SlideShare uma empresa Scribd logo

Implementing ossec

Jeronimo Zucco
Jeronimo Zucco

Tutorial in GTER 30/ GTS 16 - http://gter.nic.br/reunioes/gter-30/programa

Economia e finanças
1 de 60
Baixar para ler offline
Implementing OSSEC HIDS Jerônimo Zucco jczucco@gmail.com
/me • Security guy • blog: http://jczucco.blogspot.com • Twitter: @jczucco • zucco on freenode • http://www.linkedin.com/in/jeronimozucco
Agenda • Introduction • Arquiteture • Log Analysis • Integrity Monitoring • Rootkit Detection • Policy audit
Agenda • Alerts • Active Response • Server and Agents Instalations • Configuration Files • Rule Files • Customize Rules
Security Terminology
LIDS
Integrity Checking
Rootkit Detecion
HIDS ?
Log Management
Why Log ?
System monitoring
Compliance
Forensics
Why Log ? Because we want to 2% Because we have to: (PCI-DSS, HIPAA, ISO 27K, SOX)
Standards
Syslog: RFC 3164
WELF, CBE, CEF, IDMF
CEE Common Event Expression http://cee.mitre.org
What is OSSEC?
Daniel Cid @danielcid Third Brigade, Trend Micro
• Open Source Host­based IDS (HIDS) • File Integrity checking • Registry Integrity checking • Host­based anomaly detection • Policy monitoring/enforcement • Active response
OSSEC HIDS complements a SIEM
OSSEC in the News • OSSEC #1 open source security tool in the enterprise http://www.linuxworld.com/news/ 2007/031207-top-5-security.html • OSSEC #2 IDS tool in the security tools survey. http://sectools.org/ids.html • More: http://www.ossec.net/wiki/IntheNews
OSSEC Agents • GNU/Linux (all distributions, including RHEL, Ubuntu, Slackware, Debian, etc) • Windows XP,2000,2003,Vista,2008,Seven • VMWare ESX 3.0,3.5 (including CIS checks) • *BSD • Solaris 2.7,2.8,2.9 and 10 • AIX 5.3 • HP-UX 10, 11, 11i • MacOSX 10
Support via Syslog • Cisco PIX, ASA and FWSM (all versions) • Cisco IOS routers (all versions) • Juniper Netscreen (all versions) • SonicWall firewall (all versions) • Checkpoint firewall (all versions) • Cisco IOS IDS/IPS module (all versions) • Sourcefire (Snort) IDS/IPS (all versions)
Support via Syslog • Dragon NIDS • Checkpoint Smart Defense (all versions) • McAfee VirusScan Enterprise (v8 and v8.5) • Bluecoat proxy (all versions) • Cisco VPN concentrators (all versions)
Agentless • Cisco PIX, ASA and FWSM (all versions) • Cisco IOS routers (all versions) • Juniper Netscreen (all versions) • SonicWall firewall (all versions) • Checkpoint firewall (all versions) • All operating systems specified in the “operating systems” section
Supportted Log Formats • DB Logs (Mysql, PostgreSQL) • Unix like logs (dpkg, yum, su, sudo) • Mail Server, FTP, SSH, Xinetd logs • Web Server logs (apache, IIS, Zeus) • Web Apps (Horde, ModSecurity) • NIDS (Snort, Cisco IOS/IPS, Checkpoint) • Sec.Tools (Symantec and McAfee AV, nmap) • Windows Events
Secure by Default • Installation script does the chroot, user creation, permissions, etc • User has no choice to run it “less secure” • Each process with limited privileges and tasks
DOCS http://www.ossec.net #ossec on freenode - mailing lists - wiki, manuals, etc - source :-)
Network Communication
OSSEC Log Flow
OSSEC Log Flow Agent -> Server
Arquitetura OSSEC
Network Communication
Internal Log Flow
Agent -> Server • Zlib Compressed • Blowfish Encrypted • udp 1514 • Centralized Management
Integrity Check • each X time, or realtime • File / Directory Properties • Permissions • Size • Ownership • sha1sum • md5sum
Rootkit Checks • Signature (Adore, Knark, LOC) and anomaly- based • Files in /dev which aren't device files • Hidden directories • SUID files • Files owned by root world-writable • Running processes hidden from “ps” • Listening ports hidden from “netstat” • Promiscuous interfaces
Policy Monitoring • Identify situation which can lead to a breach • Benchmark system against CIS standard ( http://cisecurity.org ) or create your own • File, registry setting, or process exists or does not exist (win_audit_rcl.txt, win_applications_rcl.txt) • Is anti-virus installed but not running? • Has the host firewall been disabled? • How do you know your systems are still hardened?
OSSEC WebUI
Rules • XML Files • Levels -> 0 to 15
Rules • Atomic • Composite
Rule Sample <!-- SSHD messages --> <group name="syslog,sshd,"> <rule id="5700" level="0" noalert="1"> <decoded_as>sshd</decoded_as> <description>SSHD messages grouped.</description> </rule>
Rule Sample <rule id="5704" level="4"> <if_sid>5700</if_sid> <match>fatal: Timeout before authentication for</match> <description>Timeout while logging in (sshd).</description> </rule> <rule id="5705" level="10" frequency="4" timeframe="360"> <if_matched_sid>5704</if_matched_sid> <description>Possible scan or breakin attempt </description> <description>(high number of login timeouts).</description> </rule>
Analysys Tree
OSSEC in the real world • Authentication control • MSN usage • Integrity checking • Authentication logs
Authentication control • Alerting on every authentication success outside business hours ➔ Every authentication event is classified as “authentication success” (that's why we use if_group • Added to local_rules.xml: <rule id="100101" level="10"> <if_group>authentication_success</if_group> <time>7 pm ­ 6:30 am</time> <description>Login during non­business hours.</ description> </rule>
Authentication control 2 • Alerting on first time logins outside business hours • We have some FTS (first time seen) rules • Increased severity when a user logs in for the first time on a specific system outside business hours ➔ Added to local_rules.xml: <rule id="100101" level="13"> <if_sid>18119, 10100</if_sid> <time>7 pm ­ 6:30 am</time> <description>First time Login during non­bus. hours.<description> </rule>
MSN Usage • Alerting on new MSN users ➔ MSN logs to the event log (with the email address) every time it starts <rule id="100213" level="7"> <if_sid>18101</if_sid> <id>102</id> <match>The database engine started a new instance</match> <description>MSN login.</description> </rule> 2008 Apr 17 20:02:16 (xx) 192.168.2.190­>WinEvtLog WinEvtLog: Application: INFORMATION(102): ESENT: (no user): no domain: OSSEC­HM: msnmsgr (1240) .C: Documents and SettingsxyzLocal SettingsApplication DataMicrosoftMessenger xyz@hotmail.comSharingMetadataWorkingdatabase_F218_E 79B_18E7_5CDBdfsr.db: The database engine started a new instance (0)
Integrity Checking • Alerting with high severity on changes to /var/www/htdocs <rule id="100345" level="12"> <if_matched_group>syscheck</if_matched_group> <description>Changes to /var/www/htdocs – Critical file!</description> <match>/var/www/htdocs</match> </rule>
Auth Logs • Brute force attempts followed by a success Rule: 5720 (level 10) ­> 'Multiple SSHD authentication failures.' Src IP: 125.192.xx.xx Feb 11 09:31:58 wpor sshd[4565]: Failed password for root from 125.192.xx.xx port 42976 ssh2 Feb 11 09:31:58 wpor sshd[4565]: Failed password for admin from 125.192.xx.xx port 42976 ssh2 Feb 11 09:31:58 wpor sshd[4565]: Failed password for admin from 125.192.xx.xx port 42976 ssh2 Rule: 40112 (level 12) ­> 'Multiple authentication failures followed by a success.' Src IP: 125.192.67.136 User: admin Feb 11 09:31:58 wpor sshd[7235]: Accepted password for admin from 125.192.xx.xx port 42198 ssh2
And many more ! "Nobody knows your environment/applications as you"
The “OSSEC Efect”
Challenges • Deploying large amounts of agents • Attackers who know Active Response is in use may try to use that to their advantage • IPs can be spoofed, thereby triggering an incorrect response (whitelists, response timeouts) • Alert Flooding - By default, OSSEC will only send 12 alerts per hour • Log Injection • - Tuning rules never stops !
Let`s do it !
Implementing ossec

