
OSSEC Host-Based Intrusion Detection Guide (Host-Based Intrusion Detection Guide.pdf)

OSSEC Host-Based Intrusion Detection Guide
Copyright Page
Lead Authors
Contributors
Contents
About this Book
Foreword
Chapter 1: Getting Started with OSSEC
Introduction
Introducing Intrusion Detection
Network Intrusion Detection
Host-Based Intrusion Detection
File Integrity Checking
Registry Monitoring
Rootkit Detection
Active Response
Introducing OSSEC
Planning Your Deployment
Local Installation
Agent Installation
Server Installation
Which Type Is Right For Me?
Identifying OSSEC Pre-installation Considerations
Supported Operating Systems
Special Considerations
Microsoft Windows
Sun Solaris
Ubuntu Linux
Mac OS X
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 2: Installation
Introduction
Downloading OSSEC HIDS
Getting the Files
Preparing the System
Building and Installing
Performing Local Installation
Performing Server-Agent Installations
Installing the Server
Managing Agents
Installing Agents
Installing the Unix Agent
Installing the Windows Agent
Streamlining the Installations
Install Once, Copy Everywhere
Unix, Linux, and BSD
Push the Keys
Unix, Linux, and BSD
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 3: OSSEC HIDS Configuration
Introduction
Understanding the OSSEC HIDS Configuration File
Configuring Logging/Alerting Options
Alerting with Email
Configuring Email
Basic Email Configuration
Granular Email Configuration
Receiving Remote Events with Syslog
Configuring Database Output
Declaring Rule Files
Reading Log Files
Configuring Integrity Checking
Configuring an Agent
Configuring Advanced Options
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 4: Working with Rules
Introduction
Introducing Rules
Understanding the OSSEC HIDS Analysis Process
Predecoding Events
Decoding Events
Decoder Example: sshd Message
Decoder Example: vsftpd Message
Using the Option
Decoder Example: Cisco PIX Message
Decoder Example: Cisco IOS ACL Message
Understanding Rules
Atomic Rules
Writing a Rule
Composite Rules
Working with Real World Examples
Increasing the Severity Level of a Rule
Tuning Rule Frequency
Ignoring Rules
Ignoring IP Addresses
Correlating Multiple Snort Alerts
Ignoring Identity Change Events
Writing Decoders/Rules for Custom Applications
Deciding What Information to Extract
Creating the Decoders
Creating the Rules
Monitoring the Log File
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 5: System Integrity Check and Rootkit Detection
Introduction
Understanding System Integrity Check (syscheck)
Tuning syscheck
Working with syscheck Rules
Ignoring Specific Directories
Increasing the Alert Severity for Important Files
Increasing the Severity for Changes During the Weekend
Configuring Custom Syscheck Monitoring
Detecting Rootkits and Enforcing/Monitoring Policies
Detecting Rootkits on Linux, Unix, and BSD
Detecting Rootkits with Signatures
Monitoring and Enforcing Policy
Policy Monitoring Rules
The Rootcheck Queue
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 6: Active Response
Introduction
Introducing Active Response
Examining Active Response
Command
Active Response
Tying It Together
Creating a Simple Response
The Executable
The Command
The Response
Configuring a Response with Timeout
Host-Deny Command
Host-Deny Response
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 7: Using the OSSEC Web User Interface
Introduction
Introducing the OSSEC HIDS WUI
Identifying WUI Pre-installation Considerations
Downloading the WUI
Installing and Configuring the WUI
Advanced Installation Topics
Using htaccess for Multi-User Access
Enabling SSL Access
Optimizing PHP for Large OSSEC Deployments
Describing the WUI Components
Main
Available Agents
Latest Modified Files
Latest Events
Search
Alert Search Options
Results
Alert List
Integrity Checking
Latest Modified Files (for All Agents)
Dump Database
Stats
Stats Options
OSSEC Stats
OSSEC Stats Snapshot
Aggregate Values by Severity
Aggregate Values by Rule
Total Values per Hour
About
Summary
Solutions Fast Track
Frequently Asked Questions
Epilogue
From the Authors
Appendix A: Log Data Mining
Introduction
Data Mining Intro
Log Mining Intro
Log Mining Requirements
What We Mine For?
Deeper into Interesting
Conclusion
Endnotes
Appendix B: Implementing a Successful OSSEC Policy
The Purpose of Policy
Policy Guides
Your Policy Comes Before Implementation
Policy Drives the Process
Solutions Follow Requirements
Step 1: Pilot Your Policy
Assessing Your Environment
Information
Environment
Risk
Risk Tolerance
Learning about the Tool
Building Effective Requirements
Broad Focus on Availability, Integrity, and Confidentiality
Involve Others
Solve the Business Problem
Pilot Your Way to Success
Step 2: Assess Your Current Policy Framework
Policy Primer
Policy
Standard
Procedure
Guideline
Assessing What You Already Have
Step 3: Build and Implement Your Policies
Build Your Policy
Build Your Standard
Implementation and Adoption
Keep in Mind
About Michael Santarcangelo
Appendix C: Rootkit Detection Using Host-based IDS
Introduction
History
Types of Rootkits
Kernel-Level Rootkits
Application or File-Level
Host-based IDS as a Solution...
Unauthorized Listening Ports and Processes
Files with Permissions that Are Uncommon for the File Type
Files that Match a Predefined List of Rootkit "Fingerprints"
Modification of Key Files
Watch for Network Cards that Are Listening to Network Traffic
Users Who Have UID 0
Network Anomaly Detection
HIDS Advantages
HIDS Disadvantages
Future Developments
Appendix D: The OSSEC VMware Guest Image
Introduction
Using the OSSEC VMware Guest
OSSEC VMware Image Minimum Requirements
VMware Guest Information
Creating Your Own OSSEC VMware Image
Downloading the Ubuntu 7.10 ISO
Preparing the VMware Guest Image
Configuring the Base Operating System
Installing the OSSEC HIDS
Installing the OSSEC HIDS WUI
Conclusion
Index
Andrew Hay
Daniel Cid, Creator of OSSEC
Rory Bray
Foreword by Stephen Northcutt, President, The SANS Technology Institute, a post graduate security college, www.sans.edu
Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Elsevier, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

