Open Source Security


Wim Remes

http://www.eurotrashsecurity.eu
http://www.twitter.com/eurotrashsec

Chris-John Riley, Craig Balding, Dale Pearson & me.

(shameless self-promotion)

The value of open source solutions in a security infrastructure

AND

Infosec Technology in the past decade

Pwned by a vendor?

It's time to unleash the power ...

What can't you do with open source solutions?

YES WE CAN !

It's about the bottom line. Your bottom and Your line!

Open Source Security

A host-based intrusion detection system

Mr. Daniel Cid

His royal OSSECness

http://www.twitter.com/danielcid
dcid in #ossec on irc.freenode.net

OSSEC Technical Overview

OSSEC Rollout Scenarios

OSSEC Rule engine


Host Based Intrusion Detection

Client/Server Architecture

Highly Scalable

Cross Platform

Log Analysis

Integrity Checking

Rootkit Detection

Active Response


OSSEC Technical Overview

If a tree falls in a forest, and nobody hears it, did it really fall?

[Diagram: OSSEC server receiving events from hosts over syslog and from OSSEC agents]

OSSEC Technical Overview

[Diagram: OSSEC server feeding a SIEM]

OSSEC Rollout Scenarios

[Diagram: rollout covering customer 1 and customer 2]

OSSEC Rollout Scenarios

And thy network shall be named Babel

OSSEC Rule engine

Pipeline: LOG → PRE-DECODE → DECODE → ANALYZE → ALERT! / MSG

AGENT: ossec-logcollector
SERVER: ossec-analysisd, ossec-maild, ossec-execd
Agent → server traffic: compressed (zlib), encrypted (Blowfish)

OSSEC Rule engine

Flexibility is the key word here!

PRE-DECODING

Feb 24 10:12:23 beijing appdaemon: stopped

time/date: Feb 24 10:12:23
Hostname: beijing
Program_name: appdaemon
Log: stopped

OSSEC Rule engine

PRE-DECODING

Feb 25 12:00:47 beijing appdaemon: user john logged on from 10.10.10.10

time/date: Feb 25 12:00:47
Hostname: beijing
Program_name: appdaemon
Log: user john logged on from 10.10.10.10

OSSEC Rule engine

DECODING

Feb 25 12:00:47 beijing appdaemon: user john logged on from 10.10.10.10

time/date: Feb 25 12:00:47
Hostname: beijing
Program_name: appdaemon
Log: user john logged on from 10.10.10.10
Srcip: 10.10.10.10
User: john

ANALYSIS

appdaemon rule
Rule 666: decoded_as appdaemon, match ^logged on → "successful logon"

OSSEC Rule engine

ANALYSIS

Rule 766 (child of 666): hostname ^beijing, srcip !192.168.10.0/24 → "unauthorized logon!" (a logon to beijing from any address outside 192.168.10.0/24)
Rule 766 (child of 666): hostname ^shanghai, user !john → "unauthorised logon!" (anyone other than john logging on to shanghai)

OSSEC Rule engine

ANALYSIS

Rule tree: 666 → 766, 866, 966

OSSEC Rule engine

ANALYSIS

Rule 666: match ^login failed → "failed login!"
Rule 1066 (frequency rule: fires when the rule above matches repeatedly inside a time window): "Probable Brute Force!"
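The pre-decode → decode → analyse chain walked through on the slides above, as an added Python example that is not code from the talk or from the OSSEC project. It is a toy engine with OSSEC-style rule fields (decoded_as, match as a substring test like OSSEC's <match>, if_sid for child rules, hostname/srcip/user with "!" negation and CIDR for srcip, and if_matched_sid with frequency/timeframe). Rule ids 666, 766 and 1066 and the descriptions are from the slides; everything else is assumed: the second child rule gets id 866 (the slides label it 766 a second time), the failed-login rule gets id 670 (the slides reuse 666 for it), the brute-force threshold is 5 matches in 60 seconds counted per source IP, the regexes are mine, and the sample log lines are constructed. The caret from the slides' match patterns is dropped because the sample message does not start with "logged on".

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines in the format used on the slides (not real captures).
SAMPLE_LOGS = [
    "Feb 25 12:00:47 beijing appdaemon: user john logged on from 10.10.10.10",
    "Feb 25 12:00:52 beijing appdaemon: user john logged on from 192.168.10.7",
    "Feb 25 12:01:03 shanghai appdaemon: user bob logged on from 10.10.10.12",
    "Feb 25 12:01:04 shanghai appdaemon: user john logged on from 10.10.10.12",
] + [f"Feb 25 12:02:{s:02d} beijing appdaemon: user root login failed from 10.10.10.99"
     for s in (10, 11, 12, 13, 14)]

SYSLOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[\d+\])?: ?(.*)$")
APPDAEMON_RE = re.compile(r"user (\S+) (?:logged on|login failed) from (\d+\.\d+\.\d+\.\d+)")

# Ids 666, 766, 1066 and the descriptions are from the slides; 866, 670 and "5 in 60 s" are assumed.
RULES = [
    {"id": 666, "decoded_as": "appdaemon", "match": "logged on", "description": "successful logon"},
    {"id": 766, "if_sid": 666, "hostname": "beijing", "srcip": "!192.168.10.0/24", "description": "unauthorized logon!"},
    {"id": 866, "if_sid": 666, "hostname": "shanghai", "user": "!john", "description": "unauthorised logon!"},
    {"id": 670, "decoded_as": "appdaemon", "match": "login failed", "description": "failed login!"},
    {"id": 1066, "if_matched_sid": 670, "frequency": 5, "timeframe": 60, "description": "Probable Brute Force!"},
]

def pre_decode(line):
    """Split off the syslog header: time/date, hostname, program_name, log."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, host, prog, log = m.groups()
    return {"time": datetime.strptime(ts, "%b %d %H:%M:%S"), "hostname": host, "program_name": prog, "log": log}

def decode(event):
    """Program-specific decoder: pull user and srcip out of appdaemon messages."""
    if event["program_name"] == "appdaemon":
        m = APPDAEMON_RE.search(event["log"])
        if m:
            event["user"], event["srcip"] = m.groups()
    return event

def _field_ok(rule, event, field):
    """Field condition: absent = no constraint, '!' prefix negates, srcip compares as CIDR."""
    want = rule.get(field)
    if want is None:
        return True
    negate, want, have = want.startswith("!"), want.lstrip("!"), event.get(field)
    if have is None:
        return False
    if field == "srcip":
        return (ipaddress.ip_address(have) in ipaddress.ip_network(want, strict=False)) != negate
    return (have == want) != negate

def rule_matches(rule, event):
    """decoded_as and match (substring, like OSSEC's <match>) plus the field conditions."""
    if "decoded_as" in rule and event["program_name"] != rule["decoded_as"]:
        return False
    if "match" in rule and rule["match"] not in event["log"]:
        return False
    return all(_field_ok(rule, event, f) for f in ("hostname", "srcip", "user"))

class Analyser:
    def __init__(self, rules):
        self.roots = [r for r in rules if not ("if_sid" in r or "if_matched_sid" in r)]
        self.children = defaultdict(list)
        for r in (r for r in rules if "if_sid" in r):
            self.children[r["if_sid"]].append(r)
        self.freq_rules = [r for r in rules if "if_matched_sid" in r]
        self.history = defaultdict(deque)  # (sid, srcip) -> times that sid matched

    def analyse(self, event):
        """Return (rule id, description) of the most specific match, or None."""
        winner = None
        for root in self.roots:
            if rule_matches(root, event):
                winner = root
                for child in self.children[root["id"]]:  # a matching child overrides its parent
                    if rule_matches(child, event):
                        winner = child
                break
        if winner is None:
            return None
        for fr in self.freq_rules:  # N matches of one sid from one srcip inside the timeframe
            if fr["if_matched_sid"] == winner["id"]:
                hist = self.history[(winner["id"], event.get("srcip"))]
                hist.append(event["time"])
                while event["time"] - hist[0] > timedelta(seconds=fr["timeframe"]):
                    hist.popleft()
                if len(hist) >= fr["frequency"]:
                    hist.clear()
                    return fr["id"], fr["description"]
        return winner["id"], winner["description"]

def run(lines, rules=RULES):
    """Feed lines through the pipeline; returns [(hostname, srcip, rule id, description), ...]."""
    engine, alerts = Analyser(rules), []
    for event in filter(None, map(pre_decode, lines)):  # lines that are not syslog-shaped pre-decode to None
        hit = engine.analyse(decode(event))
        if hit:
            alerts.append((event["hostname"], event.get("srcip"), hit[0], hit[1]))
    return alerts
```

run(SAMPLE_LOGS) yields nine alerts: 766 for john's logon to beijing from 10.10.10.10, plain 666 for his logon from inside 192.168.10.0/24, 866 for bob on shanghai, 666 for john on shanghai, four 670 "failed login!" alerts and then 1066 on the fifth failure from the same source within the window. The two behaviours worth keeping in mind when writing real rules are that the most specific matching child wins over its parent, and that the frequency count is kept per source IP; real OSSEC also carries an alert level on every rule, which this toy leaves out.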

OSSEC Rule engine

AGENT: ossec-logcollector
SERVER: ossec-analysisd, ossec-maild, ossec-execd
Agent → server traffic: compressed (zlib), encrypted (Blowfish)

OSSEC Rule engine

Real Goodness

Rule tree: 666 → 766, 866, 966
1066
1166 → STOP! (active response)

ossec.conf: a list of <command> definitions (command1, command2, command3, ...) and a list of <active-response> actions (action1, action2, action3, ...) that bind a command to rule ids.

<command> command2: executable command2.sh, expect srcip, timeout_allowed yes
<active-response>: command command2, location local, rules_id 1166, timeout 600

When rule 1166 fires, command2.sh runs locally with the alert's srcip, and after 600 seconds the response is reverted.

Real Goodness
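How the active-response configuration above ties rule 1166 to command2.sh, as an added Python example that is not code from the talk or from OSSEC. It parses a constructed ossec.conf fragment built from the slide's values (command2, command2.sh, srcip, 1166, 600), then works out for a few constructed alerts which script ossec-execd would run, with which arguments, and when the matching delete call would undo it. The dispatcher is a dry run that returns argv lists instead of executing anything; the (action, user, srcip, alert id, rule id) argument order follows OSSEC's shipped response scripts, the alert ids are made up, and demo() uses a fixed clock so the result is reproducible.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed ossec.conf fragment using the values from the slide (not a real configuration file).
OSSEC_CONF = """
<ossec_config>
  <command>
    <name>command2</name>
    <executable>command2.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>command2</command>
    <location>local</location>
    <rules_id>1166</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
"""

# Constructed alerts as the analysis stage might hand them to execd (alert ids are made up).
SAMPLE_ALERTS = [
    {"alert_id": "1267096847.1", "rule_id": 1166, "user": "root", "srcip": "10.10.10.99"},
    {"alert_id": "1267096848.2", "rule_id": 1166, "user": "root"},            # no srcip in the alert
    {"alert_id": "1267096849.3", "rule_id": 666, "srcip": "10.10.10.10"},     # no response bound to 666
]

def load_config(xml_text):
    """Parse the <command> and <active-response> blocks into plain dicts."""
    root = ET.fromstring(xml_text.strip())
    commands = {}
    for c in root.findall("command"):
        commands[c.findtext("name")] = {
            "executable": c.findtext("executable"),
            "expect": (c.findtext("expect") or "").strip(),
            "timeout_allowed": (c.findtext("timeout_allowed") or "no").strip() == "yes",
        }
    responses = []
    for ar in root.findall("active-response"):
        responses.append({
            "command": ar.findtext("command"),
            "location": ar.findtext("location"),
            "rules_id": {int(x) for x in ar.findtext("rules_id").split(",")},
            "timeout": int(ar.findtext("timeout") or 0),
        })
    return commands, responses

def dispatch(alert, commands, responses, now=None):
    """Return [(when, location, argv), ...] that execd would run for this alert.

    argv order (action, user, srcip, alert id, rule id) follows OSSEC's shipped
    response scripts; 'add' runs now and 'delete' is scheduled after <timeout>.
    """
    now = now or datetime.now()
    runs = []
    for ar in responses:
        if alert["rule_id"] not in ar["rules_id"]:
            continue
        cmd = commands[ar["command"]]
        # <expect>srcip</expect>: an alert without a source IP has nothing to block, so skip it.
        if cmd["expect"] and not alert.get(cmd["expect"]):
            continue
        tail = [alert.get("user", "-"), alert.get("srcip", "-"), alert["alert_id"], str(alert["rule_id"])]
        runs.append((now, ar["location"], [cmd["executable"], "add"] + tail))
        if ar["timeout"] and cmd["timeout_allowed"]:
            undo_at = now + timedelta(seconds=ar["timeout"])
            runs.append((undo_at, ar["location"], [cmd["executable"], "delete"] + tail))
    return runs

def demo(alerts=SAMPLE_ALERTS, conf=OSSEC_CONF):
    """Dispatch every sample alert against the config; returns {alert_id: runs}."""
    commands, responses = load_config(conf)
    t0 = datetime(2010, 2, 25, 12, 0, 0)  # fixed clock so the schedule is reproducible
    return {a["alert_id"]: dispatch(a, commands, responses, now=t0) for a in alerts}

if __name__ == "__main__":
    for aid, runs in demo().items():
        print(aid, [(when.strftime("%H:%M:%S"), loc, argv) for when, loc, argv in runs] or "no action")
```

Only the first alert produces anything: an "add" call with root and 10.10.10.99 at 12:00:00 and the matching "delete" at 12:10:00. Two things to carry into a real deployment: <expect>srcip</expect> means an alert that carries no source IP silently does nothing, and since the srcip in many logs is attacker-controlled, put your own management hosts in <white_list> under <global> so a crafted log line cannot make the response block you.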

Thank you

[email protected] (mail)
blog.remes-it.be (blog)
@wimremes (twitter)
#ossec (irc)