OSSIM aims to unify network monitoring, security, correlation and qualification in one single tool. Its directive-based correlation engine is the key feature of OSSIM: it can detect complex potential threats more reliably than a regular IDS.
What is OSSIM
OSSIM aims to unify network monitoring, security, correlation and qualification in one single tool. By combining Snort, Acid, Mrtg, NTOP, OpenNMS, nmap, nessus and rrdtool, it gives the user full control over every network and security aspect. http://www.ossim.net
How does the correlation engine of OSSIM work
The directive-based correlation engine is the key feature of OSSIM; it can detect complex potential threats more reliably than a regular IDS, because it raises an alarm only after several independent signs of the same attack have been matched in sequence. The following background document explains the principle of OSSIM's directive-based correlation engine: http://www.ossim.net/docs/correlation_engine_explained_rpc_dcom_example.pdf
What I practise
The purpose of this exercise is to validate how OSSIM reacts to the DCOM RPC exploit and to gain a deep understanding of the engine under the hood.
First I attack the target with an RPC exploit tool, so that the Snort sensor finds the DCOM signature in the traffic generated by the attack. If the attack succeeds (and against an unpatched target it will), the exploit opens a connection to an abnormal port on the target machine, which produces an alert from SPADE (the anomaly sensor). Both of these alerts match the directive, so the correlation engine asks ntop whether a session of some duration exists between the attacker and the target. If ntop replies that one does, the reliability of the alert is very high and the target is really in danger.
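To make the directive mechanism concrete, here is a small toy model of a directive-based correlation engine, written for this page as an added illustration; it is not OSSIM's code and not the example from the reference PDF. The sensor names, signature names ("DCOM_RPC_EXPLOIT", "ABNORMAL_PORT"), reliability values, the 10-second session threshold, the priority and asset values, and the event stream are all constructed to mirror the scenario above; the only thing taken from OSSIM itself is its risk formula, risk = asset * priority * reliability / 25.

```python
"""Toy directive-based correlation engine (added illustration, not OSSIM's code).

A directive is a tree of rules. Detector rules are matched by sensor events
(Snort, SPADE); monitor rules make the engine query an external monitor (ntop)
and compare the reply with a threshold. Every matched rule adds its reliability
to the backlog; when the chain is complete an alarm is raised with
risk = asset * priority * reliability / 25 (OSSIM's formula).
All names, ids, values and events below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Event:
    plugin: str   # sensor that produced it: "snort" or "spade"
    sid: str      # signature / anomaly name (constructed)
    src: str
    dst: str


@dataclass
class Rule:
    name: str
    plugin: str
    sid: str = ""                   # detector rules only
    reliability: int = 0            # added to the backlog when this rule fires
    monitor_threshold: float = 0.0  # monitor rules: fire when the reply >= this
    children: List["Rule"] = field(default_factory=list)


@dataclass
class Backlog:
    """A partially matched directive for one attacker/target pair."""
    src: str
    dst: str
    reliability: int = 0
    pending: List[Rule] = field(default_factory=list)  # rules to satisfy next
    matched: List[str] = field(default_factory=list)


class CorrelationEngine:
    def __init__(self, root: Rule, priority: int, asset: int,
                 session_monitor: Callable[[str, str], float],
                 alarm_risk: float = 1.0):
        self.root = root
        self.priority = priority                # directive priority, 0-5
        self.asset = asset                      # target asset value, 0-5
        self.session_monitor = session_monitor  # stands in for the ntop query
        self.alarm_risk = alarm_risk
        self.backlogs: Dict[Tuple[str, str], Backlog] = {}

    @staticmethod
    def risk(priority: int, reliability: int, asset: int) -> float:
        return min(10.0, asset * priority * reliability / 25)

    @staticmethod
    def _matches(rule: Rule, ev: Event) -> bool:
        return rule.plugin == ev.plugin and rule.sid == ev.sid

    def _fire(self, bl: Backlog, rule: Rule) -> None:
        bl.reliability += rule.reliability
        bl.matched.append(rule.name)
        bl.pending = list(rule.children)

    def feed(self, ev: Event) -> Optional[dict]:
        """Correlate one sensor event; return an alarm dict when the directive completes."""
        key = (ev.src, ev.dst)
        bl = self.backlogs.get(key)
        if bl is None:
            if not self._matches(self.root, ev):
                return None          # only the root rule can open a backlog
            bl = self.backlogs[key] = Backlog(ev.src, ev.dst)
            self._fire(bl, self.root)
        else:
            rule = next((r for r in bl.pending if self._matches(r, ev)), None)
            if rule is None:
                return None          # event does not advance this backlog
            self._fire(bl, rule)
        # Monitor rules are not matched by events: the engine asks the monitor itself.
        for rule in list(bl.pending):
            if rule.plugin == "ntop":
                if self.session_monitor(bl.src, bl.dst) >= rule.monitor_threshold:
                    self._fire(bl, rule)
        risk = self.risk(self.priority, bl.reliability, self.asset)
        if bl.pending or risk < self.alarm_risk:
            return None
        del self.backlogs[key]
        return {"src": bl.src, "dst": bl.dst, "reliability": bl.reliability,
                "risk": risk, "matched": bl.matched}


# Constructed directive mirroring the test: Snort signature -> SPADE anomaly -> ntop session.
DCOM_DIRECTIVE = Rule(
    name="snort: DCOM RPC exploit signature", plugin="snort", sid="DCOM_RPC_EXPLOIT",
    reliability=3, children=[
        Rule(name="spade: connection to abnormal port on target", plugin="spade",
             sid="ABNORMAL_PORT", reliability=3, children=[
                 Rule(name="ntop: attacker/target session >= 10 s", plugin="ntop",
                      reliability=4, monitor_threshold=10.0)])])

ATTACKER, TARGET = "10.8.0.2", "10.5.5.17"   # hosts from the test above
ATTACK_EVENTS = [                              # constructed sensor output
    Event("snort", "DCOM_RPC_EXPLOIT", ATTACKER, TARGET),
    Event("spade", "ABNORMAL_PORT", ATTACKER, TARGET),
]


def correlate(events: List[Event], session_seconds: float) -> Optional[dict]:
    """Replay events through a fresh engine; ntop is stubbed to report session_seconds."""
    engine = CorrelationEngine(DCOM_DIRECTIVE, priority=5, asset=3,
                               session_monitor=lambda s, d: session_seconds)
    alarm = None
    for ev in events:
        alarm = engine.feed(ev) or alarm
    return alarm


if __name__ == "__main__":
    print(correlate(ATTACK_EVENTS, 10.0))        # full chain matched: alarm, risk 6.0
    print(correlate(ATTACK_EVENTS, 0.0))         # ntop sees no session: no alarm
    print(correlate(ATTACK_EVENTS[::-1], 10.0))  # anomaly before signature: no alarm
```

Three things the model shows that the prose alone does not: a SPADE anomaly on its own never opens a backlog (only the root rule can), a Snort signature on its own stops at reliability 3 with the backlog waiting, and the ntop reply is what pushes reliability to 10 and risk to 6.0. In this toy the monitor is queried when the next event arrives; a real monitor rule is polled on its own schedule, which is the detail to keep in mind when reading the agent output later in the test.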
Test topology
For convenience, I deployed almost every module on 10.8.0.2; only the target (10.5.5.17) is a separate host.

Test items
OSSIM 0.9.1, http://www.ossim.net/download.php

Test tools
rpc - /* Windows remote RPC DCOM exploit Coded by oc192 */
Test procedure
1. Change the directives in the server config file (/etc/ossim/server/directives.xml) as follows.
You can verify the directives in the web UI.
2. Start the OSSIM server: /usr/bin/ossim -c /etc/ossim/server/config.xml
3. Start the OSSIM agent: /usr/bin/agent
The agent config (/etc/ossim/agent/config.xml) is as in the screenshot:
4. Run the exploit and look at the log: [root@localhost root]# ./rpc -d 10.5.5.17 -t 1 -l 674
Here -l 674 selects the port the exploit's bind shell listens on; the connection to that port is the abnormal traffic SPADE is expected to flag.
The agent's output is:
You can see that the agent receives the request from the server to monitor the ntop session. ntop finds a session with a duration of 10 seconds and replies to the server.
The correlation engine generates an alert once the backlog is fully matched.