SCADA Intrusion Detection System Test Framework

Total Page:16

File Type:pdf, Size:1020Kb

SCADA Intrusion Detection System Test Framework SCADA Intrusion Detection System Test Framework By: Henrik Waagsnes Supervisor: Nils Ulltveit-Moe, Associate Professor Ph.D IKT 590 - Master’s thesis Spring 2017 Department of Information and Communication Technology Faculty of Engineering and Science University of Agder Grimstad, 21 May 2017 Henrik Waagsnes SCADA Intrusion Detection System Test Framework Abstract Supervisory control and data acquisition (SCADA) systems play an important role in our critical infrastructure (CI). Several of the protocols used in SCADA communication are old and lack of security mechanisms. This master thesis presents a SCADA Intrusion Detection System Test Framework that can be used to simulate SCADA traffic and detect malicious network activity. The framework uses a signature-based approach and utilize two different IDS engines, Suricata and Snort. The IDS engines include rule-sets for the IEC 60870-5-104, DNP3 and Modbus protocols. The IDS engines ships detected events to a distributed cluster and visualize them using a web interface. The experiments carried out in this project show that there generally is little difference between Suricata and Snort's ability to detect malicious traffic. Suricata is compatible with signatures written in snort lightweight rules description language. I did however, discover some compatibility issues. The purposed framework applies additional latency to the analysis of IDS events. The perceived latency was generally higher for Snort events than for Suricata events. The reason for this is probably the additional processing time applied by the implemented log conversion tool. Keywords: SCADA, IDS, SIEM 2 Henrik Waagsnes SCADA Intrusion Detection System Test Framework Preface This report is the result of the master thesis IKT 590 (30 ECTS) which is part of my fourth semester MSc study at the Faculty of Engineering and Science, University of Agder (UiA) in Grimstad, Norway. The work on this project started from 1 January 2017 and ended on 21 May 2017. In this project, I have designed, implemented and demonstrate a "SCADA Intrusion Detection System Test Framework". I would like to express my gratitude to my supervisor Nils Ulltveit-Moe for making this Master Thesis possible and giving me guidance and feedback throughout this project. I would also like to thank NC-Spectrum AS for good support and for inviting me to a conference in Kviteseid themed securing SCADA systems. This conference helped me kick start my master thesis and gave me many new ideas. Grimstad May 2017 Henrik Waagsnes 3 Henrik Waagsnes SCADA Intrusion Detection System Test Framework List of figures Figure 1: Defense-in-depth security layers [3] ................................................................ 12 Figure 2: Activity framework for Design Science Research [5] ....................................... 14 Figure 3: Relationships between kernel theory, mid-range-theory and design theory, and the design process [5] .................................................................................................... 14 Figure 4: Reasoning in the Design Research Cycle [5] .................................................. 15 Figure 5: Hierarchy of the five levels of distribution automation (DA)[1] ......................... 16 Figure 6: DA level interconnection [1] ............................................................................. 17 Figure 7: First generation SCADA Architecture [6] ......................................................... 18 Figure 8: Second generation SCADA Architecture [6] .................................................... 19 Figure 9: Third generation SCADA Architecture [6] ........................................................ 19 Figure 10: Fourth generation SCADA Architecture [8] .................................................... 20 Figure 11: IEC 60870-5-104 APDU [11] ......................................................................... 21 Figure 12: Control Field Information Type Structure [10] ................................................ 21 Figure 13: Code Type Groups [10] ................................................................................. 21 Figure 14: DNP3 master/slave architecture [10] ............................................................. 22 Figure 15: DNP3 Data Link Frame [10] ......................................................................... 22 Figure 16: Modbus Client/Server communication model [13] ......................................... 23 Figure 17: Modbus TCP/IP communication architecture [13] ......................................... 24 Figure 18: General Modbus frame [13] ........................................................................... 24 Figure 19: Modbus TCP/IP frame [13] ............................................................................ 24 Figure 20:Interrelations between the IEC TC57 standards and the IEC 62351 security standards [20] ................................................................................................................. 27 Figure 21: Stuxnet first three stages[21] ......................................................................... 28 Figure 22: Stuxnet last three stages[21] ......................................................................... 28 Figure 23: Multilayer SCADA cyber-security framework with IDS [31] ............................ 34 Figure 24: SCADA-IDS security management system [31] ............................................ 34 Figure 25: Hybrid SCADA-IDS process [31] ................................................................... 35 Figure 26: OCSVM classification [35] ............................................................................. 