Ossec Lightning

A lightning talk prepared for www.brucon.org on the open source host-based intrusion detection system OSSEC (http://www.ossec.net)

Published in: Technology, Education

Transcript of "Ossec Lightning"

  1. Introduction

  2. What
     Host-based intrusion detection
     Log analysis
     System Integrity
     Rootkit checking
     Open Source Awesomeness!

  3. X-Platform
     Windows NT, XP, 2k, 2k3, Vista, 2008
     Linux
     AIX
     Solaris
     HP-UX
     And any system that can produce syslog!

  4. Basic Architecture
     Client --(UDP, Encrypted, Compressed)--> Server
     Server: Log Collection, Log Analysis, Alerting

  5. Also ...
     Client --(Syslog)--> Server
     Server: Log Collection, Log Analysis, Alerting

  6. Log Analysis
     PRE-DECODING -> DECODING -> ANALYSIS

  7. An Example (1): PRE-DECODING
     Feb 24 10:12:23 beijing appdaemon:stopped

     time/date    : Feb 24 10:12:23
     Hostname     : beijing
     Program_name : appdaemon
     Log          : stopped

  8. An Example (2): PRE-DECODING
     Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10

     time/date    : Feb 24 10:12:23
     Hostname     : beijing
     Program_name : appdaemon
     Log          : user john logged on from 10.10.10.10

  9. An Example (3): DECODING
     Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10

     time/date    : Feb 24 10:12:23
     Hostname     : beijing
     Program_name : appdaemon
     Log          : user john logged on from 10.10.10.10
     Srcip        : 10.10.10.10
     User         : john

 10. An Example (4): ANALYSIS
     <rule id="666" level="0">
       <decoded_as>appdaemon</decoded_as>
       <description>appdaemon rule</description>
     </rule>
     <rule id="766" level="5">
       <if_sid>666</if_sid>
       <match>^logged on</match>
       <description>successful logon</description>
     </rule>

 11. An Example (4): ANALYSIS
     <rule id="866" level="7">
       <if_sid>766</if_sid>
       <hostname>^beijing</hostname>
       <srcip>!192.168.10.0/24</srcip>
       <description>unauthorized logon!</description>
     </rule>
     <rule id="966" level="13">
       <if_sid>766</if_sid>
       <hostname>^shanghai</hostname>
       <user>!john</user>
       <description>unauthorised logon!</description>
     </rule>

 12. The Ruletree: ANALYSIS
     666
       766
         866
         966

 13. Advanced rule options: ANALYSIS
     <rule id="1066" level="7">
       <if_sid>666</if_sid>
       <match>^login failed</match>
       <description>failed login!</description>
     </rule>
     <rule id="1166" level="9" frequency="10" timeframe="100">
       <if_matched_sid>1066</if_matched_sid>
       <same_source_ip />
       <description>Probable Brute Force!</description>
     </rule>

 14. http://www.ossec.net
     #ossec on irc.freenode.net
     @danielcid on twitter ← not me!
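An added worked example, not from the slides or from the OSSEC project: a small Python model of the three stages shown in the transcript (pre-decoding, decoding, analysis), running the slides' rules 666 to 1166 over constructed log lines. It covers the parent/child if_sid chaining, the negated hostname/srcip/user tests, and the frequency/timeframe/same_source_ip correlation of rule 1166; all function and variable names are mine, and the real OSSEC engine (written in C) differs in matching details.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

SYSLOG = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^:]+):(.*)$")
# The slides' rule tree: if_sid names the parent, '!' negates a field test, and 1166 fires once 1066
# matched 'frequency' times within 'timeframe' seconds from one srcip (<same_source_ip/>).
# Assumption: the slides' '^' anchors on match are dropped, since their sample log starts with "user john".
RULES = {666: dict(level=0, decoded_as="appdaemon"),
         766: dict(level=5, if_sid=666, match="logged on"),
         866: dict(level=7, if_sid=766, hostname="^beijing", srcip="!192.168.10.0/24"),
         966: dict(level=13, if_sid=766, hostname="^shanghai", user="!john"),
         1066: dict(level=7, if_sid=666, match="login failed"),
         1166: dict(level=9, if_matched_sid=1066, frequency=10, timeframe=100)}
def pre_decode(line):  # PRE-DECODING: split a syslog line into time/date, hostname, program_name, log
    t, host, prog, log = SYSLOG.match(line).groups()
    return {"time": datetime.strptime(t, "%b %d %H:%M:%S"), "hostname": host, "decoded_as": prog, "log": log}
def decode(ev):  # DECODING: the appdaemon decoder pulls user and srcip out of the free-text log part
    for field, pat in (("user", r"user (\S+)"), ("srcip", r"from (\S+)")):
        if m := re.search(pat, ev["log"]):
            ev[field] = m.group(1)
    return ev
def field_ok(pattern, value, cidr):  # regex (CIDR for srcip) test on a field; '!' inverts; missing never passes
    neg, pat = pattern.startswith("!"), pattern.lstrip("!")
    hit = value is not None and (ip_address(value) in ip_network(pat) if cidr else re.match(pat, value) is not None)
    return value is not None and hit != neg
def analyse(ev, state):  # ANALYSIS: walk the tree parents-first; return the highest-level rule id that fired
    fired, best = set(), None
    for rid, r in RULES.items():
        if "if_sid" in r and r["if_sid"] not in fired: continue
        if "decoded_as" in r and ev["decoded_as"] != r["decoded_as"]: continue
        if "match" in r and not re.search(r["match"], ev["log"]): continue
        if any(f in r and not field_ok(r[f], ev.get(f), f == "srcip") for f in ("hostname", "user", "srcip")): continue
        if "if_matched_sid" in r:  # frequency rule: sliding window of hit times per (rule, srcip)
            if r["if_matched_sid"] not in fired: continue
            hits = state[(rid, ev.get("srcip"))]
            hits.append(ev["time"])
            while (ev["time"] - hits[0]).total_seconds() > r["timeframe"]: hits.popleft()
            if len(hits) < r["frequency"]: continue
        fired.add(rid)
        if best is None or r["level"] > RULES[best]["level"]: best = rid
    return best
def run(lines):  # feed log lines through all three stages; return the alerting rule id per line
    state = defaultdict(deque)
    return [analyse(decode(pre_decode(line)), state) for line in lines]

# Constructed sample: the slides' two logons, then ten failed logins from one IP within ten seconds.
SAMPLE = ["Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10",
          "Feb 25 12:00:48 shanghai appdaemon:user mallory logged on from 192.168.10.5"]
SAMPLE += [f"Feb 25 12:01:{i:02d} beijing appdaemon:login failed from 10.10.10.99" for i in range(10)]
```

Running `run(SAMPLE)` yields 866 for john's logon from outside 192.168.10.0/24, 966 for a non-john logon on shanghai, 1066 for each failed login and 1166 on the tenth failure from the same source; spreading the failures over more than 100 seconds, or across several source IPs, keeps 1166 quiet.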