"Open Source Security Operations and Maintenance Platform: OSSIM Best Practices"
After years of painstaking research into open source technology and three years of writing, the book "Open Source Security Operations and Maintenance Platform: OSSIM Best Practices" will be published soon. At more than 800,000 words, it records the author's more than 10 years of accumulated experience in the IT industry, focusing on the practical use of the open source security management platform OSSIM for network operations and maintenance in large enterprises. A wide range of open source security operations and maintenance systems exist today, but in the author's comparative analysis none of them matches OSSIM in functionality, performance, security, stability or ease of use; many domestic open source security operations projects gradually fade out 1-2 years after release, whereas OSSIM has been in continuous development for more than 10 years. Below is an overview of the main OSSIM content the book covers.
Table of Contents
Part 1: Fundamentals
Chapter 1 OSSIM Architecture and Principles 2
1.1 OSSIM overview 2
1.1.1 From SIM to OSSIM 3
1.1.2 Security Information and Event Management (SIEM) 4
1.1.3 The history of OSSIM 5
1.2 OSSIM architecture and components 11
1.2.1 Relationships between the main modules 12
1.2.2 Security plug-ins (plugins) 14
1.2.3 The difference between collection and monitoring plug-ins 15
1.2.4 Detectors 18
1.2.5 Agents 18
1.2.6 Decoding alarm formats 19
1.2.7 The OSSIM agent 20
1.2.8 The difference between an agent and a plug-in 24
1.2.9 Sensors 24
1.2.10 Correlation engine 26
1.2.11 Database 28
1.2.12 Web framework 29
1.2.13 Ajax-based interaction 30
1.2.14 Normalization process 31
1.2.15 Standard security event format 31
1.2.16 OSSIM service ports 35
1.3 Plug-in-based log collection 37
1.3.1 Security event classification 37
1.3.2 Collection approach 37
1.4 Agent event types 43
1.4.1 General log example 43
1.4.2 The one-to-many relationship of plugin_id 44
1.4.3 Example of a Mac event log 46
1.4.4 Operating system event log example 46
1.4.5 System service event log example 46
1.5 RRDtool drawing engine 47
1.5.1 Background 47
1.5.2 How RRDtool differs from a relational database 48
1.5.3 RRD drawing flow 48
1.6 OSSIM workflow 49
1.7 Caching vs. message queuing 49
1.7.1 Cache system 49
1.7.2 Message queue processing 50
1.7.3 RabbitMQ 51
1.7.4 Choosing key/value storage 52
1.7.5 OSSIM operations on Redis 53
1.7.6 Redis server configuration in detail 56
1.7.7 Monitoring RabbitMQ, Redis and memcached 57
1.8 OSSIM high-availability architecture 59
1.8.1 OSSIM high-availability implementation technology 59
1.8.2 Installation environment 60
1.8.3 Configuring the local host 60
1.8.4 Configuring a remote host 61
1.8.5 Synchronizing databases 61
1.8.6 Synchronizing local files 61
1.9 OSSIM firewall 62
1.9.1 Understanding the filter mechanism 62
1.9.2 Rule matching process 64
1.9.3 iptables rule base management 65
1.10 OSSIM scheduled tasks 66
1.10.1 Linux scheduled tasks 66
1.10.2 Scheduled tasks in OSSIM 68
1.11 Summary 70
Chapter 2 OSSIM Deployment and Installation 71
2.1 OSSIM installation strategy 71
2.1.1 Custom IDS strategy 71
2.1.2 Sensor placement 72
2.2 Distributed OSSIM system 73
2.2.1 Special applications 74
2.2.2 Multi-IDS system applications 74
2.3 Pre-installation preparation 75
2.3.1 Hardware and software pairing 75
2.3.2 Sensor deployment 76
2.3.3 Probe layout in a distributed OSSIM system 78
2.3.4 Choice of OSSIM server 78
