
OSSEC & OSSIM

Unified Open Source Security

santiago@alienvault.com

Why OSSIM
Open Source SIEM - GNU GPL 3.0
Provides threat detection capabilities
Monitors network assets
Centralizes information and management
Assesses threat reliability and risk
Collaboratively learns about APT
http://communities.alienvault.com/
OSSIM Architecture
(diagram: Configuration & Management; Normalized Events)

OSSIM Embedded Tools
Assets: nmap, prads
Behavioral monitoring: fprobe, nfdump, ntop, tcpdump, nagios
Vulnerability assessment: osvdb, openvas
Threat detection: ossec, snort, suricata

OSSIM Collectors
OSSIM Collector Anatomy
[apache.cfg]
event_type=event
regexp="((?P<dst>\S+)(:(?P<port>\d{1,3}))? )?(?P<src>\S+) (?P<id>\S+) (?P<user>\S+) \[(?P<date>\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2})\s+[+-]\d{4}\] \"(?P<request>.*)\" (?P<code>\d{3}) ((?P<size>\d+)|-)( \"(?P<referer_url>.*)\" \"(?P<useragent>.*)\")?$"
src_ip={resolv($src)}
dst_ip={resolv($dst)}
dst_port={$port}
date={normalize_date($date)}
plugin_sid={$code}
username={$user}
userdata1={$request}
userdata2={$size}
userdata3={$referer_url}
userdata4={$useragent}
filename={$id}
[apache log]
76.103.249.20 - - [15/Jun/2013:10:14:32 -0700] "GET /ossim/session/login.php HTTP/1.1" 200 2612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"
OSSIM Threat assessment
(diagram: correlation directive chain, with Reliability as the axis; nodes: SSH failed authentication event -> 10 SSH failed authentication events -> 100 SSH failed authentication events -> 1000 SSH failed authentication events, each level branching on an SSH successful authentication event, plus a Persistent connections node)

OSSIM Risk assessment
RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY) / 25
(diagram: Source with asset value = 2, Destination with asset value = 3; Event priority = 2; Event reliability = 10)
OSSIM Attack analysis
(diagram: Attacker X.X.X.X -> Target Y.Y.Y.Y; Accepted HTTP packet from X.X.X.X to Y.Y.Y.Y; Attack: WEB-IIS multiple decode attempt; Vulnerability: IIS Remote Command Execution; Alert: Low reputation IP (OTX); Alert: IIS attack detected)
Why OSSEC
Open Source Host-based IDS (HIDS)
Log analysis based intrusion detection
File integrity checking
Registry keys integrity checking (Windows only)
Signature based malware/rootkits detection
Real time alerting and active response
Feeds SIEMs (OSSIM)

OSSEC Architecture
OSSEC Agent
Logcollectord: Read logs (syslog, wmi, flat files)
Syscheckd: File integrity checking
Rootcheckd: Malware and rootkits detection
Agentd: Forwards data to the server
OSSEC Server
Remoted: Receives data from agents
Analysisd: Processes data (main process)
Monitord: Monitor agents
OSSEC Integration
(diagram, left to right: Monitored Host running the OSSEC Agent [Logcollector, Syscheckd, Rootcheckd -> Agentd] -> OSSIM Sensor running the OSSEC Server [Remoted -> Analysisd (Decode, Analyze) -> Alerts.log; Monitord] and the OSSIM Agent [Ossec collector -> Ossim-agent] -> OSSIM Server [Ossim-server: Correlation, Risk assessment, Alarm, Logger])
OSSEC Collector Anatomy
[ossec-single-line.cfg]
event_type=event
regexp="^AV\s-\sAlert\s-\s\"(?P<date>\d+)\"\s-->\sRID:\s\"(?P<rule_id>\d+)\",\sRL:\s\"(?P<rule_level>\d+)\",\sRG:\s\"(?P<rule_group>\S+)\",\sRC:\s\"(?P<rule_comment>.*?)\",\sUSER:\s\"(?P<username>\S+)\",\sSRCIP:\s\"(?P<srcip>.*?)\",\sHOSTNAME:\s\"\(?(?P<hostname>[A-Za-z0-9_\.]+)\)?[^"]*","
date={normalize_date($date)}
plugin_id={translate($rule_id)}
plugin_sid={$rule_id}
src_ip={resolv($srcip)}
dst_ip={resolv($hostname)}
username={$username}
userdata1={$rule_level}
userdata2={$rule_group}
userdata3={$rule_comment}
[alerts.log]
AV - Alert - "1374721595" --> RID: "3333", RL: "7", RG: "syslog,postfix,service_availability,", RC: "Postfix stopped.", USER: "None", SRCIP: "None", HOSTNAME: "10.0.0.80", LOCATION: "/var/log/syslog", EVENT: "[INIT]May 16 14:47:19 10.0.0.80 postfix/master[2923]: terminating on signal 15[END]",
[ossec.conf]
<custom_alert_output>AV - Alert - "$TIMESTAMP" --> RID: "$RULEID", RL: "$RULELEVEL", RG: "$RULEGROUP", RC: "$RULECOMMENT", USER: "$DSTUSER", SRCIP: "$SRCIP", HOSTNAME: "$HOSTNAME", LOCATION: "$LOCATION", EVENT: "[INIT]$FULLLOG[END]", </custom_alert_output>
OSSIM Correlation Rules
(diagram: OSSEC Event [OSSEC Rule ID, OSSEC Event Type] -> Correlation Engine -> Alerts [Correlation Engine Alert, Alert Reliability, Risk value] -> OSSIM Alarm; example alerts: "AV Bruteforce attack, SSH authentication attack" and "AV Bruteforce attack, Windows authentication attack")
OSSEC Embedded GUI
Status monitor
Events viewer
Agents control manager
Configuration manager
Rules viewer/editor
Logs viewer
Server control manager
Deployment manager
PDF/HTML Reports

Questions / Demo time
santiago@alienvault.com
@santiagobasset