OSSEC Workshop
Wim Remes - Xavier Mertens
BH EU 2011

Thursday 17 March 2011
About Us

• Wim
  • works for EY Belgium
  • Security Consultant
  • Eurotrash
  • InfoSec Mentors
  • Brucon

• Xavier
  • Senior Security Consultant for a Belgium company
  • Security Blogger

Technical Breakdown

Technical Issues

• Mix of OS / Application / Protocols
• Thousands of events to process
• Multiple consoles/tools
• Keep Security at the highest level (“CIA” principle)

Find the Differences...

• Aug 27 14:33:01 macosx ipfw: 12190 Deny TCP 192.168.13.1:2060 192.168.13.104:5000 in via en1
• %PIX-3-313001: Denied ICMP type=11, code=0 from 192.168.30.2 on interface 2

Two firewalls, two formats, one kind of event: a denied packet with a source address.

Economic Issues

• “Time is Money” (24x7, no downtime)
• Reduced staff & budget
• Happy shareholders
• This costs $$$ and HH:MM! (Commercial as well as Free!)

Legal Issues

• Compliance requirements (by “group” or by business)
• Local laws (retention, data protection)
• Due diligence & due care

Challenges

• Creation and archiving of log files (centralized)
• Analyze (Normalization)
• Follow-up
• Reporting

Layers Model (top to bottom)

• Reporting
• Correlation
• Search
• Storage
• Normalization
• Log Collection

OSSEC in a Nutshell
“Because everybody must take care of logs”

Core Features

• OSSEC is a free HIDS
• Features
  • Log Analysis / File Integrity Checks
  • Policy Monitoring
  • Rootkit Detection
  • Actions (Alerts / Active Response)
  • Open to 3rd party products

OSSEC Position

(diagram) Log Management Solutions (Focus on Logs) -- OSSEC -- SIEM Solutions (Focus on Security): OSSEC sits between the two.

OSSEC cannot...

• Detect access to files (except based on info provided by the OS)
• Use proprietary protocols > you have to convert them to Syslog (ex: CheckPoint)
• Display nice graphs
• OSSEC is just a (dumb) tool!

It’s not a product...
(c) Bruce

• Problems? Results!
• Proof of Concept with limited scope
• Test procedures from A to Z
• Procedures! (yeah, boring)

Starter’s Kit

• A Linux box
• Enough Storage
• Some UNIX/networking knowledge
• Script-Fu can be helpful
• Free time!

Architecture

• Architecture
  • Server
  • Agents (UNIX & Windows)
  • DB (optional)
  • 3rd Party Products (optional)

Software Components

    Component      Server   Agent
    logcollector     x        x
    agentd          (x)       x
    execd            x        x
    syscheckd        x        x
    analysisd        x
    maild            x
    remoted          x
    monitord         x
    reportd          x
    csyslogd         x

Supported Log Formats

• UNIX & tools
• FTP / SMTP / HTTP servers
• Firewalls
• DB’s
• Security Tools
• Commercial (CP, VMware, Bluecoat, ...)
• Almost anything (custom decoders)

Decoded Variables

• location
• hostname
• log_tag
• srcip, dstip
• srcport, dstport
• protocol
• action
• user, dstuser
• id
• command
• url
• data

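The normalization step behind the two firewall lines on the "Find the Differences" slide and the variable list above, as an added example that is not part of the workshop material: a small Python decoder maps both the ipfw line and the PIX line onto the same decoded-variable schema, so that a single rule (here "every denied packet") applies to both. The two log lines are the slide's own; the file paths, the PIX log_tag value and the use of `data` for the raw line are my assumptions.

```python
import re

# Constructed inputs: the two lines from the "Find the Differences" slide, paired
# with the file each would be read from (OSSEC's "location"); the paths are assumed.
SAMPLES = [
    ("/var/log/system.log",
     "Aug 27 14:33:01 macosx ipfw: 12190 Deny TCP 192.168.13.1:2060 192.168.13.104:5000 in via en1"),
    ("/var/log/pix.log",
     "%PIX-3-313001: Denied ICMP type=11, code=0 from 192.168.30.2 on interface 2"),
]

# The decoded-variable names listed on the slide; every decoder fills this one schema.
FIELDS = ("location", "hostname", "log_tag", "srcip", "dstip", "srcport", "dstport",
          "protocol", "action", "user", "dstuser", "id", "command", "url", "data")

# Syslog header: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_HDR = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
# ipfw body: "<rule> <Deny|Accept> <proto> <src>:<port> <dst>:<port> <in|out> via <iface>"
IPFW_MSG = re.compile(
    r"^(?P<id>\d+) (?P<action>\w+) (?P<proto>\w+) (?P<srcip>[\d.]+):(?P<srcport>\d+) "
    r"(?P<dstip>[\d.]+):(?P<dstport>\d+) (?P<dir>in|out) via (?P<iface>\S+)")
# Cisco PIX: "%PIX-<severity>-<msgid>: Denied <proto> ... from <ip> ..."
PIX_MSG = re.compile(
    r"^%PIX-(?P<sev>\d)-(?P<id>\d+): (?P<action>\w+) (?P<proto>\w+).*? from (?P<srcip>[\d.]+)")

# Normalization: vendor wording -> one vocabulary that rules can match on.
ACTIONS = {"deny": "deny", "denied": "deny", "accept": "accept", "permit": "accept"}


def decode(location, line):
    """Map one raw line onto the common field set; unknown formats keep only location/data."""
    ev = dict.fromkeys(FIELDS)
    ev["location"], ev["data"] = location, line   # raw line kept in "data" (my choice)
    m = SYSLOG_HDR.match(line)
    if m and m.group("prog") == "ipfw":
        ev["hostname"], ev["log_tag"] = m.group("host"), m.group("prog")
        f = IPFW_MSG.match(m.group("msg"))
        if f:
            ev.update(id=f["id"], srcip=f["srcip"], srcport=f["srcport"], dstip=f["dstip"],
                      dstport=f["dstport"], protocol=f["proto"].lower(),
                      action=ACTIONS.get(f["action"].lower(), f["action"].lower()))
    else:
        p = PIX_MSG.match(line)
        if p:   # the PIX line on the slide carries no syslog header, so hostname stays empty
            ev.update(log_tag="PIX", id=p["id"], srcip=p["srcip"], protocol=p["proto"].lower(),
                      action=ACTIONS.get(p["action"].lower(), p["action"].lower()))
    return ev


def denied_sources(samples):
    """One 'rule' over the normalized events: the source IP of every denied packet."""
    return [ev["srcip"] for ev in (decode(loc, line) for loc, line in samples)
            if ev["action"] == "deny"]


if __name__ == "__main__":
    for loc, line in SAMPLES:
        ev = decode(loc, line)
        print({k: v for k, v in ev.items() if v is not None and k != "data"})
    print("denied from:", denied_sources(SAMPLES))
```

The point of the fixed field list is that rules are written once against `action`, `srcip` and friends, never against a vendor's wording; each new log source only needs a decoder that fills the schema.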
Server Installation

• Harden Your Linux Server
• Allow traffic to UDP/1514
• ./install.sh && Answer questions
• ./manage-agents && Create keys

$HOME Sweet $HOME

• ossec.conf
• local_rules.xml
• decoder.xml
• ossec-logtest

Agents Phone $HOME

• Both directions UDP/1514!
• Tools
  • manage_agents
  • list_agents
  • agent_control

Centralized Management

• $OSSECHOME/etc/shared/agent.conf
• Set up config blocks as in ossec.conf:
    <agent_config name="myagent">
      <localfile>
        <location>/var/log/mylog</location>
        <log_format>syslog</log_format>
      </localfile>
    </agent_config>

Reporting

• Simple reporting is provided through ossec-reportd:
    -f <filter> <value>
    -r <filter> <value>

  Example:
    -f group authentication_failed
    -f level 10
    -f group authentication -r user srcip

Reporting (cont)

• Top-20 Offending IP addresses
• Top-20 Offending users
• Top-20 Suspicious alerts
• Top-20 Triggered alerts

Log Archives

• Enable with the following keyword (default off):
    <logall>yes</logall>
• MD5/SHA1 for integrity
• Raw event is stored! (evidence)

Alerts Post Analysis

• OSSEC has a WUI but outdated (IMHO)
• Alternatives
  • Picviz
  • Prelude
  • Splunk or LaaS (Loggly)
    <syslog_output>
      <server>127.0.0.1</server>
      <port>10002</port>
    </syslog_output>

Key Design & Implementation Issues

Time Synchronization

• Use NTP to synchronize your devices
• Mandatory to investigate security incidents

Access Raw Data

• Safe & reliable collection of Syslog flows
• Access to local files (agents)

UDP 1514

• OSSEC adds confidentiality (packets are encrypted) but still relies on UDP
• No caching or heart-beat mechanism

High Availability

• Full Virtual IP + storage sync (Active/Passive)
• Multiple Servers (Failover)
    # ossec.conf
    <client>
      <server-ip>192.168.0.10</server-ip>
      <server-ip>192.168.10.10</server-ip>
    </client>

    # internal_options.conf
    remoted.verify_msg_id=0

Long Term Retention

• $OSSECHOME/logs/archives/YYYY/MMM
• Could fill your filesystem very quickly!
• Procedure must be implemented for long term retention (ex: NAS, DVDs)

Agents Mass-Deployment

• ossec-batch-manager.pl (contrib)
• Deployment tools
  • cfengine (UNIX)
  • Active Directory (Windows)
• New!!
  • Server:
      # /var/ossec/bin/ossec-authd -p 1515 >/dev/null 2>&1 &
  • Client:
      # /var/ossec/bin/agent-auth -m 192.168.1.1 -p 1515

Building/Customizing OSSEC rules

Basics

• $OSSECHOME/rules
• local_rules.xml
  (diagram: rule tree, rule 1 at the root with children 2 and 3 and leaves 4, 5, 6)

Basics
step 1 : decoder.xml

    <decoder name="sshd">
      <program_name>^sshd</program_name>
    </decoder>

    <decoder name="sshd-success">
      <parent>sshd</parent>
      <prematch>^Accepted</prematch>
      <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port </regex>
      <order>user, srcip</order>
      <fts>name, user, location</fts>
    </decoder>

Basics
step 1 : decoder.xml

    <decoder name="sshd">
      <program_name>^sshd</program_name>
    </decoder>

    <decoder name="ssh-denied">
      <parent>sshd</parent>
      <prematch>^User \S+ from </prematch>
      <regex offset="after_parent">^User (\S+) from (\S+) </regex>
      <order>user, srcip</order>
    </decoder>

Basics
step 2 : /var/ossec/sshd_rules.xml

    <rule id="5700" level="0" noalert="1">
      <decoded_as>sshd</decoded_as>
      <description>SSHD messages grouped.</description>
    </rule>

    <rule id="5716" level="5">
      <if_sid>5700</if_sid>
      <match>^Failed|^error: PAM: Authentication</match>
      <description>SSHD authentication failed.</description>
      <group>authentication_failed,</group>
    </rule>

    <rule id="5720" level="10" frequency="6">
      <if_matched_sid>5716</if_matched_sid>
      <same_source_ip />
      <description>Multiple SSHD authentication failures.</description>
      <group>authentication_failures,</group>
    </rule>

(diagram: 5700 -> 5716 -> 5720, each rule building on the previous one)

Basics
step 3 : $OSSECHOME/rules/local_rules.xml

    <rule id="100001" level="0">
      <if_sid>5711</if_sid>
      <srcip>1.1.1.1</srcip>
      <description>Example of rule that will ignore sshd </description>
      <description>failed logins from IP 1.1.1.1.</description>
    </rule>

Test with: $OSSECHOME/bin/ossec-logtest

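How the three rules of step 2 and the level-0 override of step 3 act together, as an added Python model that is neither OSSEC code nor the authors' material (the real daemon is C; its exact behaviour is checked with ossec-logtest): the sshd lines are constructed, the year 2011 is assumed for the timestamps, the failed-login decoder regex and a 120-second timeframe for rule 5720 are my assumptions, and rule 100001 is attached to 5716 (the rule step 2 shows) instead of the slide's 5711. The model fires the composite rule on the sixth match of 5716 from one source inside the window; confirm the exact count with ossec-logtest before relying on it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines (not from the slides): one success, one failure from the
# whitelisted 1.1.1.1, then six failures from 10.0.0.5 within ten seconds.
SAMPLE_LOG = """\
Mar 17 10:00:01 bastion sshd[2101]: Accepted publickey for wim from 10.0.0.2 port 51000 ssh2
Mar 17 10:00:05 bastion sshd[2102]: Failed password for root from 1.1.1.1 port 40001 ssh2
Mar 17 10:00:10 bastion sshd[2103]: Failed password for invalid user admin from 10.0.0.5 port 40010 ssh2
Mar 17 10:00:12 bastion sshd[2104]: Failed password for invalid user admin from 10.0.0.5 port 40011 ssh2
Mar 17 10:00:14 bastion sshd[2105]: Failed password for root from 10.0.0.5 port 40012 ssh2
Mar 17 10:00:16 bastion sshd[2106]: Failed password for root from 10.0.0.5 port 40013 ssh2
Mar 17 10:00:18 bastion sshd[2107]: Failed password for root from 10.0.0.5 port 40014 ssh2
Mar 17 10:00:20 bastion sshd[2108]: Failed password for root from 10.0.0.5 port 40015 ssh2
"""

# Syslog header: "Mon DD HH:MM:SS host program[pid]: message" (year assumed: 2011).
SYSLOG_HDR = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
# Child decoder in the spirit of the slide's sshd decoders: pull user and srcip (assumed regex).
SSHD_FAILED = re.compile(r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<srcip>\S+) port ")

# The slide's rule chain as plain dicts; timeframe is an assumption (the slide sets none).
RULES = [
    {"id": 5700, "level": 0, "decoded_as": "sshd"},
    {"id": 5716, "level": 5, "if_sid": 5700,
     "match": re.compile(r"^Failed|^error: PAM: Authentication")},
    {"id": 100001, "level": 0, "if_sid": 5716, "srcip": "1.1.1.1"},   # step-3 override
    {"id": 5720, "level": 10, "if_matched_sid": 5716,
     "frequency": 6, "timeframe": 120, "same_source_ip": True},
]


def decode(line):
    """Return the decoded event dict, or None if the line is not syslog."""
    m = SYSLOG_HDR.match(line)
    if not m:
        return None
    ev = {"ts": datetime.strptime("2011 " + m.group("ts"), "%Y %b %d %H:%M:%S"),
          "program_name": m.group("prog"), "msg": m.group("msg"),
          "user": None, "srcip": None}
    f = SSHD_FAILED.match(ev["msg"]) if ev["program_name"] == "sshd" else None
    if f:
        ev["user"], ev["srcip"] = f.group("user"), f.group("srcip")
    return ev


class RuleEngine:
    def __init__(self, rules):
        self.rules = rules
        # (composite rule id, srcip) -> timestamps of the matches still inside the window
        self.window = defaultdict(deque)

    def evaluate(self, ev):
        """Return the rule that finally matched the event (None if no rule did)."""
        matched = None
        # Atomic rules: each child refines the rule named in its <if_sid>, so the
        # deepest matching rule wins; a level-0 child silences its parent.
        for r in self.rules:
            if "frequency" in r:
                continue
            if "decoded_as" in r and ev["program_name"] != r["decoded_as"]:
                continue
            if "if_sid" in r and (matched is None or matched["id"] != r["if_sid"]):
                continue
            if "match" in r and not r["match"].search(ev["msg"]):
                continue
            if "srcip" in r and ev["srcip"] != r["srcip"]:
                continue
            matched = r
        if matched is None:
            return None
        final = matched
        # Composite rules: count events whose final rule is <if_matched_sid>, per
        # source IP when <same_source_ip/> is set. Events silenced by 100001 never
        # reach this counter, which is exactly what the whitelist is for.
        for r in self.rules:
            if "frequency" not in r or r["if_matched_sid"] != matched["id"]:
                continue
            key = (r["id"], ev["srcip"] if r.get("same_source_ip") else None)
            q = self.window[key]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > r["timeframe"]:
                q.popleft()                      # drop matches older than the timeframe
            if len(q) >= r["frequency"]:
                final = r
                q.clear()                        # start a fresh window after firing
        return final


def run_engine(log_text, rules=RULES):
    """Evaluate every line in order; return [(rule id, level, srcip)]."""
    engine = RuleEngine(rules)
    results = []
    for line in log_text.splitlines():
        ev = decode(line)
        rule = engine.evaluate(ev) if ev else None
        if rule is not None:
            results.append((rule["id"], rule["level"], ev["srcip"]))
    return results


if __name__ == "__main__":
    for rid, level, srcip in run_engine(SAMPLE_LOG):
        print(f"rule {rid:>6} level {level:>2} srcip {srcip}")
```

Only events with level above 0 become alerts: the success line stops at 5700, the 1.1.1.1 failure ends at the override and is neither alerted nor counted, and the sixth failure from 10.0.0.5 escalates to 5720 at level 10.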
Hands-on

Lab Environment

• ssh student@yourhost (Pass: 0SSEC4ever)
• sudo -s
• Stuff in $HOME/files/
• Live Syslog feed received in /var/log/
• Sendmail available
• Do NOT abuse!

Exercise #1

• Install OSSEC (stand-alone)
• Start collecting events
• Play with configuration files
• Send notifications via e-mail

Exercise #2

• Generate an (email) alert when accesses to Facebook are detected

Solution #2

• In $OSSECHOME/rules/local_rules.xml:
    <!-- Facebook detection rule -->
    <rule id="100030" level="10">
      <match>facebook.com</match>
      <description>Access to Facebook detected!</description>
    </rule>

• Restart OSSEC

Exercise #3

• Monitor (decode) an unknown file format: /var/log/application.log
• Report activity for the user ‘admin’
• Tip: Use ossec-logtest

Solution #3

• Log format:
    Mar 10 23:36:43 foo application[4583]: john created /data/report134.ppt

• In $OSSECHOME/etc/decoder.xml:
    <decoder name="newapp">
      <program_name>application</program_name>
    </decoder>
    <decoder name="newapp-event">
      <parent>newapp</parent>
      <regex>^(\S+)</regex>
      <order>user</order>
    </decoder>

Solution #3 (cont)

• In $OSSECHOME/etc/ossec.conf:
    <localfile>
      <log_format>syslog</log_format>
      <location>/var/log/application.log</location>
    </localfile>

Solution #3 (cont)

• In $OSSECHOME/rules/local_rules.xml:
    <rule id="100040" level="0">
      <decoded_as>newapp</decoded_as>
      <description>New Application Event</description>
    </rule>
    <rule id="100041" level="10">
      <if_sid>100040</if_sid>
      <user>admin</user>
      <description>User admin activity detected</description>
    </rule>

• Restart OSSEC

Exercise #4

• Suspicious access detection
• Detect SSH access from Belgium
• Tips
  • Use an Active-Response script
  • GeoIP API in $HOME/files/geoip

Solution #4

• Install the GeoIP RPM
• Copy the new Active-Response script (geoip.sh) into $OSSECHOME/active-response/bin
• Review the script content

Solution #4 (cont)

• Configure the Active-Response script in $OSSECHOME/etc/ossec.conf:
    <command>
      <name>geoip-lookup</name>
      <executable>geoip.sh</executable>
      <expect>srcip</expect>
    </command>

Solution #4 (cont)

• Find the right rules to attach the Active-Response to (ex: #5501 - Login session opened)
• Link the Active-Response to the rule:
    <active-response>
      <command>geoip-lookup</command>
      <location>server</location>
      <rules_id>5501</rules_id>
    </active-response>

• Restart OSSEC

Solution #4 (cont)

• Monitor the new logfile:
    <localfile>
      <location>/var/log/geoip.log</location>
      <log_format>syslog</log_format>
    </localfile>

• Create a new rule:
    <rule id="100100" level="10">
      <regex>Detected \S+ from BE, Belgium</regex>
      <description>Suspicious login from Belgium</description>
    </rule>

• Restart OSSEC and watch alerts.log

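The active-response loop of exercise #4 (the script receives the srcip of the matched event, appends a syslog-style line to /var/log/geoip.log, and rule 100100 matches that line), as an added Python stand-in for geoip.sh that is not the workshop's script: the country table replaces the lab's GeoIP API (constructed), the hostname comes from the machine, and the action/user/srcip argument order is the convention OSSEC uses when it executes an active-response program. The IP check is the part worth copying: the argument is lifted straight out of an attacker-influenced log line and the script runs with OSSEC's privileges, so nothing but a well-formed address should ever reach a command or a file.

```python
import ipaddress
import re
import socket
import sys
import time

# Constructed lookup table standing in for the lab's GeoIP API (an assumption).
GEO_TABLE = {"10.0.0.5": ("BE", "Belgium"), "192.0.2.10": ("US", "United States")}

# Rule 100100's regex from the slide, as a Python pattern.
RULE_100100 = re.compile(r"Detected \S+ from BE, Belgium")


def validate_srcip(value):
    """Accept only a plain IP literal; the value originates in the matched log line."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        raise ValueError(f"refusing non-IP srcip argument: {value!r}") from None


def geoip_line(srcip, lookup=GEO_TABLE, now=None):
    """Build the syslog-formatted line the script appends to /var/log/geoip.log.

    The header must look like syslog so that <log_format>syslog</log_format>
    decodes it and rule 100100 gets to see the message part.
    """
    srcip = validate_srcip(srcip)
    cc, country = lookup.get(srcip, ("--", "unknown"))
    stamp = time.strftime("%b %d %H:%M:%S", time.localtime(now))
    return f"{stamp} {socket.gethostname()} geoip: Detected {srcip} from {cc}, {country}"


def rule_fires(line):
    """Would rule 100100 alert on this line?"""
    return RULE_100100.search(line) is not None


def main(argv):
    # OSSEC active-response argument convention: <action> <user> <srcip>
    # (action is "add" on the triggering event, "delete" when a timeout expires).
    if len(argv) < 4 or argv[1] != "add":
        return 0
    line = geoip_line(argv[3])          # raises on anything that is not an IP
    with open("/var/log/geoip.log", "a") as fh:   # path from the slide
        fh.write(line + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With OSSEC's <location>server</location> the lookup runs on the manager, so the GeoIP database only has to exist there; the alert still carries the srcip from the original sshd event.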
Other Examples

• MySQL database integrity audit
• USB-stick detection on Windows
• Rogue access detection (using geo-localization)
• Mapping data on Google Maps
• Temporary lookup tables

Happy Logging!
xavier (at) rootshell (dot) be
wremes (at) gmail (dot) com

Contenu connexe

En vedette

Improve Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMImprove Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMAlienVault
 
Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014Santiago Bassett
 
Advanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAdvanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAlienVault
 
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014Santiago Bassett
 
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...AlienVault
 
Security Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMEAlienVault
 
Security Operation Center - Design & Build
Security Operation Center - Design & BuildSecurity Operation Center - Design & Build
Security Operation Center - Design & BuildSameer Paradia
 
Apache storm vs. Spark Streaming
Apache storm vs. Spark StreamingApache storm vs. Spark Streaming
Apache storm vs. Spark StreamingP. Taylor Goetz
 

En vedette (9)

Improve Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMImprove Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USM
 
Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014
 
Advanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAdvanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source Security
 
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014
 
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
 
Security Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SME
 
Security Operation Center - Design & Build
Security Operation Center - Design & BuildSecurity Operation Center - Design & Build
Security Operation Center - Design & Build
 
Cisco OpenSOC
Cisco OpenSOCCisco OpenSOC
Cisco OpenSOC
 
Apache storm vs. Spark Streaming
Apache storm vs. Spark StreamingApache storm vs. Spark Streaming
Apache storm vs. Spark Streaming
 

Similaire à Blackhat Workshop

Integrating ECM (WebCenter Content) with your Enterprise! 5 Tips to Try, 5 Tr...
Integrating ECM (WebCenter Content) with your Enterprise! 5 Tips to Try, 5 Tr...Integrating ECM (WebCenter Content) with your Enterprise! 5 Tips to Try, 5 Tr...
Integrating ECM (WebCenter Content) with your Enterprise! 5 Tips to Try, 5 Tr...Brian Huff
 
How I stopped worrying about and loved DumpRenderTree
How I stopped worrying about and loved DumpRenderTreeHow I stopped worrying about and loved DumpRenderTree
How I stopped worrying about and loved DumpRenderTreeHajime Morrita
 
The Reluctant SysAdmin : 360|iDev Austin 2010
The Reluctant SysAdmin : 360|iDev Austin 2010The Reluctant SysAdmin : 360|iDev Austin 2010
The Reluctant SysAdmin : 360|iDev Austin 2010Voxilate
 
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierOSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierBasis Technology
 
Nuxeo introduction to ecr at the NYC Java meetup, April 2011
Nuxeo introduction to ecr at the NYC Java meetup, April 2011Nuxeo introduction to ecr at the NYC Java meetup, April 2011
Nuxeo introduction to ecr at the NYC Java meetup, April 2011Nuxeo
 
Fred - a new desktop window boosting Alfresco
Fred - a new desktop window boosting Alfresco Fred - a new desktop window boosting Alfresco
Fred - a new desktop window boosting Alfresco Alfresco Software
 
Spotify: Horizontal Scalability for Great Success
Spotify: Horizontal Scalability for Great SuccessSpotify: Horizontal Scalability for Great Success
Spotify: Horizontal Scalability for Great SuccessNick Barkas
 
Donating a mature project to Eclipse
Donating a mature project to EclipseDonating a mature project to Eclipse
Donating a mature project to Eclipseglynnormington
 
GGUG:Practical DSL Design
GGUG:Practical DSL DesignGGUG:Practical DSL Design
GGUG:Practical DSL DesignSkills Matter
 
Autopsy 3.0 - Open Source Digital Forensics Conference
Autopsy 3.0 - Open Source Digital Forensics ConferenceAutopsy 3.0 - Open Source Digital Forensics Conference
Autopsy 3.0 - Open Source Digital Forensics ConferenceBasis Technology
 
Debugging and Profiling Symfony Apps
Debugging and Profiling Symfony AppsDebugging and Profiling Symfony Apps
Debugging and Profiling Symfony AppsAlvaro Videla
 
Migration from Fast ESP to Lucene Solr - Michael McIntosh
Migration from Fast ESP to Lucene Solr - Michael McIntoshMigration from Fast ESP to Lucene Solr - Michael McIntosh
Migration from Fast ESP to Lucene Solr - Michael McIntoshlucenerevolution
 
Monitoring is easy, why are we so bad at it presentation
Monitoring is easy, why are we so bad at it  presentationMonitoring is easy, why are we so bad at it  presentation
Monitoring is easy, why are we so bad at it presentationTheo Schlossnagle
 
The Dark Depths of iOS [CodeMash 2011]
The Dark Depths of iOS [CodeMash 2011]The Dark Depths of iOS [CodeMash 2011]
The Dark Depths of iOS [CodeMash 2011]Chris Adamson
 
Node js techtalksto
Node js techtalkstoNode js techtalksto
Node js techtalkstoJason Diller
 
Gaelyk - Guillaume Laforge - GR8Conf Europe 2011
Gaelyk - Guillaume Laforge - GR8Conf Europe 2011Gaelyk - Guillaume Laforge - GR8Conf Europe 2011
Gaelyk - Guillaume Laforge - GR8Conf Europe 2011Guillaume Laforge
 

Similaire à Blackhat Workshop (20)

RunDeck
RunDeckRunDeck
RunDeck
 
1 Unix basics. Part 1
1 Unix basics. Part 11 Unix basics. Part 1
1 Unix basics. Part 1
 
Integrating ECM (WebCenter Content) with your Enterprise! 5 Tips to Try, 5 Tr...
Integrating ECM (WebCenter Content) with your Enterprise! 5 Tips to Try, 5 Tr...Integrating ECM (WebCenter Content) with your Enterprise! 5 Tips to Try, 5 Tr...
Integrating ECM (WebCenter Content) with your Enterprise! 5 Tips to Try, 5 Tr...
 
How I stopped worrying about and loved DumpRenderTree
How I stopped worrying about and loved DumpRenderTreeHow I stopped worrying about and loved DumpRenderTree
How I stopped worrying about and loved DumpRenderTree
 
The Reluctant SysAdmin : 360|iDev Austin 2010
The Reluctant SysAdmin : 360|iDev Austin 2010The Reluctant SysAdmin : 360|iDev Austin 2010
The Reluctant SysAdmin : 360|iDev Austin 2010
 
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierOSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
 
Nuxeo introduction to ecr at the NYC Java meetup, April 2011
Nuxeo introduction to ecr at the NYC Java meetup, April 2011Nuxeo introduction to ecr at the NYC Java meetup, April 2011
Nuxeo introduction to ecr at the NYC Java meetup, April 2011
 
Fred - a new desktop window boosting Alfresco
Fred - a new desktop window boosting Alfresco Fred - a new desktop window boosting Alfresco
Fred - a new desktop window boosting Alfresco
 
Spotify: Horizontal Scalability for Great Success
Spotify: Horizontal Scalability for Great SuccessSpotify: Horizontal Scalability for Great Success
Spotify: Horizontal Scalability for Great Success
 
Donating a mature project to Eclipse
Donating a mature project to EclipseDonating a mature project to Eclipse
Donating a mature project to Eclipse
 
Webops dashboards
Webops dashboardsWebops dashboards
Webops dashboards
 
GGUG:Practical DSL Design
GGUG:Practical DSL DesignGGUG:Practical DSL Design
GGUG:Practical DSL Design
 
Autopsy 3.0 - Open Source Digital Forensics Conference
Autopsy 3.0 - Open Source Digital Forensics ConferenceAutopsy 3.0 - Open Source Digital Forensics Conference
Autopsy 3.0 - Open Source Digital Forensics Conference
 
Debugging and Profiling Symfony Apps
Debugging and Profiling Symfony AppsDebugging and Profiling Symfony Apps
Debugging and Profiling Symfony Apps
 
Migration from Fast ESP to Lucene Solr - Michael McIntosh
Migration from Fast ESP to Lucene Solr - Michael McIntoshMigration from Fast ESP to Lucene Solr - Michael McIntosh
Migration from Fast ESP to Lucene Solr - Michael McIntosh
 
Monitoring is easy, why are we so bad at it presentation
Monitoring is easy, why are we so bad at it  presentationMonitoring is easy, why are we so bad at it  presentation
Monitoring is easy, why are we so bad at it presentation
 
The Dark Depths of iOS [CodeMash 2011]
The Dark Depths of iOS [CodeMash 2011]The Dark Depths of iOS [CodeMash 2011]
The Dark Depths of iOS [CodeMash 2011]
 
Node js techtalksto
Node js techtalkstoNode js techtalksto
Node js techtalksto
 
Stardog talk-dc-march-17
Stardog talk-dc-march-17Stardog talk-dc-march-17
Stardog talk-dc-march-17
 
Gaelyk - Guillaume Laforge - GR8Conf Europe 2011
Gaelyk - Guillaume Laforge - GR8Conf Europe 2011Gaelyk - Guillaume Laforge - GR8Conf Europe 2011
Gaelyk - Guillaume Laforge - GR8Conf Europe 2011
 

Plus de wremes

Distributed Denial Of Service Introduction
Distributed Denial Of Service IntroductionDistributed Denial Of Service Introduction
Distributed Denial Of Service Introductionwremes
 
Intro to Malware Analysis
Intro to Malware AnalysisIntro to Malware Analysis
Intro to Malware Analysiswremes
 
Crème Brulée :-)
Crème Brulée :-)Crème Brulée :-)
Crème Brulée :-)wremes
 
Vinnes jayson koken
Vinnes jayson kokenVinnes jayson koken
Vinnes jayson kokenwremes
 
Build Your Own Incident Response
Build Your Own Incident ResponseBuild Your Own Incident Response
Build Your Own Incident Responsewremes
 
Secure Abu Dhabi talk
Secure Abu Dhabi talkSecure Abu Dhabi talk
Secure Abu Dhabi talkwremes
 
Collaborate, Innovate, Secure
Collaborate, Innovate, SecureCollaborate, Innovate, Secure
Collaborate, Innovate, Securewremes
 

Blackhat Workshop

  • 1. OSSEC Workshop Wim Remes - Xavier Mertens BH EU 2011 Thursday 17 March 2011
  • 2. About Us
    • Wim
      • Works for EY Belgium
      • Security Consultant
      • Eurotrash
      • InfoSec Mentors
      • Brucon
    • Xavier
      • Senior Security Consultant for a Belgian company
      • Security Blogger
  • 4. Technical Issues
    • Mix of OS / Application / Protocols
    • Thousands of events to process
    • Multiple consoles/tools
    • Keep Security at the highest level (“CIA” principle)
  • 5. Find the Differences...
    • Aug 27 14:33:01 macosx ipfw: 12190 Deny TCP 192.168.13.1:2060 192.168.13.104:5000 in via en1
    • %PIX-3-313001: Denied ICMP type=11, code=0 from 192.168.30.2 on interface 2
  • 6. Economic Issues
    • “Time is Money” (24x7, no downtime)
    • Reduced staff & budget
    • Happy shareholders
    • This costs $$$ and HH:MM! (Commercial as well as Free!)
  • 7. Legal Issues
    • Compliance requirements (by “group” or by business)
    • Local laws (retention, data protection)
    • Due diligence & due care
  • 8. Challenges
    • Creation and archiving of log files (centralized)
    • Analyze (Normalization)
    • Follow-up
    • Reporting
  • 9. Layers Model (top to bottom)
    • Reporting
    • Correlation
    • Search
    • Storage
    • Normalization
    • Log Collection
  • 10. OSSEC in a Nutshell “Because everybody must take care of logs”
  • 11. Core Features
    • OSSEC is a free HIDS
    • Features
      • Log Analysis / File Integrity Checks
      • Policy Monitoring
      • Rootkit Detection
      • Actions (Alerts / Active Response)
      • Open to 3rd party products
  • 12. OSSEC Position
    • Log Management Solutions: focus on Logs
    • SIEM Solutions: focus on Security
    • OSSEC
  • 13. OSSEC cannot...
    • Detect access to files (or based on info provided by the OS)
    • Use proprietary protocols > You have to convert them to Syslog (ex: CheckPoint)
    • Display nice graphs
    • OSSEC is just a (dumb) tool!
  • 14. It’s not a product... (c) Bruce
    • Problems? Results!
    • Proof of Concept with limited scope
    • Test procedures from A to Z
    • Procedures! (yeah, boring)
  • 15. Starter’s Kit
    • A Linux box
    • Enough Storage
    • Some UNIX/networking knowledge
    • Script-Fu can be helpful
    • Free time!
  • 16. Architecture
    • Server
    • Agents (UNIX & Windows)
    • DB (optional)
    • 3rd Party Products (optional)
  • 17. Software Components
        Component     Server  Agent
        logcollector  x       x
        agentd        (x)     x
        execd         x       x
        syscheckd     x       x
        analysisd     x
        maild         x
        remoted       x
        monitord      x
        reportd       x
        csyslogd      x
  • 18. Supported Log Formats
    • UNIX & tools
    • FTP / SMTP / HTTP servers
    • Firewalls
    • DB’s
    • Security Tools
    • Commercial (CP, VMware, Bluecoat, ...)
    • Almost anything (custom decoders)
  • 19. Decoded Variables
    • location
    • command
    • hostname
    • url
    • log_tag
    • data
    • srcip, dstip
    • srcport, dstport
    • protocol
    • action
    • user, dstuser
    • id
  • 20. Server Installation
    • Harden Your Linux Server
    • Allow traffic to UDP/1514
    • ./install.sh && Answer questions
    • ./manage_agents && Create keys
  • 21. $HOME Sweet $HOME
    • ossec.conf
    • local_rules.xml
    • decoder.xml
    • ossec-logtest
  • 22. Agents Phone $HOME
    • Both directions UDP/1514!
    • Tools
      • manage_agents
      • list_agents
      • agent_control
  • 23. Centralized Management
    • $OSSECHOME/etc/shared/agent.conf
    • Setup config blocks as in ossec.conf:
        <agent_config name="myagent">
          <localfile>
            <location>/var/log/mylog</location>
            <log_format>syslog</log_format>
          </localfile>
        </agent_config>
  • 24. Reporting
    • Simple reporting is provided through ossec-reportd:
        -f <filter> <value>
        -r <filter> <value>
    • Example:
        -f group authentication failed
        -f level 10
        -f group authentication -r user srcip
  • 25. Reporting (cont)
    • Top-20 Offending IP addresses
    • Top-20 Offending users
    • Top-20 Suspicious alerts
    • Top-20 Triggered alerts
  • 26. Log Archives
    • Enable with the following keyword (default off):
        <logall>on</logall>
    • MD5/SHA1 for integrity
    • Raw event is stored! (evidence)
  • 27. Alerts Post Analysis
    • OSSEC has a WUI but outdated (IMHO)
    • Alternatives
      • Picviz
      • Prelude
      • Splunk or LaaS (Loggly)
        <syslog_output>
          <server>127.0.0.1</server>
          <port>10002</port>
        </syslog_output>
  • 28. Key Design & Implementation Issues
  • 29. Time Synchronization
    • Use NTP to synchronize your devices
    • Mandatory to investigate security incidents
  • 30. Access Raw Data
    • Safe & reliable collection of Syslog flows
    • Access to local files (agents)
  • 31. UDP 1514
    • OSSEC adds confidentiality (packets are encrypted) but still relies on UDP
    • No caching or heart-beat mechanism
  • 32. High Availability
    • Full Virtual IP + storage sync (Active/Passive)
    • Multiple Servers (Failover)
        # ossec.conf
        <client>
          <server-ip>192.168.0.10</server-ip>
          <server-ip>192.168.10.10</server-ip>
        </client>
        # internal_options.conf
        remoted.verify_msg_id=0
  • 33. Long Term Retention
    • $OSSECHOME/logs/archives/YYYY/MMM
    • Could fill your filesystem very quickly!
    • Procedure must be implemented for long term retention (ex: NAS, DVDs)
  • 34. Agents Mass-Deployment
    • ossec-batch-manager.pl (contrib)
    • Deployment tools
      • cfengine (UNIX)
      • Active Directory (Windows)
    • New!!
      • Server : # /var/ossec/bin/ossec-authd -p 1515 >/dev/null 2>&1 &
      • Client : # /var/ossec/bin/agent-auth -m 192.168.1.1 -p 1515
  • 35. Building/Customizing OSSEC rules
  • 36. Basics
    • $OSSECHOME/rules
    • local_rules.xml
  • 37. Basics step 1 : decoder.xml
        <decoder name="sshd">
          <program_name>^sshd</program_name>
        </decoder>
        <decoder name="sshd-success">
          <parent>sshd</parent>
          <prematch>^Accepted</prematch>
          <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port </regex>
          <order>user, srcip</order>
          <fts>name, user, location</fts>
        </decoder>
  • 38. Basics step 1 : decoder.xml
        <decoder name="sshd">
          <program_name>^sshd</program_name>
        </decoder>
        <decoder name="ssh-denied">
          <parent>sshd</parent>
          <prematch>^User \S+ from </prematch>
          <regex offset="after_parent">^User (\S+) from (\S+) </regex>
          <order>user, srcip</order>
        </decoder>
  • 39. Basics step 2 : /var/ossec/sshd_rules.xml
        <rule id="5700" level="0" noalert="1">
          <decoded_as>sshd</decoded_as>
          <description>SSHD messages grouped.</description>
        </rule>
        <rule id="5716" level="5">
          <if_sid>5700</if_sid>
          <match>^Failed|^error: PAM: Authentication</match>
          <description>SSHD authentication failed.</description>
          <group>authentication_failed,</group>
        </rule>
        <rule id="5720" level="10" frequency="6">
          <if_matched_sid>5716</if_matched_sid>
          <same_source_ip />
          <description>Multiple SSHD authentication failures.</description>
          <group>authentication_failures,</group>
        </rule>
  • 40. Basics step 3 : $OSSECHOME/rules/local_rules.xml
        <rule id="100001" level="0">
          <if_sid>5711</if_sid>
          <srcip>1.1.1.1</srcip>
          <description>Example of rule that will ignore sshd </description>
          <description>failed logins from IP 1.1.1.1.</description>
        </rule>
    • Test with $OSSECHOME/bin/ossec-logtest
  • 42. Lab Environment
    • ssh student@yourhost (Pass: 0SSEC4ever)
    • sudo -s
    • Stuff in $HOME/files/
    • Live Syslog feed received in /var/log/
    • Sendmail available
    • Do NOT abuse!
  • 43. Exercise #1
    • Install OSSEC (stand-alone)
    • Start collecting events
    • Play with configuration files
    • Send notifications via e-mail
  • 44. Exercise #2
    • Generate an (email) alert when accesses to Facebook are detected
  • 45. Solution #2
    • In $OSSECHOME/rules/local_rules.xml:
        <!-- Facebook detection rule -->
        <rule id="100030" level="10">
          <match>facebook.com</match>
          <description>Access to Facebook detected!</description>
        </rule>
    • Restart OSSEC
  • 46. Exercise #3
    • Monitor (decode) an unknown file format: /var/log/application.log
    • Report activity for the user ‘admin’
    • Tip: Use ossec-logtest
  • 47. Solution #3
    • Log format:
        Mar 10 23:36:43 foo application[4583]: john created /data/report134.ppt
    • In $OSSECHOME/etc/decoder.xml:
        <decoder name="newapp">
          <program_name>application</program_name>
        </decoder>
        <decoder name="newapp-event">
          <parent>newapp</parent>
          <regex>^(\S+)</regex>
          <order>user</order>
        </decoder>
  • 48. Solution #3 (cont)
    • In $OSSECHOME/etc/ossec.conf:
        <localfile>
          <log_format>syslog</log_format>
          <location>/var/log/application.log</location>
        </localfile>
  • 49. Solution #3 (cont)
    • In $OSSECHOME/rules/local_rules.xml:
        <rule id="100040" level="0">
          <decoded_as>newapp</decoded_as>
          <description>New Application Event</description>
        </rule>
        <rule id="100041" level="10">
          <if_sid>100040</if_sid>
          <user>admin</user>
          <description>User admin activity detected</description>
        </rule>
    • Restart OSSEC
  • 50. Exercise #4
    • Suspicious access detection
    • Detect SSH access from Belgium
    • Tips
      • Use an Active-Response script
      • GeoIP API in $HOME/files/geoip
  • 51. Solution #4
    • Install the GeoIP RPM
    • Copy the new Active-Response script (geoip.sh) in $OSSECHOME/active-response/bin
    • Review the script content
  • 52. Solution #4 (cont)
    • Configure the Active-Response script in $OSSECHOME/etc/ossec.conf:
        <command>
          <name>geoip-lookup</name>
          <executable>geoip.sh</executable>
          <expect>srcip</expect>
        </command>
  • 53. Solution #4 (cont)
    • Find the right rules to attach the Active-Response to (ex: #5501 - Login session opened)
    • Link the Active-Response to the rule:
        <active-response>
          <command>geoip-lookup</command>
          <location>server</location>
          <rules_id>5501</rules_id>
        </active-response>
    • Restart OSSEC
  • 54. Solution #4 (cont)
    • Monitor the new logfile:
        <localfile>
          <location>/var/log/geoip.log</location>
          <log_format>syslog</log_format>
        </localfile>
    • Create a new rule:
        <rule id="100100" level="10">
          <regex>Detected \S+ from BE, Belgium</regex>
          <description>Suspicious login from Belgium</description>
        </rule>
    • Restart OSSEC and watch alerts.log
  • 55. Other Examples
    • MySQL database integrity audit
    • USB-stick detection on Windows
    • Rogue access detection (using geo-localization)
    • Mapping data on Google Maps
    • Temporary lookup tables
  • 56. Happy Logging! xavier (at) rootshell (dot) be wremes (at) gmail (dot) com