SlideShare a Scribd company logo

Open Source Security

Download as ODP, PDF
W
wremes

The document discusses the value of open source solutions in security infrastructure, particularly focusing on OSSEC, a host-based intrusion detection system. It highlights various features of OSSEC such as log analysis, integrity checking, rootkit detection, and the flexibility of its rule engine. The text includes technical details, rollout scenarios, and examples of rules for analyzing log data to detect unauthorized access and potential security threats.

Technology
1 of 33
Downloaded 41 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
大家好吗?大家好吗? 我 是我 是 Wim RemesWim Remes 比利时比利时
http://www.eurotrashsecurity.eu http://www.twitter.com/eurotrashsec Chris-John Riley, Craig Balding, Dale Pearson & me. (shameless self-promotion)(shameless self-promotion)
今天的主题是今天的主题是 The value of open source solutions in a security infrastructure AN D
Infosec Technology in the past decade
Pwned by a vendor ?
It's time to unleash the power ...
What can't you do with open source solutions?
YES WE CAN !YES WE CAN !
It's about the bottom line. Your bottom and Your line!
Open Source Security A host-based intrusion detection system
Mr. Daniel CidMr. Daniel Cid His royal OSSECnessHis royal OSSECness http://www.twitter.comhttp://www.twitter.com/danielcid/danielcid dcid in #ossec on irc.freenode.netdcid in #ossec on irc.freenode.net
OSSEC TechnicalOSSEC Technical OverviewOverview OSSEC Rollout ScenariosOSSEC Rollout Scenarios OSSEC Rule engineOSSEC Rule engine 1 2
Host Based Intrusion DetectionHost Based Intrusion Detection Client/Server ArchitectureClient/Server Architecture Highly ScalableHighly Scalable Cross PlatformCross Platform Log AnalysisLog Analysis Integrity CheckingIntegrity Checking Rootkit DetectionRootkit Detection Active ResponseActive Response 1 2 OSSEC Technical Overview
If a tree falls in a forest, andIf a tree falls in a forest, and nobody hears it, did it really fall?nobody hears it, did it really fall?
OSSEC SERVER 1 2 syslog syslog ossec OSSEC Technical Overview
1 2 SIEM OSSEC Rollout Scenarios
1 2 customer 1 customer 2 OSSEC Rollout Scenarios
And thy network shall be namedAnd thy network shall be named BabelBabel
1 2 ANALYZE PRE-DECODE DECODE LOG ALERT! MSG OSSEC Rule engine
1 2 AGENT SERVER ossec-logcollector ossec-analysisd ossec-maild ossec-execd Compressed (zlib) Encrypted (blowfish) OSSEC Rule engine
Flexibility is the key word here!Flexibility is the key word here!
1 2 PRE-DECODING Feb 24 10:12:23Feb 24 10:12:23 beijing appdaemon:stoppedbeijing appdaemon:stopped time/datetime/date :: Feb 24 10:12:23Feb 24 10:12:23 HostnameHostname :: beijingbeijing Program_nameProgram_name :: appdaemonappdaemon LogLog :: stoppedstopped OSSEC Rule engine
1 2 Feb 25 12:00:47 beijing appdaemon:userFeb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10john logged on from 10.10.10.10 time/datetime/date :: Feb 25 12:00:47Feb 25 12:00:47 HostnameHostname :: beijingbeijing Program_nameProgram_name :: appdaemonappdaemon LogLog :: user john logged on from 10.10.10.10user john logged on from 10.10.10.10 PRE-DECODING OSSEC Rule engine
1 2 time/datetime/date :: Feb 25 12:00:47Feb 25 12:00:47 HostnameHostname :: beijingbeijing Program_nameProgram_name :: appdaemonappdaemon LogLog :: user john logged on from 10.10.10.10user john logged on from 10.10.10.10 SrcipSrcip :: 10.10.10.1010.10.10.10 UserUser : john: john DECODING OSSEC Rule engine Feb 25 12:00:47 beijing appdaemon:userFeb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10john logged on from 10.10.10.10
1 2 <rule id=666 level=”0”><rule id=666 level=”0”> <decoded_as><decoded_as>appdaemonappdaemon</decoded_as></decoded_as> <description>appdaemon rule</description><description>appdaemon rule</description> </rule></rule> <rule id=”766” level=”5”><rule id=”766” level=”5”> <if_sid>666</if_sid><if_sid>666</if_sid> <match>^<match>^logged onlogged on</match></match> <description>succesful logon</description><description>succesful logon</description> </rule></rule> ANALYSIS OSSEC Rule engine
1 2 ANALYSIS <rule id=866 level=”7”><rule id=866 level=”7”> <if_sid>766</if_sid><if_sid>766</if_sid> <hostname>^beijing</hostname><hostname>^beijing</hostname> <srcip><srcip>!192.168.10.0/24!192.168.10.0/24</srcip></srcip> <description>unauthorized logon!</description><description>unauthorized logon!</description> </rule></rule> <rule id=”966” level=”13”><rule id=”966” level=”13”> <if_sid>766</if_sid><if_sid>766</if_sid> <hostname>^shanghai</hostname><hostname>^shanghai</hostname> <user><user>!john!john</user></user> <description>unauthorised logon !</description><description>unauthorised logon !</description> </rule></rule> OSSEC Rule engine
1 2 ANALYSIS 666 766 866 966 OSSEC Rule engine
1 2 ANALYSIS <rule id=1066 level=”7”><rule id=1066 level=”7”> <if_sid>666</if_sid><if_sid>666</if_sid> <match>^login failed</hostname><match>^login failed</hostname> <description>failed login !</description><description>failed login !</description> </rule></rule> <rule id=”1166” level=”9”<rule id=”1166” level=”9” frequency=”10” timeframe=”100”frequency=”10” timeframe=”100”>> <if_matched_sid>1066</if_matched_sid><if_matched_sid>1066</if_matched_sid> <same_source_ip /><same_source_ip /> <description>Probable Brute Force !</description><description>Probable Brute Force !</description> </rule></rule> OSSEC Rule engine
1 2 AGENT SERVER ossec-logcollector ossec-analysisd ossec-maild ossec-execd Compressed (zlib) Encrypted (blowfish) OSSEC Rule engine
Real GoodnessReal Goodness 1 2 666 766 866 966 1066 1166 STOP!
1 2 ossec.conf command1 command2 command3 ... <active-response> <command>command2</command> <location>local</location> <rules_id>1166</rules_id> <timeout>600</timeout> </active-response> action1 action2 action3 ... <command> <name>command2</name> <executable>command2.sh</executable> <expect>srcip</expect> <timeout_allowed>yes</timeout_allowed> </command> 1166 Real GoodnessReal Goodness
Open Source Security
谢谢谢谢 Thank youThank you wim@remes-it.bewim@remes-it.be (mail)(mail) blog.remes-it.be (blog)blog.remes-it.be (blog) @wimremes (twitter)@wimremes (twitter) #ossec (irc)#ossec (irc)

