Hi Hesham,
My answers are in-line.

On Mon, Feb 28, 2011 at 6:29 AM, Kholidy <[email protected]> wrote:
> Many thanks for js.opdebeeck for his support,
>
> I have 4 questions regarding "using OSSEC for detecting Cloud attacks"
>
> 1- How does OSSEC detect unauthorized intruders (i.e., intruders who
> stole user credentials using some brute force tools and authenticated
> to the cloud system)?
>
> (i.e., some IDSs detect the anomalous behaviour of these intruders by
> comparing this behaviour to the normal one using some techniques like
> neural networks or expert systems),
>
> So is OSSEC doing something like that using log analysis techniques?
>
> I understood that OSSEC uses a log mining technique, but I did not find
> any details about that.
>

If the authentication failures are logged, OSSEC should be able to
detect the initial brute force attack.

If the activity of the users is well known, you can set up rules that
may help. You can create a rule that is only active during certain
times of the day, or certain days of the week (see
http://www.ossec.net/doc/syntax/head_rules.html specifically
group.rule.time and group.rule.weekday). You can also create rules to
correlate source IP addresses to usernames, or possibly even
destinations.

> 2- Can the OSSEC analyzer correlate logs coming from different VMs
> for the same user in the cloud system, in order to analyze the
> behaviour of this user across all VMs running in the cloud system?
>

Depending on your definition, OSSEC may not do a lot of correlation.
So it may be able to do this, it may not.

> 3- Does the VMM allow the collector component installed inside the
> VM to send its logs to the physical host OS?
>

I'm sorry but I do not understand this question. An OSSEC agent can
send its logs to any OSSEC manager it can connect to (physical or
virtual does not matter). I have a physical OSSEC manager and a
virtualized OSSEC manager. They both have a mix of virtualized and
physical agents. My VMware ESXi system even sends its logs (via
syslog) to my physical manager.

> 4- Please, if anyone has some documents explaining how OSSEC detects
> these unauthorized intruders and both SQL injection and rootkit
> attacks, please send me the links.
>
> Thanks,
> Hesham
>
>
> On Feb 22, 3:20 pm, Js Opdebeeck <[email protected]> wrote:
>> Hello;
>>
>> On ESXi just forward the events via SYSLOG then capture the events with
>> OSSEC.
>>
>> ESXi -> Syslog <- OSSEC
>>
>> Details for ESX and ESXi syslog forwarding:
>> http://beyondvm.com/tutorial-esx-4-0-syslog-configuration
>>
>> Kind regards
