Tutorial 7: Feature highlight / pre-tutorial on Risk Maps
Wed, 15 Oct 2008

Introduction

Today I would to share something interesting we're working on: Risk/Availability/Vulnerability indicator Maps.

The purpose was to fit the most important information that can be gained from ossim all over it's interface, into a simple to use, simple to manage and simple to analyze interface.
We already had an approach to both, to using maps (images) and to aggregate/organize different input into meta-objets (what we called business processes). But, both of them had the same problem: they were complex and they were ugly.



::read more

posted at: 14:26 | path: /ossim/tutorials | permanent link to this entry | 1 comments |
Tags: , , ,



Tutorial 6: Plugin writing primer
Tue, 11 Mar 2008

A couple of days ago I was fixing the fortinet/fortigate with the kind help of a Swiss OSSIM user (thanks Mikael ;-) ) and I wrote this little piece of python in order to help me out with it. Now I'm using it a lot to debug plugins so I guess more people could benefit from this also :-)
And well, I'll paste a sample plugin debugging session in order to give ideas.
BTW, this assumes basic knowledge of regular expressions, check this Regexp Primer out if you want to refresh that knowledge. And BTW2, some log lines are broken for readability.



::read more

posted at: 11:38 | path: /ossim/tutorials | permanent link to this entry | 2 comments |
Tags: , ,



Tutorial 5: Windows event logging
Wed, 19 Dec 2007

The windows event log

As an introduction to windows event logging I recommend reading the following article: Monitoring and Troubleshooting Using Event Logs. It's the first interesting one I've found after googling for an introduction.

Quoting the article, which also talks about EventCombMT.exe which we'll mention later:

This article reviews best practices for working with Windows event logs including how to interpret 
event messages, how to configure event logs, how to search and filter events, how to view events on 
remote systems, and how to use EventCombMT.exe and other tools to monitor events on multiple systems.


::read more

posted at: 15:54 | path: /ossim/tutorials | permanent link to this entry | 11 comments |
Tags: , , , ,



Tutorial 4: Correlation engine primer
Mon, 10 Dec 2007

Introduction

In order to answer to a recent forum post I had to do a quick research since it had been some time since I last tested this.
The exact question was:

Hello,

Is there a document talking about how the directives are processed?  One question
that I have is if you have multiple directives created and an event comes in
that matches the initial states of more than a single directive will both actually
process the event, or only the first match (which I think is the case)?

Thanks for any clarification you can provide.

Stephen

This post gives a bit of insight to how the correlation engine works and features some simple, custom made directives that help me answer that question.

The test environment features two events belonging to the ssh plugin (plugin_id 4003):
  • SSH password failed (plugin_sid 1)
  • SSH password accepted (plugin_sid 7)
In order to test this I've created three directives (plugin_id 1505)
  • Test directive 21, grouping one login failure and one success
  • Test directive 22, grouping one login failure and one success
  • Test directive 23, used in the second case, grouping those two
So, with all of this in place it was easy to simulate this failing a login and succeeding afterwards.


::read more

posted at: 12:47 | path: /ossim/tutorials | permanent link to this entry | 3 comments |
Tags: , , ,



Tutorial 3: First recommended steps after installation
Fri, 07 Dec 2007

This tutorial tries to show the first common steps you could perform if you're new to ossim and just finished installation, without knowing what to do next.
The tutorial will cover:

  • Policies
  • Initial Inventory
  • Scans
  • Scheduled scans
  • What to do next
Many topics we'll cover on this tutorial can be extended checking the documentation wiki.


::read more

posted at: 16:53 | path: /ossim/tutorials | permanent link to this entry | 4 comments |
Tags: , ,



Tutorial 2: Syslog data mining with attached md5sum. AKA "Store 100% of data".
Thu, 06 Dec 2007

1. The need. The Hype.

There's obviously a need for storing vast amount of logs, and few things today aren't able to log into syslog. So it's just obvious to stumble upon that request every once in a while, and this tutorial illustrates the OSSIM approach at massive syslog data storage. Of course, where you say syslog you can say windows event log, snmp data, whatever generates a big amount of raw data.

Compliance

I don't know much yet about all of this compliance stuff (I were lucky, Julio always has been much more knowledgeable on that area than me so I could skip it) but I guess I'll have to start learning, there are just too many people asking for it and I'm getting very curious.

From what I've seen, a short list of regulations requiring, or at least strongly recommending a certain amount of raw data storage and reports are:
  • ISO27001/17799
  • SOX
  • HIPAA
  • PCI
  • Basel II
  • NIST 800-53
  • Many more...
(Searching for SIM and compliance information I see that's a major marketing point from vendors too, well, just for the records, ossim helps you to be compliant with all that stuff)

Centralized logging

Maybe the need is pure sysadmin's lazyness. You want to be able to answer to questions you get asked by your management / customers in the easiest possible way.
I heard this from a guy a couple of days ago: the more information about your network you've got, the more answers you can give, and that's exactly what SIM/SEM systems are good at.

Data mining

This is a bit redundant with the previous entry, but there are people that just don't care about exact data, but they're in desperate need of colorful graphs in order to be able to keep their bosses calm. Well, having logs from everything in your network allows for easy colorful report generation with little knowledge of the underlying data. The worthyness of those reports in the end will be highly questionable of course.


::read more

posted at: 20:10 | path: /ossim/tutorials | permanent link to this entry | 11 comments |
Tags: , , , , ,



Tutorial 1: Host Inventory using OSSIM
Sun, 25 Nov 2007

This post will be the first of a series of tutorials describing how to accompliush certain useful things using OSSIM. A friendly IT teacher from Oklahoma suggested that it would be a good idea, and I have to agree. And on top, it's relaxing :-).

So here we go, this first installment will focus on deploying OCS Inventory on a couple of hosts, getting them to log to the central ossim server and see how it shows up in our interface. This will demonstrate the powerful cross-platform inventory capabilities built into ossim thanks to the new OCS integration.

The test environment consists of 6 devices:

  • Apple 10.5 Leopard
  • Debian 4.0 Linux inside Parallels
  • IPhone MacosX
  • OpenBSD 4.x
  • Windows XP inside Parallels
  • Yellow Dog Linux running on a PS3

::read more

posted at: 11:26 | path: /ossim/tutorials | permanent link to this entry | 9 comments |
Tags: , , ,



Categories

/ (36)
    code/ (1)
    feed/ (1)
    ossim/ (24)
        installer/ (3)
        plugins/ (2)
        tuning/ (3)
        tutorials/ (7)
    personal/ (9)
        campus/ (2)
        opinion/ (1)
        travel/ (1)
    rants/ (1)



RSS



< October 2008
MoTuWeThFrSaSu
   1 2 3 4 5
6 7 8 9101112
13141516171819
20212223242526
2728293031  



Archives

2008-Oct
2008-Aug
2008-Jul
2008-May
2008-Mar
2008-Feb
2008-Jan
2007-Dec
2007-Nov



Tags


Made with PyBlosxom