OSSEC HIDS, Host Based Intrusion Detection System
Aurora Mazzone, INFN Sezione di Torino. Part Two
Choosing the installation type: server, agent or local?
Installation: E-mail notification
Sends e-mail to report relevant, important or serious events.
Installation: Integrity check daemon
Checks on configuration files and executables.
Installation: Rootkit detection engine
Searches for rootkits.
Installation: Active response
Responds to an event.
Configuration files
/var/ossec/etc/ossec.conf: global options, fully customizable.
/var/ossec/etc/internal_options.conf: key options for general operation, to be changed only in special cases.
ossec.conf: e-mail <global>
Configuration (“global” section):
    <global>
      <email_notification>yes</email_notification>
      <smtp_server> </smtp_server>
      <email_maxperhour>70</email_maxperhour>
    </global>
ossec.conf: e-mail <email_alerts>
Granular configuration (“email_alerts” section), available options: <email_to>, <event_location>, <group>, <level>, <rule_id>, <do_not_delay />, <do_not_group />, <format>
ossec.conf: e-mail <email_alerts>
Granular configuration (“email_alerts” section), by alert level:
    <email_alerts>
      <level>12</level>
      <do_not_group/>
      <do_not_delay/>
    </email_alerts>
ossec.conf: e-mail <email_alerts>
Granular configuration (“email_alerts” section), by event location:
    <email_alerts>
      <event_location>vm-ossec-c|vm-ossec-d| /24</event_location>
      <do_not_group/>
    </email_alerts>
ossec.conf: e-mail <email_alerts>
Granular configuration (“email_alerts” section), by rule group:
    <email_alerts>
      <group>syscheck</group>
      <format>sms</format>
    </email_alerts>
ossec.conf: e-mail <email_alerts>
Granular configuration (“email_alerts” section), by rule id:
    <email_alerts>
      <rule_id>40111</rule_id>
      <format>sms</format>
    </email_alerts>
ossec.conf: e-mail <alerts>
Configuration (“alerts” section):
    <alerts>
      <log_alert_level>1</log_alert_level>
      <email_alert_level>7</email_alert_level>
    </alerts>
ossec.conf: e-mail <alerts>
Level 0: Ignored, no action taken. Scanned before all others (grouping).
Level 2: System low priority notification and “catch all” rule with BAD_WORD.
Level 3: Successful/authorized events.
Level 4: System low priority errors.
Level 5: User generated error (missed passwords, denied actions, etc.).
Level 7: Syscheck.
Level 8: First time seen events. Stats alerts.
ossec.conf: e-mail <alerts>
Level 10: Multiple user generated errors: multiple bad passwords, multiple failed logins.
Level 12: High importance event: error or warning messages from the system, kernel, etc., or something that might indicate an attack against a specific application.
Level 13: Unusual error. Common attack patterns.
Level 14: High importance security event: correlation of multiple attack rules.
Level 15: Attack successful.
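Added example, not code from the presentation or from OSSEC itself: a small model of how the <alerts> thresholds and the granular <email_alerts> blocks shown on the previous slides decide what gets logged, what gets e-mailed by the global level, and which granular deliveries (recipient, format, grouping/delay flags) apply. It assumes that granular blocks are evaluated independently of the global email_alert_level and that every criterion set in a block must match; the class and function names and the placeholder recipients are mine.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass
class Alert:
    level: int
    rule_id: int
    groups: frozenset     # an alert can carry several groups, e.g. {"syscheck"}
    location: str         # host or agent name where the event was seen

@dataclass
class EmailAlertsBlock:
    """One granular <email_alerts> block; every criterion that is set must match."""
    email_to: str
    level: int = 0                       # <level>: minimum alert level
    group: str | None = None             # <group>
    rule_id: int | None = None           # <rule_id>
    event_location: str | None = None    # <event_location>: regex over the location
    fmt: str = "full"                    # <format>: "full" or "sms"
    do_not_group: bool = False           # <do_not_group/>
    do_not_delay: bool = False           # <do_not_delay/>

    def matches(self, a: Alert) -> bool:
        if a.level < self.level:
            return False
        if self.group is not None and self.group not in a.groups:
            return False
        if self.rule_id is not None and self.rule_id != a.rule_id:
            return False
        if self.event_location and not re.search(self.event_location, a.location):
            return False
        return True

def route(a: Alert, log_alert_level: int, email_alert_level: int, blocks: list) -> dict:
    """Logged? E-mailed by the global threshold? Which granular blocks deliver it?"""
    logged = a.level >= log_alert_level                      # <log_alert_level>
    default_mail = logged and a.level >= email_alert_level   # <email_alert_level>
    granular = [(b.email_to, b.fmt, b.do_not_group, b.do_not_delay)
                for b in blocks if b.matches(a)]
    return {"logged": logged, "default_email": default_mail, "granular": granular}

# Constructed blocks mirroring the four slides above; recipients are placeholders.
BLOCKS = [
    EmailAlertsBlock("soc@example.invalid", level=12, do_not_group=True, do_not_delay=True),
    EmailAlertsBlock("oncall@example.invalid", group="syscheck", fmt="sms"),
    EmailAlertsBlock("oncall@example.invalid", rule_id=40111, fmt="sms"),
    EmailAlertsBlock("admins@example.invalid", event_location=r"vm-ossec-c|vm-ossec-d", do_not_group=True),
]
```

With the slide's <alerts> values (log level 1, e-mail level 7), a level-7 syscheck alert from vm-ossec-c is logged, e-mailed by the global rule, and additionally delivered as an SMS-format message by the syscheck block and ungrouped by the location block.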
internal_options.conf: e-mail grouping
Configuration:
    # Maild grouping (0=disabled, 1=enabled)
    # Groups alerts within the same e-mail.
    maild.groupping=1
“Stats”: number of events generated
per hour of the day
per day of the week
totals
ossec.conf: “stats” <global>
    <global>
      <stats>8</stats>
    </global>
Every significant variation in the number of events reported over a given period of time generates a level-8 alert.
internal_options.conf: “stats”
    # Analysisd stats maximum diff.
    analysisd.stats_maxdiff=25000
    # Analysisd stats minimum diff.
    analysisd.stats_mindiff=250
    # Analysisd stats percentage (how much to differ from average)
    analysisd.stats_percent_diff=30
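Added example, not OSSEC's own stats code: a model of how the three analysisd.stats_* options combine with the per-hour-of-day and per-day-of-week averages described on the “Stats” slides. It assumes the tolerance is the configured percentage of the average clamped between mindiff and maxdiff, and that the level-8 alert fires only when a period's count exceeds average plus tolerance; the names stats_threshold, stats_alert and EventStats are mine.

```python
def stats_threshold(average: int, percent_diff: int = 30,
                    mindiff: int = 250, maxdiff: int = 25000) -> int:
    """Tolerated excess over the historical average before a stats alert fires.
    percent_diff is applied first, then the result is clamped to [mindiff, maxdiff]."""
    diff = average * percent_diff // 100
    diff = max(diff, mindiff)   # low baselines: require at least mindiff extra events
    diff = min(diff, maxdiff)   # high baselines: never demand more than maxdiff extra
    return diff

def stats_alert(current: int, average: int, **opts) -> bool:
    """True when this period's count exceeds average + tolerance (the level-8 alert)."""
    return current > average + stats_threshold(average, **opts)

class EventStats:
    """Running averages per hour of the day and per day of the week."""
    def __init__(self, **opts):
        self.opts = opts          # overrides for percent_diff / mindiff / maxdiff
        self.by_hour = {}         # hour (0-23)  -> (average, samples)
        self.by_weekday = {}      # weekday (0-6) -> (average, samples)

    @staticmethod
    def _check(table: dict, key: int, count: int, opts: dict) -> bool:
        avg, n = table.get(key, (0, 0))
        alert = n > 0 and stats_alert(count, avg, **opts)    # nothing learned yet: no alert
        table[key] = ((avg * n + count) // (n + 1), n + 1)   # then fold the count into the average
        return alert

    def record_hour(self, hour: int, count: int) -> bool:
        """Feed one hour's event count; returns True if it was anomalous."""
        return self._check(self.by_hour, hour, count, self.opts)

    def record_day(self, weekday: int, count: int) -> bool:
        """Feed one day's event count; returns True if it was anomalous."""
        return self._check(self.by_weekday, weekday, count, self.opts)
```

With the defaults an hour that usually sees 1000 events tolerates up to 1300, while an hour averaging 100 still tolerates up to 350 because mindiff=250 dominates.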
ossec.conf: log files to monitor <localfile>
    <localfile>
      <log_format>syslog</log_format>
      <location>/var/log/messages</location>
    </localfile>
Natively supported formats: syslog, snort-full, snort-fast, squid, iis, eventlog, nmapg (greppable nmap formatted logs), mysql_log, postgresql_log, apache.
ossec.conf: file integrity check <syscheck>
<syscheck> options: <frequency>, <scan_day>*, <scan_time>, <scan_on_start>, <directories>, <ignore>, <auto_ignore>, <alert_new_files>, <windows_registry>, <registry_ignore>
ossec.conf: file integrity check <syscheck>
<syscheck> configuration: day/time
    <syscheck>
      <scan_day>monday</scan_day>*
      <scan_time>8 pm</scan_time>
      <scan_on_start>no</scan_on_start>
      <auto_ignore>no</auto_ignore>
      [...]
    </syscheck>
ossec.conf: file integrity check <syscheck>
<syscheck> configuration: frequency
    <syscheck>
      <frequency>7200</frequency>
      <auto_ignore>no</auto_ignore>
      <alert_new_files>yes</alert_new_files>
      [...]
    </syscheck>
ossec.conf: file integrity check <syscheck>
<syscheck> configuration: <directories>
    <syscheck>
      <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
      <directories check_all="yes">/bin,/sbin</directories>
      <windows_registry>HKEY_LOCAL_MACHINE\Software</windows_registry>
      [...]
    </syscheck>
ossec.conf: file integrity check <syscheck>
<syscheck> configuration: <directories> attributes: check_all, check_sum, check_size, check_owner, check_group, check_perm
ossec.conf: file integrity check <syscheck>
<syscheck> configuration: <ignore>
    <syscheck>
      <ignore>/etc/mtab</ignore>
      <ignore>C:\WINDOWS/System32/LogFiles</ignore>
      <registry_ignore>HKEY_CURRENT_USER</registry_ignore>
      [...]
    </syscheck>
Files ignored on the server are ignored on all agents as well.
internal_options.conf: file integrity check
    # Syscheck checking/usage speed. To avoid large cpu/memory usage, you can specify
    # how much to sleep after generating the checksum of X files. The default is to
    # sleep 2 seconds after reading 15 files.
    syscheck.sleep=2
    syscheck.sleep_after=15
ossec.conf: rootkit detection engine and policy enforcement <rootcheck>
<rootcheck> options: <disabled>, <frequency>, <rootkit_files>, <rootkit_trojans>, <system_audit>, <windows_audit>, <windows_apps>, <windows_malware>
ossec.conf: rootkit detection engine and policy enforcement <rootcheck>
<rootcheck> options:
<rootkit_files>: application level rootkit signatures file
<rootkit_trojans>: application level trojan signatures file
ossec.conf: rootkit detection engine and policy enforcement <rootcheck>
<rootcheck> options, policy enforcement: <system_audit>, <windows_audit>, <windows_apps>, <windows_malware>
Checks on:
f: file or directory (and its contents)
r: registry key
p: process
Tools
Main management tools (version 1.6): /var/ossec/bin
ossec-control
syscheck_control
clear_stats
rootcheck_control
agent_control
list_agents
syscheck_update
manage_agents
Daemons
Main daemons (version 1.6): /var/ossec/bin
ossec-remoted
ossec-agentd
ossec-execd
ossec-syscheckd*
ossec-analysisd
ossec-logcollector*
ossec-maild
ossec-monitord
* run as root