• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Ossec Lightning
 

Ossec Lightning

on

  • 2,153 views

A lightning talk prepared for www.brucon.org on the open source host-based intrusion detection system OSSEC (http://www.ossec.net)

A lightning talk prepared for www.brucon.org on the open source host-based intrusion detection system OSSEC (http://www.ossec.net)

Statistics

Views

Total Views
2,153
Views on SlideShare
2,147
Embed Views
6

Actions

Likes
1
Downloads
27
Comments
0

3 Embeds 6

http://www.slideshare.net 3
https://www.linkedin.com 2
http://www.linkedin.com 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Ossec Lightning Ossec Lightning Presentation Transcript

    • Introduction
    • What Host-based intrusion detection Log analysis System Integrity Rootkit checking Open Source Awesomeness !
    • X-Platform Windows NT,XP,2k,2k3,Vista,2008 Linux AIX Solaris HP-UX And any system that can produce syslog !
    • Basic Architecture UDP Encrypted Compressed Client Server Log Collection Log Analysis Alerting
    • Also ... Syslog Client Server Log Collection Log Analysis Alerting
    • Log Analysis PRE-DECODING DECODING ANALYSIS
    • An Example (1) PRE-DECODING Feb 24 10:12:23 beijing appdaemon:stopped time/date : Feb 24 10:12:23 Hostname : beijing Program_name : appdaemon Log : stopped
    • An Example (2) PRE-DECODING Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10 time/date : Feb 24 10:12:23 Hostname : beijing Program_name : appdaemon Log : user john logged on from 10.10.10.10
    • An Example (3) DECODING Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10 time/date : Feb 24 10:12:23 Hostname : beijing Program_name : appdaemon Log : user john logged on from 10.10.10.10 Srcip : 10.10.10.10 User : john
    • An Example (4) ANALYSIS <rule id=666 level=”0”> <decoded_as>appdaemon</decoded_as> <description>appdaemon rule</description> </rule> <rule id=”766” level=”5”> <if_sid>666</if_sid> <match>^logged on</match> <description>succesful logon</description> </rule>
    • An Example (4) ANALYSIS <rule id=866 level=”7”> <if_sid>766</if_sid> <hostname>^beijing</hostname> <srcip>!192.168.10.0/24</srcip> <description>unauthorized logon!</description> </rule> <rule id=”966” level=”13”> <if_sid>766</if_sid> <hostname>^shanghai</hostname> <user>!john</user> <description>unauthorised logon !</description> </rule>
    • The Ruletree ANALYSIS 666 766 866 966
    • Advanced rule options ANALYSIS <rule id=1066 level=”7”> <if_sid>666</if_sid> <match>^login failed</hostname> <description>failed login !</description> </rule> <rule id=”1166” level=”9” frequency=”10” timeframe=”100”> <if_matched_sid>1066</if_matched_sid> <same_source_ip /> <description>Probable Brute Force !</description> </rule>
    • http://www.ossec.net #ossec on irc.freenode.net @danielcid on twitter ← not me!