
©Justin C. Klein Keane Using OSSEC Open Source Host Based Intrusion Detection Justin C. Klein Keane University of Pennsylvania School of Arts & Sciences.


Slide 1: Using OSSEC: Open Source Host Based Intrusion Detection
Justin C. Klein Keane, University of Pennsylvania School of Arts & Sciences, Information Security and Unix Systems

Slide 2: Presentation Format
Top down:
- High level definition
- Capabilities
- Customization
- Our Implementation
- Logistics

Slide 3: Network vs. App Security
- We've won network security
- Made it more expensive to compromise networks than applications
- Defending applications requires new approaches
- OSSEC fits easily and naturally into an application security program

Slide 4: About OSSEC
- Open source host based intrusion detection system (HIDS)
- Written by Daniel Cid, who continues to participate
- Pronunciation varies
- Acquired by Third Brigade in 2008, which was then acquired by Trend Micro in 2009

Slide 5: What is an IDS
- Intrusion detection system (IDS)
- Distinct from an intrusion prevention system (IPS)
- Monitors data points to identify malicious behaviour
  - Anomaly detection or pattern matching
- Basically just automated traffic monitoring

Slide 6: Differences of HIDS vs. NIDS
- HIDS: host based IDS
- NIDS: network based IDS
- NIDS uses data from the wire
- HIDS can use the filesystem as well as the network
  - Log files, file contents
  - Filesystem attributes
- Main difference: visibility

Slide 7: Advantages of HIDS
- Low(er) false positive rate
  - If your HIDS detected the traffic, it was definitely parsed by the target
- Leverages existing hardware
- Not very resource intensive

Slide 8: Disadvantages of HIDS
- Blind spots:
  - If it isn't logged, or stored on the filesystem, it's invisible
  - Unable to parse unknown or unlogged traffic
  - Can't evaluate egress
  - Can't spot probes that don't hit active services
- Requires an agent install on endpoints
- Can be defeated with a host compromise

Slide 9: Advantages of NIDS
- All traffic becomes visible, ingress and egress
- Requires just one point of installation
- Failure doesn't affect endpoints

Slide 10: Disadvantages of NIDS
- High false positive rate
  - No way to tell if an attack was "real"
- Easy to overwhelm with bad traffic or evade
  - Packet fragmentation, etc.
- Can't see encrypted traffic

Slide 11: OSSEC Beyond HIDS
- Filesystem integrity checking
- Registry monitoring on Windows
- Active response
  - Commonly used for RTBL
  - Can be scripted for almost any behaviour
- Rootkit detection

Slide 12: Why Penn is Using OSSEC
- Found OSSEC in a search for open source SEM and SIM solutions
- No access to network taps or span ports
- Looking for a sensor net to correlate alerts
- Using OSSEC for over 3 years now

Slide 13: How OSSEC Works
- Three modes
  - Local, client, server
- Client server model
  - Clients receive configuration from server
  - Clients send logs to server over an encrypted channel

Slide 14: OSSEC Network Communication
- UDP port 1514
- Compressed messages (using zlib)
- Blowfish based encryption using pre-shared keys
- Logs specified on the client are collected and sent to the manager for analysis

Slide 15: OSSEC Data Flow
[Figure: OSSEC data flow diagram. Graphic concept courtesy http://ossec.net/ossec-docs/auscert-2007-dcid.pdf]

Slide 16: OSSEC Decoders
- OSSEC uses decoders to parse log files
- Decoders are written as XML
- Decoders extract useful data fields from log entries to use for rule and alert matching, including:
  - Source IP and/or port
  - Destination IP and/or port
  - Program name or user name
  - And more...

Slide 17: OSSEC Rules
- OSSEC rules are stored as XML files
- Rules are hierarchical
- By default OSSEC includes rules for: apache, arpwatch, asterisk, cisco-ios, courier, firewalls, ftpd, horde/imp, IDS systems, IMAP, McAfee antivirus, MS auth, MS DHCP, Exchange, Microsoft FTPD, MySQL, Bind, Netscreen, PAM, postfix, Postgres, ProFTP, Roundcube, sendmail, samba, Squid, SSH, Symantec AV, Syslog, Telnet, VMWare, VSFTP, Wordpress, and more...

Slide 18: Rule Format
- Rules are assigned priority levels, usually from 1 (lowest) to 15
- Rules trigger based on:
  - Pattern matching in strings
  - Timing between matches
  - Dependence on other rules
  - Time of day
  - Hostnames
  - Applications
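The three slides above (decoders, the rule hierarchy, and the rule attributes) are easiest to understand side by side with a concrete decoder and rule set and a trace of what they produce for a few log lines. The example below is added here and is not from the presentation or from the OSSEC project: it embeds a constructed decoder for a hypothetical application called "myapp" (written in the syntax of OSSEC's local_decoder.xml) and three constructed rules in the syntax of local_rules.xml (a level-0 base rule, a level-5 child rule selected with if_sid, and a level-10 composite rule using if_matched_sid, frequency, timeframe and same_source_ip), then runs them through a deliberately small imitation of how the analysis daemon walks the rule tree. The constructed log lines, the application name and the rule IDs (taken from the 100000-119999 range OSSEC reserves for user rules) are all assumptions, and the evaluator is a teaching toy, not OSSEC's engine; in particular OSSEC's exact frequency threshold and regex dialect should be checked against its documentation before copying the XML into a real deployment.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed decoder for a hypothetical application "myapp", in the syntax of
# OSSEC's local_decoder.xml (the <root> wrapper only exists so ElementTree can parse it).
DECODERS_XML = r"""<root>
  <decoder name="myapp">
    <prematch>^myapp: </prematch>
  </decoder>
  <decoder name="myapp-auth">
    <parent>myapp</parent>
    <prematch>login failed</prematch>
    <regex>user=(\S+) from (\d+.\d+.\d+.\d+)</regex>
    <order>user, srcip</order>
  </decoder>
</root>"""

# Constructed rules in the syntax of local_rules.xml. The base rule is level 0, so it
# groups events without alerting; the composite rule escalates repeated failures.
RULES_XML = r"""<group name="myapp,">
  <rule id="100100" level="0">
    <decoded_as>myapp</decoded_as>
    <description>myapp messages grouped.</description>
  </rule>
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <match>login failed</match>
    <description>myapp: failed login.</description>
  </rule>
  <rule id="100102" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_source_ip />
    <description>myapp: repeated failed logins from one source.</description>
  </rule>
</group>"""

def load_decoders(xml_text):
    return [{"name": d.get("name"), "parent": d.findtext("parent"),
             "prematch": d.findtext("prematch"), "regex": d.findtext("regex"),
             "order": [f.strip() for f in (d.findtext("order") or "").split(",") if f.strip()]}
            for d in ET.fromstring(xml_text).findall("decoder")]

def load_rules(xml_text):
    return [{"id": r.get("id"), "level": int(r.get("level")),
             "frequency": int(r.get("frequency", "0")), "timeframe": int(r.get("timeframe", "0")),
             "decoded_as": r.findtext("decoded_as"), "if_sid": r.findtext("if_sid"),
             "if_matched_sid": r.findtext("if_matched_sid"), "match": r.findtext("match"),
             "same_source_ip": r.find("same_source_ip") is not None,
             "description": r.findtext("description")}
            for r in ET.fromstring(xml_text).iter("rule")]

def decode(line, decoders):
    """Return (decoder_name, fields). The parent's prematch picks the family, a child's
    regex extracts the <order> fields, and rules name the parent in <decoded_as>.
    Assumption: for these patterns Python's re behaves like OSSEC's regex dialect."""
    for parent in (d for d in decoders if not d["parent"]):
        if not re.search(parent["prematch"], line):
            continue
        for child in (d for d in decoders if d["parent"] == parent["name"]):
            if child["prematch"] and not re.search(child["prematch"], line):
                continue
            m = re.search(child["regex"], line) if child["regex"] else None
            if m:
                return parent["name"], dict(zip(child["order"], m.groups()))
        return parent["name"], {}
    return None, {}

class ToyAnalyzer:
    """Toy imitation of the rule walk: base rule -> child rules -> composite rules."""
    def __init__(self, decoders, rules):
        self.decoders, self.rules = decoders, rules
        self.history = defaultdict(list)   # (composite rule id, srcip) -> match times

    def process(self, ts, line):
        name, fields = decode(line, self.decoders)
        if name is None:
            return None
        matched = None
        for rule in self.rules:   # walked in file order, as the XML is written
            if rule["decoded_as"] == name and not rule["match"]:
                matched = rule    # base rule for this decoder
            elif matched and rule["if_sid"] == matched["id"] and rule["match"] and rule["match"] in line:
                matched = rule    # child rule: <match> is a plain substring test
        if matched is None:
            return None
        for rule in self.rules:   # composite rules: N matches within timeframe seconds
            if rule["if_matched_sid"] != matched["id"] or not rule["frequency"]:
                continue
            key = (rule["id"], fields.get("srcip") if rule["same_source_ip"] else None)
            hist = self.history[key]
            hist.append(ts)
            hist[:] = [t for t in hist if ts - t <= rule["timeframe"]]
            if len(hist) >= rule["frequency"]:   # real OSSEC's exact count differs; see its docs
                hist.clear()
                matched = rule
                break
        if matched["level"] == 0:
            return None
        return {"sid": matched["id"], "level": matched["level"],
                "description": matched["description"], **fields}

# Constructed log stream: (seconds since start, raw line). Addresses are documentation ranges.
SAMPLE_LOG = [
    (0, "myapp: login ok user=alice from 10.0.0.5"),
    (10, "myapp: login failed user=bob from 192.0.2.7"),
    (20, "myapp: login failed user=bob from 192.0.2.7"),
    (30, "myapp: login failed user=root from 192.0.2.7"),
    (40, "myapp: login failed user=admin from 192.0.2.7"),
    (50, "myapp: login failed user=bob from 192.0.2.7"),
    (60, "myapp: login failed user=carol from 198.51.100.9"),
    (70, "sshd[123]: Accepted publickey for alice"),   # no decoder here: ignored by the toy
]

def run(events=SAMPLE_LOG):
    analyzer = ToyAnalyzer(load_decoders(DECODERS_XML), load_rules(RULES_XML))
    return [a for a in (analyzer.process(ts, line) for ts, line in events) if a]
```

Calling run() on the constructed stream yields four level-5 alerts, then a single level-10 alert when the fifth failure from 192.0.2.7 arrives inside the 120-second window, then a level-5 alert for the unrelated source; the "login ok" line is swallowed by the level-0 base rule and the sshd line has no decoder at all. That is the practical meaning of "rules are hierarchical": the decoder decides which subtree is consulted, and only the most specific matching rule's level reaches the alert log.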

Slide 19: OSSEC Alerts
- Default settings include alerting on:
  - Web attacks
  - SSH brute force
  - Buffer overflows and program crashes
  - Firewall events
  - Users using sudo
  - Many more...
- Creating custom alerts is relatively easy

Slide 20: Alert Behavior
- When a rule triggers an alert, several actions can be configured:
  - Logging
  - Sending an e-mail alert
  - Sending an SMS alert
  - Executing an active response script

Slide 21: Active Response
- Initiates scripts
- Default installations include firewall rules
  - Time based
- Whitelists prevent self denial of service
- Active response can be delegated to multiple hosts
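The whitelist point on this slide is the one that bites in practice, so here is the shape of an active response script that enforces it before touching the firewall. This is an added example, not a script from the presentation or from the OSSEC distribution. It assumes the argument convention used by OSSEC's bundled response scripts (action, user, source IP, alert id, rule id; verify against the version you run), where "add" is passed when the alert fires and "delete" is passed again when the configured timeout expires, which is what makes the block time based. The whitelist entries are constructed; in a deployment they would mirror the addresses you protect in ossec.conf. The script only prints the firewall command it would run, so it is safe to exercise by hand.

```python
import ipaddress
import sys
import time

# Constructed whitelist: the manager, management networks and anything that must never be
# blocked. Real deployments keep these in ossec.conf; this list is an assumption for the example.
WHITE_LIST = ["127.0.0.1", "10.0.0.0/8", "192.0.2.10"]

def is_whitelisted(srcip, white_list=WHITE_LIST):
    """True if srcip must not be blocked. Anything unparsable or local is treated as protected,
    because a bad address reaching the firewall is worse than a missed block."""
    try:
        ip = ipaddress.ip_address(srcip)
    except ValueError:
        return True
    if ip.is_loopback or ip.is_unspecified:
        return True
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in white_list)

def plan_response(action, srcip, white_list=WHITE_LIST):
    """Decide what the script should do. Returns (verb, argv-of-command-or-None).
    'add' inserts a DROP rule, 'delete' removes it again when OSSEC's timeout expires."""
    if action not in ("add", "delete"):
        return ("invalid-action", None)
    if is_whitelisted(srcip, white_list):
        return ("skip-whitelisted", None)
    flag = "-I" if action == "add" else "-D"
    verb = "block" if action == "add" else "unblock"
    return (verb, ["iptables", flag, "INPUT", "-s", srcip, "-j", "DROP"])

def main(argv):
    # Argument order assumed from OSSEC's bundled scripts: action user srcip alertid ruleid
    action, user, srcip = (argv + ["", "", ""])[1:4]
    verb, cmd = plan_response(action, srcip)
    # Same one-line style as active-responses.log, so the decision itself is auditable later
    print(f"{time.strftime('%a %b %d %H:%M:%S %Y')} {argv[0]}: {verb} action={action} "
          f"srcip={srcip} user={user}")
    if cmd:
        print("would run:", " ".join(cmd))   # a real script would subprocess.run(cmd, check=True)
    return 0 if cmd or verb == "skip-whitelisted" else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two design choices are worth copying even if the rest is rewritten: the whitelist check runs before any action is chosen, so a misconfigured rule cannot block the manager or a jump host, and an unparsable source address is treated as protected rather than handed to iptables, which is where self denial of service usually comes from.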

Slide 22: Custom Decoders and Logs
- OSSEC will monitor many common services out of the box
- OSSEC can be extended to monitor custom applications
- OSSEC can detect events in custom application logs and trigger custom active response scripts

Slide 23: Log File Monitoring
- OSSEC monitors specific logs by default, including:
  - Syslog
  - Apache http logs
  - Mail logs
- OSSEC can be configured to monitor any log it can gain access to

Slide 24: Beyond HIDS: Monitoring Scripts
- OSSEC can be used to monitor the output of custom scripts
- For instance, OSSEC can generate alerts based on changes to NMAP scan results of specific hosts
  - http://www.ossec.net/wiki/Know_How:Nmap
- Can also log scripted alerts to a common log (syslog) and write a rule to augment existing log monitoring
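The second approach on this slide, a script that compares its output with the previous run and writes one line to syslog when something changed, is the pattern Penn describes using for custom alert scripts. The following is an added example, not a script from the presentation or the OSSEC wiki page it cites: it snapshots the local listening TCP sockets with iproute2's `ss` (an assumption about the host; the nmap output from the slide can be substituted as the snapshot source), keeps the previous snapshot in a state file, and on change emits a fixed-prefix line such as "portwatch: CHANGE target=localhost added=... removed=..." that a custom rule can match on. The "portwatch" name, the state directory and the sample snapshots are all constructed.

```python
import subprocess
import sys
from pathlib import Path

def diff_output(previous, current):
    """Lines that appeared and lines that disappeared between two snapshots (order-insensitive)."""
    old, new = set(previous.splitlines()), set(current.splitlines())
    return sorted(new - old), sorted(old - new)

def format_event(target, added, removed):
    # One line with a fixed prefix, so a custom rule can <match>portwatch: CHANGE</match>
    return (f"portwatch: CHANGE target={target} "
            f"added={','.join(added) or '-'} removed={','.join(removed) or '-'}")

def evaluate(target, previous, current):
    """Return the event line to log, or None. An empty previous snapshot is the first run and
    seeds the baseline silently; an unchanged snapshot is silent too, so the log only carries changes."""
    if not previous:
        return None
    added, removed = diff_output(previous, current)
    if not (added or removed):
        return None
    return format_event(target, added, removed)

def snapshot_listeners():
    # Assumption: iproute2 `ss` is installed. Only the Local Address:Port column is kept so
    # queue counters that differ on every run do not produce false change events.
    out = subprocess.run(["ss", "-H", "-ltn"], capture_output=True, text=True, check=True).stdout
    return "\n".join(sorted(line.split()[3] for line in out.splitlines() if line.strip())) + "\n"

def main(state_dir="/var/tmp/portwatch"):   # constructed path; pick one only root can write
    state = Path(state_dir) / "localhost.last"
    state.parent.mkdir(parents=True, exist_ok=True)
    previous = state.read_text() if state.exists() else ""
    current = snapshot_listeners()
    event = evaluate("localhost", previous, current)
    state.write_text(current)
    if event:
        import syslog   # Unix only; OSSEC's syslog monitoring then picks the line up
        syslog.syslog(syslog.LOG_WARNING, event)
        print(event)
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

Run from cron at whatever interval the baseline should be checked; the state file is the only thing the script remembers, so deleting it re-seeds the baseline on the next run. Keeping the change decision in a pure function (evaluate) is what makes the monitor testable offline, and the fixed prefix is what makes the eventual OSSEC rule simple.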

Slide 25: Generating Reports
- OSSEC includes ossec-reportd
  - Can be used to generate summary reports
  - Ex. show all brute force attempts, the usernames used and the number of times attempted
- OSSEC can also log to a database so that SQL can be used for reporting
- Custom scripts can be used to parse alert logs
- Web based user interface (WUI) reporting

Slide 26: OSSEC Community
- Extremely active user community
  - Developer mailing list
- OSSEC mailing list (and Google group)
  - http://groups.google.com/group/ossec-list
- OSSEC wiki
  - http://www.ossec.net/wiki
- Commercial support from Trend Micro
  - ossec.purchase@trendmicro.com

Slide 27: Solutions
- OSSEC is a service you can utilize internally or offer to your stakeholders
- OSSEC allows you to extend your security impact
- OSSEC provides you greater visibility into your security posture

Slide 28: How Penn is Using OSSEC
- Server installed on a bastion host
- Agents deployed on critical hosts
- Separate server installed on cluster back ends
- Alerts go to a queue monitored by security staff
- Per machine alerts go to individual sysadmins
- Using OSSEC to monitor custom alert scripts

Slide 29: Logistical Considerations
- As with any intrusion detection system, expect a timeframe for tuning
- Be extremely careful with active response to avoid self denial of service
- Installation may require coordination with sysadmins

Slide 30: Overall Impact
- Develop metrics to justify security resource allocation
- Verify effectiveness of security countermeasures
- Track outlying machines, especially virtual machines
- Extend service offerings to client groups
- Centralized log reporting

Slide 31: Pitfalls of OSSEC
- Difficulty in upgrades between versions
- Coordinating pre-shared keys can be problematic
- Sometimes agents become unresponsive
- Volume of alerts
- In testing, OSSEC is great for early warning but not so good in a post compromise situation

Slide 32: Questions
Thank you.

