Ossec Lightning
A lightning talk prepared for www.brucon.org on the open source host-based intrusion detection system OSSEC (http://www.ossec.net)
Transcript

  • 1. Introduction
  • 2. What
      Host-based intrusion detection
      Log analysis
      System integrity
      Rootkit checking
      Open source awesomeness!
  • 3. X-Platform
      Windows NT, XP, 2k, 2k3, Vista, 2008
      Linux
      AIX
      Solaris
      HP-UX
      And any system that can produce syslog!
  • 4. Basic Architecture
      Client (log collection)  --UDP, encrypted, compressed-->  Server (log analysis, alerting)
  • 5. Also ...
      Syslog client (log collection)  --syslog-->  Server (log analysis, alerting)
  • 6. Log Analysis
      PRE-DECODING -> DECODING -> ANALYSIS
  • 7. An Example (1): PRE-DECODING
      Feb 24 10:12:23 beijing appdaemon:stopped
        time/date    : Feb 24 10:12:23
        Hostname     : beijing
        Program_name : appdaemon
        Log          : stopped
  • 8. An Example (2): PRE-DECODING
      Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10
        time/date    : Feb 25 12:00:47
        Hostname     : beijing
        Program_name : appdaemon
        Log          : user john logged on from 10.10.10.10
  • 9. An Example (3): DECODING
      Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10
        time/date    : Feb 25 12:00:47
        Hostname     : beijing
        Program_name : appdaemon
        Log          : user john logged on from 10.10.10.10
        Srcip        : 10.10.10.10
        User         : john
  • 10. An Example (4): ANALYSIS
      <rule id="666" level="0">
        <decoded_as>appdaemon</decoded_as>
        <description>appdaemon rule</description>
      </rule>
      <rule id="766" level="5">
        <if_sid>666</if_sid>
        <match>^logged on</match>
        <description>successful logon</description>
      </rule>
  • 11. An Example (4): ANALYSIS
      <rule id="866" level="7">
        <if_sid>766</if_sid>
        <hostname>^beijing</hostname>
        <srcip>!192.168.10.0/24</srcip>
        <description>unauthorized logon!</description>
      </rule>
      <rule id="966" level="13">
        <if_sid>766</if_sid>
        <hostname>^shanghai</hostname>
        <user>!john</user>
        <description>unauthorised logon!</description>
      </rule>
  • 12. The Ruletree: ANALYSIS
      666
       +-- 766
            +-- 866
            +-- 966
  • 13. Advanced rule options: ANALYSIS
      <rule id="1066" level="7">
        <if_sid>666</if_sid>
        <match>^login failed</match>
        <description>failed login!</description>
      </rule>
      <rule id="1166" level="9" frequency="10" timeframe="100">
        <if_matched_sid>1066</if_matched_sid>
        <same_source_ip />
        <description>Probable Brute Force!</description>
      </rule>
  • 14. http://www.ossec.net
      #ossec on irc.freenode.net
      @danielcid on twitter ← not me!
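The three stages from slides 6 to 13 (pre-decoding, decoding, rule-tree analysis with a frequency rule) as one runnable example. This is an added illustration, not OSSEC's own code: the appdaemon decoder regexes are hypothetical, the shanghai logon and the ten failed-login lines are constructed, and rule 766 is written as "logged on" without the ^ anchor because OSSEC's ^ means "begins with" and the decoded log on slide 9 begins with "user ...".

```python
"""Toy re-implementation of the OSSEC pipeline shown in the slides:
PRE-DECODING -> DECODING -> ANALYSIS over a rule tree, including a
frequency/timeframe rule. Added teaching example, not OSSEC's own code."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the slides' two appdaemon lines plus a constructed
# logon on shanghai and ten constructed failed logins from one source IP.
SAMPLE_LOGS = [
    "Feb 24 10:12:23 beijing appdaemon:stopped",
    "Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10",
    "Feb 25 12:01:02 shanghai appdaemon:user alice logged on from 192.168.10.7",
] + [
    f"Feb 25 12:02:{s:02d} beijing appdaemon:login failed for user root from 10.10.10.99"
    for s in range(10)
]

# 1. PRE-DECODING: split the syslog header into time, hostname, program name, log.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^:\[ ]+)(?:\[\d+\])?:\s*(?P<log>.*)$"
)

def predecode(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"time": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # syslog has no year
            "hostname": m["host"], "program_name": m["prog"], "log": m["log"]}

# 2. DECODING: hypothetical appdaemon decoder; regexes pull out srcip and user.
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
DECODERS = {"appdaemon": [
    re.compile(rf"^user (?P<user>\S+) logged on from (?P<srcip>{IP})$"),
    re.compile(rf"^login failed for user (?P<user>\S+) from (?P<srcip>{IP})$"),
]}

def decode(event):
    for rx in DECODERS.get(event["program_name"], []):
        m = rx.match(event["log"])
        if m:
            event.update(m.groupdict())
            break
    return event

# 3. ANALYSIS: the slides' rules 666..1166 as dicts.
RULES = [
    {"id": 666, "level": 0, "decoded_as": "appdaemon", "description": "appdaemon rule"},
    {"id": 766, "level": 5, "if_sid": 666, "match": "logged on", "description": "successful logon"},
    {"id": 866, "level": 7, "if_sid": 766, "hostname": "^beijing", "srcip": "!192.168.10.0/24",
     "description": "unauthorized logon!"},
    {"id": 966, "level": 13, "if_sid": 766, "hostname": "^shanghai", "user": "!john",
     "description": "unauthorised logon!"},
    {"id": 1066, "level": 7, "if_sid": 666, "match": "^login failed", "description": "failed login!"},
    {"id": 1166, "level": 9, "if_matched_sid": 1066, "frequency": 10, "timeframe": 100,
     "same_source_ip": True, "description": "Probable Brute Force!"},
]

def field_ok(pattern, value, field):
    """OSSEC-style field test: leading '!' negates, leading '^' means 'begins with',
    a CIDR in srcip is a network-membership test, anything else is a substring."""
    if value is None:
        return False
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    if field == "srcip" and "/" in pattern:
        hit = ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
    elif pattern.startswith("^"):
        hit = value.startswith(pattern[1:])
    else:
        hit = pattern in value
    return hit != negate

class RuleTree:
    def __init__(self, rules):
        self.roots, self.children = [], defaultdict(list)
        for r in rules:   # if_sid / if_matched_sid hang a rule under its parent
            parent = r.get("if_sid", r.get("if_matched_sid"))
            (self.roots if parent is None else self.children[parent]).append(r)
        self.history = defaultdict(list)   # rule id -> [(time, srcip)] for frequency rules

    def matches(self, rule, ev):
        if "decoded_as" in rule and ev["program_name"] != rule["decoded_as"]:
            return False
        for f in ("match", "hostname", "srcip", "user"):
            if f in rule and not field_ok(rule[f], ev.get("log" if f == "match" else f), f):
                return False
        if "if_matched_sid" in rule:   # frequency rule: N parent hits inside timeframe
            hits = [t for t, ip in self.history[rule["if_matched_sid"]]
                    if (ev["time"] - t).total_seconds() <= rule["timeframe"]
                    and (not rule.get("same_source_ip") or ip == ev.get("srcip"))]
            if len(hits) < rule["frequency"]:
                return False
        return True

    def analyze(self, ev):
        """Walk the tree; the deepest matching rule with the highest level wins.
        Level 0 means 'matched, ignore', so it produces no alert."""
        best = None
        def walk(rule):
            nonlocal best
            if not self.matches(rule, ev):
                return
            self.history[rule["id"]].append((ev["time"], ev.get("srcip")))
            if best is None or rule["level"] >= best["level"]:
                best = rule
            for child in self.children[rule["id"]]:
                walk(child)
        for root in self.roots:
            walk(root)
        return None if best is None or best["level"] == 0 else best

def run(lines, rules=RULES):
    """Feed lines through the three stages; return (rule id, level, description) per alert."""
    tree = RuleTree(rules)
    alerts = []
    for line in lines:
        ev = predecode(line)
        if ev is not None:
            rule = tree.analyze(decode(ev))
            if rule:
                alerts.append((rule["id"], rule["level"], rule["description"]))
    return alerts

if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print("rule %d level %d: %s" % alert)
```

Running it shows the slide's walk through the tree: the "stopped" line only reaches rule 666 (level 0, no alert), john's logon on beijing from 10.10.10.10 falls through 766 to 866 because the source is outside 192.168.10.0/24, alice on shanghai hits 966, and the tenth failed login from 10.10.10.99 within the 100-second window escalates from 1066 to the frequency rule 1166.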