Using OSSEC Open Source Host based IDS/IPS

rizthetechgeek 37 views 32 slides Jun 01, 2024
Slide 1
Slide 1 of 32
Slide 1
1
Slide 2
2
Slide 3
3
Slide 4
4
Slide 5
5
Slide 6
6
Slide 7
7
Slide 8
8
Slide 9
9
Slide 10
10
Slide 11
11
Slide 12
12
Slide 13
13
Slide 14
14
Slide 15
15
Slide 16
16
Slide 17
17
Slide 18
18
Slide 19
19
Slide 20
20
Slide 21
21
Slide 22
22
Slide 23
23
Slide 24
24
Slide 25
25
Slide 26
26
Slide 27
27
Slide 28
28
Slide 29
29
Slide 30
30
Slide 31
31
Slide 32
32

About This Presentation

OSSEC HIDS

Size: 157.08 KB
Language: en
Added: Jun 01, 2024
Slides: 32 pages

Slide Content

Using OSSEC Open Source Host
Based Intrusion Detection
Justin C. Klein Keane
University of Pennsylvania
School of Arts & Sciences
Information Security and Unix Systems
©Justin C. Klein Keane
<[email protected]>

Presentation Format
Top down
-High level definition
-Capabilities
-Customization
-Our Implementation
-Logistics
©Justin C. Klein Keane
<[email protected]>

Network vs. App Security
•We've won network security
•Made it more expensive to compromise
networks than applications
•Defending applications requires new
approaches
•OSSEC fits easily and naturally into an
application security program
©Justin C. Klein Keane
<[email protected]>

About OSSEC
Open source host based intrusion detection
system (HIDS)
Written by Daniel Cid, who continues to
participate
Pronunciation varies
Acquired by Third Brigade in 2008, which was
then acquired by Trend Micro in 2009
©Justin C. Klein Keane
<[email protected]>

What is an IDS
Intrusion detection system (IDS)
Distinct from an intrusion prevention system
(IPS)
Monitor data points to identify malicious
behaviour
Anomaly detection or pattern matching
Basically just automated traffic monitoring
©Justin C. Klein Keane
<[email protected]>

Differences of HIDS vs. NIDS
HIDS – host based IDS
NIDS – network based IDS
NIDS uses data from the wire
HIDS can use filesystem as well as network
–Log files, file contents
–Filesystem attributes
Main difference: visibility
©Justin C. Klein Keane
<[email protected]>

Advantages of HIDS
Low(er) false positive rate
If your HIDS detected the traffic it was
definitely parsed by the target
Leverages existing hardware
Not very resource intensive
©Justin C. Klein Keane
<[email protected]>

Disadvantages of HIDS
Blind spots:
If it isn't logged, or stored on the filesystem,
it's invisible
Unable to parse unknown or unlogged traffic
Can't evaluate egress
Can't spot probes that don't hit active services
Requires an agent install on endpoints
Can be defeated with a host compromise
©Justin C. Klein Keane
<[email protected]>

Advantages of NIDS
All traffic becomes visible, ingress and egress
Requires just one point of installation
Failure doesn't affect endpoints
©Justin C. Klein Keane
<[email protected]>

Disadvantages of NIDS
High false positive rate
No way to tell if attack was “real”
Easy to overwhelm with bad traffic or evade
–Packet fragmentation, etc.
Can't see encrypted traffic
©Justin C. Klein Keane
<[email protected]>

OSSEC Beyond HIDS
Filesystem integrity checking
Registry monitoring on Windows
Active response
­Commonly used for RTBL
­Can be scripted for almost any behaviour
Rootkit detection
©Justin C. Klein Keane
<[email protected]>

Why Penn is Using OSSEC
•Found OSSEC in a search for open source
SEM and SIM solutions
•No access to network taps or span ports
•Looking for a sensor net to correlate alerts
•Using OSSEC for over 3 years now
©Justin C. Klein Keane
<[email protected]>

How OSSEC Works
Three modes
­Local, client, server
Client server model
­Clients receive configuration from server
­Clients send logs to server over an encrypted channel
©Justin C. Klein Keane
<[email protected]>

OSSEC Network Communication
•UDP port 1514
•Compressed messages (using zlib)
•Blowfish based encryption using pre-shared
keys
•Logs specified on client are collected and sent
to manager for analysis
©Justin C. Klein Keane
<[email protected]>

OSSEC Data Flow
Graphic concept courtesy http://ossec.net/ossec-docs/auscert-2007-dcid.pdf
©Justin C. Klein Keane
<[email protected]>

OSSEC Decoders
•OSSEC uses decoders to parse log files
•Decoders are written as XML
•Extracts useful data fields from log entries to
use for rule and alert matching including:
–Source IP and/or port
–Destination IP and/or port
–Program name or user name
–And more...
©Justin C. Klein Keane
<[email protected]>

OSSEC Rules
•OSSEC rules are stored as XML files
•Rules are hierarchical
•By default OSSEC includes rules for:
apache, arpwatch, asterisk, cisco-ios, courier, firewalls,
ftpd, horde/imp, IDS systems, IMAP, McAfee antivirus,
MS auth, MS DHCP, Exchange, Microsoft FTPD,
MySQL, Bind, Netscreen, PAM, postfix, Postgres,
ProFTP, Roundcube, sendmail, samba, Squit, SSH,
Symantec AV, Syslog, Telnet, VMWare, VSFTP,
Wordpress, and more...
©Justin C. Klein Keane
<[email protected]>

