This document summarizes an advanced training on integrating OSSEC and AlienVault for open source security. The presentation covers the capabilities and architecture of OSSEC and AlienVault, how they integrate, and a demo of deploying OSSEC agents, managing alerts, and correlating events across sources. OSSEC provides log analysis, file integrity checking, and signature-based malware detection while AlienVault adds threat detection capabilities, centralized management, risk assessment, and cross-source event correlation to strengthen security monitoring.
2. AGENDA
Presentation contents (20 minutes)
Learning the basics
• OSSEC capabilities
• AlienVault capabilities
OSSEC and AlienVault integration
• Integration components
• OSSEC Collector anatomy
• OSSEC Correlation rules
• AlienVault Cross-correlation
• Management interface
Demo – See it in action (20 minutes)
Deploying OSSEC agents
• Automatic deployment for Windows
• Manual deployment for Linux
Agentless monitoring
Managing OSSEC
• Monitoring/Configuring agents
• Editing rules
Correlating OSSEC events (Brute-force)
OSSEC reports
3. ABOUT ME
Developer, security engineer, researcher and
consultant.
Member of AlienVault and OSSEC core teams.
Director of Professional Services at AlienVault
Born in Spain and relocated to Silicon Valley in
2010. Excuse my accent
5. OSSEC CAPABILITIES
Log analysis based intrusion detection
File integrity checking
Registry keys integrity checking (Windows)
Signature based malware/rootkits detection
Real time alerting and active response
6. OSSEC ARCHITECTURE
Agent components:
Logcollectord: Read logs (syslog, wmi, flat files)
Syscheckd: File integrity checking
Rootcheckd: Malware and rootkits detection
Agentd: Forwards data to the server
Server components:
Remoted: Receives data from agents
Analysisd: Processes data (main process)
Monitord: Monitor agents
7. ALIENVAULT USM CAPABILITIES
Provides threat detection capabilities
Monitors network assets
Centralizes Information and Management
Evaluates threats reliability and risk
Collaboratively learns about APT
12. OSSEC CORRELATION RULES
Common web attack detected
XSS (Cross Site Scripting) attempt
SQL injection attempt detected
Windows authentication failure attempts
MySQL authentication attempt failed detected
PostgreSQL authentication attempt failed detected
SonicWall authentication attempt failed detected
Remote access authentication attempt failed detected
SSH service authentication attempts failed detected
Multiple authentication attempt failed detected
Login authentication failed detected
13. OSSEC ALERTS RISK ASSESSMENT
AlienVault USM automatically calculate risk based on OSSEC alerts priority, reliability
and assets involved.
14. ALIENVAULT CROSS-CORRELATION
AlienVault USM correlates events from multiple sources, crossing OSSEC alerts with
information collected from embedded detectors and external sources.
Attack
Attacker
X.X.X.X
Accepted HTTP packet
from X.X.X.X to Y.Y.Y.Y
Attack: WEB-IIS multiple
decode attempt
Vulnerability: IIS Remote
Command Execution
Alert: Low
reputation IPOTX
Alert: IIS attack
detected
Target
Y.Y.Y.Y
15. OSSEC MANAGEMENT INTERFACE
AlienVault USM provides a comprehensive GUI for OSSEC alerts management:
Status monitor
Events viewer
Agents control manager
Configuration manager
Rules viewer/editor
Logs viewer
Server control manager
Deployment manager
Rules viewer/editor
PDF/HTML reports
16. LET’S SEE IT IN ACTION!
OSSEC and AlienVault USM
17. NOW FOR SOME Q&A…
Three Ways to Test Drive AlienVault
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Try our Interactive Demo Site
http://www.alienvault.com/live-demo-site
Join our weekly LIVE
Demohttp://www.alienvault.com/marketing/alienvault
-usm-live-demo
hello@alienvault.com
AlienVault’s Unified Security Management will provide LSI with complete security visibility by providing the five essential security capabilities in our unified platform including:-Asset discovery - active and passive network discovery -Vulnerability assessment – active network scanning, continuous vulnerability monitoring -Threat detection - IDS, host-based IDS (HIDS), file integrity monitoring, etc. - Behavioral monitoring - netflow analysis, log normalization, etc. -Security intelligence - log management, SIEM event correlation, etc. All of these capabilities are already built-in and managed through a single console and reporting dashboard. The defined architecture described contains core components of which are defined below in more detail as well as the quote being provided to LSI.