38 Figure 27: Alert-ontology [40] ......................................................................................... 40 Figure 28: Architecture overview [41] ............................................................................. 42 Figure 29: SCADA network topology [41] ....................................................................... 43 Figure 30: SCADA Honeynet architecture [44] ............................................................... 44 Figure 31: GridLab District setup [45] ............................................................................. 44 Figure 32: Implementation overview of SoftGrid testbed [46] ......................................... 45 Figure 33: Placement of A*CMD system [46] ................................................................. 46 Figure 34: Framework Architecture ................................................................................ 49 Figure 35: IEC Server panels ......................................................................................... 51 Figure 36: qtester104.ini configuration file ...................................................................... 52 Figure 37: QTester104 GUI connected to IEC Server .................................................... 52 Figure 38: Wireshark analysis of IEC 60870-5-104 communication ............................... 53 Figure 39: OSHMI KOR1 substation in simulation mode switch on ................................ 53 Figure 40: OSHMI KOR1 substation in simulation mode switch off ................................ 54 4 Henrik Waagsnes SCADA Intrusion Detection System Test Framework Figure 41: OSHMI KOR1 event viewer in simulation mode ............................................ 54 Figure 42: OSHMI KOR1 substation trend viewer in simulation mode ........................... 54 Figure 43: OpenMUC j60870 Client Console default ...................................................... 55 Figure 44: Adding new commands and acionkeys ......................................................... 55 Figure 45: Configuring action for actionkey .................................................................... 56 Figure 46: Add new action for each command ............................................................... 56 Figure 47: OpenMUC j60870 Client Console after modification ..................................... 56 Figure 48: ELK stack architecture................................................................................... 62 Figure 49: Logstash configuration [51] ........................................................................... 63 Figure 50: Three-node cluster ........................................................................................ 64 Figure 51:ELK stack successfully configured ................................................................. 65 Figure 52: Pie chart visualization in kibana .................................................................... 65 Figure 53: Monitoring dashboard provided by x-pack ..................................................... 66 Figure 54: Elasticsearch monitoring using x-pack .......................................................... 66 Figure 55: Functionality available in x-pack [53] ............................................................. 67 Figure 56: Network traffic monitoring dashboard ............................................................ 68 Figure 57: IDS alert monitoring dashboard ..................................................................... 69 Figure 58: IDS comparison dashboard ........................................................................... 69 Figure 59: Experimental dashboard ................................................................................ 70 Figure 60: Calculating latency ........................................................................................ 70 Figure 61: Latency Dashboard
Recommended publications
  • Oracle with Metasploit
    Oracle Penetration Testing Using the Metasploit Framework Chris Gates & Mario Ceballos Metasploit Project Abstract Over the years there have been tons of Oracle exploits, SQL Injection vulnerabilities, and post exploitation tricks and tools that had no order, methodology, or standardization, mainly just random .sql files. Additionally, none of the publicly available Pentest Frameworks have the ability to leverage built- in package SQL Injection vulnerabilities for privilege escalation, data extraction, or getting operating system access. In this whitepaper we will present an Oracle Pentesting Methodology and give you all the tools to break the "unbreakable" Oracle as Metasploit auxiliary modules. We've created your version and SID enumeration modules, account bruteforcing modules, ported all the public (and not so public) Oracle SQL Injection vulnerabilities into SQLI modules (with IDS evasion examples for 10g/11g), modules for OS interaction, and modules for automating some of our post exploitation tasks. The modules are currently only supported under Linux and OSX. Oracle Penetration Testing Methodology Locate a system running Oracle. Determine Oracle Version. Determine Oracle SID. Guess/Bruteforce USERNAME/PASS. Privilege Escalation via SQL Injection. Manipulate Data/Post Exploitation. Cover Tracks. Locating an Oracle System You will typically find most Oracle installations by performing port scanning in the target netblock. The Oracle listener default port is 1521 but can listen on an port generally in the 1521-1540 range. You can also discover oracle instances by scanning other common Oracle ports. Review http://www.red- database-security.com/whitepaper/oracle_default_ports.html for common Oracle ports. Generally running a service scan will NOT give you the Oracle TNS Listener version but updated fingerprints for new versions of Nmap may yield versions in some situations.
