OSSEC & OSSIM Unified Open Source Security
[email protected]
Why OSSIM
Open Source SIEM - GNU GPL 3.0
• Provides threat detection capabilities
• Monitors network assets
• Centralizes information and management
• Assesses threat reliability and risk
• Collaboratively learns about APT: http://communities.alienvault.com/
OSSIM Architecture
Normalized Events
Configuration & Management
OSSIM Embedded Tools
Assets
• nmap
• prads
Behavioral monitoring
• fprobe
• nfdump
• ntop
• tcpdump
• nagios
Threat detection
• ossec
• snort
• suricata
Vulnerability assessment
• osvdb
• openvas
OSSIM Collectors
OSSIM Collector Anatomy [apache log]
76.103.249.20 - - [15/Jun/2013:10:14:32 -0700] "GET /ossim/session/login.php HTTP/1.1" 200 2612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"
[apache.cfg]
event_type=event
regexp="((?P<dst>\S+)(:(?P<port>\d{1,5}))? )?(?P<src>\S+) (?P<id>\S+) (?P<user>\S+) \[(?P<date>\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2})\s+[+-]\d{4}\] \"(?P<request>.*)\" (?P<code>\d{3}) ((?P<size>\d+)|-)( \"(?P<referer_uri>.*)\" \"(?P<useragent>.*)\")?$"
src_ip={resolv($src)}
dst_ip={resolv($dst)}
dst_port={$port}
date={normalize_date($date)}
plugin_sid={$code}
username={$user}
userdata1={$request}
userdata2={$size}
userdata3={$referer_uri}
userdata4={$useragent}
filename={$id}
OSSIM Threat assessment
SSH Failed authentication event
SSH successful authentication event
Persistent connections
10 SSH Failed authentication events
100 SSH Failed authentication events
SSH successful authentication event
SSH successful authentication event
1000 SSH Failed authentication events
Reliability
OSSIM Risk assessment
Source: Asset Value = 2
Event Priority = 2
Event Reliability = 10
Destination: Asset Value = 5
RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY) / 25
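The two slides above (threat assessment and risk assessment) describe a correlation directive whose reliability grows with the number of failed SSH authentications, and a risk formula applied once an alarm fires. The following Python is an added example, not OSSIM's own directive or engine code: it models the failed-authentication tree as a list of occurrence thresholds and computes source and destination risk with the slide's formula. The per-level reliability values (1, 3, 6, 10), the priority of 2, the "success after 10 failures" branch and the IP addresses are assumptions; the asset values (source 2, destination 5) come from the risk slide.

```python
from collections import defaultdict

# Constructed correlation directive modelled on the SSH brute-force tree on the
# slides: a level is reached after `occurrence` failed authentications from the
# same source to the same destination and sets the alarm reliability. The
# reliability values are assumptions; the slides give only the counts.
SSH_BRUTEFORCE_LEVELS = [
    {"occurrence": 1,    "reliability": 1},
    {"occurrence": 10,   "reliability": 3},
    {"occurrence": 100,  "reliability": 6},
    {"occurrence": 1000, "reliability": 10},
]
SUCCESS_AFTER_FAILURES = 10   # assumption: a login after this many failures escalates to reliability 10


def risk(asset_value, priority, reliability):
    """The slide's formula: RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY) / 25."""
    return (asset_value * priority * reliability) / 25


class SshBruteforceDirective:
    def __init__(self, priority=2, levels=SSH_BRUTEFORCE_LEVELS):
        self.priority = priority          # event priority from the risk slide
        self.levels = levels
        self.failed = defaultdict(int)    # (src_ip, dst_ip) -> failed-auth counter

    def feed(self, event, asset_values):
        """Consume one normalized event; return an alarm when a directive level is reached, else None."""
        key = (event["src_ip"], event["dst_ip"])
        reliability = None
        if event["type"] == "ssh_failed_auth":
            self.failed[key] += 1
            for level in self.levels:
                if self.failed[key] == level["occurrence"]:
                    reliability = level["reliability"]
        elif event["type"] == "ssh_success_auth" and self.failed[key] >= SUCCESS_AFTER_FAILURES:
            reliability = 10              # the "successful authentication after failures" branch
        if reliability is None:
            return None
        count = self.failed[key]
        if event["type"] == "ssh_success_auth":
            self.failed.pop(key)          # directive completed; start over for this pair
        return {
            "name": "AV Bruteforce attack, SSH authentication attack",
            "src_ip": key[0], "dst_ip": key[1],
            "failed_count": count,
            "reliability": reliability,
            "source_risk": risk(asset_values.get(key[0], 0), self.priority, reliability),
            "destination_risk": risk(asset_values.get(key[1], 0), self.priority, reliability),
        }


def run_scenario(failed_events, success_after=False):
    """Replay constructed events for one attacker/target pair and collect the alarms raised."""
    assets = {"198.51.100.7": 2, "10.0.0.80": 5}   # asset values from the risk slide (source 2, destination 5)
    directive = SshBruteforceDirective()
    alarms = []
    base = {"src_ip": "198.51.100.7", "dst_ip": "10.0.0.80"}   # constructed documentation/private addresses
    for _ in range(failed_events):
        alarm = directive.feed(dict(base, type="ssh_failed_auth"), assets)
        if alarm:
            alarms.append(alarm)
    if success_after:
        alarm = directive.feed(dict(base, type="ssh_success_auth"), assets)
        if alarm:
            alarms.append(alarm)
    return alarms


if __name__ == "__main__":
    for alarm in run_scenario(1000):
        print(alarm["failed_count"], "failed ->", "reliability", alarm["reliability"],
              "source risk", alarm["source_risk"], "destination risk", alarm["destination_risk"])
```

With the slide's numbers the final level gives a destination risk of (5 * 2 * 10) / 25 = 4.0 and a source risk of (2 * 2 * 10) / 25 = 1.6; the earlier levels show how the same formula stays low while reliability is still small, which is why OSSIM escalates reliability rather than alarming on the first failed login.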
OSSIM Attack analysis
OTX
Alert: Low reputation IP
Attacker X.X.X.X
Vulnerability: IIS Remote Command Execution
Attack
Accepted HTTP packet from X.X.X.X to Y.Y.Y.Y
Target Y.Y.Y.Y
Alert: IIS attack detected
Attack: WEB-IIS multiple decode attempt
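The attack-analysis slide shows an IDS event being corroborated by two other sources: OTX reputation for the attacker and a vulnerability-scan finding on the target. The Python below is an added example of that cross-correlation, not OSSIM's own engine or OTX code. RFC 5737 documentation addresses stand in for X.X.X.X and Y.Y.Y.Y, the reputation set and the scan inventory are constructed, the table linking the IDS signature to the finding and the reliability increments (+3, +4) are assumptions; the alert and attack names are the ones on the slide.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    ip: str
    asset_value: int
    vulnerabilities: frozenset      # findings from the vulnerability scanner (openvas in the OSSIM stack)


# Constructed inventories. RFC 5737 documentation addresses stand in for the
# slide's X.X.X.X (attacker) and Y.Y.Y.Y (target); the OTX entry and the scan
# finding mirror the two alerts shown on the slide.
OTX_LOW_REPUTATION = {"203.0.113.45"}
ASSETS = {"192.0.2.10": Asset("192.0.2.10", 5, frozenset({"IIS Remote Command Execution"}))}

# Assumed cross-correlation table: which scanner finding an IDS signature exploits.
SIGNATURE_EXPLOITS = {"WEB-IIS multiple decode attempt": "IIS Remote Command Execution"}


def analyze(event, priority=3, base_reliability=3):
    """Raise the IDS event's reliability for each corroborating source and compute
    the destination risk with the slide formula
    RISK = (ASSET VALUE * EVENT PRIORITY * EVENT RELIABILITY) / 25.
    The increments (+3 for reputation, +4 for a matching vulnerability) are assumptions."""
    reliability = base_reliability
    evidence = []
    if event["src_ip"] in OTX_LOW_REPUTATION:
        reliability += 3
        evidence.append("OTX: low reputation IP")
    target = ASSETS.get(event["dst_ip"])
    exploited = SIGNATURE_EXPLOITS.get(event["signature"])
    if target and exploited in target.vulnerabilities:
        reliability += 4
        evidence.append("Vulnerability: " + exploited)
    reliability = min(reliability, 10)          # OSSIM reliability is bounded at 10
    asset_value = target.asset_value if target else 0
    return {
        "alert": "IIS attack detected",
        "attack": event["signature"],
        "reliability": reliability,
        "evidence": evidence,
        "destination_risk": (asset_value * priority * reliability) / 25,
    }


# Constructed IDS event for the slide's "Accepted HTTP packet from X.X.X.X to Y.Y.Y.Y".
IDS_EVENT = {"src_ip": "203.0.113.45", "dst_ip": "192.0.2.10",
             "signature": "WEB-IIS multiple decode attempt"}

if __name__ == "__main__":
    print(analyze(IDS_EVENT))
    print(analyze(dict(IDS_EVENT, src_ip="198.51.100.9")))   # same attack from an unknown source
```

The same signature from an address with no reputation entry, or against a host the scanner reported as not vulnerable, ends with a lower reliability and therefore a lower risk, which is the point of the slide: the IDS alert alone is weak evidence, the three sources together are strong.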
Why OSSEC
Open Source Host-based IDS (HIDS)
• Log analysis based intrusion detection
• File integrity checking
• Registry keys integrity checking (Windows only)
• Signature based malware/rootkits detection
• Real time alerting and active response
• Feeds SIEMs (OSSIM)
OSSEC Architecture
OSSEC Agent
• Logcollectord: Reads logs (syslog, wmi, flat files)
• Syscheckd: File integrity checking
• Rootcheckd: Malware and rootkits detection
• Agentd: Forwards data to the server
OSSEC Server
• Remoted: Receives data from agents
• Analysisd: Processes data (main process)
• Monitord: Monitors agents
OSSEC Integration
Monitored Host: OSSEC Agent
• Logcollector, Syscheckd, Rootcheckd -> Agentd
OSSIM Sensor: OSSEC Server
• Remoted -> Analysisd (Decode, Analyze) -> Alerts.log
• Monitord, Logger
OSSIM Sensor: OSSIM Agent
• Ossec collector -> Ossim-agent
OSSIM Server
• Ossim-server: Correlation, Risk assessment -> Alarm
OSSEC Collector Anatomy [ossec.conf]
<custom_alert_output>AV - Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL: "$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER"; SRCIP: "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT: "[INIT]$FULLLOG[END]";</custom_alert_output>
[alerts.log]
AV - Alert - "1374721595" --> RID: "3333"; RL: "7"; RG: "syslog,postfix,service_availability,"; RC: "Postfix stopped."; USER: "None"; SRCIP: "None"; HOSTNAME: "10.0.0.80"; LOCATION: "/var/log/syslog"; EVENT: "[INIT]May 16 14:47:19 10.0.0.80 postfix/master[2925]: terminating on signal 15[END]";
[ossec-single-line.cfg]
event_type=event
regexp="^AV\s-\sAlert\s-\s\"(?P<date>\d+)\"\s-->\sRID:\s\"(?P<rule_id>\d+)\";\sRL:\s\"(?P<rule_level>\d+)\";\sRG:\s\"(?P<rule_group>\S+)\";\sRC:\s\"(?P<rule_comment>.*?)\";\sUSER:\s\"(?P<username>\S+)\";\sSRCIP:\s\"(?P<srcip>.*?)\";\sHOSTNAME:\s\"\(?(?P<hostname>[A-Za-z0-9_\.]+)\)?[^"]*";"
date={normalize_date($date)}
plugin_id={translate($rule_id)}
plugin_sid={$rule_id}
src_ip={resolv($srcip)}
dst_ip={resolv($hostname)}
username={$username}
userdata1={$rule_level}
userdata2={$rule_group}
userdata3={$rule_comment}
OSSIM Correlation Rules [AV Bruteforce attack, SSH authentication attack]
OSSEC Event -> OSSEC Event Type, OSSEC Rule ID -> Correlation Engine -> Alert (Alert Reliability)
OSSIM Alarm [AV Bruteforce attack, Windows authentication attack]
Correlation Engine Alerts -> Alarm (Risk Value)
OSSEC Embedded GUI
• Status monitor
• Events viewer
• Agents control manager
• Configuration manager
• Rules viewer/editor
• Logs viewer
• Server control manager
• Deployment manager
• PDF/HTML Reports
Questions / Demo time
[email protected] @santiagobassett