OSSEC Overview

Clay Wells
January 11, 2016

After a short introduction to OSSEC we look at rules/alerts, email alerts, active response, OSSEC commands, and a few reports. A few graphs and notes regarding future work are also touched upon.

Transcript

  1. Putting Host-based Intrusion Detection Into Practice Using OSSEC
    Clay Wells (clayw at upenn.edu)
    School of Arts and Sciences

  2. “By 2020, 75% of enterprises' information security budgets will be allocated for rapid detection and response approaches, up from less than 10% in 2012.” - Gartner, Inc.

  3. What OSSEC Can Do
    Integrating log analysis*
    File integrity checking
    Windows registry monitoring
    Centralized policy enforcement
    Rootkit detection
    Real-time alerting*
    Active response*
    Powerful correlation & analysis engine*

  4. Rules
    Atomic – single events, no correlation
      <rule id="5704" level="4">
        <if_sid>5700</if_sid>
        <match>fatal: Timeout before authentication for</match>
        <description>Timeout while logging in (sshd).</description>
      </rule>
    Composite – multiple events
      <rule id="5712" level="10" frequency="6" timeframe="120" ignore="60">
        <if_matched_sid>5710</if_matched_sid>
        <description>SSHD brute force trying to get access to </description>
        <description>the system.</description>
        <same_source_ip />
        <group>authentication_failures,</group>
      </rule>
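The composite rule on slide 4 is easiest to understand as a sliding window per source IP. The Python below is an added worked example, not code from the slides or from OSSEC: it models the frequency, timeframe, ignore and same_source_ip attributes of rule 5712 and replays a constructed list of already-decoded sshd events through it (the timestamps and addresses are made up; OSSEC's internal bookkeeping differs in detail).

```python
"""Correlation semantics of a composite OSSEC rule, modelled in plain Python.

Added example: this is not code from the slides or from OSSEC itself, only a
model of what rule 5712 asks ossec-analysisd to do. frequency="6" and
timeframe="120" mean six matches of rule 5710 inside 120 seconds;
<same_source_ip /> keeps a separate count per source IP; ignore="60" suppresses
the alert for 60 seconds after it fires. OSSEC's exact bookkeeping differs in
details (this model is an approximation).
"""
from collections import defaultdict, deque


class CompositeRule:
    """One composite <rule>: if_matched_sid + frequency/timeframe/ignore + same_source_ip."""

    def __init__(self, rule_id, level, if_matched_sid, frequency, timeframe, ignore, description):
        self.rule_id = rule_id
        self.level = level
        self.if_matched_sid = if_matched_sid
        self.frequency = frequency
        self.timeframe = timeframe
        self.ignore = ignore
        self.description = description
        self._windows = defaultdict(deque)  # srcip -> timestamps of recent matches of if_matched_sid
        self._ignore_until = {}             # srcip -> time until which repeat alerts are suppressed

    def feed(self, ts, sid, srcip):
        """Feed one already-decoded event (seconds, matched rule id, source IP).

        Returns an alert dict when the composite rule fires, otherwise None.
        """
        if sid != self.if_matched_sid:
            return None
        window = self._windows[srcip]
        window.append(ts)
        while window and ts - window[0] > self.timeframe:  # forget matches outside the timeframe
            window.popleft()
        if len(window) < self.frequency:
            return None
        if ts < self._ignore_until.get(srcip, 0):  # still inside the <ignore> period for this IP
            return None
        self._ignore_until[srcip] = ts + self.ignore
        window.clear()  # the matched events have been consumed by this alert
        return {"rule": self.rule_id, "level": self.level, "srcip": srcip,
                "time": ts, "description": self.description}


RULE_5712 = dict(rule_id=5712, level=10, if_matched_sid=5710, frequency=6,
                 timeframe=120, ignore=60,
                 description="SSHD brute force trying to get access to the system.")

# Constructed sample: already-decoded events (seconds, rule id, source IP) using
# documentation address ranges. 5710 is OSSEC's "attempt to login using a
# non-existent user" rule; 5716 ("SSHD authentication failed") is not the matched sid.
SAMPLE_EVENTS = [
    (0, 5710, "203.0.113.5"), (5, 5710, "198.51.100.9"),
    (10, 5710, "203.0.113.5"), (15, 5710, "198.51.100.9"),
    (20, 5710, "203.0.113.5"), (25, 5710, "198.51.100.9"),
    (30, 5710, "203.0.113.5"), (35, 5716, "203.0.113.5"),    # wrong sid, ignored
    (40, 5710, "203.0.113.5"), (50, 5710, "203.0.113.5"),    # 6th match -> fires at t=50
    (60, 5710, "203.0.113.5"), (70, 5710, "203.0.113.5"),
    (80, 5710, "203.0.113.5"), (90, 5710, "203.0.113.5"),
    (100, 5710, "203.0.113.5"), (105, 5710, "203.0.113.5"),  # 6 more, but inside ignore="60"
    (115, 5710, "203.0.113.5"),                              # ignore expired -> fires at t=115
    (400, 5710, "203.0.113.5"),                              # lone event, nothing to correlate
]


def run_sample(events=SAMPLE_EVENTS):
    """Replay the events in order and return the alerts the rule produced."""
    rule = CompositeRule(**RULE_5712)
    return [a for a in (rule.feed(*e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in run_sample():
        print(f"Rule: {alert['rule']} (level {alert['level']}) -> '{alert['description']}' "
              f"Src IP: {alert['srcip']} at t={alert['time']}s")
```

The three events from 198.51.100.9 never reach the frequency threshold, so only 203.0.113.5 produces alerts: once at t=50 and, after the ignore period expires, again at t=115.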
  5. Rule Levels
    00 - Ignored
    01 - None
    02 - System low priority notification
    03 - Successful/Authorized events
    04 - System low priority error
    05 - User generated error
    06 - Low relevance attack

  6. Rule Levels
    07 - “Bad word” matching
    08 - First time seen
    09 - Error from invalid source
    10 - Multiple user generated errors
    11 - Integrity checking warning
    12 - High importance event
    13 - Unusual error (high importance)
    14 - High importance security event
    15 - Severe attack

  7. Custom Rules
    101000 Known errors (to quiet alerts)
    102000 False positives
    103000 Quiet SQL injection false positives
    104000 Custom alerts
    105000 Reclassification of unknown alerts
    106000 Reclassification of existing rules

  8. Custom Rules
    <rule id="104140" level="12">
      <if_sid>31106, 103006</if_sid>
      <group>attack, exploit_attempt, web_scan</group>
      <url>scripts/setup.php</url>
      <description> BID 34236 PHPMyAdmin vulnerability. </description>
    </rule>

  9. Decoders (complex)
    <decoder name="ssh-reverse-mapping">
      <parent>sshd</parent>
      <prematch>^reverse mapping checking </prematch>
      <regex offset="after_prematch">^\w+ for \S+ [(\S+)] |^\w+ for (\S+) </regex>
      <order>srcip</order>
    </decoder>
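To see what the decoder on slide 9 actually extracts, here is an added Python re-implementation of its three stages (parent, prematch, regex applied after the prematch); it is not code from the slides or from OSSEC. OSSEC's regex dialect is not PCRE, so the <regex> is translated by hand (square brackets are literal characters in OSSEC syntax and must be escaped in Python), and the syslog lines fed to it are constructed.

```python
r"""The ssh-reverse-mapping decoder, re-implemented in Python.

Added example; not code from the slides or from OSSEC. It follows the decoder's
stages: <parent> restricts it to messages from program sshd, <prematch> must
match at the start of the message, the <regex> is then applied
offset="after_prematch", and <order>srcip</order> names the capture group.
OSSEC's regex dialect is not PCRE, so the pattern is translated by hand:
  OSSEC   ^\w+ for \S+ [(\S+)] |^\w+ for (\S+)
  Python  ^\w+ for \S+ \[(\S+)\] |^\w+ for (\S+)
(square brackets are literal in OSSEC's syntax and must be escaped in Python).
"""
import re

# "Feb  7 20:15:05 host sshd[4242]: message" -> timestamp, host, program, pid, message
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^\s\[:]+)(?:\[(\d+)\])?: (.*)$")

PREMATCH = "reverse mapping checking "                      # <prematch>^reverse mapping checking </prematch>
REGEX = re.compile(r"^\w+ for \S+ \[(\S+)\] |^\w+ for (\S+) ")  # hand-translated <regex>


def decode_reverse_mapping(program, message):
    """Return {'srcip': ...} if the decoder matches this program/message pair, else None."""
    if program != "sshd":                      # <parent>sshd</parent>
        return None
    if not message.startswith(PREMATCH):       # prematch anchored at the start of the message
        return None
    m = REGEX.match(message[len(PREMATCH):])   # offset="after_prematch"
    if not m:
        return None
    # <order>srcip</order>: whichever alternative matched, its capture group is the source IP
    return {"srcip": next(g for g in m.groups() if g is not None)}


def decode_line(line):
    """Split a raw syslog line into program and message, then run the decoder."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    _ts, _host, program, _pid, message = m.groups()
    return decode_reverse_mapping(program, message)


# Constructed sample lines (documentation addresses); only the first two should decode.
SAMPLE_LINES = [
    "Feb  7 20:15:05 v01 sshd[4242]: reverse mapping checking getaddrinfo for "
    "host.example.com [203.0.113.7] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Feb  7 20:15:09 v01 sshd[4243]: reverse mapping checking getaddrinfo for "
    "198.51.100.9 failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Feb  7 20:15:11 v01 sshd[4244]: Accepted publickey for clay from 198.51.100.9 port 50012 ssh2",
    "Feb  7 20:15:12 v01 httpd: reverse mapping checking getaddrinfo for x [192.0.2.1] failed",
]


def decode_sample(lines=SAMPLE_LINES):
    """Decode every sample line; None means the decoder did not match."""
    return [decode_line(line) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LINES, decode_sample()):
        print(result, "<-", line[:70])
```

The fourth line carries the right prematch but comes from httpd, so the parent check drops it before the regex is tried; that is the part of the decoder a plain grep would miss.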
  10. Output & Alert Options
    Sending alerts via syslog
    Sending alerts via E-Mail*
    Storing alerts as JSON
    Sending output to a Database*
    Daily E-Mail Reports*
    Sending alerts to picviz
    Sending output to prelude

  11. Active Response
    Trigger a script on an agent/server
    Specific alerts, alert levels, or rule groups
    Attack, policy violation

  12. agent_control
    # bin/agent_control -h
    agent_control: Control remote agents.
    Available options:
      -l          List available (active or not) agents.
      -lc         List active agents.
      -i <id>     Extracts information from an agent.
      -R <id>     Restarts agent.
      -r -a       Runs the integrity/rootkit checking on all agents now.
      -r -u <id>  Runs the integrity/rootkit checking on one agent now.
      -b <ip>     Blocks the specified ip address.
      -f <ar>     Used with -b, specifies which response to run.
      -L          List available active responses.
      -s          Changes the output to CSV (comma delimited).

  13. agent_control
    # bin/agent_control -l
    OSSEC HIDS agent_control. List of available agents:
      ID: 000, Name: info_.___.___.edu (server), IP: 127.0.0.1, Active/Local
      ID: 002, Name: v__.___.___.edu, IP: 128.###.###.142, Active
      ID: 004, Name: s__.___.___.edu, IP: 128.###.###.66, Disconnected

  14. agent_control
    # bin/agent_control -i 002
    OSSEC HIDS agent_control. Agent information:
      Agent ID: 002
      Agent Name: v__.___.___.edu
      IP address: 128.###.###.142
      Status: Active
      Operating system: Linux v_.__.__.edu 2.6.18-400.1.1.el5 #1 SMP ..
      Client version: OSSEC HIDS v2.7
      Last keep alive: Sun Feb 7 20:15:05 2016
      Syscheck last started at: Sun Feb 7 00:31:07 2016
      Rootcheck last started at: Sun Feb 7 00:46:24 2016

  15. rootcheck_control
    # bin/rootcheck_control -h
    rootcheck_control: Manages the policy and auditing database.
      -i <id>  Prints database for the agent.
      -r       Used with -i, prints all the resolved issues.
      -q       Used with -i, prints all the outstanding issues.
      -L       Used with -i, prints the last scan.
      -s       Changes the output to CSV (comma delimited).

  16. rootcheck_control
    # bin/rootcheck_control -i 002
    Policy and auditing events for agent 'v__.__.___.edu (002) - 128.###.###.142':
    Resolved events:
      2013 Jun 27 00:45:12 (first time detected: 2013 May 28 14:50:04)
      System Audit: System Audit: CIS - Testing against the CIS Red Hat Enterprise Linux 5 Benchmark v1.1. File: /etc/redhat-release. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL5 .
      2013 Jun 27 00:45:12 (first time detected: 2013 May 28 14:50:04)
      System Audit: System Audit: CIS - RHEL5 4.4 - GUI login enabled. File: /etc/inittab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL5 .

  17. syscheck_control
    # bin/syscheck_control -h
    syscheck_control: Manages the integrity checking database.
      -i <id>     List modified files for the agent.
      -r -i <id>  List modified registry entries for the agent (Windows only).
      -f <file>   Prints information about a modified file.
      -s          Changes the output to CSV (comma delimited).

  18. syscheck_control
    # bin/syscheck_control -i 002
    Changes for 2015 Nov 13:
      2015 Nov 13 22:52:58,2 - /etc/passwd
      2015 Nov 13 22:53:04,2 - /etc/ld.so.cache
      2015 Nov 13 22:58:08,2 - /etc/shadow
      2015 Nov 13 22:58:12,2 - /etc/group
      2015 Nov 13 22:58:22,2 - /etc/gshadow
    Changes for 2015 Nov 14:
      2015 Nov 14 22:56:11,0 - /usr/bin/curve_keygen
      2015 Nov 14 22:57:09,0 - /usr/bin/python26
      2015 Nov 14 22:57:09,0 - /usr/bin/python2.6

  19. syscheck_control
    # bin/syscheck_control -i 002 -f /etc/passwd
    2015 Oct 08 10:14:14,0 - /etc/passwd
    File changed. - 1st time modified.
    Integrity checking values:
      Size: >21002
      Perm: rw-r--r--
      Uid: 0
      Gid: 0
      Md5: >b01d0b11dcf30bc28b07ec3ec3ece040
      Sha1: >47b5081e34481119dd8dadf963cf5056576ac17d

  20. Reports
    # bin/ossec-reportd -h
    ossec-reportd: Generate reports (via stdin).
    Available options:
      -f <filter> <value>  Filter the results.
      -r <filter> <value>  Show related entries.
      -n                   Creates a description for the report.
      -s                   Show the alert dump.
    Filters allowed: group, rule, level, location, user, srcip, filename
    Examples:
      -f group authentication_success (to filter on login success).
      -f level 10 (to filter on level >= 10).
      -f group authentication -r user srcip (to show the srcip for all users).

  21. Reports
    # cat logs/alerts/alerts.log | bin/ossec-reportd -f level 10
    2016/02/07 20:59:26 ossec-reportd: INFO: Started (pid: 3547).
    2016/02/07 20:59:36 ossec-reportd: INFO: Report completed. Creating output...
    Report completed. ==
    ------------------------------------------------
    ->Processed alerts: 654760
    ->Post-filtering alerts: 53906
    ->First alert: 2016 Feb 07 00:00:06
    ->Last alert: 2016 Feb 07 20:59:26
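The filter semantics on slide 20 (a level filter is a minimum, a group filter is a membership test) and the "Top entries" / "Related entries" tables on the slides that follow are small enough to reproduce. The Python below is an added example, not code from the slides or from OSSEC: it parses a constructed alerts.log excerpt in the multi-line record format ossec-reportd reads from stdin, applies -f and -r with the same meaning, and returns the counts the real tool prints. The agent names, addresses and log lines in the sample are made up.

```python
"""What `bin/ossec-reportd -f level 10` does with alerts.log, re-implemented in Python.

Added example; not code from the slides or from OSSEC. It parses the multi-line
record format of logs/alerts/alerts.log, applies filters with ossec-reportd's
meaning ("-f level 10" keeps alerts at level >= 10, "-f group X" keeps alerts
carrying group X, other fields need an exact match) and builds the "Top entries"
and "Related entries" (-r) listings. The records below are constructed.
"""
from collections import Counter, defaultdict
import re

SAMPLE_ALERTS_LOG = """\
** Alert 1454876366.1001: - syslog,sshd,authentication_failed,
2016 Feb 07 20:59:26 (v01.example.edu) 192.0.2.142->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.5
User: root
Feb  7 20:59:25 v01 sshd[2221]: Failed password for root from 203.0.113.5 port 40222 ssh2

** Alert 1454876380.1002: mail  - syslog,sshd,authentication_failures,
2016 Feb 07 20:59:40 (v01.example.edu) 192.0.2.142->/var/log/secure
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 203.0.113.5
User: root
Feb  7 20:59:39 v01 sshd[2230]: Failed password for root from 203.0.113.5 port 40230 ssh2

** Alert 1454876400.1003: mail  - web,accesslog,attack,
2016 Feb 07 21:00:00 (w01.example.edu) 192.0.2.10->/var/log/httpd/access_log
Rule: 31104 (level 6) -> 'Common web attack.'
Src IP: 198.51.100.9
198.51.100.9 - - [07/Feb/2016:21:00:00 -0500] "GET /scripts/setup.php HTTP/1.1" 404 212

** Alert 1454876420.1004: mail  - syslog,sshd,authentication_failures,
2016 Feb 07 21:00:20 (v01.example.edu) 192.0.2.142->/var/log/secure
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 198.51.100.9
User: oracle
Feb  7 21:00:19 v01 sshd[2240]: Failed password for oracle from 198.51.100.9 port 40240 ssh2
"""

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")


def parse_alerts(text):
    """Split alerts.log into records and pull the header fields out of each one."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3 or not lines[0].startswith("** Alert "):
            continue
        m = RULE_RE.match(lines[2])
        if not m:
            continue
        alert = {"groups": lines[0].split(" - ", 1)[1].strip(",").split(","),  # "** Alert id: [mail] - g1,g2,"
                 "location": lines[1].split(" ", 4)[4],                        # "(agent) ip->/path"
                 "rule": int(m.group(1)), "level": int(m.group(2)), "description": m.group(3),
                 "srcip": None, "user": None}
        for line in lines[3:]:  # optional decoded fields, then the raw log line(s)
            if line.startswith("Src IP: "):
                alert["srcip"] = line[len("Src IP: "):]
            elif line.startswith("User: "):
                alert["user"] = line[len("User: "):]
        alerts.append(alert)
    return alerts


def filter_alerts(alerts, field, value):
    """-f <filter> <value>: level is a minimum, group is membership, the rest exact match."""
    if field == "level":
        return [a for a in alerts if a["level"] >= int(value)]
    if field == "group":
        return [a for a in alerts if value in a["groups"]]
    return [a for a in alerts if str(a.get(field)) == str(value)]


def top_entries(alerts, field):
    """Top entries for 'field' as (value, count) pairs, most frequent first."""
    return Counter(a[field] for a in alerts if a[field] is not None).most_common()


def related_entries(alerts, field, related):
    """-r <field> <related>: for each value of field, the related values seen with it."""
    seen = defaultdict(set)
    for a in alerts:
        if a[field] is not None and a[related] is not None:
            seen[a[field]].add(a[related])
    return {k: sorted(v) for k, v in seen.items()}


def report(text, filters=()):
    """The ossec-reportd header counts plus the top-entry tables, after applying filters."""
    alerts = parse_alerts(text)
    kept = alerts
    for field, value in filters:
        kept = filter_alerts(kept, field, value)
    return {"processed": len(alerts), "post_filtering": len(kept),
            "top_srcip": top_entries(kept, "srcip"), "top_rule": top_entries(kept, "rule")}


if __name__ == "__main__":
    r = report(SAMPLE_ALERTS_LOG, [("level", "10")])
    print(f"->Processed alerts: {r['processed']}\n->Post-filtering alerts: {r['post_filtering']}")
    for ip, n in r["top_srcip"]:
        print(f"{ip} |{n} |")
```

Run on the sample, the level filter keeps the two level-10 brute-force alerts and drops the level-5 and level-6 ones, which is exactly the ratio the "Processed alerts" / "Post-filtering alerts" header on slide 21 expresses; the -r listing pairs each user with the source IPs seen for it, as on slide 30.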
  22. Reports
    Top entries for 'Source ip':
    ------------------------------------------------
    183.3.202.106 |12051 |
    121.150.206.215 |2084 |
    190.216.146.145 |807 |
    192.221.93.27 |336 |
    115.28.133.234 |154 |
    185.87.121.69 |111 |
    222.186.34.225 |47 |
    222.186.56.46 |47 |
    10.0.0.4 |45 |
    58.218.211.198 |37 |
    222.186.56.42 |36 |
    222.186.21.119 |25 |
    222.186.34.74 |25 |
    222.186.56.120 |19 |
    222.186.56.75 |19 |

  23. Reports
    Top entries for 'Username':
    ------------------------------------------------
    root |14797 |
    mysql |23 |
    apache |8 |
    oracle |7 |
    sshd |3 |
    nagios |2 |
    nobody |2 |
    postgres |2 |
    ftp |1 |
    squid |1 |
    tom |1 |
    tomcat |1 |

  24. Reports
    Top entries for 'Group':
    ------------------------------------------------
    syslog |53904 |
    local |53879 |
    attacks |10 |
    authentication_failures |10 |
    sshdauthentication_failed |8 |
    attack |6 |
    exploit_attempt |6 |
    web_scan |6 |
    invalid_login |3 |
    sshd |3 |
    apache |2 |
    errors |2 |
    invalid_request |2 |

  25. Reports
    Top entries for 'Location':
    ------------------------------------------------
    (a__.__.__.edu) 128.#.###.227->/v.. |12603 |
    (c__.__.__.edu) 128.#.###.153->/v.. |4525 |
    (k__.__.__.edu) 128.#.###.167->/va.. |4010 |
    (h__.__.__.edu) 128.#.##.61->/var/lo.. |3055 |
    (ti__.__.__.edu) 128.#.###.11->/var/l.. |3032 |
    (te_.__.__.edu) 128.#.###.141->/var/l.. |2966 |
    (tu__.__.__.edu) 128.#.##.141->/var/l.. |2960 |
    (r__.__.__.edu) 128.#.##.182->/var/.. |2676 |
    (g__.__.__.edu) 128.#.###.170->/.. |2674 |
    (t__.__.__.edu) 128.#.###.38->/var/.. |2420 |
    (p__.__.__.edu) 128.#.###.91->/va.. |2357 |

  26. Reports
    Top entries for 'Rule':
    ------------------------------------------------
    102130 - Ignore multiple PAM SSH failures. |37646
    104700 - Multiple 5716 SSH authentication fa.. |10481
    101095 - No email for SSH brute force |5360
    104230 - Possible Drupal brute force attack .. |382
    106050 - Multiple authentication failures. .. |10
    106010 - SSHD brute force trying to get acce.. |8
    104290 - BID 34236 PHPMyAdmin vulnerability. |6
    104260 - Drupal access denied to admin screen. |4
    5719 - Multiple access attempts using a deni.. |3
    1003 - Non standard syslog message (size too.. |2
    106030 - Multiple SSHD authentication failur.. |2
    30116 - Multiple Invalid URI requests from s.. |2

  27. Reports
    Top entries for 'Source ip':
    ------------------------------------------------
    128.##.###.75 |860
    10.0.0.77 |662
    10.0.0.31 |368
    128.##.###.28 |288
    128.##.###.132 |48
    84.111.25.127 |15
    50.191.10.89 |11
    73.141.163.82 |11
    98.115.235.181 |11
    192.249.6.188 |10
    73.154.193.145 |10
    66.250.143.158 |5

  28. Reports
    Top entries for 'Username':
    ------------------------------------------------
    aaoot |1230
    aaag |518
    aaamon |384
    aaagios |48
    bbbmon |48
    bbblwiss |20
    bbbappe |15
    bbbaron |11
    bbbele |11
    bbbster |11
    bbbidz |5

  29. Reports
    Top entries for 'Location':
    ------------------------------------------------
    (host1.example.edu) 128.##.##.###->/va |1010
    (host7.example.edu) 128.##.##.##->/va.. |581
    (host3.example.edu) 128.##.###.##->/var/log/.. |386
    (host5.example.edu) 128.##.###.##->/var/log/.. |336

  30. Reports
    Related entries for 'Username':
    ------------------------------------------------
    toor |1230 |
      srcip: '192.168.1.11'
      srcip: '192.168.2.21'
    aag |518 |
      srcip: '10.0.0.77'
    aaamon |384 |
      srcip: '128.##.###.###'
      srcip: '10.0.0.77'

  31. Reports
    Top entries for 'Rule':
    ------------------------------------------------
    104570 - Common web attack. Attempt to do di.. |70
    104560 - SQL injection attempt. |17
    106050 - Multiple authentication failures. .. |6
    31104 - Common web attack. |6
    31511 - Blacklisted user agent (wget). |3
    104580 - XSS (Cross Site Scripting) attempt. |2
    106040 - Quiet rule 40111 to implement new r.. |2
    31106 - A web attack returned code 200 (succ.. |2
    592 - Log file size reduced. |2

  32. Reports
    123.125.71.26 |1
      rule: '104570'
    123.125.71.88 |1
      rule: '104570'
    180.76.15.151 |1
      rule: '104570'
    207.46.13.25 |6
      rule: '31104'
      rule: '104570'
      rule: '104560'

  33. Reports
    Related entries for 'Rule':
    ------------------------------------------------
    104570 - Common web attack. Attempt to do di.. |70
      srcip: '68.180.228.162'
      srcip: '37.57.231.111'
      srcip: '220.181.108.82'
      srcip: '217.73.208.147'

  34. Data (attack counts)
    Date, Count
    12/18/15, 13
    12/19/15, 23
    12/20/15, 11
    12/21/15, 22
    12/22/15, 14
    12/23/15, 8
    12/24/15, 11
    12/25/15, 205
    12/26/15, 18
    12/27/15, 6
    12/28/15, 7
    12/29/15, 14
    12/30/15, 18
    12/31/15, 10