Recomendados

Advanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAdvanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAlienVault
 
Ossec Lightning
Ossec LightningOssec Lightning
Ossec Lightningwremes
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with SnortNarudom Roongsiriwong, CISSP
 
Network Penetration Testing
Network Penetration TestingNetwork Penetration Testing
Network Penetration TestingMohammed Adam
 
Introduction to Snort
Introduction to SnortIntroduction to Snort
Introduction to SnortHossein Yavari
 
Snort
SnortSnort
SnortStickman Hai
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 

Recomendados

Advanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAdvanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAlienVault
 
Ossec Lightning
Ossec LightningOssec Lightning
Ossec Lightningwremes
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with SnortNarudom Roongsiriwong, CISSP
 
Network Penetration Testing
Network Penetration TestingNetwork Penetration Testing
Network Penetration TestingMohammed Adam
 
Introduction to Snort
Introduction to SnortIntroduction to Snort
Introduction to SnortHossein Yavari
 
Snort
SnortSnort
SnortStickman Hai
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...Sam Bowne
 
Integrated Tools in OSSIM
Integrated Tools in OSSIMIntegrated Tools in OSSIM
Integrated Tools in OSSIMAlienVault
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
The Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageThe Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageRoss Wolf
 
Suricata
SuricataSuricata
Suricatatex_morgan
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Hossam .M Hamed
 
Telesoft Cyber Threat Hunting Infographic
Telesoft Cyber Threat Hunting InfographicTelesoft Cyber Threat Hunting Infographic
Telesoft Cyber Threat Hunting InfographicSarah Chandley
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes IntroductionMartin Danielsson
 
Metasploit framwork
Metasploit framworkMetasploit framwork
Metasploit framworkDeepanshu Gajbhiye
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes IntroductionPeng Xiao
 
Containerizing your Security Operations Center
Containerizing your Security Operations CenterContainerizing your Security Operations Center
Containerizing your Security Operations CenterJimmy Mesta
 
Snort IDS
Snort IDSSnort IDS
Snort IDSprimeteacher32
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoTouhami Kasbaoui
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfTeymur Kheirkhabarov
 
IDS, IPS, IDPS
IDS, IPS, IDPSIDS, IPS, IDPS
IDS, IPS, IDPSMinhaz A V
 
Secure by Design - Security Design Principles for the Rest of Us
Secure by Design - Security Design Principles for the Rest of UsSecure by Design - Security Design Principles for the Rest of Us
Secure by Design - Security Design Principles for the Rest of UsEoin Woods
 
Linux Hardening
Linux HardeningLinux Hardening
Linux HardeningMichael Boelen
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov
 
