The point is that I'm at the beginning of building an idea for a cloud-based IDS as a proposal for my PhD work, and I'm trying to link different ideas that I got from different documents regarding this point. I do not know if the ideas that I'm thinking of can be applied or not. I have not started the practical work yet; I'm just proposing the ideas theoretically, and I'm sharing them now in order to be sure whether what I will propose can be applied or not. That is all.

The type of VMM that I'm planning to use is type 2, which means that it works over the operating system. I'm thinking of using one of two VMMs. The first is Xen, because it is open source, in case I need to modify some parts inside it. The other one is VMware, but the problem with it would be if I could not send logs from the different guest VMs to the analyzer installed in the physical host OS.

The idea for doing that is:
1- To separate the analyzer from the applications running inside the guest VMs' OSs.
2- To collect events and logs coming from different VMs in different cloud nodes. I'm trying to exchange these logs between cloud nodes, so in this way I will not have a centralized solution for the IDS, and I will also balance the overhead across all cloud nodes.

I'm trying to detect:
1- Unauthorized intruders from all cloud VMs.
2- Malicious VMs, by SQL injection attacks or rootkit ones.

This is the whole idea of what I'm proposing to do. I hope you can tell me whether your current application can fit this scenario or whether I should change some ideas in my proposal.

Many thanks,
Hesham

________________________________
From: dan (ddp) <[email protected]>
To: Hisham Kholidy <[email protected]>
Cc: [email protected]
Sent: Wed, March 2, 2011 11:18:51 PM
Subject: Re: [ossec-list] Re: OSSEC and Cloud Systems

Ugh, this apparently got sidetracked from the list. cc'ing the list...

On Wed, Mar 2, 2011 at 5:00 PM, Hisham Kholidy <[email protected]> wrote:
> Many thanks dan for your reply,
>
> Do you mean by the VM host the physical host which contains the VMs, or
> another VM which monitors the rest of the VMs in the same physical host?
>

The VM Host is the physical system "hosting" the virtual machines. It is also the operating system that hosts the virtual machines. In my case a Dell T310 running VMware ESXi is the host.

> Is it possible to have more than one ESXi VM image in one physical host and
> forward their logs to the physical host OS (maybe you are doing that; if
> so, then that is what I'm asking about)? If it is possible, then I can assign
> each cloud user to an ESXi VM. I hope you can clarify that for me.
>

ESXi is the OS on the physical system. Maybe if you explained what you're using exactly, instead of trying to be incredibly vague and confusing, it'd be easier to help.

If you're using something like VMware Server/Workstation (or VirtualBox, or qemu, or one of the other systems you run on top of a full OS) you can probably do what I think you're asking about. A computer running CentOS 5.x running VMware Workstation can be the OSSEC manager. The virtualized guests can be the OSSEC agents connecting to the server on the host. If that's not an answer to the question you're asking, ask the question differently.

> Many Thanks,
> Yours,
> Hesham
>
> ________________________________
> From: dan (ddp) <[email protected]>
> To: Kholidy <[email protected]>
> Sent: Wed, March 2, 2011 9:49:52 PM
> Subject: Re: [ossec-list] Re: OSSEC and Cloud Systems
>
> Hi Hesham,
>
> On Tue, Mar 1, 2011 at 9:31 AM, Kholidy <[email protected]> wrote:
>> Thanks for your reply,
>>
>> By unauthorized attacks I mean the attacks after the brute force
>> succeeded, not the brute force itself.
>>
>> I'm trying to collect logs for each user from each VM assigned to
>> this user in the cloud system, then I need to analyze them using OSSEC
>> in order to determine whether this user is unauthorized or not. I read that
>> OSSEC detects anomalies in the behaviour of the user, compared to the
>> normal one, using a log mining technique, but I tried to find any
>> documents describing this technique in detail and I did not find any.
>>
>
> I haven't heard the term "log mining technique" used WRT OSSEC except
> in the past few days on the list. Everyone that uses it is asking for
> documents on how OSSEC uses it. My guess is you'll have to read the
> source.
>
> Basically OSSEC will alert on whatever you configure it to alert on.
> If you have the log, you can create a rule.
>
>> For the VM collector, I do not know if OSSEC can forward logs from
>> different VMs in the same host to a centralized server in the physical
>> host (i.e., the host that contains these VMs). I did not try this
>> assumption, but I read that the VMM may prevent an action like that, but
>> this depends on whether the VMM is of level 2, which means that it works
>> between the host OS and the hardware. I hope you can correct me if
>> this point is not true.
>>
>
> I think it generally depends on how you setup your VM host. You should
> be able to allow traffic between the VM host and VM guests, but for
> security or management reasons you may not want to.
>
> I'm running ESXi, which is pretty barebones, so I don't have OSSEC
> installed on the VM host. I forward the ESXi logs to another physical
> system entirely.
>
>> Many thanks for your help,
>> Hesham
>>
>> dan (ddp) wrote:
>>> Hi Hesham,
>>> My answers are in-line.
>>>
>>> On Mon, Feb 28, 2011 at 6:29 AM, Kholidy <[email protected]> wrote:
>>> > Many thanks to js.opdebeeck for his support,
>>> >
>>> > I have 4 questions regarding "using OSSEC for detecting Cloud attacks":
>>> >
>>> > 1- How does OSSEC detect unauthorized intruders (i.e., intruders who
>>> > stole user credentials using some brute force tools and authenticated
>>> > to the cloud system)?
>>> >
>>> > (i.e., some IDSs detect the anomalous behaviours of these intruders by
>>> > comparing these behaviours to the normal ones using some techniques like
>>> > neural networks or expert systems.)
>>> >
>>> > So is OSSEC doing something like that using log analysis techniques?
>>> >
>>> > I understood that OSSEC uses a log mining technique but I did not find
>>> > any details about that.
>>> >
>>>
>>> If the authentication failures are logged, OSSEC should be able to
>>> detect the initial brute force attack.
>>>
>>> If the activity of the users is well known, you can setup rules that
>>> may help. You can create a rule that is only active during certain
>>> times of the day, or certain days of the week (see
>>> http://www.ossec.net/doc/syntax/head_rules.html specifically
>>> group.rule.time and group.rule.weekday). You can also create rules to
>>> correlate source IP addresses to usernames, or possibly even
>>> destinations.
>>>
>>> > 2- Can the OSSEC analyzer correlate logs coming from different VMs
>>> > for the same user in the cloud system in order to analyze the
>>> > behaviour of this user in all VMs running in the cloud system?
>>> >
>>>
>>> Depending on your definition, OSSEC may not do a lot of correlation.
>>> So it may be able to do this, it may not.
>>>
>>> > 3- Does the VMM allow the collector component installed inside the
>>> > VM to send its logs to the physical host OS?
>>> >
>>>
>>> I'm sorry but I do not understand this question. An OSSEC agent can
>>> send its logs to any OSSEC manager it can connect to (physical or
>>> virtual does not matter). I have a physical OSSEC manager and a
>>> virtualized OSSEC manager. They both have a mix of virtualized and
>>> physical agents. My VMware ESXi system even sends its logs (via
>>> syslog) to my physical manager.
>>>
>>> > 4- Please, if anyone has some documents explaining how OSSEC detects
>>> > these unauthorized intruders and both SQL injection and rootkit
>>> > attacks, please send me these links.
>>> >
>>> > Thanks,
>>> > Hesham
>>> >
>>> >
>>> > On Feb 22, 3:20 pm, Js Opdebeeck <[email protected]> wrote:
>>> >> Hello;
>>> >>
>>> >> On ESXi just forward the events via SYSLOG then capture the events
>>> >> with OSSEC.
>>> >>
>>> >> ESXi -> Syslog <- OSSEC
>>> >>
>>> >> Details for ESX and ESXi Syslog forward:
>>> >> http://beyondvm.com/tutorial-esx-4-0-syslog-configuration
>>> >>
>>> >> Kind regards
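Added illustration of the rule logic dan describes in the thread (this is not OSSEC's own code and was not part of the original messages): the same three checks written as plain Python over a few constructed sshd log lines, so the "intruder after the brute force succeeded" case Hesham asks about can be seen end to end. In OSSEC terms the first step corresponds to a rule with `<frequency>` and `<timeframe>`, the second to a composite rule using `<if_matched_sid>` with `<same_source_ip>` (a successful login from a source that already tripped the brute-force rule, i.e. correlating the source IP to the username), and the third to the `<time>`/`<weekday>` options dan points to. The hostnames, usernames, addresses, the year (syslog stamps carry none, so 2011 is assumed to match the thread) and the 08:00-18:00 Monday-to-Friday window are all assumptions made for the example.

```python
"""Added example, not OSSEC code: minimal re-implementation of three OSSEC-style
rules over constructed sshd syslog lines.

  ssh_bruteforce         -> OSSEC <frequency>/<timeframe> on failed logins per source IP
  login_after_bruteforce -> OSSEC <if_matched_sid> + <same_source_ip> on a later success
  offhours_login         -> OSSEC <time>/<weekday> restriction on successful logins
"""
import re
from collections import defaultdict, deque
from datetime import datetime, time

# Assumption: syslog lines have no year; 2011 matches the date of the thread.
YEAR = 2011

# Constructed log lines (RFC 5737 documentation addresses, invented hosts/users).
SAMPLE_LOG = """\
Mar  2 22:10:01 vm-web01 sshd[4012]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  2 22:10:03 vm-web01 sshd[4014]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  2 22:10:05 vm-web01 sshd[4016]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  2 22:10:08 vm-web01 sshd[4018]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  2 22:10:11 vm-web01 sshd[4020]: Failed password for deploy from 203.0.113.7 port 51026 ssh2
Mar  2 22:10:14 vm-web01 sshd[4022]: Failed password for deploy from 203.0.113.7 port 51027 ssh2
Mar  2 22:10:40 vm-web01 sshd[4030]: Accepted password for deploy from 203.0.113.7 port 51050 ssh2
Mar  3 09:15:12 vm-db01 sshd[2210]: Accepted publickey for deploy from 198.51.100.20 port 40012 ssh2
Mar  3 14:00:00 vm-db01 sshd[2250]: Failed password for invalid user test from 192.0.2.9 port 33000 ssh2
Mar  6 03:02:44 vm-db01 sshd[2290]: Accepted publickey for deploy from 198.51.100.20 port 40200 ssh2
"""

# One decoder for both outcomes; "invalid user" is optional noise before the name.
SSHD_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_stamp(stamp, year=YEAR):
    """Turn 'Mar  2 22:10:01' into a datetime (collapsing syslog's padded day)."""
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")


def in_allowed_window(ts, days=range(0, 5), start=time(8, 0), end=time(18, 0)):
    """Assumed policy: logins are expected Monday-Friday, 08:00-18:00 only."""
    return ts.weekday() in days and start <= ts.time() < end


def analyze(log_text, frequency=5, timeframe=120):
    """Return alerts as (rule, host, user, source_ip) tuples in log order."""
    failures = defaultdict(deque)   # source ip -> sliding window of failure times
    brute_forced = set()            # sources that already tripped ssh_bruteforce
    alerts = []
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue  # not an sshd auth event; OSSEC would route it to other decoders
        ts = parse_stamp(m["stamp"])
        host, user, ip, outcome = m["host"], m["user"], m["ip"], m["outcome"]
        if outcome == "Failed":
            window = failures[ip]
            window.append(ts)
            while (ts - window[0]).total_seconds() > timeframe:
                window.popleft()   # keep only failures inside the timeframe
            if len(window) >= frequency and ip not in brute_forced:
                brute_forced.add(ip)
                alerts.append(("ssh_bruteforce", host, user, ip))
        else:
            # Success from a source that was brute-forcing: the case after the
            # brute force succeeded, which the brute-force rule alone never sees.
            if ip in brute_forced:
                alerts.append(("login_after_bruteforce", host, user, ip))
            if not in_allowed_window(ts):
                alerts.append(("offhours_login", host, user, ip))
    return alerts


if __name__ == "__main__":
    for rule, host, user, ip in analyze(SAMPLE_LOG):
        print(f"{rule:24} host={host} user={user} src={ip}")
```

Run as-is, the brute-force rule fires on the fifth failure from 203.0.113.7, the later `Accepted password` from that same source raises the follow-on alert (plus an off-hours alert, since 22:10 on a Wednesday is outside the assumed window), the Sunday 03:02 login from 198.51.100.20 raises only the off-hours alert, and the single failure from 192.0.2.9 never reaches the threshold. Raising `frequency` above the six failures in the sample removes both the brute-force and the follow-on alert, which is the usual tuning trade-off when writing such a composite rule.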
