How is everybody?
I am Wim Remes
Belgium
http://www.eurotrashsecurity.eu
http://www.twitter.com/eurotrashsec
Chris-John Riley, Craig Balding, Dale Pearson & me.
(shameless self-promotion)
Today's topic is
The value of open source
solutions in a
security infrastructure
AND
Infosec Technology
in the past decade
Pwned by a vendor ?
It's time to unleash the power ...
What can't you do with open
source solutions?
YES WE CAN !
It's about the bottom line.
Your bottom and Your line!
Open Source Security
A host-based intrusion detection system
Mr. Daniel Cid
His royal OSSECness
http://www.twitter.com/danielcid
dcid in #ossec on irc.freenode.net
OSSEC Technical Overview
OSSEC Rollout Scenarios
OSSEC Rule engine
Host Based Intrusion Detection
Client/Server Architecture
Highly Scalable
Cross Platform
Log Analysis
Integrity Checking
Rootkit Detection
Active Response
OSSEC Technical
Overview
If a tree falls in a forest, and nobody hears it, did it really fall?
[Diagram: hosts feeding the OSSEC SERVER, two over syslog and one through the ossec agent]
OSSEC Technical
Overview
[Diagram: SIEM integration]
OSSEC Rollout Scenarios
[Diagram: multi-tenant rollout serving customer 1 and customer 2]
OSSEC Rollout Scenarios
And thy network shall be named Babel
[Diagram: rule engine flow: MSG -> LOG -> PRE-DECODE -> DECODE -> ANALYZE -> ALERT!]
OSSEC Rule engine
AGENT: ossec-logcollector
SERVER: ossec-analysisd, ossec-maild, ossec-execd
Agent-to-server traffic: Compressed (zlib), Encrypted (blowfish)
OSSEC Rule engine
Flexibility is the key word here!
PRE-DECODING
Feb 24 10:12:23 beijing appdaemon:stopped
time/date :: Feb 24 10:12:23
Hostname :: beijing
Program_name :: appdaemon
Log :: stopped
OSSEC Rule engine
PRE-DECODING
Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10
time/date :: Feb 25 12:00:47
Hostname :: beijing
Program_name :: appdaemon
Log :: user john logged on from 10.10.10.10
OSSEC Rule engine
DECODING
time/date :: Feb 25 12:00:47
Hostname :: beijing
Program_name :: appdaemon
Log :: user john logged on from 10.10.10.10
Srcip :: 10.10.10.10
User :: john
OSSEC Rule engine
ANALYSIS
Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10

<rule id="666" level="0">
  <decoded_as>appdaemon</decoded_as>
  <description>appdaemon rule</description>
</rule>
<rule id="766" level="5">
  <if_sid>666</if_sid>
  <match>^logged on</match>
  <description>successful logon</description>
</rule>
OSSEC Rule engine
ANALYSIS
<rule id="866" level="7">
  <if_sid>766</if_sid>
  <hostname>^beijing</hostname>
  <srcip>!192.168.10.0/24</srcip>
  <description>unauthorized logon!</description>
</rule>
<rule id="966" level="13">
  <if_sid>766</if_sid>
  <hostname>^shanghai</hostname>
  <user>!john</user>
  <description>unauthorised logon!</description>
</rule>
OSSEC Rule engine
ANALYSIS
[Diagram: rule tree 666 -> 766 -> 866, 966]
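The pre-decode, decode and analyze stages from the slides above, carried through in Python as an added example (it is not part of the presentation or of OSSEC's own code): a toy re-implementation of the 666/766/866/966 rule tree over constructed appdaemon lines. The syslog and appdaemon regexes, the match semantics and the sample lines are simplified assumptions, not OSSEC's real decoders.

```python
import re
import ipaddress
# Constructed sample lines in the slides' appdaemon syslog format (not captured logs).
SAMPLE_LOGS = [
    "Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10",
    "Feb 25 12:03:10 shanghai appdaemon:user mallory logged on from 192.168.10.5",
    "Feb 24 10:12:23 beijing appdaemon:stopped",
]
SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^:]+):(.*)$")
LOGON_RE = re.compile(r"^user (\S+) logged on from (\S+)$")
# (rule id, level, if_sid parent, field conditions) transcribed from the slides. Rule 766 is
# unanchored here: in OSSEC a leading "^" in <match> anchors at the start of the log field.
RULES = [
    (666, 0, None, {"program_name": "appdaemon"}),
    (766, 5, 666, {"log": "logged on"}),
    (866, 7, 766, {"hostname": "^beijing", "srcip": "!192.168.10.0/24"}),
    (966, 13, 766, {"hostname": "^shanghai", "user": "!john"}),
]

def pre_decode(line):
    """Pre-decoding: split the syslog header into time/date, hostname, program_name, log."""
    m = SYSLOG_RE.match(line)
    return {"time": m[1], "hostname": m[2], "program_name": m[3], "log": m[4].strip()}

def decode(event):
    """Decoding: a hypothetical appdaemon decoder pulls user and srcip out of the log field."""
    if event["program_name"] == "appdaemon" and (m := LOGON_RE.match(event["log"])):
        event.update(user=m[1], srcip=m[2])
    return event

def field_matches(value, pattern):
    """OSSEC-style simple match: "!" negates, "^" anchors, CIDR for addresses, else substring."""
    negate, pat = pattern.startswith("!"), pattern.lstrip("!")
    if "/" in pat:  # an empty value (field never decoded) cannot be an address
        hit = bool(value) and ipaddress.ip_address(value) in ipaddress.ip_network(pat)
    elif pat.startswith("^"):
        hit = value.startswith(pat[1:])
    else:
        hit = bool(value) and pat in value
    return hit != negate

def analyze(line):
    """Pipeline plus rule-tree walk (a child fires only if its if_sid parent fired)."""
    event, fired, level = decode(pre_decode(line)), [], None
    for rid, lvl, parent, conds in RULES:
        if (parent is None or parent in fired) and all(
                field_matches(event.get(f, ""), p) for f, p in conds.items()):
            fired.append(rid)
            level = lvl  # the deepest rule fired sets the alert level
    return fired, level
```

The first sample line ends at rule 866 (level 7), the shanghai line at rule 966 (level 13), and the "stopped" line only reaches rule 666, whose level 0 means no alert.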
OSSEC Rule engine
ANALYSIS
<rule id="1066" level="7">
  <if_sid>666</if_sid>
  <match>^login failed</match>
  <description>failed login!</description>
</rule>
<rule id="1166" level="9" frequency="10" timeframe="100">
  <if_matched_sid>1066</if_matched_sid>
  <same_source_ip />
  <description>Probable Brute Force!</description>
</rule>
OSSEC Rule engine
Real Goodness
[Diagram: rule tree 666 -> 766 -> 866, 966 and 666 -> 1066 -> 1166]
STOP!
ossec.conf
[Diagram: defined commands (command1, command2, command3, ...) and the active responses (action1, action2, action3, ...) bound to them; rule 1166 triggers command2]

<active-response>
  <command>command2</command>
  <location>local</location>
  <rules_id>1166</rules_id>
  <timeout>600</timeout>
</active-response>

<command>
  <name>command2</name>
  <executable>command2.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>
Real Goodness
Thank you
wim@remes-it.be (mail)
blog.remes-it.be (blog)
@wimremes (twitter)
#ossec (irc)

Open Source Security