    [Show full text]
  • Software Assurance
    Information Assurance State-of-the-Art Report Technology Analysis Center (IATAC) SOAR (SOAR) July 31, 2007 Data and Analysis Center for Software (DACS) Joint endeavor by IATAC with DACS Software Security Assurance Distribution Statement A E X C E E C L I L V E R N E Approved for public release; C S E I N N I IO DoD Data & Analysis Center for Software NF OR MAT distribution is unlimited. Information Assurance Technology Analysis Center (IATAC) Data and Analysis Center for Software (DACS) Joint endeavor by IATAC with DACS Software Security Assurance State-of-the-Art Report (SOAR) July 31, 2007 IATAC Authors: Karen Mercedes Goertzel Theodore Winograd Holly Lynne McKinley Lyndon Oh Michael Colon DACS Authors: Thomas McGibbon Elaine Fedchak Robert Vienneau Coordinating Editor: Karen Mercedes Goertzel Copy Editors: Margo Goldman Linda Billard Carolyn Quinn Creative Directors: Christina P. McNemar K. Ahnie Jenkins Art Director, Cover, and Book Design: Don Rowe Production: Brad Whitford Illustrations: Dustin Hurt Brad Whitford About the Authors Karen Mercedes Goertzel Information Assurance Technology Analysis Center (IATAC) Karen Mercedes Goertzel is a subject matter expert in software security assurance and information assurance, particularly multilevel secure systems and cross-domain information sharing. She supports the Department of Homeland Security Software Assurance Program and the National Security Agency’s Center for Assured Software, and was lead technologist for 3 years on the Defense Information Systems Agency (DISA) Application Security Program. Ms. Goertzel is currently lead author of a report on the state-of-the-art in software security assurance, and has also led in the creation of state-of-the-art reports for the Department of Defense (DoD) on information assurance and computer network defense technologies and research.
    [Show full text]
  • Metasploit Framework «Back|Track-[IT]
    Metasploit Framework www.backtrack.it «Back|Track-[IT] www.backtrack.it (c) 2009 brigante - fiocinino [email protected] [email protected] Metasploit Framework Metasploit Framework www.backtrack.it Metasploit Framework www.backtrack.it Questo documento è rivolto a tutti coloro che vogliono conoscere cos'é, come viene utilizzato e cosa comporta l' uso del “Metasploit Framework”, parte del Metasploit Project. Metasploit è più di un semplice progetto per la sicurezza informatica, è un vero è proprio insieme di strumenti, (appunto denominato Framework), che ha praticamente rivoluzionato l' intero mondo della sicurezza informatica. Come per la stragrande maggioranza della nostra documentazione verrà, anche in questo documento, dato spazio sia alla parte teorica che alla parte pratica e descrittiva, con svariati esempi e con la descrizione dettagliata alcuni nostri video, reperibili naturalmente dall' apposita sezione del nostro portale. “Che cos'é Metasploit” Metasploit Project nasce con l' intento di fornire informazioni su vulnerabilità, sviluppo di sistemi di rilevamento di intrusioni e semplificare le operazioni di penetration testing. Il sub-project più conosciuto è il Metasploit Framework, un' insieme di strumenti per lo sviluppo e l'esecuzione di exploits, di shellcodes, auxiliary, opcode noto per lo sviluppo di strumenti di elusione ed anti- rilevamento. Uno dei principali Goals del “Metasploit Project” è quello di mirare principalmente a fornire informazioni utili allo sviluppo di nuove tecniche di pentesting e di firme per
    [Show full text]
  • Scapy–A Python Tool for Security Testing
    ien r Sc ce & te S u y p s t m e o m C s Journal of Bansal and Bansal, J Comput Sci Syst Biol 2015, 8:3 f B o i l o a DOI: 10.4172/jcsb.1000182 l o n r g u y o J Computer Science & Systems Biology ISSN: 0974-7230 Research Article Article OpenOpen Access Access Scapy–A Python Tool For Security Testing Shipra Bansal1* and Nitin Bansal2 1Department of Computer Applications, Lovely Professional University, Jalandhar, India 2Department of Management, Lovely Professional University, Jalandhar, India Abstract Security Testing is the essential method of any information System and this method is used to detect flaws in the security measures in an Information System which protect the data from an unauthorized access. Passing through the Security testing method does not ensure that flaws are not present in the System. Python is a new emerging Programming language. This research paper looks into the tool named Scapy which is based on Python language; lists out some vital commands, explanation with examples and uses of Security Testing. This research paper, being introductory one tries to give a brief description and understandable usage of the security Testing tool. Keywords: Security testing; Python; Scapy; Flaws Stackless is used for concurrency and PyPy has greater speed execution than CPython. Its extension is .py normally. Introduction Introduction to scapy Security is defined as “No unauthorized Access of information”. Security is very essential to maintain the integrity of System [1,2]. Scapy is a tool for manipulating interactive packets. This tool is Security Testing is the first step to detect flaws in the security measures totally based on Python language.
