OSSIM: Comprehensive Security Information Management System for Real-Time Threat Detection and Monitoring

Research on Situational Awareness, Attack Monitoring, and Log Analysis Platforms Using OSSIM

There are no free open-source platforms available domestically, but some can be trialed, such as Xiaotian and Baidu. This research mainly focuses on foreign platforms.

There are many security log analysis platforms, but few open-source platforms integrate monitoring functions.

I. OSSIM Open Source Security Information Management System

Official Website: https://cybersecurity.att.com/products/ossim

OSSIM, also known as Security Information Management System, is a very popular, complete, and mature security architecture. OSSIM integrates security products to provide a foundational platform for security monitoring functions. The core work of the OSSIM project is to integrate and correlate information provided by various products, while also integrating related functions. It features intrusion detection, vulnerability scanning, asset management, security monitoring, log analysis, traffic analysis, and other functions.

OSSIM is an open-source SIM whose core still relies on SIEM. Its main advantage is the ability to understand the overall network threat situation in real time through information on events, data, risks, and so on. It is a network security system for quickly resolving issues, spanning operational monitoring, pre-warning, post-alarm handling, and SIEM log analysis.

Main integrated security programs:

  • Snort: Intrusion Detection System
  • Rrdtool: System Monitoring
  • Nmap: Network Scanning and Sniffing Toolkit
  • Nessus: System Vulnerability Scanning and Analysis Software
  • Ntop: Network Traffic Monitoring
  • Nagios: System and Network Application Monitoring
  • Pads: Passive Network Discovery Tool
  • Tcptrack: TCP Connection Sniffer
  • ArpWatch: ARP Communication Monitoring

OSSIM Feature Display

Primary Interface (OSSIM)


Introduction to main modules:

DASHBOARDS: Visualizes data in charts, making it more intuitive and easier to manage

ANALYSIS: Event analysis for filtering and viewing collected data

ENVIRONMENT: Important functions such as asset inventory, vulnerability scanning, Ntop traffic analysis, network packet capture analysis, and availability monitoring are here

REPORTS: Unified reports for generating and viewing various reports

CONFIGURATION: Web system configuration menu, basic configuration, deployment management, policy management

1. OSSIM DASHBOARDS Module

In the DASHBOARDS module, there are four menus: OVERVIEW, DEPLOYMENT STATUS, RISK MAPS, and OPEN THREAT EXCHANGE. The DASHBOARDS module displays the overall network status, allowing for timely responses to security issues. The OPEN THREAT EXCHANGE feature requires an OTX account to use.

a. OSSIM Overview

  • Executive: Displays information such as the Top 5 alarms, Top 10 events, logger events, and data sources using pie charts and bar charts
  • Tickets: Displays ticket system information
  • Security: Displays the top 5 alarms and events for security incidents, as well as recent security trend curves
  • Taxonomy: Categorizes infected hosts on the dashboard
  • Vulnerabilities: Displays asset vulnerability scanning information
  • Compliance: Displays asset compliance report information

b. Deployment Status: OSSIM Classification and Status Information of Asset Deployment

c. OSSIM Risk Maps

  • Overview: Displays the risk map of assets
  • Manage Maps: Map template management

d. OSSIM Open Threat Exchange: Displays OTX trends and IP reputation on a map

  • Security events and log curves
  • Sensor collected events
  • Event categories

2. OSSIM ANALYSIS Module

In the ANALYSIS module, there are four menus: ALARMS, SECURITY EVENTS (SIEM), RAW LOGS, and TICKETS. The ANALYSIS module is mainly used to analyze network status, identify network risks, and security vulnerabilities. The TICKETS menu can be used to view the status of each machine.

3. OSSIM ENVIRONMENT Module

In the ENVIRONMENT module, there are six menus: ASSETS & GROUPS, VULNERABILITIES, NETFLOW, TRAFFIC CAPTURE, AVAILABILITY, and DETECTION.

The ASSETS & GROUPS menu monitors the machine list; the VULNERABILITIES menu is used to view scanned vulnerabilities; the NETFLOW menu is used to view network status, including TCP, UDP, ICMP, and other network resources; the TRAFFIC CAPTURE menu is used to capture data packets; the AVAILABILITY menu displays network status in a tree structure; the DETECTION menu includes intrusion detection and categorizes intrusion events.

a. OSSIM: Assets & Groups

  • Assets: Lists all assets
  • Asset groups: Groups assets
  • Networks: Manages the monitored networks
  • Network groups: Network grouping
  • Schedule Scan: Target network scan schedule

b. OSSIM: Vulnerabilities

  • Overview: Vulnerability scan overview
  • Scan Jobs
    • New Scan Job: Create a new scan task
    • Import NBE File: Import NBE file
  • Threat Database: Vulnerability database management

c. Netflow in OSSIM

  • Details: Displays NetFlow details
  • Overview: Displays an overview
  • Graph: Displays flow graphs

d. Traffic Capture: Packet Analysis with OSSIM

e. OSSIM: Detection (HIDS)

  • Overview: Displays HIDS log trends and agent status
  • Agents: Agent management
  • Agentless: Agentless management
  • Edit Rules: Edit rules
  • Config: Configuration rules
  • HIDS Control: HIDS status management
  • Wireless IDS: Wireless IDS management

4. OSSIM REPORTS Module

The REPORTS module has only one menu, OVERVIEW, which includes report generation and export, and also allows sending HTML reports via email.

5. OSSIM CONFIGURATION Module

The CONFIGURATION module mainly provides system configuration: adding system administrators, changing passwords, setting the language, and viewing the OSSIM server status. It has four menus: ADMINISTRATION, DEPLOYMENT, THREAT INTELLIGENCE, and OPEN THREAT EXCHANGE.

Disadvantages

This open-source tool basically meets the requirements, but it lacks large-scale log collection and storage capabilities. It is more of a SEM, focused on real-time security monitoring, real-time risk assessment, alerting, and handling. According to the official website, the open-source version does not provide log management functionality; no specific reason for this omission was found.


II. Security Onion

Official website: https://securityonionsolutions.com/software/

Security Onion is a Linux distribution designed for intrusion detection and NSM (Network Security Monitoring). It integrates log analysis, traffic analysis, and security alerts.

Core Components

The components in Security Onion include: snort (intrusion detection engine), suricata (intrusion detection engine), bro (intrusion detection analysis system), sguil (intrusion detection analysis system), squert (frontend display), snorby (frontend display), wireshark (packet capture), xplico (traffic audit). They are roughly categorized as follows:

  • Full packet capture
  • Network- and host-based intrusion detection systems (NIDS and HIDS)
  • Powerful analysis tools

Feature Demonstration

Screenshots (not reproduced here): Alerts, Capture, Traffic Analysis, Dashboard, Analysis Features, Usable Data Types.

III. WatchAD Internal Network Security Situational Awareness System

360’s open-source project, free for enterprises to use: https://github.com/Qianlitp/WatchAD/blob/master/README_zh-cn.md

It is an internal network situational awareness project, currently supporting the following specific detection functions:

Information Detection

  1. Use SAMR to query sensitive user groups
  2. Use SAMR to query sensitive users
  3. Honeypot account activity
  4. PsLoggedOn information collection

Credential Theft

  1. Kerberoasting (traffic)
  2. AS-REP Roasting
  3. Remote dump of domain controller passwords

Lateral Movement

  1. Account brute force
  2. Explicit credential remote login
  3. Remote code execution on target domain controller
  4. Unknown file share names
  5. Kerberos ticket encryption downgrade (traffic)
  6. Abnormal Kerberos ticket requests (traffic)

Privilege Escalation

  1. ACL modification
  2. MS17-010 attack detection
  3. New group policy monitoring
  4. NTLM relay detection
  5. Resource-based constrained delegation privilege grant detection
  6. Attack on printer service SpoolSample
  7. Unknown privilege escalation
  8. MS14-068 attack detection (traffic)
  9. Kerberos constrained delegation abuse (traffic)

Persistence

  1. AdminSDHolder object modification
  2. DCShadow attack detection
  3. DSRM password reset
  4. Group policy delegation privilege grant detection
  5. Kerberos constrained delegation privilege grant detection
  6. Sensitive user group modification
  7. New system service on domain controller
  8. New scheduled task on domain controller
  9. SIDHistory attribute modification
  10. Golden Ticket – active detection
  11. Golden Ticket – passive detection (traffic)
  12. Golden Ticket (traffic)

Defense Evasion

  1. Event log clearing
  2. Event log service shutdown
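The two Defense Evasion items above are the easiest to picture as detection logic. The following Python block is an added illustration, not WatchAD's code: it scans constructed Windows event records for audit-log clearing (Security 1102, System 104) and for an event-log service stop (Security 1100) that is not explained by a preceding shutdown request (System 1074) on the same host. The suppression window and the sample events are assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Windows event IDs behind the two conditions (Security and System channels).
AUDIT_LOG_CLEARED = 1102        # Security: "The audit log was cleared"
SYSTEM_LOG_CLEARED = 104        # System: "The System log file was cleared"
LOG_SERVICE_SHUTDOWN = 1100     # Security: "The event logging service has shut down"
SHUTDOWN_INITIATED = 1074       # System/User32: a process requested shutdown/restart
CLEAN_SHUTDOWN_WINDOW = 120     # seconds; assumed: 1100 this soon after 1074 is a normal reboot


@dataclass(frozen=True)
class Alert:
    category: str
    host: str
    user: str
    event_id: int


def detect_defense_evasion(events: Iterable[dict]) -> List[Alert]:
    """Return one Alert per log-clearing event or unexplained log-service shutdown."""
    events = sorted(events, key=lambda e: e["Time"])
    last_shutdown_request = {}  # host -> time of the most recent 1074
    alerts = []
    for ev in events:
        eid, host, ts = ev["EventID"], ev["Computer"], ev["Time"]
        user = ev.get("User", "-")
        if eid == SHUTDOWN_INITIATED:
            last_shutdown_request[host] = ts
        elif eid in (AUDIT_LOG_CLEARED, SYSTEM_LOG_CLEARED):
            alerts.append(Alert("event_log_clearing", host, user, eid))
        elif eid == LOG_SERVICE_SHUTDOWN:
            # A 1100 shortly after a shutdown request on the same host is a clean reboot.
            planned = ts - last_shutdown_request.get(host, -10**9) <= CLEAN_SHUTDOWN_WINDOW
            if not planned:
                alerts.append(Alert("event_log_service_shutdown", host, user, eid))
    return alerts


# Constructed sample events (not real logs): a cleared audit log on DC01, a clean
# reboot of DC01, an unexplained logging-service stop on DC02, and a benign logon.
SAMPLE_EVENTS = [
    {"Time": 100, "EventID": 1102, "Computer": "DC01", "User": "CORP\\alice"},
    {"Time": 200, "EventID": 1074, "Computer": "DC01", "User": "CORP\\svc-patch"},
    {"Time": 205, "EventID": 1100, "Computer": "DC01"},
    {"Time": 900, "EventID": 1100, "Computer": "DC02"},
    {"Time": 950, "EventID": 4624, "Computer": "FS01", "User": "CORP\\bob"},
]

if __name__ == "__main__":
    for alert in detect_defense_evasion(SAMPLE_EVENTS):
        print(alert)
```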

Project Architecture Diagram (image not reproduced here)

IV. SafeDog: Free to use https://www.safedog.cn/index/bigDataSolution.html

Architecture:

V. SIEM Security Big Data Analysis Platform

https://www.rizhiyi.com/securityevent-manage-platform/?utm_source=BaiDuSIEM&bd_vid=11358440507496691264

Not open-source, but a trial is available.

VI. Splunk Free

Limitations: Can only process 5000MB of data per day, with only 7GB of storage space per month

VII. OSSEC

Official website: https://www.ossec.net/. OSSEC is an open-source intrusion detection system that can perform log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting, and dynamic response. However, it is a host-based detection platform and has no traffic analysis or detection modules.

VIII. Wazuh

A host-based intrusion detection system; it does not include traffic-related functions.