OSSIM: a Careful, Free and Always Available Guardian for Your Network OSSIM a Careful, Free and Always Available Guardian for Your Network
Total Page:16
File Type:pdf, Size:1020Kb
FEATURE OSSIM: a Careful, Free and Always Available Guardian for Your Network OSSIM a Careful, Free and Always Available Guardian for Your Network Monitor your network’s security 24/7 with a free and open-source solution that collects, analyzes and reports logs of the events on your network. MARCO ALAMANNI 68 / JUNE 2014 / WWW.LINUXJOURNAL.COM LJ242-June2014.indd 68 5/22/14 12:36 PM etworks and information check them all, one by one, to obtain systems are increasingly meaningful information. N exposed to attacks that A further difficulty is that there is are becoming more sophisticated no single standard used to record the and sustained over time, such as logs and often, depending on the type the so-called APT (Advanced and size, they are not immediate or Persistent Threats). easy to understand. Information security experts agree It is even more difficult to relate on the fact that no organization, other logs produced by many even the best equipped to protect different systems to each other itself from these attacks, can be manually, to highlight anomalies considered immune, and that the in the network that would not be issue is not whether its systems will detectable by analyzing the logs of be compromised, but rather when each machine separately. and how it will happen. SIEM (Security Information and It is essential to be able to Event Management) software, detect attacks in a timely manner therefore, is not limited to and implement the relative being a centralized solution for countermeasures, following log management, but also (and appropriate procedures to respond especially) it has the ability to to incidents, thus minimizing the standardize logs in a single format, effects and the damages they can analyze the recorded events, cause. In order to detect intrusions highlight the most important and attacks, system administrators information and relate the logs to and information security analysts each other (correlation), allowing make use of tools, such as IDS/IPS analysts to detect anomalies and (Intrusion Detection/Prevention attacks more easily. System) and analysis of logs (event For example, for log management records) of servers and network software, three failed attempts to log devices, looking for any significant in to the same user account from three events from a security point of view. different clients will be only three A network of an organization of lines in your log file and not obviously average size produces, as a whole, related to each other. For an analyst, such a quantity of logs that it is very instead, it may be a sequence of difficult (and still very expensive) to events worthy of further analysis, and WWW.LINUXJOURNAL.COM / JUNE 2014 / 69 LJ242-June2014.indd 69 5/22/14 12:36 PM FEATURE OSSIM: a Careful, Free and Always Available Guardian for Your Network its correlation (looking for patterns in You can install these components the log files) can generate alerts when on a single physical machine (the these types of events occur. default installation), on a single virtual machine, on different virtual machines Overview of a SIEM Open-Source and/or physical machines, depending Solution: OSSIM on the size and configuration of the OSSIM is a SIEM software platform, network to monitor. free and open-source, developed by For a relatively small network, AlienVault and based on a Debian installation on a single machine, 64-bit Linux distribution. OSSIM has which is the simplest configuration, four major components: may be the right solution. For larger networks, it is advisable to 1. Sensor. install the Sensor and the Database separately. Figure 1 shows the 2. Server. OSSIM architecture. Sensor: The Sensor has two 3. Framework. main components: 4. Database. 1. The rsyslog service, which listens Figure 1. OSSIM Architecture 70 / JUNE 2014 / WWW.LINUXJOURNAL.COM LJ242-June2014.indd 70 5/22/14 12:36 PM on TCP/UDP port 514, receives Database: The Database is a the logs from network devices -Y31, SERVER INSTANCE THAT STORES and stores them locally, according events and system configuration data. to the configuration. Functionalities 2. The Ossim-agent, using a Following is a brief description series of modules called of OSSIM’s main features and plugins, one for each type of functionalities concerning the log, performs log analysis and collection, analysis and correlation normalization, and sends that of logs and the primary tools to the Server component. included in the system for network security monitoring. Plugins are of two types: Collection and Normalization of detectors, which detect anomalies Logs: You can collect logs from the and possible attacks (such as Snort, devices on your network in two ways: P0f, Arpwatch), and monitors to monitor the network status (like 1. Install a software agent (like Ntop and Nagios). Snare or SysLogAgent) in the Server: The Server performs source machine and configure the essential SIEM functions: