OSSIM active and passive detection tools (PADS+P0F+ARPWATCH) used in combination

Source: Internet
Author: User
Tags: ossim



OSSIM not only lowers the barrier to working with an IDS, it also provides a fast platform for a variety of complex applications. One of its core technologies is plugin-based event extraction; the system's built-in plugins cover almost all major hardware vendors and network applications. Below, OSSIM3 is used to combine a few small tools that together can solve big problems for you. What follows is a brief description of using pads, p0f and arpwatch.


1. Tools Introduction

For the open source tools described below, there is no need to install or configure them in OSSIM; you just have to know how to use them.

Arpwatch: the main function of this tool is to monitor ARP records on the network; on Linux it can be used to monitor Ethernet address resolution (changes in MAC and IP address pairings). It continuously watches Ethernet activity over time and keeps a log of changes to IP/MAC address pairs. A new address pairing is a warning that is very useful for detecting ARP attacks, and it sometimes lets you spot a temporarily connected server in time. The arpwatch plugin enabled in OSSIM implements active detection and is very convenient: you only need to select arpwatch among the detection plugins, and the system installs and configures it for you automatically, as shown in the figure.
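To make the address-pair logic concrete, here is an added example (my code, not arpwatch's own) that tracks IP/MAC pairings over a constructed series of ARP observations and raises the same three report types arpwatch logs: new station, changed ethernet address, and flip flop. The .5 and .127 addresses reuse values from the pads output further down the page; 00:11:22:33:44:55 is a constructed MAC that briefly claims .5.

```python
"""Track IP/MAC address pairs the way arpwatch does (added example, not
arpwatch's own code). Feeds a constructed list of ARP observations through
a tracker and reports arpwatch's three alert types."""
from collections import namedtuple

Observation = namedtuple("Observation", "ts ip mac")


def normalize_mac(mac):
    """Pad each octet to two hex digits so arpwatch's short form
    ('0:d0:b7:e0:99:ae') compares equal to '00:d0:b7:e0:99:ae'."""
    return ":".join(part.lower().zfill(2) for part in mac.split(":"))


class ArpTracker:
    """Keeps the current MAC per IP and the MAC seen before it, which is
    what distinguishes a genuine change from a 'flip flop' back to an old one."""

    def __init__(self):
        self.current = {}    # ip -> (mac, last-seen timestamp)
        self.previous = {}   # ip -> the MAC that was current before this one
        self.alerts = []     # (kind, ip, new_mac, old_mac)

    def observe(self, obs):
        mac = normalize_mac(obs.mac)
        if obs.ip not in self.current:
            self.current[obs.ip] = (mac, obs.ts)
            self.alerts.append(("new station", obs.ip, mac, None))
            return
        old_mac, _ = self.current[obs.ip]
        if mac == old_mac:
            self.current[obs.ip] = (mac, obs.ts)   # same pairing, just refresh
            return
        # The pairing changed. If the "new" MAC is the one this IP had before,
        # arpwatch calls it a flip flop (two hosts contending for one IP, or
        # ARP spoofing); otherwise it is a changed ethernet address.
        kind = "flip flop" if self.previous.get(obs.ip) == mac else "changed ethernet address"
        self.alerts.append((kind, obs.ip, mac, old_mac))
        self.previous[obs.ip] = old_mac
        self.current[obs.ip] = (mac, obs.ts)


def format_alert(alert):
    """Render an alert in the one-line style arpwatch writes to syslog."""
    kind, ip, mac, old = alert
    return f"arpwatch: {kind} {ip} {mac}" + (f" ({old})" if old else "")


# Constructed observations: the .5 and .127 MACs come from the pads output on
# this page; 00:11:22:33:44:55 is a constructed second MAC that briefly claims .5.
SAMPLE = [
    Observation(1, "192.168.11.5", "0:d0:b7:e0:99:ae"),
    Observation(2, "192.168.11.127", "0:0c:29:ca:18:10"),
    Observation(3, "192.168.11.5", "00:d0:b7:e0:99:ae"),   # same pairing, long form
    Observation(4, "192.168.11.5", "00:11:22:33:44:55"),   # another MAC answers for .5
    Observation(5, "192.168.11.5", "0:d0:b7:e0:99:ae"),    # original MAC is back
]


def run_sample(observations=SAMPLE):
    """Run the tracker over the observations and return the alert list."""
    tracker = ArpTracker()
    for obs in observations:
        tracker.observe(obs)
    return tracker.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(format_alert(alert))
```

The tracker deliberately keeps only one level of history per IP; that is enough to tell a change from a flip flop, which is the distinction that matters when deciding whether an alert is a reconfigured host or two machines fighting over an address.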


p0f: a passive fingerprinting tool that identifies the remote operating system by analyzing network traffic.

ossim31:~# p0f
p0f - passive os fingerprinting utility, version 2.0.8
(C) M. Zalewski <[email protected]>, W. Stearns <[email protected]>
p0f: listening (SYN) on 'eth0', 262 sigs (+ generic, cksum 0f1f5ca2), rule: 'all'.
192.168.11.2:51579 - unknown [8192:64:1:52:m1460,n,w2,n,n,s:.:?:?]
  -> 192.168.11.127:443 (link: ethernet/modem)
192.168.11.1:3538 - linux 2.6, seldom 2.4 (older, 2) (up: 3221 hrs)
  -> 192.168.11.21:21 (distance 0, link: ethernet/modem)
192.168.11.2:51586 - unknown [8192:64:1:52:m1460,n,w2,n,n,s:.:?:?]
  -> 61.135.189.216:80 (link: ethernet/modem)
192.168.11.1:3896 - linux 2.6, seldom 2.4 (older, 2) (up: 3221 hrs)
  -> 192.168.11.248:3389 (distance 0, link: ethernet/modem)
192.168.11.2:51588 - unknown [8192:64:1:52:m1460,n,w2,n,n,s:.:?:?]
  -> 192.229.145.200:443 (link: ethernet/modem)
192.168.11.2:51587 - unknown [8192:64:1:52:m1460,n,w2,n,n,s:.:?:?]
  -> 192.229.145.200:443 (link: ethernet/modem)
192.168.11.2:51589 - unknown [8192:64:1:52:m1460,n,w2,n,n,s:.:?:?]
  -> 61.240.129.78:80 (link: ethernet/modem)
... ...


Pads: a passive asset detection system, designed to detect anomalies in assets, such as service anomalies.

ossim31:~# pads
pads - Passive Asset Detection System
v1.2 - 06/17/05
Matt Shelton <[email protected]>
[-] Processing existing assets.csv
[-] Filter: (null)
warning: kernel filter failed: socket operation on non-socket
[-] Listening on interface eth0
[*] Asset Found: port-443/host-192.168.11.128/service-ssl/application-generic TLS 1.0 SSL
[*] Asset Found: port-443/host-192.168.11.127/service-ssl/application-generic TLS 1.0 SSL
[*] Asset Found: port-80/host-111.206.80.97/service-www/application-nginx
[*] Asset Found: ip address-192.168.11.5/mac address-0:d0:b7:e0:99:ae (intel corporation)
[*] Asset Found: port-80/host-111.206.80.103/service-www/application-nginx
[*] Asset Found: ip address-192.168.11.127/mac address-0:0c:29:ca:18:10
[*] Asset Found: port-80/host-111.206.80.96/service-www/application-nginx
[*] Asset Found: port-49993/host-192.168.11.1/service-www/application-http/1.1)
[*] Asset Found: port-2869/host-192.168.11.5/service-www/application-microsoft-httpapi/2.0
[*] Asset Found: port-80/host-111.206.80.101/service-www/application-nginx
[*] Asset Found: port-80/host-111.206.37.178/service-www/application-http/1.1)
[*] Asset Found: port-80/host-123.125.80.77/service-www/application-nginx
[*] Asset Found: port-80/host-61.135.186.213/service-www/application-http/1.1)
[*] Asset Found: port-80/host-111.206.80.99/service-www/application-nginx
[*] Asset Found: ip address-192.168.11.129/mac address-0:0c:29:16:e8:82
[*] Asset Found: port-443/host-192.168.11.129/service-ssl/application-generic TLS 1.0 SSL
[*] Asset Found: port-80/host-111.206.80.102/service-www/application-nginx


When ordinary users rely on these three tools to solve a problem, they always have to consult a large volume of command output and miscellaneous logs. Even if that flaw is unavoidable, is there a better solution than reading the log files? Let's use OSSIM to solve these problems.

2. Application


Lab environment: OSSIM server: ossim31

Monitored network segment: 192.168.11.0/24

After installing OSSIM, open the web UI and enter the SIEM console; the SIEM event alerts appear as shown in the figure.

Click the first alarm to view the pads details, as shown in the figure:

A new OS alert is found, as shown in the figure.

Click this record to view the details, as shown in the figure.

Arpwatch alarms appear as shown in the figure.

Here is a look at alarms about ARP anomalies.

3. Event Classification

If there are thousands of arpwatch, p0f and pads events, how do you analyze them? First look at the effect in OSSIM:

After classifying them in this way, you can analyze the categories and sources of these alarms as a whole, and click on the daily events to see their details.
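The pads output in the tools section and the classification view described here both reduce to the same job: turning each tool's free-form output into one event shape, then counting events by category and by source. The following added example (my code, not OSSIM's plugin code) does that for constructed pads, p0f and arpwatch lines, using regular expressions written against the output formats shown on this page. The event type labels ("new service", "os fingerprint" and so on) are my own, not OSSIM taxonomy, and the sample lines reuse addresses from the page.

```python
"""Normalize pads, p0f and arpwatch output into one event shape and count
events by category and source, the way the SIEM console groups them.
Added example; the regexes follow the output formats shown on this page and
the sample lines are constructed (addresses reuse ones from the page)."""
import re
from collections import Counter

PADS_SERVICE = re.compile(
    r"Asset Found:\s*Port\s*-\s*(?P<port>\d+)\s*/\s*Host\s*-\s*(?P<host>[\d.]+)"
    r"\s*/\s*Service\s*-\s*(?P<service>[^/]+?)\s*/\s*Application\s*-\s*(?P<app>.+)$",
    re.IGNORECASE)
PADS_HOST = re.compile(
    r"Asset Found:\s*IP Address\s*-\s*(?P<host>[\d.]+)\s*/\s*MAC Address\s*-\s*(?P<mac>[0-9a-f:]+)",
    re.IGNORECASE)
P0F_SRC = re.compile(r"^(?P<host>[\d.]+):(?P<port>\d+)\s*-\s*(?P<os>.+)$")
P0F_DST = re.compile(r"^->\s*(?P<host>[\d.]+):(?P<port>\d+)")
ARPWATCH = re.compile(
    r"arpwatch:\s*(?P<kind>new station|changed ethernet address|flip flop)\s+"
    r"(?P<host>[\d.]+)\s+(?P<mac>[0-9a-f:]+)(?:\s+\((?P<old>[0-9a-f:]+)\))?",
    re.IGNORECASE)


def parse_events(text):
    """Return a list of {tool, type, src, detail} dicts, one per event.
    p0f prints two lines per connection; the '->' line is folded into the
    event created by the line before it."""
    events, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PADS_SERVICE.search(line):
            events.append(dict(tool="pads", type="new service", src=m["host"],
                               detail=f"{m['port']}/{m['service']} {m['app']}"))
        elif m := PADS_HOST.search(line):
            events.append(dict(tool="pads", type="new host", src=m["host"], detail=m["mac"]))
        elif m := ARPWATCH.search(line):
            old = f" was {m['old']}" if m["old"] else ""
            events.append(dict(tool="arpwatch", type=m["kind"].lower(), src=m["host"],
                               detail=m["mac"] + old))
        elif (m := P0F_DST.match(line)) and pending is not None:
            pending["detail"] += f" -> {m['host']}:{m['port']}"
            pending = None
        elif m := P0F_SRC.match(line):
            os_name = m["os"].strip()
            kind = "unknown os" if os_name.upper().startswith("UNKNOWN") else "os fingerprint"
            pending = dict(tool="p0f", type=kind, src=m["host"], detail=os_name)
            events.append(pending)
        else:
            events.append(dict(tool="unparsed", type="unparsed", src="", detail=line))
    return events


def classify(events):
    """Counts by (tool, event type) and by source address: the two views you
    want once there are thousands of events."""
    by_category = Counter((e["tool"], e["type"]) for e in events)
    by_source = Counter(e["src"] for e in events if e["src"])
    return by_category, by_source


# Constructed sample: pads lines in both the spaced and the compressed form
# seen on this page, two p0f connection records, and two arpwatch syslog lines.
SAMPLE = """\
[*] Asset Found: Port - 443 / Host - 192.168.11.128 / Service - ssl / Application - generic TLS 1.0 SSL
[*] Asset Found: Port - 80 / Host - 111.206.80.97 / Service - www / Application - nginx
[*] Asset Found: IP Address - 192.168.11.5 / MAC Address - 0:d0:b7:e0:99:ae (Intel Corporation)
[*] Asset found:port-2869/host-192.168.11.5/service-www/application-microsoft-httpapi/2.0
192.168.11.2:51579 - UNKNOWN [8192:64:1:52:M1460,N,W2,N,N,S:.:?:?]
  -> 192.168.11.127:443 (link: ethernet/modem)
192.168.11.1:3538 - Linux 2.6, seldom 2.4 (older, 2) (up: 3221 hrs)
  -> 192.168.11.21:21 (distance 0, link: ethernet/modem)
arpwatch: new station 192.168.11.5 0:d0:b7:e0:99:ae
arpwatch: changed ethernet address 192.168.11.5 0:11:22:33:44:55 (0:d0:b7:e0:99:ae)
"""


def summarize(text=SAMPLE):
    """Parse and classify in one call; returns (by_category, by_source)."""
    return classify(parse_events(text))


if __name__ == "__main__":
    cats, srcs = summarize()
    for (tool, kind), n in sorted(cats.items()):
        print(f"{n:3d}  {tool:<9} {kind}")
    print("busiest source:", srcs.most_common(1)[0])
```

Lines that match none of the patterns are kept as "unparsed" events rather than dropped, so a format change in one tool shows up as a growing unparsed count instead of silently thinning the alert stream. The per-source counter is what surfaces a host like 192.168.11.5 that appears in pads, arpwatch and the p0f-facing records at once.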


Looking at these views, you may feel this is much better than using tcpdump or Wireshark to capture ARP changes, as before! More powerful tools will be introduced in the future. OSSIM3 provides this feature and can indeed solve big problems for us, but this is only an outdated version; it has now developed to OSSIM 5.2, and I will introduce more useful features in the new book.

