Continuous monitoring with OSSIM
•
2 likes•1,153 views
This document provides an overview of setting up practical monitoring with the open source security information management (SIM) tool OSSIM. It discusses identifying assets and data sources, the OSSIM platform capabilities, architecture, requirements, and basic configuration steps. It also covers adding assets, configuring vulnerability assessment, setting up host and network intrusion detection systems, enabling plugins for integrating devices like CheckPoint firewalls, and configuring availability monitoring. The document provides details on key concepts like regular expressions, correlation rules, and using the OSSIM dashboard.
More Related Content
What's hot
What's hot (20)
Similar to Continuous monitoring with OSSIM
Similar to Continuous monitoring with OSSIM (20)
Recently uploaded
Recently uploaded (20)
Continuous monitoring with OSSIM
- 3. Contents
- 4. Contents Practical Monitoring with OSSIM Asset and Data Source Identification OSSIM Platform OSSIM Architecture Minimum Requirements Create OTX Account Factors to Consider Demo Environment OSSIM Installation Basic Configuration AddingAssets & ConfiguringVA IDS in OSSIM Setting up HIDS Setting up NIDS Adding Devices Enabling Plugins Plugins for CheckPoint Firewall Availability Monitoring
- 5. Practical Monitoring with OSSIM Cyber security is a challenge. 24 x 7 monitoring of critical networks. OSSIM is a open source product. PEOPLE PROCESSTECHNOLOGY Strengths and weaknesses of OSSIM tool.
- 6. Asset and data source Identification Asset –any device with an IP address. Data Source – Assets Capable of creating and sending logs. OSSIM support logs from databases, syslogs andWMI etc.
- 7. OSSIM Platform Asset Discovery Active Network Scanning Passive Network Scanning Asset Inventory VulnerabilityAssessment ContinuousVulnerability Monitoring Authenticated Unauthenticated Active Scan Threat Detection Network IDS Host IDS File Integrity Monitoring Behavioral Monitoring NetFlow Analysis Service Availability Monitoring Security Intelligence Log Collection Event Correlation Incident Response
- 8. OSSIM Architecture Sensor Asset Discovery Vulnerability Scanning Event Collection Server Policy RiskAssessment Correlation SQL Storage Forwarding Logger Log Storage for OSSIM Digitally Signed long term Storage
- 9. Minimum Requirements Hardware requirement 8 CPU cores 16 Gb RAM 1TB of HDD 3 Network Interfaces Additional requirement VMware or Hyper-V OSSIM ISO file OTX key (I’ll guide you on how to get it)
- 11. Factors to Consider Before the implementation of OSSIM it is necessary to check on the following areas. EPS (Events Per Seconds) Numbers of Assets Bandwidth Geographical locations Network Boundaries Time zones Storage
- 12. Demo Environment
- 14. Getting Started Wizard – Network Interfaces
- 15. Basic Configuration Setting up the correct time zone Configuring hostname Setting up the correct time zone for the user Configuring password for the configuration backup
- 16. Adding Assets & Configuring VA Any device with an IP address is an asset. Examples :- Firewalls servers IP cameras mobile device network printers
- 17. IDS in OSSIM HIDS – Host base intrusion detection system NIDS – network base intrusion detection system IDS HIDS NIDS
- 18. Setting up HIDS What is HIDS? Host base intrusion detection system means put the agent to the device and pull the device logs to the OSSIM and do the Correlations part inside the OSSIM and generate the alarms. Ossec Nxlog File beat
- 19. Setting up NIDS Network base intrusion detections means it’s analyzed in and out network traffic in the environment and analyzed the behavior of the traffic generated. OSSIM is doing those part with out agent that’s why it called NIDS.
- 20. Adding devices and Enabling Plugins Next we’re going to integrate devices that send syslogs. So first ask your network admin to forward syslogs towards UDP port 514 of the log collector IP of OSSIM
- 21. DEMO
- 22. Create Plugins
- 23. Plugins for CheckPoint firewall What is a plugin? OSSIM has nearly 1000 plugins for different devices For Example “Fw1.alt” is the plugin for CheckPoint
- 24. Fw1.alt Plugin
- 25. Creating a plugin Regular Expressions Regular Expressions – Combinations Regular Expressions — Occurrence Matches Regular Expressions — Complex Matches Regular Expressions — Special Characters
- 26. Regular Expressions Operator Meaning c A non special character matches itself c Adds the special meaning of the character c; The $ matches with $ ^ Indicates the position at the beginning of the line $ Indicates the position at the end of the line . Any individual character […] One or any of the characters …; accepts intervals of the type a-z, 0-9, A-Z [^…] A character different from … ; accepts intervals of the type a-z, 0-9, A-Z
- 27. Regular Expressions - Combinations Regular expression Matches with a.b axb aab abb aSb a#b ... a..b axxb aaab abbb a4$b ... [abc] a b c (one character strings) [aA] a (one character strings) [aA][bB] ab aB AB (two character strings) [0123456789] 0 1 2 3 4 5 6 7 8 9 [0-9] 0 1 2 3 4 5 6 7 8 9 [A-Za-z] A B C ... Z a b c ... z [0-9][0-9][0-9] 000 001 .. 009 010 .. 019 100 .. 999
- 28. Regular Expressions — Occurrence MatchesOperator Meaning r* 0 or more occurrences of r r+ 1 or more occurrences of r r? 0 or 1 occurrence of r, and no more r{n} n occurrences of r r{,m} 0 or at most m occurrences of r r{n,m} n or more occurrences of r, but at most m r1|r2 r1 or r2
- 29. Regular Expressions — Special Characters Regular expression Matches with Equals d Any decimal character [0-9] D Any non-decimal character [^0-9] s Any space character [ tnrfv] S Any non-space character [^ tnrfv] w Any alphanumeric character and “_” [a-zA-Z0-9_] W Any non-alphanumeric character [^a-zA-Z0-9_] Z End of line
- 30. Regular Expressions — Complex Matches Regular expression Matches with [0-9]+ 0 1 9 00 99 123 456 999 9999 99999 99999999 .. [0-9]? empty_string 0 1 2 .. 9 (ab)* empty_string ab ababab abababababab ([0-9]+ab)* empty_string 1234ab 9ab9ab9ab 9876543210ab 99ab99ab ...
