OSCON '09 submittal - Maybe next year
Sat, 07 Mar 2009

Introduction

I want to announce that I have submitted a proposal for an OSSIM workshop at the Open Source Convention this year in San Jose, California. The event takes place on 20-24 July. As the proposal is still under review I am not yet sure we will be there; nevertheless I am glad to share the submittal with you.

OSCON website: http://en.oreilly.com/oscon2009/

If anybody knows of an interesting infosec event anywhere where OSSIM would fit, please drop me a line at santiago@ossim.com and we can consider giving a talk there.

OSSIM workshop proposal for OSCON '09

OSSIM stands for Open Source Security Information Management. It is a security system that integrates more than 15 well-known open source tools. Its goal is to use data correlation to provide a centralized console with all the information needed for attack and anomaly detection, forensic analysis, policy definition and risk assessment. It also offers a high-level visualization interface as well as reporting and incident management tools.

The main idea is a 3-hour technical tutorial explaining the system architecture and functionality and showing it working in real time on different use cases. To achieve this, I propose the following outline:

1.- Brief introduction to the tutorial (10 min).

2.- OSSIM explanation:

  • System architecture (10 min)
  • Components and their functions (10 min)
  • Data collection, correlation engine and policies definition (10 min)

3.- Use cases: to exercise OSSIM's features we will launch some common attacks in a virtual scenario built on VMware. This lets us watch real-time detection by the correlation engine and then perform low-level forensic analysis to understand as much as possible about the attack method used and its behaviour.

  • Brute-force attacks against Unix and Microsoft environments (10 min)
  • Buffer overflow exploits using Metasploit, with shellcode analysis (15 min)
  • Detecting network scans with the anomaly-detection preprocessor (10 min)
  • Worm propagation attempt (15 min)
  • Denial of Service attack (10 min)
  • Security policy violations (10 min)
  • Real-time visualization of network behaviour (15 min)

4.- OSSIM deployment in real networks (15 min)

5.- Honeypot data collection and correlation (20 min)

6.- Questions and other topics (20 min)

Tools we are going to use:

  • VMware Server
  • OSSIM (virtual machine)
  • Backtrack 3 Linux distribution (virtual machine)
  • Windows XP Pro (virtual machine)
  • Nepenthes (virtual machine)

Example: if you want to see a video of an attack detected with OSSIM, you can find one on my blog at http://www.alienvault.com/blog/santiago/ossim/tests/index. At the conference we will explain similar use cases in depth, so attendees will understand how to take advantage of this security system.

More info about OSSIM at: http://www.ossim.net

Confirmation

When I get an answer from the OSCON organizers I will update this post to confirm whether the workshop will really take place. And, by the way, if OSSIM is present at some other event, please feel free to post a comment to let us know.

In the end we won't be at OSCON '09

I am sorry to say that we won't be at OSCON, as they are at full capacity this year. Quoting them: "The response to our Call for Proposals was overwhelming, and we received far more than we can possibly accommodate in the program."

Nevertheless we have planned some other conferences over the coming months, so there will be new blog entries announcing them :-)

posted at: 16:50 | path: /ossim/conferences



Detecting ASN.1 buffer overflow attack
Wed, 20 Aug 2008

Introduction

This is my first post on my recently opened blog. I hope the issues discussed here will be interesting for OSSIM users and perhaps for some other people too.


The first thing I will try to explain is how to test OSSIM by generating real-time attacks, such as exploiting a buffer overflow against an unpatched host. For this purpose we will use the Microsoft ASN.1 library buffer overflow vulnerability (MS04-007, CVE-2003-0818), whose details can be found at http://www.phreedom.org/solar/exploits/msasn1-bitstring/. The same page also provides an exploit called kill-bill that takes advantage of this vulnerability ;-)


Now let's see the steps needed to raise an alarm in OSSIM and execute an action-response policy...


OSSIM configuration

1.- Detect the intrusion with Snort rules. In this case the detection is done by the rule "NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt" (sid 3000). I paste it here, copied from /etc/snort/rules/netbios.rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:3000; rev:4;)

2.- The next step is to create a simple directive to feed the correlation engine. Directives live in /etc/ossim/server/generic.xml. The one I have created is:

<directive id="24" name="Buffer overflow attempt against DST_IP" priority="9">
   <rule type="detector" name="Buffer overflow rule matched" reliability="9"
   occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
   plugin_id="1001"
   plugin_sid="2383"/>
</directive>

This is the simplest form of a directive, but we can nest several levels of rules to detect more complex attacks (e.g. adding rules that match port scans or session duration). One check worth making: plugin_id 1001 is Snort in OSSIM's plugin numbering, and plugin_sid must be the Snort sid of the rule that actually fires. The rule pasted above carries sid:3000, while this directive matches sid 2383, so confirm which sid your sensor reports for the attack (grep 'sid:2383' /etc/snort/rules/netbios.rules shows the rule behind that number) before relying on the directive. Here is an example of a two-level directive, a port scan followed by an open port found (I also use it in the video demo below):

<directive id="25" name="TCP Portscan against DST_IP" priority="6">
   <rule type="detector" name="TCP Portscan" reliability="5"
   occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
   plugin_id="1122"
   plugin_sid="1">
      <rules>
         <rule type="detector" name="portscan: Open Port" reliability="+3"
         occurrence="1" from="1:SRC_IP" to="1:DST_IP" port_from="ANY" port_to="ANY"
         plugin_id="1122"
         plugin_sid="27"/>
      </rules>
   </rule>
</directive>

3.- The last step is to configure an action (for example sending an e-mail) to execute when the alarm is generated. This is easily done from the web framework.
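To make the semantics of the two directives above concrete, here is a toy re-implementation of how the correlation engine walks a directive. It is an added example and not OSSIM's own code: it parses the two directives exactly as written in this post, then runs a few constructed events through them to show how nested rule levels, the "1:SRC_IP"/"1:DST_IP" back-references to the level-1 event, and the relative reliability "+3" combine into an alarm named after the target. The Event fields, the sample IP addresses and all helper names are this example's own assumptions; the real engine also weighs reliability against the directive priority and the target's asset value to compute a risk, which this toy does not model.

```python
"""Toy OSSIM-style directive correlation (added example, not OSSIM's code)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# The two directives from the post, verbatim, wrapped in a single root element.
DIRECTIVES_XML = """<directives>
<directive id="24" name="Buffer overflow attempt against DST_IP" priority="9">
   <rule type="detector" name="Buffer overflow rule matched" reliability="9"
   occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
   plugin_id="1001" plugin_sid="2383"/>
</directive>
<directive id="25" name="TCP Portscan against DST_IP" priority="6">
   <rule type="detector" name="TCP Portscan" reliability="5"
   occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
   plugin_id="1122" plugin_sid="1">
      <rules>
         <rule type="detector" name="portscan: Open Port" reliability="+3"
         occurrence="1" from="1:SRC_IP" to="1:DST_IP" port_from="ANY" port_to="ANY"
         plugin_id="1122" plugin_sid="27"/>
      </rules>
   </rule>
</directive>
</directives>"""


@dataclass
class Event:
    """Minimal normalized event as the agent would hand it to the server (assumed fields)."""
    plugin_id: int
    plugin_sid: int
    src_ip: str
    dst_ip: str


@dataclass
class Backlog:
    """A partially matched directive: events matched so far and the rule we are at."""
    directive: ET.Element
    rule: ET.Element
    matched: list = field(default_factory=list)
    reliability: int = 0


def _resolve(value, matched):
    """'ANY' -> no constraint; 'N:SRC_IP'/'N:DST_IP' -> address from the level-N event."""
    if value == "ANY":
        return None
    if ":" in value:
        level, attr = value.split(":")
        ev = matched[int(level) - 1]
        return ev.src_ip if attr == "SRC_IP" else ev.dst_ip
    return value  # a literal address


def _rule_matches(rule, event, matched):
    if int(rule.get("plugin_id")) != event.plugin_id:
        return False
    if int(rule.get("plugin_sid")) != event.plugin_sid:
        return False
    want_src = _resolve(rule.get("from"), matched)
    want_dst = _resolve(rule.get("to"), matched)
    if want_src is not None and want_src != event.src_ip:
        return False
    if want_dst is not None and want_dst != event.dst_ip:
        return False
    return True  # occurrence="1" everywhere on the page, so counts are not modelled


def _apply_reliability(current, spec):
    """'+3' is relative to the previous level; a bare number replaces it."""
    return current + int(spec) if spec.startswith("+") else int(spec)


def _children(rule):
    rules = rule.find("rules")
    return list(rules) if rules is not None else []


def correlate(events, directives_xml=DIRECTIVES_XML):
    """Feed events in order; return the alarms raised when a directive's last level matches."""
    root = ET.fromstring(directives_xml)
    backlogs, alarms = [], []
    for ev in events:
        # 1. Try to advance every open backlog into one of its child rules.
        for bl in backlogs:
            for child in _children(bl.rule):
                if _rule_matches(child, ev, bl.matched):
                    bl.matched.append(ev)
                    bl.reliability = _apply_reliability(bl.reliability, child.get("reliability"))
                    bl.rule = child
                    break
        # 2. Open a new backlog for every directive whose level-1 rule matches.
        for directive in root:
            top = directive.find("rule")
            if _rule_matches(top, ev, []):
                rel = _apply_reliability(0, top.get("reliability"))
                backlogs.append(Backlog(directive, top, [ev], rel))
        # 3. A backlog sitting on a leaf rule is complete: raise the alarm.
        for bl in list(backlogs):
            if not _children(bl.rule):
                first = bl.matched[0]
                name = bl.directive.get("name").replace("SRC_IP", first.src_ip).replace("DST_IP", first.dst_ip)
                alarms.append({"directive": int(bl.directive.get("id")), "name": name,
                               "reliability": bl.reliability, "events": len(bl.matched)})
                backlogs.remove(bl)
    return alarms


# Constructed sample traffic: a scan, an unrelated open-port hit, the matching open-port
# hit, then the Snort ASN.1 overflow detection (plugin 1001 / sid 2383 as in directive 24).
SAMPLE_EVENTS = [
    Event(1122, 1, "10.0.0.5", "10.0.0.20"),
    Event(1122, 27, "10.0.0.99", "10.0.0.20"),   # wrong source: must not close directive 25
    Event(1122, 27, "10.0.0.5", "10.0.0.20"),
    Event(1001, 2383, "10.0.0.5", "10.0.0.20"),
]

if __name__ == "__main__":
    for alarm in correlate(SAMPLE_EVENTS):
        print(alarm)
```

Running it shows two alarms: "TCP Portscan against 10.0.0.20" with reliability 8 (5 from the scan plus 3 from the open port, and only once the open port comes from the same scanning host), and "Buffer overflow attempt against 10.0.0.20" with reliability 9 from the single-level directive.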

Video demo

In the end I decided to upload a video demo made as a proof of concept of everything discussed above. It runs 10:33 and has no sound, but I think it is quite self-explanatory. Hope you enjoy it.


posted at: 16:30 | path: /ossim/tests



Santiago Gonzalez
(feel free to get in touch)