Host Based Intrusion Detection
Transcription
Simple Menu Driven Installation

  OSSEC HIDS v2.4 Installation Script - http://www.ossec.net

  You are about to start the installation process of the OSSEC HIDS.
  You must have a C compiler pre-installed in your system.
  If you have any questions or comments, please send an e-mail
  to dcid@ossec.net (or daniel.cid@gmail.com).

   - System: Linux myserver.mysite.com 2.6.18-164.15.1.el5
   - User: root
   - Host: myserver.mysite.com

  -- Press ENTER to continue or Ctrl-C to abort. --

What OSSEC does:
• Log Analysis
• Integrity Checking
• Rootkit Detection
• Policy Monitoring
• Alerting
• Active Responses

LIDS: Log-based Intrusion Detection System
• Scalable
• Easy to install
• Free
• Multiplatform
• Secure by default
• Loaded with rules & decoders

Log Management: Alerts, Correlates events, Takes Action

[Architecture diagram: a host running several VMs, each VM with an OSSEC Agent reporting to an OSSEC Server]

Custom rule example for your own application. In web-log rules <id> matches the HTTP status code, so 111101 alerts at level 5 on any 4xx, and its level-0 child 111102 drops the 4xx errors for static files; <compiled_rule> names a check compiled into ossec-analysisd rather than a regex:

  <group name="MyCustomApp,">
    <rule id="111100" level="0">
      <category>web-log</category>
      <description>Access log messages grouped.</description>
    </rule>

    <rule id="111108" level="0">
      <if_sid>111100</if_sid>
      <id>^2|^3</id>
      <compiled_rule>is_simple_xyz_request</compiled_rule>
      <description>Ignored URLs (simple queries).</description>
    </rule>

    <rule id="111101" level="5">
      <if_sid>111100</if_sid>
      <id>^4</id>
      <description>Custom server 4014 error code.</description>
    </rule>

    <rule id="111102" level="0">
      <if_sid>111101</if_sid>
      <url>.jpg$|.gif$|favicon.ico$|.png$|rs.txt$|.cs$|.js$</url>
      <compiled_rule>is_simple_cutsom_request</compiled_rule>
      <description>Ignored extensions on 4000 error codes.</description>
    </rule>
  </group>

What gets monitored: Logs, File Changes, Registry Modifications

Predecoding & Decoding

So how does it work?
Stand-alone vs. Client-Server

Stand-alone
• Acts as client & server
• Not very useful
• Testing scenarios only

Client-Server Install
• More secure
• Centralized management
• Greater taste, less filling

UNIX Integrity Checking: Syscheck
• File Integrity Checking (MD5, SHA-1)
• Registry Integrity Checking (Windows agents)

Active Responses Out of the Box
• disable-account.sh
• firewall-drop.sh
• host-deny.sh
• ipfw_mac.sh
• ipfw.sh

Secure Architecture
• Encryption; key exchange at installation
• Integrity checks performed at the server
• Each process runs with the lowest permissions it needs
• Multiple processes
• Components run in a chrooted jail

So how do you install OSSEC?

OSSEC Server Installation: install.sh questions (with the answers given here)

  For installation in English, choose [en] (en/br/cn/de/el/es/fr/it/jp/nl/pl/ru/sr/tr) [en]: en
  What kind of installation do you want (server, agent, local or help)? server
  Choose where to install the OSSEC HIDS [/var/ossec]: /var/ossec
  Do you want e-mail notification? (y/n) [y]: y
    What's your e-mail address? guru@myfirm.com
    We found your SMTP server as: mailserver.myfirm.com. Do you want to use it? (y/n) [y]: y
  Do you want to run the integrity check daemon? (y/n) [y]: y
  Do you want to run the rootkit detection engine? (y/n) [y]: y
  Do you want to enable active response? (y/n) [y]: y
    Do you want to enable the firewall-drop response? (y/n) [y]: y
    Do you want to add more IPs to the white list? (y/n)? [n]: n

Answer the white list question with your management and monitoring hosts before enabling firewall-drop, so an active response can never lock you out of your own server.

That's it!
Installation Locations

Default installation in /var/ossec
• Main configuration file is /var/ossec/etc/ossec.conf
• Decoders are stored at /var/ossec/etc/decoders.xml
• Binaries are stored at /var/ossec/bin/
• Rules are stored at /var/ossec/rules/*.xml
• Alerts are stored at /var/ossec/logs/alerts/alerts.log

Why aren't the OSSEC logs in /var/log?

OSSEC Processes: Secure chroot

Chroot definition (from Wikipedia): a program that is "chrooted" is re-rooted to another directory and cannot access or name files outside that directory. The OSSEC daemons are chrooted into /var/ossec, so /var/log does not exist from their point of view.

• Processes are limited in privilege
• Processes run as different users

OSSEC Processes
• ossec-analysisd - runs as user ossec (performs the analysis)
• ossec-remoted - runs as user ossecr (runs on the server and collects logs from agents)
• ossec-maild - runs as user ossecm (sends e-mail alerts)
• ossec-execd - runs as root (executes active responses)
• ossec-logcollector - runs as root, but only reads the logs, no analysis (collects logs)
• ossec-syscheckd - runs as root (file integrity monitoring)
• ossec-monitord - runs as user ossec (monitors agent status)
• ossec-agentd - runs as user ossec (runs on agents and forwards logs to remoted on the server)

Add the Clients as Agents (on the server)

(server)# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v0.8 Agent manager.       *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your actions: A,E,R or Q: a

Provide the name and IP:

- Adding a new agent (use 'q' to return to main menu).
  Please provide the following:
   * A name for the new agent: linux1
   * The IP Address for the new agent: 192.168.2.32
   * An ID for the new agent[001]:
Agent information:
   ID:001
   Name:linux1
   IP Address:192.168.2.32

Confirm adding it?(y/n): y
Added.

Extract the Encryption Key

****************************************
* OSSEC HIDS v0.8 Agent manager.       *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your actions: A,E,R or Q: e

Pick the client ID and copy the key:

Available agents:
   ID: 001, Name: linux1, IP: 192.168.2.32
   ID: 002, Name: obsd1, IP: 192.168.2.10
Provide the ID of the agent you want to extract the key: 001

Agent key information for '001' is:
CDAxIGxpbnX4MSAxOTIuMTY4LjAuMzIgOWM5MENlYzNXXXYYYZZZZZ==

** Press ENTER to continue

Client Side Setup

(linux1)# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v0.8 Agent manager.       *
* The following options are available: *
****************************************
   (I)mport key for the server (I).
   (Q)uit.
Choose your actions: I or Q: I

* Provide the Key generated from the server.
* The best approach is to cut and paste it.
* Do not include spaces or new line characters.
Paste it here: CDAxIGxpbnX4MSAxOTIuMTY4LjAuMzIgOWM5MENlYzNXXXYYYZZZZZ==

The extracted string is the agent's line from /var/ossec/etc/client.keys, base64-encoded, not encrypted: treat it as a secret, move it over a secure channel, and do not leave it in shell history, tickets or e-mail.

Restart OSSEC on Client and Server

(server)# /var/ossec/bin/ossec-control restart
(client)# /var/ossec/bin/ossec-control restart

Repeat that process for all clients/agents.

Windows Agent is a GUI

What can the Windows Agent do?
• Monitors the Windows event log in real time
• Monitors IIS logs (Web, FTP, SMTP) and any other logs present on your system (including Symantec Anti-Virus, MySQL, Apache, etc.) at near real time
• Periodically checks the Windows Registry for changes
• Periodically checks your Windows folders for changes
• Periodically does policy verifications to make sure your system is configured properly
• Looks for alternate NTFS file streams

Installation Issue
OSSEC Server no likey SELinux

What does OSSEC look like?
[OSSEC WebUI screenshots]

OSSEC Alert Levels
00 - Ignored
01 - None
02 - System low priority notification
03 - Successful/Authorized events
04 - System low priority error
05 - User generated error
06 - Low relevance attack
07 - "Bad word" matching
08 - First time seen
09 - Error from invalid source
10 - Multiple user generated errors
11 - Integrity checking warning
12 - High importance event
13 - Unusual error (high importance)
14 - High importance security event
15 - Severe attack

Rules: /var/ossec/rules

  apache_rules.xml         pam_rules.xml            vpopmail_rules.xml       ms-exchange_rules.xml
  symantec-ws_rules.xml    hordeimp_rules.xml       sendmail_rules.xml       attack_rules.xml
  policy_rules.xml         wordpress_rules.xml      mysql_rules.xml          translated/
  zeus_rules.xml           named_rules.xml          trend-osce_rules.xml     netscreenfw_rules.xml
  vmpop3d_rules.xml        nginx_rules.xml          vmware_rules.xml         ossec_rules.xml
  vpn_concentrator_rules.xml  firewall_rules.xml    roundcube_rules.xml      arpwatch_rules.xml
  php_rules.xml            vsftpd_rules.xml         ms_ftpd_rules.xml        syslog_rules.xml
  ids_rules.xml            smbd_rules.xml           backup-rules.24026       postfix_rules.xml
  cimserver_rules.xml      postgresql_rules.xml     cisco-ios_rules.xml      proftpd_rules.xml
  courier_rules.xml        pure-ftpd_rules.xml      dovecot_rules.xml        racoon_rules.xml
  ms_dhcp_rules.xml        symantec-av_rules.xml    ftpd_rules.xml           rules_config.xml
  asterisk_rules.xml       pix_rules.xml            web_rules.xml            ms-se_rules.xml
  telnetd_rules.xml        imapd_rules.xml          solaris_bsm_rules.xml    local_rules.xml
  sonicwall_rules.xml      mailscanner_rules.xml    spamd_rules.xml          mcafee_av_rules.xml
  squid_rules.xml          msauth_rules.xml         sshd_rules.xml

OSSEC Rule ID Ranges

  00000-00999     Reserved for internal OSSEC HIDS rules
  01000-01999     General syslog rules
  02100-02299     Network File System (NFS) rules
  02300-02499     xinetd rules
  02500-02699     Access control rules
  02700-02729     mail/procmail rules
  02800-02829     smartd rules
  02830-02859     crond rules
  02860-02899     Mount/Automount rules
  03100-03299     Sendmail mail server rules
  03300-03499     Postfix mail server rules
  03500-03599     spamd filter rules
  03600-03699     imapd mail server rules
  03700-03799     Mail scanner rules
  03800-03899     Microsoft Exchange mail server rules
  03900-03999     Courier mail rules (imapd/pop3d/pop3-ssl)
  04100-04299     Generic firewall rules
  04300-04499     Cisco PIX/FWSM/ASA firewall rules
  04500-04699     Juniper Netscreen firewall rules
  04700-04799     Cisco IOS rules
  04800-04899     SonicWall firewall rules
  05100-05299     Linux, UNIX, BSD kernel rules
  05300-05399     Switch user (su) rules
  05400-05499     Super user do (sudo) rules
  05500-05599     Unix pluggable authentication modules (PAM) rules
  05600-05699     telnetd rules
  05700-05899     sshd rules
  05900-05999     Add user or user deletion rules
  07100-07199     Tripwire rules
  07200-07299     arpwatch rules
  07300-07399     Symantec Antivirus rules
  07400-07499     Symantec Web Security rules
  09100-09199     Point-to-point tunneling protocol (PPTP) rules
  09200-09299     Squid syslog rules
  09300-09399     Horde IMP rules
  09900-09999     vpopmail rules
  10100-10199     FTS (first time seen) rules
  11100-11199     ftpd rules
  11200-11299     ProFTPD rules
  11300-11399     Pure-FTPD rules
  11400-11499     vs-FTPD rules
  11500-11599     MS-FTP rules
  12100-12299     named (BIND DNS) rules
  13100-13299     Samba (smbd) rules
  14100-14199     Racoon (IPsec IKE daemon) rules
  14200-14299     Cisco VPN Concentrator rules
  17100-17399     Policy rules
  18100-18499     Windows system rules
  20100-20299     IDS rules
  20300-20499     IDS (Snort specific) rules
  30100-30999     Apache HTTP server error log rules
  31100-31199     Web access log rules
  31200-31299     Zeus web server rules
  35000-35999     Squid rules
  40100-40499     Attack pattern rules
  40500-40599     Privilege escalation rules
  40600-40999     Scan pattern rules
  50100-50299     MySQL database rules
  50500-50799     PostgreSQL database rules
  100000-119999   User-defined rules

Custom Rules: /var/ossec/rules/local_rules.xml

Event -> Predecoding -> Decoding -> Rules -> Alerts (e-mails, Active Responses, Logs)

Predecoding Fields: Time, Date, Hostname, Program Name, Log message

  Jun 13 13:13:03 cle-linx01 sshd[1205]: Accepted password for admin from 10.1.1.1 port 1618 ssh2

Decoding Fields: Username, IP Address, Port, Version

  Accepted password for admin from 10.1.1.1 port 1618 ssh2

/var/ossec/etc/decoders.xml decoder:

  <decoder name="sshd">
    <program_name>^sshd</program_name>
  </decoder>

  <decoder name="sshd-success">
    <parent>sshd</parent>
    <prematch>^Accepted</prematch>
    <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port </regex>
    <order>user, srcip</order>
    <fts>name, user, location</fts>
  </decoder>

  <decoder name="ssh-denied">
    <parent>sshd</parent>
    <prematch>^User \S+ from </prematch>
    <regex offset="after_parent">^User (\S+) from (\S+) </regex>
    <order>user, srcip</order>
  </decoder>
  ....
Event -> Predecoding -> Decoding -> Rules -> Alerts (e-mails, Active Responses, Logs)

2 Types of Rules: Atomic and Composite

Atomic Rule Example

  <group name="web,accesslog,">
    <rule id="31100" level="0">
      <category>web-log</category>
      <description>Access log messages grouped.</description>
    </rule>

Composite Rule Example

    <rule id="31153" level="10" frequency="8" timeframe="120">
      <if_matched_sid>31104</if_matched_sid>
      <same_source_ip />
      <description>Multiple common web attacks from same source ip.</description>
      <group>attack,</group>
    </rule>
  </group>

What log files get monitored?

ossec.conf log file entries:

  <!-- Files to monitor (localfiles) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/maillog</location>
  </localfile>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/error_log</location>
  </localfile>
  ....

How do I shut this thing up?
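The pipeline described above (predecoding, decoding, atomic rules, composite rules) as an added Python example; this is not OSSEC's code and nothing here is taken from the project. It reuses the sshd decoder from the decoders.xml excerpt, adds an assumed sshd-failed child decoder, and uses rule ids from sshd_rules.xml with a simplified threshold for 5720 (frequency 3, timeframe 120, assumed); rule 100100 is a hypothetical local_rules.xml override of the level-0 kind shown in the next section. The regexes are Python `re`, not OSSEC's own dialect, the year is assumed to be 2010 because syslog lines carry none, and the log lines are constructed.

```python
# Added example (not OSSEC's code): a miniature OSSEC-style pipeline, event -> predecoding ->
# decoding -> rules -> alert, run over constructed log lines.
import re
from collections import defaultdict
from datetime import datetime

# Predecoding: syslog header -> time, date, hostname, program name, log message.
SYSLOG_RE = re.compile(r'^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) '
                       r'(?P<hostname>\S+) (?P<program>[^\[\]:\s]+)(?:\[\d+\])?: (?P<msg>.*)$')

def predecode(line, year=2010):   # syslog lines carry no year; 2010 assumed, as on the page
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev['timestamp'] = datetime.strptime(f"{year} {ev['month']} {ev['day']} {ev['time']}", "%Y %b %d %H:%M:%S")
    return ev

# Decoding, modeled on the decoders.xml excerpt above (Python re syntax, not OSSEC's own dialect).
# sshd-failed is an assumed child decoder; the page only shows sshd-success and ssh-denied.
DECODERS = [
    {'name': 'sshd', 'program_name': re.compile(r'^sshd')},
    {'name': 'sshd-success', 'parent': 'sshd', 'prematch': re.compile(r'^Accepted'),
     'regex': re.compile(r'^ \S+ for (\S+) from (\S+) port '), 'order': ('user', 'srcip')},
    {'name': 'sshd-failed', 'parent': 'sshd', 'prematch': re.compile(r'^Failed'),
     'regex': re.compile(r'^ \S+ for (\S+) from (\S+) port '), 'order': ('user', 'srcip')},
]

def decode(ev):
    # Parent decoder by program name, then the first child whose prematch hits; the child regex
    # is applied to the text after the prematch (offset="after_prematch").
    parent = next((d for d in DECODERS if 'program_name' in d and d['program_name'].match(ev['program'])), None)
    if parent is None:
        return ev
    ev['parent_decoder'] = ev['decoder'] = parent['name']
    for child in DECODERS:
        pm = child['prematch'].match(ev['msg']) if child.get('parent') == parent['name'] else None
        if pm is None:
            continue
        m = child['regex'].match(ev['msg'][pm.end():])
        if m:
            ev.update(zip(child['order'], m.groups()))
            ev['decoder'] = child['name']
        break
    return ev

# Rules: ids follow sshd_rules.xml, but 5720's threshold is simplified (the shipped rule differs);
# 100100 is a hypothetical local_rules.xml override, the silencing technique shown further down the page.
RULES = [
    {'id': 5700, 'level': 0, 'match': {'parent_decoder': r'^sshd$'}, 'descr': 'SSHD messages grouped.'},
    {'id': 5715, 'level': 3, 'if_sid': 5700, 'match': {'decoder': r'^sshd-success$'}, 'descr': 'SSHD authentication success.'},
    {'id': 5716, 'level': 5, 'if_sid': 5700, 'match': {'decoder': r'^sshd-failed$'}, 'descr': 'SSHD authentication failed.'},
    {'id': 5720, 'level': 10, 'if_matched_sid': 5716, 'frequency': 3, 'timeframe': 120, 'same_source_ip': True,
     'descr': 'Multiple SSHD authentication failures.'},
    {'id': 100100, 'level': 0, 'if_sid': 5715, 'match': {'srcip': r'^10\.1\.1\.1$'}, 'descr': 'Ignore bastion logins.'},
]
HISTORY = defaultdict(list)   # (composite rule id, srcip) -> timestamps of the atomic rule's matches

def _matches(rule, ev):
    return all(re.search(p, str(ev.get(f, ''))) for f, p in rule.get('match', {}).items())
def _refine(rule, ev):
    # Descend into the first matching if_sid child; the deepest match decides the level.
    for child in RULES:
        if child.get('if_sid') == rule['id'] and _matches(child, ev):
            return _refine(child, ev)
    return rule
def _composite(rule, ev):
    # Promote to an if_matched_sid rule once `frequency` matches from one source ip fall inside
    # `timeframe` seconds (simplified; OSSEC's own threshold counting is not reproduced exactly).
    for comp in RULES:
        if comp.get('if_matched_sid') == rule['id']:
            hist = HISTORY[(comp['id'], ev.get('srcip') if comp.get('same_source_ip') else None)]
            hist.append(ev['timestamp'])
            hist[:] = [t for t in hist if (ev['timestamp'] - t).total_seconds() <= comp['timeframe']]
            if len(hist) >= comp['frequency']:
                hist.clear()   # one alert per burst
                return comp
    return rule

def apply_rules(ev):   # alert dict for the event, or None when nothing (or only a level-0 rule) matches
    for root in RULES:
        if 'if_sid' in root or 'if_matched_sid' in root or not _matches(root, ev):
            continue
        rule = _composite(_refine(root, ev), ev)
        if rule['level'] == 0:   # level 0 means ignored: this is what silencing relies on
            return None
        return {'rule': rule['id'], 'level': rule['level'], 'description': rule['descr'],
                'srcip': ev.get('srcip'), 'user': ev.get('user')}
    return None

def run(log_text):   # alerts raised for the lines of log_text, in order
    HISTORY.clear()
    events = (predecode(line) for line in log_text.splitlines())
    return [a for a in (apply_rules(decode(ev)) for ev in events if ev) if a]

# Constructed sample log: a bastion login, a normal login, a brute-force burst and a cron line.
SAMPLE_LOG = """\
Jun 13 13:13:03 cle-linx01 sshd[1205]: Accepted password for admin from 10.1.1.1 port 1618 ssh2
Jun 13 13:13:10 cle-linx01 sshd[1207]: Accepted password for admin from 192.168.2.32 port 1620 ssh2
Jun 13 13:14:03 cle-linx01 sshd[1211]: Failed password for root from 203.0.113.9 port 40002 ssh2
Jun 13 13:14:05 cle-linx01 sshd[1212]: Failed password for root from 203.0.113.9 port 40003 ssh2
Jun 13 13:14:07 cle-linx01 sshd[1213]: Failed password for root from 203.0.113.9 port 40004 ssh2
Jun 13 13:14:30 cle-linx01 crond[1300]: (root) CMD (run-parts /etc/cron.hourly)
"""
```

Running `run(SAMPLE_LOG)` yields four alerts: the login from 192.168.2.32 at level 3 (rule 5715), two level-5 failures (5716), and on the third failure from 203.0.113.9 inside 120 seconds the composite rule 5720 at level 10. The bastion login is swallowed by the level-0 child 100100, and the cron line never reaches a rule because no decoder claims it; the rule tree walk (parent, then first matching child, deepest match wins) is exactly why a level-0 child in local_rules.xml silences its parent.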
Rewriting a Rule to Silence It

Edit /var/ossec/rules/local_rules.xml:

  <rule id="100030" level="0">
    <if_sid>31106</if_sid>
    <description>List of rules to be ignored.</description>
  </rule>

  <rule id="110002" level="0">
    <if_group>authentication_failures,</if_group>
    <if_sid>18152</if_sid>
    <description>Changes ignored.</description>
  </rule>

  <rule id="110003" level="0">
    <if_group>system_error,</if_group>
    <if_sid>31122</if_sid>
    <description>Changes ignored.</description>
  </rule>

A child rule (if_sid) with level 0 overrides the rule it points at, so the matching event is dropped. Narrow the override with <srcip>, <user>, <url> or <match> where you can, instead of silencing the parent rule for every host.

Raise Alert Levels

The same override with a higher level raises the event's severity instead of dropping it.

Stupid OSSEC Tricks: Coding Daily Reports

Add these lines to ossec.conf. To receive a summary of all authentication successes:

  <ossec_config>
    <reports>
      <category>authentication_success</category>
      <user type="relation">srcip</user>
      <title>Daily report: Successful logins</title>
      <email_to>me@me.com</email_to>
    </reports>
  </ossec_config>

To receive a summary of all file integrity monitoring (syscheck) alerts:

  <ossec_config>
    <reports>
      <category>syscheck</category>
      <title>Daily report: File changes</title>
      <email_to>me@me.com</email_to>
    </reports>
  </ossec_config>

Authentication Daily Report

Report 'Daily report: Successful logins' completed.
------------------------------------------------
->Processed alerts: 4388
->Post-filtering alerts: 2
->First alert: 2010 Aug 6 13:25:04
->Last alert: 2010 Aug 6 13:25:04

Top entries for 'Source ip':
------------------------------------------------
10.xx.xx.xx                                     |1 |

Top entries for 'Username':
------------------------------------------------
administrator                                   |1 |

Top entries for 'Level':
------------------------------------------------
Severity 3                                      |2 |

Top entries for 'Group':
------------------------------------------------
authentication_success                          |2 |
syslog                                          |2 |
pam                                             |1 |
sshd                                            |1 |

Top entries for 'Location':
------------------------------------------------
(dmz-server) 192.168.x.x->/var/log/secure       |2 |

Top entries for 'Rule':
------------------------------------------------
5501 - Login session opened.                    |1 |
5715 - SSHD authentication success.             |1 |

Related entries for 'Username':
------------------------------------------------
administrator                                   |1 |
   srcip: '10.xx.xx.xx'

Forensic Analysis of Log Files

# cat /var/log/secure | /var/ossec/bin/ossec-logtest -a
2010/08/18 08:37:32 ossec-testrule: INFO: Started (pid: 25489).

** Alert 1282135052.1: mail - syslog,fts,authentication_success
2010 Aug 18 08:37:32 MYSVR01->stdin
Rule: 10100 (level 4) -> 'First time user logged in.'
Src IP: 192.168.14.147
User: root
Aug 16 08:31:30 MYSVR01 sshd[28191]: Accepted password for root from 192.168.14.147 port 56321

** Alert 1282135052.2: - syslog,sshd,authentication_success,
2010 Aug 18 08:37:32 MYSVR01->stdin
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 192.168.0.5
User: root
Aug 16 16:24:37 MYSVR01 sshd[7089]: Accepted password for root from 192.168.0.5 port 35614 ssh2

** Alert 1282135052.3: mail - syslog,errors,
2010 Aug 18 08:37:32 MYSVR01->stdin
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Src IP: (none)
User: (none)
Aug 17 09:32:20 MYSVR01 sshd[3176]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
...

Note that the alert timestamps (2010 Aug 18) are the time of the replay, not of the original events (Aug 16 and 17 in the log lines). When you replay old logs through ossec-logtest, take the real time of the event from the log line, not from the alert header.

Forensic Analysis Summary (1)

# cat /var/log/secure | /var/ossec/bin/ossec-logtest -a | /var/ossec/bin/ossec-reportd
2010/08/18 08:42:53 ossec-reportd: INFO: Started (pid: 32590).
2010/08/18 08:42:53 ossec-testrule: INFO: Started (pid: 32589).
2010/08/18 08:42:58 ossec-reportd: INFO: Report completed. Creating output...

Report completed. ==
------------------------------------------------
->Processed alerts: 7
->Post-filtering alerts: 7
->First alert: 2010 Aug 18 08:42:53
->Last alert: 2010 Aug 18 08:42:53

Top entries for 'Source ip':
------------------------------------------------
192.168.14.147                                  |2 |
192.168.16.52                                   |1 |
192.168.0.5                                     |1 |

Top entries for 'Username':
------------------------------------------------
root                                            |4 |

Forensic Analysis Summary (2)

Top entries for 'Level':
------------------------------------------------
Severity 3                                      |5 |
Severity 2                                      |1 |
Severity 4                                      |1 |

Top entries for 'Group':
------------------------------------------------
syslog                                          |7 |
authentication_success                          |5 |
sshd                                            |3 |
pam                                             |2 |
errors                                          |1 |
fts                                             |1 |

Top entries for 'Location':
------------------------------------------------
MYSVR01->stdin                                  |7 |

Forensic Analysis Summary (3)

Top entries for 'Rule':
------------------------------------------------
5715 - SSHD authentication success.             |3 |
1002 - Unknown problem somewhere in the syst..  |1 |
10100 - First time user logged in.              |1 |
5501 - Login session opened.                    |1 |
5502 - Login session closed.                    |1 |

Log dump:
------------------------------------------------
2010 Aug 18 08:42:53 MYSVR01->stdin
Rule: 10100 (level 4) -> 'First time user logged in.'
Aug 16 08:31:30 MYSVR01 sshd[28191]: Accepted password for root from 192.168.14.147 port 56321
...

Brute Force Attack Report

The -f option filters the report to one field value; here only alerts carrying the authentication_failures group are counted:

# cat /var/log/secure | /var/ossec/bin/ossec-logtest -a | /var/ossec/bin/ossec-reportd -f group authentication_failures
Report completed. ==
------------------------------------------------
->Processed alerts: 362
->Post-filtering alerts: 21

Top entries for 'Source ip':
------------------------------------------------
87.123.106.142                                  |2 |
8.20.19.170                                     |2 |
134.255.9.163                                   |1 |
17.15.13.13                                     |1 |
14.25.62.36                                     |1 |
73.45.18.20                                     |1 |
20.12.99.59                                     |1 |
102.63.145.50                                   |1 |
222.2.25.202                                    |1 |

Top entries for 'Username':
------------------------------------------------
root                                            |22 |

Top entries for 'Level':
------------------------------------------------
Severity 10                                     |21 |

Top entries for 'Group':
------------------------------------------------
authentication_failures                         |21 |
sshd                                            |21 |
syslog                                          |21 |

Top entries for 'Location':
------------------------------------------------
enigma->stdin                                   |21 |

Top entries for 'Rule':
------------------------------------------------
5720 - Multiple SSHD authentication failures.   |19 |
5712 - SSHD brute force trying to get access..  |1 |
...

Lessons Learned
• It's simple. Use it.
• Lots of noise on upgrades.
• Windows 2008 R2 whines...and whines...and whines....
• Agentless monitoring allows you to monitor many appliances (routers, switches, firewalls, etc.)

Questions?

Image Credits
• http://mrg.bz/wrcjRr (Log File)
• http://www.sxc.hu/photo/1094329 (Tired guy)
• http://mrg.bz/rpccdD (wine and beer glasses)
• http://upload.wikimedia.org/wikipedia/commons/3/3e/Tux-G2.png (Tux)
• http://mrg.bz/OQ3I7U (Lock, Hulk)
• http://mrg.bz/lUCAfo (Kid at Computer)
• http://mrg.bz/nXxLey
• http://www.sxc.hu/photo/569804 (Direction sign)
• http://www.sxc.hu/photo/1255864 (Wormhole)
• http://www.sxc.hu/photo/1267612 (Fire)

The following images were used under fair use provisions of US copyright and trademark law: logos of Windows, Tux, FreeBSD, VMware, Mac OS X, OSSEC and AIX; OSSEC WebUI screenshots.
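The forensic analysis and brute force report sections above pipe `ossec-logtest -a` into `ossec-reportd`, optionally with `-f group authentication_failures`. As an added example (not OSSEC's code, and not a reimplementation of ossec-reportd itself), here is a small Python parser for the alert layout ossec-logtest -a prints, which is the same layout as alerts.log, together with the "Top entries" tables and a group filter. The sample alerts are constructed and modeled on the page's output; 203.0.113.9 and 198.51.100.77 are documentation addresses, not real attackers.

```python
# Added example (not OSSEC's code): parse alerts in the layout printed by ossec-logtest -a
# (the alerts.log layout) and build the "Top entries" tables ossec-reportd produces,
# including a group filter equivalent to `ossec-reportd -f group authentication_failures`.
import re
from collections import Counter

HEADER_RE = re.compile(r'^\*\* Alert (?P<id>[\d.]+): (?:(?P<flags>\w+) )?- (?P<groups>\S+)$')
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<descr>.*)'$")
LOCATION_RE = re.compile(r'^(?P<when>\d{4} [A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d) (?P<location>.+)$')

def parse_alerts(text):
    """Split the blank-line-separated alert blocks into dicts; unrecognised lines are the raw log."""
    alerts = []
    for block in re.split(r'\n\s*\n', text.strip()):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0])
        if head is None:
            continue   # not an alert block (e.g. ossec-logtest's own INFO lines)
        a = {'id': head['id'], 'mail': head['flags'] == 'mail', 'srcip': None, 'user': None,
             'groups': [g for g in head['groups'].split(',') if g], 'log': []}
        for line in lines[1:]:
            rule, loc = RULE_RE.match(line), LOCATION_RE.match(line)
            if rule:
                a.update(rule=int(rule['rule']), level=int(rule['level']), description=rule['descr'])
            elif loc:
                a.update(when=loc['when'], location=loc['location'])
            elif line.startswith('Src IP: '):
                a['srcip'] = None if line[8:] == '(none)' else line[8:]
            elif line.startswith('User: '):
                a['user'] = None if line[6:] == '(none)' else line[6:]
            else:
                a['log'].append(line)   # composite alerts carry several matched log lines
        alerts.append(a)
    return alerts

def summarize(alerts, group=None):
    """Counters per field, like reportd's 'Top entries'; `group` keeps only alerts carrying that group."""
    kept = [a for a in alerts if group is None or group in a['groups']]
    return {'processed': len(alerts), 'post_filtering': len(kept),
            'srcip': Counter(a['srcip'] for a in kept if a['srcip']),
            'user': Counter(a['user'] for a in kept if a['user']),
            'level': Counter(f"Severity {a['level']}" for a in kept),
            'group': Counter(g for a in kept for g in a['groups']),
            'location': Counter(a.get('location', '') for a in kept),
            'rule': Counter(f"{a['rule']} - {a['description']}" for a in kept)}

TITLES = [('srcip', 'Source ip'), ('user', 'Username'), ('level', 'Level'),
          ('group', 'Group'), ('location', 'Location'), ('rule', 'Rule')]

def format_report(s):
    """Render the counters in the layout ossec-reportd uses."""
    out = [f"->Processed alerts: {s['processed']}", f"->Post-filtering alerts: {s['post_filtering']}"]
    for key, title in TITLES:
        out += ['', f"Top entries for '{title}':", '-' * 48]
        out += [f"{name:<46}|{n} |" for name, n in s[key].most_common()]
    return '\n'.join(out)

# Constructed sample in the ossec-logtest -a layout (modeled on the page's output, not copied from it).
SAMPLE_ALERTS = """\
** Alert 1282135052.2: - syslog,sshd,authentication_success,
2010 Aug 18 08:37:32 MYSVR01->stdin
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 192.168.0.5
User: root
Aug 16 16:24:37 MYSVR01 sshd[7089]: Accepted password for root from 192.168.0.5 port 35614 ssh2

** Alert 1282135052.3: mail - syslog,errors,
2010 Aug 18 08:37:32 MYSVR01->stdin
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Src IP: (none)
User: (none)
Aug 17 09:32:20 MYSVR01 sshd[3176]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.

** Alert 1282135052.4: mail - syslog,sshd,authentication_failures,
2010 Aug 18 08:37:33 MYSVR01->stdin
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 203.0.113.9
User: root
Aug 17 22:10:01 MYSVR01 sshd[4410]: Failed password for root from 203.0.113.9 port 51011 ssh2
Aug 17 22:10:03 MYSVR01 sshd[4412]: Failed password for root from 203.0.113.9 port 51012 ssh2

** Alert 1282135052.5: mail - syslog,sshd,authentication_failures,
2010 Aug 18 08:37:33 MYSVR01->stdin
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 198.51.100.77
User: root
Aug 17 23:01:44 MYSVR01 sshd[4520]: Failed password for root from 198.51.100.77 port 38822 ssh2
"""

if __name__ == '__main__':
    print(format_report(summarize(parse_alerts(SAMPLE_ALERTS), group='authentication_failures')))
```

With the group filter the report counts 2 of the 4 alerts, both rule 5720 at severity 10, one per attacking address, which is the shape of the brute force report above. Without it, "(none)" fields are skipped rather than counted, so the srcip table never shows a "(none)" row even though the error alert has no source.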