Taking a bite out of logs with Sagan

1 Taking a bite out of logs with Sagan. By Champ Clark III (AKA Da Beave), cclark@quadrantsec.com. Sagan Website: Slides:

2 Telephreak.org

3 finger: Security researcher. Network. Quadrant Information Security. Syngress author. White papers. Various magazines (Wired, 2600, etc.). Founder of Telephreak & Deathrow OpenVMS cluster. Defensive computing programmer.

4 What is Sagan? Sagan is an open source, multi-threaded *nix application written in C that performs real-time log analysis.

5 What is Sagan? Sagan leverages some existing technologies rather than re-inventing the wheel... Namely...

6 Sourcefire's Snort

7 Sagan: Snort-like features. Uses the same SQL schema. Unified2 output format. Rule sets are very similar.

8 Correlation.

9 How does Sagan receive log data?

10 Sagan & Snort correlation points: Timestamps. Source / Destination. Protocol (UDP / TCP / ICMP). Protocol port being used. Classification.

11 How are the data/events correlated?

12 Log normalization.

13 ACME Corp Centralized Logging Setup. Centralized Logging Address: Target IP Address: Attacker's IP address:

14 ACME Corp Centralized Logging Setup. Syslog source == Syslog destination ==

15 Where is the attacker's IP address?

16 Lame.

17 Attack Syslog Message: sshd[666]: Failed keyboard-interactive/pam for invalid user dabeave from port ssh2

19 How Sagan sees the attack: Records the timestamp. It knows this attack is TCP. The target port is likely TCP/22. The source port is TCP/ . The invalid login is dabeave. The true source is . The destination/target is . Classification lines up with Snort rules.

20 Really? How?

21 Attack Syslog Message: sshd[666]: Failed keyboard-interactive/pam for invalid user dabeave from port ssh2

22 Stored to our Snort IDS database.

23 Security consoles.

24 Snorby.org

30 Sguil.sf.net

31 One place for log events and IDS/IPS events.

32 Your choice of security console doesn't matter to Sagan.

33 BASE

36 Prelude

38 The console doesn't matter.

39 Sagan rules.

40 Let's write a Sagan rule for it. sshd[666]: Failed keyboard-interactive/pam for invalid user dabeave from port ssh2

41 alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[openssh] Invalid user"; content: "invalid user"; program: sshd; pri: 1; sid: ; rev:6;)

50 That's it.

51 alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[openssh] Invalid user"; content: "invalid user"; nocase; program: sshd; classtype: attempted-user; sid: ; rev:7;)

52 alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[openssh] Invalid or Illegal user"; pcre: "/invalid|illegal/i"; content: "user"; nocase; program: sshd; classtype: attempted-user; sid: ; rev:7;)

53 /\x7c\d+\x2e\d+\x2e\d+\x2e\d+ \x7c.*\x7cyuri\s+v1\x2e\d+\x7c/smi

54 alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[openssh] Invalid or Illegal user"; pcre: "/invalid user|illegal user/i"; program: sshd; classtype: attempted-user; sid: ; rev:8;)

55 alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[openssh] Invalid or Illegal user"; pcre: "/invalid user|illegal user/i"; program: sshd; threshold: type limit, track by_src, count 5, seconds 300; classtype: attempted-user; sid: ; rev:8;)

56 alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[openssh] Invalid or Illegal user"; pcre: "/invalid user|illegal user/i"; program: sshd; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 3, seconds 300; classtype: attempted-user; sid: ; rev:9;)
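To make the threshold and after options concrete, here is an added example (not Sagan's own code) that models the two rule options from slides 55 and 56 in Python and replays a constructed sequence of sshd failures through them. It assumes Snort-style fixed windows that start at a source's first event, that `after` is evaluated before `threshold`, and that a counter resets once its window expires; the timestamps and the documentation-range source addresses are constructed for the demonstration.

```python
from dataclasses import dataclass

# Added example, not Sagan's code: a model of the rule options
#   threshold: type limit, track by_src, count 5, seconds 300
#   after:     track by_src, count 3, seconds 300
# Window handling (fixed window starting at the source's first event,
# counter reset when the window expires) is an assumption of this model.


@dataclass
class Window:
    start: float    # timestamp of the first event in this window
    count: int = 0  # events seen in this window so far


class PerSourceCounter:
    """Counts events per source address inside fixed windows of `seconds` length."""

    def __init__(self, seconds: float):
        self.seconds = seconds
        self.windows = {}  # src -> Window

    def hit(self, src: str, ts: float) -> int:
        w = self.windows.get(src)
        if w is None or ts - w.start >= self.seconds:
            w = Window(start=ts)  # first event, or window expired: start over
            self.windows[src] = w
        w.count += 1
        return w.count


class RuleRateState:
    """State for one rule: optional 'after' gate, then optional 'threshold type limit'."""

    def __init__(self, after_count=None, after_seconds=300, limit_count=None, limit_seconds=300):
        self.after_count = after_count
        self.after = PerSourceCounter(after_seconds) if after_count else None
        self.limit_count = limit_count
        self.limit = PerSourceCounter(limit_seconds) if limit_count else None

    def should_alert(self, src: str, ts: float) -> bool:
        # after: stay silent until this source has produced `after_count`
        # matching events inside the window (one-off typos never alert)
        if self.after and self.after.hit(src, ts) < self.after_count:
            return False
        # threshold type limit: alert on the first `limit_count` matches per
        # window, then suppress, so a brute-force run does not flood the console
        if self.limit and self.limit.hit(src, ts) > self.limit_count:
            return False
        return True


def replay(events, state: RuleRateState):
    """Return the (timestamp, src) pairs that would raise an alert."""
    return [(ts, src) for ts, src in events if state.should_alert(src, ts)]


# Constructed timeline of (seconds, source address); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_EVENTS = [
    (0, "203.0.113.5"),
    (5, "198.51.100.7"),   # a single failure from another host: never alerts
    (10, "203.0.113.5"), (20, "203.0.113.5"), (30, "203.0.113.5"),
    (40, "203.0.113.5"), (50, "203.0.113.5"), (60, "203.0.113.5"),
    (70, "203.0.113.5"), (80, "203.0.113.5"),   # nine failures in 80 seconds
    (400, "203.0.113.5"),  # one more after both 300 s windows have expired
]


def demo():
    state = RuleRateState(after_count=3, after_seconds=300, limit_count=5, limit_seconds=300)
    return replay(SAMPLE_EVENTS, state)


if __name__ == "__main__":
    for ts, src in demo():
        print(f"t={ts:>3}s alert [openssh] Invalid or Illegal user from {src}")
```

Replaying the sample gives five alerts for 203.0.113.5 (events three through seven), none for the lone failure from 198.51.100.7, and none for the straggler at 400 s, whose `after` window has already reset.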

57 Nifty, I still don't see log normalization. Only detection.

58 alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[openssh] Invalid or Illegal user"; pcre: "/invalid user|illegal user/i"; program: sshd; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 3, seconds 300; normalize: openssh; classtype: attempted-user; sid: ; rev:10;)

59 liblognorm

60 Failed keyboard-interactive/pam for invalid user dabeave from port ssh2

61 Failed keyboard-interactive/pam for invalid user %username:word% from %src-ip:ipv4% port %srcport:number% ssh2
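As an added example (not Sagan's or liblognorm's code), the following Python reproduces the `%name:type%` sample syntax from slide 61 and runs a constructed sshd line through the rule's `program: sshd` and `pcre` checks from slides 41 and 54 before normalizing it, producing the correlation fields slide 19 lists (protocol, ports, true source, user). The field types `word`, `ipv4` and `number` are implemented with regexes here; the address 203.0.113.5 and port 51234 in the sample line are constructed, and the destination port 22 comes from the rule header rather than from the message.

```python
import ipaddress
import re
from dataclasses import dataclass

# Added example, not liblognorm/Sagan code. Regex fragments for the sample
# field types used on the slide (liblognorm itself supports many more).
FIELD_TYPES = {
    "word": r"\S+",
    "ipv4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "number": r"\d+",
}
FIELD_RE = re.compile(r"%(?P<name>[A-Za-z0-9_-]+):(?P<type>[a-z0-9]+)%")
SYSLOG_RE = re.compile(r"^(?P<program>[\w.\-/]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")


@dataclass
class NormRule:
    pattern: re.Pattern
    types: dict  # regex group name -> field type


def compile_sample(sample: str) -> NormRule:
    """Turn 'text %name:type% text' into an anchored regex with named groups."""
    parts, types, pos = [], {}, 0
    for m in FIELD_RE.finditer(sample):
        parts.append(re.escape(sample[pos:m.start()]))
        ftype = m.group("type")
        if ftype not in FIELD_TYPES:
            raise ValueError(f"unsupported field type: {ftype}")
        gname = m.group("name").replace("-", "_")  # 'src-ip' -> 'src_ip' (group names)
        parts.append(f"(?P<{gname}>{FIELD_TYPES[ftype]})")
        types[gname] = ftype
        pos = m.end()
    parts.append(re.escape(sample[pos:]))
    return NormRule(re.compile("^" + "".join(parts) + "$"), types)


def normalize(rule: NormRule, message: str):
    """Return typed fields for a message that matches the sample, else None."""
    m = rule.pattern.match(message)
    if not m:
        return None
    fields = {}
    for gname, ftype in rule.types.items():
        value = m.group(gname)
        if ftype == "number":
            value = int(value)
        elif ftype == "ipv4":
            try:
                ipaddress.IPv4Address(value)  # reject 999.1.2.3 and similar
            except ipaddress.AddressValueError:
                return None
        fields[gname] = value
    return fields


# The slide's sample line for the openssh normalizer.
OPENSSH_SAMPLE = ("Failed keyboard-interactive/pam for invalid user "
                  "%username:word% from %src-ip:ipv4% port %srcport:number% ssh2")
OPENSSH_RULE = compile_sample(OPENSSH_SAMPLE)

# Rule options from slide 54: program: sshd; pcre: "/invalid user|illegal user/i"
RULE_PROGRAM = "sshd"
RULE_PCRE = re.compile(r"invalid user|illegal user", re.IGNORECASE)


def sagan_view(syslog_line: str):
    """Model how one syslog line becomes a Snort-style event record, or None if the rule is silent."""
    m = SYSLOG_RE.match(syslog_line)
    if not m or m.group("program") != RULE_PROGRAM or not RULE_PCRE.search(m.group("msg")):
        return None  # rule does not fire
    event = {
        "program": m.group("program"),
        "pid": int(m.group("pid")),
        "proto": "tcp",   # from the rule header: alert tcp ...
        "dst_port": 22,   # ... $HOME_NET 22
        "src_ip": None,   # filled in only when normalization succeeds
        "src_port": None,
        "username": None,
    }
    fields = normalize(OPENSSH_RULE, m.group("msg"))
    if fields:  # the true source, not the syslog relay that forwarded the line
        event.update(src_ip=fields["src_ip"], src_port=fields["srcport"],
                     username=fields["username"])
    return event


# Constructed sample line; 203.0.113.5 is a documentation address, the port is arbitrary.
SAMPLE_LINE = ("sshd[666]: Failed keyboard-interactive/pam for invalid user dabeave "
               "from 203.0.113.5 port 51234 ssh2")

if __name__ == "__main__":
    print(sagan_view(SAMPLE_LINE))
```

The detection and the normalization stay separate on purpose: a line that matches the pcre but not the sample still raises the event (with empty source fields), which is the behaviour a rule without `normalize:` would have.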

62 Current Sagan rules: adtran, apache, apc-emu, arp, asterisk, attack, bash, bind, bonding, bro-ids, cacti, cisco-ios, cisco-pixasa, courier, dns, dovecot, fortinet, ftpd, grsec, hordeimp, hostapd, imapd, ipop3d, juniper, kismet, linux-kernel, milter, mysql, nginx, ntp, openssh, ossec, php, postfix, postgresql, pptp, procurve, pure-ftpd, racoon, roundcube, rsync, samba, sendmail, snort, solaris, sonicwall, squid, su, syslog, tcp, telnet, tripwire, vmpop3d, vmware, vpopmail, vsftpd, weblabrinth, windows (event logs), wordpress, xinetd, zeus.

63 Output plugins (see the sagan.conf):

64 output smtpserver=

65 output external: /home/user/myscript parseable

66 output database: log, mysql, user=sagan password=pw dbname=sagan host=

67 output unified2: filename sagan.u2, limit

68 output alert_fwsam: /mypassword

69 alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"[openssh] Invalid or Illegal user"; pcre: "/invalid user|illegal user/i"; program: sshd; threshold: type limit, track by_src, count 5, seconds 300; after: track by_src, count 3, seconds 300; normalize: openssh; fwsam: src, 1 day; classtype: attempted-user; sid: ; rev:10;)

70 Preprocessors (see the sagan.conf):

71 preprocessor sagan-trackclients: client_timeout

72 Sagan preprocessors in development: Log anomaly detection. Websense Threatseeker integration. DShield integration.

73 Q & A?


Ftp Command Line Manual Windows Passive Mode Linux Ftp Command Line Manual Windows Passive Mode Linux To Connect to Box with Command Line (Advanced users on Mac or Linux) Windows built-in ftp command line utility cannot support passive mode (even. open

More information

Dynamic Software Updating (DSU) on a Large Scale. Karla Saur

Dynamic Software Updating (DSU) on a Large Scale. Karla Saur Dynamic Software Updating (DSU) on a Large Scale Karla Saur Kitsune: A Practical DSU System Whole-program updates for C Entirely standard compilation and tools Previously with Kitsune: 2 Kitsune: A Practical

More information

Advanced Firepower IPS Deployment

Advanced Firepower IPS Deployment Advanced Firepower IPS Deployment Gary Halleen, Technical Solutions Architect BRKSEC-3300 Webex Teams Questions? Use Webex Teams to chat with the speaker after the session How 1 2 3 4 Find this session

More information

CSE / / 60567: Computer Security. Network Security 5

CSE / / 60567: Computer Security. Network Security 5 CSE 40567 / 44567 / 60567: Computer Security Network Security 5 130 Homework #7 is Due on 4/19/18 at 11:59PM Eastern (ND) / Pacific (SV) Time See Assignments Page on the course website for details 131

More information

Latest IT Exam Questions & Answers

Latest IT Exam Questions & Answers DumpKiller Latest IT Exam Questions & Answers http://www.dumpkiller.com No help, Full refund! Exam : LX0-104 Title : CompTIA Linux+ [Powered by LPI] - Exam 2 Vendor : CompTIA Version : DEMO Get Latest

More information

The Bro Cluster The Bro Cluster

The Bro Cluster The Bro Cluster The Bro Cluster The Bro Cluster Intrusion Detection at 10 Gig and A High-Performance beyond using the NIDS Bro Architecture IDS for the Lawrence Berkeley National Lab Robin International Computer Science

More information

Enterprise Linux Network Services (GL275) H7092S

Enterprise Linux Network Services (GL275) H7092S Course data sheet Enterprise Linux Network Services (GL275) H7092S HPE course number Course length Delivery mode View schedule, local pricing, and register View related courses H7092S 5 Days ILT, VILT

More information

Oct 02, 2017 Page 1. Tripwire, Inc. Tripwire Enterprise Platform Support Policy October 2017

Oct 02, 2017 Page 1. Tripwire, Inc. Tripwire Enterprise Platform Support Policy October 2017 Oct 02, 2017 Page 1 Tripwire, Inc. Tripwire Enterprise Platform Policy October 2017 SUPPORT DEFINITIONS Active No Officially supported by Tripwire as outlined in our support agreements, has no plans to

More information

websnort Documentation

websnort Documentation websnort Documentation Release 0.8 Steve Henderson Jul 04, 2018 Contents 1 Features 3 2 Contents 5 3 Issues 15 Python Module Index 17 i ii Websnort is an Open Source web service for analysing pcap files

More information

Log Correlation Engine 3.4 Log Normalization Guide July 29, 2010 (Revision 3)

Log Correlation Engine 3.4 Log Normalization Guide July 29, 2010 (Revision 3) Log Correlation Engine 3.4 Log Normalization Guide July 29, 2010 (Revision 3) The newest version of this document is available at the following URL: http://cgi.tenablesecurity.com/lce_3.4_log_analysis.pdf

More information

Lab 8: Firewalls & Intrusion Detec6on Systems

Lab 8: Firewalls & Intrusion Detec6on Systems Lab 8: Firewalls & Intrusion Detec6on Systems Fengwei Zhang Wayne State University CSC Course: Cyber Security Prac6ce 1 Firewall & IDS Firewall A device or applica6on that analyzes packet headers and enforces

More information

James Culverhouse AusCERT General Manager Mike Holm Operations Manager Protecting Organisations from cyber threats since 1993

James Culverhouse AusCERT General Manager Mike Holm Operations Manager Protecting Organisations from cyber threats since 1993 Making a Day in the Life of a University Sys-Admin Easier James Culverhouse AusCERT General Manager Mike Holm Operations Manager Protecting Organisations from cyber threats since 1993 About AusCERT AusCERT

More information

Install and Configure snort as NIDS tool Reza Abedi

Install and Configure snort as NIDS tool Reza Abedi Install and Configure snort as NIDS tool Reza Abedi Reza.Abedi@mail.bcu.ac.uk Contents 1 introduction... 2 what is snort and different modes... 3 snort system architect... 4 pre-snort installation... 5

More information

Evaluation of Intrusion Detection Systems under Denial of Service Attack in virtual Environment

Evaluation of Intrusion Detection Systems under Denial of Service Attack in virtual Environment Master of Science in Computer Science Engineering October 2017 Evaluation of Intrusion Detection Systems under Denial of Service Attack in virtual Environment Comparative study of Snort, Suricata and OSSEC

More information

"Charting the Course... RHCE Rapid Track Course. Course Summary

Charting the Course... RHCE Rapid Track Course. Course Summary Course Summary Description This course is carefully designed to match the topics found in the Red Hat RH299 exam prep course but also features the added benefit of an entire extra day of comprehensive

More information

Advanced Network Forensics User/Password Crack. Port Scan. Signature Detection. Converted Formats. ARP Spoofing. DDoS Detection.

Advanced Network Forensics User/Password Crack. Port Scan. Signature Detection. Converted Formats. ARP Spoofing. DDoS Detection. Advanced Network Forensics User/Password Crack. Port Scan. Signature Detection. Converted Formats. ARP Spoofing. DDoS Detection. Setup Setup 192.168.47.171 192.168.47.200 Snort -i 1 -c 1.rules alert.ids

More information

Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems

Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems Section 1: Command Line Tools Skill 1: Employ commands using command line interface 1.1 Use command line commands to gain situational

More information

Replacing Windows Servers with Linux

Replacing Windows Servers with Linux Replacing Windows Servers with Linux Mark Post Novell, Inc. Wednesday, February 14, 2007 Session 9281 Agenda Reasons to move away from Microsoft Windows What Windows functions can be replaced? What can

More information

Address Space Randomization

Address Space Randomization Address Space Randomization A n E f f e c t i v e I m p l e m e n t a t i o n Michael Cloppert May, 2006 Address Space Randomization Theory Randomize location of memory objects Libraries Heap User, kernel-space

More information

Securing CS-MARS C H A P T E R

Securing CS-MARS C H A P T E R C H A P T E R 4 Securing CS-MARS A Security Information Management (SIM) system can contain a tremendous amount of sensitive information. This is because it receives event logs from security systems throughout

More information