OSSEC HIDS, Host Based Intrusion Detection System - PowerPoint PPT Presentation

Provided by: mazz3
Slides: 35

Transcript and Presenter's Notes

1
OSSEC HIDS, Host Based Intrusion Detection System
  • Aurora Mazzone, INFN Sezione di Torino
  • Part Two

2
Installation
  • Choosing the installation type
  • server, agent or local?

3
Installation
  • E-mail notification
  • sends e-mail to report relevant, important or
    serious events.

4
Installation
  • Integrity check daemon
  • checks configuration files and executables.

5
Installation
  • Rootkit detection engine
  • searches for rootkits.

6
Installation
  • Active response
  • response to an event.

7
Configuration files
  • /var/ossec/etc/ossec.conf
  • global options, fully customizable.
  • /var/ossec/etc/internal_options.conf
  • key options for general operation, to be changed
    only in special cases.

8
ossec.conf e-mail <global>
  • E-mail configuration (global section)
  • <global>
  • <email_notification>yes</email_notification>
  • <email_to>root@localhost</email_to>
  • <smtp_server>127.0.0.1</smtp_server>
  • <email_from>ossecm@localhost.localdomain</email_from>
  • <email_maxperhour>70</email_maxperhour>
  • </global>

9
ossec.conf e-mail <email_alerts>
  • Granular e-mail configuration (email_alerts
    section)
  • <email_to>
  • <event_location>
  • <group>
  • <level>
  • <rule_id>
  • <do_not_delay />
  • <do_not_group />
  • <format>

10
ossec.conf e-mail <email_alerts>
  • Granular e-mail configuration (email_alerts
    section)
  • <email_alerts>
  • <email_to>pluto@localhost</email_to>
  • <level>12</level>
  • <do_not_group/>
  • <do_not_delay/>
  • </email_alerts>

11
ossec.conf e-mail <email_alerts>
  • Granular e-mail configuration (email_alerts
    section)
  • <email_alerts>
  • <email_to>pippo@localhost</email_to>
  • <event_location>vm-ossec-c|vm-ossec-d|192.168.0.0/24</event_location>
  • <do_not_group/>
  • </email_alerts>

12
ossec.conf e-mail <email_alerts>
  • Granular e-mail configuration (email_alerts
    section)
  • <email_alerts>
  • <email_to>anna@localhost</email_to>
  • <group>syscheck</group>
  • <format>sms</format>
  • </email_alerts>

13
ossec.conf e-mail <email_alerts>
  • Granular e-mail configuration (email_alerts
    section)
  • <email_alerts>
  • <email_to>admin@localhost</email_to>
  • <rule_id>40111</rule_id>
  • <format>sms</format>
  • </email_alerts>
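To illustrate how the four granular <email_alerts> blocks of slides 10 to 13 route one alert to different recipients, the following Python example was added here; it is not part of the presentation or of OSSEC's own code. It combines the blocks into a constructed ossec.conf fragment; the "|" separators in event_location, the use of Python regular expressions in place of OSSEC's own pattern syntax, and the alert fields are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment combining the <email_alerts> blocks from the
# slides. do_not_group / do_not_delay only change how mail is delivered, not
# who receives it, so they are left out of the routing logic below.
OSSEC_CONF = """<ossec_config>
  <email_alerts><email_to>pluto@localhost</email_to><level>12</level></email_alerts>
  <email_alerts><email_to>pippo@localhost</email_to><event_location>vm-ossec-c|vm-ossec-d|192.168.0.0/24</event_location></email_alerts>
  <email_alerts><email_to>anna@localhost</email_to><group>syscheck</group><format>sms</format></email_alerts>
  <email_alerts><email_to>admin@localhost</email_to><rule_id>40111</rule_id></email_alerts>
</ossec_config>"""


def load_email_alerts(conf_xml):
    """One dict per <email_alerts> block, holding only the criteria it sets."""
    rules = []
    for block in ET.fromstring(conf_xml).findall("email_alerts"):
        ids = block.findtext("rule_id") or ""
        rules.append({
            "to": block.findtext("email_to"),
            "level": int(block.findtext("level") or 0),     # minimum alert level
            "group": block.findtext("group"),               # group the alert must carry
            "rule_ids": {i.strip() for i in ids.split(",") if i.strip()},
            "location": block.findtext("event_location"),   # pattern (assumed: Python regex)
            "format": block.findtext("format") or "full",
        })
    return rules


def recipients(alert, rules):
    """Return (address, format) pairs for every block whose configured
    criteria all match the alert; a criterion that is not set matches anything."""
    out = []
    for r in rules:
        if alert["level"] < r["level"]:
            continue
        if r["group"] and r["group"] not in alert["groups"]:
            continue
        if r["rule_ids"] and alert["rule_id"] not in r["rule_ids"]:
            continue
        if r["location"] and not re.search(r["location"], alert["location"]):
            continue
        out.append((r["to"], r["format"]))
    return out


if __name__ == "__main__":
    # Constructed alert: a syscheck change reported by agent vm-ossec-c.
    alert = {"level": 7, "rule_id": "550", "groups": ["ossec", "syscheck"],
             "location": "(vm-ossec-c) 192.168.0.5->syscheck"}
    print(recipients(alert, load_email_alerts(OSSEC_CONF)))
```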

14
ossec.conf e-mail <alerts>
  • E-mail configuration (alerts section)
  • <alerts>
  • <log_alert_level>1</log_alert_level>
  • <email_alert_level>7</email_alert_level>
  • </alerts>

15
ossec.conf e-mail <alerts>
  • Level 0: Ignored, no action taken. Scanned before
    all others (grouping).
  • Level 2: System low priority notification and
    catch-all rule with BAD_WORD.
  • Level 3: Successful/authorized events.
  • Level 4: System low priority errors.
  • Level 5: User generated error (missed passwords,
    denied actions, etc.).
  • Level 7: Syscheck.
  • Level 8: First time seen events. Stats alerts.

16
ossec.conf e-mail <alerts>
  • Level 10: Multiple user generated errors:
    multiple bad passwords, multiple failed logins.
  • Level 12: High importance event: error or warning
    messages from the system, kernel, etc., or
    something that might indicate an attack against a
    specific application.
  • Level 13: Unusual error. Common attack patterns.
  • Level 14: High importance security event:
    correlation of multiple attack rules.
  • Level 15: Attack successful.

17
internal_options.conf e-mail grouping
  • E-mail configuration
  • Maild grouping (0=disabled, 1=enabled)?
  • Groups alerts within the same e-mail.
  • maild.groupping=1

18
Stats
  • Number of events generated
  • for each hour of the day
  • for each day of the week
  • totals

19
ossec.conf stats <global>
  • <global>
  • <stats>8</stats>
  • </global>
  • Any significant variation in the number of events
    reported over a given period of time generates a
    level 8 alert.

20
internal_options.conf stats
  • Analysisd stats maximum diff.
  • analysisd.stats_maxdiff=25000
  • Analysisd stats minimum diff.
  • analysisd.stats_mindiff=250
  • Analysisd stats percentage (how much to differ
    from average)?
  • analysisd.stats_percent_diff=30
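As an added illustration (not from the presentation or from OSSEC's source) of how these three thresholds can be read together, the Python below parses the internal_options.conf lines above and decides whether an hour's event count deviates enough from its historical average to justify the level 8 stats alert of slide 19; the way the thresholds are combined is an assumption, not OSSEC's exact logic.

```python
# Constructed internal_options.conf fragment using the values on the slide.
INTERNAL_OPTIONS = """
# Analysisd stats maximum diff.
analysisd.stats_maxdiff=25000
# Analysisd stats minimum diff.
analysisd.stats_mindiff=250
# Analysisd stats percentage (how much to differ from average)?
analysisd.stats_percent_diff=30
"""


def parse_internal_options(text):
    """Parse key=value lines, skipping blank lines and '#' comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = int(value.strip())
    return opts


def stats_alert(current, average, opts):
    """True when this hour's event count deviates enough from the historical
    average for the same hour to deserve a level 8 stats alert.
    Assumed combination of the three thresholds (not OSSEC's exact code):
      - a difference above stats_maxdiff always alerts;
      - a difference below stats_mindiff never alerts (quiet-host noise);
      - in between, alert only if the difference exceeds
        stats_percent_diff percent of the average."""
    diff = abs(current - average)
    if diff > opts["analysisd.stats_maxdiff"]:
        return True
    if diff < opts["analysisd.stats_mindiff"]:
        return False
    # Multiply instead of dividing so an average of 0 needs no special case.
    return diff * 100 > opts["analysisd.stats_percent_diff"] * average


def hourly_report(counts, averages, opts):
    """Hours (index 0-23) whose constructed counts would raise the alert."""
    return [h for h, (c, a) in enumerate(zip(counts, averages))
            if stats_alert(c, a, opts)]
```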

21
ossec.conf log files to monitor <localfile>
  • <localfile>
  • <log_format>syslog</log_format>
  • <location>/var/log/messages</location>
  • </localfile>
  • Natively supported formats
  • syslog, snort-full, snort-fast, squid, iis,
    eventlog, nmapg (greppable nmap formatted logs),
    mysql_log, postgresql_log, apache.

22
ossec.conf file integrity check <syscheck>
  • <syscheck> options
  • <frequency>
  • <scan_day>
  • <scan_time>
  • <scan_on_start>
  • <directories>
  • <ignore>
  • <auto_ignore>
  • <alert_new_files>
  • <windows_registry>
  • <registry_ignore>

23
ossec.conf file integrity check <syscheck>
  • <syscheck> day/time configuration
  • <syscheck>
  • <scan_day>monday</scan_day>
  • <scan_time>8 pm</scan_time>
  • <scan_on_start>no</scan_on_start>
  • <auto_ignore>no</auto_ignore>
  • ...
  • </syscheck>

24
ossec.conf file integrity check <syscheck>
  • <syscheck> frequency configuration
  • <syscheck>
  • <frequency>7200</frequency>
  • <auto_ignore>no</auto_ignore>
  • <alert_new_files>yes</alert_new_files>
  • ...
  • </syscheck>

25
ossec.conf file integrity check <syscheck>
  • <syscheck> <directories> configuration
  • <syscheck>
  • <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  • <directories check_all="yes">/bin,/sbin</directories>
  • <windows_registry>HKEY_LOCAL_MACHINE\Software</windows_registry>
  • ...
  • </syscheck>

26
ossec.conf file integrity check <syscheck>
  • <syscheck> <directories> attributes
  • check_all
  • check_sum
  • check_size
  • check_owner
  • check_group
  • check_perm

27
ossec.conf file integrity check <syscheck>
  • <syscheck> <ignore> configuration
  • <syscheck>
  • <ignore>/etc/mtab</ignore>
  • <ignore>C:\WINDOWS/System32/LogFiles</ignore>
  • <registry_ignore>HKEY_CURRENT_USER</registry_ignore>
  • ...
  • </syscheck>
  • Files ignored on the server are also ignored on
    all agents.
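To make the check_* attributes of slide 26 and the <ignore> entries above concrete, here is an added Python example (not the presentation's or OSSEC's own code) that builds a syscheck-style baseline recording only the requested attributes, skips ignored paths, and reports what changed between two scans; the temporary tree, its file contents and the single SHA-1 digest are constructed assumptions.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

# Attributes a <directories> entry can carry (slide 26); check_all enables all.
CHECKS = ("check_sum", "check_size", "check_owner", "check_group", "check_perm")

def enabled_checks(attributes):
    """attributes: the entry's XML attributes, e.g. {"check_all": "yes"}."""
    if attributes.get("check_all") == "yes":
        return set(CHECKS)
    return {c for c in CHECKS if attributes.get(c) == "yes"}

def is_ignored(path, ignores):
    """An <ignore> entry matches the path itself or anything beneath it."""
    return any(path == i or path.startswith(i.rstrip("/") + "/") for i in ignores)

def snapshot(path, checks):
    """Record only the attributes the entry asked for (one SHA-1 digest
    stands in for the digests syscheck keeps; constructed simplification)."""
    st = os.stat(path)
    fields = {"check_size": ("size", st.st_size), "check_owner": ("owner", st.st_uid),
              "check_group": ("group", st.st_gid), "check_perm": ("perm", stat.S_IMODE(st.st_mode))}
    entry = {key: val for check, (key, val) in fields.items() if check in checks}
    if "check_sum" in checks:
        entry["sum"] = hashlib.sha1(Path(path).read_bytes()).hexdigest()
    return entry

def scan(directory, checks, ignores=()):
    """Baseline of every file under directory, minus ignored paths."""
    return {p: snapshot(p, checks) for root, _, files in os.walk(directory)
            for p in (os.path.join(root, n) for n in files) if not is_ignored(p, ignores)}

def changed(old, new):
    """Paths whose recorded attributes differ, plus added and deleted files."""
    return sorted(p for p in old.keys() | new.keys() if old.get(p) != new.get(p))

def demo():
    """Constructed scenario: baseline a temporary tree, then change one file,
    add one and touch an ignored one; returns changed paths relative to it."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("bin/ls", b"original"), ("etc/mtab", b"mounts")):
            Path(d, name).parent.mkdir(parents=True, exist_ok=True)
            Path(d, name).write_bytes(data)
        checks = enabled_checks({"check_all": "yes"})
        ignores = [str(Path(d, "etc/mtab"))]        # like <ignore>/etc/mtab</ignore>
        before = scan(d, checks, ignores)
        Path(d, "bin/ls").write_bytes(b"replaced")  # same size, new checksum
        Path(d, "etc/mtab").write_bytes(b"new")     # ignored, must not show up
        Path(d, "bin/new").write_bytes(b"x")        # new file
        return [os.path.relpath(p, d) for p in changed(before, scan(d, checks, ignores))]
```

Note that with only check_size set, the replacement of bin/ls (same length, different content) would go unnoticed; check_sum is what catches it.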

28
internal_options.conf file integrity check
  • Syscheck checking/usage speed. To avoid large
    cpu/memory usage, you can specify how much to
    sleep after generating the checksum of X files.
    The default is to sleep 2 seconds after reading
    15 files.
  • syscheck.sleep=2
  • syscheck.sleep_after=15

29
ossec.conf rootkit detection engine and policy
enforcement <rootcheck>
  • <rootcheck> options
  • <disabled>
  • <frequency>
  • <rootkit_files>
  • <rootkit_trojans>
  • <system_audit>
  • <windows_audit>
  • <windows_apps>
  • <windows_malware>

30
ossec.conf rootkit detection engine and policy
enforcement <rootcheck>
  • <rootcheck> options
  • <rootkit_files>: application level rootkit
    signatures file
  • <rootkit_trojans>: application level trojan
    signatures file

31
ossec.conf rootkit detection engine and policy
enforcement <rootcheck>
  • <rootcheck> policy enforcement options
  • <system_audit>
  • <windows_audit>
  • <windows_apps>
  • <windows_malware>
  • Checks on
  • f: file or directory (and its contents)
  • r: registry key
  • p: process

32
Tools
  • Main management tools (version 1.6)
  • /var/ossec/bin
  • ossec-control
  • syscheck_control
  • clear_stats
  • rootcheck_control
  • agent_control
  • list_agents
  • syscheck_update
  • manage_agents

33
Daemons
  • Main daemons (version 1.6)
  • /var/ossec/bin
  • ossec-remoted
  • ossec-agentd
  • ossec-execd
  • ossec-syscheckd
  • ossec-analysisd
  • ossec-logcollector
  • ossec-maild
  • ossec-monitord
  • they run as root