Introducao WAF Tchelinux 2012
Introducao WAF Tchelinux 2012Introducao WAF Tchelinux 2012
Introducao WAF Tchelinux 2012Jeronimo Zucco
 
Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014Santiago Bassett
 

Mais conteúdo relacionado

Mais procurados

Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...Sam Bowne
 
Integrated Tools in OSSIM
Integrated Tools in OSSIMIntegrated Tools in OSSIM
Integrated Tools in OSSIMAlienVault
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
The Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageThe Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageRoss Wolf
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Hossam .M Hamed
 
Telesoft Cyber Threat Hunting Infographic
Telesoft Cyber Threat Hunting InfographicTelesoft Cyber Threat Hunting Infographic
Telesoft Cyber Threat Hunting InfographicSarah Chandley
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes IntroductionPeng Xiao
 
Containerizing your Security Operations Center
Containerizing your Security Operations CenterContainerizing your Security Operations Center
Containerizing your Security Operations CenterJimmy Mesta
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoTouhami Kasbaoui
 
IDS, IPS, IDPS
IDS, IPS, IDPSIDS, IPS, IDPS
IDS, IPS, IDPSMinhaz A V
 
Secure by Design - Security Design Principles for the Rest of Us
Secure by Design - Security Design Principles for the Rest of UsSecure by Design - Security Design Principles for the Rest of Us
Secure by Design - Security Design Principles for the Rest of UsEoin Woods
 

Mais procurados (20)

Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
 
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
 
Integrated Tools in OSSIM
Integrated Tools in OSSIMIntegrated Tools in OSSIM
Integrated Tools in OSSIM
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
The Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query LanguageThe Hunter Games: How to Find the Adversary with Event Query Language
The Hunter Games: How to Find the Adversary with Event Query Language
 
Suricata
SuricataSuricata
Suricata
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop
 
Telesoft Cyber Threat Hunting Infographic
Telesoft Cyber Threat Hunting InfographicTelesoft Cyber Threat Hunting Infographic
Telesoft Cyber Threat Hunting Infographic
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
 
Metasploit framwork
Metasploit framworkMetasploit framwork
Metasploit framwork
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
 
Containerizing your Security Operations Center
Containerizing your Security Operations CenterContainerizing your Security Operations Center
Containerizing your Security Operations Center
 
Snort IDS
Snort IDSSnort IDS
Snort IDS
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence Morocco
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
IDS, IPS, IDPS
IDS, IPS, IDPSIDS, IPS, IDPS
IDS, IPS, IDPS
 
Secure by Design - Security Design Principles for the Rest of Us
Secure by Design - Security Design Principles for the Rest of UsSecure by Design - Security Design Principles for the Rest of Us
Secure by Design - Security Design Principles for the Rest of Us
 
Linux Hardening
Linux HardeningLinux Hardening
Linux Hardening
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7
 

Destaque

Introducao WAF Tchelinux 2012
Introducao WAF Tchelinux 2012Introducao WAF Tchelinux 2012
Introducao WAF Tchelinux 2012Jeronimo Zucco
 
Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014Santiago Bassett
 
Introducão a Web Applications Firewalls
Introducão a Web Applications FirewallsIntroducão a Web Applications Firewalls
Introducão a Web Applications FirewallsJeronimo Zucco
 
Além do HTTPS - Como (tentar) Aumentar a Segurança de seu Website e Aplicação...
Além do HTTPS - Como (tentar) Aumentar a Segurança de seu Website e Aplicação...Além do HTTPS - Como (tentar) Aumentar a Segurança de seu Website e Aplicação...
Além do HTTPS - Como (tentar) Aumentar a Segurança de seu Website e Aplicação...Jeronimo Zucco
 
Segurança em desenvolvimento de software
Segurança em desenvolvimento de softwareSegurança em desenvolvimento de software
Segurança em desenvolvimento de softwareJeronimo Zucco
 
Aws security with HIDS, OSSEC
Aws security with HIDS, OSSECAws security with HIDS, OSSEC
Aws security with HIDS, OSSECMayank Gaikwad
 
Segurança Através de Gerência de Configurações
Segurança Através de Gerência de ConfiguraçõesSegurança Através de Gerência de Configurações
Segurança Através de Gerência de ConfiguraçõesJeronimo Zucco
 
Validando a Segurança de Software
Validando a Segurança de SoftwareValidando a Segurança de Software
Validando a Segurança de SoftwareJeronimo Zucco
 
Improve Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMImprove Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMAlienVault
 
Securing Hadoop with OSSEC
Securing Hadoop with OSSECSecuring Hadoop with OSSEC
Securing Hadoop with OSSECVic Hargrave
 
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014Santiago Bassett
 
Fosdem10
Fosdem10Fosdem10
Fosdem10wremes
 
Centos 7 Installation Steps
Centos 7 Installation StepsCentos 7 Installation Steps
Centos 7 Installation StepsKeith Wright
 
OSSEC @ ISSA Jan 21st 2010
OSSEC @ ISSA Jan 21st 2010OSSEC @ ISSA Jan 21st 2010
OSSEC @ ISSA Jan 21st 2010wremes
 
intro syslog syslogng
intro syslog syslogngintro syslog syslogng
intro syslog syslogngjuruntang
 
Configuring Syslog by Octavio
Configuring Syslog by OctavioConfiguring Syslog by Octavio
Configuring Syslog by OctavioRowell Dionicio
 
A Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsA Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsVictor Oluwajuwon Badejo
 

Destaque (20)

Introducao WAF Tchelinux 2012
Introducao WAF Tchelinux 2012Introducao WAF Tchelinux 2012
Introducao WAF Tchelinux 2012
 
Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014
 
Introducão a Web Applications Firewalls
Introducão a Web Applications FirewallsIntroducão a Web Applications Firewalls
Introducão a Web Applications Firewalls
 
Além do HTTPS - Como (tentar) Aumentar a Segurança de seu Website e Aplicação...
Além do HTTPS - Como (tentar) Aumentar a Segurança de seu Website e Aplicação...Além do HTTPS - Como (tentar) Aumentar a Segurança de seu Website e Aplicação...
Além do HTTPS - Como (tentar) Aumentar a Segurança de seu Website e Aplicação...
 