More Related Content

PDF
Fosdem10
wremes
 
PDF
OSSEC @ ISSA Jan 21st 2010
wremes
 
PPTX
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat Security Conference
 
PPTX
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
Nahidul Kibria
 
PPTX
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
CODE BLUE
 
PPTX
Catching fileless attacks
Balaji Rajasekaran
 
PDF
Adaptive Defense - Understanding Cyber Attacks
Jermund Ottermo
 
PPTX
Breaking the cyber kill chain!
Nahidul Kibria
 
Fosdem10
wremes
 
OSSEC @ ISSA Jan 21st 2010
wremes
 
BlueHat v17 || Mitigations for the Masses: From EMET to Windows Defender Exp...
BlueHat Security Conference
 
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
Nahidul Kibria
 
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
CODE BLUE
 
Catching fileless attacks
Balaji Rajasekaran
 
Adaptive Defense - Understanding Cyber Attacks
Jermund Ottermo
 
Breaking the cyber kill chain!
Nahidul Kibria
 

What's hot (20)

PDF
BlueHat v18 || Malicious user profiling using a deep neural net
BlueHat Security Conference
 
PPT
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat Security Conference
 
PDF
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat Security Conference
 
PPTX
Advanced OSSEC Training: Integration Strategies for Open Source Security
AlienVault
 
PDF
Testing Android Security Codemotion Amsterdam edition
Jose Manuel Ortega Candel
 
PDF
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
michelemanzotti
 
PPTX
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
OWASP
 
PDF
Docker Plugin For DevSecOps
Pichaya Morimoto
 
PDF
DEF CON 23: Internet of Things: Hacking 14 Devices
Synack
 
PPTX
Living off the land and fileless attack techniques
Symantec Security Response
 
KEY
Firefox Syncサーバーを建ててみた
Hiromu Yakura
 
PDF
BlueHat v18 || May i see your credentials, please
BlueHat Security Conference
 