PUBLISHED BY Syngress Publishing, Inc. Elsevier, Inc. 30 Corporate Drive Burlington, MA 01803

OSSEC Host-Based Intrusion Detection Guide
Copyright © 2008 by Elsevier, Inc. All rights reserved. Printed in the United States of America.

Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
ISBN 13: 978-1-59749-240-9
Page Layout and Art: SPi
Copy Editor: Beth Roberts

For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights, at Syngress Publishing; email m.pedersen@elsevier.com.
Lead Authors

Andrew Hay leads a team of software developers at Q1 Labs Inc. integrating 3rd party event and vulnerability data into QRadar, their flagship network security management solution. Prior to joining Q1 Labs, Andrew was CEO and co-founder of Koteas Corporation, a leading provider of end to end security and privacy solutions for government and enterprise. His resume also includes such organizations as Nokia Enterprise Solutions, Nortel Networks, and Magma Communications, a division of Primus. Andrew is a strong advocate of security training, certification programs, and public awareness initiatives. He also holds several industry certifications including the CCNA, CCSA, CCSE, CCSE NGX, CCSE Plus, Security+, GCIA, GCIH, SSP-MPA, SSP-CNSA, NSA, RHCT, and RHCE. Andrew would first like to thank his wife Keli for her support, guidance, and unlimited understanding when it comes to his interests. He would also like to thank George Hanna, Chris Cahill, Chris Fanjoy, Daniella Degrace, Shawn McPartlin, the Trusted Catalyst Community, and of course his parents, Michel and Ellen Hay (and no mom, this is nothing like Star Trek), for their continued support. He would also like to thank Daniel Cid for creating such a great product.

Daniel Cid is the creator and main developer of the OSSEC HIDS (Open Source Security Host Intrusion Detection System). Daniel has been working in the security area for many years, with a special interest in intrusion detection, log analysis and secure development. He is currently working at Q1 Labs Inc. as a software engineer. In the past, he worked at Sourcefire, NIH and Opensolutions. Daniel holds several industry certifications including the CCNP, GCIH, and CISSP. Daniel would like to thank God for the gift of life, his wife Liliane for all the help and understanding, his son, Davi, for all the countless nights without sleep, and his family for all the support in life so far.

Rory Bray is senior software engineer at Q1 Labs Inc. with years of experience developing Internet and security related services. In addition to being a long-time advocate of Open Source software, Rory has developed a strong interest in network security and secure development practices. Rory has a diverse background which includes embedded development, web application design, software architecture, security consulting and technical editing. This broad range of experience provides a unique perspective on security solutions. Rory would like to thank his lovely wife Rachel for putting up with the interruptions to normal life caused by work on this book. His career path has always been a hectic one, requiring a great deal of her patience and flexibility. He knows it has never been easy to live with a member of the “Nerd Herd”.

The authors would like to thank Andrew Williams at Syngress for his help, support, and understanding as we worked together through our first book. We’d also like to thank Anton Chuvakin, Peter Giannoulis, Adam Winnington, and Michael Santarcangelo for their appendix contributions and Stephen Northcutt for taking the time out of his busy schedule to write the foreword.
Contributors

Dr Anton Chuvakin, GCIA, GCIH, GCFA (http://www.chuvakin.org) is a recognized security expert and book author. In his current role as a Chief Logging Evangelist with LogLogic, a log management and intelligence company, he is involved with projecting LogLogic’s product vision and strategy to the outside world, conducting logging research as well as influencing company vision and roadmap. A frequent conference speaker, he also represents the company at various security meetings and standards organizations. He is an author of a book “Security Warrior” and a contributor to “Know Your Enemy II”, “Information Security Management Handbook”, “Hacker’s Challenge 3”, “PCI Compliance” and the upcoming book on logs. Anton also published numerous papers on a broad range of security and logging subjects. In his spare time he maintains his security portal http://www.info-secure.org and several blogs such as one at http://www.securitywarrior.org. Anton wrote Appendix A.

Michael Santarcangelo is a human catalyst. As an expert who speaks on information protection, including compliance, privacy, and awareness, Michael energizes and inspires his audiences to change how they protect information. His passion and approach gets results that change behaviors. As a full member of the National Speakers Association, Michael is known for delivering substantial content in a way that is energetic and entertaining. Michael connects with those he works with, and helps them engage in natural and comfortable ways. He literally makes security relevant and simple to understand! His unique insights, innovative concepts, and effective strategies are informed by extensive experience and continued research. His first book, Into the Breach (early 2008; www.intothebreach.com), is the answer business executives have been looking for to defend their organization against breaches, while discovering how to increase revenue, protect the bottom line, and manage people, information, and risk efficiently. Michael wrote Appendix B.