Wim Remes
http://www.eurotrashsecurity.eu
http://www.twitter.com/eurotrashsec
Chris-John Riley, Craig Balding, Dale Pearson & me.
(shameless self-promotion)
The value of open source solutions in a security infrastructure
AND
Infosec Technology in the past decade
Pwned by a vendor?
It's time to unleash the power ...
What can't you do with open source solutions?
YES WE CAN !
It's about the bottom line. Your bottom and Your line!
Open Source Security
A host-based intrusion detection system
Mr. Daniel Cid
His royal OSSECness
http://www.twitter.com/danielcid
dcid in #ossec on irc.freenode.net
OSSEC Technical Overview
OSSEC Rollout Scenarios
OSSEC Rule engine
Host Based Intrusion Detection
Client/Server Architecture
Highly Scalable
Cross Platform
Log Analysis
Integrity Checking
Rootkit Detection
Active Response
OSSEC Technical Overview
If a tree falls in a forest, and nobody hears it, did it really fall?
[Diagram: OSSEC SERVER collecting from sources labelled syslog, syslog and ossec]
OSSEC Technical Overview
[Diagram: OSSEC server and SIEM]
OSSEC Rollout Scenarios
[Diagram: rollout across customer 1 and customer 2]
OSSEC Rollout Scenarios
And thy network shall be named Babel
OSSEC Rule engine
[Pipeline diagram: LOG -> PRE-DECODE -> DECODE -> ANALYZE -> ALERT! / MSG]
[Diagram: AGENT (ossec-logcollector) -> SERVER (ossec-analysisd, ossec-maild, ossec-execd); the agent-server channel is Compressed (zlib) and Encrypted (blowfish)]
OSSEC Rule engine
Flexibility is the key word here!
PRE-DECODING
Feb 24 10:12:23 beijing appdaemon: stopped
time/date: Feb 24 10:12:23
Hostname: beijing
Program_name: appdaemon
Log: stopped
OSSEC Rule engine
PRE-DECODING
Feb 25 12:00:47 beijing appdaemon: user john logged on from 10.10.10.10
time/date: Feb 25 12:00:47
Hostname: beijing
Program_name: appdaemon
Log: user john logged on from 10.10.10.10
OSSEC Rule engine
DECODING
time/date: Feb 25 12:00:47
Hostname: beijing
Program_name: appdaemon
Log: user john logged on from 10.10.10.10
Srcip: 10.10.10.10
User: john
OSSEC Rule engine
ANALYSIS
Feb 25 12:00:47 beijing appdaemon: user john logged on from 10.10.10.10
decoder: appdaemon -> appdaemon rule
rule 666: match ^logged on -> "successful logon"
OSSEC Rule engine
ANALYSIS
rule 766 (after 666): hostname ^beijing, srcip !192.168.10.0/24 -> "unauthorized logon!"
rule 766 (after 666): hostname ^shanghai, user !john -> "unauthorised logon!"
OSSEC Rule engine
ANALYSIS
[Rule chain diagram: 666 -> 766 -> 866 -> 966]
OSSEC Rule engine
ANALYSIS
rule 666: match ^login failed -> "failed login!"
rule 1066 (repeated 666 matches): "Probable Brute Force!"
OSSEC Rule engine
[Diagram: AGENT (ossec-logcollector) -> SERVER (ossec-analysisd, ossec-maild, ossec-execd); the agent-server channel is Compressed (zlib) and Encrypted (blowfish)]
OSSEC Rule engine
Real Goodness
[Rule diagram: 666 -> 766 -> 866 -> 966, plus 1066 and 1166]
STOP!
ossec.conf:
  commands: command1, command2, command3, ...
  command2: executable command2.sh, expects srcip, timeout allowed: yes
  active response: command2, location local, rule 1166, timeout 600
  (actions: action1, action2, action3, ...)
  triggered by rule 1166
Real Goodness
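As an added example, not code from the deck or from the OSSEC project: the pre-decoding, decoding, 666/766/1066 rule and active-response slides above written as real OSSEC configuration. Assumptions: the appdaemon program name and logon message format from the slides, rule IDs renumbered into the 100000 to 119999 range OSSEC reserves for local rules, and OSSEC's own firewall-drop command standing in for the deck's command2.

```xml
<!-- etc/local_decoder.xml: pull user and srcip out of the appdaemon logon line -->
<decoder name="appdaemon">
  <program_name>^appdaemon</program_name>
</decoder>
<decoder name="appdaemon-logon">
  <parent>appdaemon</parent>
  <regex>^user (\S+) logged on from (\d+.\d+.\d+.\d+)$</regex>
  <order>user, srcip</order>
</decoder>
<!-- etc/rules/local_rules.xml: the deck's 666 / 766 / 1066 chain, renumbered into 100000+ -->
<group name="appdaemon,local,">
  <rule id="100666" level="3">
    <decoded_as>appdaemon</decoded_as>
    <match>logged on</match>
    <description>appdaemon: successful logon</description>
  </rule>
  <rule id="100766" level="8">
    <if_sid>100666</if_sid>
    <hostname>beijing</hostname>
    <srcip>!192.168.10.0/24</srcip>
    <description>appdaemon: logon to beijing from outside 192.168.10.0/24</description>
  </rule>
  <rule id="100667" level="5">
    <decoded_as>appdaemon</decoded_as>
    <match>login failed</match>
    <description>appdaemon: failed login</description>
  </rule>
  <rule id="101066" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100667</if_matched_sid>
    <!-- add <same_source_ip /> once a decoder extracts srcip from the failed-login message (format not shown on the slides) -->
    <description>appdaemon: probable brute force, repeated failed logins</description>
  </rule>
</group>
<!-- etc/ossec.conf: the active-response slide; firewall-drop ships with OSSEC and blocks the decoded srcip -->
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100766</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

The slides' `^` anchors are dropped from the rules because `<match>` is tested against the message left after the hostname and program name are pre-decoded, so `^logged on` would never match `user john logged on from ...`. The response is bound to 100766 rather than the brute-force rule because only the logon decoder above yields the srcip that firewall-drop expects.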
Thank you
[email protected] (mail)
blog.remes-it.be (blog)
@wimremes (twitter)
#ossec (irc)