OSSIM Fast Guide


----------------- OSSIM Fast Guide -----------------

February 8, 2004
Julio Casal <jcasal@ossim.net>
http://www.ossim.net

WHAT IS OSSIM?

In three phrases:

- VERIFICATION may be OSSIM's most valuable contribution at this time. Using its correlation engine, OSSIM screens out a large percentage of false positives.
- The second advantage is INTEGRATION: we have a series of security tools that enable us to perform a range of tasks, from auditing, pattern matching and anomaly detection to forensic analysis, in one single platform. We take responsibility for testing the stability of these programs and providing patches so that they work together.
- The third is RISK ASSESSMENT: OSSIM offers high-level state indicators that allow us to guide inspection and measure the security situation of our network.

* DISTRIBUTION

- OSSIM integrates a number of powerful open source security tools in a single distribution. These include:
  . Snort
  . Nessus
  . Ntop
  . Snortcenter
  . Acid
  . Riskmeter
  . Spade
  . RRD
  . Nmap, P0f, Arpwatch, etc.
- These tools are linked together in OSSIM's console, giving the user a single, integrated navigation environment.

* ARCHITECTURE

- OSSIM is organized into 3 layers:
  . Sensors
  . Servers
  . Console
- The database is independent of these layers and could be considered to be a fourth layer.

Sensors

- Sensors integrate powerful software in order to provide three capabilities:
  . IDS
  . Anomaly detection
  . Real-time monitoring
- Sensors can also perform other functions, including traffic consolidation on a segment and event normalization.
- Sensors communicate with and receive orders from the server using a proprietary protocol.

Server

- OSSIM's server has the following capabilities:
  . Correlation
  . Prioritization
  . Online inventory
  . Risk assessment
  . Normalization

Console

- The console's interface is structured hierarchically with the following functions:
  . Control Panel
  . Risk and usage monitors
  . Forensic console
  . The Configuration Framework

Databases

- OSSIM uses an open interface that gives it the ability to communicate with any SQL database.
- The distribution uses PostgreSQL or MySQL as its open source relational database.

Communication Protocol

- The protocol used for communication between server and sensors is proprietary and uses a TCP port.
- With this protocol, the user can activate, configure, request and receive data from the sensors.
- This protocol includes all of the functionality of IDMEF; it even adds an option for on-demand queries from the correlation engine to the monitors. Sometime in the future it will be IDMEF compliant.

* NORMALIZATION & AGGREGATION

- OSSIM is currently able to read alerts from:
  . Snort

Fast Guide 2 http://www.ossim.net

  . RealSecure
  . Spade
  . Any data from NTOP
  . Firewall-1
  . Iptables
  . Apache
  . IIS
  . Cisco routers
  . Unix servers
- Normalization is performed with a configurable parser using XML files. Adding new agents can be accomplished in a matter of hours.
- Information from each detector is normally sent to the nearest sensor using the detector's native delivery capability. OSSIM allows delivery using the following methods:
  . SNMP
  . Syslog
  . Raw sockets
  . SQL
  . OPSEC
- Aggregation between sensor and server is executed using OSSIM's proprietary protocol.
- If encrypted communications and authentication are required, they can be established using tunnels at the application level, typically SSH or SSL.
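The guide says normalization is done by a configurable parser driven by XML files, which is why a new agent can be added in hours. The following is an added example of that mechanism, not OSSIM's own plugin format or code: each <agent> element in the XML carries a regular expression whose named groups map onto one common event schema, and a generic engine applies whichever agent matches a line. The XML, the field names (src_ip, dst_ip, plugin_sid, ...) and the log lines are all constructed for this example.

```python
"""Normalizing heterogeneous detector output with XML-defined parsers.

Added example, not OSSIM's plugin format or code.  The agent definitions,
field names and sample log lines below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed agent definitions.  Each named group in a pattern becomes a
# field of the normalized event; plugin_sid is a constructed event id.
AGENT_DEFINITIONS = r"""
<agents>
  <agent name="iptables" plugin_sid="1001">
    <pattern><![CDATA[kernel: .*SRC=(?P<src_ip>[\d.]+) DST=(?P<dst_ip>[\d.]+) .*PROTO=(?P<proto>\w+)(?: SPT=(?P<src_port>\d+) DPT=(?P<dst_port>\d+))?]]></pattern>
  </agent>
  <agent name="apache-access" plugin_sid="2001">
    <pattern><![CDATA[^(?P<src_ip>[\d.]+) \S+ \S+ \[(?P<date>[^\]]+)\] "(?P<method>\w+) (?P<url>\S+) [^"]*" (?P<status>\d{3})]]></pattern>
  </agent>
</agents>
"""


class Agent:
    """One parser definition loaded from the XML."""

    def __init__(self, name: str, plugin_sid: int, pattern: str):
        self.name = name
        self.plugin_sid = plugin_sid
        self.regex = re.compile(pattern)


def load_agents(xml_text: str) -> List[Agent]:
    """Build the parser table from the XML definitions."""
    root = ET.fromstring(xml_text)
    return [Agent(node.get("name"), int(node.get("plugin_sid")),
                  node.findtext("pattern"))
            for node in root.findall("agent")]


def normalize(line: str, agents: List[Agent]) -> Optional[Dict[str, object]]:
    """Return a normalized event for the first agent whose pattern matches,
    or None when no agent understands the line (never guess)."""
    for agent in agents:
        match = agent.regex.search(line)
        if match:
            event: Dict[str, object] = {"plugin": agent.name,
                                        "plugin_sid": agent.plugin_sid}
            # Only groups that actually matched are copied into the event.
            event.update({k: v for k, v in match.groupdict().items()
                          if v is not None})
            return event
    return None


# Constructed sample lines, as a sensor might receive them over syslog.
SAMPLE_LINES = [
    "Feb  8 10:12:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40211 DPT=22 "
    "WINDOW=5840 RES=0x00 SYN URGP=0",
    '198.51.100.4 - - [08/Feb/2004:10:12:05 +0100] "GET /index.html HTTP/1.0" 200 1043',
    # No agent is defined for sshd, so this line stays unnormalized.
    "Feb  8 10:12:06 host sshd[412]: Accepted publickey for alice from 192.0.2.5 port 51022 ssh2",
]


def normalize_all(lines: List[str]) -> List[Optional[Dict[str, object]]]:
    agents = load_agents(AGENT_DEFINITIONS)
    return [normalize(line, agents) for line in lines]


if __name__ == "__main__":
    for event in normalize_all(SAMPLE_LINES):
        print(event)
```

Adding support for a new log source in this scheme means adding one <agent> element with a tested pattern; the engine itself does not change. Lines that no agent matches are returned as None so that unparsed input is visible rather than silently folded into a wrong event type.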

* FUNCTIONALITY

IDS

- OSSIM includes Snort, although it is capable of receiving and saving alerts from other IDSes.
- Snort is configured and parameterized for maximum performance. We also include a number of our own alerts, especially ATTACK-RESPONSE alerts, since they allow OSSIM to verify attacks, which is one of its main objectives.

Anomaly Detection

- OSSIM includes three types of anomaly detection:
  . Connections that are anomalous in origin or destination (ex: an abnormal connection to an open port)
  . Usage data that is anomalous in relation to a threshold (ex: more than 100k throughput by host H)
  . Anomalies in data with periodic tendencies, learned using the Holt-Winters forecasting algorithm (as it learns, the algorithm adjusts the thresholds; for example, high traffic during office hours and low traffic on nights and weekends)
- Anomalies can be correlated to identify malicious use or behavior (ex: a worm that sends 300% more traffic, makes 400% more connections, and makes a number of abnormal connections to machines and ports).
- Abnormal behavior can in turn be correlated with pattern alerts, thereby providing much superior detection and verification.

Correlation

- OSSIM has a powerful correlation engine that can:
  1. Correlate an alert according to the version of the affected product and operating system. (If the attack affects an IIS-Windows machine, it is discarded if the target is Apache-Linux.)
  2. Correlate Snort with Nessus (if there is a possible buffer overrun and Nessus determines that we are vulnerable, the alert is prioritized).
  3. Define logical directives for sequences of events that can correlate:
     a. alerts
     b. anomalies
     c. states, by queries to monitors
- To achieve the above functionality, OSSIM also employs the following processes:
  . Online inventory maintenance
  . Maintenance of alert-version and alert-vulnerability relationship tables
  . Real-time monitor querying
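The third type of anomaly detection above learns a periodic profile with Holt-Winters forecasting and adjusts its thresholds as it learns. The block below is an added example of that idea, not OSSIM's or RRDtool's code: an additive Holt-Winters (triple exponential smoothing) model forecasts each new sample one step ahead, and a sample is flagged when it deviates from the forecast by more than a multiple of the smoothed historical deviation, so the tolerance widens after noisy periods and narrows after quiet ones. The hourly traffic series, the smoothing constants and the deviation floor are all constructed for the example.

```python
"""Seasonal anomaly detection with Holt-Winters forecasting.

Added example, not OSSIM's or RRDtool's code.  Smoothing constants, the
deviation floor and the traffic series are constructed for illustration.
"""
from typing import List, Tuple


class HoltWintersDetector:
    """Additive Holt-Winters with an adaptive deviation threshold."""

    def __init__(self, history: List[float], period: int, alpha: float = 0.3,
                 beta: float = 0.1, gamma: float = 0.2, dev_smooth: float = 0.3,
                 k: float = 2.0, min_dev: float = 10.0):
        if len(history) < 2 * period:
            raise ValueError("need at least two full periods to initialise")
        self.m = period
        self.alpha, self.beta, self.gamma = alpha, beta, gamma
        self.dev_smooth, self.k, self.min_dev = dev_smooth, k, min_dev
        # Standard initialisation from the first two seasons: level is the
        # second season's mean, trend the average per-step change between
        # seasons, and each seasonal index the mean offset from its season.
        s1, s2 = history[:period], history[period:2 * period]
        mean1, mean2 = sum(s1) / period, sum(s2) / period
        self.level = mean2
        self.trend = sum(s2[i] - s1[i] for i in range(period)) / period ** 2
        self.seasonal = [((s1[i] - mean1) + (s2[i] - mean2)) / 2
                         for i in range(period)]
        self.dev = 0.0          # smoothed absolute forecast error
        self.t = 2 * period     # index of the next sample to be scored

    def update(self, y: float) -> Tuple[float, bool]:
        """Score one sample against the forecast, then fold it into the
        model.  Returns (forecast, is_anomaly)."""
        idx = self.t % self.m
        forecast = self.level + self.trend + self.seasonal[idx]
        err = y - forecast
        # The floor keeps a perfectly predictable training window from
        # turning every later sample into an anomaly.
        threshold = max(self.k * self.dev, self.min_dev)
        anomalous = abs(err) > threshold
        # Holt-Winters additive smoothing updates.
        new_level = (self.alpha * (y - self.seasonal[idx])
                     + (1 - self.alpha) * (self.level + self.trend))
        self.trend = (self.beta * (new_level - self.level)
                      + (1 - self.beta) * self.trend)
        self.seasonal[idx] = (self.gamma * (y - new_level)
                              + (1 - self.gamma) * self.seasonal[idx])
        self.level = new_level
        # The deviation estimate also learns, so thresholds adapt over time.
        self.dev = self.dev_smooth * abs(err) + (1 - self.dev_smooth) * self.dev
        self.t += 1
        return forecast, anomalous


def daily_profile(office: float = 100.0, idle: float = 20.0) -> List[float]:
    """Constructed hourly profile: busy 09:00-17:59, quiet otherwise."""
    return [office if 9 <= h <= 17 else idle for h in range(24)]


def build_series() -> List[float]:
    """Two normal days for training, then a day in which one host suddenly
    sends several times its usual traffic at 10:00 (worm-like burst)."""
    day = daily_profile()
    burst_day = list(day)
    burst_day[10] = 400.0
    return day + day + burst_day


def detect(series: List[float], period: int = 24) -> List[Tuple[int, float, float]]:
    """Return (index, value, forecast) for every flagged sample after the
    two training periods."""
    det = HoltWintersDetector(series[:2 * period], period)
    flagged = []
    for i, y in enumerate(series[2 * period:], start=2 * period):
        forecast, anomalous = det.update(y)
        if anomalous:
            flagged.append((i, y, forecast))
    return flagged


if __name__ == "__main__":
    for index, value, forecast in detect(build_series()):
        print(f"hour {index % 24:02d}: observed {value:.0f}, expected {forecast:.0f}")
```

Only the 10:00 burst is flagged: the model already knows that office hours are busy, so the 100-unit daytime samples are expected rather than anomalous. After the burst the smoothed deviation rises, so the next few samples, which the contaminated level now overestimates, fall inside the widened tolerance instead of producing a second alert.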

- As a result, correlation becomes a powerful tool for VERIFICATION, and identifies a high percentage of the false positives generated by an IDS. Let's take a look at some examples of the correlation process:
  . Verification of an intrusion attack:
    . Wait for attack responses
    . Verify the existence of persistent sessions
    . Verify connect-back
    . Verify anomalous behavior of the target following an attack
  . Verification of a denial of service attack:
    . Verify that the service is down (using monitors)
  . Verification of web attacks:
    . Verify negative response from the web server
    . Verify positive response
    . Verify error response
    . Etc.
  (For a more in-depth look at this subject, a paper specifically on correlation will soon be published.)

Prioritization

- Prioritization provides the system with the following information:
  . What is important for security (assessment of assets)
  . Which origins we should be worried about
  . Which destinations we should be worried about
- The relationships among these data are laid out in a policy, similar to that of a firewall, in which we can configure, for example:
  . If the attack originated from the Internet and goes to the internal network, it should be prioritized
  . If the attack is carried out against a printer, it should be deprioritized
  . If the alert is a known configuration error for the network, it should be deprioritized
  . Etc.
- The policy allows us to define objects, groups of objects, ranges of addresses, etc.

Inventory

- OSSIM can automatically and instantaneously inventory the following network information:
  . Operating system
  . MAC address
  . NetBIOS name, DNS
  . Open services
  . Products and versions of open services
  . Various data on use (traffic/connections/time of day) found in the Usage Monitor's database

- This information is collected both passively and actively (listening and asking) using various specific programs.
- OSSIM can detect changes in any of the above parameters and send anomaly alerts if configured to do so.

Forensic Console

- OSSIM utilizes an extension of Acid for its Forensic Console. This console allows us to exploit the event database (EDB) collected through the process of normalization.
- Using Acid, OSSIM allows us to store and exploit other events besides those of Snort, as mentioned earlier (Firewall-1, Cisco, Apache, etc.).
- The modification made to Acid enables it to store and search the following types of data that are not normally included:
  . Accumulated risk to the host at the moment of an attack
  . Instantaneous risk represented by an alert
  . Value of the asset at the moment of the attack
  . Reliability of the event assigned by the correlation engine
- OSSIM allows us to automate administrative tasks for cleanup and creation of histories in order to improve performance.

Risk Monitor

- OSSIM includes a monitor of "accumulated risk" called Riskmeter that utilizes a scoring algorithm called CALM (see "OSSIM: General Description").
- This monitor offers a real-time indicator of the security situation of a host, a network, a group of machines, or even the global security situation. The indicator distinguishes between whether the machine may be compromised (or behaves like an attacker) or may be under attack.
- The monitor can graph this indicator over time, send alerts according to defined thresholds, and use them for correlation in logical directives.

Auditing

- OSSIM integrates Nessus for auditing.
- Using Nessus we can obtain a vulnerability index, i.e. the state of network vulnerability, which can be used as an objective or technical assessment of security.
- Vulnerabilities are stored and correlated to prioritize and discard attacks identified by the IDS.
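The Correlation, Prioritization and Auditing sections together describe what the server does with an alert before an operator sees it: discard it when the affected product/OS does not match the target's inventory entry, raise it when the Nessus audit shows the target is vulnerable, and apply a firewall-like prioritization policy (Internet-to-internal attacks up; printers and known configuration errors down). The block below is an added example of that pipeline, not OSSIM's code or data model: the hosts, signature ids, vulnerability ids, policy rules, and the 0-3 reliability and 0-5 priority scales are constructed placeholders.

```python
"""Correlating an IDS alert with inventory and audit data, then prioritizing it.

Added example, not OSSIM's code or data model.  Hosts, signatures,
vulnerability ids, policy rules and scoring scales are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Alert:
    sid: int            # IDS signature id (constructed)
    name: str
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class Host:
    os: str
    services: Dict[int, str]                      # port -> "product/version"
    kind: str = "server"                          # asset type, e.g. "printer"
    vulns: Set[str] = field(default_factory=set)  # findings from the last audit


# Constructed inventory, as the online inventory process would maintain it.
INVENTORY: Dict[str, Host] = {
    "192.0.2.10": Host(os="Linux", services={80: "Apache/1.3.29", 22: "OpenSSH/3.7"}),
    "192.0.2.20": Host(os="Windows", services={80: "IIS/5.0"},
                       vulns={"VULN-PLACEHOLDER-IIS"}),
    "192.0.2.30": Host(os="Embedded", services={9100: "JetDirect"}, kind="printer"),
}

# Constructed alert-version / alert-vulnerability relationship table:
# which platform and product each signature affects, and which audit
# finding confirms exposure.
ALERT_TARGETS = {
    1001: {"os": "Windows", "product": "IIS", "vuln": "VULN-PLACEHOLDER-IIS"},
    1002: {"os": "Linux", "product": "Apache", "vuln": None},
}

INTERNAL_NET = ip_network("192.0.2.0/24")
# Constructed: (signature, source) pairs the network owner knows to be a
# harmless misconfiguration (here, an internal monitoring host).
KNOWN_CONFIG_ERRORS = {(1002, "192.0.2.5")}


def correlate(alert: Alert, inventory: Dict[str, Host]) -> Tuple[str, int]:
    """Correlation steps 1 and 2: return (disposition, reliability 0-3)."""
    target = inventory.get(alert.dst_ip)
    affects = ALERT_TARGETS.get(alert.sid)
    if target is None or affects is None:
        return "unverified", 1          # nothing to check against; keep as-is
    product = target.services.get(alert.dst_port, "")
    if target.os != affects["os"] or not product.startswith(affects["product"]):
        return "discard", 0             # the attack cannot affect this platform
    if affects["vuln"] and affects["vuln"] in target.vulns:
        return "verified", 3            # the audit says the target is vulnerable
    return "possible", 2


# Policy rules evaluated in order, firewall-style; every matching rule
# adjusts the priority.  Base priority is 2 on a 0-5 scale.
Rule = Tuple[str, Callable[[Alert, Dict[str, Host]], bool], int]
POLICY: List[Rule] = [
    ("internet-to-internal",
     lambda a, inv: (ip_address(a.src_ip) not in INTERNAL_NET
                     and ip_address(a.dst_ip) in INTERNAL_NET), +2),
    ("target-is-printer",
     lambda a, inv: a.dst_ip in inv and inv[a.dst_ip].kind == "printer", -2),
    ("known-config-error",
     lambda a, inv: (a.sid, a.src_ip) in KNOWN_CONFIG_ERRORS, -2),
]


def prioritize(alert: Alert, inventory: Dict[str, Host], base: int = 2) -> int:
    priority = base
    for _name, matches, delta in POLICY:
        if matches(alert, inventory):
            priority += delta
    return max(0, min(5, priority))


def triage(alerts: List[Alert]) -> List[Tuple[str, str, int, int]]:
    """(name, disposition, reliability, priority) for every alert that
    survives correlation, most urgent first."""
    kept = []
    for a in alerts:
        disposition, reliability = correlate(a, INVENTORY)
        if disposition == "discard":
            continue
        kept.append((a.name, disposition, reliability, prioritize(a, INVENTORY)))
    return sorted(kept, key=lambda r: (r[3], r[2]), reverse=True)


# Constructed alerts covering each branch of the logic.
SAMPLE_ALERTS = [
    Alert(1001, "web-attack-vs-apache-host", "203.0.113.7", "192.0.2.10", 80),
    Alert(1001, "web-attack-vs-iis-host", "203.0.113.7", "192.0.2.20", 80),
    Alert(1002, "apache-probe-from-monitor", "192.0.2.5", "192.0.2.10", 80),
    Alert(9999, "unknown-sig-vs-printer", "203.0.113.7", "192.0.2.30", 9100),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
```

The first alert is dropped outright (an IIS/Windows signature against an Apache/Linux host, the page's own example); the second is both verified by the audit and prioritized as an Internet-to-internal attack; the probe from the known monitoring host survives correlation but sinks to priority 0; and the unknown signature against the printer keeps a neutral priority because the two policy rules cancel out. The reliability value is what the Forensic Console later stores beside the event.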

Usage Monitor

- OSSIM includes NTOP, a monitor that collects all traffic data via passive listening and creates a usage profile for each machine.
- This information is stored in circular databases that enable us to save detailed information for a long period of time, for example: bytes sent/received, bytes by service, throughput, connections made, time of day, etc.
- The monitor can make graphs of each item, send alerts according to defined thresholds, and use the data for correlation in logical directives.
- OSSIM links this information to security information in order to query them jointly.

Control Panel

- OSSIM integrates, summarizes, and links together all of the above tools in a single Control Panel.
- Its purpose is to enable the user to analyze and interrelate information from the most abstract to the most concrete.
- The control panel allows us to create reports with information cross-referenced from the various tools that make up OSSIM.
- This control panel should be modified and personalized for each organization.