PDF
Avoiding damage, shame and regrets data protection for mobile client-server a...
Stanfy
 
PPTX
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat Security Conference
 
PPTX
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat Security Conference
 
PPTX
Anatomy of Exploit Kits
securityxploded
 
PDF
OSB220: What's New in Security Endpoint Manager
Ivanti
 
PDF
DrupalCamp London 2017 - Web site insecurity
George Boobyer
 
PPTX
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat Security Conference
 
PDF
Whatever it takes - Fixing SQLIA and XSS in the process
guest3379bd
 
BlueHat v18 || Malicious user profiling using a deep neural net
BlueHat Security Conference
 
BlueHat v17 || Out of the Truman Show: VM Escape in VMware Gracefully
BlueHat Security Conference
 
BlueHat v17 || Where, how, and why is SSL traffic on mobile getting intercept...
BlueHat Security Conference
 
Advanced OSSEC Training: Integration Strategies for Open Source Security
AlienVault
 
Testing Android Security Codemotion Amsterdam edition
Jose Manuel Ortega Candel
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
michelemanzotti
 
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
OWASP
 
Docker Plugin For DevSecOps
Pichaya Morimoto
 
DEF CON 23: Internet of Things: Hacking 14 Devices
Synack
 
Living off the land and fileless attack techniques
Symantec Security Response
 
Firefox Syncサーバーを建ててみた
Hiromu Yakura
 
BlueHat v18 || May i see your credentials, please
BlueHat Security Conference
 
Avoiding damage, shame and regrets data protection for mobile client-server a...
Stanfy
 
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat Security Conference
 
BlueHat v17 || Betraying the BIOS: Where the Guardians of the BIOS are Failing
BlueHat Security Conference
 
Anatomy of Exploit Kits
securityxploded
 
OSB220: What's New in Security Endpoint Manager
Ivanti
 
DrupalCamp London 2017 - Web site insecurity
George Boobyer
 
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat Security Conference
 
Whatever it takes - Fixing SQLIA and XSS in the process
guest3379bd
 
Ad

Viewers also liked (20)

DOCX
Secure Abu Dhabi talk
wremes
 
PDF
Vinnes jayson koken
wremes
 
PDF
Distributed Denial Of Service Introduction
wremes
 
PDF
Build Your Own Incident Response
wremes
 
PDF
Crème Brulée :-)
wremes
 
PPTX
Intro to Malware Analysis
wremes
 
PDF
Blackhat Workshop
wremes
 
KEY
Morph V3.1
g2ixOne
 
PDF
SIEM brown-bag presentation
wremes
 
PPT
Brucon presentation
wremes
 
PDF
The Future of Visualization
Raffael Marty
 
PDF
DAVIX - VizSec 2008
Raffael Marty
 
PPT
Visual Log Analysis - DefCon 2006
Raffael Marty
 
PPSX
Ahmed Anver Manatunga
Ahmed Anver Manatunga
 
PDF
DAVIX - Data Analysis and Visualization Linux
Raffael Marty
 
PDF
In the land of the blind the squinter rules
wremes
 
PDF
The Heatmap
 - Why is Security Visualization so Hard?
Raffael Marty
 
PPTX
Discover Synchronized Security - Sophos Day Netherlands
Sophos Benelux
 
PDF
Visualization in the Age of Big Data
Raffael Marty
 
PDF
AfterGlow
Raffael Marty
 
Secure Abu Dhabi talk
wremes
 
Vinnes jayson koken
wremes
 
Distributed Denial Of Service Introduction
wremes
 
Build Your Own Incident Response
wremes
 
Crème Brulée :-)
wremes
 
Intro to Malware Analysis
wremes
 
Blackhat Workshop
wremes
 
Morph V3.1
g2ixOne
 
SIEM brown-bag presentation
wremes
 
Brucon presentation
wremes
 
The Future of Visualization
Raffael Marty
 
DAVIX - VizSec 2008
Raffael Marty
 
Visual Log Analysis - DefCon 2006
Raffael Marty
 
Ahmed Anver Manatunga
Ahmed Anver Manatunga
 
DAVIX - Data Analysis and Visualization Linux
Raffael Marty
 
In the land of the blind the squinter rules
wremes
 
The Heatmap
 - Why is Security Visualization so Hard?
Raffael Marty
 
Discover Synchronized Security - Sophos Day Netherlands
Sophos Benelux
 
Visualization in the Age of Big Data
Raffael Marty
 
AfterGlow
Raffael Marty
 
Ad

Similar to Open Source Security (20)