2.3.5 Selecting the NIC 80
2.3.6 Manually loading the NIC driver 80
2.3.7 Multi-core vs. single-core CPUs 81
2.3.8 Finding hardware information 81
2.3.9 Differences between the OSSIM USM and Sensor installation modes 82
2.3.10 Comparison of the OSSIM commercial and free editions 83
2.3.11 OSSIM implementation features 84
2.3.12 Division of OSSIM administrator roles 85
2.4 Hybrid server/sensor installation mode 86
2.4.1 Pre-installation preparation 86
2.4.2 Starting the OSSIM installation 86
2.4.3 Handling a forgotten Web UI login password 90
2.5 Initializing the system 90
2.5.1 Initial setup page 91
2.5.2 OTX: the threat intelligence exchange system 97
2.6 Considerations for installing OSSIM on VMware ESXi 100
2.6.1 Setup method 100
2.6.2 Disk not found inside the virtual machine 102
2.7 OSSIM distributed installation in practice 102
2.7.1 Security certification center (CA) based on OpenSSL 102
2.7.2 Installation steps 102
2.7.3 Distributed deployment (VPN connection) example 103
2.7.4 Installing multiple OSSIM sensors 105
2.7.5 Sensor re-assembly process 110
2.8 Adding a VPN connection 111
2.8.1 Requirements 111
2.8.2 Server-side configuration (10.0.0.30) 111
2.8.3 Sensor configuration (10.0.0.31) 112
2.9 Final stage of installation 113
2.10 Post-installation work 114
2.10.1 Time synchronization problems 114
2.10.2 System upgrade 115
2.10.3 Common apt-get operations 118
2.10.4 Scanning assets 119
2.10.5 Upgrading the system through an agent 119
2.10.6 Firewall settings 120
2.10.7 Enabling high resolution on the console 121
2.10.8 Manually modifying the server IP address 121
2.10.9 Modifying the system gateway and DNS address 121
2.10.10 Changing the default network interface 122
2.10.11 Removing the login menu 122
2.10.12 Entering OSSIM single-user mode 122
2.11 Starting and stopping OSSIM 123
2.12 Installing remote administration tools 125
2.12.1 Installing the Webmin management tool 125
2.12.2 Installing phpMyAdmin 125
2.12.3 Migrating a database with the phpMyAdmin sync feature 127
2.13 Viewing sensor status in a distributed system 128
2.13.1 Setting indicators 128
2.13.2 Precautions 130
2.14 Installing the desktop environment 131
2.14.1 Installing the GNOME environment 131
2.14.2 Installing the FVWM environment 132
2.14.3 Installing virtual machines 135
2.15 The automation configuration management tool Ansible 137
2.15.1 The core role of SSH 138
2.15.2 Ansible configuration 139
2.15.3 Ansible in practice 139
2.15.4 Rich module library 144
2.15.5 Ansible vs. other configuration management tools 144
2.16 SIEM console basics 144
2.16.1 SIEM console log filtering tips 145
2.16.2 Adding important logs to the knowledge base 151
2.16.3 How different log categories are displayed in the SIEM 153
2.16.4 Common search information 156
2.16.5 Dashboard display 156
2.16.6 Event deletion and recovery 157
2.16.7 Deep use of the SIEM console 158
2.16.8 SIEM event aggregation 162
2.16.9 SIEM features 163
2.16.10 Showing the computer name in SIEM alerts 170
2.16.11 SIEM event retention period 170
2.16.12 Relationship between SIEM data sources and plug-ins 171
2.16.13 Meaning of the 0.0.0.0 address in the SIEM log display 172
2.16.14 What to do when SIEM security events cannot be displayed 173
2.16.15 SIEM database recovery 173
2.16.16 Meaning of EPS 174
2.16.17 Common OSSIM installation and usage errors 175
2.17 Visual analysis of network attack alarms 177
2.17.1 Alarm event generation 177
2.17.2 Alarm event classification 178
