
A Practice of OSSIM

-- DCOM Exploit Event Correlation Test


What is OSSIM
OSSIM aims to unify network monitoring, security, correlation and qualification in one
single tool. Using Snort, Acid, Mrtg, NTOP, OpenNMS, nmap, nessus and rrdtool we want
the user to have full control over every network or security aspect.
http://www.ossim.net

How the correlation engine of OSSIM works
The directive-based correlation engine is the key feature of OSSIM: it can detect complex
potential threats more reliably than a regular IDS. Here is some background information to help you
understand the principle of OSSIM's directive-based correlation engine.
http://www.ossim.net/docs/correlation_engine_explained_rpc_dcom_example.pdf

What I practise
The purpose of this practice is to validate OSSIM's response to the DCOM RPC exploit and to
gain a deep understanding of the engine under the hood.

First I attack the target with an RPC tool so that the Snort sensor finds the DCOM signature in the
traffic generated by the attack. If the attack is successful (and it definitely will be), there will
be a connection to an abnormal port on the target machine, which leads to an alert by spade (the
anomaly sensor). Both of these alerts match the directive, so the correlation engine asks ntop to
check whether a session exists between the attacker and the target; if the ntop monitor replies
that it does, the alert reliability is very high and the target is really in danger.

Test topology

For convenience, I deployed almost every module on 10.8.0.2 except the target.
Target Test Items
Ossim 0.9.1
http://www.ossim.net/download.php

Test Tools
Rpc - /* Windows remote RPC DCOM exploit Coded by oc192 */

Test procedure
1. Change the server config file (/etc/ossim/server/directives.xml) as follows:


You can verify the directives in the web UI.


2. Start the ossim server
/usr/bin/ossim -c /etc/ossim/server/config.xml

3. Start the ossim agent
/usr/bin/agent

The agent config (/etc/ossim/agent/config.xml) is as in the screenshot:


4. Let's do the hack and take a look at the log
[root@localhost root]#./rpc -d 10.5.5.17 -t 1 -l 674

The agent's output is:


You can see that the agent receives the request from the server to monitor the ntop session. Ntop finds
a session with a 10-second duration and replies to the server.

The event correlation engine generates an alert when the backlog is matched.
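To make the Snort -> spade -> ntop chain described above concrete, here is a small added toy correlator written for this write-up (it is not OSSIM's own code). The attacker and target addresses are taken from the test, while the plugin names, signature texts, reliability values and the alarm threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass
@dataclass
class Event:
    plugin: str  # sensor that produced it: "snort" or "spade"
    src: str
    dst: str
    sig: str     # signature text or anomaly description

@dataclass
class Backlog:  # a partially matched directive instance, keyed by (src, dst)
    src: str
    dst: str
    level: int = 2       # next level to satisfy; level 1 opened the backlog
    reliability: int = 0
# Reliability each level contributes and the alarm threshold (assumed values).
RELIABILITY = {"snort": 3, "spade": 3, "ntop": 4}
ALARM_THRESHOLD = 10
class Correlator:
    def __init__(self, ntop_monitor):
        self.ntop_monitor = ntop_monitor  # callable(src, dst) -> session seconds
        self.backlogs = {}
    def feed(self, ev):
        """Apply one sensor event; return the Backlog if an alarm fires, else None."""
        key = (ev.src, ev.dst)
        bl = self.backlogs.get(key)
        if bl is None:
            # Level 1: only a Snort DCOM signature opens a backlog.
            if ev.plugin == "snort" and "DCOM" in ev.sig:
                self.backlogs[key] = Backlog(ev.src, ev.dst, reliability=RELIABILITY["snort"])
            return None
        if bl.level == 2 and ev.plugin == "spade":
            # Level 2: spade reports a connection to an abnormal port on the same target.
            bl.reliability += RELIABILITY["spade"]
            bl.level = 3
            # Level 3: the server asks the agent's ntop plugin whether a session
            # exists between attacker and target, rather than waiting for an event.
            if self.ntop_monitor(ev.src, ev.dst) > 0:
                bl.reliability += RELIABILITY["ntop"]
            if bl.reliability >= ALARM_THRESHOLD:
                return self.backlogs.pop(key)
        return None

def run_demo():
    """Replay the write-up's attack against a stubbed ntop (constructed sample data)."""
    sessions = {("10.8.0.2", "10.5.5.17"): 10}  # ntop reports a 10 s session
    c = Correlator(lambda s, d: sessions.get((s, d), 0))
    events = [Event("snort", "10.8.0.2", "10.5.5.17", "DCOM RPC exploit attempt"),
              Event("spade", "10.8.0.2", "10.5.5.17", "Closed dest port used: 674")]
    return [c.feed(e) for e in events]
```

Timeouts on open backlogs, which a real directive also carries, are left out here; without a confirming ntop reply the backlog simply stays open at level 3.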


The CA monitor picture during the attack:


Youyou chensy@netway.net.cn
Lance lance@antpower.org
