Michael Starks 2009 Immutable Security http://www.immutablesecurity.com
OSSEC in the Enterprise
Open Source Log Management, Analysis and Intrusion Detection
Rochester Security Summit, October 29, 2009
Michael Starks, CISSP, CISA, GSNA
Agenda
What is OSSEC?
Log Analysis
Integrity Monitoring
Rootkit Detection
Policy Monitoring
Alerting
Active Response
OSSEC WebUI
Why OSSEC?
Risks & Countermeasures
Enterprise Considerations
Demo
Questions
What is OSSEC?
OSSEC is an Open Source Host-based Intrusion Detection System. It performs log
analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting
and active response.
Source: http://www.ossec.net
What is OSSEC?
Put another way...
OSSEC is security software that looks for bad stuff on the actual host
Multi-Platform
Works on Windows and most Unix-like systems
Centrally Managed
Client/server architecture
Almost everything can be managed from the OSSEC manager
Restart agents
Start integrity checks
Tune rules
Block attacks
Single Installation
Manager and agent on one machine
Distributed
Centralized manager and distributed agents
Distributed
Multiple managers and multiple agents
Redundant
Fail over to one or more managers
Flexible and Extensible
Easily add support for custom applications
Integrate with commercial SIEMs
Analyze logs on existing syslog servers
Secure by Default
Privilege separated processes
Chroot where possible
Secure programming practices
Encrypted message transport using IP restrictions and replay prevention
Supported
Community
IRC: #OSSEC on Freenode
Mailing lists:
ossec-list
ossec-dev
www.ossec.net
Commercial
Trend Micro
OSSEC Host-Based Intrusion Detection Guide
Fast and Efficient
Analyze millions of events per day
...in real-time
...using commodity hardware
Extensive Application Support
Dozens of decoders and hundreds of rules out of the box
Unix Pam, sshd (OpenSSH), Solaris telnetd, Samba, Su, Sudo, Proftpd, Pure-ftpd, vsftpd, Microsoft FTP server, Solaris ftpd, Imapd, Postfix, Sendmail, vpopmail, Microsoft Exchange, Apache, IIS5, IIS6,
Horde IMP, Iptables, IPF, PF, Netscreen, Cisco PIX/ASA/FWSM, Snort, Cisco IOS, Nmap, Symantec AV, Arpwatch, Named, Squid,
Windows event logs, VMWare
Free
Open source
Budget friendly
Log Analysis
The heart of OSSEC
LIDS
Log-based Intrusion Detection
Not a log management tool
Analyzes (but does not store) every log
A Slight Detour
What if the attacker deletes the logs?
Will you have all the pieces of the puzzle?
Robust log management strategies help OSSEC do its job
Log Management
Corporate policy should define the need for logging
Log Management
Corporate standards should define system audit settings, such as:
What to audit
Frequency of log rotation
Log format
Method of communication
Log Management
Logs should, wherever possible, be converted from a proprietary format to a standardized
and normalized format (e.g. syslog)
Log Management
Logs should be centralized and stored on a hardened, purpose-specific server, with no unnecessary or unrelated services running
Log Management
Systems should be synchronized with a common, trusted time source
Log Management
Logs contain sensitive information and should be encrypted in transit wherever possible
Log Management
A copy of each log should be available both locally and centrally
In the event of a compromise, the trusted log server can be compared with the local logs
Log Management
Logs should be maintained online and archived offline according to
regulatory or policy requirements
Log Management
Access to logs should be on a need-to-know and least-privileged basis
Log Management
Access to logs should always be read-only
Log Flow Through OSSEC
Tree-like structure; each log moves up through the stages in this order:
Log enters system
Pre-decode
Decode
Analysis
Alert
Log Enters System
Secure (encrypted)
Insecure (syslog)
Localhost
Pre-Decoding and Decoding
Extracts individual parts of the log and places them into “buckets”
Useful later on when writing rules
Example buckets: user -> Bob, src_ip -> 172.16.3.4, id -> 528, url -> nsa.gov
SSHd Log Pre-Decoded
Extracts known fields from logs (e.g. time)
Compiled in for efficiency
Log comes in as:
Apr 14 17:32:06 hostname sshd[1025]:
OSSEC pre-decodes it as:
time/date -> Apr 14 17:32:06
hostname -> hostname
program_name -> sshd
SSHd Log Fully Decoded
Log comes in as:
Apr 14 17:32:06 hostname sshd[1025]: Accepted password for root from 192.168.2.190 port 1618 ssh2
OSSEC decodes it as:
Pre-decoded:
time/date -> Apr 14 17:32:06
hostname -> hostname
program_name -> sshd
Decoded:
log -> Accepted password for root from 192.168.2.190 port ...
srcip -> 192.168.2.190
user -> root
SSHd Log Decoder
<decoder name="sshd">
  <program_name>^sshd</program_name>
</decoder>

<decoder name="sshd-success">
  <parent>sshd</parent>
  <prematch>^Accepted</prematch>
  <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port </regex>
  <order>user, srcip</order>
</decoder>
Will there be a test?
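To make the pre-decode and decode stages concrete, here is an added Python example; it is my own code, not part of the slides and not OSSEC's decoder engine. It loads the two decoder definitions from the slide above, pre-decodes the syslog header, then applies the parent/child logic (program_name, prematch, offset="after_prematch", regex, order) to the sshd line. It treats the slide's patterns as Python regular expressions, which works for this subset although OSSEC has its own regex dialect; the syslog header pattern, the field name "timestamp" and the dropping of the pid are this example's simplifications.

```python
import re
import xml.etree.ElementTree as ET

# The two decoders from the slide, wrapped in a root element so they parse as
# one document. The regex text is OSSEC syntax; this example applies it as a
# Python regex, which is fine for this subset (assumption).
DECODERS_XML = r"""<decoders>
<decoder name="sshd"><program_name>^sshd</program_name></decoder>
<decoder name="sshd-success"><parent>sshd</parent><prematch>^Accepted</prematch><regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port </regex><order>user, srcip</order></decoder>
</decoders>"""

# Pre-decode: the syslog header fields extracted for every log. The timestamp
# layout and the pid handling are this example's simplification.
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program_name>[^\[:]+)(?:\[\d+\])?: (?P<log>.*)$")


def pre_decode(line):
    """Split the syslog header off; everything after 'program: ' is the log body."""
    m = SYSLOG_HEADER.match(line)
    return dict(m.groupdict()) if m else {"log": line}


def load_decoders(xml_text):
    """Turn <decoder> elements into dicts: name, parent, program_name, prematch, regex, order."""
    decoders = []
    for el in ET.fromstring(xml_text).findall("decoder"):
        regex_el = el.find("regex")
        decoders.append({
            "name": el.get("name"),
            "parent": el.findtext("parent"),
            "program_name": el.findtext("program_name"),
            "prematch": el.findtext("prematch"),
            "regex": regex_el.text if regex_el is not None else None,
            "offset": regex_el.get("offset") if regex_el is not None else None,
            "order": [f.strip() for f in el.findtext("order", "").split(",") if f.strip()],
        })
    return decoders


DECODERS = load_decoders(DECODERS_XML)


def decode(line, decoders=DECODERS):
    """Pre-decode, pick a parent decoder by program_name, then try its children."""
    fields = pre_decode(line)
    parent = next((d for d in decoders if d["parent"] is None and d["program_name"]
                   and re.match(d["program_name"], fields.get("program_name", ""))), None)
    if parent is None:
        return fields                      # nothing matched: only pre-decoded fields
    fields["decoder"] = parent["name"]
    log = fields["log"]
    for child in (d for d in decoders if d["parent"] == parent["name"]):
        start = 0
        if child["prematch"]:
            pm = re.search(child["prematch"], log)
            if not pm:
                continue                   # prematch is a cheap filter before the full regex
            if child["offset"] == "after_prematch":
                start = pm.end()
        if child["regex"]:
            m = re.match(child["regex"], log[start:])
            if not m:
                continue
            fields.update(zip(child["order"], m.groups()))   # fill the "buckets"
        fields["decoder"] = child["name"]
        break
    return fields


if __name__ == "__main__":
    print(decode("Apr 14 17:32:06 hostname sshd[1025]: "
                 "Accepted password for root from 192.168.2.190 port 1618 ssh2"))
```

A "Failed password" line only reaches the parent decoder, so it carries program_name but no user or srcip; that is exactly the state the rules on the following slides start from.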
Analysis (Rules)
Rules are also called signatures
Simple XML files on the manager
Independent of original log format
Two Types of Rules
Atomic: single event
Bob mistyped his password once
Composite: multiple events across logs
Bob mistyped his password 3,561 times in 3 minutes
on 16 different systems
That Looks Suspicious
I know Bob forgets his password, but...
Rules
Rules pick up where decoders leave off
Instead of writing rules for raw logs, they can be written to normalized data
(e.g. “Bob” is a “user”)
Data flows through the tree until a rule matches or doesn't match
Rules
Severity-based: levels 0 (low) to 15 (high)
Nest multiple rules for granular control
Rule groups further normalize data
● web_scan
● firewall_drop
● account_changed
● ...
Simplest Rule
If the log was decoded as SSHd, generate rule 111
Not very useful yet
<rule id="111" level="5">
  <decoded_as>sshd</decoded_as>
  <description>Logging every decoded sshd message</description>
</rule>
Dependent Rule
If rule 111 matched and the log contains “Failed Password”
set the severity (level) to 7 and the group to “authentication_failed”
<rule id="122" level="7">
  <if_sid>111</if_sid>
  <match>^Failed password</match>
  <description>Failed password attempt</description>
  <group>authentication_failed</group>
</rule>
2nd Dependent Rule
If rule 122 matched and it's that pesky Bob
Raise the severity (level) to 12
<rule id="133" level="12">
  <if_sid>122</if_sid>
  <user>Bob</user>
  <description>That pesky Bob again</description>
</rule>
In Other Words
Put another way...
Record all events decoded as SSHd
Alert at level 7 on every authentication failure
If the user is Bob, raise the alert level to 12
Wait a Minute
What if Bob has 3,561 login failures again?
Wait a Minute
What if his login failures aren't just through SSH?
Revised Rule Thoughts
Alert me if Bob has a few authentication failures in a short time, from anywhere,
but don't flood me with alerts
Revised Rule for Bob
Let's try that last rule again
<rule id="133" level="12" frequency="10" timeframe="300" ignore="60">
  <if_matched_group>authentication_failed</if_matched_group>
  <user>Bob</user>
  <description>Bob is acting up</description>
</rule>
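Added Python example, not from the slides and not OSSEC's analysis engine, modelling how rules 111, 122 and the revised 133 behave over a stream of constructed events. The atomic rules walk the tree (a rule with if_sid only runs if its parent matched) and the composite rule counts events in the authentication_failed group per user inside the timeframe, then suppresses repeat alerts for ignore seconds. OSSEC's own counting and state handling differ in detail (for instance how frequency is counted), so the event dicts, the epoch timestamps and the RuleEngine class are this example's assumptions.

```python
import re
from collections import defaultdict, deque

# Rules transcribed from the slides into plain dicts (same ids and parameters).
ATOMIC_RULES = [
    {"id": 111, "level": 5, "decoded_as": "sshd",
     "description": "Logging every decoded sshd message"},
    {"id": 122, "level": 7, "if_sid": 111, "match": r"^Failed password",
     "group": "authentication_failed", "description": "Failed password attempt"},
]
COMPOSITE_RULES = [
    {"id": 133, "level": 12, "if_matched_group": "authentication_failed", "user": "Bob",
     "frequency": 10, "timeframe": 300, "ignore": 60, "description": "Bob is acting up"},
]


class RuleEngine:
    """Simplified model of atomic + composite rule evaluation (assumption: not OSSEC's code)."""

    def __init__(self, atomic, composite):
        self.atomic = atomic
        self.composite = composite
        self.windows = defaultdict(deque)   # (rule id, user) -> timestamps of matching events
        self.last_fired = {}                # (rule id, user) -> time the rule last alerted

    def match_atomic(self, event):
        """Walk the tree; the deepest matching rule wins and groups accumulate."""
        matched, groups = None, set()
        for rule in self.atomic:
            if "decoded_as" in rule and event["decoder"] != rule["decoded_as"]:
                continue
            if "if_sid" in rule and (matched is None or matched["id"] != rule["if_sid"]):
                continue
            if "match" in rule and not re.search(rule["match"], event["log"]):
                continue
            matched = rule
            if rule.get("group"):
                groups.add(rule["group"])
        return matched, groups

    def process(self, event):
        """Return the list of (rule id, level) alerts raised by one event."""
        alerts = []
        matched, groups = self.match_atomic(event)
        if matched is None:
            return alerts
        alerts.append((matched["id"], matched["level"]))
        for rule in self.composite:
            if rule["if_matched_group"] not in groups:
                continue
            if rule.get("user") and event.get("user") != rule["user"]:
                continue
            key = (rule["id"], event.get("user"))
            window = self.windows[key]
            window.append(event["ts"])
            while window and event["ts"] - window[0] > rule["timeframe"]:
                window.popleft()            # drop events older than the timeframe
            if len(window) < rule["frequency"]:
                continue
            last = self.last_fired.get(key)
            if last is not None and event["ts"] - last < rule["ignore"]:
                continue                    # inside the ignore window: no alert flood
            self.last_fired[key] = event["ts"]
            window.clear()
            alerts.append((rule["id"], rule["level"]))
        return alerts


def failure(ts, user):
    """Constructed sshd failure event, already decoded."""
    return {"ts": ts, "decoder": "sshd", "user": user,
            "log": "Failed password for %s from 10.0.0.5 port 4000 ssh2" % user}


def run_demo():
    """Constructed sample: Bob fails 12 times, 10 s apart; then Alice fails; then Bob succeeds."""
    engine = RuleEngine(ATOMIC_RULES, COMPOSITE_RULES)
    events = [failure(1000 + 10 * i, "Bob") for i in range(12)]
    events.append(failure(1200, "Alice"))
    events.append({"ts": 1210, "decoder": "sshd", "user": "Bob",
                   "log": "Accepted password for Bob from 10.0.0.5 port 4002 ssh2"})
    return [engine.process(e) for e in events]


def run_flood_demo(ignore):
    """Constructed sample: 30 Bob failures one second apart; count rule 133 alerts."""
    engine = RuleEngine(ATOMIC_RULES, [dict(COMPOSITE_RULES[0], ignore=ignore)])
    return sum(1 for i in range(30)
               for rid, _ in engine.process(failure(1000 + i, "Bob")) if rid == 133)


if __name__ == "__main__":
    for alerts in run_demo():
        print(alerts)
    print("rule 133 alerts with ignore=60:", run_flood_demo(60))
    print("rule 133 alerts with ignore=0:", run_flood_demo(0))
```

The flood scenario shows what ignore buys: with ignore="60" thirty rapid failures produce one level 12 alert instead of three, which is the "don't flood me" requirement from the previous slide.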
Rule Examples
Other interesting rules
Attack Followed by Account
<group name="syslog,elevation_of_privilege,">
  <rule id="40501" level="15" timeframe="300" frequency="2">
    <if_group>adduser</if_group>
    <if_matched_group>attacks</if_matched_group>
    <description>Attacks followed by the addition of an user.</description>
  </rule>
</group>
Really Long URL
<rule id="31115" level="13" maxsize="2900">
  <if_sid>31100</if_sid>
  <description>URL too long. Higher than allowed on most browsers. Possible attack.</description>
  <group>invalid_access,</group>
</rule>
Multiple Windows Errors
<rule id="18154" level="10" frequency="$MS_FREQ" timeframe="240">
  <if_matched_sid>18103</if_matched_sid>
  <description>Multiple Windows error events.</description>
</rule>
Windows Application Installed
<rule id="18147" level="5">
  <if_sid>18101</if_sid>
  <id>^11707</id>
  <options>alert_by_email</options>
  <description>Application Installed.</description>
</rule>
Windows Audit Policy Changed
<rule id="18113" level="8">
  <if_sid>18104</if_sid>
  <id>^612|^643|^4719|^4907|^4912</id>
  <description>Windows Audit Policy changed.</description>
  <group>policy_changed,</group>
</rule>
Virus Found, Not Removed
<rule id="7504" level="12">
  <if_sid>7500</if_sid>
  <regex>$MCAFEE_VIRUS</regex>
  <group>virus</group>
  <description>McAfee Windows AV - Virus detected and not removed.</description>
</rule>
Integrity Monitoring
Keeping a Known Good State
File Integrity
SHA-1 and MD5 of critical system files and registry keys
Performed in real-time or on a schedule
Auto-ignores files that change too often
File Integrity
Also checks owner, group, permissions
Hashes forwarded to manager for safe keeping (excellent for forensics)
Use the full power of rules to manage alerts (e.g. alert only on changes outside patch window)
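The checks these two slides describe (MD5 and SHA-1 of each file plus owner, group and permissions, compared against a stored baseline, with a custom check for a file that has become world-writable), as an added Python example. This is my own illustration, not syscheck's code: it snapshots a constructed temporary file, then changes its content and mode the way the World Writable File alert on the next slide shows, and reports the differences in the same "permissions changed from ... to ..." form.

```python
import hashlib
import os
import stat
import tempfile


def snapshot(paths):
    """Record, per file, what an integrity baseline needs: hashes, owner, group and mode bits."""
    state = {}
    for path in paths:
        st = os.stat(path)
        with open(path, "rb") as f:
            data = f.read()
        state[path] = {
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
            "gid": st.st_gid,
        }
    return state


def perms(mode):
    """Render mode bits like the alert text: 0o600 -> 'rw-------'."""
    return stat.filemode(stat.S_IFREG | mode)[1:]


def compare(baseline, current):
    """Return (path, finding) pairs: added/deleted, hash, mode and owner changes,
    plus a world-writable check in the spirit of the custom rule 100018 on the slide."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            findings.append((path, "added"))
        elif new is None:
            findings.append((path, "deleted"))
            continue
        else:
            if old["md5"] != new["md5"] or old["sha1"] != new["sha1"]:
                findings.append((path, "checksum changed"))
            if old["mode"] != new["mode"]:
                findings.append((path, "permissions changed from '%s' to '%s'"
                                 % (perms(old["mode"]), perms(new["mode"]))))
            if (old["uid"], old["gid"]) != (new["uid"], new["gid"]):
                findings.append((path, "owner changed"))
        if new["mode"] & stat.S_IWOTH:
            findings.append((path, "world writable"))
    return findings


def run_demo():
    """Constructed scenario: a config file goes from rw------- to rw-r--rw- and is edited."""
    workdir = tempfile.mkdtemp()
    conf = os.path.join(workdir, "httpd.conf")
    with open(conf, "w") as f:
        f.write("Listen 80\n")
    os.chmod(conf, 0o600)
    baseline = snapshot([conf])
    with open(conf, "a") as f:
        f.write("# unexpected edit\n")
    os.chmod(conf, 0o646)
    return [finding for _, finding in compare(baseline, snapshot([conf]))]


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Keeping the baseline on a separate host, as the slide says OSSEC does by forwarding hashes to the manager, is what makes this usable for forensics: a local attacker who edits the file cannot also edit the copy of the hashes used for comparison.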
World Writable File
OSSEC HIDS Notification.
2009 Oct 21 12:02:27

Received From: hostname->syscheck
Rule: 100018 fired (level 7) -> "World Writable File"
Portion of the log(s):

Integrity checksum changed for: '/etc/httpd/conf/httpd.conf'
Permissions changed from 'rw-------' to 'rw-r--rw-'

--END OF NOTIFICATION
No Longer World Writable
OSSEC HIDS Notification.
2009 Oct 21 12:05:11

Received From: hostname->syscheck
Rule: 552 fired (level 7) -> "Integrity checksum changed again (3rd time)."
Portion of the log(s):

Integrity checksum changed for: '/etc/httpd/conf/httpd.conf'
Permissions changed from 'rw-r--rw-' to 'rw-------'

--END OF NOTIFICATION
Agentless Integrity
Periodic diff of firewalls and routers
Checksum and diff of remote 'nix systems
It's nice to know something changed, but what?
Agentless check of /etc/passwd shows what changed
Agentless Alerts
OSSEC HIDS Notification.
2009 May 14 16:32:20

Received From: (ssh_pixconfig_diff) [email protected]->agentless
Rule: 555 fired (level 7) -> "Integrity checksum for agentless device changed."
Portion of the log(s):

ossec: agentless: Change detected:
206a207
> port-object eq 4241
556c557
...
Rootkit Detection
Exposing the Hidden
Unix Rootkit Detection
Signature and anomaly-based
Signatures automatically sent to agents
Can be run stand-alone
Signature Method
Signatures for Adore, Knark, LOC, etc
Attempt to stat, fopen and opendir each specified file
Some rootkits don't fully hide themselves
Anomaly Method
Detects known and unknown rootkits
Files in /dev which aren't device files
“Unusual” files (hidden directories, files owned by root which are world-writable)
Anomaly Method
Running processes hidden from “ps”
Listening ports hidden from “netstat”
Promiscuous interfaces hidden from “ifconfig”
Rootcheck Alert
OSSEC HIDS Notification.
2009 Oct 06 17:45:17

Received From: XXXX->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Rootkit 'Suspicious' detected by the presence of file '/var/www/vhosts/YYYY.com/httpdocs/language/lang_english/ /... /.log'.

--END OF NOTIFICATION
Source: http://www.void.gr/kargig/blog/2009/10/06/ossec-to-the-rescue/
Windows Rootkit Detection
Not as advanced as Unix-based detection
Alternate data streams
(Files hidden within files)
Policy Monitoring
Detect Insecure Conditions
Policy Monitoring
Is your system configured securely?
Identify situations which can lead to a breach
Benchmark system against CIS standard or create your own
Policy Monitoring
File, registry setting, or process exists or does not exist
Combine values with logical AND/OR
Is anti-virus installed but not running?
Policy Monitoring
Has the host firewall been disabled?
Is LanMan authentication allowed?
*Does not alert by default
Alerting
Getting Notified
Alerting
E-mail, syslog and database output
Built-in e-mail flood protection
Send alerts to different teams based on granular rules, severity or group
Alerting
On second thought, maybe it wasn't Bob who tried to login to his account
Someone should get a page if this happens again
Can't Miss the Game
What if it's the weekend and I'm watching the game?
Alerting
That someone should be Henry, the Jr. Security Analyst
What a wonderful opportunity for “professional development”
Alerting
Create another rule without restricting it to Bob, which will only fire on the weekends
<rule id="144" level="12" frequency="10" timeframe="300" ignore="60">
  <if_matched_group>authentication_failed</if_matched_group>
  <weekday>Saturday,Sunday</weekday>
  <description>Multiple Weekend Authentication Failures</description>
</rule>
Alerting
Followed by an alert configuration in ossec.conf
<email_alerts>
  <email_to>[email protected]</email_to>
  <rule_id>144</rule_id>
  <format>sms</format>
</email_alerts>
Alerting
Syslog or database output easily integrated with commercial SIEMs
Use OSSEC for the analysis
Use the SIEM GUI for advanced correlation
Rule Examples
Other interesting alerts
Excessive Events
OSSEC HIDS Notification.
2009 Oct 21 04:31:50

Received From: hostname->/var/log/httpd/error_log
Rule: 11 fired (level 8) -> "Excessive number of events (above normal)."
Portion of the log(s):

The average number of logs between 4:00 and 5:00 is 936. We reached 1218.
First-Time Login
OSSEC HIDS Notification.
2009 Oct 22 11:24:34

Received From: hostname->/var/log/secure
Rule: 10100 fired (level 4) -> "First time user logged in."
Portion of the log(s):

Oct 22 11:24:33 hostname sshd[2998]: Accepted password for kevin_mitnick from 12.174.169.111 port 52387 ssh2
First Sudo Attempt
OSSEC HIDS Notification.
2009 Oct 22 11:27:49

Received From: hostname->/var/log/secure
Rule: 5403 fired (level 4) -> "First time user executed sudo."
Portion of the log(s):

Oct 22 11:27:49 hostname sudo: kevin_mitnick : user NOT in sudoers ; TTY=pts/1 ; PWD=/ ; USER=root ; COMMAND=/bin/su -
Active Response
Preventing Breaches
Active Response
Attackers follow common patterns
1. Reconnaissance
2. Scan
3. Exploit
OSSEC can often prevent breaches by detecting attacks in the early stages
Active Response
Not an IPS, but effective
Active Response
Time-based security implementation
Protection time should be greater than the sum of detection time plus reaction time
P > (D + R)
This is good!
Active Response
If severity > 6, add the attacker's IP to the host firewall for 10 minutes
Or the perimeter firewall...
Or disable an account...
Or shut down the system...
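Added Python example, my own illustration rather than OSSEC's firewall-drop response script, modelling the decision logic this slide describes: block the source address for a fixed timeout once an alert passes the severity threshold, then release it when the timeout expires. It also applies the two countermeasures the Risks & Countermeasures section later in the deck names for Active Response, a response timeout and an IP whitelist, and validates the decoded address before using it. The whitelist ranges and the recorded iptables command strings are constructed dry-run values; nothing is executed.

```python
import ipaddress

# Trusted ranges that must never be blocked (constructed sample values). A
# spoofed source address in a log must not be able to cut off the manager,
# the monitoring hosts or the admin network.
WHITELIST = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.10.10.0/24")]


class ActiveResponse:
    """Dry-run model of a firewall-drop response with timeout and whitelist (assumption)."""

    def __init__(self, min_level=7, timeout=600, whitelist=WHITELIST):
        self.min_level = min_level      # slide: severity > 6
        self.timeout = timeout          # slide: 10 minutes, in seconds
        self.whitelist = whitelist
        self.blocked = {}               # ip -> expiry time (epoch seconds)
        self.commands = []              # firewall commands that would have been run

    def is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def on_alert(self, level, srcip, now):
        """Decide what to do for one alert; returns the action taken as a string."""
        if level < self.min_level:
            return "ignored"
        try:
            ipaddress.ip_address(srcip)
        except ValueError:
            return "invalid-ip"          # never pass a decoded string straight to a shell command
        if self.is_whitelisted(srcip):
            return "whitelisted"
        if srcip in self.blocked:
            self.blocked[srcip] = now + self.timeout   # already blocked: extend the timeout
            return "extended"
        self.blocked[srcip] = now + self.timeout
        self.commands.append("iptables -I INPUT -s %s -j DROP" % srcip)
        return "blocked"

    def expire(self, now):
        """Undo blocks whose timeout has passed; returns the addresses released."""
        released = [ip for ip, until in self.blocked.items() if until <= now]
        for ip in released:
            del self.blocked[ip]
            self.commands.append("iptables -D INPUT -s %s -j DROP" % ip)
        return released


if __name__ == "__main__":
    ar = ActiveResponse()
    print(ar.on_alert(12, "203.0.113.9", now=0))       # blocked
    print(ar.on_alert(12, "192.168.2.190", now=0))     # whitelisted
    print(ar.expire(now=700))                          # ['203.0.113.9']
    print("\n".join(ar.commands))
```

The timeout is what keeps a spoofed-source alert from becoming a permanent self-inflicted outage, and the whitelist keeps the response away from addresses you can never afford to lose; both belong in any active-response rollout, not just this model.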
Active Response
Execute responses on the manager, one particular agent, a firewall or everywhere
Worldwide?
OSSEC WebUI
A Face to OSSEC
Benefits of GUIs
GUI interfaces allow you to see trends and patterns over time
FTP account gets locked out every day at 4:15 AM
What alerts does OSSEC think aren't worthy of an e-mail?
OSSEC WebUI
Other GUI Options
Other options include:
Splunk
OSSIM
Picviz
Why OSSEC?
PCI DSS 1.2
10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
PCI DSS 1.2
10.6 Review logs for all system components at least daily...
...Note: Log harvesting, parsing, and alerting tools may be used to meet compliance with Requirement 10.6
Closing the NIDS Circle
Network-based IDS
Only half the picture
Closing the NIDS Circle
Host-based IDS
The other half
Closing the NIDS Circle
Network and Host-based IDS
A new level of insight into your environment
Closing the NIDS Circle
Of course, OSSEC reads NIDS logs
Forensics
Everything is forwarded to the manager for analysis and possible storage
Attackers like to delete logs
Policy Compliance
How do you know your systems are still hardened?
Are admins logging in with unique accounts?
Is anti-virus running?
Keep Employees Honest
Insider threats cost companies millions per year
Employees who know their activities are monitored tend to be more honest
Budget
OSSEC can be used for free
Risks & Countermeasures
Mass Deployment
Deploying large numbers of agents is challenging
Each agent uses a unique key
How can a single package be created?
Active Response
Attackers who know Active Response is in use may try to use that to their advantage
IPs can be spoofed, thereby triggering an incorrect response
Alert Flooding
You have 6,972 new messages!
Will you read them all?
Log Injection
Attacker uses poorly written regular expressions to bypass rules
root@slacker:~# ftp 192.168.3.4
220 Welcome to labs ossec candy FTP service.
Name (192.168.2.3:root): lala] FAIL LOGIN: Client "2.3.4.54"

Normal Log
Mon Jun 2 21:05:30 2007 [pid 1448] [myuser] FAIL LOGIN: Client "192.168.3.1"

Log Injection
Mon Jun 2 21:06:02 2007 [pid 1452] [lala] FAIL LOGIN: Client "2.3.4.54" ] FAIL LOGIN: Client "192.168.3.1"
Risk Countermeasures
E-mail flooding
By default, OSSEC will only send 12 alerts per hour, queuing the rest until the next hour
Active Response
Response timeout
IP whitelists
Log Injection
Tight regular expressions
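As an added Python example (not from the slides and not from Daniel Cid's paper), here are a loose and a tight decoder for the vsftpd-style lines on the Log Injection slide, to show why the countermeasure is tight regular expressions. The loose pattern, unanchored and willing to take any non-space run as the address, picks up the attacker-supplied address; the anchored one pins the timestamp and pid fields, only accepts a dotted-quad address as the last thing on the line, and so recovers the real client address while leaving the injected text visible in the user field, where a simple check can flag it. The log lines are constructed from the slide; the regexes and function names are this example's own.

```python
import re

# Constructed lines modelled on the slide: in the second one the username was
# typed to look like a complete log record.
NORMAL = 'Mon Jun 2 21:05:30 2007 [pid 1448] [myuser] FAIL LOGIN: Client "192.168.3.1"'
INJECTED = ('Mon Jun 2 21:06:02 2007 [pid 1452] [lala] FAIL LOGIN: Client "2.3.4.54" '
            '] FAIL LOGIN: Client "192.168.3.1"')

# Loose decoder: unanchored, and any non-space run passes as the client address.
LOOSE = re.compile(r'\[(\S+)\] FAIL LOGIN: Client "(\S+)"')

# Tight decoder: anchored at both ends, pins the fixed fields of the format, and
# only accepts a dotted quad as the very last token on the line.
TIGHT = re.compile(r'^\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4} \[pid \d+\] '
                   r'\[(.+)\] FAIL LOGIN: Client "(\d{1,3}(?:\.\d{1,3}){3})"$')


def decode_loose(line):
    """The kind of decoder log injection targets: first plausible match wins."""
    m = LOOSE.search(line)
    return None if not m else {"user": m.group(1), "srcip": m.group(2)}


def decode_tight(line):
    """Anchored decoder: the address is taken from the end of the real record."""
    m = TIGHT.match(line)
    return None if not m else {"user": m.group(1), "srcip": m.group(2)}


def looks_injected(fields):
    """A username carrying ']' or '"' is itself worth an alert: it is log-shaped input."""
    return fields is not None and re.search(r'[\]"]', fields["user"]) is not None


def compare_decoders(line):
    """Run both decoders over one line and report what each would hand to a rule."""
    loose, tight = decode_loose(line), decode_tight(line)
    return {"loose_srcip": loose and loose["srcip"],
            "tight_srcip": tight and tight["srcip"],
            "injected": looks_injected(tight)}


if __name__ == "__main__":
    print(compare_decoders(NORMAL))
    print(compare_decoders(INJECTED))
```

The difference matters most when Active Response is in play: a loose decoder would hand the attacker-chosen "2.3.4.54" to the response script, which is the spoofing risk the earlier slide warns about, while the tight decoder blocks nothing it should not and produces a clear signal that someone is trying to game the parser.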
Enterprise Considerations
Define the Problem
What problem are you trying to solve?
What are your primary drivers?
What are the obstacles?
Codify in Policy
Explicitly state the need in policy
Set Requirements
Requirements are a measure of success
Define the Scope
Will you monitor all systems?
What is the budget?
What is the time-frame?
Make a Decision
Is OSSEC a good fit?
Don't design a solution looking for a problem!
Plan, Do, Check, Act
Plan your OSSEC rollout
Do the actual rollout
Check the requirements against the rollout
Act on the lessons learned
Demo
Summary
OSSEC can add a new level of insight into your environment
Only use OSSEC if it fits a need
If you do use OSSEC, contribute your decoders, rules and lessons learned back to the community!
Questions?
Acknowledgements
Daniel B. Cid, OSSEC creator
Trend Micro
Rochester Security Summit
OSSEC AusCERT presentation
Image Credits
Agenda: http://www.sxc.hu/photo/807162
Question mark: http://www.sxc.hu/photo/1147438
Tree: http://www.sxc.hu/photo/1195970
Vintage Mac: http://www.sxc.hu/photo/1028528
Rubber band ball: http://www.sxc.hu/photo/168735
Padlock: http://www.sxc.hu/photo/865986
Fast car: http://www.sxc.hu/photo/1081680
Cardboard box: http://www.sxc.hu/photo/1036068
Jumping man: http://www.sxc.hu/photo/1212299
Camera lid: http://www.sxc.hu/photo/450946
Buckets: http://www.sxc.hu/photo/807354
Ruler: http://www.sxc.hu/photo/1010158
Bob: http://www.sxc.hu/photo/912662
OSSEC WUI: http://www.ossec.net/dcid/?p=29
Road sign: http://www.sxc.hu/photo/1157986
The following images were used under fair use provisions of US copyright and trademark law:
Logos: Windows, Tux, FreeBSD, PCI and AIX
OSSEC WebUI screenshots
Image Credits
Files in basket: http://www.sxc.hu/photo/456727
Potato: http://www.sxc.hu/photo/1132394
Paper stack: http://www.sxc.hu/photo/251979
Old phone: http://www.sxc.hu/photo/1146563
Little guy and stop sign: http://www.sxc.hu/photo/1197499
Fence: http://www.sxc.hu/photo/1044635
Clock: http://www.sxc.hu/photo/1026820
Retro TV: http://www.sxc.hu/photo/981522
Sunglasses: http://www.sxc.hu/photo/621374
Happy face: http://www.sxc.hu/photo/1147441
Thumb print: http://www.sxc.hu/photo/1231735
Fist: http://www.sxc.hu/photo/621374
Money symbol: http://www.sxc.hu/photo/983478
Crowd: http://www.sxc.hu/photo/893433
E-mail: http://www.sxc.hu/photo/1102040
Red cross: http://www.sxc.hu/photo/971655
Text Credits
“Attacking Log Analysis Tools,” Daniel B. Cid: http://www.ossec.net/main/attacking-log-analysis-tools
“OSSEC at AusCERT,” Daniel B Cid: http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf
Presentation License
This presentation is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 license. The license does not extend to images, which hold their own copyrights attributed to various authors.
You are free:
to Share — to copy, distribute and transmit the work
to Remix — to adapt the work
Under the following conditions:
Attribution — You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work).
Noncommercial — You may not use this work for commercial purposes.
Share Alike — If you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
With the understanding that:
Waiver — Any of the above conditions can be waived if you get permission from the copyright holder.
Other Rights — In no way are any of the following rights affected by the license:
Your fair dealing or fair use rights;
Apart from the remix rights granted under this license, the author's moral rights;
Rights other persons may have either in the work itself or in how the work is used, such as publicity or privacy rights.
Notice — For any reuse or distribution, you must make clear to others the license terms of this work.