Segurança em desenvolvimento de software
Segurança em desenvolvimento de softwareSegurança em desenvolvimento de software
Segurança em desenvolvimento de software
 
Aws security with HIDS, OSSEC
Aws security with HIDS, OSSECAws security with HIDS, OSSEC
Aws security with HIDS, OSSEC
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Segurança Através de Gerência de Configurações
Segurança Através de Gerência de ConfiguraçõesSegurança Através de Gerência de Configurações
Segurança Através de Gerência de Configurações
 
Validando a Segurança de Software
Validando a Segurança de SoftwareValidando a Segurança de Software
Validando a Segurança de Software
 
Improve Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMImprove Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USM
 
Securing Hadoop with OSSEC
Securing Hadoop with OSSECSecuring Hadoop with OSSEC
Securing Hadoop with OSSEC
 
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
 
Fosdem10
Fosdem10Fosdem10
Fosdem10
 
Centos 7 Installation Steps
Centos 7 Installation StepsCentos 7 Installation Steps
Centos 7 Installation Steps
 
How To Install CentOS 7
How To Install CentOS 7How To Install CentOS 7
How To Install CentOS 7
 
OSSEC @ ISSA Jan 21st 2010
OSSEC @ ISSA Jan 21st 2010OSSEC @ ISSA Jan 21st 2010
OSSEC @ ISSA Jan 21st 2010
 
intro syslog syslogng
intro syslog syslogngintro syslog syslogng
intro syslog syslogng
 
Configuring Syslog by Octavio
Configuring Syslog by OctavioConfiguring Syslog by Octavio
Configuring Syslog by Octavio
 
A Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsA Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security Standards
 
What is firewall
What is firewallWhat is firewall
What is firewall
 

Semelhante a Implementing ossec

XML External Entity Null Meet 19_3_16.pptx
XML External Entity Null Meet 19_3_16.pptxXML External Entity Null Meet 19_3_16.pptx
XML External Entity Null Meet 19_3_16.pptxSamitAnwer2
 
Trusted extensions-gdansk-v1 0
Trusted extensions-gdansk-v1 0Trusted extensions-gdansk-v1 0
Trusted extensions-gdansk-v1 0Kevin Mayo
 
Application and Server Security
Application and Server SecurityApplication and Server Security
Application and Server SecurityBrian Pontarelli
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB DeploymentMongoDB
 
Aws security with HIDS using Ossec
Aws security with HIDS using OssecAws security with HIDS using Ossec
Aws security with HIDS using OssecGaurav Harsola
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Rahul
 
10 Tips for AIX Security
10 Tips for AIX Security10 Tips for AIX Security
10 Tips for AIX SecurityHelpSystems
 
SSecuring Your MongoDB Deployment
SSecuring Your MongoDB DeploymentSSecuring Your MongoDB Deployment
SSecuring Your MongoDB DeploymentMongoDB
 
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...Robert Conti Jr.
 
Creating a Single View Part 3: Securing Your Deployment
Creating a Single View Part 3: Securing Your DeploymentCreating a Single View Part 3: Securing Your Deployment
Creating a Single View Part 3: Securing Your DeploymentMongoDB
 
Elk its big log season
Elk its big log seasonElk its big log season
Elk its big log seasonEric Luellen
 
Securing Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPSecuring Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPRafal Gancarz
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
 
Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Xavier Ashe
 

Semelhante a Implementing ossec (20)

XML External Entity Null Meet 19_3_16.pptx
XML External Entity Null Meet 19_3_16.pptxXML External Entity Null Meet 19_3_16.pptx
XML External Entity Null Meet 19_3_16.pptx
 
Trusted extensions-gdansk-v1 0
Trusted extensions-gdansk-v1 0Trusted extensions-gdansk-v1 0
Trusted extensions-gdansk-v1 0
 
Application and Server Security
Application and Server SecurityApplication and Server Security
Application and Server Security
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB Deployment
 
Aws security with HIDS using Ossec
Aws security with HIDS using OssecAws security with HIDS using Ossec
Aws security with HIDS using Ossec
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016
 
10 Tips for AIX Security
10 Tips for AIX Security10 Tips for AIX Security
10 Tips for AIX Security
 
SSecuring Your MongoDB Deployment
SSecuring Your MongoDB DeploymentSSecuring Your MongoDB Deployment
SSecuring Your MongoDB Deployment
 
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
 
Rails Security
Rails SecurityRails Security
Rails Security
 
OSSEC Holidaycon 2020.pdf
OSSEC Holidaycon 2020.pdfOSSEC Holidaycon 2020.pdf
OSSEC Holidaycon 2020.pdf
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
Creating a Single View Part 3: Securing Your Deployment
Creating a Single View Part 3: Securing Your DeploymentCreating a Single View Part 3: Securing Your Deployment
Creating a Single View Part 3: Securing Your Deployment
 
W982 05092004
W982 05092004W982 05092004
W982 05092004
 
Elk its big log season
Elk its big log seasonElk its big log season
Elk its big log season
 
