Continuous monitoring with OSSIM

Learn how to manage your company’s security health using continuous monitoring with OSSIM, an Open Source Security Information and Event Management solution.

  1. Contents
  2. Contents
      - Practical Monitoring with OSSIM
      - Asset and Data Source Identification
      - OSSIM Platform
      - OSSIM Architecture
      - Minimum Requirements
      - Create OTX Account
      - Factors to Consider
      - Demo Environment
      - OSSIM Installation
      - Basic Configuration
      - Adding Assets & Configuring VA
      - IDS in OSSIM
      - Setting up HIDS
      - Setting up NIDS
      - Adding Devices & Enabling Plugins
      - Plugins for CheckPoint Firewall
      - Availability Monitoring
  3. Practical Monitoring with OSSIM
      - Cyber security is a challenge.
      - 24 x 7 monitoring of critical networks.
      - OSSIM is an open source product.
      - People, Process, Technology.
      - Strengths and weaknesses of the OSSIM tool.
  4. Asset and Data Source Identification
      - Asset: any device with an IP address.
      - Data source: an asset capable of creating and sending logs.
      - OSSIM supports logs from databases, syslog, WMI, etc.
  5. OSSIM Platform
      - Asset Discovery
          - Active Network Scanning
          - Passive Network Scanning
          - Asset Inventory
      - Vulnerability Assessment
          - Continuous Vulnerability Monitoring
          - Authenticated / Unauthenticated Active Scan
      - Threat Detection
          - Network IDS
          - Host IDS
          - File Integrity Monitoring
      - Behavioral Monitoring
          - NetFlow Analysis
          - Service Availability Monitoring
      - Security Intelligence
          - Log Collection
          - Event Correlation
          - Incident Response
  6. OSSIM Architecture
      - Sensor: Asset Discovery, Vulnerability Scanning, Event Collection
      - Server: Policy, Risk Assessment, Correlation, SQL Storage, Forwarding
      - Logger: Log Storage for OSSIM, digitally signed long-term storage
  7. Minimum Requirements
      - Hardware requirements: 8 CPU cores, 16 GB RAM, 1 TB of HDD, 3 network interfaces
      - Additional requirements: VMware or Hyper-V, OSSIM ISO file, OTX key (I'll guide you on how to get it)
  8. Create OTX Account
  9. Factors to Consider
      Before implementing OSSIM it is necessary to check the following areas:
      - EPS (Events Per Second)
      - Number of assets
      - Bandwidth
      - Geographical locations
      - Network boundaries
      - Time zones
      - Storage
  10. Demo Environment
  11. OSSIM Installation
  12. Getting Started Wizard: Network Interfaces
  13. Basic Configuration
      - Setting the correct time zone
      - Configuring the hostname
      - Setting the correct time zone for the user
      - Configuring a password for the configuration backup
  14. Adding Assets & Configuring VA
      - Any device with an IP address is an asset.
      - Examples: firewalls, servers, IP cameras, mobile devices, network printers
  15. IDS in OSSIM
      - HIDS: host-based intrusion detection system
      - NIDS: network-based intrusion detection system
  16. Setting up HIDS
      - What is HIDS? A host-based intrusion detection system places an agent on the device, pulls the device's logs into OSSIM, does the correlation inside OSSIM and generates the alarms.
      - Agents: OSSEC, NXLog, Filebeat
  17. Setting up NIDS
      - A network-based intrusion detection system analyzes the inbound and outbound network traffic in the environment and the behaviour of the traffic generated. OSSIM does this part without an agent, which is why it is called NIDS.
  18. Adding Devices and Enabling Plugins
      - Next we are going to integrate devices that send syslog. First, ask your network admin to forward syslog to UDP port 514 of the OSSIM log collector IP.
  19. DEMO
  20. Create Plugins
  21. Plugins for CheckPoint firewall
      - What is a plugin?
      - OSSIM has nearly 1000 plugins for different devices.
      - For example, "Fw1.alt" is the plugin for CheckPoint.
  22. Fw1.alt Plugin
  23. Creating a plugin
      - Regular Expressions
      - Regular Expressions: Combinations
      - Regular Expressions: Occurrence Matches
      - Regular Expressions: Complex Matches
      - Regular Expressions: Special Characters
  24. Regular Expressions

      | Operator | Meaning |
      |---|---|
      | `c` | A non-special character matches itself |
      | `\c` | Removes the special meaning of the character `c`; `\$` matches a literal `$` |
      | `^` | Matches the position at the beginning of the line |
      | `$` | Matches the position at the end of the line |
      | `.` | Any single character |
      | `[...]` | One of the listed characters; accepts ranges of the form `a-z`, `0-9`, `A-Z` |
      | `[^...]` | A character other than the listed ones; accepts ranges of the form `a-z`, `0-9`, `A-Z` |

  25. Regular Expressions: Combinations

      | Regular expression | Matches |
      |---|---|
      | `a.b` | axb aab abb aSb a#b ... |
      | `a..b` | axxb aaab abbb a4$b ... |
      | `[abc]` | a b c (one-character strings) |
      | `[aA]` | a A (one-character strings) |
      | `[aA][bB]` | ab aB AB (two-character strings) |
      | `[0123456789]` | 0 1 2 3 4 5 6 7 8 9 |
      | `[0-9]` | 0 1 2 3 4 5 6 7 8 9 |
      | `[A-Za-z]` | A B C ... Z a b c ... z |
      | `[0-9][0-9][0-9]` | 000 001 .. 009 010 .. 019 100 .. 999 |

  26. Regular Expressions: Occurrence Matches

      | Operator | Meaning |
      |---|---|
      | `r*` | 0 or more occurrences of `r` |
      | `r+` | 1 or more occurrences of `r` |
      | `r?` | 0 or 1 occurrence of `r`, and no more |
      | `r{n}` | exactly `n` occurrences of `r` |
      | `r{,m}` | 0 or at most `m` occurrences of `r` |
      | `r{n,m}` | `n` or more occurrences of `r`, but at most `m` |
      | `r1\|r2` | `r1` or `r2` |

  27. Regular Expressions: Special Characters

      | Regular expression | Matches | Equals |
      |---|---|---|
      | `\d` | Any decimal digit | `[0-9]` |
      | `\D` | Any non-digit character | `[^0-9]` |
      | `\s` | Any whitespace character | `[ \t\n\r\f\v]` |
      | `\S` | Any non-whitespace character | `[^ \t\n\r\f\v]` |
      | `\w` | Any alphanumeric character and `_` | `[a-zA-Z0-9_]` |
      | `\W` | Any non-alphanumeric character | `[^a-zA-Z0-9_]` |
      | `\Z` | End of line | |

  28. Regular Expressions: Complex Matches

      | Regular expression | Matches |
      |---|---|
      | `[0-9]+` | 0 1 9 00 99 123 456 999 9999 99999 99999999 .. |
      | `[0-9]?` | empty_string 0 1 2 .. 9 |
      | `(ab)*` | empty_string ab ababab abababababab |
      | `([0-9]+ab)*` | empty_string 1234ab 9ab9ab9ab 9876543210ab 99ab99ab ... |
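The point of slides 23 to 28 is that a plugin is essentially a set of regular expressions that pull fields (source, destination, action, user) out of raw syslog lines. The following Python script is an added example, not part of the original slides and not OSSIM's plugin format: it applies the constructs from the tables above (`\d`, `\s`, `\w`, `[^...]`, `{n}`, `+`, `?`, alternation with `|`) to a few constructed syslog lines for a hypothetical firewall and SSH host, using named groups so each field comes out labelled. Lines that match no rule are reported separately rather than silently dropped, which is the first thing to look at when a new device's events are not showing up.

```python
import re

# Constructed sample syslog lines (imitation records, not output from a real device).
SAMPLE_LOGS = [
    "May 23 10:15:01 fw01 kernel: action=accept src=10.0.0.5 dst=203.0.113.9 proto=tcp sport=51234 dport=443",
    "May 23 10:15:02 fw01 kernel: action=drop src=198.51.100.7 dst=10.0.0.5 proto=udp sport=4444 dport=53",
    "May 23 10:15:03 fw01 kernel: action=drop src=198.51.100.7 dst=10.0.0.5 proto=icmp",
    "May 23 10:15:04 fw01 sshd[812]: Accepted password for admin from 10.0.0.9 port 50122 ssh2",
]

# Common syslog header: month, day, time, host. [A-Z][a-z]{2} is a three-letter month,
# \d{1,2} the day, \d{2}:\d{2}:\d{2} the time, [^\s]+ the hostname.
SYSLOG_HEADER = (
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<host>[^\s]+)\s+"
)

# One compiled expression per event type, tried in order (hypothetical rule names).
RULES = {
    "fw-connection": re.compile(
        SYSLOG_HEADER
        + r"kernel:\s+action=(?P<action>accept|drop)\s+"          # alternation
        + r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"               # dotted IPv4
        + r"dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
        + r"proto=(?P<proto>\w+)"
        + r"(?:\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+))?\s*$"  # ports optional (ICMP has none)
    ),
    "ssh-login": re.compile(
        SYSLOG_HEADER
        + r"sshd\[(?P<pid>\d+)\]:\s+Accepted\s+(?P<method>\w+)\s+for\s+"
        + r"(?P<user>[^\s]+)\s+from\s+(?P<src>[^\s]+)\s+port\s+(?P<sport>\d+)"
    ),
}


def parse_line(line):
    """Try each rule in order; return (rule_name, fields) or None if nothing matches."""
    for name, rx in RULES.items():
        m = rx.match(line)
        if m:
            return name, m.groupdict()
    return None


def parse_lines(lines):
    """Split input into (parsed events, unmatched raw lines)."""
    parsed, unmatched = [], []
    for line in lines:
        result = parse_line(line)
        if result is None:
            unmatched.append(line)
        else:
            parsed.append(result)
    return parsed, unmatched


def count_by_action(parsed):
    """Summarise firewall events by action, e.g. {'accept': 1, 'drop': 2}."""
    counts = {}
    for name, fields in parsed:
        if name == "fw-connection":
            counts[fields["action"]] = counts.get(fields["action"], 0) + 1
    return counts


if __name__ == "__main__":
    events, leftovers = parse_lines(SAMPLE_LOGS + ["garbage line that matches nothing"])
    for rule, fields in events:
        print(rule, fields)
    print("unmatched:", leftovers)
    print("by action:", count_by_action(events))
```

Anchoring every rule with `^` and a shared header keeps a rule from matching in the middle of an unrelated line, and the optional port group shows why `?` matters: without it the ICMP record would land in the unmatched list.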
  29. Create a Simple Correlation
      - Logical correlation uses correlation directives to detect attacks.
      - By default, OSSIM includes almost 80 built-in directives.
      - Users can customize existing directives or create custom ones.
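To make the idea of a correlation directive concrete, here is an added Python example (my own illustration, not OSSIM's directive format or engine): a single threshold-style rule that raises an alarm when at least N events of one type arrive from the same source within a time window, fed with a constructed event stream. The rule name, the event type string and the events themselves are all assumptions made for the demonstration.

```python
from collections import defaultdict, deque

# Constructed events, not from a real OSSIM install: (timestamp in seconds, event type, source IP)
EVENTS = [
    (0,   "ssh_failed_login", "198.51.100.7"),
    (10,  "ssh_failed_login", "198.51.100.7"),
    (15,  "ssh_failed_login", "10.0.0.9"),
    (20,  "ssh_failed_login", "198.51.100.7"),   # third hit within 60 s -> alarm
    (25,  "ssh_failed_login", "198.51.100.7"),
    (100, "ssh_failed_login", "10.0.0.9"),       # 85 s after the first -> outside window
    (130, "ssh_failed_login", "10.0.0.9"),
    (400, "ssh_failed_login", "198.51.100.7"),
]


class ThresholdDirective:
    """Alarm when `threshold` events of `event_type` come from one source within `window` seconds."""

    def __init__(self, name, event_type, threshold, window):
        self.name = name
        self.event_type = event_type
        self.threshold = threshold
        self.window = window
        self.history = defaultdict(deque)   # src -> timestamps still inside the window

    def feed(self, ts, event_type, src):
        """Process one event; return an alarm dict when the directive fires, else None."""
        if event_type != self.event_type:
            return None
        q = self.history[src]
        q.append(ts)
        # Drop timestamps that have slid out of the window.
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            alarm = {
                "directive": self.name,
                "src": src,
                "count": len(q),
                "first_seen": q[0],
                "last_seen": ts,
            }
            q.clear()   # one burst produces one alarm, not one per extra event
            return alarm
        return None


def run_directives(events, directives):
    """Feed every event to every directive, in time order; collect the alarms."""
    alarms = []
    for ts, event_type, src in sorted(events):
        for directive in directives:
            alarm = directive.feed(ts, event_type, src)
            if alarm is not None:
                alarms.append(alarm)
    return alarms


if __name__ == "__main__":
    rule = ThresholdDirective("ssh-bruteforce-hypothetical", "ssh_failed_login", threshold=3, window=60)
    for a in run_directives(EVENTS, [rule]):
        print(a)
```

The host 10.0.0.9 never triggers the rule because its three failures are spread over more than the window, which is the difference between counting events and correlating them.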
  30. Availability Monitoring
      The last option to enable in OSSIM is availability monitoring. As the name says, it simply checks whether a resource or service is reachable or not.
      - Service availability monitoring
      - Device availability monitoring
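Service availability monitoring at its simplest is a periodic TCP connect with a timeout and an alarm on state change. The Python below is an added illustration, not OSSIM's availability monitor: it starts a throwaway listener on the loopback interface as a stand-in for a monitored service, checks it, and shows how an up-to-down transition is detected by comparing two consecutive reports. The service names and ports are constructed for the example.

```python
import socket
import threading


def check_tcp_service(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:   # refused, unreachable, or timed out
        return False


def start_fake_service():
    """Start a constructed stand-in service on 127.0.0.1; returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # port 0 = let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:    # server socket closed -> stop
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def availability_report(services):
    """services: list of (name, host, port). Returns {name: 'up' | 'down'}."""
    return {name: ("up" if check_tcp_service(host, port) else "down")
            for name, host, port in services}


def state_changes(previous, current):
    """Return [(name, old_state, new_state)] for services whose state changed between two reports."""
    return [(name, previous.get(name), state)
            for name, state in current.items()
            if previous.get(name) != state]


if __name__ == "__main__":
    srv, port = start_fake_service()
    monitored = [("demo-service", "127.0.0.1", port)]
    first = availability_report(monitored)
    srv.close()                      # simulate the service going away
    second = availability_report(monitored)
    print(first, second, state_changes(first, second))
```

Polling only answers "does the port accept connections"; it will not notice a service that accepts and then misbehaves, so pair it with the log-based detection from the earlier slides rather than relying on it alone.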
  31. Understanding the Dashboard
  32. THANK YOU
  33. FOLLOW US ON /econIntconference @econ_int @int.econ