- 31. Create a Simple Correlation Logical correlation uses correlation directives to detect attacks. By default, OSSIM includes almost 80 built-in directives. Users can customize existing directives or create custom ones.
- 32. Availability Monitoring The last option to enable in OSSIM will be the Availability monitoring. As the word means, it simply checks whether the resource/service is available or not. Service Available Monitoring Device Available Monitoring
- 34. THANK YOU
- 35. FOLLOW US ON /econIntconference @econ_int @int.econ
Editor's Notes
- I have been working soc analyst in past year and did
- Cyber security is the key challenge for any kind or any size of a company . Because of the rapid development of new technology There are multiple solutions to overcome this challenge. But when considering effectiveness of these solutions, Security operating center or we simply called SOC, leads the industry, with it’s continues monitoring capability. You know when it’s come to soc people believe it as an expensive solution . But to overcome this any one can go for an open solutions So let me introduce you a world recognize open source tool with many useful features Cyber security is a challenge for many organization today. Rapid Changes in the threat landscape forces many organizations to adopt expensive security solutions even when the organizations is not ready for such solution. Establishing an organization wide security operation center (SOC) is perceived as a solution to meet the challenges of cyber security by introducing 24 x 7 monitoring of critical networks. OSSIM is a open source product with many useful features that will allow you to take the first steps towards establishing a SOC. It will also allow you to adopt PEOPLE PROCESS TECHNOLOGY approach for your cyber security solution. It is important to understand the strengths and weaknesses of OSSIM tool.
- Anything that has any IP address can be declared as an Asset. If those assets are capable of creating and sending any type of logs in to an SIEM, then it is a data source. OSSIM support logs from databases, syslogs and WMI etc. In addition to that we also forward a copy of the network traffic (SPAN) towards OSSIM. I’ve seen some Antivirus engines do not support syslogs , but it dumps it’s events in local database. In such cases we configure the OSSIM to manually login to those databases and fetch logs at regular intervals.
- Anything that has any IP address can be declared as an Asset. If those assets are capable of creating and sending any type of logs in to an SIEM, then it is a data source. OSSIM support logs from databases, syslogs and WMI etc. In addition to that we also forward a copy of the network traffic (SPAN) towards OSSIM. I’ve seen some Antivirus engines do not support syslogs , but it dumps it’s events in local database. In such cases we configure the OSSIM to manually login to those databases and fetch logs at regular intervals.
- Anything that has any IP address can be declared as an Asset. If those assets are capable of creating and sending any type of logs in to an SIEM, then it is a data source. OSSIM support logs from databases, syslogs and WMI etc. In addition to that we also forward a copy of the network traffic (SPAN) towards OSSIM. I’ve seen some Antivirus engines do not support syslogs , but it dumps it’s events in local database. In such cases we configure the OSSIM to manually login to those databases and fetch logs at regular intervals.
- To perform the basic ossime functionality these are the requirement
- Anything that has any IP address can be declared as an Asset. If those assets are capable of creating and sending any type of logs in to an SIEM, then it is a data source. OSSIM support logs from databases, syslogs and WMI etc. In addition to that we also forward a copy of the network traffic (SPAN) towards OSSIM. I’ve seen some Antivirus engines do not support syslogs , but it dumps it’s events in local database. In such cases we configure the OSSIM to manually login to those databases and fetch logs at regular intervals.
- Anything that has any IP address can be declared as an Asset. If those assets are capable of creating and sending any type of logs in to an SIEM, then it is a data source. OSSIM support logs from databases, syslogs and WMI etc. In addition to that we also forward a copy of the network traffic (SPAN) towards OSSIM. I’ve seen some Antivirus engines do not support syslogs , but it dumps it’s events in local database. In such cases we configure the OSSIM to manually login to those databases and fetch logs at regular intervals.
- Anything that has any IP address can be declared as an Asset. If those assets are capable of creating and sending any type of logs in to an SIEM, then it is a data source. OSSIM support logs from databases, syslogs and WMI etc. In addition to that we also forward a copy of the network traffic (SPAN) towards OSSIM. I’ve seen some Antivirus engines do not support syslogs , but it dumps it’s events in local database. In such cases we configure the OSSIM to manually login to those databases and fetch logs at regular intervals.
- Anything that has any IP address can be declared as an Asset. If those assets are capable of creating and sending any type of logs in to an SIEM, then it is a data source. OSSIM support logs from databases, syslogs and WMI etc. In addition to that we also forward a copy of the network traffic (SPAN) towards OSSIM. I’ve seen some Antivirus engines do not support syslogs , but it dumps it’s events in local database. In such cases we configure the OSSIM to manually login to those databases and fetch logs at regular intervals.
- Any body know what is plugin?
- Let’s move to the simple correlation
- I’ll show simple dashboard and let’s try to understand it