Nagios Conference 2013 - John Lowry - Using Nagios as a Security Monitoring Framework

•Télécharger en tant que ODP, PDF•

2 j'aime•1,244 vues

John Lowry's presentation on Using Nagios as a Security Monitoring Framework. The presentation was given during the Nagios World Conference North America held Sept 20-Oct 2nd, 2013 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/nwcna

Technologie Design

Using Nagios as a Security
Monitoring Framework
John Lowry
johnlowry@gmail.com

3
Frameworks > Out of the Box
OOTB is “one size fits all”

4
Frameworks > Out of the Box
OOTB is “one size fits all”
OOTB assumes things about your infrastructure

5
Frameworks > Out of the Box
OOTB is “one size fits all”
OOTB assumes things about your infrastructure
Frameworks require a lot more work upfront

6
Frameworks > Out of the Box
OOTB is “one size fits all”
OOTB assumes things about your infrastructure
Frameworks require a lot more work upfront
Frameworks mean a steeper learning curve

7
Frameworks > Out of the Box
OOTB is “one size fits all”
OOTB assumes things about your infrastructure
Frameworks require a lot more work upfront
Frameworks mean a steeper learning curve
Framework means it is infinitely configurable

8
Frameworks > Out of the Box
OOTB is “one size fits all”
OOTB assumes things about your infrastructure
Frameworks require a lot more work upfront
Frameworks mean a steeper learning curve
Framework means it is infinitely configurable
Framework means it is as good as you want it
to be.

10
Why Nagios for security?
Alert framework is robust

11
Why Nagios for security?
Alert framework is robust
Escalations for duty rotation and making sure
SOMEONE gets the alert

12
Why Nagios for security?
Alert framework is robust
Escalations for duty rotation and making sure
SOMEONE gets the alert
It is built for anomaly detection.

13
Why Nagios for security?
Alert framework is robust
Escalations for duty rotation and making sure
SOMEONE gets the alert
It is built for anomaly detection. <--HUGE PART
OF SECURITY

14
Basic Strategies for Anomaly Detection

15
Anomaly Detection
Basic “Out of the box” Nagios is pretty good at
this

16
Anomaly Detection
Basic “Out of the box” Nagios is pretty good at
this
Tells you when a service or a host has
problems.

17
Anomaly Detection
Basic “Out of the box” Nagios is pretty good at
this
Tells you when a service or a host has
problems.
Security and sysadmins ask: Why is this HTTP
server throwing 500 messages? Why is this
SNMP trap getting generated?

18
Anomaly Detection
Basic “Out of the box” Nagios is pretty good at
this
Tells you when a service or a host has
problems.
Security and sysadmins ask: Why is this HTTP
server throwing 500 messages? Why is this
SNMP trap getting generated?
Nagios, when setup correctly, knows what is
“normal” and when something anomalous
happens you get an alert.

20
Noise versus Signal
Rabbits versus the Army
There is such a thing as too much information
False positives train one to ignore alerts

21
Triage every alert
If it is a valid alert, you are SUPPOSED to fix it.
Make a ticket, prioritize it, fix it, DO
SOMETHING, do not ignore it.

22
Regularly update your monitoring
If you are getting false positives, fix the check
Tune the frequency, do not be the source of the
problem
Active tuning, daily, weekly, monthly.

23
Integrating External Tools
AV
IDS/IPS, HIDS, FIC
Log monitoring
Host and service detection (nmap)
SNMP Traps
If you get email from a tool and it runs under
cron, consider using Nagios to manage it.

25
Passive check strategies
Results of a passive check is submitted to
nagios.cmd and is picked up based on
check_results_reaper_event

26
Passive check strategies
Results of a passive check is submitted to
nagios.cmd and is picked up based on
check_results_reaper_event
Status goes back to “NORMAL” on the next
host check.

27
Passive check strategies
Results of a passive check is submitted to
nagios.cmd and is picked up based on
check_results_reaper_event
Status goes back to “NORMAL” on the next
host check.
So one alert, instead of multiple alerts.

28
Passive check strategies
Results of a passive check is submitted to
nagios.cmd and is picked up based on
check_results_reaper_event
Status goes back to “NORMAL” on the next
host check.
So one alert, instead of multiple alerts.
Good for some forensics, not so good if
someone misses it.

29
Passive check strategies
Results of a passive check is submitted to
nagios.cmd and is picked up based on
check_results_reaper_event
Status goes back to “NORMAL” on the next
host check.
So one alert, instead of multiple alerts.
Good for some forensics, not so good if
someone misses it.
But this happens anyway.

