
Motivation Potential Solutions Samhain

SAMHAIN
An open-source Host Intrusion Detection System (HIDS)

Rainer Wichmann


The Samhain HIDS


A simple question

How can you defend against intrusions?


Firewalls, NIDSs, File Integrity Verification

Firewalls

A building without openings is useless.
A human body without openings would be dead.
A server without open ports is pointless.

Intruders enter through open ports, not through the wall!


NIDS

Search network traffic for known attack patterns.

This is a known attack on health.
But the attack can look different...
...and may come in disguise.

Is this an attack on your server?

"There is a major center of economic activity, such as Star Trek, including the Ed Sullivan show. The former Soviet Union..."

Or is it just spam?

It is ix86 binary executable code!
(English Shellcode, Mason et al. 2009)

Recognizing an attack by pattern matching is difficult at best.


File Integrity Verification

Fingerprints are unique.
So are cryptographic checksums: MD5 fingerprint.jpg: 6d49 6d22 f8c8 b2c7 d4ab d39e 0054 9d7a

Firewalls and NIDSs are convenient, because they can be installed at a central point, but they may be circumvented.
File integrity verification is very robust, but it requires monitoring of all individual hosts.


Samhain: Introduction, Server, Clients, Beltane II

Samhain
Samhain is an open-source Host Intrusion Detection System (HIDS) > with central management <


A complete Samhain system


What you get

Samhain provides a centralized client-server host monitoring system.


Samhain Host Integrity Checks

File integrity verification
Logfile monitoring
Login/logout monitoring
Hidden process detection
Open port detection


The Samhain Server

Stores critical data (configuration, baseline)
Authenticates connecting clients
Serves configuration and baseline data
Receives reports and logs them to an RDBMS (MySQL, PostgreSQL, Oracle)


The Samhain Clients

At startup, download configuration and baseline data from the server
Perform integrity checks as configured
Report anomalies to the server
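As an added illustration of the baseline-and-verify cycle the client slides describe, and of the checksum idea from the file integrity slides (example code written for this page, not Samhain's own): a minimal Python checker records a SHA-256 plus ownership, mode and size per file, serialises the baseline the way a server would store it, and reports added, removed and modified files. Paths and contents are constructed, SHA-256 stands in for the MD5 shown on the slide, and the demo assumes a POSIX host where the setuid bit is honoured by chmod.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

def fingerprint(path):
    """Per-file record: SHA-256 of the content plus metadata a HIDS also watches."""
    st = os.lstat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"sha256": digest, "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}

def build_baseline(root):  # fingerprint every file below root, keyed by relative path
    baseline = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline

def verify(root, baseline):
    """Compare the live tree with a stored baseline; return (kind, path, changed fields)."""
    current, anomalies = build_baseline(root), []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            anomalies.append(("removed", rel, []))
        elif rel not in baseline:
            anomalies.append(("added", rel, []))
        elif baseline[rel] != current[rel]:
            diff = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
            anomalies.append(("modified", rel, diff))
    return anomalies

def demo():
    """Constructed scenario (not real system files): baseline a tree, then alter it."""
    files = {"bin/ls": b"#!/bin/sh\necho ls\n", "etc/motd": b"Welcome\n",
             "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            p = Path(root, rel)
            p.parent.mkdir(exist_ok=True)
            p.write_bytes(data)
        stored = json.dumps(build_baseline(root))  # what the server would hold
        # Four kinds of change: same-size content edit, setuid bit, new file, deleted file
        Path(root, "bin/ls").write_bytes(b"#!/bin/sh\necho LS\n")
        Path(root, "etc/motd").chmod(0o4755)
        Path(root, "etc/new.conf").touch()
        Path(root, "etc/passwd").unlink()
        return verify(root, json.loads(stored))
```

The same-size edit to bin/ls is caught only by the checksum, which is why the baseline must be kept where the monitored host cannot rewrite it, as Samhain does by storing it on the server.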


The Beltane II Console

Review reports from clients
Server-side updates of baseline data
Check client status
Edit and reload configuration data
Multiple users with different roles


Thank you for your attention!
