This presentation was given at Excaliburcon in Wuxi, China and covers the use of open source solutions in a security infrastructure, with a special focus on OSSEC.

1. 大家好吗？大家好吗？
我 是我 是 Wim RemesWim Remes
比利时比利时

2. http://www.eurotrashsecurity.eu
http://www.twitter.com/eurotrashsec
Chris-John Riley, Craig Balding, Dale Pearson & me.
(shameless self-promotion)(shameless self-promotion)

3. 今天的主题是今天的主题是
The value of open source
solutions in a
security infrastructure
AN
D

4. Infosec Technology
in the past decade

5. Pwned by a vendor ?

6. It's time to unleash the power ...

7. What can't you do with open
source solutions?

8. YES WE CAN !YES WE CAN !

9. It's about the bottom line.
Your bottom and Your line!

10. Open Source Security
A host-based intrusion detection system

11. Mr. Daniel CidMr. Daniel Cid
His royal OSSECnessHis royal OSSECness
http://www.twitter.comhttp://www.twitter.com/danielcid/danielcid
dcid in #ossec on irc.freenode.netdcid in #ossec on irc.freenode.net

12. OSSEC TechnicalOSSEC Technical
OverviewOverview
OSSEC Rollout ScenariosOSSEC Rollout Scenarios
OSSEC Rule engineOSSEC Rule engine
1
2

13. Host Based Intrusion DetectionHost Based Intrusion Detection
Client/Server ArchitectureClient/Server Architecture
Highly ScalableHighly Scalable
Cross PlatformCross Platform
Log AnalysisLog Analysis
Integrity CheckingIntegrity Checking
Rootkit DetectionRootkit Detection
Active ResponseActive Response
1
2
OSSEC Technical
Overview

14. If a tree falls in a forest, andIf a tree falls in a forest, and
nobody hears it, did it really fall?nobody hears it, did it really fall?

15. OSSEC
SERVER
1
2
syslog
syslog
ossec
OSSEC Technical
Overview

16. 1
2
SIEM
OSSEC Rollout Scenarios

17. 1
2
customer 1 customer 2
OSSEC Rollout Scenarios

18. And thy network shall be namedAnd thy network shall be named
BabelBabel

19. 1
2
ANALYZE
PRE-DECODE
DECODE
LOG ALERT!
MSG
OSSEC Rule engine

20. 1
2
AGENT
SERVER
ossec-logcollector
ossec-analysisd
ossec-maild ossec-execd
Compressed (zlib)
Encrypted (blowfish)
OSSEC Rule engine

21. Flexibility is the key word here!Flexibility is the key word here!

22. 1
2
PRE-DECODING
Feb 24 10:12:23Feb 24 10:12:23 beijing appdaemon:stoppedbeijing appdaemon:stopped
time/datetime/date :: Feb 24 10:12:23Feb 24 10:12:23
HostnameHostname :: beijingbeijing
Program_nameProgram_name :: appdaemonappdaemon
LogLog :: stoppedstopped
OSSEC Rule engine

23. 1
2
Feb 25 12:00:47 beijing appdaemon:userFeb 25 12:00:47 beijing appdaemon:user
john logged on from 10.10.10.10john logged on from 10.10.10.10
time/datetime/date :: Feb 25 12:00:47Feb 25 12:00:47
HostnameHostname :: beijingbeijing
Program_nameProgram_name :: appdaemonappdaemon
LogLog :: user john logged on from 10.10.10.10user john logged on from 10.10.10.10
PRE-DECODING
OSSEC Rule engine

24. 1
2
time/datetime/date :: Feb 25 12:00:47Feb 25 12:00:47
HostnameHostname :: beijingbeijing
Program_nameProgram_name :: appdaemonappdaemon
LogLog :: user john logged on from 10.10.10.10user john logged on from 10.10.10.10
SrcipSrcip :: 10.10.10.1010.10.10.10
UserUser : john: john
DECODING
OSSEC Rule engine
Feb 25 12:00:47 beijing appdaemon:userFeb 25 12:00:47 beijing appdaemon:user
john logged on from 10.10.10.10john logged on from 10.10.10.10

25. 1
2
<rule id=666 level=”0”><rule id=666 level=”0”>
<decoded_as><decoded_as>appdaemonappdaemon</decoded_as></decoded_as>
<description>appdaemon rule</description><description>appdaemon rule</description>
</rule></rule>
<rule id=”766” level=”5”><rule id=”766” level=”5”>
<if_sid>666</if_sid><if_sid>666</if_sid>
<match>^<match>^logged onlogged on</match></match>
<description>succesful logon</description><description>succesful logon</description>
</rule></rule>
ANALYSIS
OSSEC Rule engine

26. 1
2
ANALYSIS
<rule id=866 level=”7”><rule id=866 level=”7”>
<if_sid>766</if_sid><if_sid>766</if_sid>
<hostname>^beijing</hostname><hostname>^beijing</hostname>
<srcip><srcip>!192.168.10.0/24!192.168.10.0/24</srcip></srcip>
<description>unauthorized logon!</description><description>unauthorized logon!</description>
</rule></rule>
<rule id=”966” level=”13”><rule id=”966” level=”13”>
<if_sid>766</if_sid><if_sid>766</if_sid>
<hostname>^shanghai</hostname><hostname>^shanghai</hostname>
<user><user>!john!john</user></user>
<description>unauthorised logon !</description><description>unauthorised logon !</description>
</rule></rule>
OSSEC Rule engine

27. 1
2
ANALYSIS
666
766
866
966
OSSEC Rule engine

28. 1
2
ANALYSIS
<rule id=1066 level=”7”><rule id=1066 level=”7”>
<if_sid>666</if_sid><if_sid>666</if_sid>
<match>^login failed</hostname><match>^login failed</hostname>
<description>failed login !</description><description>failed login !</description>
</rule></rule>
<rule id=”1166” level=”9”<rule id=”1166” level=”9” frequency=”10” timeframe=”100”frequency=”10” timeframe=”100”>>
<if_matched_sid>1066</if_matched_sid><if_matched_sid>1066</if_matched_sid>
<same_source_ip /><same_source_ip />
<description>Probable Brute Force !</description><description>Probable Brute Force !</description>
</rule></rule>
OSSEC Rule engine

29. 1
2
AGENT
SERVER
ossec-logcollector
ossec-analysisd
ossec-maild ossec-execd
Compressed (zlib)
Encrypted (blowfish)
OSSEC Rule engine

30. Real GoodnessReal Goodness
1
2
666
766
866
966
1066
1166
STOP!

31. 1
2
ossec.conf
command1
command2
command3
...
<active-response>
<command>command2</command>
<location>local</location>
<rules_id>1166</rules_id>
<timeout>600</timeout>
</active-response>
action1
action2
action3
...
<command>
<name>command2</name>
<executable>command2.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
1166
Real GoodnessReal Goodness

33. 谢谢谢谢
Thank youThank you
wim@remes-it.bewim@remes-it.be (mail)(mail)
blog.remes-it.be (blog)blog.remes-it.be (blog)
@wimremes (twitter)@wimremes (twitter)
#ossec (irc)#ossec (irc)