2.17.3 Sample packet downloads for the five alarm classes 183
2.17.4 Alarm grouping 183
2.17.5 Identifying whether an alarm is genuine 185
2.17.6 Triggering OSSIM alarms 185
2.18 Summary 193
Part 2: Advanced
Chapter 3 OSSIM Database Overview
3.1 OSSIM database composition 195
3.1.1 MySQL 195
3.1.2 Local access 196
3.1.3 Checking and analyzing tables 198
3.1.4 Enabling the MySQL slow query log 199
3.1.5 Remote access 199
3.1.6 MongoDB 200
3.1.7 SQLite 201
3.2 OSSIM database analysis tools 201
3.2.1 Load simulation method 202
3.2.2 Analyzing the database with the MySQL Workbench tool 203
3.3 Viewing and interpreting the OSSIM database table structure 209
3.4 Basic MySQL operations 212
3.5 OSSIM system migration 213
3.5.1 Migration preparation 213
3.5.2 Restoring OSSIM 214
3.6 OSSIM database FAQ 216
1. How to rebuild the database when the OSSIM 4 system database is damaged.
2. How to query the tables whose names begin with "host" in the OSSIM database.
3. How to back up the OSSIM SIEM database.
4. How to view MySQL database information.
5. How to view the SIEM database backups of the OSSIM system.
6. How to terminate OSSIM database zombie processes.
7. How to handle the "Mysql:error 1040:too many connections" situation when the OSSIM system is under heavy load.
8. How to export the OSSIM database table structure remotely.
9. How to handle acid table errors in the OSSIM system.
10. Can the MySQL database password be modified in the OSSIM system?
11. How to check tables in the database that were corrupted when a database write was accidentally interrupted.
12. How to clean up the OSSIM database.
13. How to back up the OSSIM database with Xtrabackup.
14. How to quickly clear the SIEM database.
15. How to record the OSSIM database execution process.
16. How to optimize tables.
17. How to back up the database with mysqldump.
3.7 Summary 226
Chapter 4 OSSIM Correlation Analysis Technology 227
4.1 Background of correlation analysis technology 227
4.1.1 Current challenges 227
4.1.2 Basic concepts 228
4.1.3 Relationships between security events 228
4.2 Correlation analysis basics 229
4.2.1 From massive data to accurate data 229
4.2.2 Classification of network security events 230
4.2.3 The difference between an alarm and a ticket 234
4.2.4 Using tickets 235
4.2.5 Adding to the knowledge base 236
4.2.6 Security event extraction 237
4.2.7 OSSIM's correlation engine 238
4.2.8 Cross-correlation of events 239
4.3 Alarm aggregation 240
4.3.1 Alarm sample example 240
4.3.2 Event aggregation 241
4.3.3 Event aggregation example 242
4.3.4 Representation of event aggregation in OSSIM 243
4.3.5 Redundant alarms in the SIEM 244
4.3.6 Merging similar events 245
4.3.7 Distinguishing similar events 245
4.3.8 Merge process 246
4.3.9 Event mapping 246
4.3.10 OSSEC alarm information clustering 247
4.3.11 Merging OSSEC and Snort events 248
4.4 Risk assessment method 249
4.4.1 The three elements of risk assessment 249
4.4.2 Example of the relationship between risk, priority and reliability 250
4.4.3 Dynamic confidence value (reliability) 253
4.4.4 Viewing different events in the SIEM 254
4.5 OSSIM system risk measurement method 256
4.5.1 Risk determination 256
4.5.2 Event accumulation process 258
4.6 Correlation categories in OSSIM 259
4.6.1 Related categories 259
4.6.2 Correlation directive classification 260
4.6.3 Directive composition 262
4.6.4 Reading directive rules 264
4.6.5 Directive info 265
4.7 Creating a new correlation directive 266
4.8 Correlation rules for OSSIM 270
