OSSIM active and passive detection tools: combining pads, p0f and arpwatch
OSSIM does more than bundle an IDS: it is a platform for correlating many kinds of complex security applications, and one of its core mechanisms is plugin-based event extraction. The built-in plugins cover most major hardware vendors and a wide range of network applications. Below, OSSIM 3 combines a few small tools into something that solves a large problem for you. This is a brief description of how to use pads, p0f and arpwatch together.
Tools Introduction
None of the open source tools described below needs to be installed or configured separately in OSSIM; you only need to know how to use them.
arpwatch: the main function of this tool is to monitor ARP records on the network, i.e. Ethernet address resolution on Linux (changes in MAC and IP address pairings). It listens to Ethernet activity continuously and logs every change to an IP/MAC address pair. A newly appearing address pair or a change to an existing one is a useful warning sign for detecting ARP attacks, and it also lets you spot servers that are brought online temporarily. OSSIM performs this detection through its arpwatch plugin, which is very convenient: you only need to select arpwatch in the detection plugins and the system installs and configures it for you, as shown in the screenshot.
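To make the arpwatch behaviour described above concrete, the following is an added example (it is not code from the article, from OSSIM or from arpwatch itself) that tracks IP/MAC pairings over a constructed sequence of ARP observations and reports the same kinds of events arpwatch logs: a "new station" when an address pair is first seen, a "changed ethernet address" when an IP starts answering from a different MAC, and a "flip flop" when it switches back to a MAC it used before. The observation list, timestamps and MAC addresses are constructed for the example; the event names follow arpwatch's terminology, but the detection logic is a simplified re-implementation.

```python
"""Track IP/MAC pairings the way arpwatch does and report changes.

Added example, not code from the original article or from arpwatch.
SAMPLE_ARP is a constructed stand-in for ARP replies seen on the segment;
event names follow arpwatch's report categories, the logic is our own.
"""
from collections import namedtuple

Observation = namedtuple("Observation", "ts ip mac")

# Constructed sample: two hosts appear, then 192.168.11.5 answers from a
# different MAC and flips back to the old one (a classic ARP spoofing symptom).
SAMPLE_ARP = [
    Observation(1, "192.168.11.5", "0:d0:b7:e0:99:ae"),
    Observation(2, "192.168.11.127", "0:0c:29:ca:18:10"),
    Observation(3, "192.168.11.5", "0:d0:b7:e0:99:ae"),
    Observation(4, "192.168.11.5", "0:0c:29:16:e8:82"),
    Observation(5, "192.168.11.5", "0:d0:b7:e0:99:ae"),
]


def normalize_mac(mac):
    """Zero-pad each octet so '0:d0:b7:...' and '00:d0:b7:...' compare equal."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


class ArpTracker:
    def __init__(self):
        self.current = {}   # ip -> (mac, last_seen_ts)
        self.previous = {}  # ip -> the MAC this IP used before the current one

    def observe(self, obs):
        """Return an event tuple (kind, ip, new_mac, old_mac) or None if nothing changed."""
        mac = normalize_mac(obs.mac)
        known = self.current.get(obs.ip)
        if known is None:
            self.current[obs.ip] = (mac, obs.ts)
            return ("new station", obs.ip, mac, None)
        old_mac, _ = known
        if mac == old_mac:
            self.current[obs.ip] = (mac, obs.ts)   # same pairing, just refresh the timestamp
            return None
        # The IP now answers from a different MAC. If it is the MAC we saw
        # immediately before, arpwatch calls it a flip flop; otherwise a change.
        if self.previous.get(obs.ip) == mac:
            kind = "flip flop"
        else:
            kind = "changed ethernet address"
        self.previous[obs.ip] = old_mac
        self.current[obs.ip] = (mac, obs.ts)
        return (kind, obs.ip, mac, old_mac)


def run(observations):
    """Feed observations through a fresh tracker and collect the events it raises."""
    tracker = ArpTracker()
    events = []
    for obs in observations:
        event = tracker.observe(obs)
        if event:
            events.append(event)
    return events


if __name__ == "__main__":
    for kind, ip, mac, old in run(SAMPLE_ARP):
        suffix = f" (was {old})" if old else ""
        print(f"{kind}: {ip} {mac}{suffix}")
```

On the constructed input this yields two "new station" events, one "changed ethernet address" for 192.168.11.5 and finally a "flip flop" when it returns to its original MAC; in a real deployment the observations would come from the ARP replies arpwatch captures on the interface, and the flip flop is the pattern to alert on.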
[Figure: 10-16.jpg]
p0f: a passive fingerprinting tool that identifies the remote operating system by analysing the network traffic it observes, without sending any probes of its own.
pads: a passive asset detection system. It listens to traffic and records the hosts, ports, services and applications it sees, which makes it useful for detecting asset anomalies such as unexpected services. A sample run on the OSSIM server looks like this:
ossim31:~ # pads
pads - Passive Asset Detection System
v1.2 - 06/17/05
Matt Shelton <[email protected]>

[-] Processing Existing assets.csv
[-] Filter: (null)
Warning: Kernel Filter Failed: Socket operation on non-socket
[-] Listening on Interface eth0

[*] Asset Found: Port - 443 / Host - 192.168.11.128 / Service - ssl / Application - Generic TLS 1.0 SSL
[*] Asset Found: Port - 443 / Host - 192.168.11.127 / Service - ssl / Application - Generic TLS 1.0 SSL
[*] Asset Found: Port - 80 / Host - 111.206.80.97 / Service - www / Application - nginx
[*] Asset Found: IP Address - 192.168.11.5 / MAC Address - 0:d0:b7:e0:99:ae (Intel Corporation)
[*] Asset Found: Port - 80 / Host - 111.206.80.103 / Service - www / Application - nginx
[*] Asset Found: IP Address - 192.168.11.127 / MAC Address - 0:0c:29:ca:18:10
[*] Asset Found: Port - 80 / Host - 111.206.80.96 / Service - www / Application - nginx
[*] Asset Found: Port - 49993 / Host - 192.168.11.1 / Service - www / Application - HTTP/1.1)
[*] Asset Found: Port - 2869 / Host - 192.168.11.5 / Service - www / Application - Microsoft-HTTPAPI/2.0
[*] Asset Found: Port - 80 / Host - 111.206.80.101 / Service - www / Application - nginx
[*] Asset Found: Port - 80 / Host - 111.206.37.178 / Service - www / Application - HTTP/1.1)
[*] Asset Found: Port - 80 / Host - 123.125.80.77 / Service - www / Application - nginx
[*] Asset Found: Port - 80 / Host - 61.135.186.213 / Service - www / Application - HTTP/1.1)
[*] Asset Found: Port - 80 / Host - 111.206.80.99 / Service - www / Application - nginx
[*] Asset Found: IP Address - 192.168.11.129 / MAC Address - 0:0c:29:16:e8:82
[*] Asset Found: Port - 443 / Host - 192.168.11.129 / Service - ssl / Application - Generic TLS 1.0 SSL
[*] Asset Found: Port - 80 / Host - 111.206.80.102 / Service - www / Application - nginx
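The raw pads output above mixes local assets with the remote ends of outbound web connections (the 111.206.x.x and other Internet addresses), and on its own it says nothing about what is new or changed. The following added example (not code from the article, from OSSIM or from the pads project) parses "Asset Found" lines in the format pads prints, keeps only hosts inside the monitored segment, and diffs the result against a baseline inventory to surface the asset anomalies pads is meant to reveal: a service that was not there before and an application banner that has changed. The sample output, the baseline and the 192.168.11.0/24 segment passed to the diff are constructed for the example.

```python
"""Turn pads 'Asset Found' lines into an inventory and diff it against a baseline.

Added example, not code from the original article or from the pads project.
SAMPLE_PADS_OUTPUT is constructed to follow the line format pads prints; the
BASELINE inventory is invented so the diff has something to report.
"""
import ipaddress
import re
from dataclasses import dataclass, field

SERVICE_RE = re.compile(
    r"^\[\*\] Asset Found: Port - (?P<port>\d+) / Host - (?P<host>[\d.]+)"
    r" / Service - (?P<service>\S+) / Application - (?P<app>.+?)\s*$"
)
MAC_RE = re.compile(
    r"^\[\*\] Asset Found: IP Address - (?P<host>[\d.]+)"
    r" / MAC Address - (?P<mac>[0-9a-fA-F:]+)(?: \((?P<vendor>[^)]*)\))?"
)

# Constructed sample in pads' output format (not the article's own capture).
SAMPLE_PADS_OUTPUT = """\
[-] Listening on Interface eth0
[*] Asset Found: Port - 443 / Host - 192.168.11.128 / Service - ssl / Application - Generic TLS 1.0 SSL
[*] Asset Found: IP Address - 192.168.11.5 / MAC Address - 0:d0:b7:e0:99:ae (Intel Corporation)
[*] Asset Found: Port - 2869 / Host - 192.168.11.5 / Service - www / Application - Microsoft-HTTPAPI/2.0
[*] Asset Found: Port - 80 / Host - 111.206.80.97 / Service - www / Application - nginx
[*] Asset Found: Port - 22 / Host - 192.168.11.128 / Service - ssh / Application - OpenSSH 5.9p1
"""

# Invented baseline: what we believed the segment looked like before this run.
BASELINE = {
    ("192.168.11.128", 443): ("ssl", "Generic TLS 1.0 SSL"),
    ("192.168.11.5", 2869): ("www", "Microsoft-HTTPAPI/1.0"),
}


@dataclass
class Inventory:
    services: dict = field(default_factory=dict)  # (host, port) -> (service, application)
    macs: dict = field(default_factory=dict)      # host -> (mac, vendor)


def normalize_mac(mac):
    """pads prints unpadded octets ('0:d0:...'); pad them so comparisons are stable."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def parse_pads(text):
    """Build an Inventory from pads output; lines that are not assets are ignored."""
    inv = Inventory()
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            inv.services[(m["host"], int(m["port"]))] = (m["service"], m["app"])
            continue
        m = MAC_RE.match(line)
        if m:
            inv.macs[m["host"]] = (normalize_mac(m["mac"]), m["vendor"] or "")
    return inv


def diff_against_baseline(baseline, inv, segment):
    """Report new or changed services, but only for hosts inside `segment`.

    Remote hosts are skipped because pads also records the server side of
    outbound connections, which is not part of our asset inventory.
    """
    net = ipaddress.ip_network(segment)
    findings = []
    for (host, port), (service, app) in inv.services.items():
        if ipaddress.ip_address(host) not in net:
            continue
        known = baseline.get((host, port))
        if known is None:
            findings.append(("new service", host, port, service, app))
        elif known[1] != app:
            findings.append(("application changed", host, port, known[1], app))
    return findings


if __name__ == "__main__":
    inventory = parse_pads(SAMPLE_PADS_OUTPUT)
    for finding in diff_against_baseline(BASELINE, inventory, "192.168.11.0/24"):
        print(finding)
```

Run against the constructed sample, the diff reports the new SSH service on 192.168.11.128 and the changed HTTP API version on 192.168.11.5, while the nginx server at 111.206.80.97 is silently dropped as outside the segment. This is essentially the normalisation step OSSIM performs for you when its pads plugin feeds the SIEM.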
When an ordinary user works with these three tools on their own, solving a problem always means wading through large volumes of command output and miscellaneous logs. Is that an unavoidable flaw, or is there a better way? Let OSSIM solve these problems for us.
2. Application
Lab environment: OSSIM server: OSSIM31
Monitored network segment: 192.168.11.0/24
After installing OSSIM, open the web UI and enter the SIEM console; the SIEM event alerts appear as shown in the screenshots.
[Figure: 10-16-arp+p0f+pads.png]
[Figure: 10-16-pads-1.png]
Click the first alarm to view the pads details, as shown:
[Figure: 10-16-pads-2.png]
p0f's detection of a new operating system is shown in the following screenshot.
[Figure: 10-16-p0f.png]
Click this record to view the details, as shown.
[Figure: 10-16-p0f-1.png]
The arpwatch events are shown in the following screenshot.
[Figure: 10-16-arpwatch.png]
Looking at these displays, you may immediately feel that the days of capturing packets with tcpdump and analysing them in Wireshark are over. More powerful tools will be introduced later. OSSIM 3 really does solve a big problem for us with this feature, but it is an old version; development has now reached OSSIM 5.2, and I will introduce its more useful features in the new book.
This article is from Li Chenguang's original technology blog. Please keep this source when reposting: http://chenguang.blog.51cto.com/350944/1703458