ACSE - OSSIM Correlator Administration
1
Thursday, May 3, 12
Contents
- Installation
- Logger
- Updates
- IDM
- CLI
- HIDS
- Event Collection
- Secure Connection
- Data Sources
- Snort
- Dimensioning and Deployment
Bubba
Throughout the document Bubba will give you useful hints and
links for further documentation
AlienVault Installation
Getting up to speed
Products
AlienVault Installations
- Appliances
- Software
Installation Guide
http://www.alienvault.com/docs/Installation_Guide.pdf
Hardware recommendations
- 64-bit processor
"Divide et vinces"
Network hardware
performance
Best practice
- For the time of installation and customization, try to stick to English for faster support.
- Don't use sniffers (ntop, snort, p0f) on interfaces without a tap or port mirror.
- Take care that all resources are bound exclusively to the AlienVault guest system.
- SIEM only
- Logger only
- Use at least twice the space required per log interval for /var.
Sensor only
- 50-100GB for /

Example partitioning:

partition        filesystem   size    #
/boot            ext2         2GB     #1
/                ext3         100GB   #2
swap             swap         16GB    #3
/var             ext3         834GB   #4
/var/lib/mysql   ext3         100GB   #5

Installation profiles
- Sensor
- Database
- Framework

Profile: Sensor
- Tap device
- Hub
- OCS (Inventory)

Profile: Server
- correlation
- risk assessment
- etc.
- digitally signed
The server installation profile also comes with a Sensor with limited functionality to monitor the Server itself.
Profile: Database
- metadata
- framework
- Logger

Profile: Framework
- configuration
- metadata
- framework
- low overhead

Profile: All-In-One
- Sensor
- Framework (Web-Interface)
Useful for:
- Testing
- Evaluation
- Small deployments

Installation methods
- Automated installation
- Custom installation
Automated installation:
2. Configure networking
3. Configure keyboard
   ... be installed
4. Watch the automatic download/install/setup/update of the base system.
5. Set up users and passwords
6. Load the newly installed system for the first time

Custom installation:
4. Configure location
5. Select the AlienVault profiles for this installation
6. Configure networking
7. Create and mount the partitions on which AlienVault will be installed
8. Enter the professional license
9. Watch the automatic download/install/setup/update of the base system.
10. Set up users and passwords
Installation checklist
- Rack Space
- Power
- Network Configuration
- Port mirroring
- IP addresses
- Professional Key
INSTALL
username/password = admin
Hands-On: Installation
Fill in the following tables with the partitioning data for the given profiles.

Logger:
Profiles: ______________________________________
Capacity   Comment
______________________________________
______________________________________

Sensor:
Profiles: ______________________________________
Capacity   Comment
______________________________________
______________________________________
AlienVault Updates
Keeping your system up to date
- reliable
- tested

Updating Process
/etc/apt/sources.list.d/alienvault-pro.list
/etc/apt/sources.list.d/alienvault-etpro-pro.list
/etc/apt/preferences
Update AlienVault
# alienvault-update
Debugging: alienvault-update -v

Once the system has been updated, if something is not working run:
# alienvault-reconfig

In case new Snort or OpenVAS rules are included manually, you will need to run the following scripts to update the information in the database:
Snort:
OpenVAS:
# perl /usr/share/ossim/scripts/update_nessus_ids.pl
# /etc/init.d/ossim-server restart
Package Management
- apt-get
- dpkg

Hands-On: Updates
ossim-server       ___________________________
ossim-agent        ___________________________
mysql-server-core  ___________________________
ossim-framework    ___________________________
AlienVault CLI
Power to the user
- Open
- Reliable
- Secure
- Innovative
- where possible
- AlienVault repositories

AlienVault: Filesystem
- journaled
- stable
Use the password supplied by AlienVault or the one from the installation process.
Configuration Files
AlienVault
- Frameworkd: /etc/ossim/framework/ossim.conf
- Snort: /etc/snort/snort.ethN.conf
- OpenVAS: /etc/openvas/openvasd.conf
- Nagios: /etc/nagios3/
- Database: /etc/mysql/my.cnf

Configuration Files
- System startup: /etc/rc*
- Logrotate: /etc/logrotate.d
- Rsyslog: /etc/rsyslog.conf
- Monit: /etc/monit/monitrc
- DNS configuration: /etc/resolv.conf
- Network configuration: /etc/network/interfaces
AlienVault: Services
Stop a service
# /etc/init.d/<servicename> stop
Start a service
# /etc/init.d/<servicename> start
Restart a service
# /etc/init.d/<servicename> restart
The parameters that the services will use when starting are usually configured in the following path:
/etc/default/<servicename>
alienvault-setup / alienvault-reconfig
- AlienVault Components
- Database
- ossim_setup.conf
- ossim-reconfig
- Integrated Tools
- OS Components

ossim_setup.conf
alienvault-setup (Database)
ossim_setup.conf (Sensor)
- ip: IP address that the sensor will use to connect to the AlienVault Server
ossim_setup.conf sections: FRAMEWORK, SERVER, SNMP, FIREWALL, VPN
Agent Configuration
/etc/ossim/agent/config.cfg
[daemon]
[event-consolidation]
[log]
Configures the verbose level and the path to the different log files.
- stats: file in which the agent stats will be stored (every 5 minutes)
- verbose: configures the verbose level (Debug, Info, Warning, Error or Critical)
[output-plain]
Writes to a log file what is being sent to the AlienVault Server (useful for debugging and development purposes).
[output-server]
[plugin-defaults]
[plugins]
- name_of_the_plugin=path_to_the_plugin_config_file
- device=/etc/ossim/agent/plugins/device.cfg
[watchdog]
Agent Configuration
/etc/ossim/agent/aliases.cfg
/etc/ossim/agent/plugins/*.cfg
[DEFAULT]
Any var defined inside this category will be sent to the AlienVault Server.
[config]
type: detector

The different configuration variables defined in the config file can be used with the following syntax to help defining new variables:
%()s
  process=pads
  shutdown=killall -9 %(process)s
_CFG()
  When the variable has been defined in the main configuration file (config.cfg).
  In /etc/ossim/agent/config.cfg:
  restart_interval=3600 ; seconds between plugin process restart
Server Configuration
/etc/ossim/server/config.xml
<log filename="/var/log/ossim/server.log"/>
<scheduler interval="15"/>
<directive filename="/etc/ossim/server/directives.xml"/>

/etc/ossim/framework/panel/
/etc/ossim/framework/ossim.conf
Monit
  # Framework
  check process ossim-framework with pidfile /var/run/ossim-framework.pid
    group framework
    start program = "/etc/init.d/ossim-framework start"
    stop program = "/etc/init.d/ossim-framework stop"
    if 5 restarts within 5 cycles then timeout
Errors may not be seen directly in the Web interface but can be spotted in the system logs.
Diagnosis
- OSSIM Server: /var/log/ossim/server.log
- OSSIM Agent: /var/log/ossim/agent.log
- OSSIM Frameworkd: /var/log/ossim/frameworkd.log
- Snort and other applications: /var/log/syslog

Debug Mode
OSSIM Server
# ossim-server -D 6 -d
Logfiles in /var/log/ossim/server.log. This does not show information on the terminal; much more info will be logged in the server log file.
OSSIM Agent
# ossim-agent -vv
OSSIM Frameworkd
# ossim-framework -vv
ethtool/mii-tool
Set link speed and type for non-autonegotiating switch ports.
iptraf
tcpdump
Network Configuration
Insert a line for each network interface with the following format:
# udevinfo -a -p /sys/class/net/eth0
/etc/network/interfaces
# /etc/init.d/networking restart
Network Recommendations

Disk Space
The folder /var/ will use the biggest amount of disk space in AlienVault:
- Databases
- Log files
The /var/ folder should be separated into another partition with the highest amount of disk available (>80%).
Swap Memory
Munin

Hands-On: CLI
alienvault-setup
AlienVault Event Collection
Get the data from the network
- Syslog
- Snare Agent
- WMI
  Detector: wmi-system-logger.cfg
  Monitor: wmi-monitor.cfg
- Fw1-Loggrabber
- Cisco SDEE
  The AlienVault Sensor can collect events from Cisco devices using the SDEE protocol: Cisco Switch IDS and Cisco IOS routers with Inline Intrusion Prevention System (IPS) functions.
Rsyslog
- rsyslog filters
- Regex in Rsyslog: http://www.rsyslog.com/user-regex.php
- rsyslog customization, e.g. /etc/rsyslog.d/customize.conf
- possible commands
Log rotation
/etc/logrotate.d/
If you have new separated logfiles just take this example and add your new logfiles to it!
/etc/logrotate.d/alienvault:

/var/log/xyz.log
/var/log/foo.log
...
{
    # save the last 7 logs
    rotate 7
    # rotate daily
    daily
    # if the file doesn't exist, continue without an error
    missingok
    # if the log is empty, don't rotate it
    notifempty
    # postpone compression of the previous log file to the next cycle
    delaycompress
    # compress the rotated logs
    compress
    # make rsyslog reopen its files after the rotation
    postrotate
        invoke-rc.d rsyslog reload > /dev/null
    endscript
}
Hands-On: CLI
alienvault-setup

Hands-On: CLI
Logfiles
Send some example logs to /var/log/syslog:

while true
do
    # tag each line so it can be filtered in rsyslog; replace <STRING> with your own tag
    cat /var/log/firewall.log | logger -t <STRING>
    sleep 10
done

Filter the log and send it to a separate log file, and make sure that this log is not filling up your disk space (rotate the file daily with compression enabled).
Types of DS Connectors
Files
Plugin.cfg
Contains the configuration parameters of the plugins and the rules that an event has to match in order to be collected and normalized.
Plugin.sql
Contains the description of every possible event that can be collected using the plugin (plugin_id, plugin_sid, name given to the event, priority and reliability).
DS Connector: Detector
[DEFAULT]
plugin_id=4003
# default values for dst_ip and dst_port
# they can be overwritten in each rule
dst_ip=_CFG(plugin-defaults,sensor)
dst_port=22
[config]
type=detector
enable=yes
source=log
location=/var/log/auth.log
create_file=false
process=sshd
start=no
stop=no
startup=/etc/init.d/ssh start
shutdown=/etc/init.d/ssh stop

- Type of event
- Regular expressions

DS Connector: Detector
- plugin_id. E.g.: plugin_id=3000
- source
- location. E.g.: location=/var/log/file.log
- create_file: false/true
- Only if the process is running on the same machine as the detector.
Rules
Rules define the format of each event and how they are normalized. In some cases only one regular expression will collect every event coming from one application; in other cases more than one rule will be required.
Once the log matches the regex of one rule, the ossim agent stops processing the event.

DS Connector: Detector
Rule fields:
event_type=event
plugin_sid
date
sensor
interface
protocol
src_ip
src_port
dst_ip
dst_port
username
password
filename
userdata1
userdata2
userdata3
userdata4
userdata5
userdata6
userdata7
userdata8
userdata9
Fields in red include values that always have to be defined in the plugin.
Fields in green will be filled by the AlienVault Agent in case they cannot be found in the original log (don't include that line when creating the plugin).

Regexp
The regexp field contains the regular expression that defines the format of the events and extracts the information to normalize the event.
The regular expressions are written using the Python regular expression syntax:
http://docs.python.org/library/re.html
Regular expressions

Operator   Meaning
\c         Escapes c so that it is taken literally (see \ below)
[]         One or any of the characters inside the brackets; accepts intervals of the type a-z, 0-9, A-Z
[^]        A char different from those inside the brackets; accepts intervals of the type a-z, 0-9, A-Z

Regular expression   Matches with
a.b                  a, any single character, b
a..b                 a, any two characters, b
[abc]                a, b or c
[aA]                 a or A
[aA][bB]             ab, aB, Ab or AB
[0123456789]         0 1 2 3 4 5 6 7 8 9 (one digit)
[0-9]                0 1 2 3 4 5 6 7 8 9 (one digit)
[A-Za-z]             A B C ... Z a b c ... z (one letter)
[0-9][0-9][0-9]      three digits
[0-9]*               zero or more digits
[0-9][0-9]*          one or more digits
^.*$                 A full line

Operator   Meaning
r*         Zero or more occurrences of the RE r
r+         One or more occurrences of the RE r
r?         Zero or one occurrence of the RE r
r{n}       n occurrences of the RE r
r{,m}      At most m occurrences of the RE r
r{n,m}     Between n and m occurrences of the RE r
r1|r2      The RE r1 or the RE r2

Regular expression   Matches with
[0-9]+               one or more digits
[0-9]?               empty_string 0 1 2 .. 9
(ab)*                empty_string ab abab ababab ...
([0-9]+ab)*          empty_string, or repetitions of one or more digits followed by ab

Regular expression   Equals
\d                   [0-9]
\D                   [^0-9]
\s                   [ \t\n\r\f\v]
\S                   [^ \t\n\r\f\v]
\w                   [a-zA-Z0-9_]
\W                   [^a-zA-Z0-9_]
\Z                   End of line

Pattern      Description
b,c,X,8      Ordinary characters just match themselves exactly. The meta-characters which do not match themselves because they have special meanings are: . ^ $ * + ? { [ ] \ | ( )
.            Matches any single character except a newline
\w           Matches a single word character: a letter, a digit or an underscore
\W           Matches a single non-word character
\s           Lowercase s matches a single whitespace character -- space, newline, return, tab, form [ \n\r\t\f].
\S           Matches a single non-whitespace character
\d           Matches a single decimal digit [0-9]
\D           Matches a single non-digit character
\t \n \r     Tab, newline and carriage return
\Z           End of line
\            Escapes special characters. If you are unsure if a character has special meaning, such as '@', you can put a slash in front of it, \@, to make sure it is treated just as a character.
Regex aliases
/etc/ossim/agent/aliases.cfg
Usage example:
\SYSLOG_DATE\s+\IPV4\s+\IPV4

Regular Expressions
Positional tags:
hour={$1}
minutes={$2}
seconds={$3}
Named tags: (?P<hour>\d\d):(?P<minutes>\d\d):(?P<seconds>\d\d)
hour={$hour}
minutes={$minutes}
seconds={$seconds}

Functions
resolv()
Translates hostnames into IPv4 addresses (DNS queries).
normalize_date()
The normalize_date function translates many date formats into the format accepted by the SIEM or Logger:
YYYY-MM-DD hh:mm:ss
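The detector-plugin mechanics described on the preceding slides (a [DEFAULT] section whose values reach every rule, _CFG() references into config.cfg, aliases from aliases.cfg, rules tried in order until the first regexp matches, positional {$n} and named {$name} tags, the normalize_date()/resolv() helpers, and exclude_sids filtering) can be followed end to end in this added example. It is not code from the deck or from the ossim-agent: the plugin text, the alias and host tables, the MAIN_CFG values, the rule names and the sample auth.log lines are constructed, plugin_sid 2 for an accepted login is hypothetical, and normalize_date()/resolv() are offline stand-ins for the agent's own functions.

```python
import configparser
import re
from datetime import datetime

# Stand-in for /etc/ossim/agent/aliases.cfg (constructed values, not the project's file).
ALIASES = {
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "SYSLOG_DATE": r"\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d",
}
# Main config.cfg values that plugins pull in through _CFG(section,key) (constructed).
MAIN_CFG = {"plugin-defaults": {"sensor": "192.168.24.10"}}
# Static host table so resolv() works offline instead of querying DNS (constructed).
HOSTS = {"sensor01": "192.168.24.10"}
# Constructed plugin modelled on the deck's sshd detector; rule names and sid 2 are hypothetical.
PLUGIN_CFG = r"""
[DEFAULT]
plugin_id=4003
dst_ip=_CFG(plugin-defaults,sensor)
[config]
type=detector
exclude_sids=2
[ssh - failed password]
event_type=event
regexp=(\SYSLOG_DATE)\s+(\S+)\s+sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\IPV4) port (\d+)
plugin_sid=1
date={normalize_date($1)}
sensor={resolv($2)}
src_ip={$4}
src_port={$5}
username={$3}
[ssh - accepted password]
event_type=event
regexp=(?P<date>\SYSLOG_DATE)\s+(?P<host>\S+)\s+sshd\[\d+\]: Accepted password for (?P<user>\S+) from (?P<ip>\IPV4)
plugin_sid=2
date={normalize_date($date)}
src_ip={$ip}
username={$user}
"""

def normalize_date(text):
    """Translate common log date formats into YYYY-MM-DD hh:mm:ss (unknown formats pass through)."""
    candidates = [(f"{text} {datetime.now().year}", "%b %d %H:%M:%S %Y")]   # syslog dates carry no year
    candidates += [(text, f) for f in ("%Y-%m-%dT%H:%M:%S", "%Y/%m/%d %H:%M:%S", "%d/%b/%Y:%H:%M:%S")]
    for value, fmt in candidates:
        try:
            return datetime.strptime(value, fmt).strftime("%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
    return text

def resolv(name): return HOSTS.get(name, name)

FUNCTIONS = {"normalize_date": normalize_date, "resolv": resolv}
TAG_RE = re.compile(r"\{(?:(\w+)\()?\$(\w+)\)?\}")    # {$3}, {$user}, {normalize_date($1)}
CFG_RE = re.compile(r"_CFG\(([\w-]+),([\w-]+)\)")

def expand_aliases(pattern):
    for name, rx in ALIASES.items():
        pattern = pattern.replace("\\" + name, rx)
    return pattern

def resolve_cfg(value):
    return CFG_RE.sub(lambda m: MAIN_CFG[m.group(1)][m.group(2)], value)

def load_plugin(text=PLUGIN_CFG):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    exclude = {s.strip() for s in cp["config"].get("exclude_sids", "").split(",") if s.strip()}
    rules = []
    for name in cp.sections():
        if name != "config":
            fields = dict(cp[name])                 # includes the [DEFAULT] values
            rules.append((name, re.compile(expand_aliases(fields.pop("regexp"))), fields))
    return rules, exclude

def match_rule(line, rules):
    """Normalized event from the first rule whose regexp matches the line, else None."""
    for name, rx, fields in rules:
        m = rx.search(line)
        if not m:
            continue
        def tag(t):                                 # substitute one {$n} / {$name} / {fn($ref)} tag
            fn, ref = t.group(1), t.group(2)
            value = m.group(int(ref)) if ref.isdigit() else (m.groupdict().get(ref) or "")
            return FUNCTIONS[fn](value) if fn else value
        event = {k: TAG_RE.sub(tag, resolve_cfg(v)) for k, v in fields.items()}
        event["rule"] = name
        return event                                # the agent stops at the first matching rule
    return None

def collect(lines, rules, exclude):
    # exclude_sids drops matching events at the sensor before they are sent to the server
    matched = (match_rule(line, rules) for line in lines)
    return [ev for ev in matched if ev and ev["plugin_sid"] not in exclude]

# Constructed sample of /var/log/auth.log lines.
SAMPLE_LOG = [
    "May  3 10:15:01 sensor01 sshd[2301]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2",
    "May  3 10:15:07 sensor01 sshd[2301]: Failed password for root from 10.0.0.5 port 51240 ssh2",
    "May  3 10:16:00 sensor01 sshd[2310]: Accepted password for alice from 10.0.0.9 port 50010 ssh2",
    "May  3 10:16:05 sensor01 cron[412]: (root) CMD (run-parts /etc/cron.hourly)",
]
```

Running `collect(SAMPLE_LOG, *load_plugin())` yields the two failed-login events: the accepted login still matches its rule (so `match_rule` returns it, named groups filled) but is dropped by exclude_sids, and the cron line matches nothing. The dst_ip of every event comes from the [DEFAULT] _CFG() reference, exactly the path the slide's dst_ip=_CFG(plugin-defaults,sensor) line takes.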
Translation Tables

Hands-On: plugins
Policy rules
- SIEM
- Logger

Disk storage
No more storage limits apart from the available disk space. Everything should be stored in the Logger without exception.

Filter examples

Filter in Policy
1. Create a DS group with the types of events that have to be filtered
2. Select source and destination Assets (Hosts, Networks, ANY...)
3. Select the ports
4. Select the DS group
5. Select the time period in which the policy applies
6. Select the policy consequences
   1.
   2.
   3.
   4. Correlate only?
Agent Configuration
detectors
/etc/ossim/ossim_setup.conf
# alienvault-reconfig

Filtering in DS Connectors
exclude_sids=404,200,403

Hands-on: Policies
Logical Correlation
Directives
Put intelligence into your SIEM
/etc/ossim/server/

Rules
Some of the values of the rule will be used to generate the new event (in the event of a successful correlation of that rule).
(diagram: "Illegal User" events are normalized by the SENSOR and sent to the SIEM)

Example: Brute-Force
- name: the name that all events generated within the correlation of this directive will take
- id: the ID of the directive. All events generated within this directive will use 1505 as plugin_id (Data Source ID) and the ID of the directive as plugin_sid (Event type)
- priority: all events generated within this directive will have as their priority the global priority value of the correlation directive
<directive id="500000" name="SSH Brute Force Attack Against DST_IP" priority="4"> </directive>
(diagram of the SIEM pipeline: EVENTS, Collection, Policy, Risk Assessment, Correlation, SQL Storage)

Logical Correlation
Directives in the correlation engine
Events will first try to get into those directives whose correlation has already started, and only then will they try to match the first correlation level of the directives that are enabled while the SIEM runs.
Example: Brute-Force
Special conditions
- Only one occurrence (the correlation of the directive will start with the first event matching the conditions of the rule)
- E.g.: avoid events with a certain username from matching the rule
- Only one Data Source in each rule (one plugin_id with one or multiple plugin_sid)
- The first rule is usually generic (we do not know yet where the attack is coming from)
- type: detector (the first rule is always detector) and we will collect the events using a detector DS Connector
- from/to: both are set to ANY because we don't know yet who the attacker and his target will be
- plugin_id/plugin_sid: list of the events in the SSHD DS Connector that refer to failed authentications

<directive id="500000" name="SSH Auth Failed against one of the Web Servers" priority="4">
  <rule type="detector" name="SSH Authentication failure" reliability="0" occurrence="1" from="ANY"
        to="172.18.1.100,172.18.1.101,172.18.1.102" port_from="ANY" port_to="ANY"
        plugin_id="4003" plugin_sid="1,2,3,4,5,6,9,10,12,13,14,15,16,20"/>
</directive>
With a reliability of 0 this event will never become an alarm, but it will be stored in the SIEM SQL (SIEM -> Analysis).
The "to" attribute holds the list of the IP addresses of the Web Servers.
Example: Brute-Force
Second correlation level
- Authentication successful
- Same source and same destination that matched the first correlation level
Priority 2, Reliability 10
With this directive the event will get at most a risk of 4 (when one of the assets involved has a value of 5):
(2*10*5) / 25 = 4
Example: Worm
(diagram: successive events reaching the SIEM, each step raising an Alarm)

Example: Intrusion
(diagram: 1. 2. "Hi!" / "At your command!" 3. Persistence 4.)

Behaviour
The initial rule does not have a time_out value, and it can be matched by any event while the SIEM is running.
In the following rules, in many cases we will have to make sure that some fields have the same value as the event that started the correlation of the directive.
More than one rule can be included in each correlation level (not in the first one).
Detector rules: rules for incoming events from the different detector plugins (SSH, Snort, Firewalls...).
time_out: waiting time before the rule expires and the directive process defined in that rule is discarded. The first rule doesn't have a time_out value.
from / to
- ANY: any IP address
- Address IP (x.x.x.x): an IP address (e.g. 192.168.1.9)
- Several IP addresses: IP address list separated by commas (e.g. 192.168.1.2,192.168.2.3)
- Network name: network name (defined in the Policy section of the Web interface)
- HOME_NET
- Relative values: it is possible to relate variable values to previous correlation levels. 1:SRC_IP refers to the origin IP address of the event in the first correlation level.
- Denied values

port_from / port_to
This field can adopt a single port or a list of ports separated by commas as its value. The keyword ANY is a list of all the ports.
1:DST_PORT refers to the value of the target port of the first correlation level.
3:DST_PORT refers to the value of the target port of the third correlation level.
To deny ports we put the symbol ! before the port we want to deny:
port="!22,25,110,!21"

protocol
The field Protocol refers to the protocol in which the communication was established where the event took place:
- TCP
- UDP
- ICMP
- Host_ARP_Event
- Host_OS_Event
- Host_Service_Event
- Host_IDS_Event
- Information_Event
Sticky
When the events arrive at the correlation engine they will try to be correlated inside directives whose correlation has already been started.
Sticky Different
This variable can be associated to any field in rules with more than one occurrence, to make all the occurrences have a different value in one of the fields.
E.g.: sticky_different=DST_PORT
All the events matching the rule must have a different destination port (port scanning detection).
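The behaviour the directive slides describe (events first tried against directives whose correlation has started, then against the first level of every directive; occurrence counting; N:SRC_IP / N:DST_IP references to an earlier level; time_out discarding a directive process; sticky_different; the 1505 plugin_id of correlated events; and the risk formula priority*reliability*asset/25 from the brute-force example) is reproduced in this added mini correlation engine. It is an illustration, not the ossim-server code: plugin_sid 7 for an accepted SSH login, plugin_id 1500 for a firewall deny, the asset value of the web server, the default asset value of 2 and the "risk >= 1 raises an alarm" threshold are all assumptions made for the example, and the event stream is constructed.

```python
from collections import namedtuple
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    plugin_id: int
    plugin_sids: set
    reliability: int
    occurrence: int = 1
    from_ip: str = "ANY"        # ANY, an IP, a comma list, or N:SRC_IP (the value matched at level N)
    to_ip: str = "ANY"          # ANY, an IP, a comma list, or N:DST_IP
    time_out: int = 0           # seconds; 0 = none, as for the first rule of every directive
    sticky_different: str = ""  # e.g. DST_PORT: every occurrence needs a new value of that field

Directive = namedtuple("Directive", "id name priority levels")   # levels: one Rule per correlation level

@dataclass
class Instance:                 # a directive whose correlation has started
    directive: Directive
    level: int = 1
    level_started: float = 0.0
    count: int = 0
    matched: dict = field(default_factory=dict)   # level -> first event that matched there
    seen: set = field(default_factory=set)        # sticky_different values already counted

def allowed_values(spec, inst):
    """ANY -> no restriction; N:FIELD -> the value seen at level N; otherwise a comma list."""
    if spec == "ANY":
        return None
    lvl, _, fld = spec.partition(":")
    return {inst.matched[int(lvl)][fld.lower()]} if lvl.isdigit() else set(spec.split(","))

def rule_matches(rule, inst, ev):
    if ev["plugin_id"] != rule.plugin_id or ev["plugin_sid"] not in rule.plugin_sids:
        return False
    checks = ((rule.from_ip, "src_ip"), (rule.to_ip, "dst_ip"))
    return all(allowed_values(s, inst) is None or ev[k] in allowed_values(s, inst) for s, k in checks)

def risk(priority, reliability, asset_value):
    return min(10, priority * reliability * asset_value // 25)   # the deck's formula, capped at 10

class Engine:
    def __init__(self, directives, asset_values):
        self.directives, self.assets = directives, asset_values
        self.instances, self.output = [], []

    def process(self, ev):
        for inst in list(self.instances):     # started directives are tried first (sticky)...
            rule = inst.directive.levels[inst.level - 1]
            if rule.time_out and ev["ts"] - inst.level_started > rule.time_out:
                self.instances.remove(inst)   # rule expired: the directive process is discarded
            elif rule_matches(rule, inst, ev):
                return self._count(inst, rule, ev)
        for d in self.directives:             # ...then the first level of every enabled directive
            inst = Instance(d, level_started=ev["ts"])
            if rule_matches(d.levels[0], inst, ev):
                self.instances.append(inst)
                return self._count(inst, d.levels[0], ev)

    def _count(self, inst, rule, ev):
        if rule.sticky_different:
            v = ev[rule.sticky_different.lower()]
            if v in inst.seen:
                return                        # a repeated value is not a new occurrence
            inst.seen.add(v)
        inst.matched.setdefault(inst.level, ev)
        inst.count += 1
        if inst.count < rule.occurrence:
            return
        d = inst.directive
        asset = max(self.assets.get(ev["src_ip"], 2), self.assets.get(ev["dst_ip"], 2))  # 2 = assumed default asset value
        r = risk(d.priority, rule.reliability, asset)
        self.output.append({"plugin_id": 1505, "plugin_sid": d.id, "level": inst.level, "src_ip": inst.matched[1]["src_ip"],
                            "dst_ip": ev["dst_ip"], "reliability": rule.reliability, "risk": r, "alarm": r >= 1})  # threshold assumed
        if inst.level == len(d.levels):
            self.instances.remove(inst)       # last level reached: correlation finished
        else:
            inst.level, inst.count, inst.seen, inst.level_started = inst.level + 1, 0, set(), ev["ts"]

WEB_SERVERS = "172.18.1.100,172.18.1.101,172.18.1.102"
BRUTE_FORCE = Directive(500000, "SSH Brute Force Attack Against DST_IP", 2, [
    Rule("SSH auth failed", 4003, {1, 2, 3, 4}, reliability=0, occurrence=1, to_ip=WEB_SERVERS),
    Rule("SSH auth success", 4003, {7}, reliability=10, from_ip="1:SRC_IP", to_ip="1:DST_IP", time_out=300)])  # sid 7: hypothetical
PORT_SCAN = Directive(500001, "Port scan (hypothetical)", 3, [
    Rule("denied connections", 1500, {1}, reliability=5, occurrence=3, sticky_different="DST_PORT")])  # plugin 1500: hypothetical

def ev(ts, pid, sid, src, dst, port):
    return {"ts": ts, "plugin_id": pid, "plugin_sid": sid, "src_ip": src, "dst_ip": dst, "dst_port": port}

def brute_force_demo():
    e = Engine([BRUTE_FORCE], {"172.18.1.100": 5})   # constructed asset value for the web server
    # failure (level 1, risk 0); a second attacker; success from an unrelated source (no match);
    # success from 1:SRC_IP (level 2, risk 4, alarm); a success that arrives after level 2 timed out
    for ts, sid, src in ((0, 1, "10.0.0.5"), (60, 1, "10.0.0.7"), (120, 7, "10.0.0.9"), (200, 7, "10.0.0.5"), (1000, 7, "10.0.0.7")):
        e.process(ev(ts, 4003, sid, src, "172.18.1.100", 22))
    return e

def port_scan_demo():
    e = Engine([PORT_SCAN], {"172.18.1.100": 5})
    for port in (22, 22, 80, 443):        # the repeated port 22 does not count towards occurrence=3
        e.process(ev(port, 1500, 1, "10.0.0.5", "172.18.1.100", port))
    return e
```

`brute_force_demo().output` holds three correlated events: two level-1 events with reliability 0 (risk 0, no alarm, but stored, as the slide says) and one level-2 event with risk (2*10*5)/25 = 4 that becomes an alarm; the late success from the second attacker finds its directive instance already discarded by time_out. `port_scan_demo().output` holds a single event, because the duplicate port 22 is ignored by sticky_different and the third distinct port completes occurrence=3.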
Monitor rule fields: value, condition, interval, absolute

condition
Establishes a logical relation between the value field and the value returned in the monitor plugin request:
- eq: equal
- ne: not equal
- lt: less than
- gt: greater than
- le: less than or equal
- ge: greater than or equal

value
This field sets the value that has to be compared with the value returned by the collector after doing the monitor request.

interval
This field sets the waiting time between each monitor request before the rule is discarded because the time defined by time_out is over.

absolute
This field sets whether the value that has to be compared is relative or absolute.
- Absolute true: "the host has more than 1000 bytes sent during the next 60 seconds". There will be an answer if in 60 seconds this value is reached.
- Absolute false: "the host shows an increase of more than 1000 bytes sent". There will be an answer if the host shows this increase in 60 seconds.
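The difference between absolute=true and absolute=false is easiest to see by polling the same counter both ways, so this added example simulates a monitor rule: it requests a value every `interval` seconds until `time_out` expires and applies the `condition` either to the polled value itself or to its increase since the first request. This is not the ossim-server monitor code; `bytes_sent()` is a constructed stand-in for what a monitor plugin such as ntop would report, and the numbers (800 bytes at the start, 12 bytes per second) were chosen so that the deck's two readings of "1000 bytes in 60 seconds" give different outcomes.

```python
OPERATORS = {   # the condition keywords from the slide
    "eq": lambda a, b: a == b, "ne": lambda a, b: a != b,
    "lt": lambda a, b: a < b,  "gt": lambda a, b: a > b,
    "le": lambda a, b: a <= b, "ge": lambda a, b: a >= b,
}

def evaluate_monitor_rule(probe, condition, value, interval, time_out, absolute, start=0):
    """Poll probe(ts) every `interval` seconds from `start` until `time_out` seconds have passed.
    absolute=True : the rule fires when the polled value itself satisfies the condition
    absolute=False: the rule fires when the increase since the first request satisfies it
    Returns the timestamp at which the rule fired, or None if time_out expired first."""
    op = OPERATORS[condition]
    baseline = probe(start)          # the first monitor request, reference point for relative values
    ts = start
    while ts - start <= time_out:
        observed = probe(ts)
        compared = observed if absolute else observed - baseline
        if op(compared, value):
            return ts
        ts += interval
    return None

# Constructed stand-in for a monitor plugin answer (bytes sent by a host as ntop would report it):
# 800 bytes already sent when the rule is evaluated, then 12 bytes per second.
def bytes_sent(ts):
    return 800 + 12 * ts

def absolute_demo():
    # "the host has more than 1000 bytes sent during the next 60 seconds"
    return evaluate_monitor_rule(bytes_sent, "gt", 1000, interval=10, time_out=60, absolute=True)

def relative_demo():
    # "the host shows an increase of more than 1000 bytes sent within 60 seconds"
    return evaluate_monitor_rule(bytes_sent, "gt", 1000, interval=10, time_out=60, absolute=False)
```

`absolute_demo()` fires at the third request (t=20, when the counter reads 1040), whereas `relative_demo()` returns None: within 60 seconds the counter only grows by 720 bytes, so the relative rule is discarded when time_out is over.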
Recommendations
- Not all directives should generate alarms with a high risk value (rate the importance of the attack or problem detected by the directive).
- In some cases the last rule level should be used to keep collecting events, to avoid having the same directive in the correlation engine so often.

AlienVault Logger
Forensic Storage

Hands-On: Logger
alienvault-logger
After this you should see the indexed search possibility in the UI.

Hands-On: Logger
ssh-keygen
example:
AlienVault IDM
Identity Monitoring & User awareness
- username
- domain
- hostname
- IP address
- MAC address
(diagram: Sensors send IDM events to the SIEM)
ip=192.168.24.2
username=Administrator
hostname=dc01
domain=alienvault.com
- logins
- ActiveDirectory
- LDAP servers
- VPN access
event_type=idm-event
This information will then be sent to the SIEM and associated with IPs.

Installing IDM
On the sensor, tell the agent to send IDM events to the SIEM.
sensor: /etc/ossim/agent/config.cfg
[output-idm]
enable=True
ip=The_IP_of_the_SIEM_server
port=40002
[idm-server-list]
FQDN1=The_IP_of_the_Second_SIEM_server;40002
FQDN2=The_IP_of_the_Third_SIEM_server;40002

Installing IDM
On the SIEM server: add IDM in /etc/ossim/server/config.xml
OSSEC
Insert rules for log messages generated with IDM relevant data:
event_type=idm-event

Event attribute
- username: IDM username
- domain: IDM domain name
- hostname: IDM hostname
- mac
- ip: IDM associated IP

Hands-On: IDM
From these two loglines, develop an IDM data source that reports username, hostname, domain name and IP to the SIEM.
AlienVault HIDS
Extending client security

Hands-On: OSSEC
- install it
- configure it:
  -
- next page
Troubleshoot
To check if events are arriving on the server:
/var/ossec/logs/alerts/alerts.log
AlienVault Secure Connection
Aliens love encrypted transports

Hands-on: OpenVPN
# alienvault-reconfig --add_vpnnode=<sensor_IP>
cd /etc/openvpn/nodes

Hands-on: OpenVPN
troubleshoot:
- run alienvault-reconfig
- or tcpdump -i tunX
Snort
Network IDS
What is Snort?
Brief History
IDS
NIDS
Advantages
Disadvantages
Network taps
Why a NIDS?
Snort modes
Snort is a very important tool within AlienVault and it has been used by AlienVault since the first OSSIM release for several reasons:
Bad configurations
The AlienVault Sensor collects logs from the Snort Data Source agent and sends them normalized to the SIEM or Logger.
All the events generated by the Snort rules will have the plugin_id 1001. The events generated by the Snort preprocessors will have a different plugin_id for each preprocessor within the range 1002-1500.
Snort Architecture
- Decoders
- Preprocessors
- Detection engine
- Output plugins

Architecture: Decoders

Architecture: Preprocessors
- ssh: detects the use of different exploits against the SSH protocol
- dns: detects the use of different exploits against the DNS service
Architecture: Detection engine
The Detection engine uses rules that are loaded when Snort starts.
alert tcp $HOME_NET any -> 10.1.1.0/24 80 (flags:SF; msg:"SYN-FIN Scan";)
Header:
- tcp: protocol
Options:

Emerging Threats rule examples:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Megaupload file download service access"; flow:to_server,established; content:"GET "; depth: 4; uricontent:"/?d="; content:"|0d 0a|Host\: "; content:"megaupload.com"; within:25; nocase; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009301; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Download_Services; sid:2009301; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"ET POLICY Yahoo Chat Signin Inside Webmail"; flow:established,to_server; content:"content-length\:"; nocase; depth:15; content:"<Ymsg Command=|22|550|22|"; nocase; classtype:policy-violation; reference:url,yahoo.com; reference:url,doc.emergingthreats.net/2007066; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_IM_Yahoo; sid:2007066; rev:3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET VIRUS OUTBOUND Suspicious Email Attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[x])|c(rt|[ho]m|li|pl|md|pp)|d(iz|ll)|e(m[fl]|xe|bs)|h(lp|sq|ta)|jse?|m(d[abzew]|s[tcgip]|htm|ht)|p(cd|if|l[xsc]|[lm]|ot)|r(eg|ar)|s(cr|ct|[hy]s|wf)|v(b[es]?|xd)|w(m[dfsz]|p[msz]|s[cfh])|xl[tw]|folder|fol|ba[st]|i(sp|n[sif])|lnk|nws|ocx|zip|url)[\x27\x22\n\r\s]/iR"; classtype:suspicious-filename-detect; reference:url,doc.emergingthreats.net/2000562; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/WORM_Suspicious_Extensions; sid:2000562; rev:11;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Matcash related Trojan Downloader (Ismazo Advanced Loader)"; flow:established,to_server; content:"User-Agent\: Ismazo"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007633; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2007633; rev:4;)
Architecture: Output plugins
- Syslog
- Database
- Tcpdump
- Unified v1
- Unified v2
- csv, prelude...
More than one output plugin can be enabled at the same time.
Unified (Version 2)

Snort Operation
(diagram: network traffic -> packet capture -> Decoders -> Preprocessors -> Detection engine -> Output Plugins -> Alerts)
Snort Configuration
/etc/snort/
/etc/snort/snort.conf
/etc/snort/snort.eth0.conf
/etc/snort/snort.eth1.conf

Startup Options
All the startup options can be found in the Snort man page:
# man snort
/etc/default/snort
/etc/snort/snort.debian.conf

Snort.conf includes
E.g.:
include threshold.conf
include classification.config

Snort.conf variables
HOME_NET: local network monitored (automatically edited by alienvault-reconfig based on the networks defined in the OSSIM inventory).
Snort.conf Preprocessors

Snort.conf Outputs
The AlienVault Sensor needs Snort running with the unified2 output enabled as follows:
snort.conf
snortunified.cfg
prefix=snort

Snort.conf Rules
The snort configuration file must include all the enabled rules. Rules are divided into different categories:
include $RULE_PATH/emerging-game.rules
include $RULE_PATH/emerging-inappropriate.rules
include $RULE_PATH/emerging-malware.rules
include $RULE_PATH/emerging-p2p.rules
Threshold.conf
Threshold types:
- limit: alert on the 1st M events during the time interval, then ignore events for the rest of the time interval.
- threshold: alert every M times we see this event during the time interval.
- both: alert once per time interval after seeing M occurrences of the event, then ignore any additional events during the time interval.

Threshold.conf
Limit alerts of rule with id 3420 (only one alert every 60 seconds)
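To see how the three threshold types thin out a burst of identical alerts, this added example replays a constructed stream of hits on one signature through a small filter that follows the limit/threshold/both semantics described above, tracking the count per source address (Snort's track by_src). It is not Snort's code and not a threshold.conf fragment: the event timestamps and addresses are constructed, and the only tie to the deck is that `limit_rule_3420_demo()` applies the slide's "one alert every 60 seconds" setting.

```python
class EventFilter:
    """Rate control for one signature, in the style of Snort's threshold.conf.
    kind 'limit'     : alert on the first `count` events per `seconds`, then ignore the rest
    kind 'threshold' : alert every `count`-th event within the interval
    kind 'both'      : alert once per interval, when `count` events have been seen
    Counting is kept per tracking key (here the source IP, i.e. track by_src)."""

    def __init__(self, kind, count, seconds):
        if kind not in ("limit", "threshold", "both"):
            raise ValueError(f"unknown threshold type: {kind}")
        self.kind, self.count, self.seconds = kind, count, seconds
        self.windows = {}          # key -> [window_start, events seen in this window]

    def should_alert(self, key, ts):
        win = self.windows.get(key)
        if win is None or ts - win[0] >= self.seconds:
            win = self.windows[key] = [ts, 0]       # the interval is over: start a new one
        win[1] += 1
        if self.kind == "limit":
            return win[1] <= self.count
        if self.kind == "threshold":
            return win[1] % self.count == 0
        return win[1] == self.count                  # both

# Constructed sample: (timestamp in seconds, source IP) of repeated hits on one signature.
SAMPLE_EVENTS = [
    (0, "10.0.0.5"), (5, "10.0.0.5"), (10, "10.0.0.5"), (12, "10.0.0.9"),
    (20, "10.0.0.5"), (30, "10.0.0.5"), (45, "10.0.0.5"), (50, "10.0.0.5"),
    (55, "10.0.0.5"), (70, "10.0.0.5"), (75, "10.0.0.5"),
]

def apply_filter(kind, count, seconds, events=SAMPLE_EVENTS):
    """Return the (timestamp, source) pairs that would still raise an alert."""
    f = EventFilter(kind, count, seconds)
    return [(ts, src) for ts, src in events if f.should_alert(src, ts)]

def limit_rule_3420_demo():
    # the deck's setting for rule 3420, one alert every 60 seconds: type limit, count 1, seconds 60
    return apply_filter("limit", 1, 60)
```

With the sample stream, the limit setting keeps one alert per source per 60-second window (three alerts in total, one of them for the second source and one for the new window that opens at t=70), `apply_filter("threshold", 3, 60)` fires on the 3rd and 6th hit of the first window only, and `apply_filter("both", 3, 60)` fires once, on the 3rd hit.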
Troubleshooting
/var/log/syslog
/var/log/daemon.log
When fixing problems it may also be useful to start snort from the command line (not as a service).
# alienvault-reconfig
/etc/snort/rules/local.rules

Emerging Threats
AlienVault includes, apart from the official Snort rules, a rule set created by the community in the Emerging Threats project:
http://www.emergingthreats.net

Create-sidmap.pl
Once new Snort rules have been downloaded, the system needs to have a priority and reliability value for the new rules. This is automatically done when using the following command:
# perl /usr/share/ossim/scripts/create_sidmap_preprocessors.pl /etc/snort/gen-msg.map

Snort Statistics

Filter Traffic
port not 22
AlienVault Dimensioning and Deployment
Getting the best performance and maintainability

Topology Definition

Dimensioning
- Correlation system
- Vulnerability Management
- Availability monitoring
- File integrity

Network Throughput
If the throughput is low, more than one network can be analyzed in the same detector. If the throughput is extremely high it may require optimizations and configuration changes in the network devices.
- Mrtg
- Ntop
- Iptraf

Network Devices
- Web servers
- Billing software
Calculating EPS
2.
3. In your production environment determine the peak number of security events (PEx) created by each device that requires logging using Formula 1. (If you have identical devices with identical hardware, configurations, load, traffic, etc., you may use this formula to avoid having to determine PE for every device):
   [PEx (# of identical devices)]
4. Sum all PE numbers to come up with a grand total for your environment.
5. Add at least 10% to the Sum for headroom and another 10% for growth.

Calculating EPS
Step 1:
Step 2:
Step 3:

Dimensioning
- Network map
- Important servers
- Important services
- Important assets
- Business Processes
- Procedures

Rack Space

Hardware Recommendations