ACSA - OSSIM


  • 8/15/2019 ACSA - OSSIM

    1/309

     ACSA  AlienVault Certified Security Analyst

    1


     About this document

    • ACSA (AlienVault Certified Security Analyst)

    • Author: Juan Manuel Lorenzo ([email protected])

    • Document Version 3.0

    • Last revision: 01/2011

    • Product version used: 3.0

    Copyright © Alienvault 2010 All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and publisher.

     Any trademarks referenced herein are the property of their respective holders


     Target Audience

    • Information Security professionals

    • Systems administrators

    • Security Operators


    Requirements

    • Previous Knowledge

    ! Networking

    ! Security

    ! Basic Linux Skills (Edit files on the command line)

    • Technical Requirements

    • Computer per assistant

    • Internet access

    • AlienVault Virtual Machine


    Recommendations

    • Have you got any problem with AlienVault?

    • Is there something you always wanted to know about AlienVault?

    • Do you have any suggestion?

    • Think about your environment:

    ! Do you have a network map?

    ! How would you integrate this device or application?

    ! What products would suit my needs?

    ! Do I have any compliance requirement? (PCI? ISO?)

    • If you have any questions, please tell us


     ACSA - Contents

    • Introduction to AlienVault

    • Components

    • Architecture

    • Installation

    • Configuration

    • Network Security Tools

    • Integrated Tools

    • Basic Concepts

    • AlienVault Web Interface

    • User Management

    • Policies

    • Logger

    • Vulnerability Management

    • Security Analysis

    • Ticketing System

    • Reporting System


     AlienVault


     What is AlienVault?

    • AlienVault is a SIEM (Security Information and Event Management)

    ! Data Aggregation

    ! Correlation

    !  Alerting

    ! Dashboards

    ! Compliance

    ! Retention


     AlienVault: Data Aggregation

    Collection

    (Diagram) Data Sources send their information to the Sensor over Syslog, SCP, SQL and WMI

    Other supported collection methods: SNMP, SDEE, OPSEC, Socket...


     AlienVault: Data Aggregation

    Normalization

    Authentication Failed for user root from X 12.02.2009 12:02:21

    DROP 192.168.1.1 21.2.2.2 Dec 02 2009 12:02:21

    plugin_id=4003 plugin_sid=2 username=root date="1295472603" src_ip=192.168.2.2

    plugin_id=4503 plugin_sid=21 date="1295472603" src_ip=192.168.1.1 dst_ip=21.2.2.2

    Sensor


     AlienVault: Correlation

    SSH Auth failed event from X to Y

    SSH Auth failed event from X to Y

    SSH Auth failed event from X to Y

    SSH Successful Auth event from X to Y

    Brute Force Attack?

    Successful Brute Force Attack?

    Sensor

    SIEM
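The escalation sketched on this slide (repeated SSH authentication failures from X to Y raise "Brute Force Attack?", and a following successful login from the same X to the same Y raises "Successful Brute Force Attack?") as an added, self-contained Python example. It is not code from the slides or from AlienVault: the directive layout (levels with an occurrence count, a time window and a reliability), the plugin_sid for a successful login (7), the asset value, the priority and the sample timestamps are assumptions made for this example, while plugin_id 4003 and plugin_sid 2 are the values shown on the normalization slide. The risk column goes one step beyond the slide: it applies the formula OSSIM documents for every event, risk = (asset * priority * reliability) / 25, which the deck itself only describes as "a Risk value (0-10)" on a later slide.

```python
# Constructed example: a three-level correlation directive for the SSH sequence
# shown on the slide. Not OSSIM code; structure, windows and numbers are assumptions.
SSH_PLUGIN_ID = 4003    # plugin_id shown on the normalization slide
SID_AUTH_FAILED = 2     # plugin_sid shown on the normalization slide
SID_AUTH_OK = 7         # assumed plugin_sid for a successful login

DIRECTIVE = {
    "name": "SSH brute force",
    "priority": 4,  # directive priority on a 0-5 scale (assumed value)
    "levels": [
        # level 1: the first failure from X to Y opens a correlation context
        {"plugin_sid": SID_AUTH_FAILED, "occurrence": 1, "timeout": 0, "reliability": 1, "alarm": None},
        # level 2: four more failures within 60 s -> "Brute Force Attack?"
        {"plugin_sid": SID_AUTH_FAILED, "occurrence": 4, "timeout": 60, "reliability": 4,
         "alarm": "Brute Force Attack?"},
        # level 3: a successful login on the same pair within 300 s -> escalate
        {"plugin_sid": SID_AUTH_OK, "occurrence": 1, "timeout": 300, "reliability": 10,
         "alarm": "Successful Brute Force Attack?"},
    ],
}


def risk(asset, priority, reliability):
    """OSSIM's documented risk formula: asset (0-5) * priority (0-5) * reliability (0-10) / 25,
    capped at 10. The deck only says a 0-10 risk is computed; the formula is not on the slide."""
    return min(10, (asset * priority * reliability) / 25)


class Correlator:
    """Tracks one context per (src_ip, dst_ip) pair through the directive's levels."""

    def __init__(self, directive, asset_values, default_asset=2):
        self.directive = directive
        self.assets = asset_values      # dst host -> asset value 0-5 (from the inventory)
        self.default_asset = default_asset
        self.contexts = {}              # (src, dst) -> {"next": level index, "count", "since"}

    def feed(self, event):
        """Process one normalized event; return the directive events (alarms) it triggers."""
        if event.get("plugin_id") != SSH_PLUGIN_ID:
            return []
        key = (event["src_ip"], event["dst_ip"])
        ts = event["date"]
        levels = self.directive["levels"]
        ctx = self.contexts.get(key)
        if ctx is not None and ts - ctx["since"] > levels[ctx["next"]]["timeout"]:
            del self.contexts[key]  # window expired: forget the partial sequence
            ctx = None
        if ctx is None:
            if event["plugin_sid"] == levels[0]["plugin_sid"]:
                self.contexts[key] = {"next": 1, "count": 0, "since": ts}
            return []
        level = levels[ctx["next"]]
        if event["plugin_sid"] != level["plugin_sid"]:
            return []  # not the event type this level waits for
        ctx["count"] += 1
        if ctx["count"] < level["occurrence"]:
            return []
        alarm = {
            "alarm": level["alarm"],
            "src_ip": key[0],
            "dst_ip": key[1],
            "date": ts,
            "reliability": level["reliability"],
            "risk": risk(self.assets.get(key[1], self.default_asset),
                         self.directive["priority"], level["reliability"]),
        }
        ctx["next"] += 1
        ctx["count"] = 0
        ctx["since"] = ts
        if ctx["next"] == len(levels):
            del self.contexts[key]  # directive completed for this pair
        return [alarm]


def ssh_event(plugin_sid, ts, src="10.0.0.5", dst="192.168.1.10"):
    """Build a normalized event in the shape the Sensor would send (constructed sample)."""
    return {"plugin_id": SSH_PLUGIN_ID, "plugin_sid": plugin_sid, "date": ts, "src_ip": src, "dst_ip": dst}


# Constructed samples: a tight burst that completes the directive, and a slow
# trickle whose failures never fall inside the 60 s window.
BURST = [ssh_event(SID_AUTH_FAILED, t) for t in (0, 10, 20, 30, 40)] + [ssh_event(SID_AUTH_OK, 50)]
TRICKLE = [ssh_event(SID_AUTH_FAILED, t) for t in (0, 100, 200, 300, 400)] + [ssh_event(SID_AUTH_OK, 410)]


def run(events, asset_values=None):
    """Feed events through a fresh Correlator and collect every alarm it raises."""
    corr = Correlator(DIRECTIVE, asset_values if asset_values is not None else {"192.168.1.10": 3})
    alarms = []
    for event in events:
        alarms.extend(corr.feed(event))
    return alarms


if __name__ == "__main__":
    for a in run(BURST):
        print("%(date)4d  %(alarm)-32s reliability=%(reliability)2d risk=%(risk).2f" % a)
    print("trickle alarms:", run(TRICKLE))
```

The trickle case is the one worth noticing: the same five failures and the same successful login produce nothing because the window expires, which is exactly the trade-off a correlation rule makes between false positives and slow attacks; the window and occurrence values are tuning knobs, not facts about the attack.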


     AlienVault: Alerting

    Worm Detected on Port 80

    DOS Attack Against

    WebServer

    No disk space left on the

    SQL Server

    Policy Violation: P2P Usage

    Send a command to the firewall to isolate the attacker

    Open a ticket in AlienVault or in any other ticketing management system

    Send an e-mail or an SMS to the IT Department

    Disable the switch port used by the host generating the P2P Traffic


     AlienVault: Dashboards


     AlienVault: Compliance


     AlienVault: Retention

    (Diagram) Logger writing to SAN / NAS storage

    - Forensically secure storage of RAW Data

    - Massive Log storage

    - Can be configured to store information on existing NAS or SAN


     And What Makes AlienVault Different?

    All SIEM Products: Data Aggregation, Correlation, Alerting, Dashboards, Compliance, Retention

    AlienVault Unified SIEM: Data Aggregation, Correlation, Alerting, Dashboards, Compliance, Retention, plus Vulnerability Management, Situation Awareness, NIDS, HIDS, WIDS and Network Monitoring


     Vulnerability Management

    • Comprehensive Vulnerability Management

    • Centralized Reports

    • Compliance auditing

    Sensor

    The remote host is missing the DSA-1996 security update

     A vulnerable SMB server is running on the remote host.

    Default user and password enabled in the running service


    Situation Awareness

    Identity Monitoring
      Technology: Active Directory, LDAP, Authentication Logs
      Events / Network Profiles / Active-Passive Fingerprinting

    Network Auto-Discovery
      Topology Map: Recurrent SNMP Scans
      Inventory: Active / Passive Fingerprinting
      Profiling: Time-Service-Usage Profiling

    Resource Monitoring
      Network Monitoring: Flows
      Network Availability: SNMP / Agent / Remote Requests
      Host resources: SNMP / Agent / Remote Requests

    Anomaly Detection


    NIDS

    • Network level IDS (Intrusion Detection System)

    • Monitor network traffic

    • No impact on the network

    (Diagram) Network traffic from the Switch, Router or Network Tap is copied to the Sensor, which looks for: Policy Violations (Porn, P2P, IM...), Malware, Network anomalies, User activity


    HIDS

    • Host-based IDS (Intrusion Detection System)

    • Monitors and analyzes the internals of a computing system

    • Clients for every major Operating System

    • Log analysis, rootkit detection, system integrity checking and Windows registry monitoring.

    (Diagram) Sample HIDS events received by the Sensor: Attempt to login using a non-existent user; Attempt to use mail server as relay (client host rejected); Logon failure: Account currently disabled


    • Wireless Intrusion Detection System

    • Monitor Wireless Networks in multiple locations

    • Meet PCI Wireless Compliance requirements

    WIDS

    (Diagram) Sensor running a WIDS detects: Rogue AP, Suspicious Client, Cloaked Networks with uncloaked APs

    Wireless Network Traffic is analyzed in the AlienVault Sensor

     The Market

    Large Vendors: Sold in combination with other products

    Pure SIEM: Pure Management Layer

    Unified SIEM: Integrate other Security Functions


     The Unification of SIEM and Security Context Technologies

    delivered in a single Product: AlienVault Unified SIEM

    (Diagram) Management Technologies + Security Context Technologies = AlienVault Unified SIEM


    Data Abstraction

    (Diagram) Pyramid of abstraction levels:

    Low Level: Logs (AlienVault Sensors) - Millions of Logs

    Medium Level: Security Events (AlienVault Logger, AlienVault SIEM) and Incidents - Tens of Incidents

    High Level: Risk - Metrics


    Unification of technologies

    (Diagram, axis labelled "Security Technology Management")

    Management: SIEM, Incident Management, Risk, Intelligence, Storage

    Detection: IDS / IPS / WIDS, HIDS, File integrity

    Prevention: Vulnerability Assessment, Threat Assessment

    Awareness: Identity, Inventory, Resources


     AlienVault SIEM

    (Diagram) AlienVault SIEM functions: Correlation, Dashboards, Events aggregation, Action / Response, Reports, Forensic Storage, Alerting system, Vulnerability Management

    Inputs: Operating Systems, Security Devices, Applications, Network electronics


    3 major components

    Sensor: Event Collection, NIDS / WIDS / HIDS, Network monitoring, Vulnerability Scanning

    Logger: Massive Log Storage, Legal evidence, Ensure integrity

    SIEM: Correlation, Risk Assessment, Vulnerability Management, Real-time Monitoring


    How does AlienVault work?


    3 major components

    SIEM

    AlienVault SIEM processes all data provided by network devices and AlienVault Sensors.

    The AlienVault SIEM leverages the Network Inventory created by AlienVault Sensors as well as external Threat Databases to Cross-Correlate events, weeding out False Positives and providing Actionable Intelligence.

    Logger

    AlienVault Logger provides forensically-secure storage of all raw data. This creates a court-admissible record of network activity.

    Sensor

    Events generated in the Network are collected by the AlienVault Sensor.

    Applications running in the AlienVault Sensor generate security events that are also collected by the AlienVault Sensor.

    The AlienVault Sensor generates a normalized event that is sent to the SIEM and to the Logger.


    SIEM Challenges and Roadblocks

    • Challenges

    • Lack of control of security and network

    • Risk management and compliance

    • Inconsistency & lack of reliability

    • Complexity & information overload

    • Inefficient use of valuable resources

    • Roadblocks

    • High vendor pricing

    • Convoluted licensing models

    • High implementation costs

    • Underperformance

    • Black box solutions with limited customization


    What is / is not AlienVault?

    • AlienVault is:

    ! A tool that integrates more than 30 Open Source tools

    ! A tool that can aggregate events from both Open Source and Commercial tools

    ! A tool that can be easily adapted (Use what you need)

    • AlienVault is not:

    ! A Linux distribution integrating security tools (Backtrack, WifiSlax...)

    ! A product designed for home use

    ! A software package (deb, rpm, exe) that can easily be installed on any operating system. (Agents can be installed to monitor every single Operating System)


     What makes us different? - Technically

    • Detection capabilities

    ! Using Open Source tools (No extra cost)

    ! Can replace tools that have already been deployed

    ! Can co-exist with tools that have already been deployed

    • Adaptability

    ! Enable / Disable functionality based on customer needs

    • Customization

    • Scalability


    What makes us different? - Commercially

    • Low cost licensing

    • Licensed based on EPS (Events per second)

    • There is no license based on the number of monitored devices

    • Extra value with no additional cost

    ! WIDS

    ! NIDS

    ! HIDS

    !  Vulnerability Management

    ! Network Monitoring


    Open Source vs Professional

    Feature | Open Source | Professional SIEM
    Support | Community | 7x24
    Quality Assurance | Community | Professional Q&A
    Security | Not audited | Audited
    Performance | Moderate | 30 x Open Source, Assured
    SIEM Intelligence | Logical Correlation, Simple Taxonomy | Cross Correlation, Rich Taxonomy
    Logger | N/A | Unlimited Forensic Storage
    Reports | < 25 + Jasper | > 2000 + Web Wizard
    Scalability/HA | N/A | HA, Distributed, Multi-tenant, Unlimited Scale
    Compliance | High Level Reports | High and Low Taxonomy-based
    Updates | None | Daily rules and reports
    User Management | Individual, simple controls | Templates and Granular Controls


     The Company 

    • AlienVault was founded in 2007 by the creators of OSSIM to support the OSSIM community and develop enhanced products

    • In 2011 AlienVault has a global presence and offers its services worldwide through an extensive network of partners.

    • AlienVault leads the development of AlienVault Open Source SIEM and AlienVault Professional SIEM


     A little bit of history 

    • 2003: First release of OSSIM (Open Source Security Information Management)

    • 2007: AlienVault founded to support the OSSIM community and develop enhanced products

    • 2009: More than half all SIEM installations worldwide

    • 2010: Offices in Spain, Germany, UK and Mexico

    • 2010: HQ in Silicon Valley, California


     The Offices

    Sales & Operations

    Sales


     The products

    • AlienVault Unified SIEM

    • AlienVault Open Source SIEM

    • AlienVault Professional Feed


     The Appliances


     The services

    AlienVault Services

    Training: ACSA, ACSE, On-site Training

    Support: Basic Support, Premium 8x5 Support, Premium 24x7 Support

    Implementation: Installation, Configuration, Upgrades, Administration

    Consulting: Consultative Architecture, Dimensioning, Performance & Scalability


    References


    Partners


    Partners


    Open Source

    • AlienVault Open Source SIEM is distributed under the GPL license.

    • AlienVault includes more than 30 well-known Open Source tools

    • AlienVault developed a system to connect and provide intelligence to all these components

    • Extra functionality - No extra cost


    Open Source - Help for the recession

    "Open source software and solutions have a great opportunity to survive and benefit in this economy as they provide better returns for the companies that are looking to save huge licensing costs and greater availability of solutions and software that can be easily adopted."

    "Open-source consumption is in for a boom, and commercial open-source start-ups should be able ride the wave...In this downturn, open source offers the best value for money, and with more mature supported products, enterprises can continue to innovate while budgets are frozen."

    "In a down economy, open source has more appeal than ever, so volume will continue to increase for open source, making the model even stronger over time.”

    "In these times you follow your grandparents’ wisdom: Make the best of what you have. That means maximizing utilization of existing infrastructure. I expect open source and Linux, systems management tools, and virtualization technology, all of which allow for better utilization rates of existing infrastructure at a low cost, to do well in this market."

    "...this recession will be great for free and open source because of the shortage of cash. Last recession saw the mainstream legitimization of open source operating systems because it was clear and away the most cost-effective choice."


    Components


    Sensor 

    • AlienVault Sensors collect and normalize the events generated by the tools and devices running in the monitored network (Data Sources).

    • Normalized events are sent to the AlienVault SIEM, AlienVault Logger or to both.

    (Diagram) Data Sources feed the Sensor over Syslog, SCP, SQL and WMI; the Sensor sends Normalized events to the Logger and the SIEM


    Sensor 

    • An AlienVault deployment can have as many sensors as needed (There is no limit in the number of deployed Sensors)

    • The number of Sensors is determined based on the number of monitored networks and on the geographical distribution of the corporation

    (Diagram) NY Headquarters, New Jersey Data Center and Las Vegas Call Center, each with its own Sensor (Sensor 1 to Sensor 3)


    Sensor: Data Source

    • Any Application or Device generating information that can be collected by AlienVault is a Data Source within the AlienVault deployment. E.g.:

    ! Security Devices: IDS, IPS, Firewall, Antivirus, Vulnerability Scanner...

    ! Network Devices: Routers, Switches, Wireless AP...

    ! Servers: Domain Controller, Email server, LDAP...

    !  Applications: Web Servers, Databases, Proxy...

    ! Operating Systems: Linux, Windows, Solaris...


    Sensor: Data Source Connectors

    • The AlienVault Sensors can aggregate events from new sources by creating a Data Source Connector

    • A Data Source Connector describes how the source's events are stored and formatted, and includes the regular expressions that tell the Sensor how the information should be collected and normalized
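An added Python example, written for this edit and not code from the slides or from OSSIM, of what a Data Source Connector does; it covers this slide and the earlier "Data Aggregation: Normalization" slide together: one plugin_id per data source, one regular expression and one plugin_sid per event type, and a timestamp normalized to a UTC epoch so that events from different sources can be compared. plugin_id 4003/4503 and plugin_sid 2/21 are taken from the normalization slide; the rule regexes, the sid 7 for a successful login, the sample syslog lines, the host name and the assumed year 2009 for year-less syslog timestamps are this example's own assumptions, and OSSIM's actual plugin configuration syntax is neither shown on the deck nor reproduced here.

```python
import re
from datetime import datetime, timezone

# Constructed connector definitions (this example's own, modelled on the slides'
# description of a Data Source Connector). plugin_id 4003/4503 and plugin_sid 2/21
# come from the normalization slide; sid 7 and every regex are assumptions.
CONNECTORS = [
    {
        "name": "ssh",
        "plugin_id": 4003,
        "rules": [
            {
                "plugin_sid": 2,  # authentication failed
                "regexp": re.compile(
                    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?(?P<username>\S+) "
                    r"from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
                ),
            },
            {
                "plugin_sid": 7,  # authentication accepted (assumed sid)
                "regexp": re.compile(
                    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Accepted \S+ for (?P<username>\S+) "
                    r"from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
                ),
            },
        ],
    },
    {
        "name": "firewall",
        "plugin_id": 4503,
        "rules": [
            {
                "plugin_sid": 21,  # packet dropped
                "regexp": re.compile(
                    r"^(?P<date>[A-Z][a-z]{2} \d\d \d{4} \d\d:\d\d:\d\d) DROP "
                    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})"
                ),
            },
        ],
    },
]

DEFAULT_YEAR = 2009  # syslog timestamps carry no year; assumed for the sample lines


def normalize_date(text, default_year=DEFAULT_YEAR):
    """Turn the two timestamp styles used above into a UTC epoch integer."""
    text = re.sub(r"\s+", " ", text.strip())
    for fmt, has_year in (("%b %d %Y %H:%M:%S", True), ("%b %d %H:%M:%S", False)):
        try:
            dt = datetime.strptime(text, fmt)
        except ValueError:
            continue
        if not has_year:
            dt = dt.replace(year=default_year)
        return int(dt.replace(tzinfo=timezone.utc).timestamp())
    raise ValueError("unrecognised timestamp: %r" % text)


def normalize(line):
    """Filtering + normalization: return a normalized event dict, or None when no
    connector rule matches (the line is filtered out instead of being forwarded)."""
    for connector in CONNECTORS:
        for rule in connector["rules"]:
            m = rule["regexp"].match(line)
            if not m:
                continue
            event = {"plugin_id": connector["plugin_id"], "plugin_sid": rule["plugin_sid"]}
            for field, value in m.groupdict().items():
                event[field] = normalize_date(value) if field == "date" else value
            return event
    return None


def normalize_batch(lines):
    """Normalize a sequence of raw lines, dropping the ones no rule understands."""
    return [ev for ev in map(normalize, lines) if ev is not None]


# Constructed sample input, modelled on the raw lines shown on the normalization slide.
SAMPLE_LINES = [
    "Dec 02 12:02:21 bastion sshd[4242]: Failed password for root from 192.168.2.2 port 51514 ssh2",
    "Dec 02 2009 12:02:21 DROP 192.168.1.1 21.2.2.2",
    "Dec 02 12:02:25 bastion sshd[4242]: Accepted password for root from 192.168.2.2 port 51514 ssh2",
    "Dec 02 12:02:26 bastion CRON[4300]: (root) CMD (run-parts /etc/cron.hourly)",  # no rule: filtered
]

if __name__ == "__main__":
    for ev in normalize_batch(SAMPLE_LINES):
        print(" ".join("%s=%s" % kv for kv in ev.items()))
```

The point to take from the fourth sample line is that a connector is also a filter: anything its rules do not describe never reaches the Logger or the SIEM, so an incomplete rule set silently loses events, which is why a new connector should be tested against a capture of the real source before it is trusted.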


    • The AlienVault Sensor can aggregate events using multiple collection methods

    Sensor Collection Methods: SYSLOG, FTP, SCP, SAMBA, WMI, SQL, SDEE, SOCKET, SNMP, Custom DS Connectors

    (Diagram) Collected events pass through FILTERING, CLASSIFICATION and NORMALIZATION before OUTPUT to the LOGGER and the SIEM


    Sensor 

    • The AlienVault Sensor includes detection functionality built on well-known Open Source Software

    • The AlienVault Data Sources can co-exist with the Data Sources that have already been deployed on the monitored network

    • In some scenarios these Data Sources can replace commercial software that was used in the monitored network


    Sensor 

    • To benefit from the detection capabilities of the AlienVault Sensor, networking on the Sensor must be configured to:

    • Have access to the network that is being monitored

    ! Event collection (Syslog, FTP, SCP, Samba, WMI...)

    ! Vulnerability Scanning

    ! Availability Monitoring...

    • Collect all traffic of the monitored network by configuring or using:

    ! Port mirroring or port span

    ! HUB

    ! Network Tap


    Logger 

    • The Logger component stores events in raw format in the file system.

    • Events are digitally signed and stored en masse, ensuring their admissibility as evidence in a court of law.

    • The Logger component allows storage of an unlimited number of events for forensic purposes.

    • For this purpose the Logger is usually configured so that events are stored in a NAS / SAN network storage system.
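A worked example of the integrity property this slide describes (raw events signed and stored so that later alteration can be detected), written for this edit in Python; it is not OSSIM's own code, and the deck does not describe the Logger's actual signing scheme. It hash-chains each batch of raw lines onto the previous batch and authenticates the chain head with an HMAC; the key, the file names and the sample log lines are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed secret; in a real deployment the key would come from a key store and
# would not live on the Logger host next to the data it protects.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def line_digest(line):
    """Digest of one raw event line exactly as received (no normalization)."""
    return hashlib.sha256(line.encode("utf-8")).digest()


def sign_batch(lines, key, prev_digest=b""):
    """Hash-chain a batch of raw lines onto the previous batch's digest and
    authenticate the chain head. Returns the signature record for the batch."""
    h = hashlib.sha256(prev_digest)
    for line in lines:
        h.update(line_digest(line))
    digest = h.digest()
    return {
        "count": len(lines),
        "prev": prev_digest.hex(),
        "digest": digest.hex(),
        "mac": hmac.new(key, digest, hashlib.sha256).hexdigest(),
    }


def verify_batch(lines, record, key, prev_digest=b""):
    """Recompute the chain for a stored batch and check digest and MAC.
    Any edited, dropped, inserted or reordered line changes the digest."""
    expected = sign_batch(lines, key, prev_digest)
    return (
        record["count"] == expected["count"]
        and hmac.compare_digest(record["digest"], expected["digest"])
        and hmac.compare_digest(record["mac"], expected["mac"])
        and record["prev"] == prev_digest.hex()
    )


def verify_chain(batches, records, key):
    """Verify consecutive batches; the first batch chains from an empty digest."""
    prev = b""
    for lines, record in zip(batches, records):
        if not verify_batch(lines, record, key, prev):
            return False
        prev = bytes.fromhex(record["digest"])
    return len(batches) == len(records)


def store_batch(directory, index, lines, record):
    """Write the raw lines and their signature record side by side, as a Logger
    would on its NAS/SAN volume (the file layout is this example's own)."""
    with open(os.path.join(directory, "events-%04d.log" % index), "w", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")
    with open(os.path.join(directory, "events-%04d.sig" % index), "w", encoding="utf-8") as f:
        json.dump(record, f)


# Constructed sample batches of raw syslog lines.
BATCH_1 = [
    "Dec 02 12:02:21 bastion sshd[4242]: Failed password for root from 192.168.2.2 port 51514 ssh2",
    "Dec 02 12:02:23 bastion sshd[4242]: Failed password for root from 192.168.2.2 port 51514 ssh2",
]
BATCH_2 = [
    "Dec 02 12:02:25 bastion sshd[4242]: Accepted password for root from 192.168.2.2 port 51514 ssh2",
]


def demo():
    """Sign two batches, then show that verification fails once a line is altered."""
    rec1 = sign_batch(BATCH_1, DEMO_KEY)
    rec2 = sign_batch(BATCH_2, DEMO_KEY, bytes.fromhex(rec1["digest"]))
    intact = verify_chain([BATCH_1, BATCH_2], [rec1, rec2], DEMO_KEY)
    tampered = [BATCH_1[0], BATCH_1[1].replace("Failed", "Accepted")]
    altered = verify_chain([tampered, BATCH_2], [rec1, rec2], DEMO_KEY)
    return intact, altered


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        rec1 = sign_batch(BATCH_1, DEMO_KEY)
        store_batch(d, 1, BATCH_1, rec1)
        print(sorted(os.listdir(d)))
    print(demo())  # (True, False)
```

An HMAC only proves integrity to someone who holds the key, so it lets the operator detect tampering but does not let a third party verify the record independently; an evidence-grade store would replace the MAC with an asymmetric signature or a timestamping authority, keeping the same chaining, and would write the signature records to a second, separately controlled location.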


    SIEM

    • The SIEM component provides the system with Security Intelligence and Data Mining capacities, featuring:

    - Risk assessment

    - Correlation

    - Risk metrics

    - Vulnerability scanning

    - Data mining for events

    - Real-time monitoring

    • AlienVault SIEM uses a SQL database and stores information normalized, allowing strong analysis and data mining capacities.


    SIEM

    (Diagram) Events processing on the SIEM: Collection, Policy, Risk Assessment, Correlation, SQL Storage; new events generated during correlation are fed back into the event flow


    SIEM

    (Diagram) Events processing on the SIEM:

    SIEM collects events sent by the Sensors or by other SIEM or Logger

    Policies configure how the SIEM will process the events (To create exceptions)

    A Risk value (0-10) is calculated for every event

    Events are correlated (Logical correlation, Cross Correlation and Inventory Correlation)

    Events are stored in the Database

    New events generated during correlation re-enter the event flow


     Database

    • The AlienVault database runs on a MySQL server

    • SIEM Events, configurations, and inventory are stored in the Database

    • The Database is a required component in any AlienVault deployment, even if only the Logger is being used


     Web interface

    • The AlienVault Web Interface provides access to:

    ! Inventory Management

    ! Configuration

    ! Reports and metrics

    ! Real time monitoring

    ! Forensic Analysis

    !  Vulnerability scanning


     Architecture


    AlienVault Architecture

    (Diagram) EVENTS from Operating Systems, Security Devices, Applications and Network electronics flow into the Sensor, which forwards them to the Logger (Disk Storage) and to the SIEM (SQL Database); the Web Interface sits on top of both


     AlienVault Deployment: Scenario


    Log collection

    (Diagram) LOG COLLECTION: devices send their logs to the Sensors using SYSLOG, WMI, SDEE, OPSEC, FTP, SNARE, SCP, SQL, SAMBA and SNMP


    Port mirroring

    (Diagram) PORT MIRRORING from the switches to the Sensors


    Vulnerability Scanning & Availability Monitoring

    (Diagram) SENSOR 1, SENSOR 2 and SENSOR 3, each scanning and monitoring the networks closest to it


    AlienVault Deployment

    (Diagram) SENSOR 1, SENSOR 2 and SENSOR 3 combine PORT MIRRORING with LOG COLLECTION (SYSLOG, WMI, SDEE, OPSEC, FTP, SNARE, SCP, SQL, SAMBA, SNMP); the Sensors reach the central components over ALIENVAULT INTERNAL COMMUNICATIONS


    Simple Deployment

    • A single Customer

    • A single location

    • Small amount of events to be collected

    • Small number of networks to be monitored (Events collection, Availability Monitoring, Vulnerability Scanning...)

    • Low network throughput to be analyzed


    Simple Deployment

    (Diagram) Customer Premises: Network 1, Network 2 and Network 3 deliver Events and Network Traffic to a single Sensor, which feeds the Logger and the SIEM; the Web Interface and the SQL Database are on the same site


    Simple Deployment II

    • A single Customer

    • Multiple locations

    • AlienVault Sensors reduce the data transferred between the different locations:

    ! Events are filtered

    ! Vulnerability and Availability scans are run from multiple locations (Each Sensor scans the closest networks)


    Simple Deployment II

    (Diagram) Headquarters: Sensor, Logger, SIEM, Web Interface, SQL Database. Office 1, Office 2 and Office 3: one Sensor each, reporting to Headquarters


    Complex Deployment

    • Multiple Customers

    • Multiple Locations

    • Some Customers have multiple Sensors

    • Some Customers have their own Logger (E.g.: Compliance Requirements)

    • Some Customers have a fully operational AlienVault Deployment

    • Correlation and Storage at different levels


    Complex Deployment

    (Diagram) Services Provider with Logger, SIEM, Web Interface and SQL Database receiving events from Customer 1, Customer 2 and Customer 3; the customer sites hold Sensors, and some of them additionally their own Logger or a full SIEM, Web Interface and SQL Database


    National Deployment

    All Sensors send events to the Logger deployed in California

    Some locations can have a fully functional AlienVault deployment, with SIEM, Logger, Database and Web interface, although the Logger in Texas will also forward events to California

    Some locations can have multiple Sensors, with or without a Logger or SIEM, that can be used to consolidate at State Level or to provide Storage or Correlation at multiple levels


     World Deployment

    Sensors in Brazil send events to the Logger in Brazil. There is a SIEM, Logger and Database in Brazil. The Logger and SIEM deployed in Brazil could also be used to consolidate events from some other countries (Argentina, Chile...)

    Sensors in USA send events to the Logger in USA. There is a fully functional AlienVault deployment in the USA.

    Sensors deployed worldwide send their events to the main Logger in India. US and Brazil have their own SIEM and Logger so it is possible to configure correlation at two levels as well as creating forwarding policies to decide what kind of information is forwarded to India.


    Sensor 

    • At least one Sensor in each AlienVault Deployment

    • As many Sensors as required

    • Usually one Sensor in each Customer Location

    • A Sensor can monitor multiple networks within the same location

    • AlienVault Sensors can send events to Logger and SIEM

    • AlienVault Sensors can be configured to send events to more than one SIEM or Logger


    Logger 

    • There must be at least a Logger or a SIEM in each functional deployment

    • The Logger can send events to another SIEM or Logger

    • The Logger stores raw data on disk and it can be configured to use a NAS or SAN storage system

    • As many Loggers as required

    ! Performance

    ! Requirements to store information securely in more than one location

    • The Logger collects events sent by the AlienVault Sensors or by another Logger or SIEM


    SIEM

    • There must be at least a Logger or a SIEM in each functional deployment

    • The SIEM can send events to another SIEM or Logger

    • The SIEM stores information in an SQL Database (Database Component)

    • As many SIEMs as required

    ! Performance

    ! Multiple correlation levels

    • The SIEM collects events sent by the AlienVault Sensors or by another Logger or SIEM


    Database

    • There must be at least a Database in each deployment

    • If multiple SIEM components have been deployed these SIEMs may use multiple Databases

    • SIEM, Logger and the Web Interface will access the information stored in the Database

    • Some Custom Data Sources may also require access to the Database


     Web Interface

    • There must be at least a Web Interface in each functional deployment

    • If there are multiple storage points in the deployment (SIEM and/or Logger) multiple Web interfaces may also be deployed

    • A single Web Interface can show information stored in multiple Databases and in multiple Loggers


    Installation


    Hardware recommendations

    • For a production system:

    ! At least 4GB RAM

    ! 64-bit Processor

    ! Dual Core Processor

    • Depending on the amount of traffic being monitored and the amount of data captured, RAM has to be increased, always avoiding SWAP memory usage.

    • If we don’t have the appropriate hardware:

    ! "Divide et vinces"


    Network Requirements: Sensor 

    • Port mirroring/Port Span/Network tap avoiding:

    ! Duplicated traffic: May happen if we get the same traffic redirected from two different port mirroring devices on the network

    ! Non-analyzable traffic: It makes little sense to configure a port mirror on a network segment where all the traffic will traverse a VPN or be otherwise encrypted

    • Enough IP addresses and interfaces have to be reserved for:

    ! AlienVault Inter-component communication

    ! Sensor network access to targeted networks (OpenVas, Nmap, Nagios, WMI, SCP require network access)

    ! Provide an IP address for external devices to send data to (Syslog, FTP, Samba, Snare, OSSEC)


    Network Requirement: Sensor 

    • The most problems when configuring AlienVault happen with the

    Sensor profiles:

     The red line represents a port mirroring that’sbeen setup on a switch for the Sensor profileand it’s applications (Ntop, Snort, Pads, P0fand Arpwatch) to passively analyze traffic.

    85

    Network Requirement: Sensor

    Figure: This second case represents a Sensor profile where only log collection and analysis will be performed, without listening to any traffic. No listening application should be running on this system since there is no configured port mirroring.

    Figure: This third case requires both an IP address and a passively listening interface, since our Sensor profile will be both capturing traffic from a port mirror and collecting logs.

    Recommendations

    • Always use the latest installation image

    • If you need performance you can't use "any" hardware

    • Use only what you need (disable unused Data Sources)

    • If you install your system in English you'll have an easier time finding help

    • For network traffic analysis, ensure your NIC supports the e1000 driver

    • Whenever possible set up a separate machine for the Database profile

    Recommendations II

    • It makes little sense to enable the listening applications (Snort, Ntop, Arpwatch...) if we don't have a port mirror set up

    • 64 bits greatly improves performance

    • The best network cards should always be used for the listening interfaces (promiscuous mode)

    • The not-so-good network cards can be used for administration or collection (Syslog, OpenVAS, Nagios...)

    Check List

    • Check list for an AlienVault installation

    • Rack space

    • Power

    • Network configuration

    ! Port mirroring

    ! IP addresses

    • Professional key

    • Internet access (required when installing the professional version)

    Installation Profiles

    • Depending on the role of the new host within the AlienVault deployment, it is possible to configure the profile in use. This can be configured during the installation process or after installation. By default the Automated Installation will enable all profiles in the same box.

    Installation Profile: Sensor

    • The Sensor profile will enable the Sensor functionality of AlienVault.

    • The following AlienVault Data Sources are enabled by default:

    ! Snort (Network Intrusion Detection System)

    ! Ntop (network and usage monitor)

    ! OpenVAS (vulnerability scanning)

    ! P0f (passive operating system detection)

    ! Pads (Passive Asset Detection System)

    ! Arpwatch (Ethernet/IP address pairing monitor)

    ! OSSEC (Host Intrusion Detection System)

    ! Nagios (availability monitoring)

    ! OCS (inventory)

    Installation Profile: Server

    • This installation profile combines the SIEM and Logger components. The Sensors will connect to the AlienVault Server to send the normalized events.

    • Simple deployments will include a single Server. More complex deployments could have more than one Server with different roles, or when it is required to deploy the AlienVault Server in high availability.

    • The Server installation profile also comes with a Sensor with limited functionality to monitor the Server itself

    Installation Profile: Database

    • The Database profile will enable a MySQL database to store configuration and events (if the SIEM functionality is in use). At least one Database is required in each deployment.

    • Even if only the Logger profile is enabled (and not the SIEM), a database will be required to store the inventory information and the configuration parameters.

    Installation Profile: All-in-one

    • The All-in-one profile will enable all profiles in a single box. This is the default installation profile and it will be enabled if the user does an automated installation

    Installation Overview

    Automated Installation

    1. Boot the installation system

    2. Configure networking

    3. Create and mount the partitions on which AlienVault will be installed

    4. Watch the automatic download/install/setup/update of the base system

    5. Set up users and passwords

    6. Load the newly installed system for the first time

    Custom Installation

    1. Boot the installation system

    2. Select the installation language

    3. Configure the keyboard

    4. Configure the location

    5. Select the AlienVault profiles for this installation

    6. Configure networking

    7. Create and mount the partitions on which AlienVault will be installed

    8. Enter the professional license

    9. Watch the automatic download/install/setup/update of the base system

    10. Set up users and passwords

    Configuration

    Basic System Configuration

    • Changing the keyboard layout

    ! To change the keyboard layout simply type this command:

    - # dpkg-reconfigure console-data

    • Setting the current system date and time

    ! To display the current system time, enter the date command:

    - # date

    ! To set the current system time, use the following form of the date command:

    - # date MMDDhhmm[CC]YY[.ss]

    Basic System Configuration

    • Setting the date and time via NTP

    ! To set the date using an NTP server, type the following command in the terminal:

    - # ntpdate pool.ntp.org

    - pool.ntp.org can be replaced by the NTP server in your corporation or by any other NTP server on the Internet.

    • Changing the time zone

    ! To change the time zone just type this command:

    - # dpkg-reconfigure tzdata

    AlienVault Basic Configuration

    • The centralized configuration is stored in the following file:

    ! /etc/ossim/ossim_setup.conf

    • You can edit this file using any text editor (vim, nano, pico...).

    • Inexperienced users should use the following command to edit this file:

    ! # alienvault-setup

    • To apply the centralized configuration to every configuration file you will have to run the following command:

    ! # alienvault-reconfig

    AlienVault Basic Configuration

    • Enable / Disable Plugins (Data Sources)

    ! To select the enabled plugins (Data Sources) type the following command:

    - # alienvault-setup

    ! Then select the option 'Change Sensor Settings' and then 'Enable/Disable detector plugins'. You will get a list of enabled and disabled plugins; press space over the name of a plugin to enable or disable it. To apply the changes select 'Save & Exit' in the main menu.

    AlienVault Basic Configuration

    • Configure Plugins (Data Sources)

    ! Once a plugin has been enabled you may need to configure it. Plugin configuration files are stored in the directory /etc/ossim/agent/plugins. There you will find a .cfg file for each plugin.

    ! You may need to edit the location parameter to point the AlienVault collector to the file in which the logs of that application are being stored. If you modify the configuration file of one of your plugins, type the following command to restart the OSSIM Agent:

    - # /etc/init.d/ossim-agent restart

    AlienVault Basic Configuration

    • Configure listening interfaces

    ! The alienvault-setup script allows configuring the network interfaces in promiscuous mode. All the AlienVault detectors that require analyzing all network traffic will be configured to work on these network cards (Snort, Ntop, Fprobe, Pads...).

    ! Select only those interfaces that are connected to a mirrored port or to a network tap, as these applications will be useless if they are not analyzing all the traffic in the network.

    ! To select the listening interfaces type the following command:

    - # alienvault-setup

    - Then choose 'Change Sensor Settings' and then 'Select interfaces in promiscuous mode', then select 'Save & Exit' to apply the changes.

    alienvault-reconfig

    • alienvault-reconfig reads the centralized configuration in /etc/ossim/ossim_setup.conf and regenerates, among others, the following configuration files:

    ! /etc/network/interfaces

    ! /etc/snort*

    ! /etc/default/ntop

    ! /etc/rsyslog.conf

    ! /etc/ossim/agent/config.cfg

    ! /etc/ossim/server/config.xml

    ! /etc/ossim/framework.conf

    ! /etc/mysql/my.cnf

    ! /etc/logrotate*

    ! /etc/default/fprobe

    ! .....

    VPN Configuration

    • When performing a custom installation on different machines, the installer will automatically configure a VPN network to encrypt the communication between the different AlienVault components. This feature has been implemented using OpenVPN.

    • The VPN Server will be configured in the machine running the Server profile. If we want to include another AlienVault component in the VPN we have to run this command in the machine running the Server profile. In the following examples we will use the IP address 192.168.0.200, as if it were a box running the Collector profile:

    ! # alienvault-reconfig --add_vpnnode 192.168.0.200

    ! This command will generate a compressed file containing all the files required to configure the VPN network in the AlienVault component we want to put inside the VPN network. This file will be stored in the following directory:

    ! /etc/openvpn/nodes/

    Network Configuration

    • Setting the hostname

    ! To change the hostname, simply modify the value of the parameter hostname in /etc/ossim/ossim_setup.conf and run the command:

    - # alienvault-reconfig

    • Setting up DNS

    ! You can add hostnames and IP addresses to the file /etc/hosts for static lookups. To cause your machine to consult a particular server for name lookups you simply add its address to /etc/resolv.conf.

    ! For example, a machine which should perform lookups from the DNS server at IP address 192.168.1.200 would have a resolv.conf file looking like this:

      search my.domain
      nameserver 192.168.1.200

    Network Configuration

    • Setting up the IP address

    - The IP addresses associated with any network cards you might have are read from the file /etc/network/interfaces. This file has documentation you can read with:

    • # man interfaces

    - A sample entry for a machine with a static address (eth0) would look like this:

      allow-hotplug eth0
      iface eth0 inet static
          address 192.168.1.133
          netmask 255.255.0.0
          network 192.168.0.0
          broadcast 192.168.255.255
          gateway 192.168.1.1
          dns-nameservers 192.168.1.100

    - If you make changes to this file you can cause them to take effect by running:

    • # /etc/init.d/networking restart

    Network Configuration

    • Setting up a network card in promiscuous mode

    • If a network card is going to be used to analyze all the traffic in the network, it should not have an assigned IP address. This will considerably improve the performance of the network card. To do this you will have to include a new entry in the file /etc/network/interfaces:

      up ifconfig eth0 0.0.0.0 promisc -arp
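    The two slides above describe the management interface (static address) and the listening interface (no address, brought up promiscuous). The following shell script is an added example, not AlienVault's own code: it checks an /etc/network/interfaces file for exactly that property, so a listening interface that was accidentally given an IP address (and would therefore answer ARP and be reachable from the mirrored segment) is caught before the Sensor goes live. The interfaces file it runs on is constructed for the example from the slide's sample stanza.

```sh
#!/bin/sh
# Added example (not AlienVault code): check that a listening interface in
# /etc/network/interfaces follows the slide's advice, i.e. it is brought up
# promiscuous with "up ifconfig <iface> 0.0.0.0 promisc -arp" and has no
# address assigned. A sniffing interface with an IP address answers ARP
# and can be reached from the mirrored segment, so the check fails on it.

# Usage: check_listen_iface <interfaces file> <iface>
# Exit status: 0 = clean listening interface, 1 = interface has an address,
# 2 = no promiscuous "up" line found for that interface.
check_listen_iface() {
    awk -v want="$2" '
        $1 == "iface" { cur = $2; next }               # start of a stanza
        $1 == "address" && cur == want { has_addr = 1 }
        $1 == "up" && cur == want &&
            $0 ~ ("ifconfig " want " 0\\.0\\.0\\.0 promisc") { promisc = 1 }
        END {
            if (has_addr) exit 1
            if (!promisc) exit 2
            exit 0
        }
    ' "$1"
}

# Constructed /etc/network/interfaces: eth0 is the static management
# address from the slide, eth1 a correct listening interface, eth2 a
# listening interface wrongly given an address (for the failing case).
write_sample_interfaces() {
    cat > "$1" <<'EOF'
auto lo
iface lo inet loopback

allow-hotplug eth0
iface eth0 inet static
    address 192.168.1.133
    netmask 255.255.0.0
    network 192.168.0.0
    broadcast 192.168.255.255
    gateway 192.168.1.1
    dns-nameservers 192.168.1.100

auto eth1
iface eth1 inet manual
    up ifconfig eth1 0.0.0.0 promisc -arp

auto eth2
iface eth2 inet static
    address 10.0.0.5
    netmask 255.255.255.0
    up ifconfig eth2 0.0.0.0 promisc -arp
EOF
}

# Stand-alone demo on a temporary file; on a real box point the check at
# /etc/network/interfaces and the interface chosen in alienvault-setup.
demo=$(mktemp)
write_sample_interfaces "$demo"
for ifc in eth1 eth2 eth3; do
    if check_listen_iface "$demo" "$ifc"; then
        echo "$ifc: ok as listening interface"
    else
        echo "$ifc: not a clean listening interface (status $?)"
    fi
done
rm -f "$demo"
```

    Run it after editing the interfaces file and before restarting networking; a status of 1 means the stanza still carries an address line, a status of 2 means the promiscuous "up" line is missing (or names a different interface).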

    Network Configuration

    • Setting the default gateway

    • The default route for a host with a static IP address can be set in /etc/network/interfaces.

    • If you wish to view your current default route/gateway you can run:

    ! # netstat -nr

    • To change your default route you must first remove the current one:

    ! # /sbin/route del default gw 192.168.0.1

    Network Configuration

    • In case you change the management IP address of one of your AlienVault boxes you have to do the following to make sure that all components using the old IP address are now using the new one.

    • To do that, once you have modified /etc/network/interfaces and restarted networking, you will need to edit the file /etc/ossim/ossim_setup.conf

    • In this file you could just do a search (old IP address) and replace (new IP address), or take a look at the following parameters:

    ! admin_ip: Management IP (SSH and Web access)

    ! db_ip: IP address of the host running the Database profile

    ! framework_ip: IP address of the host running the Web Management Interface

    ! server_ip: IP address of the host running the Server profile

    • Once you have set the correct IP addresses you can generate all configuration files by running:

    ! # alienvault-reconfig
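    A blind search-and-replace of the old address can also rewrite lines that should stay as they are. The shell helper below is an added example, not part of AlienVault's own tooling: it rewrites only the four parameters named on the slide (admin_ip, db_ip, framework_ip, server_ip), keeps a backup of the file, and reports which parameters it changed. The sample ossim_setup.conf it works on is constructed for the example and contains only a few of the real file's parameters.

```sh
#!/bin/sh
# Added example (not AlienVault code): rewrite the IP parameters named on
# the slide (admin_ip, db_ip, framework_ip, server_ip) in a copy of
# /etc/ossim/ossim_setup.conf. Other lines that happen to contain the old
# address are left alone, which a blind search-and-replace would not do.

# Usage: update_alienvault_ips <config file> <old ip> <new ip>
# Prints the names of the parameters that were changed, space separated.
update_alienvault_ips() {
    cfg=$1
    old=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    new=$3
    cp "$cfg" "$cfg.bak"                           # keep a backup before editing
    changed=""
    for param in admin_ip db_ip framework_ip server_ip; do
        if grep -q "^${param}=${old}\$" "$cfg"; then
            sed "s/^${param}=${old}\$/${param}=${new}/" "$cfg" > "$cfg.tmp" \
                && mv "$cfg.tmp" "$cfg"
            changed="${changed:+$changed }$param"
        fi
    done
    printf '%s\n' "$changed"
}

# Constructed sample of the [general] section of ossim_setup.conf for an
# all-in-one box whose management address is 192.168.0.200.
write_sample_setup_conf() {
    cat > "$1" <<'EOF'
[general]
admin_ip=192.168.0.200
db_ip=192.168.0.200
framework_ip=192.168.0.200
server_ip=192.168.0.200
hostname=alienvault
interface=eth0
# note: box was installed with 192.168.0.200 (comment, must not be touched)
EOF
}

# Stand-alone demo on a temporary copy; on a real box the file is
# /etc/ossim/ossim_setup.conf and alienvault-reconfig must be run afterwards.
demo_file=$(mktemp)
write_sample_setup_conf "$demo_file"
echo "changed: $(update_alienvault_ips "$demo_file" 192.168.0.200 192.168.0.210)"
rm -f "$demo_file" "$demo_file.bak"
```

    On a distributed deployment only the parameters that really pointed at the renumbered box should change, so compare the printed list with the roles that box runs before executing alienvault-reconfig.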

    Rename network interfaces

    • Rename network interfaces

    - # apt-get install ifrename

    - Edit the file /etc/iftab

    - Insert a line for each network interface with the following format:

      eth0 mac 00:17:31:56:BC:2D
      eth1 mac 00:16:3E:2F:0E:9C

    - Network cards with more than one interface usually have consecutive MAC addresses. To list the MAC address of each interface run:

    • # ifconfig -a | grep HWaddr
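    The iftab lines above can be generated from the output of the ifconfig command on the slide instead of being typed by hand. The script below is an added example and not AlienVault code; the ifconfig output it parses is constructed for the example (a dual-port card with consecutive MACs plus a separate management NIC), and a duplicated MAC is reported because ifrename could not tell such interfaces apart.

```sh
#!/bin/sh
# Added example (not AlienVault code): build /etc/iftab lines for ifrename
# from the output of "ifconfig -a | grep HWaddr", the command on the slide.
# Pinning names to MAC addresses keeps eth0/eth1 from swapping across
# reboots, which would silently move the listening interface.

# Usage: iftab_from_hwaddr < <ifconfig HWaddr lines>
# Prints one "<name> mac <MAC>" line per interface, MACs in upper case as
# on the slide. Exit status 1 if the same MAC is listed twice.
iftab_from_hwaddr() {
    awk '
        {
            for (i = 1; i < NF; i++) {
                if ($i == "HWaddr") {
                    mac = toupper($(i + 1))
                    if (mac in seen) dup = 1
                    seen[mac] = 1
                    print $1, "mac", mac
                }
            }
        }
        END { if (dup) exit 1; exit 0 }
    '
}

# Constructed sample of "ifconfig -a | grep HWaddr" on a box with a dual
# port card (consecutive MACs on eth1/eth2, as the slide notes) plus a
# separate management NIC. Not captured from a real system.
SAMPLE_HWADDR='eth0      Link encap:Ethernet  HWaddr 00:17:31:56:bc:2d
eth1      Link encap:Ethernet  HWaddr 00:16:3E:2F:0E:9C
eth2      Link encap:Ethernet  HWaddr 00:16:3E:2F:0E:9D'

# Wrapper over the sample so the result can be checked without ifconfig.
iftab_from_sample() {
    printf '%s\n' "$SAMPLE_HWADDR" | iftab_from_hwaddr
}

# Stand-alone demo: on a real box, redirect the output to /etc/iftab
# (after renaming the interfaces to the names you want to keep).
iftab_from_sample
```

    The names printed are the current kernel names; edit the first column to the names you want ifrename to assign, and keep the consecutive MACs of a multi-port card together so the listening ports can be told from the management port.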

    AlienVault Local Firewall

    • AlienVault configures a firewall during the installation process. If you want to disable or enable the firewall you can do that by typing:

    ! # alienvault-setup

    • Select 'Change General Settings' and then select 'Configure Firewall'. Then, in the main menu select 'Save & Exit'.

    • If you want to add exceptions to that firewall, write your own rules (iptables firewall rules) in the following file:

    ! /etc/ossim/firewall_include

    • and execute:

    ! # alienvault-reconfig

    Basic Tools

    • Ping: Check the connection status with a remote host or gateway

    • Telnet: Communicate with another host using the TELNET protocol

    • Dig: Query a DNS server

    • Traceroute: Print the route packets take to a network host

    • Whois: Look up records in the databases maintained by several Network Information Centers (NICs)

    • Netstat: Symbolically display the contents of various network-related data structures

    • Nslookup: Check whether a DNS server is resolving the hostnames correctly or not

    Tcpdump

    • Tcpdump is a common packet analyzer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.

    ! See the list of interfaces on which tcpdump can listen:

    - # tcpdump -D

    ! Listen on interface eth0:

    - # tcpdump -i eth0

    ! Listen on any available interface:

    - # tcpdump -i any

    Tcpdump (Usage Examples)

    • Display traffic from/to host 192.168.1.1:

    ! # tcpdump host 192.168.1.1

    • Display traffic on port 22:

    ! # tcpdump port 22

    • Display all TCP traffic except port 80:

    ! # tcpdump tcp and not port 80

    • Capture any packets where the destination host is 192.168.1.1. Display IP addresses and port numbers (-n disables name resolution):

    ! # tcpdump -n dst host 192.168.1.1

    • Capture any packets where the source host is 192.168.1.1. Display IP addresses and port numbers:

    ! # tcpdump -n src host 192.168.1.1

    Tcpdump (Usage Examples II)

    • Capture any packets where the destination network is 192.168.1.0/24. Display IP addresses and port numbers:

    ! # tcpdump -n dst net 192.168.1.0/24

    • Capture any packets where the source or destination network is 192.168.1.0/24. Display IP addresses and port numbers:

    ! # tcpdump -n net 192.168.1.0/24

    • Capture any packets where the destination port is 23. Display IP addresses and port numbers:

    ! # tcpdump -n dst port 23

    • Capture any packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:

    ! # tcpdump -n dst portrange 1-1023

    Tcpdump (Usage Examples III)

    • Capture any packets with destination IP 192.168.1.1 and destination port 23. Display IP addresses and port numbers:

    ! # tcpdump -n "dst host 192.168.1.1 and dst port 23"

    • Capture any packets with destination IP 192.168.1.1 and destination port 80 or 443. Display IP addresses and port numbers:

    ! # tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)"

    • Capture only TCP packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:

    ! # tcpdump -n tcp dst portrange 1-1023

    • Capture either ICMP or ARP packets:

    ! # tcpdump -v "icmp or arp"

    • Capture any packets that are broadcast or multicast:

    ! # tcpdump -n "broadcast or multicast"

    Tcpreplay

    • Tcpreplay is a tool for replaying network traffic from files saved with tcpdump or other tools which write pcap files (Ngrep, Wireshark, Tshark...)

    • The basic operation of tcpreplay is to resend all packets from the input file(s) at the speed at which they were recorded, or at a specified data rate, up to as fast as the hardware is capable.

    • Tcpreplay provides the ability to classify traffic as client or server, edit packets at layers 2-4 and replay the traffic at arbitrary speeds onto a network for sniffing or through a device.

    Tcpreplay (Usage Examples)

    • Basic usage: replay the file sample.cap (send the traffic out of interface eth0):

    ! # tcpreplay -i eth0 sample.cap

    • To replay traffic as quickly as possible:

    ! # tcpreplay --topspeed -i eth0 sample.pcap

    • To replay traffic at half speed:

    ! # tcpreplay --multiplier=0.5 --intf1=eth0 sample.pcap

    • To replay at 25 packets per second:

    ! # tcpreplay --pps=25 -i eth0 sample.pcap

    • To replay the sample.pcap file 10 times:

    ! # tcpreplay --loop=10 -i eth0 sample.pcap

    Tcpreplay (Usage Examples II)

    • Capturing packets using Tcpdump

    ! The default tcpdump parameters result in a capture file where each packet is truncated. To ensure that you capture complete packets, use the following command:

    - # tcpdump -i <interface> -s 65535 -w <file>

    ! Capture all traffic on port 53 (interface eth0):

    - # tcpdump -i eth0 -s 65535 port 53 -w sample.cap

    ! Download packet captures (PCAP):

    - http://www.pcapr.net/

    - https://www.evilfingers.com/repository/pcaps.php

    - http://sourceforge.net/projects/networkminer/

    Ngrep

    • Ngrep strives to provide most of GNU grep's common features, applying them to the network layer.

    • Ngrep is a pcap-aware tool (Wireshark, Tcpdump...)

    • Ngrep allows you to specify extended regular expressions to match against the data payloads of packets.

    • Ngrep uses the same filtering syntax as Tcpdump

    Ngrep (Usage Examples)

    • Monitor all activity crossing source or destination port 25 (SMTP), on any interface:

    ! # ngrep -d any port 25

    • Monitor FTP activity searching for user|pass:

    ! # ngrep -wi -d any 'user|pass' port 21

    • Monitor syslog events searching for errors:

    ! # ngrep -d any 'error' port syslog

    • Monitor all outgoing web requests from machine 12.13.14.15 (interface eth0):

    ! # ngrep -d eth0 -q -t '^(GET|POST) ' 'src host 12.13.14.15 and tcp and dst port 80'

    • Determine the client application that a client host is running:

    ! # ngrep -q 'user-agent' tcp port 80

    IPTraf

    • IPTraf is a console-based network statistics utility

    • It gathers a variety of figures such as TCP connection packet and byte counts, interface statistics and activity indicators, TCP/UDP traffic breakdowns, and LAN station packet and byte counts.

    • Usage:

    ! # iptraf

    Wireshark

    • Wireshark is a GUI network protocol analyzer. It lets you interactively browse packet data from a live network or from a previously saved capture file.

    • Wireshark is a pcap-aware tool

    • Wireshark is very similar to tcpdump, but has a graphical front-end and many more information sorting and filtering options

    Etherape

    • EtherApe is a packet sniffer/network traffic monitoring tool developed for Unix.

    • Network traffic is displayed using a graphical interface. Each node represents a specific host.

    • Links represent connections to hosts. Nodes and links are color coded to represent the different protocols forming the various types of traffic on the network. Individual nodes and their connecting links grow and shrink in size with increases and decreases in network traffic.

    Tshark

    • TShark is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file.

    • TShark's native capture file format is the libpcap format (Tcpdump, Tcpreplay, Ngrep, Wireshark...).

    Tshark (Usage Examples)

    • Display the source port of all TCP packets in the file /tmp/capture.cap:

    ! # tshark -z "proto,colinfo,tcp.srcport,tcp.srcport" -r /tmp/capture.cap

    • Display the network packets of an IP address in the file /tmp/capture.cap:

    ! # tshark -R "ip.addr == 192.168.0.1" -r /tmp/capture.cap

    • Display HTTP response codes:

    ! # tshark -o "tcp.desegment_tcp_streams:TRUE" -i eth0 -R "http.response" -T fields -e http.response.code

    • Display MySQL queries sent to a MySQL server:

    ! # tshark -i any -T fields -R mysql.query -e mysql.query

    Ethtool / mii-tool

    • Ethtool

    ! Ethtool displays or changes Ethernet card settings (link, negotiation info, statistics...)

    ! Usage: # ethtool <interface>

    - # ethtool eth0

    • Mii-tool

    ! Mii-tool checks or sets the status of a network interface

    - Usage:

    • # mii-tool

    Dsniff

    • Dsniff automatically detects and minimally parses each application protocol, only saving the interesting bits, and uses Berkeley DB as its output file format, only logging unique authentication attempts.

    ! tcpkill: Kills specified in-progress TCP connections

    ! urlsnarf: Outputs all requested URLs sniffed from HTTP traffic

    ! msgsnarf: Records selected messages from AOL Instant Messenger, ICQ 2000, IRC, MSN Messenger, or Yahoo Messenger chat sessions.

    ! filesnarf: Saves files sniffed from NFS traffic in the current working directory.

    Nmap

    • Nmap is a tool for network exploration and security auditing.

    ! Basic IP scan

    - # nmap 172.18.1.1

    ! IP scan with OS and service detection

    - # nmap -sV -O 172.18.1.1

    ! Network scan

    - # nmap 172.18.1.*

    - # nmap 172.18.1.0/16

    ! Scan port 22 of every host in the network

    - # nmap -p22 192.168.1.0/16

    ! Find unused IPs on a given subnet

    - # nmap -T4 -sP 192.168.2.0/24 && egrep "00:00:00:00:00:00" /proc/net/arp

    Honeypots

    • A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.

    • A honeypot consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.

    Figure: what a honeypot collects: port scans, shellcodes, spam, vulnerability scans, malware

    Honeypots

    • mwcollect

    ! Mwcollect is a versatile malware collection daemon, uniting the best features of nepenthes and honeytrap, licensed under the LGPL.

    ! http://www.mwcollect.org

    • Dionaea

    ! Dionaea is a malware collection honeypot focusing primarily on SMB emulation. Dionaea uses Python as its scripting language, uses libemu to detect shellcodes, and supports IPv6 and TLS.

    ! http://www.mwcollect.org

    Honeypots

    • Amun

    ! Amun is a low-interaction honeypot designed to capture autonomous spreading malware in an automated fashion. Amun is written in Python and therefore allows easy integration of new features.

    ! http://amunhoney.sf.net

    • Omnivora

    ! Omnivora is a low-interaction honeypot for systems running Windows operating systems and is implemented using Borland Delphi.

    ! http://www.ohloh.net/p/omnivora

    Websites - Security

    • http://www.shadowserver.org

    ! Malware, botnet activity, electronic fraud...

    • http://isc.sans.edu

    ! Analysis and warning service against malicious attackers

    • http://www.osvdb.org

    ! Open Source Vulnerability Database

    • http://www.securityfocus.org

    ! Discussion on computer security related topics

    • http://www.exploit-db.com

    ! Archive of exploits and vulnerable software.

    Websites - Malware

    • Malware samples

    ! http://www.malwareurl.com

    ! http://www.malwaredomainlist.com

    • Malware analysis

    ! http://www.virustotal.com

    ! http://www.threatexpert.com

    ! http://www.offensivecomputing.net

    WARNING: These sites contain samples of live malware. Use at your own risk.

    Backtrack

    • BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking.

    ! http://www.backtrack-linux.org/

    Metasploit

    • The Metasploit Framework is the open source penetration testing framework with the world's largest database of public, tested exploits.

    • Metasploit is part of the software included in BackTrack

    ! http://www.metasploit.com

    Metasploitable

    • Metasploitable is an Ubuntu 8.04 server install on a VMware 6.5 image. A number of vulnerable packages are included, including an install of Tomcat 5.5 (with weak credentials), distcc, TikiWiki, TWiki, and an older MySQL.

    ! http://blog.metasploit.com/2010/05/introducing-metasploitable.html

    ! http://www.metasploit.com/documents/express/Metasploitable.zip.torrent

    Integrated Tools

    Tools Classification

    • Tools integrated in AlienVault can be classified into two categories according to the behavior of these tools within the network being monitored.

    ! Active: they generate traffic within the network that is being monitored.

    ! Passive: they analyze network traffic without generating any traffic within the monitored network.

    The passive tools require a port mirroring/port SPAN configured in the network equipment to be able to analyze all the traffic of the monitored network(s).

    Snort

    PASSIVE TOOL

    NIDS

    • Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS).

    ! http://www.snort.org

    • Snort generates security events when analyzing the network traffic

    • Snort combines signature, protocol, and anomaly-based inspection

    • Utility within AlienVault:

    ! Port scans

    ! Worms

    ! Malware

    ! Policy violations (P2P, IM, porn, games...)

    Snort

    PASSIVE TOOL

    NIDS

• Virus and Trojans

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET VIRUS Bugbear@MM virus via SMTP"; flow: established; content:"uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQk/xWcEQmDxCTD"; reference:url,www.symantec.com/avcenter/venc/data/[email protected]; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001764; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_BugBear; sid: 2001764; rev:6;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM UPX encrypted file download - possible worm"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"|00|code|00|"; content:"|00 C0|text|00|"; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001047; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/WORM_Suspicious_Extensions; sid: 2001047; rev:6;)

• Scans

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET SCAN Unusually Fast 403 Error Messages, Possible Web Application Scan"; flow:from_server,established; content:"HTTP/1.1 403"; depth:13; threshold: type threshold, track by_dst, count 35, seconds 60; classtype:attempted-recon; reference:url,www.checkupdown.com/status/E403.html; reference:url,doc.emergingthreats.net/2009749; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_403; sid:2009749; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"ET SCAN Rapid POP3 Connections - Possible Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 10, seconds 120; classtype: misc-activity; reference:url,doc.emergingthreats.net/2002992; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_General_Services; sid: 2002992; rev:5;)
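The two scan rules above only fire once a threshold of matches is reached, which is what separates a single 403 from a web application scan. As an added example (not code from the course or from Snort), the following Python parser breaks a rule into its header and the options an analyst triages on: msg, sid, classtype, content matches and the threshold clause. The input is the two scan rules quoted on the slide, copied into a constructed rules file body; the helper names are this example's own.

```python
import re

# Constructed input: the two scan rules quoted on the slide, one per line, in the
# form of a rules file (comments and blank lines included on purpose).
SAMPLE_RULES = """
# scan detection rules from the slide
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET SCAN Unusually Fast 403 Error Messages, Possible Web Application Scan"; flow:from_server,established; content:"HTTP/1.1 403"; depth:13; threshold: type threshold, track by_dst, count 35, seconds 60; classtype:attempted-recon; reference:url,www.checkupdown.com/status/E403.html; reference:url,doc.emergingthreats.net/2009749; sid:2009749; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"ET SCAN Rapid POP3 Connections - Possible Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 10, seconds 120; classtype: misc-activity; reference:url,doc.emergingthreats.net/2002992; sid: 2002992; rev:5;)
"""

# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$"
)


def split_options(body):
    """Split the option body on ';' outside double quotes and return (keyword, value)
    pairs; quotes around values are stripped, keywords without ':' get an empty value."""
    chunks, current, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            chunks.append("".join(current))
            current = []
        else:
            current.append(ch)
    if "".join(current).strip():
        chunks.append("".join(current))
    pairs = []
    for raw in chunks:
        raw = raw.strip()
        if raw:
            key, _, value = raw.partition(":")
            pairs.append((key.strip(), value.strip().strip('"')))
    return pairs


def parse_threshold(value):
    """'type both, track by_src, count 10, seconds 120' -> dict, numbers as ints."""
    out = {}
    for part in value.split(","):
        key, _, val = part.strip().partition(" ")
        val = val.strip()
        out[key] = int(val) if val.isdigit() else val
    return out


def parse_rule(rule):
    """Parse one rule into its header fields plus the options worth triaging."""
    match = HEADER_RE.match(rule.strip())
    if not match:
        raise ValueError("not a Snort rule: %r" % rule[:40])
    info = {k: match.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    info.update(msg=None, sid=None, rev=None, classtype=None,
                references=[], threshold=None, contents=[])
    for key, value in split_options(match.group("options")):
        if key == "msg":
            info["msg"] = value
        elif key == "sid":
            info["sid"] = int(value)
        elif key == "rev":
            info["rev"] = int(value)
        elif key == "classtype":
            info["classtype"] = value
        elif key == "reference":
            info["references"].append(value)
        elif key == "threshold":
            info["threshold"] = parse_threshold(value)
        elif key == "content":
            info["contents"].append(value)
    return info


def parse_rules(text):
    """Parse a rules file body, skipping comments and blank lines."""
    return [parse_rule(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def rate_limited(rules):
    """sid -> (count, seconds) for rules that only alert after repeated matches:
    these are the scan and brute-force signatures where one packet is no evidence."""
    return {r["sid"]: (r["threshold"]["count"], r["threshold"]["seconds"])
            for r in rules
            if r["threshold"] and r["threshold"]["type"] in ("threshold", "both")}
```

Knowing which signatures carry a threshold matters when tuning: lowering `count` or raising `seconds` on the POP3 rule changes how early a brute-force attempt surfaces as an AlienVault event, and the parser makes that inventory mechanical.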

Ntop

PASSIVE TOOL

Network Monitor

• Ntop is a network probe that shows network usage in a way similar to what top does for processes. Ntop is a network traffic and usage monitor.

! http://www.ntop.org

• Ntop provides information (real-time and historical) on network usage.

• Utility within AlienVault:

! Network usage statistics

! Asset information

! Time and activity matrices

! Real-time session monitoring

Ntop - RRD Aberrant Behaviour

PASSIVE TOOL

Network Anomalies

! Analyzing the historical data, Ntop uses the RRD Aberrant Behaviour algorithm to draw predictions of the future behaviour of our assets and networks.

! If the prediction differs from the real traffic, an event is generated in AlienVault.
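RRDtool's aberrant behaviour detection is built on Holt-Winters forecasting: a smoothed level, trend and seasonal coefficient give the prediction, and a smoothed per-slot deviation gives the confidence band. The following Python block is an added illustration of that mechanism, written for this page; it is not Ntop's or RRDtool's code, the smoothing parameters and the band floor are assumptions, and the traffic series is constructed (a 4-sample cycle with one injected spike).

```python
# Constructed traffic series: bytes per interval with a period of 4 samples, five
# periods long, with one injected spike at index 13. Not real Ntop/RRD data.
BASELINE = [100, 300, 500, 200]
SAMPLE_TRAFFIC = BASELINE * 5
SAMPLE_TRAFFIC[13] = 2000


def holt_winters_detect(series, period, alpha=0.3, beta=0.05, gamma=0.3,
                        delta=2.0, floor_ratio=0.1):
    """Additive Holt-Winters forecast with a per-slot deviation band.

    Level, trend and seasonal terms are smoothed with alpha/beta/gamma; the smoothed
    absolute forecast error of each seasonal slot defines the band, and a sample
    further than delta * deviation from its forecast is flagged. The first season
    only seeds the model. Returns (index, observed, forecast, flagged) per later point.
    """
    if len(series) < 2 * period:
        raise ValueError("need at least two full seasons of history")
    level = sum(series[:period]) / period
    trend = 0.0
    seasonal = [y - level for y in series[:period]]
    # Floor the band: a perfectly regular history would otherwise shrink it to zero
    # and every tiny fluctuation would be reported.
    floor = floor_ratio * abs(level)
    deviation = [floor] * period
    results = []
    for t in range(period, len(series)):
        y, slot = series[t], t % period
        forecast = level + trend + seasonal[slot]
        err = y - forecast
        flagged = abs(err) > delta * max(deviation[slot], floor)
        results.append((t, y, forecast, flagged))
        # Update after scoring, so the sample is judged against the forecast made
        # before it was seen.
        new_level = alpha * (y - seasonal[slot]) + (1 - alpha) * (level + trend)
        trend = beta * (new_level - level) + (1 - beta) * trend
        seasonal[slot] = gamma * (y - new_level) + (1 - gamma) * seasonal[slot]
        deviation[slot] = gamma * abs(err) + (1 - gamma) * deviation[slot]
        level = new_level
    return results


def flagged_indices(series, period, **kw):
    """Indices at which the observed traffic left the prediction band."""
    return [t for t, _, _, flagged in holt_winters_detect(series, period, **kw) if flagged]


if __name__ == "__main__":
    for t, y, fc, flagged in holt_winters_detect(SAMPLE_TRAFFIC, 4):
        print("%2d observed=%6.0f forecast=%8.1f %s" % (t, y, fc, "ANOMALY" if flagged else ""))
```

Note the behaviour right after the spike: the level and seasonal term absorb part of it, so the next few forecasts are off and also fall outside the band. RRDtool handles this with a failure window (a threshold of violations within a window before reporting); the same consideration applies when deciding how many Ntop anomaly events should become one AlienVault alarm.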

Fprobe

PASSIVE TOOL

NetFlow generator

! Fprobe is a tool that collects network traffic data and emits it as NetFlow flows towards the specified collector (NFdump in AlienVault).

- http://fprobe.sf.net

An AlienVault Sensor running Fprobe emits NetFlows when collecting the network traffic (port mirroring / hub / network tap...).

The AlienVault Web Interface (Framework) runs the NetFlow collector.

The major manufacturers implement the ability to send NetFlows into their devices; in that case it is not necessary to use Fprobe.

NFDump

PASSIVE TOOL

NetFlow collection

! The nfdump tools collect and process NetFlow data.

- http://nfdump.sourceforge.net/

NFDump runs on the box running the AlienVault Web Interface.

NFSen

Web Based Tool

! NFSen is a graphical web based front end for the nfdump NetFlow tools.

- http://nfsen.sourceforge.net/

! NetFlow is a network protocol developed by Cisco Systems to run on Cisco IOS-enabled equipment for collecting IP traffic information.

! It is supported by platforms other than IOS such as Juniper, Linux, FreeBSD or OpenBSD.
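Whether the flows come from Fprobe on a Sensor or from a router, the collector receives the same thing: UDP datagrams of fixed-layout records. As an added example that is not part of the course, Fprobe or nfdump, the block below packs and parses NetFlow version 5 (the classic 24-byte header plus 48-byte records; choosing v5 rather than v9/IPFIX is this example's assumption) and then derives two things a collector can report without any payload: usage per source, and sources whose TCP flows are single-packet SYNs. The flows are constructed, not captured.

```python
import socket
import struct
from typing import NamedTuple

# NetFlow v5 wire layout (big-endian): 24-byte header, then up to 30 48-byte records.
V5_HEADER = struct.Struct(">HHIIIIBBH")
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")


class Flow(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int
    tcp_flags: int


# Constructed flows standing in for what a Sensor's Fprobe would export (not a capture).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 51234, 443, 6, 20, 15000, 0x1b),
    Flow("10.0.0.5", "192.0.2.11", 51235, 443, 6, 12, 9000, 0x1b),
    Flow("10.0.0.7", "192.0.2.20", 40000, 22, 6, 1, 60, 0x02),   # lone SYN, nothing else
]


def build_v5_packet(flows, uptime_ms=60000, unix_secs=1300000000, sequence=1):
    """Exporter side: pack flows into one NetFlow v5 datagram."""
    if len(flows) > 30:
        raise ValueError("NetFlow v5 carries at most 30 records per datagram")
    header = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, sequence, 0, 0, 0)
    records = b"".join(
        V5_RECORD.pack(socket.inet_aton(f.src), socket.inet_aton(f.dst), b"\0\0\0\0",
                       0, 0, f.packets, f.octets, uptime_ms - 1000, uptime_ms,
                       f.sport, f.dport, 0, f.tcp_flags, f.proto, 0, 0, 0, 0, 0, 0)
        for f in flows)
    return header + records


def parse_v5_packet(data):
    """Collector side: validate the header, then unpack every announced record."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, _uptime, unix_secs, _nsecs, sequence, _etype, _eid, _sampling = \
        V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError("unsupported NetFlow version %d" % version)
    if len(data) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("header announces %d records but datagram is truncated" % count)
    flows = []
    for i in range(count):
        fields = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        (src, dst, _nexthop, _inif, _outif, packets, octets, _first, _last, sport, dport,
         _pad1, tcp_flags, proto, _tos, _sas, _das, _smask, _dmask, _pad2) = fields
        flows.append(Flow(socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport,
                          proto, packets, octets, tcp_flags))
    return {"sequence": sequence, "unix_secs": unix_secs, "flows": flows}


def is_valid_v5(data):
    try:
        parse_v5_packet(data)
        return True
    except ValueError:
        return False


def usage_by_source(flows):
    """Per-source totals (flow count, octets): the usage view the slides describe."""
    totals = {}
    for f in flows:
        n, b = totals.get(f.src, (0, 0))
        totals[f.src] = (n + 1, b + f.octets)
    return totals


def syn_only_sources(flows):
    """Sources whose TCP flows are one SYN packet and no other flags: a cheap
    scan indicator a collector can raise with no access to packet payload."""
    return sorted({f.src for f in flows
                   if f.proto == 6 and f.packets == 1 and f.tcp_flags == 0x02})
```

The length check before unpacking is the part worth keeping: the record count comes from the datagram itself, so a collector that trusts it blindly reads past the buffer on a truncated or malformed export.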

OCS Inventory Agent

ACTIVE TOOL

• Open Computer and Software Inventory Next Generation (OCS Inventory NG) is free software that enables users to inventory their IT assets.

! http://www.ocsinventory-ng.org

• OCS-NG collects information about the hardware and software of networked machines running the OCS client program ("OCS Inventory Agent").

    • Utility within AlienVault

    ! Inventory Management (Software & Hardware)

    !  Vulnerability Management

    ! Policy violations

    ! Hardware monitoring

Nagios

ACTIVE TOOL

Availability Monitor

Agent - Web

• Nagios is a computer system and network monitoring software application.

• It watches hosts and services, alerting users when things go wrong and again when they get better.

! http://www.nagios.org

• Multiple checks (of different complexity) can be configured in Nagios. E.g.: MySQL Server

! Check whether the host is up or not

! Check whether the MySQL port is opened or closed

! Check whether there is a MySQL listening on that port

! Do a query and check the result
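The four checks differ in what they prove: an open port says nothing about what answers on it. As an added example (not part of the course or of the Nagios plugins collection), the Python plugin below implements the middle two stages and returns Nagios exit codes: it connects to the port, then decodes the greeting a MySQL server sends before the client transmits anything, and distinguishes "port open, MySQL answering" (OK) from "port open, something else listening" (WARNING) and "closed or unreachable" (CRITICAL). The host-up check is Nagios's own host check and the query stage needs credentials and a client library, so both stay outside this block; the greeting bytes used to exercise the parser are constructed, not captured.

```python
import socket
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3   # Nagios plugin exit codes


def tcp_connect(host, port, timeout=3.0):
    """Port check: a connected socket, or None when the port is closed or filtered."""
    try:
        return socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None


def parse_mysql_greeting(data):
    """Decode the handshake a MySQL server sends first, before the client speaks.
    Wire format: 3-byte little-endian payload length, 1-byte sequence id (0), then
    protocol version (10 on current servers) and a NUL-terminated server version.
    Raises ValueError when the bytes are not that handshake."""
    if len(data) < 5:
        raise ValueError("greeting too short")
    length = int.from_bytes(data[0:3], "little")
    if data[3] != 0:
        raise ValueError("sequence id %d, expected 0" % data[3])
    payload = data[4:4 + length]
    if len(payload) < 2:
        raise ValueError("empty payload")
    if payload[0] == 0xFF:
        # ERR packet: a MySQL server answered but refuses this client (e.g. host not allowed).
        raise ValueError("server sent an error packet instead of a handshake")
    end = payload.find(b"\x00", 1)
    if end < 0:
        raise ValueError("unterminated server version string")
    return payload[0], payload[1:end].decode("ascii", "replace")


def classify_greeting(data):
    """Map raw bytes read from the port to a Nagios state and message."""
    try:
        protocol, version = parse_mysql_greeting(data)
    except ValueError as exc:
        return WARNING, "WARNING - port open but not a MySQL handshake (%s)" % exc
    return OK, "OK - MySQL protocol %d, server version %s" % (protocol, version)


def check_mysql_listener(host, port=3306, timeout=3.0):
    """Staged check: port reachable, then a MySQL server answering. Returns (state, msg)."""
    sock = tcp_connect(host, port, timeout)
    if sock is None:
        return CRITICAL, "CRITICAL - %s:%d unreachable or closed" % (host, port)
    try:
        data = sock.recv(1024)
    except OSError as exc:
        return CRITICAL, "CRITICAL - connected but no greeting: %s" % exc
    finally:
        sock.close()
    return classify_greeting(data)


def build_greeting(server_version=b"5.5.62-0+deb8u1"):
    """Constructed handshake bytes for exercising the parser offline (not a capture)."""
    payload = b"\x0a" + server_version + b"\x00" + b"\x07\x00\x00\x00" + b"salt1234" + b"\x00"
    return len(payload).to_bytes(3, "little") + b"\x00" + payload


if __name__ == "__main__":
    state, message = check_mysql_listener(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")
    print(message)
    sys.exit(state)
```

Usage: `python check_mysql_listener.py db01` from a Nagios command definition; the exit code drives the service state and the printed line becomes the status text. The ERR-packet branch is the case that catches people: the server is up and the port answers, but the monitoring host is not in the grant tables, which is a configuration fault rather than a MySQL outage.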

Nagios

ACTIVE TOOL

Availability Monitor

Agent - Web

• Utility within AlienVault:

! Availability monitoring (as any other Data Source)

! Availability monitoring by request (during logical correlation)

• Nagios can do checks remotely or with an agent deployed on the host that is being monitored.

• Nagios has a wide number of plugins to monitor different devices and applications.

OpenVAS

ACTIVE TOOL

Vulnerability Scanning

• OpenVAS (Open Vulnerability Assessment System) is a framework of several services and tools offering a vulnerability scanning and vulnerability management solution.

! http://www.openvas.org

• OpenVAS uses signatures to identify vulnerabilities in the hosts of our network.

• Utility within AlienVault:

! Attack prevention (we know what is vulnerable)

! Is the network policy being violated?

! Shared folders, forbidden activities...

! Compliance monitoring

OpenVAS

ACTIVE TOOL

Vulnerability Scanning

• Some vulnerabilities can only be verified by actually exploiting them (e.g.: DoS).

• OpenVAS allows fine-tuning of the scanning aggressiveness.

• OpenVAS is able to perform local scans on remote machines if valid credentials for them are provided.

Mis-configured scans may severely impact the scanned network. After installation, the first scanning profiles have to be defined and watched over very carefully.

The OpenVAS component that scans the network is installed by default in each AlienVault Sensor.

Nikto

ACTIVE TOOL

Vulnerability Scanning

• Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items.

! http://cirt.net/nikto2

• Nikto scans web servers to find potential problems and security vulnerabilities, including:

    ! Server and software misconfigurations

    ! Default files and programs

    ! Insecure files and programs

    ! Outdated servers and programs

OSVDB Database

• OSVDB is an independent and open source database created by and for the security community.

• The goal of the project is to provide accurate, detailed, current and unbiased technical information on security vulnerabilities.

    ! http://www.osvdb.org

    ! Usage within AlienVault

    - Correlation rule creation

    - Vulnerability identifier cross-relation

    - Complements OpenVas scanning information

OSVDB Database

Vulnerability Description

    • Vulnerability Description

    • Indicators and references

OSVDB Database

Tool relationships

    • Tool relationships

    • CVSSv2 Score (Common Vulnerability Scoring System):

OSSEC

ACTIVE TOOL

HIDS

Agents

• OSSEC is a HIDS (Host-level Intrusion Detection System) that features log analysis, rootkit detection, system integrity checking and Windows registry monitoring.

! http://www.ossec.org

• OSSEC requires an agent to be installed for monitoring (except for SSH-accessible systems).

Deployment (figure): the OSSEC Server runs in the AlienVault Sensor; SSH-accessible systems use OSSEC agent-less collection; Windows and Mac OS X systems run the OSSEC Agent.

OSSEC

ACTIVE TOOL

HIDS

Agents

• OSSEC is based on a client -> server architecture. AlienVault collects events from the OSSEC server (installed in the AlienVault Sensor).

• OSSEC provides its own plugin system used for Windows and UNIX tool analysis.

    • Utility within OSSIM:

    ! Windows and Unix log collection

    !  Application log collection

    ! Registry, file and folder monitor (DLP)

Kismet

PASSIVE TOOL

WIDS

• Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system.

• http://www.kismetwireless.net

• Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and (with appropriate hardware) can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic.

    • Utility within AlienVault:

    ! Securing WIFI network.

    ! Rogue AP detection

    ! Compliance enforcement (PCI Wireless requirements)

Nmap

ACTIVE TOOL

Scanner

• Nmap is a security scanner used to discover hosts and services on a computer network.

! http://www.nmap.org

• Nmap provides customizable options for host and network scanning (speed, range, precision…).

• Utility within AlienVault:

! Asset discovery

! Open port discovery

! Service version discovery

! Operating system manufacturer and version discovery

P0f

PASSIVE TOOL

OS Fingerprinting

    • P0f is a versatile passive OS fingerprinting tool

    ! http://lcamtuf.coredump.cx/p0f.shtml

• Passive operating system detection based on traffic pattern analysis.

    • Utility within AlienVault:

    ! Operating System changes

    ! Inventory Management

    ! Unauthorized network access

PADS

PASSIVE TOOL

Services Fingerprinting

• PADS is a signature based detection engine used to passively detect network assets.

    ! http://passive.sourceforge.net

    • Utility within AlienVault:

    ! Inventory Management

    ! Service version changes

    ! Policy violations

    ! Inventory correlation

Arpwatch

PASSIVE TOOL

MAC Fingerprinting

• Arpwatch is an Ethernet monitor program that keeps track of Ethernet/IP address pairings.

! http://ee.lbl.gov

• Utility within AlienVault:

! Inventory Management

! IP address change detection

! ARP spoofing detection
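All three uses above come from one piece of state: the MAC each IP was last seen with. As an added example that is not arpwatch's code or the course's, the Python block below keeps that pairing table and emits the three event kinds arpwatch itself logs (new station, changed ethernet address, flip flop), then derives the spoofing indicators from them: an IP that bounces between two MACs, and one MAC answering for several IPs. The ARP observations are constructed, not captured.

```python
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed ARP observations (timestamp, ip, mac), standing in for the replies a
# sensor on a mirrored port would hand to arpwatch. Not a real capture.
SAMPLE_ARP = [
    ("2011-01-10 09:00:01", "192.168.1.1", "00:11:22:33:44:55"),
    ("2011-01-10 09:00:05", "192.168.1.20", "AA:BB:CC:DD:EE:01"),
    ("2011-01-10 09:00:09", "192.168.1.1", "00:11:22:33:44:55"),
    ("2011-01-10 09:01:00", "192.168.1.1", "de:ad:be:ef:00:01"),  # gateway IP answered by a new MAC
    ("2011-01-10 09:01:10", "192.168.1.1", "00:11:22:33:44:55"),  # ...and back again
    ("2011-01-10 09:02:00", "192.168.1.30", "aa:bb:cc:dd:ee:02"),
]


class PairingTracker:
    """Current and previous MAC for every IP, like arpwatch's pairing database."""

    def __init__(self):
        self.current = {}    # ip -> mac believed to own it now
        self.previous = {}   # ip -> mac it had before the last change

    def observe(self, ts, ip, mac):
        """Record one ARP reply; return an event tuple or None when nothing changed."""
        mac = mac.lower()
        if not MAC_RE.match(mac):
            raise ValueError("malformed MAC %r" % mac)
        old = self.current.get(ip)
        event = None
        if old is None:
            event = ("new station", ts, ip, mac, None)
        elif old != mac:
            # Returning to the MAC seen before the last change is a 'flip flop': the
            # footprint of a spoofer and the real owner answering in turn.
            kind = "flip flop" if self.previous.get(ip) == mac else "changed ethernet address"
            event = (kind, ts, ip, mac, old)
            self.previous[ip] = old
        self.current[ip] = mac
        return event

    def ips_per_mac(self):
        """One MAC currently answering for several IPs is another spoofing symptom."""
        out = {}
        for ip, mac in self.current.items():
            out.setdefault(mac, []).append(ip)
        return out


def replay(observations):
    """Feed observations through a fresh tracker; return it with the non-empty events."""
    tracker = PairingTracker()
    events = [tracker.observe(*obs) for obs in observations]
    return tracker, [e for e in events if e is not None]


def suspicious_ips(events):
    """IPs whose MAC changed or flipped: inventory drift or an ARP spoofing attempt."""
    return sorted({e[2] for e in events
                   if e[0] in ("changed ethernet address", "flip flop")})
```

A changed address on a workstation after a NIC swap is inventory news; the same event on the default gateway, followed by a flip flop, is the pattern worth correlating with other sensors, which is where the AlienVault policy decides how high to rank the resulting event.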

NeDi

ACTIVE TOOL

Network Discovery

• NeDi is an open source network management framework which uses scheduled discovery to examine your network.

! http://nedi.ch

• NeDi requires SNMP read access to all network hardware.

Basic Concepts

Detection

• The process of identifying behaviour that leads to the generation of an event is called Detection.

• Multiple elements are used by AlienVault to provide detection capabilities:

! Snort, Ntop, Arpwatch… (Data Sources included in AlienVault)

! Existing corporate applications/tools

! Tools that have been deployed prior to the AlienVault installation (firewalls, antivirus…)

Example events (figure): "ET VIRUS W32.Opaserv Worm Infection" (Snort) and "Firewall: Traffic Dropped, Port 139".

Collection

• The task that determines which events shall be collected into AlienVault is called Collection. Collection is done by the AlienVault Sensors.

• AlienVault can collect events using multiple methods; some of them require configuring the Data Source to send events to the AlienVault Sensor (e.g.: Syslog, FTP...). When other collection methods are used, the AlienVault Sensor gathers the events from the application or device (WMI, SQL, SCP...).

• AlienVault uses regular expressions to determine the format in which the events will be arriving at the system.

Collection methods (figure): Syslog, SQL, WMI. The regular expression in the AlienVault Sensor filters the events that have to be collected.

Normalization

• The process of translating the events generated by different tools into a single, normalized format is called Normalization.

• Normalization is done in the AlienVault Sensor.

• Information is normalized using regular expressions.

Mar 22 20:40:15 ossim-A su[27992]: Successful su for root by root

event type="detector" date="2008-03-22 20:40:15" sensor="192.168.1.109" interface="eth0" plugin_id="4005" plugin_sid="2" src_ip="192.168.1.109" dst_ip="192.168.1.109" userna
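The su line and the normalized event above are the two ends of one regular expression. As an added example written for this page, not the AlienVault agent's own plugin code, the Python block below performs that translation: a syslog regex splits timestamp, host, program and message, a small rule table stands in for one plugin definition, and the matching rule supplies plugin_sid and the named fields. plugin_id 4005 and plugin_sid 2 for a successful su are the values on the slide; the sid for a failed su, the sensor address defaults and the key="value" serialization order are this example's assumptions.

```python
import re
from datetime import datetime

# Syslog line from the slide (BSD syslog: no year, no timezone).
SAMPLE_LINE = "Mar 22 20:40:15 ossim-A su[27992]: Successful su for root by root"

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+(?P<prog>[\w./-]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<msg>.*)$"
)

# Hypothetical rule table standing in for one AlienVault plugin: plugin_id 4005 and
# plugin_sid 2 for a successful su appear on the slide; sid 1 for a failure is assumed.
PLUGIN_ID = 4005
SU_RULES = [
    (2, re.compile(r"Successful su for (?P<username>\S+) by (?P<userdata1>\S+)")),
    (1, re.compile(r"FAILED su for (?P<username>\S+) by (?P<userdata1>\S+)")),
]


def normalize(line, sensor="192.168.1.109", interface="eth0", year=2008):
    """Turn one raw syslog line into the normalized event dictionary, or None when
    no rule matches (such lines are simply not forwarded by the sensor)."""
    m = SYSLOG_RE.match(line)
    if not m or m["prog"] != "su":
        return None
    # BSD syslog omits the year, so the collector has to supply it (2008 on the slide).
    ts = datetime.strptime("%d %s %s %s" % (year, m["mon"], m["day"], m["time"]),
                           "%Y %b %d %H:%M:%S")
    for sid, rule in SU_RULES:
        hit = rule.search(m["msg"])
        if hit:
            return {
                "type": "detector",
                "date": ts.strftime("%Y-%m-%d %H:%M:%S"),
                "sensor": sensor,
                "interface": interface,
                "plugin_id": PLUGIN_ID,
                "plugin_sid": sid,
                # A local su has no network endpoints, so both sides are the sensor itself.
                "src_ip": sensor,
                "dst_ip": sensor,
                "username": hit["username"],
                "userdata1": hit["userdata1"],
                "log": line,
            }
    return None


def to_event_line(event):
    """Serialize in the key="value" form the slide shows."""
    return "event " + " ".join('%s="%s"' % (k, v) for k, v in event.items())


if __name__ == "__main__":
    print(to_event_line(normalize(SAMPLE_LINE)))
```

Everything downstream (policy, correlation, reporting) keys on plugin_id and plugin_sid, so a rule that matches the wrong message silently mislabels events; testing each regex against a real sample line, as done here, is the cheapest check when writing a plugin.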