    [Show full text]
  • OSSIM: a Careful, Free and Always Available Guardian for Your Network OSSIM a Careful, Free and Always Available Guardian for Your Network
    FEATURE OSSIM: a Careful, Free and Always Available Guardian for Your Network OSSIM a Careful, Free and Always Available Guardian for Your Network Monitor your network’s security 24/7 with a free and open-source solution that collects, analyzes and reports logs of the events on your network. MARCO ALAMANNI 68 / JUNE 2014 / WWW.LINUXJOURNAL.COM LJ242-June2014.indd 68 5/22/14 12:36 PM etworks and information check them all, one by one, to obtain systems are increasingly meaningful information. N exposed to attacks that A further difficulty is that there is are becoming more sophisticated no single standard used to record the and sustained over time, such as logs and often, depending on the type the so-called APT (Advanced and size, they are not immediate or Persistent Threats). easy to understand. Information security experts agree It is even more difficult to relate on the fact that no organization, other logs produced by many even the best equipped to protect different systems to each other itself from these attacks, can be manually, to highlight anomalies considered immune, and that the in the network that would not be issue is not whether its systems will detectable by analyzing the logs of be compromised, but rather when each machine separately. and how it will happen. SIEM (Security Information and It is essential to be able to Event Management) software, detect attacks in a timely manner therefore, is not limited to and implement the relative being a centralized solution for countermeasures, following log management, but also (and appropriate procedures to respond especially) it has the ability to to incidents, thus minimizing the standardize logs in a single format, effects and the damages they can analyze the recorded events, cause.
    [Show full text]
  • Metasploit Pro User Guide
    4.11 USER GUIDE Getting Started First things first. If you haven't installed Metasploit yet, check out this these instructions if you're a commercial user. Otherwise, if you already have Metasploit installed, congratulations! You've come to the right place to get started. What's Metasploit? Metasploit is a penetration testing platform that enables you to find, exploit, and validate vulnerabilities. The platform includes the Metasploit Framework and its commercial counterparts: Metasploit Pro, Express, Community, and Nexpose Ultimate. Metasploit Framework The Metasploit Framework is the foundation on which the commercial products are built. It is an open source project that provides the infrastructure, content, and tools to perform penetration tests and extensive security auditing. Thanks to the open source community and Rapid7's own hard working content team, new modules are added on a regular basis, which means that the latest exploit is available to you as soon as it's published. There are quite a few resources available online to help you learn how to use the Metasploit Framework; however, we highly recommend that you take a look at the Metasploit Framework Wiki, which is maintained by Rapid7's content team, to ensure that you have the most up to date information available. You can also use the sidebar navigation on the left to view the documentation that is available on this site; just click on the Metasploit Framework topic or search for the topic you want. Either way, if you are unable to find what you need, let us know, and we will add it to the documentation back log.
