SAMHAIN - An open-source Host Intrusion Detection System (HIDS)
Rainer Wichmann

Outline
- Motivation
- Potential Solutions
- Samhain

Motivation: A simple question

How can you defend against intrusions?

Potential Solutions: Firewalls

A building without openings is useless.
A human body without openings would be dead.
A server without open ports is pointless.
Intruders enter through open ports, not through the wall!

Potential Solutions: NIDSs

Search network traffic for known attack patterns.
This is a known attack on health. (illustration)
But the attack can look different...
...and may come in disguise.
Is this an attack on your server?

  "There is a major center of economic activity, such as Star Trek, including the Ed Sullivan show. The former Soviet Union..."

Or is it just spam? It is ix86 binary executable code! (English Shellcode, Mason et al., ACM CCS 2009)

Recognizing an attack by pattern matching is difficult at best.

Potential Solutions: File Integrity Verification

Fingerprints are unique. So are cryptographic checksums:

  MD5 fingerprint.jpg: 6d49 6d22 f8c8 b2c7 d4ab d39e 0054 9d7a

(Caveat: MD5 is no longer collision resistant; practical collisions have been known since 2004, so a deployment today should use a collision-resistant digest such as SHA-256 for integrity baselines.)

Firewalls and NIDSs are convenient, because they can be installed at a central point, but they may be circumvented.
File integrity verification is very robust, but it requires monitoring of all individual hosts.

Samhain

Samhain is an open-source Host Intrusion Detection System (HIDS) with central management.
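The checksum-plus-metadata comparison that a file integrity check performs, as an added worked example in Python. This is not Samhain's code; the directory layout, the SHA-256 choice, the attribute set and the attacker's edits are all constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile


def fingerprint_file(path, algo="sha256"):
    """Stream the file through a collision-resistant hash (assumption: SHA-256)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algo="sha256"):
    """Record, for every regular file under root, a digest plus the metadata an
    attacker would have to preserve to stay unnoticed (size, mode, owner, mtime, inode)."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices etc. would need their own rules
            rel = os.path.relpath(path, root)
            baseline[rel] = {
                "digest": fingerprint_file(path, algo),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "mtime": int(st.st_mtime),
                "inode": st.st_ino,
            }
    return baseline


def compare(baseline, current):
    """Report files that appeared, vanished, or whose recorded attributes changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in set(baseline) & set(current):
        diffs = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if diffs:
            modified[rel] = diffs
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: take a baseline, simulate an intruder, re-check."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
            return path

        ls = write("bin/ls", b"#!/bin/sh\necho genuine ls\n")
        passwd = write("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        write("etc/hosts", b"127.0.0.1 localhost\n")
        baseline = build_baseline(root)

        # Intruder activity (constructed):
        # 1. trojan bin/ls with a same-length replacement and restore its mtime
        st = os.stat(ls)
        with open(ls, "wb") as f:
            f.write(b"#!/bin/sh\necho trojan  ls\n")
        os.utime(ls, (st.st_atime, st.st_mtime))
        # 2. add a backdoor account
        with open(passwd, "ab") as f:
            f.write(b"eve:x:0:0::/:/bin/sh\n")
        # 3. delete one file, drop a preload library
        os.remove(os.path.join(root, "etc/hosts"))
        write("etc/ld.so.preload", b"/tmp/evil.so\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The trojaned bin/ls keeps its size, inode and (via utime) its mtime, so a metadata-only check would miss it; only the digest reveals the substitution. A stricter baseline would also record ctime, which utime() cannot set. The baseline itself must be kept where the monitored host cannot rewrite it, which is the reason for a central server that holds configuration and baseline data.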
Samhain: Introduction

A complete Samhain system (diagram)

What you get: Samhain provides a centralized client-server host monitoring system.

Samhain host integrity checks
- File integrity verification
- Logfile monitoring
- Login/logout monitoring
- Hidden process detection
- Open port detection

The Samhain Server
- Stores critical data (configuration, baseline)
- Authenticates connecting clients
- Serves configuration and baseline data
- Receives reports and logs them to an RDBMS (MySQL, PostgreSQL, Oracle)

The server is therefore the trust anchor for what every client checks; a compromised server can feed clients a poisoned baseline, so it has to be protected at least as well as the hosts it monitors.

The Samhain Clients
- At startup, download configuration and baseline data from the server
- Perform integrity checks as configured
- Report anomalies to the server

The Beltane II Console
- Review reports from clients
- Server-side updates of baseline data
- Check client status
- Edit and reload configuration data
- Multiple users with different roles

Thank you for your attention!
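The hidden process detection listed under the Samhain host integrity checks, as an added worked example in Python (not Samhain's own implementation). It compares the process list a rootkit can filter (readdir on /proc, which is what ps and top use) against the kernel's own answer to kill(pid, 0), and handles the two classic false positives: thread IDs, which answer kill(2) but are not processes, and processes that exit or fork between the two scans. Linux-only; the fallback pid_max value of 32768 is an assumption of this example.

```python
import os


def pid_max():
    """Upper bound of the PID space (assumption: fall back to the historical
    default of 32768 if /proc/sys is unavailable)."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except (OSError, ValueError):
        return 32768


def visible_pids():
    """PIDs that ps/top would show: numeric entries returned by readdir on /proc.
    A rootkit that filters readdir removes its processes from this set."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pid_exists(pid):
    """Ask the kernel directly with kill(pid, 0): ESRCH means no such process,
    EPERM means it exists but belongs to another user."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def probed_pids(limit):
    """Brute-force the whole PID space with kill(pid, 0)."""
    return {pid for pid in range(1, limit + 1) if pid_exists(pid)}


def is_thread(pid):
    """Thread IDs also answer kill(2) but are not separate processes: their
    Tgid in /proc/<tid>/status differs from the tid. Returns None if the
    status file cannot be read (itself suspicious for a live PID)."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        return None
    return None


def find_hidden_pids(limit=None):
    """Return PIDs that exist according to kill(2) but are missing from
    readdir(/proc) and are not merely threads of some process."""
    limit = limit or pid_max()
    before = visible_pids()
    candidates = probed_pids(limit) - before
    after = visible_pids()  # fresh listing for the confirmation pass
    hidden = set()
    for pid in sorted(candidates):
        if not pid_exists(pid):  # exited between the two scans
            continue
        if pid in after:  # forked after the first listing, now visible
            continue
        if is_thread(pid) is True:  # a TID, its thread-group leader is checked separately
            continue
        hidden.add(pid)  # alive, not listed, not a thread: hidden from readdir
    return hidden


if __name__ == "__main__":
    found = find_hidden_pids()
    print("hidden processes:", sorted(found) if found else "none")
```

Run as an unprivileged user the probe still works, because EPERM from kill(2) proves the PID exists. A rootkit that hides a process from path lookups as well as from readdir makes /proc/<pid>/status unreadable, which the check treats as hidden rather than as a thread; one that hooks kill(2) too would defeat this particular probe, which is why Samhain combines several host checks rather than relying on one.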