OSSEC
Log and event management the open source way ...
Introduction

• Me (thx 4 the nice intro, maltego me)
• Bull (not the bovine kind ...)
• Eurotrash information security podcast
• Brucon, Excaliburcon, FOSDEM, ...
Agenda
• Logging 101 (what, how, why, ...)
• OSSEC technical overview
• break
• OSSEC installation and configuration
• OSSEC rules
• OSSEC event management
Logging : what ?
• Users
• Systems
• Network
• Databases
• Applications
• .....
Logging: from ?

Firewalls, VPN, IDS/IPS, routers, switches, ...
Servers, workstations, virtualisation, UPS, ...
anti-malware, applications, databases, ...
Logging : Why ?

• System Monitoring
     (performance, management, troubleshooting, ...)


• Compliance
     (regulatory, audit, internal policy, ...)


• Incident Handling, Forensics, ...
Compliance
PCI DSS
6.4. Follow change control procedures for all changes to system components

10. Track and monitor all access to network resources and cardholder data.

12. Maintain a policy that addresses information security for all employees and contractors
The Problem

• There is NO standard !!
• There is NO guidance !!
• There is NO Consistency !!
Babel be thy name
We need to agree upon...

• Format
    What does a log message look like ?


• Content
    What do we put in a log message ?


• Transport
    How do we send it ?


• Guidelines
    How do we approach logging ? (ex. NIST 800-92)
It’s time for a standard !
not Syslog

• RFC 3164 (08/2001) : BSD Syslog Protocol
• It uses UDP
• It’s a garbage bin
• it’s a non-standard standard
Syslog Hell !
• Jun 11 03:06:38 (none) login[3432] : ROOT LOGIN on `tty1`

• Jan 19 22:52:56 LT1 gdm-session-worker[1659]: pam_unix(gdm:session): session opened for user wim by (uid=0)

• Jan 4 09:38:10 LT1 su[3510]: pam_unix(su:session): session opened for user root by wim (uid=1000)
Syslog Hell !!
• <57> Jan 10 12:10:34:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:frodo] [Source: 192.168.10.254] [localport:23] at ...

• <13> Jan 18 10:15:45 2009 680 Security SYSTEM User Failure Audit ENTERPRISE ...
Can I continue ?
• Jan 19 20:12:56 LT1 mycrappyapp[3526]: I’m the awesome programmer behind this crappy app and since you asked me to log something I’ve chosen to use syslog to dump all this meaningless events in here so you will still have to call and pay me to get the bugs that I left in there because I was surfing the internet instead of working for you solved. Eat that! And BTW, my app crashed for no apparent reason. kthxbai !
I promise to stop

• Feb 24 15:10:24 server transact[5402]: user geoff transferred 500 dollars using credit card # XXX

• Apr 1 10:14:28 server MEDIC[6420]: user kathy logged in to module patient using password selma1970
Then what ?
• IDMEF (by IETF)
 • XML based
 • Complex
 • Not widely adopted
 • Academic
• WELF (by Webtrends)
 • Proprietary
 • didn’t scale
NEXT !

• CBE (by IBM)
 • also XML based
 • IBM didn’t even use it !
• Event Taxonomy
    Standard terminology
• Log Syntax
    Consistent data elements and format
• Log Transport
    Standard communications mechanisms
• Log Recommendations
    Suggested events to log
The future ?
OSSEC
Definition

OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
SIEM (commercial)
Key Facts

• 2005
• Daniel Cid
• Third Brigade
• TrendMicro
Install Modes
• Local
  • Single Client
  • Windows, AIX, Solaris, HP-UX, Linux

• Server
  • Central Logging Point (250 clients/server)
  • AIX, Solaris, HP-UX, Linux

• Client
  • Reports to server
  • Windows, AIX, Solaris, HP-UX, Linux
Architecture
(diagram; labels: syslog, syslog, virtualisation)
Architecture
(diagram; labels: SIEM, virtualisation, virtualisation)
OSSEC Components
(diagram)
  Agent: logcollector
  Agent -> Server: zlib compressed, blowfish encrypted, UDP 1514
  Server: ossec-analysisd, ossec-maild, ossec-execd
Time for a break
ossec-analysisd
  Predecoding -> Decoding -> Analysis
Predecoding

• Feb 24 10:12:23 beijing appdaemon:stopped

    time/date    : Feb 24 10:12:23
    Hostname     : beijing
    Program_name : appdaemon
    Log          : stopped
Predecoding

• Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10

    time/date    : Feb 25 12:00:47
    Hostname     : beijing
    Program_name : appdaemon
    Log          : user john logged on from 10.10.10.10
Decoding

• Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10

    time/date    : Feb 25 12:00:47
    Hostname     : beijing
    Program_name : appdaemon
    Log          : user john logged on from 10.10.10.10
    srcip        : 10.10.10.10
    user         : john
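The two stages above, as an added example in Python (not code from the slides or from the OSSEC code base): predecoding knows only the BSD-syslog header layout and splits every line into time/date, hostname, program_name and log; decoding is then selected by program_name and pulls out named fields such as srcip and user. The header regular expression, the "appdaemon" message patterns and the sample lines are constructed for this illustration; OSSEC expresses its decoders in XML rather than in code like this.

```python
import re

# Predecoding only knows the generic BSD-syslog header layout (timestamp, host,
# program[pid]:); it knows nothing about the application that wrote the line.
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:\s*"
    r"(?P<log>.*)$"
)


def predecode(line):
    """Split a raw line into time/date, hostname, program_name and log."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        # No recognisable header: keep the whole text as the log field so a
        # rule can still match on it later.
        return {"timestamp": None, "hostname": None, "program_name": None, "log": line}
    return {
        "timestamp": m.group("timestamp"),
        "hostname": m.group("hostname"),
        "program_name": m.group("program_name"),
        "log": m.group("log"),
    }


# Decoders are selected by program_name. Each pattern knows one message layout
# of that program and names the fields it extracts. The "appdaemon" decoder is
# constructed for this example; no such real decoder exists.
DECODERS = {
    "appdaemon": [
        re.compile(r"^user (?P<user>\S+) logged on from (?P<srcip>\d{1,3}(?:\.\d{1,3}){3})$"),
        re.compile(r"^login failed for user (?P<user>\S+) from (?P<srcip>\d{1,3}(?:\.\d{1,3}){3})$"),
    ],
}


def decode(event):
    """Run the decoders for event['program_name']; add srcip/user when one matches."""
    for pattern in DECODERS.get(event["program_name"], []):
        m = pattern.match(event["log"])
        if m:
            decoded = dict(event)
            decoded.update(m.groupdict())
            decoded["decoded_as"] = event["program_name"]
            return decoded
    return event  # unknown program or unknown message: predecoded fields only


# Constructed sample lines, modelled on the ones in the slides.
SAMPLE_LINES = [
    "Feb 24 10:12:23 beijing appdaemon:stopped",
    "Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10",
    "Jan 4 09:38:10 LT1 su[3510]: pam_unix(su:session): session opened for user root by wim (uid=1000)",
]


def process(lines):
    """Predecode, then decode, every line; returns one event dict per line."""
    return [decode(predecode(line)) for line in lines]


if __name__ == "__main__":
    for ev in process(SAMPLE_LINES):
        print(ev)
```

The su line from the "Syslog Hell" slide is predecoded (program_name "su", pid stripped from the name) but not decoded, because no decoder is registered for it: this is exactly the state a log is in when only generic rules can apply to it.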
Analysis
<rule id="666" level="0">
  <decoded_as>appdaemon</decoded_as>
  <description>appdaemon rule</description>
</rule>
<rule id="766" level="5">
  <if_sid>666</if_sid>
  <match>^logged on</match>
  <description>successful logon</description>
</rule>
Analysis
<rule id="866" level="7">
  <if_sid>766</if_sid>
  <hostname>^beijing</hostname>
  <srcip>!192.168.10.0/24</srcip>
  <description>unauthorized logon!</description>
</rule>
<rule id="966" level="13">
  <if_sid>766</if_sid>
  <hostname>^shanghai</hostname>
  <user>!john</user>
  <description>unauthorised logon !</description>
</rule>
Analysis
rule tree (if_sid chain):
666
  766
    866
    966
Analysis
<rule id="1066" level="7">
  <if_sid>666</if_sid>
  <match>^login failed</match>
  <description>failed login !</description>
</rule>
<rule id="1166" level="9" frequency="10" timeframe="100">
  <if_matched_sid>1066</if_matched_sid>
  <same_source_ip />
  <description>Probable Brute Force !</description>
</rule>
Analysis
rule tree (if_sid chain, with the frequency rule hanging off 1066):
666
  766
    866
    966
  1066
    1166
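The rule tree above, run as an added Python example (not the slides' or OSSEC's own code): rules without if_sid are roots, a matching rule hands the event to its children, the deepest match wins, and a rule with if_matched_sid counts recent matches of its parent within the timeframe, per source IP when same_source_ip is set. Two deliberate deviations from the slides, both labelled in the code: the "^" anchor is dropped from the two <match> patterns, because OSSEC tests <match> against the log text after the syslog header and the slides' own messages ("user john logged on from ...") do not begin with "logged on"; and the frequency rule fires on the Nth match, a simplification of OSSEC's counting. The events are constructed, already decoded dicts of the shape the decoding stage produces.

```python
import ipaddress
from collections import defaultdict, deque

# The slides' rules, transcribed. "^" is dropped from <match> (see lead-in) so the
# rules fire on the slides' own sample messages.
RULES = [
    {"id": 666, "level": 0, "decoded_as": "appdaemon", "description": "appdaemon rule"},
    {"id": 766, "level": 5, "if_sid": 666, "match": "logged on", "description": "successful logon"},
    {"id": 866, "level": 7, "if_sid": 766, "hostname": "^beijing", "srcip": "!192.168.10.0/24",
     "description": "unauthorized logon!"},
    {"id": 966, "level": 13, "if_sid": 766, "hostname": "^shanghai", "user": "!john",
     "description": "unauthorised logon !"},
    {"id": 1066, "level": 7, "if_sid": 666, "match": "login failed", "description": "failed login !"},
    {"id": 1166, "level": 9, "if_matched_sid": 1066, "frequency": 10, "timeframe": 100,
     "same_source_ip": True, "description": "Probable Brute Force !"},
]


def field_matches(spec, value):
    """OSSEC-style field test: leading '!' negates, '^' anchors at the start,
    a CIDR spec is an address-in-network test, anything else is a substring test."""
    if value is None:
        return False
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if "/" in spec:
        hit = ipaddress.ip_address(value) in ipaddress.ip_network(spec, strict=False)
    elif spec.startswith("^"):
        hit = value.startswith(spec[1:])
    else:
        hit = spec in value
    return hit != negate


class Analysisd:
    """Toy model of ossec-analysisd: a rule tree walked by if_sid, plus
    frequency/timeframe correlation for rules carrying if_matched_sid."""

    def __init__(self, rules):
        self.roots, self.correlation = [], []
        self.children = defaultdict(list)   # parent sid -> rules whose if_sid is that parent
        self.history = defaultdict(deque)   # sid -> (time, srcip) of its recent matches
        for r in rules:
            if "if_sid" in r:
                self.children[r["if_sid"]].append(r)
            elif "if_matched_sid" in r:
                self.correlation.append(r)
            else:
                self.roots.append(r)

    @staticmethod
    def static_match(rule, ev):
        if "decoded_as" in rule and ev.get("decoded_as") != rule["decoded_as"]:
            return False
        if "match" in rule and not field_matches(rule["match"], ev.get("log")):
            return False
        return all(field_matches(rule[f], ev.get(f)) for f in ("hostname", "srcip", "user") if f in rule)

    def descend(self, rule, ev):
        """Most specific matching rule below `rule` (first matching child wins)."""
        for child in self.children[rule["id"]]:
            if self.static_match(child, ev):
                return self.descend(child, ev)
        return rule

    def analyse(self, ev):
        """Rule that fires for a decoded event (ev['time'] in epoch seconds), or None."""
        fired = next((self.descend(r, ev) for r in self.roots if self.static_match(r, ev)), None)
        if fired is None:
            return None
        for corr in self.correlation:
            if corr["if_matched_sid"] != fired["id"]:
                continue
            hist = self.history[fired["id"]]
            hist.append((ev["time"], ev.get("srcip")))
            while hist and ev["time"] - hist[0][0] > corr["timeframe"]:
                hist.popleft()   # forget matches outside the timeframe
            same = [h for h in hist if not corr.get("same_source_ip") or h[1] == ev.get("srcip")]
            if len(same) >= corr["frequency"]:   # simplification: fire on the Nth match
                for h in same:
                    hist.remove(h)   # reset so the alert does not repeat on every further event
                return corr
        return fired


def sample_events():
    """Constructed, already decoded events (what the decoding stage hands over)."""
    t0 = 1_262_304_000   # constructed epoch base

    def ev(offset, host, log, **fields):
        return {"time": t0 + offset, "hostname": host, "decoded_as": "appdaemon", "log": log, **fields}

    events = [
        ev(0, "beijing", "user john logged on from 192.168.10.5", user="john", srcip="192.168.10.5"),
        ev(1, "beijing", "user john logged on from 10.10.10.10", user="john", srcip="10.10.10.10"),
        ev(2, "shanghai", "user mallory logged on from 192.168.10.7", user="mallory", srcip="192.168.10.7"),
        ev(3, "shanghai", "user john logged on from 192.168.10.7", user="john", srcip="192.168.10.7"),
        ev(4, "beijing", "stopped"),
    ]
    # ten failed logins from one source within 100 seconds
    events += [ev(10 + i, "beijing", "login failed for user root from 10.10.10.10",
                  user="root", srcip="10.10.10.10") for i in range(10)]
    return events


def run(events):
    """Feed events through one engine; return the fired rule id (or None) per event."""
    engine = Analysisd(RULES)
    return [(r["id"] if r else None) for r in map(engine.analyse, events)]
```

Running `run(sample_events())` yields 766, 866, 966, 766, 666, then nine times 1066 and finally 1166: the logon from inside 192.168.10.0/24 stays at level 5, the one from 10.10.10.10 escalates to 866, mallory on shanghai hits 966, and the tenth failed login from one address within the window turns into the brute-force alert. Level 0 (rule 666) is returned here for visibility; in OSSEC a level-0 rule produces no alert.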
ossec.conf : active response
<command>
  <name>host-deny</name>
  <executable>host-deny.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <command>host-deny</command> <!-- must be the <name> of a defined <command> -->
  <location>local</location>
  <rules_id>1166</rules_id>
  <timeout>600</timeout>
</active-response>
ossec.conf : syscheck
<syscheck>
  <!-- Frequency that syscheck is executed - default to every 22 hours -->
  <frequency>79200</frequency>

  <!-- Directories to check (perform all possible verifications) -->
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>

  <!-- Files/directories to ignore -->
  <ignore>/etc/mtab</ignore>
  <ignore>/etc/mnttab</ignore>
  <ignore>/etc/hosts.deny</ignore>
...
</syscheck>
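What the syscheck block above configures, as an added Python example (not the slides' or OSSEC's own code): walk the configured directories, record a fingerprint per file (content hash plus size, mode and owner, the attributes a check_all comparison covers), skip the <ignore> paths, and on the next run report added, deleted and modified files. SHA-256 stands in for the checksums OSSEC itself records; the /etc-like tree, its contents and the changes made to it are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile


def fingerprint(path):
    """Attributes a check_all-style comparison looks at: content hash, size, mode, owner.
    SHA-256 is used here in place of the checksums OSSEC itself records."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": st.st_mode,
            "uid": st.st_uid, "gid": st.st_gid}


def build_baseline(directories, ignore=()):
    """Walk the configured directories and record one fingerprint per regular file,
    skipping the <ignore> paths (files that change constantly, like /etc/mtab)."""
    ignored = {os.path.abspath(p) for p in ignore}
    baseline = {}
    for top in directories:
        for root, _dirs, files in os.walk(top):
            for name in files:
                path = os.path.abspath(os.path.join(root, name))
                if path in ignored or os.path.islink(path):
                    continue
                baseline[path] = fingerprint(path)
    return baseline


def compare(old, new):
    """The three event kinds a syscheck run raises: added, deleted and modified files."""
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Constructed scenario in a temp dir: baseline an /etc-like tree, change it, compare."""
    with tempfile.TemporaryDirectory() as top:
        etc = os.path.join(top, "etc")
        os.makedirs(etc)
        files = {"passwd": b"root:x:0:0::/root:/bin/sh\n",
                 "hosts.allow": b"ALL: LOCAL\n",
                 "mtab": b"/dev/sda1 / ext4 rw\n"}
        for name, body in files.items():
            with open(os.path.join(etc, name), "wb") as f:
                f.write(body)
        ignore = [os.path.join(etc, "mtab")]   # like <ignore>/etc/mtab</ignore>
        before = build_baseline([etc], ignore)

        # Changes after the baseline was taken.
        with open(os.path.join(etc, "passwd"), "ab") as f:
            f.write(b"eve:x:0:0::/root:/bin/sh\n")   # second UID-0 account: modified file
        with open(os.path.join(etc, "sudoers"), "wb") as f:
            f.write(b"eve ALL=(ALL) NOPASSWD: ALL\n")   # new file: added
        os.remove(os.path.join(etc, "hosts.allow"))   # deleted
        with open(os.path.join(etc, "mtab"), "ab") as f:
            f.write(b"tmpfs /run tmpfs rw\n")   # ignored path: must not alert

        diff = compare(before, build_baseline([etc], ignore))
        # Strip the temp prefix so the result reads like real paths.
        return {k: [p[len(top):] for p in v] for k, v in diff.items()}


if __name__ == "__main__":
    print(demo())
```

The ignore list matters for signal quality: without it, the /etc/mtab rewrite would show up as a modification on every run and bury the three changes a defender actually wants to see. The 79200-second frequency above sets how stale a baseline may get before a change is noticed; a real-time notification needs the inotify-style options that the slide's block does not show.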
ossec.conf : rootcheck
<rootcheck>
   <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
   <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
   <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
   <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
   <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
   <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
</rootcheck>
ossec.conf : varia
<ossec_config>
  <alerts>
    <log_alert_level>1</log_alert_level>
  </alerts>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure.log</location>
  </localfile>
</ossec_config>

<ossec_config> <!-- rules global entry -->
  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    ...
  </rules>
</ossec_config>
Management
/var/ossec/bin/
  ossec-control stop|start|restart
  manage_agents
    (server) manage agent keys
    (client) import key
Management
agent_control -lc          (list connected agents)
agent_control -i [id]      (show information on one agent)
agent_control -R [id]      (restart an agent)
agent_control -r -a        (run the integrity/rootkit check on all agents)
agent_control -r -i [id]   (run it on one agent)
Management
syscheck_control -lc                 (list connected agents)
syscheck_control -i [id]             (dump the integrity database of one agent)
syscheck_control -i [id] -f [file]   (only the entries for one file)
Centralized Management
/var/ossec/etc/shared/agent.conf
  distributed to all agents
  specify config per client id
  specify config per OS
  pushed by server
  same syntax as ossec.conf
rolling out
(cycle) Deploy -> Monitor -> Analyze -> Customize -> Deploy ...
Thank you !
wim.remes@bull.be
+32 495 58 59 12

http://www.twitter.com/wimremes
wim@eurotrashsecurity.eu
www.eurotrashsecurity.eu
(itunes)

http://www.ossec.net
http://www.slideshare.net/anton_chuvakin

PCI PIN Basics Webinar from the Controlcase Team
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..
 

OSSEC @ ISSA Jan 21st 2010

  • 1. OSSEC Log and event management the open source way ...
  • 2. Introduction • Me (thx 4 the nice intro, maltego me) • Bull (not the bovine kind ...) • Eurotrash information security podcast • Brucon, Excaliburcon, FOSDEM, ...
  • 3. Agenda • Logging 101 (what, how, why, ...) • OSSEC technical overview • break • OSSEC installation and configuration • OSSEC rules • OSSEC event management
  • 4. Logging : what ? • Users • Systems • Network • Databases • Applications • .....
  • 5. Logging: from ? Firewalls,VPN, IDS/IPS, routers, switches, ... Servers, workstations, virtualisation, UPS, ... anti-malware, applications, databases, ...
  • 6. Logging : Why ? • System Monitoring (performance, management, troubleshooting, ...) • Compliance (regulatory, audit, internal policy, ...) • Incident Handling, Forensics, ...
  • 7. Compliance PCI DSS 6.4. Follow change control procedures for all changes to system components 10. Track and monitor all access to network resources and cardholder data. 12. Maintain a policy that addresses information security for all employees and contractors
  • 8. The Problem • There is NO standard !! • There is NO guidance !! • There is NO Consistency !!
  • 10. We need to agree upon... • Format What does a log message look like ? • Content What do we put in a log message ? • Transport How do we send it ? • Guidelines How do we approach logging ? (ex. NIST 800-92)
  • 11. It’s time for a standard !
  • 12. not Syslog • RFC 3164 (08/2001) : BSD Syslog Protocol • It uses UDP • It’s a garbage bin • it’s a non-standard standard
  • 13. Syslog Hell ! • Jun 11 03:06:38 (none) login[3432]: ROOT LOGIN on `tty1` • Jan 19 22:52:56 LT1 gdm-session-worker[1659]: pam_unix(gdm:session): session opened for user wim by (uid=0) • Jan 4 09:38:10 LT1 su[3510]: pam_unix(su:session): session opened for user root by wim (uid=1000)
  • 14. Syslog Hell !! • <57> Jan 10 12:10:34:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:frodo] [Source: 192.168.10.254] [localport:23] at ... • <13> Jan 18 10:15:45 2009 680 Security SYSTEM User Failure Audit ENTERPRISE ...
  • 15. Can I continue ? • Jan 19 20:12:56 LT1 mycrappyapp [3526]: I’m the awesome programmer behind this crappy app and since you asked me to log something I’ve chosen to use syslog to dump all this meaningless events in here so you will still have to call and pay me to get the bugs that I left in there because I was surfing the internet instead of working for you solved. Eat that! And BTW, my app crashed for no apparent reason. kthxbai !
  • 16. I promise to stop • Feb 24 15:10:24 server transact [5402]: user geoff transferred 500 dollars using credit card # XXX • Apr 1 10:14:28 server MEDIC [6420]: user kathy logged in to module patient using password selma1970
  • 17. Then what ? • IDMEF (by IETF) • XML based • Complex • Not widely adopted • Academic • WELF (by WebTrends) • Proprietary • didn't scale
  • 18. NEXT ! • CBE (by IBM) • also XML based • IBM didn’t even use it !
  • 19. The future ? • Event Taxonomy: standard terminology • Log Syntax: consistent data elements and format • Log Transport: standard communications mechanisms • Log Recommendations: suggested events to log
  • 20. OSSEC
  • 21. Definition OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
  • 23. Key Facts • 2005 • Daniel Cid • Third Brigade • TrendMicro
  • 24. Install Modes • Local: single client (Windows, AIX, Solaris, HP-UX, Linux) • Server: central logging point, 250 clients/server (AIX, Solaris, HP-UX, Linux) • Client: reports to server (Windows, AIX, Solaris, HP-UX, Linux)
  • 26. Architecture (diagram: syslog sources and virtualisation hosts feeding the OSSEC server)
  • 27. Architecture (diagram: OSSEC server forwarding to a SIEM, virtualisation hosts as sources)
  • 28. OSSEC Components • Agent: logcollector • Agent to server transport: zlib compressed, blowfish encrypted, UDP 1514 • Server: ossec-analysisd, ossec-maild, ossec-execd
  • 30. ossec-analysisd: Predecoding, Decoding, Analysis
  • 31. Predecoding
      • Feb 24 10:12:23 beijing appdaemon:stopped
          time/date : Feb 24 10:12:23
          Hostname : beijing
          Program_name : appdaemon
          Log : stopped
  • 32. Predecoding
      • Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10
          time/date : Feb 25 12:00:47
          Hostname : beijing
          Program_name : appdaemon
          Log : user john logged on from 10.10.10.10
  • 33. Decoding
      • Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10
          time/date : Feb 25 12:00:47
          Hostname : beijing
          Program_name : appdaemon
          Log : user john logged on from 10.10.10.10
          srcip : 10.10.10.10
          user : john
  • 34. Analysis
      <rule id="666" level="0">
        <decoded_as>appdaemon</decoded_as>
        <description>appdaemon rule</description>
      </rule>
      <rule id="766" level="5">
        <if_sid>666</if_sid>
        <match>^logged on</match>
        <description>successful logon</description>
      </rule>
  • 35. Analysis
      <rule id="866" level="7">
        <if_sid>766</if_sid>
        <hostname>^beijing</hostname>
        <srcip>!192.168.10.0/24</srcip>
        <description>unauthorized logon!</description>
      </rule>
      <rule id="966" level="13">
        <if_sid>766</if_sid>
        <hostname>^shanghai</hostname>
        <user>!john</user>
        <description>unauthorised logon !</description>
      </rule>
  • 36. Analysis (rule tree: 666 -> 766 -> 866 / 966)
  • 37. Analysis
      <rule id="1066" level="7">
        <if_sid>666</if_sid>
        <match>^login failed</match>
        <description>failed login !</description>
      </rule>
      <rule id="1166" level="9" frequency="10" timeframe="100">
        <if_matched_sid>1066</if_matched_sid>
        <same_source_ip />
        <description>Probable Brute Force !</description>
      </rule>
  • 38. Analysis (rule tree: 666 -> 766 -> 866 / 966, and 666 -> 1066 -> 1166)
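As an added example that is not from the slides or from OSSEC itself, this Python toy walks one syslog line through the three ossec-analysisd stages of slides 30 to 38: predecoding, the appdaemon decoder, the if_sid rule tree, and the frequency/timeframe composite rule with same_source_ip. The decoder, the simplified matching semantics (plain substring for match, only the "!network" form of srcip) and the sample log lines are assumptions constructed for the example.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network
# BSD syslog line (RFC 3164 style, no year): "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^\s:\[]+)(?:\[\d+\])?:\s*(.*)$")
APPDAEMON = re.compile(r"user (\S+) (?:logged on|login failed) from (\S+)")  # hypothetical decoder
# The slides' rule chain as dicts (toy re-implementation, not OSSEC's engine); "!" before a
# CIDR negates it, if_matched_sid + frequency/timeframe is the composite rule
RULES = [
    {"id": 666, "level": 0, "decoded_as": "appdaemon"},
    {"id": 766, "level": 5, "if_sid": 666, "match": "logged on"},
    {"id": 866, "level": 7, "if_sid": 766, "hostname": "beijing", "srcip": "!192.168.10.0/24"},
    {"id": 1066, "level": 7, "if_sid": 666, "match": "login failed"},
    {"id": 1166, "level": 9, "if_matched_sid": 1066, "frequency": 10, "timeframe": 100},
]
HISTORY = []  # (rule id, srcip, time) of every alert so far, read by composite rules

def predecode(line):  # stage 1: split the line into time/date, hostname, program_name, log
    m = SYSLOG.match(line)
    if not m: return None
    ts, host, prog, log = m.groups()
    when = datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")
    return {"time": when, "hostname": host, "program_name": prog, "log": log}

def decode(ev):  # stage 2: the appdaemon decoder adds decoded_as, user and srcip
    if ev["program_name"] == "appdaemon":
        ev["decoded_as"] = "appdaemon"
        m = APPDAEMON.search(ev["log"])
        if m: ev["user"], ev["srcip"] = m.groups()
    return ev

def rule_hits(rule, ev):  # field checks of one non-composite rule against a decoded event
    ok = "if_matched_sid" not in rule and rule.get("decoded_as") in (None, ev.get("decoded_as"))
    ok = ok and rule.get("match", "") in ev["log"] and ev["hostname"].startswith(rule.get("hostname", ""))
    if ok and "srcip" in rule:  # only the "!network" form is modelled, as on slide 35
        ok = "srcip" in ev and ip_address(ev["srcip"]) not in ip_network(rule["srcip"][1:])
    return ok

def walk(ev, parent=None):  # depth-first down the if_sid tree; the deepest hit wins
    child = next((r for r in RULES if r.get("if_sid") == parent and rule_hits(r, ev)), None)
    return child and (walk(ev, child["id"]) or child)

def analyse(ev):  # stage 3: deepest rule hit, escalated when a composite rule's frequency is reached
    best = walk(ev)
    if best is None: return None
    HISTORY.append((best["id"], ev.get("srcip"), ev["time"]))
    for r in RULES:  # same_source_ip: count hits of if_matched_sid from this srcip within timeframe
        if r.get("if_matched_sid") == best["id"]:
            hits = [h for h in HISTORY if h[:2] == (best["id"], ev.get("srcip")) and (ev["time"] - h[2]).total_seconds() <= r["timeframe"]]
            if len(hits) >= r["frequency"]: return r
    return best
```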
  • 39. ossec.conf
      <command>
        <name>host-deny</name>
        <executable>host-deny.sh</executable>
        <expect>srcip</expect>
        <timeout_allowed>yes</timeout_allowed>
      </command>
      <active-response>
        <command>host-deny</command>
        <location>local</location>
        <rules_id>1166</rules_id>
        <timeout>600</timeout>
      </active-response>
  • 40. ossec.conf syscheck
      <syscheck>
        <!-- Frequency that syscheck is executed - default to every 22 hours -->
        <frequency>79200</frequency>
        <!-- Directories to check (perform all possible verifications) -->
        <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
        <directories check_all="yes">/bin,/sbin</directories>
        <!-- Files/directories to ignore -->
        <ignore>/etc/mtab</ignore>
        <ignore>/etc/mnttab</ignore>
        <ignore>/etc/hosts.deny</ignore>
        ...
      </syscheck>
  • 41. ossec.conf rootcheck
      <rootcheck>
        <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
        <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
        <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
        <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
        <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
        <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
      </rootcheck>
  • 42. ossec.conf varia
      <alerts>
        <log_alert_level>1</log_alert_level>
      </alerts>
      <localfile>
        <log_format>syslog</log_format>
        <location>/var/log/secure.log</location>
      </localfile>
      <ossec_config>
        <!-- rules global entry -->
        <rules>
          <include>rules_config.xml</include>
          <include>pam_rules.xml</include>
          <include>sshd_rules.xml</include>
          <include>telnetd_rules.xml</include>
          ...
        </rules>
      </ossec_config>
  • 43. Management
      /var/ossec/bin/
      ossec-control stop|start|restart
      manage_agents: (server) manage agent keys, (client) import key
  • 44. Management
      agent_control -lc
      agent_control -i [id]
      agent_control -R [id]
      agent_control -r -a
      agent_control -r -i [id]
  • 45. Management
      syscheck_control -lc
      syscheck_control -i [id]
      syscheck_control -i [id] -f [file]
  • 46. Centralized Management
      /var/ossec/etc/shared/agent.conf
      • distributed to all agents
      • specify config per client id
      • specify config per OS
      • pushed by server
      • same syntax as ossec.conf
  • 47. Rolling out: Deploy, Customize, Monitor, Analyze
  • 48. Thank you !
      wim.remes@bull.be
      +32 495 58 59 12
      http://www.twitter.com/wimremes
      wim@eurotrashsecurity.eu
      www.eurotrashsecurity.eu (itunes)
      http://www.ossec.net
      http://www.slideshare.net/anton_chuvakin