As opposed to Network-Based Intrusion Detection
– Can be used in conjunction with NIDS
• Mature, open source (GPLv2) offering
– Actively developed, well-documented
– Most current major release v2.7 (12/2012)
– Developed by Trend Micro, commercial support available
• Scalable, modular, and highly configurable
• Home Page: http://www.ossec.net/
• Runs on most OSs: Linux, Unix, Mac... even Windows ;-)
sites that are compromised don't even know it or find out long after the fact
• Most sites will experience script kiddie and sometimes more sophisticated attacks
• The attackers can take over your system and lock you out of it and/or secretly replace the tools you use to administer your system and detect issues with hacked versions that conceal the malware
• Serves required functions for compliance
Agent and Agent-less Monitoring
– agent_control tool allows you to query and get information from any agent you have configured on your server, and it also allows you to restart (run now) the syscheck/rootcheck scan on any agent.
• Can be installed in virtualization host, guests
• Real-time alerting + web console
– Email, SMS, Console, 3rd party tools like sguil
– OS, Application, Firewalls, Switches, Routers, etc.
– Look for things like bad login attempts
– Unusual requests, usage patterns
– Supports large number of files/formats (Apache, MySQL, Postgres, native system logs)
– Also supports analyzing output of processes (e.g. netstat, ifconfig, …)
– Can be used in conjunction with WAFs, DAFs
(syscheck)
– Checksum database
– inotify integration for realtime monitoring of directories
– Can alert on new file creation
– Can configure files/dirs to ignore
– Built-in flood prevention (default 3)
– Use with OS Auditing to see who changed files
– syscheck_control provides an interface for managing and viewing the integrity checking database
specific rules
– Can do things like:
• Restore Changed Files
• Firewall drop, null route
• Host deny
• Disable account
– By default – lockout for some amount of time
– Can increase lockout time for repeat offenders
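As an added example (not from the original slides), the ossec.conf fragment below puts the syscheck options from the integrity-checking slide (inotify realtime monitoring, new-file alerts, ignore list, flood prevention) next to an active response of the kind described above (firewall drop with a lockout that grows for repeat offenders). The directory paths, alert level and timeout values are illustrative assumptions, not values from the slides.

```xml
<!-- Added example ossec.conf fragment (not from the original slides).
     Directory paths, alert levels and timeouts are illustrative values. -->
<ossec_config>
  <syscheck>
    <!-- Full periodic scan every 6 hours (seconds) -->
    <frequency>21600</frequency>
    <!-- Directories watched in real time via inotify; check_all compares
         checksums plus owner, group, permissions and size -->
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
    <!-- Alert when a new file appears under a monitored directory -->
    <alert_new_files>yes</alert_new_files>
    <!-- Files that change legitimately all the time and would only add noise -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/resolv.conf</ignore>
    <!-- Flood prevention: after three changes to the same file, further
         changes to it are no longer reported -->
    <auto_ignore>yes</auto_ignore>
  </syscheck>

  <!-- Active response command: firewall-drop.sh ships with OSSEC and is
       handed the source IP from the triggering alert -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Run firewall-drop on the agent that raised any alert of level 6 or
       higher; the block is lifted after 600 seconds, and an address that
       keeps coming back is blocked for 30, then 60, then 120 minutes -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
    <repeated_offenders>30,60,120</repeated_offenders>
  </active-response>
</ossec_config>
```

Both the manager and each agent must be restarted after editing ossec.conf for the new syscheck and active-response settings to take effect.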
– Hidden processes (not shown by ps)
– Hidden ports (not shown by netstat)
– Promiscuous interfaces (not shown by ifconfig)
– Known bad files, and known bad signatures
– Suspicious file permissions, hidden directories, etc.
– /dev anomalies, etc.
and analysis
– No HA for Manager by default, but some have implemented it using shared storage (drbd, etc.)
– Manager can handle large # of agents
• Multiple Agents
– Large numbers supported
– Low privileges for most components, chroot jail
– Can send alerts on their own
– If config changed – manager notified
• Supports Agent-less for things like firewalls, routers, etc.
of a broader arsenal of tools for "good guys"
– Most sites that are compromised never even know it or don't know for some time
– Active Response is a key aspect
• Compliance
– Helps meet requirements such as PCI, HIPAA
– For PCI, it covers the sections of file integrity monitoring (PCI 11.5, 10.5), log inspection and monitoring (section 10) and policy enforcement/checking.
• Free (as in beer)
• Highly configurable, adaptable to your application
• Will help you know you've been attacked
• Can prevent you from being locked out of your own system and/or restore hacked files/configs
• Use in combination with Virtualization, Automated deployment systems like Chef/Puppet
• Real-time alerting, monitors file changes using inotify – some systems rely just on periodic scans