After a short introduction to OSSEC we look at rules/alerts, email alerts, active response, the OSSEC command-line tools, and a few reports. Graphs and notes on future work are also touched upon.
“By 2020, 75% of enterprises' information security budgets will be allocated for rapid detection and response approaches, up from less than 10% in 2012.” - Gartner, Inc.
Output & Alert Options

    Sending alerts via syslog
    Sending alerts via E-Mail*
    Storing alerts as JSON
    Sending output to a Database*
    Daily E-Mail Reports*
    Sending alerts to picviz
    Sending output to prelude
agent_control

    # bin/agent_control -h
    agent_control: Control remote agents.
    Available options:
        -l           List available (active or not) agents.
        -lc          List active agents.
        -i <id>      Extracts information from an agent.
        -R <id>      Restarts agent.
        -r -a        Runs the integrity/rootkit checking on all agents now.
        -r -u <id>   Runs the integrity/rootkit checking on one agent now.
        -b <ip>      Blocks the specified ip address.
        -f <ar>      Used with -b, specifies which response to run.
        -L           List available active responses.
        -s           Changes the output to CSV (comma delimited).
agent_control

    # bin/agent_control -i 002

    OSSEC HIDS agent_control. Agent information:
       Agent ID:   002
       Agent Name: v__.___.___.edu
       IP address: 128.###.###.142
       Status:     Active

       Operating system:    Linux v_.__.__.edu 2.6.18-400.1.1.el5 #1 SMP ..
       Client version:      OSSEC HIDS v2.7
       Last keep alive:     Sun Feb 7 20:15:05 2016

       Syscheck last started at:  Sun Feb 7 00:31:07 2016
       Rootcheck last started at: Sun Feb 7 00:46:24 2016
rootcheck_control

    # bin/rootcheck_control -h
    rootcheck_control: Manages the policy and auditing database.
        -i <id>      Prints database for the agent.
        -r           Used with -i, prints all the resolved issues.
        -q           Used with -i, prints all the outstanding issues.
        -L           Used with -i, prints the last scan.
        -s           Changes the output to CSV (comma delimited).
rootcheck_control

    # bin/rootcheck_control -i 002

    Policy and auditing events for agent 'v__.__.___.edu (002) - 128.###.###.142':

    Resolved events:

    2013 Jun 27 00:45:12 (first time detected: 2013 May 28 14:50:04)
    System Audit: System Audit: CIS - Testing against the CIS Red Hat Enterprise Linux 5 Benchmark v1.1. File: /etc/redhat-release. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL5 .

    2013 Jun 27 00:45:12 (first time detected: 2013 May 28 14:50:04)
    System Audit: System Audit: CIS - RHEL5 4.4 - GUI login enabled. File: /etc/inittab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL5 .
syscheck_control

    # bin/syscheck_control -h
    syscheck_control: Manages the integrity checking database.
        -i <id>      List modified files for the agent.
        -r -i <id>   List modified registry entries for the agent (Windows only).
        -f <file>    Prints information about a modified file.
        -s           Changes the output to CSV (comma delimited).
Reports

    # bin/ossec-reportd -h
    ossec-reportd: Generate reports (via stdin).
    Available options:
        -f <filter> <value>   Filter the results.
        -r <filter> <value>   Show related entries.
        -n                    Creates a description for the report.
        -s                    Show the alert dump.

    Filters allowed: group, rule, level, location, user, srcip, filename

    Examples:
        -f group authentication_success           (to filter on login success).
        -f level 10                               (to filter on level >= 10).
        -f group authentication -r user srcip     (to show the srcip for all users).
Reports

    Related entries for 'Rule':
    ------------------------------------------------
    104570 - Common web attack. Attempt to do di.. |70
       srcip: '68.180.228.162'
       srcip: '37.57.231.111'
       srcip: '220.181.108.82'
       srcip: '217.73.208.147'
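ossec-reportd reads alerts from stdin, so the report above is produced with something like `bin/ossec-reportd -f group attack -r rule srcip < logs/alerts/alerts.log`. To make concrete what the filter and "related entries" options in the two slides above actually compute, here is an added example (not OSSEC's own code) that parses the classic alerts.log layout and reproduces the filter semantics (level is a minimum, group is membership, the rest are exact matches) and the related-entries grouping. It assumes the alert block layout shown in the constructed SAMPLE_ALERTS string (documentation-range IPs, made-up timestamps; the rule id reuses the page's 104570 but its description is constructed) and does not implement the `filename` filter, which applies to syscheck alerts.

```python
"""Re-implementation of ossec-reportd's -f (filter) and -r (related) logic.

Added example, not OSSEC code. Assumes the classic alerts.log layout:
'** Alert <ts>: [mail ] - <groups>,' header, a date/agent/location line,
a 'Rule:' line, optional 'Src IP:' and 'User:' lines, then the raw log text.
"""
import re
from collections import Counter, defaultdict

# Constructed sample alerts.log content (not taken from any real system).
SAMPLE_ALERTS = """\
** Alert 1454897705.1001: - web,accesslog,attack,
2016 Feb 07 20:15:05 (v__.edu) 128.0.0.142->/var/log/httpd/access_log
Rule: 104570 (level 6) -> 'Common web attack.'
Src IP: 192.0.2.10
192.0.2.10 - - [07/Feb/2016:20:15:04 -0500] "GET /index.php?p=../../etc/passwd HTTP/1.1" 404 210

** Alert 1454897710.1002: - syslog,sshd,authentication_success,
2016 Feb 07 20:15:10 (v__.edu) 128.0.0.142->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 198.51.100.7
User: alice
Feb  7 20:15:09 v sshd[2210]: Accepted publickey for alice from 198.51.100.7 port 50112 ssh2

** Alert 1454897720.1003: mail  - web,accesslog,attack,
2016 Feb 07 20:15:20 (v__.edu) 128.0.0.142->/var/log/httpd/access_log
Rule: 104570 (level 6) -> 'Common web attack.'
Src IP: 192.0.2.11
192.0.2.11 - - [07/Feb/2016:20:15:19 -0500] "GET /cgi-bin/../../../../bin/sh HTTP/1.1" 404 210

** Alert 1454897730.1004: - syslog,sshd,authentication_failed,
2016 Feb 07 20:15:30 (v__.edu) 128.0.0.142->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
User: root
Feb  7 20:15:29 v sshd[2215]: Failed password for root from 192.0.2.10 port 50113 ssh2

** Alert 1454897735.1005: - syslog,sshd,authentication_failures,
2016 Feb 07 20:15:35 (v__.edu) 128.0.0.142->/var/log/secure
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 192.0.2.10
User: root
Feb  7 20:15:34 v sshd[2216]: Failed password for root from 192.0.2.10 port 50114 ssh2

** Alert 1454897740.1006: - web,accesslog,attack,
2016 Feb 07 20:15:40 (v__.edu) 128.0.0.142->/var/log/httpd/access_log
Rule: 104570 (level 6) -> 'Common web attack.'
Src IP: 192.0.2.10
192.0.2.10 - - [07/Feb/2016:20:15:39 -0500] "GET /index.php?p=../../etc/shadow HTTP/1.1" 404 210
"""

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")


def parse_alerts(text):
    """Split alerts.log text into dicts carrying the fields ossec-reportd filters on."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3 or not lines[0].startswith("** Alert "):
            continue
        # Header: "** Alert 1454897705.1001: [mail ] - group1,group2,"
        ts, rest = lines[0][len("** Alert "):].split(":", 1)
        groups = [g for g in rest.split("- ", 1)[1].split(",") if g]
        # Location line: 20-char timestamp, then "(agent) ip->path" or "host->path"
        origin, location = lines[1][20:].strip().split("->", 1)
        agent = origin[1:origin.index(")")] if origin.startswith("(") else origin
        m = RULE_RE.match(lines[2])
        if not m:
            continue
        alert = {"ts": float(ts), "groups": groups, "agent": agent, "location": location,
                 "rule": m.group(1), "level": int(m.group(2)), "description": m.group(3),
                 "srcip": None, "user": None, "log": []}
        for line in lines[3:]:
            if line.startswith("Src IP: "):
                alert["srcip"] = line[8:].strip()
            elif line.startswith("User: "):
                alert["user"] = line[6:].strip()
            else:
                alert["log"].append(line)
        alerts.append(alert)
    return alerts


def match(alert, field, value):
    """One -f filter: level is a minimum, group is membership, the rest exact."""
    if field == "level":
        return alert["level"] >= int(value)
    if field == "group":
        return value in alert["groups"]
    if field in ("rule", "location", "srcip", "user"):
        return alert[field] == value
    raise ValueError("unsupported filter field: %s" % field)


def filter_alerts(alerts, filters):
    """Keep alerts matching every (field, value) pair, like chained -f options."""
    return [a for a in alerts if all(match(a, f, v) for f, v in filters)]


def label(alert, field):
    """Display form of a field; rules render as '<id> - <description>' as in the report."""
    if field == "rule":
        return "%s - %s" % (alert["rule"], alert["description"])
    if field == "group":
        return ",".join(alert["groups"])
    return alert[field]


def related(alerts, key_field, value_field):
    """Group alerts by key_field and count value_field, like '-r <key> <value>'."""
    table = defaultdict(Counter)
    for a in alerts:
        key, value = label(a, key_field), label(a, value_field)
        if key is not None and value is not None:   # alerts lacking a user/srcip are skipped
            table[key][value] += 1
    return table


def format_report(table, key_field, value_field):
    """Render the 'Related entries for ...' layout used by ossec-reportd."""
    out = ["Related entries for '%s':" % key_field.capitalize(), "-" * 48]
    for key, values in sorted(table.items(), key=lambda kv: -sum(kv[1].values())):
        out.append("%-44s|%d" % (key[:44], sum(values.values())))
        for value, n in values.most_common():
            out.append("   %s: '%s' (%d)" % (value_field, value, n))
    return "\n".join(out)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    # Equivalent of: ossec-reportd -f group attack -r rule srcip < alerts.log
    attacks = filter_alerts(alerts, [("group", "attack")])
    print(format_report(related(attacks, "rule", "srcip"), "rule", "srcip"))
```

Running it prints one rule line with a `|3` count and two source IPs, the same shape as the report slide; swapping the filter for `("level", "10")` keeps only the rule 5720 alert, and `related(alerts, "user", "srcip")` gives the "srcip for all users" view from the help text.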