Unity makes strength
Unity makes strengthUnity makes strength
Unity makes strength
 
Securing Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPSecuring Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTP
 
Powering up on power shell avengercon - 2018
Powering up on power shell avengercon - 2018Powering up on power shell avengercon - 2018
Powering up on power shell avengercon - 2018
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
 
Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016
 

Último

VIP Independent Call Girls in Mumbai 🌹 9920725232 ( Call Me ) Mumbai Escorts ...
VIP Independent Call Girls in Mumbai 🌹 9920725232 ( Call Me ) Mumbai Escorts ...VIP Independent Call Girls in Mumbai 🌹 9920725232 ( Call Me ) Mumbai Escorts ...
VIP Independent Call Girls in Mumbai 🌹 9920725232 ( Call Me ) Mumbai Escorts ...dipikadinghjn ( Why You Choose Us? ) Escorts
 
VIP Kalyan Call Girls 🌐 9920725232 🌐 Make Your Dreams Come True With Mumbai E...
VIP Kalyan Call Girls 🌐 9920725232 🌐 Make Your Dreams Come True With Mumbai E...VIP Kalyan Call Girls 🌐 9920725232 🌐 Make Your Dreams Come True With Mumbai E...
VIP Kalyan Call Girls 🌐 9920725232 🌐 Make Your Dreams Come True With Mumbai E...roshnidevijkn ( Why You Choose Us? ) Escorts
 
VIP Independent Call Girls in Taloja 🌹 9920725232 ( Call Me ) Mumbai Escorts ...
VIP Independent Call Girls in Taloja 🌹 9920725232 ( Call Me ) Mumbai Escorts ...VIP Independent Call Girls in Taloja 🌹 9920725232 ( Call Me ) Mumbai Escorts ...
VIP Independent Call Girls in Taloja 🌹 9920725232 ( Call Me ) Mumbai Escorts ...dipikadinghjn ( Why You Choose Us? ) Escorts
 
Vip Call US 📞 7738631006 ✅Call Girls In Sakinaka ( Mumbai )
Vip Call US 📞 7738631006 ✅Call Girls In Sakinaka ( Mumbai )Vip Call US 📞 7738631006 ✅Call Girls In Sakinaka ( Mumbai )
Vip Call US 📞 7738631006 ✅Call Girls In Sakinaka ( Mumbai )Pooja Nehwal
 
Webinar on E-Invoicing for Fintech Belgium
Webinar on E-Invoicing for Fintech BelgiumWebinar on E-Invoicing for Fintech Belgium
Webinar on E-Invoicing for Fintech BelgiumFinTech Belgium
 
20240419-SMC-submission-Annual-Superannuation-Performance-Test-–-design-optio...
20240419-SMC-submission-Annual-Superannuation-Performance-Test-–-design-optio...20240419-SMC-submission-Annual-Superannuation-Performance-Test-–-design-optio...
20240419-SMC-submission-Annual-Superannuation-Performance-Test-–-design-optio...Henry Tapper
 
cost-volume-profit analysis.ppt(managerial accounting).pptx
cost-volume-profit analysis.ppt(managerial accounting).pptxcost-volume-profit analysis.ppt(managerial accounting).pptx
cost-volume-profit analysis.ppt(managerial accounting).pptxazadalisthp2020i
 
VIP Call Girl in Mumbai Central 💧 9920725232 ( Call Me ) Get A New Crush Ever...
VIP Call Girl in Mumbai Central 💧 9920725232 ( Call Me ) Get A New Crush Ever...VIP Call Girl in Mumbai Central 💧 9920725232 ( Call Me ) Get A New Crush Ever...
VIP Call Girl in Mumbai Central 💧 9920725232 ( Call Me ) Get A New Crush Ever...dipikadinghjn ( Why You Choose Us? ) Escorts
 
Call Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance Bookingroncy bisnoi
 
Call Girls Banaswadi Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...
Call Girls Banaswadi Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...Call Girls Banaswadi Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...
Call Girls Banaswadi Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...amitlee9823
 
Mira Road Memorable Call Grls Number-9833754194-Bhayandar Speciallty Call Gir...
Mira Road Memorable Call Grls Number-9833754194-Bhayandar Speciallty Call Gir...Mira Road Memorable Call Grls Number-9833754194-Bhayandar Speciallty Call Gir...
Mira Road Memorable Call Grls Number-9833754194-Bhayandar Speciallty Call Gir...priyasharma62062
 
VIP Call Girl in Mumbai 💧 9920725232 ( Call Me ) Get A New Crush Everyday Wit...
VIP Call Girl in Mumbai 💧 9920725232 ( Call Me ) Get A New Crush Everyday Wit...VIP Call Girl in Mumbai 💧 9920725232 ( Call Me ) Get A New Crush Everyday Wit...
VIP Call Girl in Mumbai 💧 9920725232 ( Call Me ) Get A New Crush Everyday Wit...dipikadinghjn ( Why You Choose Us? ) Escorts
 
call girls in Sant Nagar (DELHI) 🔝 >༒9953056974 🔝 genuine Escort Service 🔝✔️✔️
call girls in Sant Nagar (DELHI) 🔝 >༒9953056974 🔝 genuine Escort Service 🔝✔️✔️call girls in Sant Nagar (DELHI) 🔝 >༒9953056974 🔝 genuine Escort Service 🔝✔️✔️
call girls in Sant Nagar (DELHI) 🔝 >༒9953056974 🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Pension dashboards forum 1 May 2024 (1).pdf
Pension dashboards forum 1 May 2024 (1).pdfPension dashboards forum 1 May 2024 (1).pdf
Pension dashboards forum 1 May 2024 (1).pdfHenry Tapper
 
