Power of OSSEC, by Donovan Thorpe

Power of OSSEC
By Donovan Thorpe
CS 5910 Fall 2010
What is OSSEC?
• OSSEC History
• Host-based Intrusion Detection System
• Open Source
• Multi-platform
CS 5910 - dthorpe - OSSEC - 2010-12-08

Installation Types
• Local
• Server
• Agent and Agent-less

OSSEC features
• System Integrity Checking
• Rootkit Detection
• Log Analysis
• Active Response

Integrity Checking
• syscheck
• checks MD5 and SHA-1 hashes, size, owner, group and permissions
• realtime option for directories (inotify on Linux)

Rootkit Detection
• Looks for known rootkits
• Scans the filesystem for unusual files and permissions
• Looks for hidden ports
• Looks for interfaces in promiscuous mode
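Both features on the two slides above are switched on in the same file, /var/ossec/etc/ossec.conf, on the host being watched (a local install or an agent). The fragment below is an added example, not text from the slides and not OSSEC's shipped default configuration: the directory list, frequencies and ignore patterns are illustrative assumptions; the element and attribute names are OSSEC's own (the check_* toggles in rootcheck are assumed to be available, which holds for OSSEC 2.7 and later).

```xml
<!-- Added example: syscheck (integrity checking) and rootcheck in
     /var/ossec/etc/ossec.conf. Paths and frequencies are illustrative. -->
<ossec_config>
  <syscheck>
    <!-- Full scan every 2 hours (value in seconds). -->
    <frequency>7200</frequency>

    <!-- check_all = MD5, SHA-1, size, owner, group and permissions.
         realtime="yes" uses inotify on Linux, so a change under /etc is
         reported when it happens instead of at the next scheduled scan.
         report_changes="yes" keeps a copy of each file so the alert can
         carry a diff; keep it to small text-config trees. -->
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc</directories>
    <directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin,/boot</directories>

    <!-- Files that legitimately change all the time would flood alerts. -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/resolv.conf</ignore>
    <ignore type="sregex">.swp$</ignore>

    <!-- Also alert when a new file appears in a monitored directory. -->
    <alert_new_files>yes</alert_new_files>
  </syscheck>

  <rootcheck>
    <!-- Signature lists shipped with OSSEC. -->
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>

    <!-- The checks the slide lists: unusual files and permissions, hidden
         ports, promiscuous interfaces, plus hidden processes and trojaned
         binaries. -->
    <check_files>yes</check_files>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>
    <check_pids>yes</check_pids>
    <check_trojans>yes</check_trojans>

    <!-- Rootcheck walks the whole filesystem; run it every 10 hours. -->
    <frequency>36000</frequency>
  </rootcheck>
</ossec_config>
```

Two things to check after editing: realtime only works if the OSSEC binaries were built on a system with inotify headers, otherwise the directory silently falls back to scheduled scans; and nothing takes effect until `/var/ossec/bin/ossec-control restart` is run on that host.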

Log Analysis
• File Monitoring: tail log files and match each line against the rules
• Process Monitoring: run a command on a schedule and treat its output as a log source
• alert on what the output contains, e.g. df -h
• or alert only when the output changes between runs, e.g. netstat -tan | grep LISTEN | grep -v 127.0.0.1
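The two commands on the slide are the two ways command output can be used: line by line (df -h) or as one block whose change is the alert (netstat). The fragment below is an added example showing both halves of that setup, not text from the slides; the rule ids 100100 and 100101, the levels and the 90% threshold are illustrative assumptions, while the localfile elements, the "ossec: output:" event prefix, the parent rule 530 and check_diff are OSSEC's own.

```xml
<!-- Added example, two parts of one setup. Part 1 goes in ossec.conf on the
     monitored host (local or agent install). -->
<ossec_config>
  <!-- log_format "command": each line of output becomes its own event, so a
       rule can look at one filesystem at a time. -->
  <localfile>
    <log_format>command</log_format>
    <command>df -h</command>
  </localfile>

  <!-- log_format "full_command": the whole output is one event, which is
       what change detection needs. Sorting makes the output stable across
       runs so only real changes differ. -->
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan | grep LISTEN | grep -v 127.0.0.1 | sort</command>
  </localfile>
</ossec_config>

<!-- Part 2 goes in /var/ossec/rules/local_rules.xml on the server. Command
     output arrives as "ossec: output: '<command>': <text>" and is matched
     first by the stock parent rule 530 (level 0). Ids 100100-100101 are in
     the range OSSEC reserves for local rules. -->
<group name="local,command_monitoring,">
  <rule id="100100" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'df -h': /dev/</match>
    <!-- OSSEC regex: \d is a digit, | is alternation. -->
    <regex>9\d%|100%</regex>
    <description>Local disk partition 90% full or more.</description>
  </rule>

  <rule id="100101" level="7">
    <if_sid>530</if_sid>
    <!-- Caveat: inside <match>, "|" also means OR, so quoting the whole
         pipeline would be parsed as several alternatives. Match only the
         start of the command string. -->
    <match>ossec: output: 'netstat -tan</match>
    <!-- Fire only when the output differs from the previous run. -->
    <check_diff />
    <description>Set of listening TCP ports changed (service opened or closed).</description>
  </rule>
</group>
```

The first run of a check_diff rule has nothing to compare against, so expect one alert per host right after the rule is loaded; treat it as the baseline.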

Output and Alerts
• syslog
• email
• database
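All three outputs are configured on the OSSEC server. The fragment below is an added example, not from the slides or from OSSEC's default ossec.conf; the addresses, recipients, credentials and alert levels are placeholders chosen for illustration, and the elements are OSSEC's own.

```xml
<!-- Added example: syslog, email and database output on the OSSEC server
     (/var/ossec/etc/ossec.conf). Addresses and credentials are placeholders. -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>soc@example.org</email_to>
    <smtp_server>mail.example.org</smtp_server>
    <email_from>ossec@example.org</email_from>
    <!-- Cap on mails per hour so an alert storm cannot become a mail storm. -->
    <email_maxperhour>12</email_maxperhour>
  </global>

  <alerts>
    <!-- Level 1 and up is written to /var/ossec/logs/alerts/alerts.log;
         only level 10 and up is mailed. Mailing below level 7 is almost
         always too noisy to be read. -->
    <log_alert_level>1</log_alert_level>
    <email_alert_level>10</email_alert_level>
  </alerts>

  <!-- Granular mail: syscheck alerts from level 7 go to a second recipient
       regardless of the global email level. -->
  <email_alerts>
    <email_to>integrity@example.org</email_to>
    <group>syscheck</group>
    <level>7</level>
  </email_alerts>

  <!-- Forward alerts over syslog to a SIEM. Also run once:
       /var/ossec/bin/ossec-control enable client-syslog -->
  <syslog_output>
    <server>192.0.2.10</server>
    <port>514</port>
    <level>5</level>
  </syslog_output>

  <!-- Write alerts to a database. Requires OSSEC built with database
       support ("make setdb" in src/) and, once:
       /var/ossec/bin/ossec-control enable database -->
  <database_output>
    <hostname>192.0.2.20</hostname>
    <username>ossec</username>
    <password>change-me</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>
</ossec_config>
```

The syslog forwarder sends plain UDP by default, so alerts leave the box unencrypted and unauthenticated; keep the SIEM on a management network or tunnel the traffic.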

Active Response
• Run a command when a rule fires
• host-deny: add the source IP to /etc/hosts.deny (TCP Wrappers)
• firewall-drop: insert a drop rule for the source IP in the host firewall
• route-null: null-route the source IP
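Each of the three responses on the slide is a script that OSSEC ships in /var/ossec/active-response/bin/, wired up in two steps: a command definition and a binding from alerts to that command. The fragment below is an added example and not from the slides; the command names and script file names are OSSEC's stock ones, while the white-listed addresses, the level threshold, the timeouts and the choice of rule 5712 (the stock sshd brute-force rule) for the second binding are illustrative assumptions.

```xml
<!-- Added example: active response on an OSSEC server or local install
     (/var/ossec/etc/ossec.conf). Addresses, levels and timeouts are illustrative. -->
<ossec_config>
  <global>
    <!-- Never block these, whatever the alert says. Log lines can carry a
         spoofed or proxied source address, and without a white list an
         attacker can turn active response into a denial of service against
         your own monitoring network or admin jump host. -->
    <white_list>127.0.0.1</white_list>
    <white_list>192.0.2.0/24</white_list>
    <white_list>198.51.100.7</white_list>
  </global>

  <!-- Each <command> binds a name to a script. <expect>srcip</expect> means
       the response only fires for alerts whose decoder extracted a source IP.
       timeout_allowed lets the script be called again with "delete" to undo. -->
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>      <!-- appends to /etc/hosts.deny -->
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>  <!-- iptables/ipfw/pf drop rule -->
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>route-null</name>
    <executable>route-null.sh</executable>     <!-- null route to the source -->
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Binding 1: any level 10+ alert drops the source at the firewall of
       the host that raised it, and the block is removed after 600 s. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>

  <!-- Binding 2: the sshd brute-force rule also denies the source via TCP
       Wrappers on every agent and the server, for 30 minutes. -->
  <active-response>
    <command>host-deny</command>
    <location>all</location>
    <rules_id>5712</rules_id>
    <timeout>1800</timeout>
  </active-response>
</ossec_config>
```

The scripts run as root on every host named in <location>, so the contents of active-response/bin/ are a privileged trust boundary: treat changes there like changes to sudoers. Always set a <timeout>; a response without one is permanent until someone runs the script by hand with the delete action.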

Comparison
• Cisco Security Agent
• Symantec Client Security
• Tripwire

Enhancements
• Make directory recursion optional or blockable
• Realtime option for individual files
• Handle more inotify event codes
• inotify options per directory entry

Resources
• Main web site www.ossec.net
• Mailing lists
• Books
• Web interface and Plugins

Q&A
• Questions?