    [Show full text]
  • Build Network Packets with Scapy
    SharkFest ’18 Europe Handcrafted packets build network packets with Scapy Uli Heilmeier Krones AG #sf18eu#sf18eu •• ImperialImperial RidingRiding SchoolSchool RenaissanceRenaissance ViennaVienna •• OctOct 2929 -- NovNov 22 Scan me... pak=IP(dst="10.80.49.*")/ \ TCP(dport=[23,21], \ sport=RandShort(),flags="SAUFP") ans,unansw=sr(pak, timeout=1) #sf18eu • Imperial Riding School Renaissance Vienna • Oct 29 - Nov 2 Stacking layers dnspkt= \ Ether()/ \ IPv6(dst="2001:db8::1")/ \ UDP()/ \ DNS(rd=1,qd= \ DNSQR(qname="wireshark.org")) #sf18eu • Imperial Riding School Renaissance Vienna • Oct 29 - Nov 2 #sf18eu • Imperial Riding School Renaissance Vienna • Oct 29 - Nov 2 Working with packets dnspkt[UDP] #or dnspkt[2] dnspkt[DNSQR].qtype="AAAA" dnspkt[IPv6].payload dnspkt[Ether].payload.payload dnspkt[UDP].chksum=0xffff dnspkt[UDP].chksum del(dnspkt[UDP].chksum) #sf18eu • Imperial Riding School Renaissance Vienna • Oct 29 - Nov 2 Working with packets dnspkt.sprintf("Destination IP is %IPv6.dst%") dnspkt.summary() ls(dnspkt) dnspkt.command() dnspkt.pdfdump(filename="../dns.pdf") #sf18eu • Imperial Riding School Renaissance Vienna • Oct 29 - Nov 2 ff ff ff ff ff ff 00 00 00 00 00 00 86 dd 60 00 Ethernet 00 00 00 27 11 40 00 00 00 00 00 00 00 00 00 00 dst ↵:↵:↵:↵:↵:↵ 00 00 00 00 00 00 20 01 0d b8 00 00 00 00 00 00 src 00:00:00:00:00:00 00 00 00 00 00 01 00 35 00 35 00 27 ff ff 00 00 type 0x86dd 01 00 00 01 00 00 00 00 00 00 09 77 69 72 65 73 IPv6 68 61 72 6b 03 6f 72 67 00 00 01 00 01 version 6 tc 0 fl 0 plen 39 nh UDP hlim 64 src :: dst 2001:db8::1
    [Show full text]
  • Packet Crafting Using Scapy
    Packet Crafting using Scapy by William Zereneh Bachelor of Science, Toronto, 2006 A thesis Presented to Ryerson University in partial fulfillment of the requirements for the degree of Master of Engineering in the Program of Computer Networks Toronto, Ontario, Canada, 2011 ©William Zereneh 2011 Abstract This paper will introduce both Packet Crafting as a testing methodology and the tool that will be used to accomplish all four aspects of this methodology; Packet Assembly, Packet Editing, Packet Re-Play and Packet Decoding. Scapy is an Open Source network programming language based on Python programming language, will be used in this project. The tool will be used to capture packets off the wire, create others by layering protocols as needed, altering the content of Ethernet, Dot3, LLC, SNAP, IP, UDP and ICMP header fields as required and finally launching such packets onto the network. In some cases the responses gathered as a result of launching such packets will not be decoded. As a result of this project, some network vulnerabilities will be explored to fully demonstrate the power of the methodology using Scapy, but never exploited to cause any damage. ii Authorʼs declaration I hereby declare that I am the sole author of this thesis I authorize Ryerson University to lend this thesis to other institutions or individuals for the purpose of scholarly research. William Zereneh I further authorize Ryerson University to reproduce this thesis by photocopying or by other means, in total or in part, at the request of other institutions or individuals for the purpose of scholarly research. William Zereneh iii Acknowledgments This paper would have not be possible if it were not for the constant reminder by my wife and kids that my “home work” has to be done first.
    [Show full text]
  • An Encrypted Payload Protocol and Target-Side Scripting Engine
    An Encrypted Payload Protocol and Target-Side Scripting Engine Dino A. Dai Zovi [email protected] Abstract into the remote process and then triggering the vulnera- Modern exploit payloads in commercial and open-source bility (the injection vector) in order to cause the remote penetration testing frameworks have grown much more process to execute the injected code (the payload). Tra- advanced than the traditional shellcode they replaced. ditionally, these payloads have been written in processor- These payloads permit interactive access without launch- specific assembly language, assembled, and extracted by ing a shell, network proxying, and many other rich fea- hand into reusable machine code components. These tures. Available payload frameworks have several lim- payloads were typically small and executed an operating itations, however. They make little use of encryption to system shell, causing them to be commonly referred to secure delivery and communications, especially in earlier as shellcode. Common shellcode variants included func- stage payloads. In addition, their richer features require tionality such as restoring dropped privileges, breaking a constant network connection to the penetration tester, out of chroot environments, and attaching the shell to making them unsuitable against mobile clients, such as an inbound or outbound network connection. This style laptops, PDAs, and smart phones. of payload construction was both labor and skill inten- This work introduces a first-stage exploit payload that sive. is able to securely establish an encrypted channel using With the growth of commercial penetration testing ElGamal key agreement and the RC4 stream cipher. The services and especially commercial penetration test- key agreement implementation requires only modular ing products, exploit payloads have gotten considerably exponentiation and RC4 also lends itself to an implemen- more capable and complex.