Stock Market Brief Deck (Under Pressure).pdf
Stock Market Brief Deck (Under Pressure).pdfStock Market Brief Deck (Under Pressure).pdf
Stock Market Brief Deck (Under Pressure).pdfMichael Silva
 
falcon-invoice-discounting-unlocking-prime-investment-opportunities
falcon-invoice-discounting-unlocking-prime-investment-opportunitiesfalcon-invoice-discounting-unlocking-prime-investment-opportunities
falcon-invoice-discounting-unlocking-prime-investment-opportunitiesFalcon Invoice Discounting
 
VIP Independent Call Girls in Bandra West 🌹 9920725232 ( Call Me ) Mumbai Esc...
VIP Independent Call Girls in Bandra West 🌹 9920725232 ( Call Me ) Mumbai Esc...VIP Independent Call Girls in Bandra West 🌹 9920725232 ( Call Me ) Mumbai Esc...
VIP Independent Call Girls in Bandra West 🌹 9920725232 ( Call Me ) Mumbai Esc...dipikadinghjn ( Why You Choose Us? ) Escorts
 
Kopar Khairane Russian Call Girls Number-9833754194-Navi Mumbai Fantastic Unl...
Kopar Khairane Russian Call Girls Number-9833754194-Navi Mumbai Fantastic Unl...Kopar Khairane Russian Call Girls Number-9833754194-Navi Mumbai Fantastic Unl...
Kopar Khairane Russian Call Girls Number-9833754194-Navi Mumbai Fantastic Unl...priyasharma62062
 

Último (20)

VIP Independent Call Girls in Mumbai 🌹 9920725232 ( Call Me ) Mumbai Escorts ...
VIP Independent Call Girls in Mumbai 🌹 9920725232 ( Call Me ) Mumbai Escorts ...VIP Independent Call Girls in Mumbai 🌹 9920725232 ( Call Me ) Mumbai Escorts ...
VIP Independent Call Girls in Mumbai 🌹 9920725232 ( Call Me ) Mumbai Escorts ...
 
VIP Kalyan Call Girls 🌐 9920725232 🌐 Make Your Dreams Come True With Mumbai E...
VIP Kalyan Call Girls 🌐 9920725232 🌐 Make Your Dreams Come True With Mumbai E...VIP Kalyan Call Girls 🌐 9920725232 🌐 Make Your Dreams Come True With Mumbai E...
VIP Kalyan Call Girls 🌐 9920725232 🌐 Make Your Dreams Come True With Mumbai E...
 
VIP Independent Call Girls in Taloja 🌹 9920725232 ( Call Me ) Mumbai Escorts ...
VIP Independent Call Girls in Taloja 🌹 9920725232 ( Call Me ) Mumbai Escorts ...VIP Independent Call Girls in Taloja 🌹 9920725232 ( Call Me ) Mumbai Escorts ...
VIP Independent Call Girls in Taloja 🌹 9920725232 ( Call Me ) Mumbai Escorts ...
 
Vip Call US 📞 7738631006 ✅Call Girls In Sakinaka ( Mumbai )
Vip Call US 📞 7738631006 ✅Call Girls In Sakinaka ( Mumbai )Vip Call US 📞 7738631006 ✅Call Girls In Sakinaka ( Mumbai )
Vip Call US 📞 7738631006 ✅Call Girls In Sakinaka ( Mumbai )
 
Webinar on E-Invoicing for Fintech Belgium
Webinar on E-Invoicing for Fintech BelgiumWebinar on E-Invoicing for Fintech Belgium
Webinar on E-Invoicing for Fintech Belgium
 
20240419-SMC-submission-Annual-Superannuation-Performance-Test-–-design-optio...
20240419-SMC-submission-Annual-Superannuation-Performance-Test-–-design-optio...20240419-SMC-submission-Annual-Superannuation-Performance-Test-–-design-optio...
20240419-SMC-submission-Annual-Superannuation-Performance-Test-–-design-optio...
 
cost-volume-profit analysis.ppt(managerial accounting).pptx
cost-volume-profit analysis.ppt(managerial accounting).pptxcost-volume-profit analysis.ppt(managerial accounting).pptx
cost-volume-profit analysis.ppt(managerial accounting).pptx
 
W.D. Gann Theory Complete Information.pdf
W.D. Gann Theory Complete Information.pdfW.D. Gann Theory Complete Information.pdf
W.D. Gann Theory Complete Information.pdf
 
VIP Call Girl in Mumbai Central 💧 9920725232 ( Call Me ) Get A New Crush Ever...
VIP Call Girl in Mumbai Central 💧 9920725232 ( Call Me ) Get A New Crush Ever...VIP Call Girl in Mumbai Central 💧 9920725232 ( Call Me ) Get A New Crush Ever...
VIP Call Girl in Mumbai Central 💧 9920725232 ( Call Me ) Get A New Crush Ever...
 
Call Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance Booking
 
Call Girls Banaswadi Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...
Call Girls Banaswadi Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...Call Girls Banaswadi Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...
Call Girls Banaswadi Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...
 
Mira Road Memorable Call Grls Number-9833754194-Bhayandar Speciallty Call Gir...
Mira Road Memorable Call Grls Number-9833754194-Bhayandar Speciallty Call Gir...Mira Road Memorable Call Grls Number-9833754194-Bhayandar Speciallty Call Gir...
Mira Road Memorable Call Grls Number-9833754194-Bhayandar Speciallty Call Gir...
 
