id]
      • agent_control -r -a
      • agent_control -r -i [id]
    • Management
      • syscheck_control -lc
      • syscheck_control -i [id]
      • syscheck_control -i [id] -f [file]
    • Centralized Management: /var/ossec/etc/shared/agent.conf
      • distributed to all agents, pushed by the server
      • specify config per client id or per OS
      • same syntax as ossec.conf
    • Rolling out: Deploy → Customize → Monitor → Analyze
    • Thank you ! wim.remes@bull.be +32 495 58 59 12 http://www.twitter.com/wimremes wim@eurotrashsecurity.eu www.eurotrashsecurity.eu (itunes) http://www.ossec.net http://www.slideshare.net/anton_chuvakin