Rule Format
Rules are assigned priority levels, usually from 1
(lowest) to 15
Rules trigger based on:
-Pattern matching in strings
-Timing between matches
-Dependence on other rules
-Time of day
-Hostnames
-Applications
©Justin C. Klein Keane
<[email protected]>

OSSEC Alerts
•Default settings include alerting on:
–Web attacks
–SSH brute force
–Buffer overflows and program crashes
–Firewall events
–Users using sudo
–Many more...
•Creating custom alerts is relatively easy
©Justin C. Klein Keane
<[email protected]>

Alert Behavior
•When a rule triggers an alert several actions
can be configured:
–Logging
–Sending an e-mail alert
•Sending a SMS alert
–Executing an active response script
©Justin C. Klein Keane
<[email protected]>

Active Response
Initiates scripts
Default installations include firewall rules
-Time based
Whitelists prevent self denial of service
Active response can be delegated to multiple
hosts
©Justin C. Klein Keane
<[email protected]>

Custom Decoders and Logs
•OSSEC will monitor many common services
out of the box
•OSSEC can be extended to monitor custom
applications
•OSSEC can detect events in custom
application logs and trigger custom active
response scripts
©Justin C. Klein Keane
<[email protected]>

Log File Monitoring
•OSSEC monitors specific logs by default,
including:
–Syslog
–Apache http logs
–Mail logs
•OSSEC can be configured to monitor any log
it can gain access to
©Justin C. Klein Keane
<[email protected]>

Beyond HIDS: Monitoring Scripts
•OSSEC can be used to monitor the output of
custom scripts
•For instance, OSSEC can generate alerts
based on changes to NMAP scan results of
specific hosts
–http://www.ossec.net/wiki/Know_How:Nmap
•Can also log scripted alerts to common log
(syslog) and write a rule to augment existing
log monitoring
©Justin C. Klein Keane
<[email protected]>

Generating Reports
OSSEC includes ossec-reportd
-Can be used to generate summary reports
-Ex. show all brute force attempts and usernames
used and number of times attempted
OSSEC can also log to a database so that SQL
can be used for reporting
Custom scripts can be used to parse alert logs
Web based user interface (WUI) reporting
©Justin C. Klein Keane
<[email protected]>

OSSEC Community
Extremely active user community
-Developer mailing list
OSSEC mailing list (and Google group)
-http://groups.google.com/group/ossec-list
OSSEC wiki
-http://www.ossec.net/wiki
Commercial support from Trend Micro
[email protected]
©Justin C. Klein Keane
<[email protected]>

Solutions
•OSSEC is a service you can utilize internally
or offer your stakeholders
•OSSEC allows you to extend your security
impact
•OSSEC provide you greater visibility into your
security posture
©Justin C. Klein Keane
<[email protected]>

How Penn is Using OSSEC
•Server installed on a bastion host
•Agents deployed on critical hosts
•Separate server installed on cluster back ends
•Alerts go to queue monitored by security staff
•Per machine alerts go to individual sysadmins
•Using OSSEC to monitor custom alert scripts
©Justin C. Klein Keane
<[email protected]>

Logistical Considerations
•As with any intrusion detection system, expect
a timeframe for tuning
•Be extremely careful with active response to
avoid self denial of service
•Installation may require coordination with
sysadmins
©Justin C. Klein Keane
<[email protected]>

Overall Impact
•Develop metrics to justify security resource
allocation
•Verify effectiveness of security
countermeasures
•Track outlying machines, especially virtual
machines
•Extend service offerings to client groups
•Centralized log reporting
©Justin C. Klein Keane
<[email protected]>

Pitfalls of OSSEC
•Difficulty in upgrades between versions
•Coordinating pre-shared keys can be
problematic
•Sometimes agents become unresponsive
•Volume of alerts
•In testing OSSEC is great for early warning
but not so good in a post compromise situation
©Justin C. Klein Keane
<[email protected]>

Questions
Thank you.
©Justin C. Klein Keane
<[email protected]>
Tags
ossec
Categories
General
Download
Download Slideshow Get the original presentation file
Quick Actions
Statistics
  • Views 37
  • Slides 32
  • Age 549 days
Related Slideshows
Pray For The Peace Of Jerusalem and You Will Prosper 22
Pray For The Peace Of Jerusalem and You Will Prosper
RodolfoMoralesMarcuc
32 views
Don_t_Waste_Your_Life_God.....powerpoint 26
Don_t_Waste_Your_Life_God.....powerpoint
chalobrido8
33 views
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf 31
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf
JaiJai148317
31 views
Fertility awareness methods for women in the society 14
Fertility awareness methods for women in the society
Isaiah47
30 views
Chapter 5 Arithmetic Functions Computer Organisation and Architecture 35
Chapter 5 Arithmetic Functions Computer Organisation and Architecture
RitikSharma297999
27 views
syakira bhasa inggris (1) (1).pptx....... 5
syakira bhasa inggris (1) (1).pptx.......
ourcommunity56
29 views
View More in This Category