    [Show full text]
  • Popular OSSIM Plugins Sidebar for a Brief Agent by Running the Command: Listing of the Leading Ones)
    To read more Linux Journal or start your subscription, please visit http://www.linuxjournal.com. AlienVault the Future of Security Information Management Meet AlienVault OSSIM, a complex security system designed to make your life simpler. JERAMIAH BOWLING Security Information Management (SIM) systems have made many security administrators’ lives easier over the years. SIMs organize an enterprise’s security environment and provide a common interface to manage that environment. Many SIM products are available today that perform well in this role, but none are as ambitious as AlienVault’s Open Source Security Information Management (OSSIM). With OSSIM, AlienVault has harnessed the capabilities of several popular security packages and created an “intelligence” that translates, analyzes and organizes the data in unique and customizable ways that most SIMs cannot. It uses a process called correlation to make threat judgments dynamically and report in real time on the state of risk in your environment. The end result is a design approach that makes risk management an organized and observable process that security administrators and managers alike can appreciate. In this article, I explain the installation of an all-in-one OSSIM agent/server into a test network, add hosts, deploy a Figure 1. A little tough to read, but this is where everything starts. third-party agent, set up a custom security directive and take a quick tour of the built-in incident response system. In addition AlienVault site in .iso form (version 2.1 at the time of this to the OSSIM server, I have placed a CentOS-based Apache writing) and booted my VM from the media.
    [Show full text]
  • Scapy Documentation Release 2.0.1
    Scapy Documentation Release 2.0.1 Philippe Biondi and the Scapy community October 24, 2009 CONTENTS 1 Introduction 3 1.1 About Scapy........................................3 1.2 What makes Scapy so special...............................3 1.3 Quick demo........................................5 1.4 Learning Python......................................7 2 Download and Installation9 2.1 Overview..........................................9 2.2 Installing Scapy v2.x....................................9 2.3 Installing Scapy v1.2.................................... 10 2.4 Optional software for special features........................... 11 2.5 Platform-specific instructions............................... 12 3 Usage 19 3.1 Starting Scapy....................................... 19 3.2 Interactive tutorial..................................... 19 3.3 Simple one-liners...................................... 42 3.4 Recipes........................................... 46 4 Advanced usage 51 4.1 ASN.1 and SNMP..................................... 51 4.2 Automata.......................................... 60 5 Build your own tools 67 5.1 Using Scapy in your tools................................. 67 5.2 Extending Scapy with add-ons............................... 68 6 Adding new protocols 71 6.1 Simple example...................................... 71 6.2 Layers........................................... 72 6.3 Dissecting......................................... 75 6.4 Building.......................................... 79 6.5 Fields...........................................
    [Show full text]
  • OSSIM Fast Guide
    ----------------- OSSIM Fast Guide ----------------- February 8, 2004 Julio Casal <[email protected]> http://www.ossim.net WHAT IS OSSIM? In three phrases: - VERIFICATION may be OSSIM’s most valuable contribution at this time. Using its correlation engine, OSSIM screens out a large percentage of false positives. - The second advantage is that of INTEGRATION, we have a series of security tools that enable us to perform a range of tasks from auditing, pattern matching and anomaly detection to forensic analysis in one single platform. We take responsibility for testing the stability of these programs and providing patches for them to work together. - The third is RISK ASSESSMENT, OSSIM offers high level state indicators that allow us to guide inspection and measure the security situation of our network. * DISTRIBUTION - OSSIM integrates a number of powerful open source security tools in a single distribution. These include: - Snort - Nessus - Ntop - Snortcenter - Acid - Riskmeter - Spade - RRD - Nmap, P0f, Arpwatch, etc.. - These tools are linked together in OSSIM’s console giving the user a single, integrated navigation environment. * ARCHITECTURE - OSSIM is organized into 3 layers: . Sensors . Servers . Console - The database is independent of these layers and could be considered to be a fourth layer. OSSIM 2004/02/07 Sensors - Sensors integrate powerful software in order to provide three capabilities: . IDS . Anomaly Detection . Real time Monitoring - Sensors can also perform other functions including traffic consolidation on a segment and event normalization. - Sensors communicate and receive orders from the server using a proprietary protocol. Server - OSSIM’s server has the following capabilities: . Correlation . Prioritization . Online inventory . Risk assessment . Normalization Console The console’s interface is structured hierarchically with the following functions: .
    [Show full text]