VIP Call Girl in Mumbai 💧 9920725232 ( Call Me ) Get A New Crush Everyday Wit...
VIP Call Girl in Mumbai 💧 9920725232 ( Call Me ) Get A New Crush Everyday Wit...VIP Call Girl in Mumbai 💧 9920725232 ( Call Me ) Get A New Crush Everyday Wit...
VIP Call Girl in Mumbai 💧 9920725232 ( Call Me ) Get A New Crush Everyday Wit...
 
call girls in Sant Nagar (DELHI) 🔝 >༒9953056974 🔝 genuine Escort Service 🔝✔️✔️
call girls in Sant Nagar (DELHI) 🔝 >༒9953056974 🔝 genuine Escort Service 🔝✔️✔️call girls in Sant Nagar (DELHI) 🔝 >༒9953056974 🔝 genuine Escort Service 🔝✔️✔️
call girls in Sant Nagar (DELHI) 🔝 >༒9953056974 🔝 genuine Escort Service 🔝✔️✔️
 
Pension dashboards forum 1 May 2024 (1).pdf
Pension dashboards forum 1 May 2024 (1).pdfPension dashboards forum 1 May 2024 (1).pdf
Pension dashboards forum 1 May 2024 (1).pdf
 
Stock Market Brief Deck (Under Pressure).pdf
Stock Market Brief Deck (Under Pressure).pdfStock Market Brief Deck (Under Pressure).pdf
Stock Market Brief Deck (Under Pressure).pdf
 
Call Girls in New Ashok Nagar, (delhi) call me [9953056974] escort service 24X7
Call Girls in New Ashok Nagar, (delhi) call me [9953056974] escort service 24X7Call Girls in New Ashok Nagar, (delhi) call me [9953056974] escort service 24X7
Call Girls in New Ashok Nagar, (delhi) call me [9953056974] escort service 24X7
 
falcon-invoice-discounting-unlocking-prime-investment-opportunities
falcon-invoice-discounting-unlocking-prime-investment-opportunitiesfalcon-invoice-discounting-unlocking-prime-investment-opportunities
falcon-invoice-discounting-unlocking-prime-investment-opportunities
 
VIP Independent Call Girls in Bandra West 🌹 9920725232 ( Call Me ) Mumbai Esc...
VIP Independent Call Girls in Bandra West 🌹 9920725232 ( Call Me ) Mumbai Esc...VIP Independent Call Girls in Bandra West 🌹 9920725232 ( Call Me ) Mumbai Esc...
VIP Independent Call Girls in Bandra West 🌹 9920725232 ( Call Me ) Mumbai Esc...
 
Kopar Khairane Russian Call Girls Number-9833754194-Navi Mumbai Fantastic Unl...
Kopar Khairane Russian Call Girls Number-9833754194-Navi Mumbai Fantastic Unl...Kopar Khairane Russian Call Girls Number-9833754194-Navi Mumbai Fantastic Unl...
Kopar Khairane Russian Call Girls Number-9833754194-Navi Mumbai Fantastic Unl...
 

