Santi 'Log


07 Mar 2009

OSCON '09 submittal - Maybe next year
Sat, 07 Mar 2009

Introduction

I want to announce that I have submitted a proposal for an OSSIM workshop at the Open Source Convention this year in San Jose, California. The event takes place on 20-24 July. As the proposal is still under review I am not completely sure about our presence there; nevertheless, I am glad to share the submittal with you.

OSCON website: http://en.oreilly.com/oscon2009/

On the other hand, if anybody knows of an interesting infosec event anywhere where OSSIM would fit, please drop me a line at santiago@ossim.com and we can look into giving a talk there.

OSSIM workshop proposal for OSCON '09

OSSIM stands for Open Source Security Information Management. It is a security system built by integrating more than 15 well-known Open Source tools. Its goal, based on data correlation, is to provide a centralized console with all the information necessary for attack and anomaly detection, forensic analysis, policy definition and risk assessment. It also has a high-level visualization interface as well as reporting and incident management tools.

The main idea is to give a 3-hour technical tutorial explaining the system architecture and functionality, and to see it working in real time with different use cases. To achieve this goal, I propose the following outline:

1.- Brief introduction of the tutorial (10 minutes).

2.- OSSIM explanation:

  • System architecture (10 min)
  • Components and their functionalities (10 min)
  • Data collection, correlation engine and policies definition (10 min)

3.- Use cases: In order to test OSSIM's features we will launch some common attacks in a virtual scenario using VMware. This way we will see real-time detection, based on the correlation engine, and perform low-level forensic analysis to understand as much as possible about the attack method used and its behavior.

  • Brute force attacks against Unix and Microsoft environments (10 min)
  • Buffer overflow exploits using Metasploit, and shellcode analysis (15 min)
  • Detecting network scans using the anomaly preprocessor (10 min)
  • Worm propagation attempt (15 min)
  • Denial of Service attack (10 min)
  • Security policy violations (10 min)
  • Real-time network behavior visualization (15 min)

4.- OSSIM deployment in real networks (15 min)

5.- Honeypots data collection and correlation (20 min)

6.- Questions and others (20 min)

Tools we are going to use:

  • VMware Server
  • OSSIM (virtual machine)
  • Backtrack 3 Linux distribution (virtual machine)
  • Windows XP Pro (virtual machine)
  • Nepenthes (virtual machine)

Example: If you want to see an example video of an attack detected with OSSIM, you can check it at my blog at http://www.alienvault.com/blog/santiago/ossim/tests/index. At the conference we will explain similar use cases in depth, so attendees will understand how to take advantage of this security system.

More info about OSSIM at: http://www.ossim.net

Confirmation

When I get an answer from the OSCON people I will update this post to confirm whether this workshop will really take place. And, by the way, if there is OSSIM presence at some other event, please feel free to post your comments to let us know.

In the end we won't be at OSCON '09

I am sorry to say that we won't be at OSCON, as they are at full capacity this year. Quoting them: "The response to our Call for Proposals was overwhelming, and we received far more than we can possibly accommodate in the program."

Nevertheless, we have planned some other conferences over the next months, so there will be new entries on the blog announcing them :-)

posted at: 16:50 | path: /ossim/events | permanent link to this entry | 0 comments |
Tags: ossim, conference, oscon