
OSSEC HIDS, Host Based Intrusion Detection System

Aurora Mazzone, INFN Sezione di Torino. Part Three: OSSEC HIDS, Host Based Intrusion Detection System. Log analysis: configuration files. decoder: /var/ossec/etc/decoder.xml, /var/ossec/etc/local_decoder.xml; rules: /var/ossec/rules/*.xml, /var/ossec/rules/local_rules.xml.


Presentation Transcript


  1. Aurora Mazzone, INFN Sezione di Torino. Part Three: OSSEC HIDS, Host Based Intrusion Detection System

  2. Log analysis: configuration files
     decoder: /var/ossec/etc/decoder.xml
              /var/ossec/etc/local_decoder.xml
     rules:   /var/ossec/rules/*.xml
              /var/ossec/rules/local_rules.xml

  3. Log analysis: configuration files
     ossec.conf:
       <rules>
         <include>rules_config.xml</include>
         <include>pam_rules.xml</include>
         <include>sshd_rules.xml</include>
         <include>telnetd_rules.xml</include>
         [...]
       </rules>

  4. Log analysis
     Three phases: • pre-decoding • decoding • rules

  5. Pre-decoding
     Static information: • hostname • program_name • date/timestamp • log

  6. Pre-decoding
     Oct 28 14:21:39 atropo sshd[855]: Accepted password for jack from 192.135.19.13 port 45018 ssh2

  7. Pre-decoding
     **Phase 1: Completed pre-decoding.
       full event: 'Oct 28 14:21:39 atropo sshd[855]: Accepted password for jack from 192.135.19.13 port 45018 ssh2'
       hostname: 'atropo'
       program_name: 'sshd'
       log: 'Accepted password for jack from 192.135.19.13 port 45018 ssh2'
     The part of the log analysed in this phase is: "Oct 28 14:21:39 atropo sshd[855]:"

  8. Decoding
     Dynamic information: • user • protocol • source/destination port • source/destination ip • action • id • url • [...]

  9. Decoding
     Oct 28 14:21:39 atropo sshd[855]: Accepted password for jack from 192.135.19.13 port 45018 ssh2

  10. Decoding
      **Phase 2: Completed decoding.
        decoder: 'sshd'
        dstuser: 'jack'
        srcip: '192.135.19.13'

  11. Decoding
      Sshd parent decoder:
        <decoder name="sshd">
          <program_name>^sshd</program_name>
        </decoder>
      From pre-decoding: program_name: 'sshd'

  12. Decoding
      Sshd child decoder:
        <decoder name="sshd-success">
          <parent>sshd</parent>
          <prematch>^Accepted</prematch>
          <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port </regex>
          <order>user, srcip</order>
          <fts>name, user, location</fts>
        </decoder>

  13. Decoding: some tags
      Sshd child decoder:
      <parent>: name of the parent decoder this decoder depends on.
      <prematch>: string match (regular expressions allowed) (os_regex)
      <regex>: regular expressions (os_regex) + "capture groups"
      @offset: the point from which the regex starts matching
      <order>: labels for the extracted information

  14. Decoding: os_regex
      • regular expressions
      • not many options, but fast
      • used by every decoder option that takes a regular expression or a string match (<prematch> and <regex>) and by the <regex> tag in rules
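The pre-decoding and decoding phases of slides 4 to 14, as an added Python example that is not part of the presentation or of OSSEC's own code: it splits the syslog header off the sample line, then applies the sshd parent decoder and the sshd-success child decoder transcribed from the slides, modelled as dicts that mirror the XML tags. The os_regex patterns from the slides are reused as Python regexes, which have the same meaning for these two patterns; the header regex and the user-to-dstuser renaming are assumptions made here.

```python
import re

# Constructed sample event: the line used throughout the slides.
EVENT = "Oct 28 14:21:39 atropo sshd[855]: Accepted password for jack from 192.135.19.13 port 45018 ssh2"

# Phase 1: split off the syslog header "Mon DD HH:MM:SS host prog[pid]: " (assumed header layout).
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<program_name>[^\[:\s]+)(?:\[\d+\])?: (?P<log>.*)$")

def pre_decode(line):
    """Phase 1: the static fields hostname, program_name, timestamp and log."""
    m = SYSLOG_HEADER.match(line)
    if not m:  # no syslog header: the whole line is the log body
        return {"full_event": line, "log": line}
    return {"full_event": line, **m.groupdict()}

# Phase 2: the two sshd decoders from the slides, modelled as dicts mirroring the XML tags.
# The os_regex patterns are valid Python regexes with the same meaning, so they are reused unchanged.
DECODERS = [
    {"name": "sshd", "program_name": re.compile(r"^sshd")},
    {"name": "sshd-success", "parent": "sshd", "prematch": re.compile(r"^Accepted"),
     "regex": re.compile(r"^ \S+ for (\S+) from (\S+) port "), "order": ["user", "srcip"]},
]
FIELD_NAMES = {"user": "dstuser"}  # the <order> label "user" is reported as dstuser (slide 10)

def decode(fields):
    """Phase 2: choose the parent decoder by program_name, then the first child whose prematch hits."""
    out = dict(fields)
    parents = [d for d in DECODERS
               if "program_name" in d and d["program_name"].search(fields.get("program_name", ""))]
    if not parents:
        return out
    out["decoder"] = parents[0]["name"]
    for child in DECODERS:
        if child.get("parent") != out["decoder"]:
            continue
        pm = child["prematch"].search(fields["log"])
        if not pm:
            continue
        rest = fields["log"][pm.end():]  # offset="after_prematch": the regex runs on what follows the prematch
        m = child["regex"].match(rest)
        if m:
            out.update((FIELD_NAMES.get(k, k), v) for k, v in zip(child["order"], m.groups()))
        break
    return out

def analyse(line):
    """Phases 1 and 2 together; phase 3 (rules) is a separate stage."""
    return decode(pre_decode(line))
```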

  15. Rules
      Oct 28 14:21:39 atropo sshd[855]: Accepted password for jack from 192.135.19.13 port 45018 ssh2

  16. Rules: filtering
      **Phase 3: Completed filtering (rules).
        Rule id: '5715'
        Level: '3'
        Description: 'SSHD authentication success.'
      **Alert to be generated.

  17. Rules: filtering
      Sshd parent rule:
        <rule id="5700" level="0" noalert="1">
          <decoded_as>sshd</decoded_as>
          <description>SSHD messages grouped.</description>
        </rule>

  18. Rules: some tags
      @id: unique id identifying each rule (more than 800)
      @level: from 0 to 15, the importance level.
      <decoded_as>: name of the decoder that already decoded the log (if any)

  19. Rules: filtering
      Sshd child rules:
        <rule id="5715" level="3">
          <if_sid>5700</if_sid>
          <match>^Accepted|authenticated.$</match>
          <description>SSHD authentication success.</description>
          <group>authentication_success,</group>
        </rule>

  20. Rules: some tags
      <if_sid>: id of the parent rule this rule depends on
      <match>: string match (os_match)
      <group>: additional group assigned to the event

  21. Rules: os_match
      • fast string match
      • no regular expression support
      • very simple, but faster than os_regex
      • used in rules by every tag that compares a value (except regex)

  22. Relationship between rules and decoders
      Decoder: used only when dynamic information must be extracted from the log, to be compared later in the rules, used for the FTS (first time seen) or in the active response.
      Rules: there can be rules that do not refer to any decoder.

  23. Composite rules
      Event correlation: • condition • counter • timeframe • shared elements (same user, same source ip, ...)

  24. Composite rules
      Event correlation: condition
        <if_matched_sid>
        <if_matched_group>
        <if_matched_regex>

  25. Composite rules
      Event correlation: counter @frequency[rule], timeframe @timeframe[rule]

  26. Composite rules
      Event correlation: shared elements
      • same_source_ip • same_src_port • same_dst_port • same_user • same_location • same_id • different_url

  27. Composite rules
      10x  Dec 8 23:56:33 localhost sshd[2688]: Failed password for root from 192.168.108.1 port 57084 ssh2
      + 1x Dec 8 23:56:51 localhost sshd[2699]: Accepted password for root from 192.168.108.1 port 57087 ssh2

  28. Composite rules
      Failed login:
      **Phase 2: Completed decoding.
        decoder: 'sshd'
        dstuser: 'root'
        srcip: '192.168.108.1'
      **Phase 3: Completed filtering (rules).
        Rule id: '5716'
        Level: '5'
        Description: 'SSHD authentication failed.'
      **Alert to be generated.

  29. Composite rules
      Rule 5716
        <rule id="5716" level="5">
          <if_sid>5700</if_sid>
          <match>^Failed|^error: PAM: Authentication</match>
          <description>SSHD authentication failed.</description>
          <group>authentication_failed,</group>
        </rule>

  30. Composite rules
      Authentication success:
      **Phase 2: Completed decoding.
        decoder: 'sshd'
        dstuser: 'root'
        srcip: '192.168.108.1'
      **Phase 3: Completed filtering (rules).
        Rule id: '5715'
        Level: '3'
        Description: 'SSHD authentication success.'
      **Alert to be generated.

  31. Composite rules
      Rule 5715
        <rule id="5715" level="3">
          <if_sid>5700</if_sid>
          <match>^Accepted|authenticated.$</match>
          <description>SSHD authentication success.</description>
          <group>authentication_success,</group>
        </rule>

  32. Composite rules
      Rule 5720
        <rule id="5720" level="10" frequency="6">
          <if_matched_sid>5716</if_matched_sid>
          <same_source_ip />
          <description>Multiple SSHD authentication failures.</description>
          <group>authentication_failures,</group>
        </rule>
      Matches after 6 failed ssh logins (5716).

  33. Composite rules
      Failed login:
      • 6 failed access attempts = 6 matches of rule 5716 = rule 5720
      • rule 5720: group: authentication_failures
      • srcip: '192.168.108.1'

  34. Composite rules
      Authentication success:
      • 1 correct login = 1 match of rule 5715
      • rule 5715: group: authentication_success
      • srcip: '192.168.108.1'

  35. Composite rules
      Rule 40112
        <rule id="40112" level="12" timeframe="240">
          <if_group>authentication_success</if_group>
          <if_matched_group>authentication_failures</if_matched_group>
          <same_source_ip />
          <description>Multiple authentication failures followed </description>
          <description>by a success.</description>
        </rule>

  36. Composite rules
      6x 5716 (authentication failed) = 5720 (authentication_failures)
      + 1x 5715 (authentication_success)
      = 40112 (same_source_ip)

  37. Composite rules
      **Phase 2: Completed decoding.
        decoder: 'sshd'
        dstuser: 'root'
        srcip: '192.168.108.1'
      **Phase 3: Completed filtering (rules).
        Rule id: '40112'
        Level: '12'
        Description: 'Multiple authentication failures followed by a success.'
      **Alert to be generated.
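The rule phase and the composite correlation of slides 15 to 37, as an added Python example that is not part of the presentation or of OSSEC's own code: rules 5700, 5715, 5716, 5720 and 40112 are transcribed from the slides and run over the 10 + 1 event sequence of slide 27, with the history of past matches kept between calls so that frequency, timeframe and same_source_ip can be evaluated. Assumptions made here: a 120-second window for rule 5720 (which sets a frequency but no timeframe), the year used to parse the syslog timestamp, and a counter that fires on the sixth match as the slides describe and then consumes the matches it counted.

```python
import re
from datetime import datetime

# Rules transcribed from the slides; <match> follows os_match (no regular expressions).
RULES = [
    {"id": 5700, "level": 0, "noalert": True, "decoded_as": "sshd"},
    {"id": 5715, "level": 3, "if_sid": 5700, "match": "^Accepted|authenticated.$", "group": "authentication_success"},
    {"id": 5716, "level": 5, "if_sid": 5700, "match": "^Failed|^error: PAM: Authentication", "group": "authentication_failed"},
    {"id": 5720, "level": 10, "frequency": 6, "if_matched_sid": 5716, "same_source_ip": True, "group": "authentication_failures"},
    {"id": 40112, "level": 12, "timeframe": 240, "if_group": "authentication_success", "if_matched_group": "authentication_failures", "same_source_ip": True},
]
DEFAULT_TIMEFRAME = 120  # assumed window for a rule that sets a frequency but no timeframe

def os_match(pattern, text):
    """Minimal os_match: '|' alternatives, '^'/'$' anchors, everything else is literal text."""
    return any(re.search(("^" if a.startswith("^") else "") + re.escape(a.lstrip("^").rstrip("$"))
                         + ("$" if a.endswith("$") else ""), text) for a in pattern.split("|"))

def decode(line, year=2024):
    """Abridged phases 1 and 2: timestamp (year assumed), program name, log body and srcip."""
    ts, prog, log = re.match(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (\w+)\[\d+\]: (.*)$", line).groups()
    ip = re.search(r" from (\S+) port ", log)
    return {"ts": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
            "decoder": prog, "log": log, "srcip": ip.group(1) if ip else None}

def recent(history, ev, rule, key, value):
    """Earlier matches with entry[key] == value inside the rule's timeframe (same srcip if required)."""
    return [h for h in history if h[key] == value
            and 0 <= (ev["ts"] - h["ts"]).total_seconds() <= rule.get("timeframe", DEFAULT_TIMEFRAME)
            and (not rule.get("same_source_ip") or h["srcip"] == ev["srcip"])]

def process(line, history):
    """Phase 3 for one event (history persists between calls): id of the highest-level alerting rule, or None."""
    ev, matched = decode(line), []
    for r in RULES:
        ids, groups = [m["id"] for m in matched], [m.get("group") for m in matched]
        if "decoded_as" in r and r["decoded_as"] != ev["decoder"]: continue
        if "if_sid" in r and r["if_sid"] not in ids: continue
        if "match" in r and not os_match(r["match"], ev["log"]): continue
        if "if_group" in r and r["if_group"] not in groups: continue
        if "if_matched_sid" in r:  # counter: earlier matches plus this one must reach the frequency
            prior = recent(history, ev, r, "id", r["if_matched_sid"])
            if r["if_matched_sid"] not in ids or len(prior) + 1 < r["frequency"]: continue
            for h in prior: history.remove(h)  # the counted matches are consumed
        if "if_matched_group" in r and not recent(history, ev, r, "group", r["if_matched_group"]): continue
        matched.append(r)
    history.extend({"ts": ev["ts"], "id": r["id"], "group": r.get("group"), "srcip": ev["srcip"]} for r in matched)
    alerts = [r for r in matched if not r.get("noalert")]
    return max(alerts, key=lambda r: r["level"])["id"] if alerts else None
```

Feeding the ten failures and then the success from slide 27 through `process` with one shared history list yields 5716 five times, 5720 on the sixth failure, 5716 for the remaining four, and 40112 for the success.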