it to read certain types of aggregation, risk assessment and logs and send them to the correlation of events that are received Sensor component. from the sensor through TCP port 40001. The server also sends the 2. Configure the source machine information concerning the events to send the logs upon request to the Database for storage. of the appropriate Sensor Framework: The Framework plugins (for example, via WMI connects and manages the OSSIM for Windows machines). Once components and security tools the Sensor records the logs, included, and it provides the system the OSSIM Agent performs the administration Web interface. It analysis and converts them to is the component that needs the a single format (normalization). least hardware resources and is Each log represents an event usually installed together with the that will be sent to the server Server component. for analysis (Figure 2). WWW.LINUXJOURNAL.COM / JUNE 2014 / 71 LJ242-June2014.indd 71 5/22/14 12:36 PM FEATURE OSSIM: a Careful, Free and Always Available Guardian for Your Network Figure 2. Log Collection and Normalization Prioritization of Events and calculated in real time and is based on Risk Assessment: The prioritization three main factors: process involves assigning priority values to the recorded events, which 1. The value or level of importance of the is done by the Server component. machine that generated the event. It depends on the structure of the network and it needs, as 2. The type of threat posed by the event. prerequisites, the definition of security policies and the inventory of 3. The probability that this event occurs. information assets on the network, which can be managed in the Web The formula used for calculating administration panel. It sets the risk is the following (Figure 3): priority of an event based on the Risk = value * (reliability * Priority / 25). machine that generated it and the Analysis and Correlation of type of event to which it belongs. Events: The correlation of events The risk assessment of events is essentially relates events to each other 72 / JUNE 2014 / WWW.LINUXJOURNAL.COM LJ242-June2014.indd 72 5/22/14 12:36 PM Figure 3. How to Calculate the Risk Associated with an Event Figure 4. Example of Analysis and Correlation of Events to achieve a comprehensive view events, using directives, consisting of of network security and to detect rules that relate events to patterns of possible attacks or anomalies. known attacks. This method is similar The correlation process is performed to using Snort for intrusion detection via two methods: (signature-based detection). 1. Correlation using sequence of 2. Correlation using heuristic WWW.LINUXJOURNAL.COM / JUNE 2014 / 73 LJ242-June2014.indd 73 5/22/14 12:36 PM FEATURE OSSIM: a Careful, Free and Always Available Guardian for Your Network algorithms can be detected by <rules> these abnormal situations that <rule type="detector" name="SSH Authentication failure (5 times)" do not detect the preceding rules ´reliability="+2" occurrence="5" from="1:SRC_IP" to="ANY" and may or may not be attacks ´port_from="ANY" time_out="20" port_to="ANY" (abnormality detection). ´plugin_id="4003" plugin_sid="1,2,3,4,5,6" sticky="true"> <rules> Directives are located in the <rule type="detector" name="SSH Authentication failure (10 times)" /etc/ossim/server/directives.xml file. ´reliability="+2" occurrence="10" from="1:SRC_IP" to="ANY" Directives are specified in XML ´port_from="ANY" time_out="30" port_to="ANY" using tags like Id, Name, Priority, ´plugin_id="4003" plugin_sid="1,2,3,4,5,6" sticky="true"> Type, Reliability, Occurrence, </rule> Timeout, Source, Destination, </rules> Source port, destination port, </rule> protocol, PluginSid and Sensor. </rules> Reliability is a measure of the </rule> probability that the considered </rules> event truly represents the attack </rule> referred to by the directive and is </directive> generally based on the number of occurrences of the event. The directive assigns a value of For example, consider the reliability equal to 3 (30% probability) following directive to detect when the number of occurrences of brute-force SSH attacks: the event detected by the sensor (SSH authentication error) is equal to <directive id="20" name="Possible SSH brute force login 1, then increments it by 1 at the third ´attempt against DST_IP" priority="5"> occurrence of the event, by 2 at the <rule type="detector" name="SSH Authentication failure" fifth occurrence and by an additional ´reliability="3" occurrence="1" from="ANY" to="ANY" 2 at the tenth, thereby achieving a ´port_from="ANY" port_to="ANY" time_out="10" reliability of 8 (80% of probability) ´plugin_id="4003" plugin_sid="1,2,3,4,5,6"> when the incorrect authentication <rules> attempts are 10. <rule type="detector" name="SSH Authentication failure (3 times)" OSSIM also has the ability to ´reliability="+1" occurrence="3" from="1:SRC_IP" to="ANY" correlate different types of logs, ´port_from="ANY" time_out="15" port_to="ANY" generated by various plugins (cross- ´plugin_id="4003" plugin_sid="1,2,3,4,5,6" sticky="true"> correlation).