31
Example
Workstation Incident Response

32
Example
Workstation Incident Response
Palo Alto or ePO detects some activity, sends a
SNMP trap to NSTI

33
Example
Workstation Incident Response
Palo Alto or ePO detects some activity, sends a
SNMP trap to NSTI
Nagios then uses an event handler to grab 24
hours of pcap data. Use Bro to look for
interesting traffic, file a ticket, with attached files

34
Example
Workstation Incident Response
Palo Alto or ePO detects some activity, sends a
SNMP trap to NSTI
Nagios then uses an event handler to grab 24
hours of pcap data. Use Bro to look for
interesting traffic, file a ticket, with attached files
All while I am getting coffee

Contenu connexe

Plus de Nagios

Janice Singh - Writing Custom Nagios Plugins

Nagios

Dave Williams - Nagios Log Server - Practical Experience

Nagios

Mike Weber - Nagios and Group Deployment of Service Checks

Nagios

Mike Guthrie - Revamping Your 10 Year Old Nagios Installation

Nagios

Bryan Heden - Agile Networks - Using Nagios XI as the platform for Monitoring...

Nagios

Matt Bruzek - Monitor Public Cloud Use Nagios to monitor your public cloud. - No debian installer for Nagios 4? No problem! Deploy your public cloud with Juju and you can connect Nagios core services to your Ubuntu instances in the cloud. In this session, Matt will quickly go over the basic concepts of Juju and spend the rest of the time walking through examples of deploying Nagios monitoring solutions

Matt Bruzek - Monitoring Your Public Cloud With Nagios

Nagios

Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.

Nagios

Eric Loyd - Fractal Nagios

Nagios

Marcelo Perazolo, Lead Software Architect, IBM Corporation - Monitoring a Pow...

Nagios

Thomas Schmainda - Tracking Boeing Satellites With Nagios - Nagios World Conf...

Nagios

Nagios World Conference 2015 - Scott Wilkerson Opening

Nagios

NRPE - Nagios Remote Plugin Executor - NRPE enables users to remotely execute Nagios plugins on any Linux/Unix machine, allowing remote metrics monitoring. In addition, users can communicate with Windows agent add-ons, which executes scripts and metrics checks on remote Windows machines. ============ Version: 2.14, 2.15 Source: nrpe-2.1[4|5].tar.gz Platform: Centos 6.5 x64 (Nagios client) Compile1: ./configure --enable-ssl --with-nrpe-user=nagios --with-nrpe-group=nagios --with-nagios-user=nagios --with-nagios-group=nagios --libexecdir=/opt/nagios/libexec/ --bindir=/opt/nagios/bin/ --prefix=/opt/nagios Compile2: ./configure --enable-ssl --with-nrpe-user=nagios --with-nrpe-group=nagios --with-nagios-user=nagios --with-nagios-group=nagios --libexecdir=/opt/nagios/libexec/ --bindir=/opt/nagios/bin/ --prefix=/opt/nagios --with-cacert-file --with-privatekey-file

Nrpe - Nagios Remote Plugin Executor. NRPE plugin for Nagios Core

Nagios

Nagios Log Server greatly simplifies the process of searching your log data. Set up alerts to notify you when potential threats arise, or simply filter your data to quickly audit your system. With Log Server, you get all of your data in one location, with high availability and fail-over built right in. Quickly monitor your servers with configuration wizards and start monitoring your logs in minutes. Learn more here: https://www.nagios.com/products/nagios-log-server/ Free download (60 day trial): https://www.nagios.com/downloads/nagios-log-server/

Nagios Log Server - Features

Nagios

Nagios Network Analyzer - Features

Nagios

Nagios Conference 2014 - Dorance Martinez Cortes - Customizing Nagios

Nagios

Nagios Conference 2014 - Mike Weber - Nagios Rapid Deployment Options

Nagios

Nagios Conference 2014 - Eric Mislivec - Getting Started With Nagios Core

Nagios

Nagios Conference 2014 - Trevor McDonald - Monitoring The Physical World With...

Nagios

Nagios Conference 2014 - Andy Brist - Nagios XI Failover and HA Solutions

Nagios

Nagios Conference 2014 - Shamas Demoret - An Overview of Nagios Solutions

Nagios

Plus de Nagios (20)

Janice Singh - Writing Custom Nagios Plugins

Dave Williams - Nagios Log Server - Practical Experience

Mike Weber - Nagios and Group Deployment of Service Checks

Mike Guthrie - Revamping Your 10 Year Old Nagios Installation

Bryan Heden - Agile Networks - Using Nagios XI as the platform for Monitoring...

