Ossec Lightning

A lightning talk prepared for www.brucon.org on the open source host-based intrusion detection system OSSEC (http://www.ossec.net)

  1. Introduction
  2. What: host-based intrusion detection, log analysis, system integrity, rootkit checking, open source awesomeness!
  3. X-Platform: Windows NT, XP, 2k, 2k3, Vista, 2008; Linux; AIX; Solaris; HP-UX; and any system that can produce syslog!
  4. Basic Architecture: client to server over UDP, encrypted and compressed; the server does log collection, log analysis and alerting.
  5. Also ...: plain syslog from client to server, with log collection, log analysis and alerting again on the server.
  6. Log Analysis: three stages, PRE-DECODING, DECODING, ANALYSIS.
  7. An Example (1), PRE-DECODING. Input: Feb 24 10:12:23 beijing appdaemon:stopped
     time/date: Feb 24 10:12:23
     Hostname: beijing
     Program_name: appdaemon
     Log: stopped
  8. An Example (2), PRE-DECODING. Input: Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10
     time/date: Feb 25 12:00:47
     Hostname: beijing
     Program_name: appdaemon
     Log: user john logged on from 10.10.10.10
  9. An Example (3), DECODING. Input: Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10
     time/date: Feb 25 12:00:47
     Hostname: beijing
     Program_name: appdaemon
     Log: user john logged on from 10.10.10.10
     Srcip: 10.10.10.10
     User: john
  10. An Example (4), ANALYSIS:
      <rule id="666" level="0">
        <decoded_as>appdaemon</decoded_as>
        <description>appdaemon rule</description>
      </rule>
      <rule id="766" level="5">
        <if_sid>666</if_sid>
        <match>^logged on</match>
        <description>successful logon</description>
      </rule>
  11. An Example (5), ANALYSIS:
      <rule id="866" level="7">
        <if_sid>766</if_sid>
        <hostname>^beijing</hostname>
        <srcip>!192.168.10.0/24</srcip>
        <description>unauthorized logon!</description>
      </rule>
      <rule id="966" level="13">
        <if_sid>766</if_sid>
        <hostname>^shanghai</hostname>
        <user>!john</user>
        <description>unauthorised logon!</description>
      </rule>
  12. The Ruletree, ANALYSIS: 666 is the root; 766 hangs below it; 866 and 966 both hang below 766.
  13. Advanced rule options, ANALYSIS:
      <rule id="1066" level="7">
        <if_sid>666</if_sid>
        <match>^login failed</match>
        <description>failed login!</description>
      </rule>
      <rule id="1166" level="9" frequency="10" timeframe="100">
        <if_matched_sid>1066</if_matched_sid>
        <same_source_ip />
        <description>Probable Brute Force!</description>
      </rule>
  14. http://www.ossec.net; #ossec on irc.freenode.net; @danielcid on twitter (not me!)
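The three stages from the slides (pre-decoding, decoding, ruletree analysis including the frequency rule) as a small Python model, added here as an example; it is not OSSEC code or the speaker's. It reuses the talk's rule ids and sample lines, but the "login failed from <ip>" message, the substring semantics of `match`, the "deepest firing rule wins" alert selection and the whole `LOGS` list are constructed assumptions.

```python
import re, ipaddress
from collections import defaultdict, deque
from datetime import datetime
# Constructed sample events in the style of the talk's log lines (the 'login failed' format is made up).
LOGS = ["Feb 24 10:12:23 beijing appdaemon:stopped",
        "Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10",
        "Feb 25 12:01:03 shanghai appdaemon:user mallory logged on from 192.168.10.7"] + [
        "Feb 25 12:02:%02d beijing appdaemon:login failed from 10.10.10.99" % s for s in range(10)]
SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^:]+):\s*(.*)$")
# The talk's ruletree (666 -> 766 -> 866/966 and 666 -> 1066 -> 1166) as dicts. 'match' is a
# substring test on the log field; not_srcip / not_user model OSSEC's '!' negation.
RULES = [dict(id=666, level=0, decoded_as="appdaemon"),
         dict(id=766, level=5, if_sid=666, match="logged on"),
         dict(id=866, level=7, if_sid=766, hostname="beijing", not_srcip="192.168.10.0/24"),
         dict(id=966, level=13, if_sid=766, hostname="shanghai", not_user="john"),
         dict(id=1066, level=7, if_sid=666, match="login failed"),
         dict(id=1166, level=9, if_matched_sid=1066, frequency=10, timeframe=100)]
history = defaultdict(deque)  # (rule id, srcip) -> times of earlier parent matches (same_source_ip)

def decode(line):  # PRE-DECODING splits the syslog header; DECODING pulls user/srcip out of the log
    m = SYSLOG_RE.match(line)
    if not m: return None
    ts, host, prog, log = m.groups()
    ev = {"time": datetime.strptime(ts, "%b %d %H:%M:%S"), "hostname": host, "program_name": prog, "log": log}
    if prog == "appdaemon":  # the appdaemon decoder
        ev["decoded_as"] = "appdaemon"
        if m := re.search(r"from (\S+)$", log): ev["srcip"] = m.group(1)
        if m := re.match(r"user (\S+) ", log): ev["user"] = m.group(1)
    return ev

def analyze(ev):  # ANALYSIS: walk the ruletree in order; the deepest rule that fires is the alert
    fired, alert = set(), None
    for r in RULES:
        if "decoded_as" in r and ev.get("decoded_as") != r["decoded_as"]: continue
        if "if_sid" in r and r["if_sid"] not in fired: continue
        if "match" in r and r["match"] not in ev["log"]: continue
        if "hostname" in r and not ev["hostname"].startswith(r["hostname"]): continue
        if "not_srcip" in r and ("srcip" not in ev or
                ipaddress.ip_address(ev["srcip"]) in ipaddress.ip_network(r["not_srcip"])): continue
        if "not_user" in r and ev.get("user", r["not_user"]) == r["not_user"]: continue
        if "if_matched_sid" in r:  # composite rule: 'frequency' parent hits within 'timeframe' seconds
            if r["if_matched_sid"] not in fired: continue
            q = history[(r["id"], ev.get("srcip"))]; q.append(ev["time"])  # one window per source ip
            while (ev["time"] - q[0]).total_seconds() > r["timeframe"]: q.popleft()
            if len(q) < r["frequency"]: continue
        fired.add(r["id"]); alert = r
    return alert

def run(lines):  # (rule id, level) for each line whose final alert is above level 0
    history.clear()
    return [(r["id"], r["level"]) for r in map(analyze, filter(None, map(decode, lines))) if r and r["level"] > 0]
```

Running `run(LOGS)` yields the level-7 alert from rule 866 for john's logon, the level-13 alert from rule 966 for mallory's logon on shanghai, nine level-7 hits from rule 1066 and then the level-9 brute-force alert from rule 1166 on the tenth failure from the same source.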
