OSSEC Host-Based Intrusion Detection Guide -  Rory Bray,  Daniel Cid,  Andrew Hay

OSSEC Host-Based Intrusion Detection Guide (eBook)

eBook Download: PDF
2008 | 1st edition
416 pages
Elsevier Science (publisher)
978-0-08-055877-6 (ISBN)
System requirements
48,89 incl. VAT

This book is the definitive guide on the OSSEC Host-based Intrusion Detection system and frankly, to really use OSSEC you are going to need a definitive guide. Documentation has been available since the start of the OSSEC project but, due to time constraints, no formal book has been created to outline the various features and functions of the OSSEC product. This has left very important and powerful features of the product undocumented...until now! The book you are holding will show you how to install and configure OSSEC on the operating system of your choice and provide detailed examples to help prevent and mitigate attacks on your systems. -- Stephen Northcutt

OSSEC determines if a host has been compromised in this manner by taking the equivalent of a picture of the host machine in its original, unaltered state. This 'picture' captures the most relevant information about that machine's configuration. OSSEC saves this 'picture' and then constantly compares it to the current state of that machine to identify anything that may have changed from the original configuration. Now, many of these changes are necessary, harmless, and authorized, such as a system administrator installing a new software upgrade, patch, or application. But, then there are the not-so-harmless changes, like the installation of a rootkit, trojan horse, or virus. Differentiating between the harmless and the not-so-harmless changes determines whether the system administrator or security professional is managing a secure, efficient network or a compromised network which might be funneling credit card numbers out to phishing gangs or storing massive amounts of pornography creating significant liability for that organization.

Separating the wheat from the chaff is by no means an easy task. Hence the need for this book. The book is co-authored by Daniel Cid, who is the founder and lead developer of the freely available OSSEC host-based IDS. As such, readers can be certain they are reading the most accurate, timely, and insightful information on OSSEC.

* Nominee for Best Book Bejtlich read in 2008!
* http://taosecurity.blogspot.com/2008/12/best-book-bejtlich-read-in-2008.html
• Get Started with OSSEC
Get an overview of the features of OSSEC including commonly used terminology, pre-install preparation, and deployment considerations.
• Follow Step-by-Step Installation Instructions
Walk through the installation process for the 'local', 'agent', and 'server' install types on some of the most popular operating systems available.
• Master Configuration
Learn the basic configuration options for your install type and learn how to monitor log files, receive remote messages, configure email notification, and configure alert levels.
• Work With Rules
Extract key information from logs using decoders and how you can leverage rules to alert you of strange occurrences on your network.
• Understand System Integrity Check and Rootkit Detection
Monitor binary executable files, system configuration files, and the Microsoft Windows registry.
• Configure Active Response
Configure the active response actions you want and bind the actions to specific rules and sequence of events.
• Use the OSSEC Web User Interface
Install, configure, and use the community-developed, open source web interface available for OSSEC.
• Play in the OSSEC VMware Environment Sandbox
• Dig Deep into Data Log Mining
Take the 'high art' of log analysis to the next level by breaking the dependence on the lists of strings or patterns to look for in the logs.

Rory Bray is senior software engineer at Q1 Labs Inc. with years of experience developing Internet and security related services. In addition to being a long-time advocate of Open Source software, Rory has developed a strong interest in network security and secure development practices. Rory has a diverse background which includes embedded development, web application design, software architecture, security consulting and technical editing. This broad range of experience provides a unique perspective on security solutions.