4.8.1 Correlation directive configuration interface 271
4.8.2 Building rules 274
4.9 Correlation rules in depth 276
4.9.1 Basic operations 276
4.9.2 Understanding the rule tree 277
4.9.3 Building attack scenarios 281
4.9.4 Alarm aggregation calculation method 282
4.10 Implementing an SSH login failure alarm with a custom policy 282
4.11 Summary 286
Chapter 5 OSSIM System Monitoring Tools 287
5.1 Linux performance evaluation 287
5.1.1 Performance evaluation tools 287
5.1.2 Finding processes that consume resources 289
5.2 OSSIM stress testing 289
5.2.1 Hardware and software test environment 289
5.2.2 Test items 290
5.2.3 Test tools 290
5.2.4 The IDS test tool nidsbench 293
5.3 Profiling tool examples 295
5.3.1 sar 296
5.3.2 vmstat 296
5.3.3 Analyzing the I/O subsystem with iostat 297
5.3.4 dstat 298
5.3.5 iotop 300
5.3.6 atop 300
5.3.7 ss, the replacement for netstat 300
5.4 MySQL health on the OSSIM platform 301
5.4.1 Factors that affect MySQL performance 301
5.4.2 System IOPS 302
5.5 Using the syslog stress-test tool mustsyslog 303
5.5.1 Installing mustsyslog 304
5.5.2 Log template design 306
5.5.3 Log label description 306
5.5.4 Domain label example 306
5.6 Frequently asked questions 307
1. Where to find large files when the OSSIM system runs out of space.
2. When to consider increasing system memory.
3. Command-line tools to check the overall state of the OSSIM system.
4. The MySQL monitoring tool mytop.
5. Tools to monitor Linux system resources and processes.
6. How to find the most memory-consuming processes (smem).
7. How to sort OSSIM system directories by size (ncdu).
8. The OSSIM traffic monitoring tool iftop.
9. How to test OSSIM response speed with Apache's own tool ab.
10. How to learn more about network bandwidth usage by OSSIM system processes.
11. Stress testing the OSSIM system with tcpreplay.
12. Using the stress-test tool Tsung.
13. Using hping3.
5.7 Summary 322
Chapter 6 Snort Rule Analysis 323
6.1 Preprocessors 323
6.1.1 Introduction to preprocessors 323
6.1.2 Adjusting preprocessors 330
6.1.3 Classification of network attack patterns 330
6.2 Snort log analysis weapons 332
6.3 Snort log analysis 333
6.3.1 Operating modes and output plug-ins 333
6.3.2 Packet logging mode 335
6.3.3 Network intrusion detection mode (HIDS) 338
6.3.4 Output plug-ins 338
6.4 Writing Snort rules 345
6.4.1 Snort rule analysis 346
6.4.2 Rule composition and meaning 347
6.4.3 Writing Snort rules 353
6.4.4 Manually modifying Suricata rules 356
6.4.5 Enabling new ET rules 356
6.4.6 Applying new rules 357
6.4.7 Active detection and passive detection 358
6.5 Suspicious traffic detection technology 358
6.5.1 Detection by signature 358
6.5.2 Detecting suspicious payloads 358
6.5.3 Detecting specific elements 359
6.5.4 Snort rules and SPADE detection in OSSIM 360
6.5.5 Behavioral feature analysis of malicious code 360
6.5.6 Honeypot detection 361
6.6 Advanced Snort rules 362
6.6.1 Alarms for suspicious traffic 362
6.6.2 Null session attack vulnerability alarm 363
6.6.3 Obtaining user privileges 363
6.6.4 Alarm rule for failed privilege escalation 364
6.6.5 Attempts to obtain administrator privileges 364
6.6.6 Successfully obtaining administrator privileges 364
6.6.7 Denial of service 365
6.7 Application in high-speed network environments 367
6.7.1 Suricata vs. Snort 367
6.7.2 pf_ring working modes 368
6.8 Network abnormal behavior analysis 368
6.8.1 Process analysis 368
6.8.2 Example 370
6.9 Summary 371
Chapter 7
Chapter 8
Chapter 9
Chapter 10