Introduction to Open Source Secure Operations Platform: OSSIM Best Practices

Source: Internet
Author: User
Tags: openvas, ossim

Open Source Secure Operations Platform: OSSIM Best Practices

Li Chenguang

Published by Tsinghua University Press

Content Introduction

In a traditional heterogeneous network environment, operators often manage the network with a variety of sophisticated but separate management tools. Because there is no integrated security operations and maintenance platform, they are always in a passive "firefighting" state when a fault occurs. How to bring asset management, traffic monitoring, vulnerability management, intrusion detection and compliance management together, by integrating open source software into a unified platform for security event correlation analysis, is the question this book answers with the OSSIM platform. Drawing on the author's more than 10 years of practical experience with OSSIM, the book uses worked examples to explain the essentials of plug-in based log collection, standardized classification of security events, and correlation analysis. All of the knowledge and examples come from a complex production environment in a large enterprise and provide solutions to a variety of real challenges.

The book is divided into three parts and 10 chapters. The first part (chapters 1 to 2) mainly introduces the OSSIM architecture and working principles, system planning, the key points of implementation, and the essentials of filtering and analyzing SIEM events. The second part (chapters 3 to 6) mainly introduces the background databases involved in OSSIM, with emphasis on security event classification and aggregation, the event extraction process, correlation analysis algorithms, and Snort rule analysis. The third part (chapters 7 to 10) mainly introduces methods for log collection and standardization, methods for analyzing abnormal traffic with HIDS/NIDS and NetFlow in OSSIM, and an in-depth analysis of the OpenVAS architecture and its scripts.

This book can be used as a reference for open source security technology researchers, network security administrators and university computer majors.

The Structure of the Book

The structure of the book is like a frame, and the content is its concrete building material. Through text, charts and examples, the book makes the complex structure and workflow of OSSIM visible to the reader. The book is divided into three parts, with a total of 10 chapters.

1. Fundamentals

Chapter 1: Starting from the origins of OSSIM, this chapter describes the current situation of operations and maintenance staff and gradually builds the case for applying SIEM. It introduces the OSSIM architecture and its components, explains the idea of plug-in based log collection, puts forward the concept of standardized security events, and analyzes in detail OSSIM's high-availability architecture and how to implement it.

Chapter 2: This chapter begins with the key elements of an OSSIM implementation, installation strategy and hardware selection, then analyzes in depth the important installation work of single-machine deployment, distributed systems and sensor setup. The installation process is walked through with illustrations, covering physical machines and virtual machines in different environments, together with the points to consider. Finally, it focuses on using the SIEM console and on methods of event filtering.

2. Advanced Topics

Chapter 3: This chapter is very helpful for OSSIM developers. Besides introducing the composition and table structure of the OSSIM database, it covers system migration and backup techniques as well as a variety of common MySQL failures.

Chapter 4: This chapter starts from the foundations of correlation analysis and proceeds step by step to the OSSIM security event extraction process, introducing the correlation analysis algorithms commonly used. The aggregation principle of alarm events is also analyzed in detail, and, combined with the current state of OSSIM, multiple examples explain how correlation rules and custom policies are used.

Chapter 5: This chapter mainly introduces the use of monitoring and debugging tools in the various OSSIM subsystems, and methods for diagnosing system bottlenecks.

Chapter 6: This chapter focuses on the principles of Snort and the role of its preprocessors, including Snort's alerting methods. It then analyzes in depth the techniques for writing Snort rules in OSSIM and methods for analyzing anomalous network behavior.

3. Practical Work

Chapter 7: Starting from methods of log standardization and collection analysis, this chapter analyzes in detail the logs generated by various services and network devices, including Apache, FTP, Squid and DHCP, and introduces the OSSIM plug-in development process in detail through an example.

Chapter 8: This chapter explains the use of NetFlow for abnormal traffic analysis, including methods of NetFlow data acquisition and filtering, and introduces techniques for monitoring abnormal traffic with NetFlow in a distributed environment. The three detection tools ntop, Nagios and NetFlow in OSSIM are compared. Finally, methods for integrating third-party open source monitoring software such as Cacti and Zabbix are introduced.

Chapter 9: Starting from role-based authorization in the OSSIM control management center, this chapter comprehensively introduces the structure of the OSSIM Web UI, and explains the configuration and use of the OSSEC log analysis tool and its agent installation method. It introduces managed network scanning in OSSIM and analyzes the OpenVAS scan module, its scripts and its rules in depth. It demonstrates, through multiple examples, the use of OSSIM for advanced attack detection, as well as methods of using OSSIM for compliance management and unified system report output.

Chapter 10: This chapter mainly explains web-based packet capture and packet filtering, and the use of these tools to resolve network faults remotely. It mainly introduces advanced usage of packet capture tools such as Tshark and tcpdump, and finally uses a typical IE browser 0-day vulnerability attack example to demonstrate the role of these tools.
