Table of Contents:
OSSEC Host-Based Intrusion Detection Guide
Copyright Page
Lead Authors
Contributors
Contents
About this Book
About the DVD
Foreword
Chapter 1: Getting Started with OSSEC
Introduction
Introducing Intrusion Detection
Network Intrusion Detection
Host-Based Intrusion Detection
File Integrity Checking
Registry Monitoring
Rootkit Detection
Active Response
Introducing OSSEC
Planning Your Deployment
Local Installation
Agent Installation
Server Installation
Which Type Is Right For Me?
Identifying OSSEC Pre-installation Considerations
Supported Operating Systems
Special Considerations
Microsoft Windows
Sun Solaris
Ubuntu Linux
Mac OS X
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 2: Installation
Introduction
Downloading OSSEC HIDS
Getting the Files
Preparing the System
Building and Installing
Performing Local Installation
Performing Server-Agent Installations
Installing the Server
Managing Agents
Installing Agents
Installing the Unix Agent
Installing the Windows Agent
Streamlining the Installations
Install Once, Copy Everywhere
Unix, Linux, and BSD
Push the Keys
Unix, Linux, and BSD
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 3: OSSEC HIDS Configuration
Introduction
Understanding the OSSEC HIDS Configuration File
Configuring Logging/Alerting Options
Alerting with Email
Configuring Email
Basic Email Configuration
Granular Email Configuration
Receiving Remote Events with Syslog
Configuring Database Output
Declaring Rule Files
Reading Log Files
Configuring Integrity Checking
Configuring an Agent
Configuring Advanced Options
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 4: Working with Rules
Introduction
Introducing Rules
Understanding the OSSEC HIDS Analysis Process
Predecoding Events
Decoding Events
Decoder Example: sshd Message
Decoder Example: vsftpd Message
Using the <order> Option
Decoder Example: Cisco PIX Message
Decoder Example: Cisco IOS ACL Message
Understanding Rules
Atomic Rules
Writing a Rule
Composite Rules
Working with Real World Examples
Increasing the Severity Level of a Rule
Tuning Rule Frequency
Ignoring Rules
Ignoring IP Addresses
Correlating Multiple Snort Alerts
Ignoring Identity Change Events
Writing Decoders/Rules for Custom Applications
Deciding What Information to Extract
Creating the Decoders
Creating the Rules
Monitoring the Log File
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 5: System Integrity Check and Rootkit Detection
Introduction
Understanding System Integrity Check (syscheck)
Tuning syscheck
Working with syscheck Rules
Ignoring Specific Directories
Increasing the Alert Severity for Important Files
Increasing the Severity for Changes During the Weekend
Configuring Custom Syscheck Monitoring
Detecting Rootkits and Enforcing/Monitoring Policies
Detecting Rootkits on Linux, Unix, and BSD
Detecting Rootkits with Signatures
Monitoring and Enforcing Policy
Policy Monitoring Rules
The Rootcheck Queue
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 6: Active Response
Introduction
Introducing Active Response
Examining Active Response
Command
Active Response
Tying It Together
Creating a Simple Response
The Executable
The Command
The Response
Configuring a Response with Timeout
Host-Deny Command
Host-Deny Response
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 7: Using the OSSEC Web User Interface
Introduction
Introducing the OSSEC HIDS WUI
Identifying WUI Pre-installation Considerations
Downloading the WUI
Installing and Configuring the WUI
Advanced Installation Topics
Using htaccess for Multi-User Access
Enabling SSL Access
Optimizing PHP for Large OSSEC Deployments
Describing the WUI Components
Main
Available Agents
Latest Modified Files
Latest Events
Search
Alert Search Options
Results
Alert List
Integrity Checking
Latest Modified Files (for All Agents)
Dump Database
Stats
Stats Options
OSSEC Stats
OSSEC Stats Snapshot
Aggregate Values by Severity
Aggregate Values by Rule
Total Values per Hour
About
Summary
Solutions Fast Track
Frequently Asked Questions
Epilogue
From the Authors
Appendix A: Log Data Mining
Introduction
Data Mining Intro
Log Mining Intro
Log Mining Requirements
What We Mine For?
Deeper into Interesting
Conclusion
Endnotes
Appendix B: Implementing a Successful OSSEC Policy
The Purpose of Policy
Policy Guides
Your Policy Comes Before Implementation
Policy Drives the Process
Solutions Follow Requirements
Step 1: Pilot Your Policy
Assessing Your Environment
Information
Environment
Risk
Risk Tolerance
Learning about the Tool
Building Effective Requirements
Broad Focus on Availability, Integrity, and Confidentiality
Involve Others
Solve the Business Problem
Pilot Your Way to Success
Step 2: Assess Your Current Policy Framework
Policy Primer
Policy
Standard
Procedure
Guideline
Assessing What You Already Have
Step 3: Build and Implement Your Policies
Build Your Policy
Build Your Standard
Implementation and Adoption
Keep in Mind
About Michael Santarcangelo
Appendix C: Rootkit Detection Using Host-based IDS
Introduction
History
Types of Rootkits
Kernel-Level Rootkits
Application or File-Level
Host-based IDS as a Solution...
Unauthorized Listening Ports and Processes
Files with Permissions that Are Uncommon for the File Type
Files that Match a Predefined List of Rootkit "Fingerprints"
Modification of Key Files
Watch for Network Cards that Are Listening to Network Traffic
Users Who Have UID 0
Network Anomaly Detection
HIDS Advantages
HIDS Disadvantages
Future Developments
Appendix D: The OSSEC VMware Guest Image
Introduction
Using the OSSEC VMware Guest
OSSEC VMware Image Minimum Requirements
VMware Guest Information
Creating Your Own OSSEC VMware Image
Downloading the Ubuntu 7.10 ISO
Preparing the VMware Guest Image
Configuring the Base Operating System
Installing the OSSEC HIDS
Installing the OSSEC HIDS WUI
Conclusion
Index