Matt Bruzek - Monitoring Your Public Cloud With Nagios

Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.

Eric Loyd - Fractal Nagios

Marcelo Perazolo, Lead Software Architect, IBM Corporation - Monitoring a Pow...

Thomas Schmainda - Tracking Boeing Satellites With Nagios - Nagios World Conf...

Nagios World Conference 2015 - Scott Wilkerson Opening

Nrpe - Nagios Remote Plugin Executor. NRPE plugin for Nagios Core

Nagios Log Server - Features

Nagios Network Analyzer - Features

Nagios Conference 2014 - Dorance Martinez Cortes - Customizing Nagios

Nagios Conference 2014 - Mike Weber - Nagios Rapid Deployment Options

Nagios Conference 2014 - Eric Mislivec - Getting Started With Nagios Core

Nagios Conference 2014 - Trevor McDonald - Monitoring The Physical World With...

Nagios Conference 2014 - Andy Brist - Nagios XI Failover and HA Solutions

Nagios Conference 2014 - Shamas Demoret - An Overview of Nagios Solutions

Dernier

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Exploring Multimodal Embeddings with Milvus

Zilliz

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

Accelerating FinTech Innovation: Unleashing API Economy and GenAI Vasa Krishnan, Chief Technology Officer - FinResults Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

apidays

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

Dubai, known for its towering skyscrapers, luxurious lifestyle, and relentless pursuit of innovation, often finds itself in the global spotlight. However, amidst the glitz and glamour, the emirate faces its own set of challenges, including the occasional threat of flooding. In recent years, Dubai has experienced sporadic but significant floods, disrupting normalcy and posing unique challenges to its infrastructure. Among the critical nodes in this bustling metropolis is the Dubai International Airport, a vital hub connecting the world. This article delves into the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Orbitshub

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

💥 You’re lucky! We’ve found two different (lead) developers that are willing to share their valuable lessons learned about using UiPath Document Understanding! Based on recent implementations in appealing use cases at Partou and SPIE. Don’t expect fancy videos or slide decks, but real and practical experiences that will help you with your own implementations. 📕 Topics that will be addressed: • Training the ML-model by humans: do or don't? • Rule-based versus AI extractors • Tips for finding use cases • How to start 👨‍🏫👨‍💻 Speakers: o Dion Morskieft, RPA Product Owner @Partou o Jack Klein-Schiphorst, Automation Developer @Tacstone Technology

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

UiPathCommunity

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

Dubai, often portrayed as a shimmering oasis in the desert, faces its own set of challenges, including the occasional threat of flooding. Despite its reputation for opulence and modernity, the emirate is not immune to the forces of nature. In recent years, Dubai has experienced sporadic but significant floods, testing the resilience of its infrastructure and communities. Among the critical lifelines in this bustling metropolis is the Dubai International Airport, a bustling hub that connects the city to the world. This article explores the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

Orbitshub

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Keynote 2: APIs in 2030: The Risk of Technological Sleepwalk Paolo Malinverno, Growth Advisor - The Business of Technology Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

apidays

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

DBX First Quarter 2024 Investor Presentation

Dropbox

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Zilliz

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Dernier (20)

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Exploring Multimodal Embeddings with Milvus

How to Troubleshoot Apps for the Modern Connected Worker

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

presentation ICT roal in 21st century education

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Artificial Intelligence Chap.5 : Uncertainty

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

DBX First Quarter 2024 Investor Presentation

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Nagios Conference 2013 - John Lowry - Using Nagios as a Security Monitoring Framework

1. Using Nagios as a Security Monitoring Framework John Lowry johnlowry@gmail.com

2. 2 Frameworks > Out of the Box

3. 3 Frameworks > Out of the Box OOTB is “one size fits all”

4. 4 Frameworks > Out of the Box OOTB is “one size fits all” OOTB assumes things about your infrastructure

5. 5 Frameworks > Out of the Box OOTB is “one size fits all” OOTB assumes things about your infrastructure Frameworks require a lot more work upfront

6. 6 Frameworks > Out of the Box OOTB is “one size fits all” OOTB assumes things about your infrastructure Frameworks require a lot more work upfront Frameworks mean a steeper learning curve

7. 7 Frameworks > Out of the Box OOTB is “one size fits all” OOTB assumes things about your infrastructure Frameworks require a lot more work upfront Frameworks mean a steeper learning curve Framework means it is infinitely configurable

8. 8 Frameworks > Out of the Box OOTB is “one size fits all” OOTB assumes things about your infrastructure Frameworks require a lot more work upfront Frameworks mean a steeper learning curve Framework means it is infinitely configurable Framework means it is as good as you want it to be.

