OSSEC & OSSIM Unified Open Source Security

Contact: [email protected]

Why OSSIM
Open Source SIEM (GNU GPL 3.0)
• Provides threat detection capabilities
• Monitors network assets
• Centralizes Information and Management
• Assesses threats reliability and risk
• Collaboratively learns about APT
http://communities.alienvault.com/

OSSIM Architecture (diagram labels)
• Normalized Events
• Configuration & Management

OSSIM Embedded Tools
Assets
• nmap
• prads
Behavioral monitoring
• fprobe
• nfdump
• ntop
• tcpdump
• nagios
Threat detection
• ossec
• snort
• suricata
Vulnerability assessment
• osvdb
• openvas

OSSIM Collectors

OSSIM Collector Anatomy

[apache log]

76.103.249.20 - - [15/Jun/2013:10:14:32 -0700] "GET /ossim/session/login.php HTTP/1.1" 200 2612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"

[apache.cfg]

event_type=event
regexp="((?P<dst>\S+)(:(?P<port>\d{1,5}))? )?(?P<src>\S+) (?P<id>\S+) (?P<user>\S+) \[(?P<date>\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2})\s+[+-]\d{4}\] \"(?P<request>.*)\" (?P<code>\d{3}) ((?P<size>\d+)|-)( \"(?P<referer_uri>.*)\" \"(?P<useragent>.*)\")?$"
src_ip={resolv($src)}
dst_ip={resolv($dst)}
dst_port={$port}
date={normalize_date($date)}
plugin_sid={$code}
username={$user}
userdata1={$request}
userdata2={$size}
userdata3={$referer_uri}
userdata4={$useragent}
filename={$id}

OSSIM Threat assessment (diagram labels: reliability grows along the event sequence)
• SSH Failed authentication event
• SSH successful authentication event
• Persistent connections
• 10 SSH Failed authentication events
• 100 SSH Failed authentication events
• SSH successful authentication event
• SSH successful authentication event
• 1000 SSH Failed authentication events
• Reliability

OSSIM Risk assessment (diagram labels)
• Source
• Event Priority = 2
• Destination
• Event Reliability = 10
• Asset Value = 2
• Asset Value = 5

RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY) / 25
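As an added example (not from the slides), the risk formula above combined with the staged reliability idea of the threat-assessment slide: the (event count, reliability) pairs are constructed for illustration, a real OSSIM directive sets its own per level, and the alarm threshold of risk >= 1 is assumed here since the slides do not state it.

```python
# Added example, not from the slides: OSSIM-style risk scoring with reliability
# that escalates as a correlation directive sees more failed SSH logins.
# LEVELS is constructed for illustration; a real directive defines its own.
LEVELS = [(1, 1), (10, 4), (100, 7), (1000, 10)]


def reliability_for(failed_events):
    """Reliability assigned by the highest directive level reached by N failed logins."""
    reliability = 0
    for needed, value in LEVELS:
        if failed_events >= needed:
            reliability = value
    return reliability


def risk(asset_value, priority, reliability):
    """RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY) / 25, as on the slide.

    OSSIM ranges: asset value 0-5, priority 0-5, reliability 0-10, so risk is 0-10.
    """
    if not (0 <= asset_value <= 5 and 0 <= priority <= 5 and 0 <= reliability <= 10):
        raise ValueError("asset value 0-5, priority 0-5, reliability 0-10")
    return asset_value * priority * reliability / 25


def alarm_risk(asset_value, priority, failed_events):
    """Risk of the alarm the directive would raise after N failed logins."""
    return risk(asset_value, priority, reliability_for(failed_events))


def is_alarm(risk_value):
    """Alarm threshold assumed here: OSSIM raises an alarm once risk reaches 1."""
    return risk_value >= 1


if __name__ == "__main__":
    # The slide's figures: priority 2, reliability 10, asset value 2 versus 5.
    for asset in (2, 5):
        print("asset", asset, "risk", risk(asset, 2, 10))
    # Constructed escalation: how risk grows for the asset-value-5 target.
    for n in (1, 10, 100, 1000):
        print(n, "failed logins -> risk", alarm_risk(5, 2, n), "alarm", is_alarm(alarm_risk(5, 2, n)))
```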

OSSIM Attack analysis (diagram labels)
• OTX
• Alert: Low reputation IP
• Attacker X.X.X.X
• Vulnerability: IIS Remote Command Execution
• Attack
• Accepted HTTP packet from X.X.X.X to Y.Y.Y.Y
• Target Y.Y.Y.Y
• Alert: IIS attack detected
• Attack: WEB-IIS multiple decode attempt

Why OSSEC
Open Source Host-based IDS (HIDS)
• Log analysis based intrusion detection
• File integrity checking
• Registry keys integrity checking (Windows only)
• Signature based malware/rootkits detection
• Real time alerting and active response
• Feeds SIEMs (OSSIM)

OSSEC Architecture
OSSEC Agent
• Logcollectord: Read logs (syslog, wmi, flat files)
• Syscheckd: File integrity checking
• Rootcheckd: Malware and rootkits detection
• Agentd: Forwards data to the server
OSSEC Server
• Remoted: Receives data from agents
• Analysisd: Processes data (main process)
• Monitord: Monitor agents

OSSEC Integration (diagram labels)
• Monitored Host, OSSEC Agent: Logcollector, Syscheckd, Rootcheckd, Agentd
• OSSIM Sensor, OSSEC Server: Remoted, Analysisd (Decode, Analyze), Monitord, Logger, Alerts.log
• OSSIM Sensor, OSSIM Agent: Ossec collector, Ossim-agent
• OSSIM Server: Ossim-server, Correlation, Risk assessment, Alarm

OSSEC Collector Anatomy

[ossec.conf]

AV - Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL: "$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER"; SRCIP: "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT: "[INIT]$FULLLOG[END]";

[alerts.log]

AV - Alert - "1374721595" --> RID: "3333"; RL: "7"; RG: "syslog,postfix,service_availability,"; RC: "Postfix stopped."; USER: "None"; SRCIP: "None"; HOSTNAME: "10.0.0.80"; LOCATION: "/var/log/syslog"; EVENT: "[INIT]May 16 14:47:19 10.0.0.80 postfix/master[2925]: terminating on signal 15[END]";

[ossec-single-line.cfg]

event_type=event
regexp="^AV\s-\sAlert\s-\s\"(?P<date>\d+)\"\s-->\sRID:\s\"(?P<rule_id>\d+)\";\sRL:\s\"(?P<rule_level>\d+)\";\sRG:\s\"(?P<rule_group>\S+)\";\sRC:\s\"(?P<rule_comment>.*?)\";\sUSER:\s\"(?P<username>\S+)\";\sSRCIP:\s\"(?P<srcip>.*?)\";\sHOSTNAME:\s\"\(?(?P<hostname>[A-Za-z0-9_\.]+)\)?[^"]*\";"
date={normalize_date($date)}
plugin_id={translate($rule_id)}
plugin_sid={$rule_id}
src_ip={resolv($srcip)}
dst_ip={resolv($hostname)}
username={$username}
userdata1={$rule_level}
userdata2={$rule_group}
userdata3={$rule_comment}

OSSIM Correlation Rules (diagram labels)
[AV Bruteforce attack, SSH authentication attack]
• Correlation Engine Alert
• Alert Reliability
• OSSEC Rule ID
• OSSEC Event Type

OSSIM Alarm (diagram labels)
[AV Bruteforce attack, Windows authentication attack]
• Risk Value
• Correlation Engine Alerts
• OSSEC Event

OSSEC Embedded GUI
• Status monitor
• Events viewer
• Agents control manager
• Configuration manager
• Rules viewer/editor
• Logs viewer
• Server control manager
• Deployment manager
• PDF/HTML Reports

Questions / Demo time
[email protected]
@santiagobassett