Implementing ossec

  • 1. Implementing OSSEC HIDS Jerônimo Zucco jczucco@gmail.com
  • 2. /me • Security guy • blog: http://jczucco.blogspot.com • Twitter: @jczucco • zucco on freenode • http://www.linkedin.com/in/jeronimozucco
  • 3. Agenda • Introduction • Arquiteture • Log Analysis • Integrity Monitoring • Rootkit Detection • Policy audit
  • 4. Agenda • Alerts • Active Response • Server and Agents Instalations • Configuration Files • Rule Files • Customize Rules
  • 15. Why Log ? Because we want to 2% Because we have to: (PCI-DSS, HIPAA, ISO 27K, SOX)
  • 19. CEE Common Event Expression http://cee.mitre.org
  • 20.
  • 22. Daniel Cid @danielcid Third Brigade, Trend Micro
  • 23. • Open Source Host­based IDS (HIDS) • File Integrity checking • Registry Integrity checking • Host­based anomaly detection • Policy monitoring/enforcement • Active response
  • 25. OSSEC in the News • OSSEC #1 open source security tool in the enterprise http://www.linuxworld.com/news/ 2007/031207-top-5-security.html • OSSEC #2 IDS tool in the security tools survey. http://sectools.org/ids.html • More: http://www.ossec.net/wiki/IntheNews
  • 26. OSSEC Agents • GNU/Linux (all distributions, including RHEL, Ubuntu, Slackware, Debian, etc) • Windows XP,2000,2003,Vista,2008,Seven • VMWare ESX 3.0,3.5 (including CIS checks) • *BSD • Solaris 2.7,2.8,2.9 and 10 • AIX 5.3 • HP-UX 10, 11, 11i • MacOSX 10
  • 27. Support via Syslog • Cisco PIX, ASA and FWSM (all versions) • Cisco IOS routers (all versions) • Juniper Netscreen (all versions) • SonicWall firewall (all versions) • Checkpoint firewall (all versions) • Cisco IOS IDS/IPS module (all versions) • Sourcefire (Snort) IDS/IPS (all versions)
  • 28. Support via Syslog • Dragon NIDS • Checkpoint Smart Defense (all versions) • McAfee VirusScan Enterprise (v8 and v8.5) • Bluecoat proxy (all versions) • Cisco VPN concentrators (all versions)
  • 29. Agentless • Cisco PIX, ASA and FWSM (all versions) • Cisco IOS routers (all versions) • Juniper Netscreen (all versions) • SonicWall firewall (all versions) • Checkpoint firewall (all versions) • All operating systems specified in the “operating systems” section
  • 30. Supportted Log Formats • DB Logs (Mysql, PostgreSQL) • Unix like logs (dpkg, yum, su, sudo) • Mail Server, FTP, SSH, Xinetd logs • Web Server logs (apache, IIS, Zeus) • Web Apps (Horde, ModSecurity) • NIDS (Snort, Cisco IOS/IPS, Checkpoint) • Sec.Tools (Symantec and McAfee AV, nmap) • Windows Events
  • 31. Secure by Default • Installation script does the chroot, user creation, permissions, etc • User has no choice to run it “less secure” • Each process with limited privileges and tasks
  • 32. DOCS http://www.ossec.net #ossec on freenode - mailing lists - wiki, manuals, etc - source :-)
  • 35. OSSEC Log Flow Agent -> Server
  • 39. Agent -> Server • Zlib Compressed • Blowfish Encrypted • udp 1514 • Centralized Management
  • 40. Integrity Check • each X time, or realtime • File / Directory Properties • Permissions • Size • Ownership • sha1sum • md5sum
  • 41. Rootkit Checks • Signature (Adore, Knark, LOC) and anomaly- based • Files in /dev which aren't device files • Hidden directories • SUID files • Files owned by root world-writable • Running processes hidden from “ps” • Listening ports hidden from “netstat” • Promiscuous interfaces
  • 42. Policy Monitoring • Identify situation which can lead to a breach • Benchmark system against CIS standard ( http://cisecurity.org ) or create your own • File, registry setting, or process exists or does not exist (win_audit_rcl.txt, win_applications_rcl.txt) • Is anti-virus installed but not running? • Has the host firewall been disabled? • How do you know your systems are still hardened?
  • 44. Rules • XML Files • Levels -> 0 to 15
  • 45. Rules • Atomic • Composite
  • 46. Rule Sample <!-- SSHD messages --> <group name="syslog,sshd,"> <rule id="5700" level="0" noalert="1"> <decoded_as>sshd</decoded_as> <description>SSHD messages grouped.</description> </rule>
  • 47. Rule Sample <rule id="5704" level="4"> <if_sid>5700</if_sid> <match>fatal: Timeout before authentication for</match> <description>Timeout while logging in (sshd).</description> </rule> <rule id="5705" level="10" frequency="4" timeframe="360"> <if_matched_sid>5704</if_matched_sid> <description>Possible scan or breakin attempt </description> <description>(high number of login timeouts).</description> </rule>
  • 49. OSSEC in the real world • Authentication control • MSN usage • Integrity checking • Authentication logs
  • 50. Authentication control • Alerting on every authentication success outside business hours ➔ Every authentication event is classified as “authentication success” (that's why we use if_group • Added to local_rules.xml: <rule id="100101" level="10"> <if_group>authentication_success</if_group> <time>7 pm ­ 6:30 am</time> <description>Login during non­business hours.</ description> </rule>
  • 51. Authentication control 2 • Alerting on first time logins outside business hours • We have some FTS (first time seen) rules • Increased severity when a user logs in for the first time on a specific system outside business hours ➔ Added to local_rules.xml: <rule id="100101" level="13"> <if_sid>18119, 10100</if_sid> <time>7 pm ­ 6:30 am</time> <description>First time Login during non­bus. hours.<description> </rule>
  • 52. MSN Usage • Alerting on new MSN users ➔ MSN logs to the event log (with the email address) every time it starts <rule id="100213" level="7"> <if_sid>18101</if_sid> <id>102</id> <match>The database engine started a new instance</match> <description>MSN login.</description> </rule> 2008 Apr 17 20:02:16 (xx) 192.168.2.190­>WinEvtLog WinEvtLog: Application: INFORMATION(102): ESENT: (no user): no domain: OSSEC­HM: msnmsgr (1240) .C: Documents and SettingsxyzLocal SettingsApplication DataMicrosoftMessenger xyz@hotmail.comSharingMetadataWorkingdatabase_F218_E 79B_18E7_5CDBdfsr.db: The database engine started a new instance (0)
  • 53. Integrity Checking • Alerting with high severity on changes to /var/www/htdocs <rule id="100345" level="12"> <if_matched_group>syscheck</if_matched_group> <description>Changes to /var/www/htdocs – Critical file!</description> <match>/var/www/htdocs</match> </rule>
  • 54. Auth Logs • Brute force attempts followed by a success Rule: 5720 (level 10) ­> 'Multiple SSHD authentication failures.' Src IP: 125.192.xx.xx Feb 11 09:31:58 wpor sshd[4565]: Failed password for root from 125.192.xx.xx port 42976 ssh2 Feb 11 09:31:58 wpor sshd[4565]: Failed password for admin from 125.192.xx.xx port 42976 ssh2 Feb 11 09:31:58 wpor sshd[4565]: Failed password for admin from 125.192.xx.xx port 42976 ssh2 Rule: 40112 (level 12) ­> 'Multiple authentication failures followed by a success.' Src IP: 125.192.67.136 User: admin Feb 11 09:31:58 wpor sshd[7235]: Accepted password for admin from 125.192.xx.xx port 42198 ssh2
  • 55. And many more ! "Nobody knows your environment/applications as you"
  • 57. Challenges • Deploying large amounts of agents • Attackers who know Active Response is in use may try to use that to their advantage • IPs can be spoofed, thereby triggering an incorrect response (whitelists, response timeouts) • Alert Flooding - By default, OSSEC will only send 12 alerts per hour • Log Injection • - Tuning rules never stops !
  • 58.