9. 9 Why Nagios for security?

10. 10 Why Nagios for security? Alert framework is robust

11. 11 Why Nagios for security? Alert framework is robust Escalations for duty rotation and making sure SOMEONE gets the alert

12. 12 Why Nagios for security? Alert framework is robust Escalations for duty rotation and making sure SOMEONE gets the alert It is built for anomaly detection.

13. 13 Why Nagios for security? Alert framework is robust Escalations for duty rotation and making sure SOMEONE gets the alert It is built for anomaly detection. <--HUGE PART OF SECURITY

14. 14 Basic Strategies for Anomaly Detection

15. 15 Anomaly Detection Basic “Out of the box” Nagios is pretty good at this

16. 16 Anomaly Detection Basic “Out of the box” Nagios is pretty good at this Tells you when a service or a host has problems.

17. 17 Anomaly Detection Basic “Out of the box” Nagios is pretty good at this Tells you when a service or a host has problems. Security and sysadmins ask: Why is this HTTP server throwing 500 messages? Why is this SNMP trap getting generated?

18. 18 Anomaly Detection Basic “Out of the box” Nagios is pretty good at this Tells you when a service or a host has problems. Security and sysadmins ask: Why is this HTTP server throwing 500 messages? Why is this SNMP trap getting generated? Nagios, when setup correctly, knows what is “normal” and when something anomalous happens you get an alert.

19. 20 Noise versus Signal Rabbits versus the Army There is such a thing as too much information False positives train one to ignore alerts

20. 21 Triage every alert If it is a valid alert, you are SUPPOSED to fix it. Make a ticket, prioritize it, fix it, DO SOMETHING, do not ignore it.

21. 22 Regularly update your monitoring If you are getting false positives, fix the check Tune the frequency, do not be the source of the problem Active tuning, daily, weekly, monthly.

22. 23 Integrating External Tools AV IDS/IPS, HIDS, FIC Log monitoring Host and service detection (nmap) SNMP Traps If you get email from a tool and it runs under cron, consider using Nagios to manage it.

23. 24 Passive check strategies

24. 25 Passive check strategies Results of a passive check is submitted to nagios.cmd and is picked up based on check_results_reaper_event

25. 26 Passive check strategies Results of a passive check is submitted to nagios.cmd and is picked up based on check_results_reaper_event Status goes back to “NORMAL” on the next host check.

26. 27 Passive check strategies Results of a passive check is submitted to nagios.cmd and is picked up based on check_results_reaper_event Status goes back to “NORMAL” on the next host check. So one alert, instead of multiple alerts.

27. 28 Passive check strategies Results of a passive check is submitted to nagios.cmd and is picked up based on check_results_reaper_event Status goes back to “NORMAL” on the next host check. So one alert, instead of multiple alerts. Good for some forensics, not so good if someone misses it.

28. 29 Passive check strategies Results of a passive check is submitted to nagios.cmd and is picked up based on check_results_reaper_event Status goes back to “NORMAL” on the next host check. So one alert, instead of multiple alerts. Good for some forensics, not so good if someone misses it. But this happens anyway.

29. 30 Some Automation

30. 31 Example Workstation Incident Response

31. 32 Example Workstation Incident Response Palo Alto or ePO detects some activity, sends a SNMP trap to NSTI

32. 33 Example Workstation Incident Response Palo Alto or ePO detects some activity, sends a SNMP trap to NSTI Nagios then uses an event handler to grab 24 hours of pcap data. Use Bro to look for interesting traffic, file a ticket, with attached files

33. 34 Example Workstation Incident Response Palo Alto or ePO detects some activity, sends a SNMP trap to NSTI Nagios then uses an event handler to grab 24 hours of pcap data. Use Bro to look for interesting traffic, file a ticket, with attached files All while I am getting coffee

34. 35 FIN Questions?

Nagios Conference 2013 - John Lowry - Using Nagios as a Security Monitoring Framework

Recommandé

Recommandé

Contenu connexe

Plus de Nagios

Plus de Nagios (20)

Dernier

Dernier (20)

Nagios Conference 2013 - John Lowry - Using Nagios as a Security Monitoring Framework