OSSIM to detect complex attacks - does OSSIM Snort component really work
j-cert-man
Registered Users Posts: 6
in Off-Topic
Hi all,
I've only just come across the Honeynet and the challenges they have set up over the past few years. In particular Challenge 1 of the Forensic Challenge 2010 - pcap attack trace | The Honeynet Project is about analysing a (network attack) pcap and answering some questions.
I found a guide by Alienvault on how to solve this, see page 6 http://labs.alienvault.com/labs/wp-content/uploads/2011/09/Advanced_attack_detection_using_OSSIM.pdf and have been trying to follow it through.
I've installed OSSIM on ESXi. And I've been able to use tcpreplay and scapy to inject the attack pcap.
On the OSSIM box I've used tcpdump -i eth1 to confirm the packets are injected, and that certainly confirms the packets are injected. (My OSSIM is set up to sniff/monitor eth1.) However, the expected alerts (page 7, or p56 of (IN)SECURE Magazine) do not show up. In fact no meaningful alerts show up. I've used nmap scans from another box to see if that generates any alerts, but still nothing. An idea I still have to try is to use pulledpork to update the rules, to see if that kicks Snort into life.
If the above doesn't work then I've got to assume the Snort component of OSSIM does not work "out of the box" although I've followed the guides/docs. There is a lot of specific stuff in this post, I'm not expecting anyone to re-create it just to explain to me where I've gone wrong ...
It did make me wonder, what rigs or setups do people use to recreate attacks from pcaps and confirm and analyse exploits/impact?
Regards
J
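Added troubleshooting helper (my own, not from the post, OSSIM or AlienVault): run Snort directly over the challenge pcap in read-file mode, so rule loading and checksum handling are tested independently of OSSIM's sniffing interface and tcpreplay, then count the signatures that fired from the fast-alert file. The config and pcap paths are placeholders, and the sample alert lines are constructed.

```shell
#!/bin/sh
# Assumption: Snort 2.x is on PATH; SNORT_CONF and PCAP are placeholders.
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"   # placeholder
PCAP="${PCAP:-./attack-trace.pcap}"                 # placeholder: Honeynet pcap
LOGDIR="${LOGDIR:-$(mktemp -d)}"

# Run Snort offline over the pcap. -k none: do not skip packets with bad
# checksums, which replayed or scapy-crafted packets often carry and which
# silently suppress detection; -A fast: one alert per line in $LOGDIR/alert.
run_snort_offline() {
    snort -q -c "$SNORT_CONF" -r "$PCAP" -A fast -l "$LOGDIR" -k none
}

# Count alert lines in a Snort fast-alert file ("[**] [gid:sid:rev] msg [**]").
count_fast_alerts() {
    grep -c '\[\*\*] \[[0-9]*:[0-9]*:[0-9]*]' "$1"
}

# List distinct gid:sid:rev values, to compare against the signatures the
# AlienVault guide says should fire for this pcap.
list_fast_alert_sids() {
    sed -n 's/.*\[\*\*] \[\([0-9]*:[0-9]*:[0-9]*\)].*/\1/p' "$1" | sort -u
}

# Constructed sample of fast-alert output, used when snort is not installed.
SAMPLE_ALERTS="$LOGDIR/sample_alert"
cat > "$SAMPLE_ALERTS" <<'EOF'
04/20-01:00:00.000001  [**] [1:1000001:1] SAMPLE scan probe [**] [Priority: 3] {TCP} 10.0.0.5:4444 -> 10.0.0.9:445
04/20-01:00:00.000002  [**] [1:1000001:1] SAMPLE scan probe [**] [Priority: 3] {TCP} 10.0.0.5:4445 -> 10.0.0.9:445
04/20-01:00:00.000003  [**] [1:1000002:2] SAMPLE shellcode pattern [**] [Priority: 1] {TCP} 10.0.0.5:4446 -> 10.0.0.9:445
EOF

# Only run Snort when it is present and the pcap exists; otherwise the
# helpers above can still be exercised on the constructed sample.
if command -v snort >/dev/null 2>&1 && [ -f "$PCAP" ]; then
    run_snort_offline
    echo "alerts from pcap: $(count_fast_alerts "$LOGDIR/alert")"
    list_fast_alert_sids "$LOGDIR/alert"
fi
```

If this offline run produces alerts but the live sensor does not, the problem is in the capture path (interface, promiscuous mode, OSSIM's sensor wiring) rather than in the rules themselves.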