Front Cover 1
OSSEC Host-Based Intrusion Detection Guide 2
Copyright Page 4
Lead Authors 6
Contributors 8
Contents 10
About this Book 18
About the DVD 24
Foreword 26
Chapter 1: Getting Started with OSSEC 29
Introduction 30
Introducing Intrusion Detection 31
Network Intrusion Detection 31
Host-Based Intrusion Detection 36
File Integrity Checking 37
Registry Monitoring 37
Rootkit Detection 38
Active Response 39
Introducing OSSEC 40
Planning Your Deployment 41
Local Installation 43
Agent Installation 44
Server Installation 44
Which Type Is Right For Me? 45
Identifying OSSEC Pre-installation Considerations 46
Supported Operating Systems 47
Special Considerations 47
Microsoft Windows 48
Sun Solaris 48
Ubuntu Linux 49
Mac OS X 49
Summary 50
Solutions Fast Track 51
Frequently Asked Questions 53
Chapter 2: Installation 57
Introduction 58
Downloading OSSEC HIDS 61
Getting the Files 62
Preparing the System 62
Building and Installing 63
Performing Local Installation 64
Performing Server-Agent Installations 68
Installing the Server 68
Managing Agents 71
Installing Agents 72
Installing the Unix Agent 72
Installing the Windows Agent 72
Streamlining the Installations 83
Install Once, Copy Everywhere 83
Unix, Linux, and BSD 84
Push the Keys 85
Unix, Linux, and BSD 85
Summary 86
Solutions Fast Track 86
Frequently Asked Questions 89
Chapter 3: OSSEC HIDS Configuration 93
Introduction 94
Understanding the OSSEC HIDS Configuration File 97
Configuring Logging/Alerting Options 98
Alerting with Email 98
Configuring Email 99
Basic Email Configuration 99
Granular Email Configuration 100
Receiving Remote Events with Syslog 102
Configuring Database Output 102
Declaring Rule Files 104
Reading Log Files 106
Configuring Integrity Checking 109
Configuring an Agent 114
Configuring Advanced Options 114
Summary 118
Solutions Fast Track 118
Frequently Asked Questions 121
Chapter 4: Working with Rules 125
Introduction 126
Introducing Rules 127
Understanding the OSSEC HIDS Analysis Process 132
Predecoding Events 134
Decoding Events 136
Decoder Example: sshd Message 137
Decoder Example: vsftpd Message 138
Using the <parent>
Decoder Example: Cisco PIX Message 141
Decoder Example: Cisco IOS ACL Message 142
Understanding Rules 143
Atomic Rules 144
Writing a Rule 144
Composite Rules 157
Working with Real World Examples 160
Increasing the Severity Level of a Rule 160
Tuning Rule Frequency 161
Ignoring Rules 161
Ignoring IP Addresses 162
Correlating Multiple Snort Alerts 163
Ignoring Identity Change Events 163
Writing Decoders/Rules for Custom Applications 165
Deciding What Information to Extract 165
Creating the Decoders 166
Creating the Rules 167
Monitoring the Log File 169
Summary 171
Solutions Fast Track 172
Frequently Asked Questions 174
Chapter 5: System Integrity Check and Rootkit Detection 177
Introduction 178
Understanding System Integrity Check (syscheck) 179
Tuning syscheck 184
Working with syscheck Rules 184
Ignoring Specific Directories 185
Increasing the Alert Severity for Important Files 186
Increasing the Severity for Changes During the Weekend 186
Configuring Custom Syscheck Monitoring 187
Detecting Rootkits and Enforcing/Monitoring Policies 188
Detecting Rootkits on Linux, Unix, and BSD 189
Detecting Rootkits with Signatures 191
Monitoring and Enforcing Policy 193
Policy Monitoring Rules 196
The Rootcheck Queue 197
Summary 199
Solutions Fast Track 199
Frequently Asked Questions 201
Chapter 6: Active Response 203
Introduction 204
Introducing Active Response 205
Examining Active Response 207
Command 208
Active Response 209
Tying It Together 212
Creating a Simple Response 213
The Executable 213
The Command 214
The Response 215
Configuring a Response with Timeout 216
Host-Deny Command 216
Host-Deny Response 216
Summary 217
Solutions Fast Track 217
Frequently Asked Questions 219
Chapter 7: Using the OSSEC Web User Interface 221
Introduction 222
Introducing the OSSEC HIDS WUI 223
Identifying WUI Pre-installation Considerations 223
Downloading the WUI 225
Installing and Configuring the WUI 227
Advanced Installation Topics 231
Using htaccess for Multi-User Access 231
Enabling SSL Access 234
Optimizing PHP for Large OSSEC Deployments 236
Describing the WUI Components 237
Main 237
Available Agents 238
Latest Modified Files 240
Latest Events 242
Search 243
Alert Search Options 243
Results 250
Alert List 252
Integrity Checking 254
Latest Modified Files (for All Agents) 254
Dump Database 256
Stats 261
Stats Options 261
OSSEC Stats 262
OSSEC Stats Snapshot 263
Aggregate Values by Severity 263
Aggregate Values by Rule 264
Total Values per Hour 265
About 268
Summary 270
Solutions Fast Track 270
Frequently Asked Questions 272
Epilogue 275
From the Authors 276
Appendix A: Log Data Mining 279
Introduction 280
Data Mining Intro 280
Log Mining Intro 284
Log Mining Requirements 287
What We Mine For? 288
Deeper into Interesting 289
Conclusion 291
Endnotes 292
Appendix B: Implementing a Successful OSSEC Policy 293
The Purpose of Policy 294
Policy Guides 294
Your Policy Comes Before Implementation 294
Policy Drives the Process 294
Solutions Follow Requirements 294
Step 1: Pilot Your Policy 295
Assessing Your Environment 295
Information 295
Environment 296
Risk 296
Risk Tolerance 296
Learning about the Tool 296
Building Effective Requirements 296
Broad Focus on Availability, Integrity, and Confidentiality 297
Involve Others 297
Solve the Business Problem 297
Pilot Your Way to Success 297
Step 2: Assess Your Current Policy Framework 298
Policy Primer 298
Policy 298
Standard 298
Procedure 299
Guideline 299
Assessing What You Already Have 299
Step 3: Build and Implement Your Policies 299
Build Your Policy 300
Build Your Standard 300
Implementation and Adoption 300
Keep in Mind 301
About Michael Santarcangelo 301
Appendix C: Rootkit Detection Using Host-based IDS 303
Introduction 304
History 304
Types of Rootkits 304
Kernel-Level Rootkits 304
Application or File-Level 305
Host-based IDS as a Solution... 305
Unauthorized Listening Ports and Processes 305
Files with Permissions that Are Uncommon for the File Type 305
Files that Match a Predefined List of Rootkit "Fingerprints" 306
Modification of Key Files 306
Watch for Network Cards that Are Listening to Network Traffic 306
Users Who Have UID 0 306
Network Anomaly Detection 306
HIDS Advantages 306
HIDS Disadvantages 307
Future Developments 308
Appendix D: The OSSEC VMware Guest Image 309
Introduction 310
Using the OSSEC VMware Guest 310
OSSEC VMware Image Minimum Requirements 310
VMware Guest Information 310
Creating Your Own OSSEC VMware Image 311
Downloading the Ubuntu 7.10 ISO 311
Preparing the VMware Guest Image 312
Configuring the Base Operating System 319
Installing the OSSEC HIDS 330
Installing the OSSEC HIDS WUI 331
Conclusion 332
Index 333

Publication date (per publisher) 9.4.2008
Language: English
Subject area: Mathematics / Computer Science; Computer Science; Operating Systems / Servers
Computer Science; Networks; Security / Firewall
ISBN-10 0-08-055877-1 / 0080558771
ISBN-13 978-0-08-055877-6 / 9780080558776