PPTX
Neo4j Import Webinar
Neo4j
 
PDF
Tools &amp; techniques, building a dev secops culture at mozilla sba live a...
SBA Research
 
PDF
Microservices, la risposta che (forse) cercavi!
Commit University
 
PPTX
Securing your Cloud Environment v2
ShapeBlue
 
PPTX
Low Cost Tools for Security Challenges - Timothy De Block
IT-oLogy
 
PDF
Securing your Cloud Environment
ShapeBlue
 
PDF
Microservices in Production
Damien PLARD
 
PDF
Exploit Kit Cornucopia - Blackhat USA 2017
Brad Antoniewicz
 
PDF
Cisco Connect Toronto 2017 - Security Through The Eyes of a Hacker
Cisco Canada
 
PDF
Microservices: 5 Things I Wish I'd Known - Code Motion Milan 2017
Vincent Kok
 
PDF
Vincent Kok - Microservices 5 things I wish I'd known - Codemotion Milan 2017
Codemotion
 
PPTX
New Microsoft PowerPoint Presentation (2).pptx
MannuMatamAkash
 
PDF
stackconf 2021 | Continuous Security – integrating security into your pipelines
NETWAYS
 
PDF
Software Define your Current Storage with Opensource
Antonio Romeo
 
PDF
iperfTZ: Understanding Network Bottlenecks for TrustZone-based Applications
LEGATO project
 
PDF
No Apology Required: Deconstructing BB10
Duo Security
 
PDF
JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...
Jarrod Overson
 
PDF
The 7 characteristics of container native infrastructure, LinuxCon/ContainerC...
Casey Bisson
 
PDF
Container Runtime Security with Falco
Michael Ducy
 
PPTX
2018 Writing Offensive .Net Tools
Alexander Polce Leary
 
Neo4j Import Webinar
Neo4j
 
Tools &amp; techniques, building a dev secops culture at mozilla sba live a...
SBA Research
 
Microservices, la risposta che (forse) cercavi!
Commit University
 
Securing your Cloud Environment v2
ShapeBlue
 
Low Cost Tools for Security Challenges - Timothy De Block
IT-oLogy
 
Securing your Cloud Environment
ShapeBlue
 
Microservices in Production
Damien PLARD
 
Exploit Kit Cornucopia - Blackhat USA 2017
Brad Antoniewicz
 
Cisco Connect Toronto 2017 - Security Through The Eyes of a Hacker
Cisco Canada
 
Microservices: 5 Things I Wish I'd Known - Code Motion Milan 2017
Vincent Kok
 
Vincent Kok - Microservices 5 things I wish I'd known - Codemotion Milan 2017
Codemotion
 
New Microsoft PowerPoint Presentation (2).pptx
MannuMatamAkash
 
stackconf 2021 | Continuous Security – integrating security into your pipelines
NETWAYS
 
Software Define your Current Storage with Opensource
Antonio Romeo
 
iperfTZ: Understanding Network Bottlenecks for TrustZone-based Applications
LEGATO project
 
No Apology Required: Deconstructing BB10
Duo Security
 
JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...
Jarrod Overson
 
The 7 characteristics of container native infrastructure, LinuxCon/ContainerC...
Casey Bisson
 
Container Runtime Security with Falco
Michael Ducy
 
2018 Writing Offensive .Net Tools
Alexander Polce Leary
 

More from wremes (8)

PDF
Collaborate, Innovate, Secure
wremes
 
PDF
Data Driven Infosec Services
wremes
 
PDF
SOPA 4 dummies
wremes
 
PDF
And suddenly I see ... IDC IT Security Brussels 2011
wremes
 
PDF
10 things we're doing wrong with SIEM
wremes
 
PDF
Teaser
wremes
 
PDF
Ossec Lightning
wremes
 
ODP
Pareto chart using Openoffice.org
wremes
 
Collaborate, Innovate, Secure
wremes
 
Data Driven Infosec Services
wremes
 
SOPA 4 dummies
wremes
 
And suddenly I see ... IDC IT Security Brussels 2011
wremes
 
10 things we're doing wrong with SIEM
wremes
 
Teaser
wremes
 
Ossec Lightning
wremes
 
Pareto chart using Openoffice.org
wremes
 

Recently uploaded (20)

PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Approach and Philosophy of On baking technology
30anthuong17
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Teaching material agriculture food technology
LiaRayya
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
KodekX | Application Modernization Development
KodekX
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 

Open Source Security