Ossec Lightning

  • 1,367 views
Uploaded on

A lightning talk prepared for www.brucon.org on the open source host-based intrusion detection system OSSEC (http://www.ossec.net)

A lightning talk prepared for www.brucon.org on the open source host-based intrusion detection system OSSEC (http://www.ossec.net)

More in: Technology , Education
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
1,367
On Slideshare
0
From Embeds
0
Number of Embeds
2

Actions

Shares
Downloads
33
Comments
0
Likes
2

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Introduction
  • 2. What Host-based intrusion detection Log analysis System Integrity Rootkit checking Open Source Awesomeness !
  • 3. X-Platform Windows NT,XP,2k,2k3,Vista,2008 Linux AIX Solaris HP-UX And any system that can produce syslog !
  • 4. Basic Architecture UDP Encrypted Compressed Client Server Log Collection Log Analysis Alerting
  • 5. Also ... Syslog Client Server Log Collection Log Analysis Alerting
  • 6. Log Analysis PRE-DECODING DECODING ANALYSIS
  • 7. An Example (1) PRE-DECODING Feb 24 10:12:23 beijing appdaemon:stopped time/date : Feb 24 10:12:23 Hostname : beijing Program_name : appdaemon Log : stopped
  • 8. An Example (2) PRE-DECODING Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10 time/date : Feb 24 10:12:23 Hostname : beijing Program_name : appdaemon Log : user john logged on from 10.10.10.10
  • 9. An Example (3) DECODING Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10 time/date : Feb 24 10:12:23 Hostname : beijing Program_name : appdaemon Log : user john logged on from 10.10.10.10 Srcip : 10.10.10.10 User : john
  • 10. An Example (4) ANALYSIS <rule id=666 level=”0”> <decoded_as>appdaemon</decoded_as> <description>appdaemon rule</description> </rule> <rule id=”766” level=”5”> <if_sid>666</if_sid> <match>^logged on</match> <description>succesful logon</description> </rule>
  • 11. An Example (4) ANALYSIS <rule id=866 level=”7”> <if_sid>766</if_sid> <hostname>^beijing</hostname> <srcip>!192.168.10.0/24</srcip> <description>unauthorized logon!</description> </rule> <rule id=”966” level=”13”> <if_sid>766</if_sid> <hostname>^shanghai</hostname> <user>!john</user> <description>unauthorised logon !</description> </rule>
  • 12. The Ruletree ANALYSIS 666 766 866 966
  • 13. Advanced rule options ANALYSIS <rule id=1066 level=”7”> <if_sid>666</if_sid> <match>^login failed</hostname> <description>failed login !</description> </rule> <rule id=”1166” level=”9” frequency=”10” timeframe=”100”> <if_matched_sid>1066</if_matched_sid> <same_source_ip /> <description>Probable Brute Force !</description> </rule>
  • 14. http://www.ossec.net #ossec on irc.freenode.net @danielcid on twitter ← not me!