OSSEC Overview

Clay Wells
January 11, 2016


After a short introduction to OSSEC we look at rules/alerts, email alerts, active response, OSSEC commands, and a few reports. A few graphs and notes regarding future work are also touched upon.

Transcript

  1. Putting Host-based Intrusion Detection Into Practice Using OSSEC
    Clay Wells (clayw at upenn.edu)
    School of Arts and Sciences

  2. “By 2020, 75% of enterprises' information security budgets will be allocated for rapid detection and response approaches, up from less than 10% in 2012.” - Gartner, Inc.

  3. OSSEC Agenda
    Introduction
    Rules
    Email Alerts
    Active Response
    OSSEC Commands
    Reports
    Graphs
    Future Work

  4. OSSEC-HIDS Open Source Security Host-based Intrusion Detection System

  5. Insights w/o OSSEC

  6. Insights w/o OSSEC https://en.wikipedia.org/wiki/Schr%C3%B6dinger's_cat

  7. Insights with OSSEC

  8. What OSSEC Can Do
    integrating log analysis*
    file integrity checking
    Windows registry monitoring
    centralized policy enforcement
    rootkit detection
    real-time alerting*
    active response*
    powerful correlation & analysis engine*

  9. Multi-platform: Linux, OpenBSD, FreeBSD, MacOS, Solaris, Windows

  10. Code & Documentation
    https://github.com/ossec/ossec-hids
    http://ossec.github.io/docs/

  11. Architecture
    http://ossec.github.io/docs/manual/ossec-architecture.html

  12. Rules/Alerts
    apache_rules.xml
    local_rules.xml*
    msauth_rules.xml
    mysql_rules.xml
    nginx_rules.xml
    sshd_rules.xml
    syslog_rules.xml
    wordpress_rules.xml

  13. Rules
    Atomic – single events, no correlation
      <rule id="5704" level="4">
        <if_sid>5700</if_sid>
        <match>fatal: Timeout before authentication for</match>
        <description>Timeout while logging in (sshd).</description>
      </rule>
    Composite – multiple events
      <rule id="5712" level="10" frequency="6" timeframe="120" ignore="60">
        <if_matched_sid>5710</if_matched_sid>
        <description>SSHD brute force trying to get access to </description>
        <description>the system.</description>
        <same_source_ip />
        <group>authentication_failures,</group>
      </rule>

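A simplified model of how the composite rule above counts matches, added here as an example (not code from the talk or from OSSEC itself): `frequency`, `timeframe` and `ignore` are the attributes of rule 5712, the events are constructed (timestamp, source IP) pairs that already matched rule 5710, and the model is assumed to fire on the frequency-th match inside the timeframe, which approximates OSSEC's own counter.

```python
from collections import defaultdict, deque

class CompositeRule:
    """Model of <rule id="5712" frequency="6" timeframe="120" ignore="60">
    with <same_source_ip />: matches are counted per source IP (assumed model)."""

    def __init__(self, rule_id=5712, frequency=6, timeframe=120, ignore=60):
        self.rule_id = rule_id
        self.frequency = frequency    # matches needed inside the timeframe
        self.timeframe = timeframe    # seconds the sliding window spans
        self.ignore = ignore          # seconds to stay silent after firing
        self.window = defaultdict(deque)   # srcip -> timestamps inside timeframe
        self.last_fired = {}               # srcip -> last time the rule fired

    def feed(self, ts, srcip):
        """Offer one parent-rule (5710) match; return True if 5712 fires."""
        last = self.last_fired.get(srcip)
        if last is not None and ts - last < self.ignore:
            return False               # inside the ignore period: no alert flood
        q = self.window[srcip]
        q.append(ts)
        while q and ts - q[0] > self.timeframe:
            q.popleft()                # forget matches older than the timeframe
        if len(q) >= self.frequency:
            self.last_fired[srcip] = ts
            q.clear()                  # start counting afresh after firing
            return True
        return False

def run(events, rule=None):
    """Feed (ts, srcip) events in time order; return where the rule fired."""
    rule = rule or CompositeRule()
    return [(ts, ip) for ts, ip in sorted(events) if rule.feed(ts, ip)]

# Constructed sample: 203.0.113.7 matches rule 5710 every 10 s for 80 s (eight
# matches: the 6th fires 5712, the 7th and 8th fall inside ignore="60");
# 198.51.100.4 matches twice, 295 s apart, so never reaches frequency="6".
SAMPLE = [(t, "203.0.113.7") for t in range(0, 80, 10)] + \
         [(5, "198.51.100.4"), (300, "198.51.100.4")]

if __name__ == "__main__":
    for ts, ip in run(SAMPLE):
        print(f"t={ts:>3}s  rule 5712 fired for {ip}")
```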
  14. Rule Levels
    00 - Ignored
    01 - None
    02 - System low priority notification
    03 - Successful/Authorized events
    04 - System low priority error
    05 - User generated error
    06 - Low relevance attack

  15. Rule Levels
    07 - “Bad word” matching
    08 - First time seen
    09 - Error from invalid source
    10 - Multiple user generated errors
    11 - Integrity checking warning
    12 - High importance event
    13 - Unusual error (high importance)
    14 - High importance security event
    15 - Severe attack

  16. Rule Groups
    authentication_success*
    authentication_failed
    attack*
    exploit_attempt*
    windows
    syslog
    adduser

  17. Custom Rules
    101000 Known errors (to quiet alerts)
    102000 False positives
    103000 Quiet SQL injection false positives
    104000 Custom alerts
    105000 Reclassification of unknown alerts
    106000 Reclassification of existing rules

  18. Custom Rules
      <rule id="104140" level="12">
        <if_sid>31106, 103006</if_sid>
        <group>attack, exploit_attempt, web_scan</group>
        <url>scripts/setup.php</url>
        <description>BID 34236 PHPMyAdmin vulnerability.</description>
      </rule>

  19. Custom Rules
      <rule id="104200" level="15">
        <if_sid>103006</if_sid>
        <match>^128.91.|^130.91.|^165.123.|^158.130.</match>
        <description>Possible web attack from a Penn IP address</description>
      </rule>

  20. Decoders (complex)
      <decoder name="ssh-reverse-mapping">
        <parent>sshd</parent>
        <prematch>^reverse mapping checking </prematch>
        <regex offset="after_prematch">^\w+ for \S+ [(\S+)] |^\w+ for (\S+)</regex>
        <order>srcip</order>
      </decoder>

  21. Decoders (simple)
      <decoder name="mysql_log">
        <prematch>^MySQL log:</prematch>
      </decoder>
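The two decoders above, re-expressed in Python as an added example (not from the slides or from OSSEC): it shows what `<prematch>`, `offset="after_prematch"` and `<order>` do when run over constructed sshd and MySQL messages; the `<parent>sshd</parent>` program-name step is omitted.

```python
import re

# OSSEC's regex dialect treats [ and ] literally, so they are escaped here;
# \w+ and \S+ keep their usual meaning. offset="after_prematch" applies the
# <regex> to the text following the <prematch> hit; <order> names the
# captured fields in turn. The <parent>sshd</parent> step is omitted.
DECODERS = [
    {   # <decoder name="ssh-reverse-mapping">
        "name": "ssh-reverse-mapping",
        "prematch": re.compile(r"^reverse mapping checking "),
        "regex": re.compile(r"^\w+ for \S+ \[(\S+)\] |^\w+ for (\S+)"),
        "order": ["srcip"],
    },
    {   # <decoder name="mysql_log">: prematch only, nothing extracted
        "name": "mysql_log",
        "prematch": re.compile(r"^MySQL log:"),
        "regex": None,
        "order": [],
    },
]

def decode(msg):
    """Return (decoder_name, fields) for the first matching decoder, else None."""
    for d in DECODERS:
        pm = d["prematch"].match(msg)
        if not pm:
            continue
        if d["regex"] is None:
            return d["name"], {}
        m = d["regex"].match(msg[pm.end():])     # offset="after_prematch"
        if not m:
            continue                             # prematch hit but regex did not
        captured = [g for g in m.groups() if g is not None]
        return d["name"], dict(zip(d["order"], captured))
    return None

# Constructed sample messages, syslog header already stripped
SAMPLES = [
    "reverse mapping checking getaddrinfo for host.example.net [203.0.113.5] "
    "failed - POSSIBLE BREAK-IN ATTEMPT!",
    "reverse mapping checking getaddrinfo for 198.51.100.9 failed",
    "MySQL log: 160207 20:59:26 [Warning] Access denied for user 'root'@'localhost'",
    "Accepted publickey for alice from 192.0.2.10 port 50022 ssh2",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(decode(msg), "<-", msg[:45])
```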

  22. Output & Alert Options
    Sending alerts via syslog
    Sending alerts via E-Mail*
    Storing alerts as JSON
    Sending output to a Database*
    Daily E-Mail Reports*
    Sending alerts to picviz
    Sending output to prelude

  23. Email Alerts
    Single Notification addresses
    Granular Notifications to any number of addresses
    Daily Reports

  24. Email Alerts
      <ossec_config>
        <global>
          <email_notification>yes</email_notification>
          <email_to>infosec@example.edu</email_to>
          <smtp_server>smtp.example.edu</smtp_server>
          <email_from>ossec@example.edu</email_from>
          <!-- OACP Scanner -->
          <white_list>192.168.1.7</white_list>
          <email_maxperhour>1</email_maxperhour>
        </global>
        ...

  25. Email Alerts
      <email_alerts>
        <email_to>ossec-notices@example.edu</email_to>
        <level>7</level>
      </email_alerts>
      <email_alerts>
        <email_to>ossec-high@example.edu</email_to>
        <level>11</level>
      </email_alerts>

  26. Email Alerts
      <email_alerts>
        <email_to>sysadm@example.edu</email_to>
        <event_location>host1.sas</event_location>
        <do_not_delay />
      </email_alerts>

  27. Monitor Files
      <localfile>
        <log_format>syslog</log_format>
        <location>/var/log/secure</location>
      </localfile>
      <localfile>
        <log_format>apache</log_format>
        <location>/var/log/httpd/access_log</location>
      </localfile>
      <localfile>
        <log_format>command</log_format>
        <command>df -h</command>
      </localfile>

  28. Active Response
    Trigger a script on an agent/server
    Specific alerts, alert levels, or rule groups
    Attack, policy violation

  29. Active Response
    Firewall block/drop
    Quarantine
    Traffic shaping/throttling
    Account lockout

  30. Active Response
    disable-account.sh
    host-deny.sh
    route-null.sh
    firewall-drop.sh
    ipfw_mac.sh
    ipfw.sh
    pf.sh

  31. Active Response
    Part 1 – command
    Part 2 – bind command to rule(s)

  32. Active Response Part 1
      <command>
        <name>drupalban</name>
        <executable>drupalban.sh</executable>
        <expect>srcip</expect>
        <timeout_allowed>yes</timeout_allowed>
      </command>

  33. Active Response Part 2
      <active-response>
        <command>drupalban</command>
        <location>server</location>
        <rules_id>104590,104543,104542,104572,104620</rules_id>
        <timeout>14400</timeout> <!-- 1200 = 20 min -->
        <repeated_offenders>93600,180000</repeated_offenders>
      </active-response>

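An added example (not the talk's drupalban.sh) of the calling convention an active-response executable receives when the configuration above fires: `add` with the source IP when one of the listed rules triggers, then `delete` for the same IP once `<timeout>` expires. The deny-file path and the local allow-list are assumptions; the point it makes is that the IP comes from a decoded log line and must be validated before it reaches any blocking command.

```python
import ipaddress
import sys
from pathlib import Path

# OSSEC invokes the executable as: <executable> add|delete <user> <srcip> <alert_id> <rule_id>
# ("add" when a bound rule fires, "delete" when <timeout> expires). Assumed path:
DENY_FILE = Path("/tmp/ossec-example-deny.list")

# Assumed local allow-list mirroring <white_list> from the <global> config slide.
NEVER_BLOCK = {ipaddress.ip_network("192.168.1.7/32"),
               ipaddress.ip_network("127.0.0.0/8")}

def decide(action, srcip, denied):
    """Return the new deny set (a copy) or raise ValueError.

    srcip is whatever OSSEC extracted from a log line written by the remote
    party, so it is validated before it could reach a firewall command."""
    ip = ipaddress.ip_address(srcip)            # ValueError on anything but an IP
    if any(ip in net for net in NEVER_BLOCK):
        raise ValueError(f"{ip} is allow-listed")
    new = set(denied)
    if action == "add":
        new.add(str(ip))
    elif action == "delete":
        new.discard(str(ip))
    else:
        raise ValueError(f"unknown action {action!r}")
    return new

def apply_action(action, srcip, path=DENY_FILE):
    """Read the deny file, apply the decision, write it back; return the new set."""
    current = set(path.read_text().split()) if path.exists() else set()
    new = decide(action, srcip, current)
    path.write_text("".join(f"{ip}\n" for ip in sorted(new)))
    return new

if __name__ == "__main__":
    # argv: action user srcip alert_id rule_id (user and alert_id unused here)
    action, _user, srcip = sys.argv[1:4]
    rule_id = sys.argv[5] if len(sys.argv) > 5 else "?"
    try:
        print(f"rule {rule_id}: {action} {srcip} -> {sorted(apply_action(action, srcip))}")
    except ValueError as exc:
        sys.exit(f"refusing action: {exc}")
```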
  34. Commands
    agent_control
    rootcheck_control
    syscheck_control

  35. agent_control
    # bin/agent_control -h
    agent_control: Control remote agents.
    Available options:
      -l          List available (active or not) agents.
      -lc         List active agents.
      -i <id>     Extracts information from an agent.
      -R <id>     Restarts agent.
      -r -a       Runs the integrity/rootkit checking on all agents now.
      -r -u <id>  Runs the integrity/rootkit checking on one agent now.
      -b <ip>     Blocks the specified ip address.
      -f <ar>     Used with -b, specifies which response to run.
      -L          List available active responses.
      -s          Changes the output to CSV (comma delimited).

  36. agent_control
    # bin/agent_control -l
    OSSEC HIDS agent_control. List of available agents:
      ID: 000, Name: info_.___.___.edu (server), IP: 127.0.0.1, Active/Local
      ID: 002, Name: v__.___.___.edu, IP: 128.###.###.142, Active
      ID: 004, Name: s__.___.___.edu, IP: 128.###.###.66, Disconnected

  37. agent_control
    # bin/agent_control -i 002
    OSSEC HIDS agent_control. Agent information:
      Agent ID: 002
      Agent Name: v__.___.___.edu
      IP address: 128.###.###.142
      Status: Active
      Operating system: Linux v_.__.__.edu 2.6.18-400.1.1.el5 #1 SMP ..
      Client version: OSSEC HIDS v2.7
      Last keep alive: Sun Feb 7 20:15:05 2016
      Syscheck last started at: Sun Feb 7 00:31:07 2016
      Rootcheck last started at: Sun Feb 7 00:46:24 2016

  38. rootcheck_control
    # bin/rootcheck_control -h
    rootcheck_control: Manages the policy and auditing database.
      -i <id>  Prints database for the agent.
      -r       Used with -i, prints all the resolved issues.
      -q       Used with -i, prints all the outstanding issues.
      -L       Used with -i, prints the last scan.
      -s       Changes the output to CSV (comma delimited).

  39. rootcheck_control
    # bin/rootcheck_control -i 002
    Policy and auditing events for agent 'v__.__.___.edu (002) - 128.###.###.142':
    Resolved events:
    2013 Jun 27 00:45:12 (first time detected: 2013 May 28 14:50:04)
    System Audit: System Audit: CIS - Testing against the CIS Red Hat Enterprise Linux 5 Benchmark v1.1. File: /etc/redhat-release. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL5 .
    2013 Jun 27 00:45:12 (first time detected: 2013 May 28 14:50:04)
    System Audit: System Audit: CIS - RHEL5 4.4 - GUI login enabled. File: /etc/inittab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL5 .

  40. syscheck_control
    # bin/syscheck_control -h
    syscheck_control: Manages the integrity checking database.
      -i <id>     List modified files for the agent.
      -r -i <id>  List modified registry entries for the agent (Windows only).
      -f <file>   Prints information about a modified file.
      -s          Changes the output to CSV (comma delimited).

  41. syscheck_control
    # bin/syscheck_control -i 002
    Changes for 2015 Nov 13:
      2015 Nov 13 22:52:58,2 - /etc/passwd
      2015 Nov 13 22:53:04,2 - /etc/ld.so.cache
      2015 Nov 13 22:58:08,2 - /etc/shadow
      2015 Nov 13 22:58:12,2 - /etc/group
      2015 Nov 13 22:58:22,2 - /etc/gshadow
    Changes for 2015 Nov 14:
      2015 Nov 14 22:56:11,0 - /usr/bin/curve_keygen
      2015 Nov 14 22:57:09,0 - /usr/bin/python26
      2015 Nov 14 22:57:09,0 - /usr/bin/python2.6

  42. syscheck_control
    # bin/syscheck_control -i 002 -f /etc/passwd
    2015 Oct 08 10:14:14,0 - /etc/passwd
    File changed. - 1st time modified.
    Integrity checking values:
      Size: >21002
      Perm: rw-r--r--
      Uid: 0
      Gid: 0
      Md5: >b01d0b11dcf30bc28b07ec3ec3ece040
      Sha1: >47b5081e34481119dd8dadf963cf5056576ac17d

  43. Reports
    # bin/ossec-reportd -h
    ossec-reportd: Generate reports (via stdin).
    Available options:
      -f <filter> <value>  Filter the results.
      -r <filter> <value>  Show related entries.
      -n                   Creates a description for the report.
      -s                   Show the alert dump.
    Filters allowed: group, rule, level, location, user, srcip, filename
    Examples:
      -f group authentication_success (to filter on login success).
      -f level 10 (to filter on level >= 10).
      -f group authentication -r user srcip (to show the srcip for all users).

  44. Reports
    # cat logs/alerts/alerts.log | bin/ossec-reportd -f level 10

  45. Reports
    # cat logs/alerts/alerts.log | bin/ossec-reportd -f level 10
    2016/02/07 20:59:26 ossec-reportd: INFO: Started (pid: 3547).
    2016/02/07 20:59:36 ossec-reportd: INFO: Report completed. Creating output...
    Report completed. ==
    ------------------------------------------------
    ->Processed alerts: 654760
    ->Post-filtering alerts: 53906
    ->First alert: 2016 Feb 07 00:00:06
    ->Last alert: 2016 Feb 07 20:59:26

  46. Reports
    Top entries for 'Source ip':
    ------------------------------------------------
    183.3.202.106 |12051 |
    121.150.206.215 |2084 |
    190.216.146.145 |807 |
    192.221.93.27 |336 |
    115.28.133.234 |154 |
    185.87.121.69 |111 |
    222.186.34.225 |47 |
    222.186.56.46 |47 |
    10.0.0.4 |45 |
    58.218.211.198 |37 |
    222.186.56.42 |36 |
    222.186.21.119 |25 |
    222.186.34.74 |25 |
    222.186.56.120 |19 |
    222.186.56.75 |19 |

  47. Reports
    Top entries for 'Username':
    ------------------------------------------------
    root |14797 |
    mysql |23 |
    apache |8 |
    oracle |7 |
    sshd |3 |
    nagios |2 |
    nobody |2 |
    postgres |2 |
    ftp |1 |
    squid |1 |
    tom |1 |
    tomcat |1 |

  48. Reports
    Top entries for 'Level':
    ------------------------------------------------
    Severity 10 |53522 |
    Severity 11 |382 |
    Severity 13 |2 |

  49. Reports
    Top entries for 'Group':
    ------------------------------------------------
    syslog |53904 |
    local |53879 |
    attacks |10 |
    authentication_failures |10 |
    sshdauthentication_failed |8 |
    attack |6 |
    exploit_attempt |6 |
    web_scan |6 |
    invalid_login |3 |
    sshd |3 |
    apache |2 |
    errors |2 |
    invalid_request |2 |

  50. Reports
    Top entries for 'Location':
    ------------------------------------------------
    (a__.__.__.edu) 128.#.###.227->/v.. |12603 |
    (c__.__.__.edu) 128.#.###.153->/v.. |4525 |
    (k__.__.__.edu) 128.#.###.167->/va.. |4010 |
    (h__.__.__.edu) 128.#.##.61->/var/lo.. |3055 |
    (ti__.__.__.edu) 128.#.###.11->/var/l.. |3032 |
    (te_.__.__.edu) 128.#.###.141->/var/l.. |2966 |
    (tu__.__.__.edu) 128.#.##.141->/var/l.. |2960 |
    (r__.__.__.edu) 128.#.##.182->/var/.. |2676 |
    (g__.__.__.edu) 128.#.###.170->/.. |2674 |
    (t__.__.__.edu) 128.#.###.38->/var/.. |2420 |
    (p__.__.__.edu) 128.#.###.91->/va.. |2357 |

  51. Reports
    Top entries for 'Rule':
    ------------------------------------------------
    102130 - Ignore multiple PAM SSH failures. |37646
    104700 - Multiple 5716 SSH authentication fa.. |10481
    101095 - No email for SSH brute force |5360
    104230 - Possible Drupal brute force attack .. |382
    106050 - Multiple authentication failures. .. |10
    106010 - SSHD brute force trying to get acce.. |8
    104290 - BID 34236 PHPMyAdmin vulnerability. |6
    104260 - Drupal access denied to admin screen. |4
    5719 - Multiple access attempts using a deni.. |3
    1003 - Non standard syslog message (size too.. |2
    106030 - Multiple SSHD authentication failur.. |2
    30116 - Multiple Invalid URI requests from s.. |2

  52. Reports ossec.conf
      <reports>
        <category>authentication_success</category>
        <user type="relation">srcip</user>
        <title>OSSEC Report: Successful Auths</title>
        <email_to>sec@example.edu</email_to>
      </reports>

  53. Reports
    Top entries for 'Source ip':
    ------------------------------------------------
    128.##.###.75 |860
    10.0.0.77 |662
    10.0.0.31 |368
    128.##.###.28 |288
    128.##.###.132 |48
    84.111.25.127 |15
    50.191.10.89 |11
    73.141.163.82 |11
    98.115.235.181 |11
    192.249.6.188 |10
    73.154.193.145 |10
    66.250.143.158 |5

  54. Reports
    Top entries for 'Username':
    ------------------------------------------------
    aaoot |1230
    aaag |518
    aaamon |384
    aaagios |48
    bbbmon |48
    bbblwiss |20
    bbbappe |15
    bbbaron |11
    bbbele |11
    bbbster |11
    bbbidz |5

  55. Reports
    Top entries for 'Group':
    ------------------------------------------------
    authentication_success |3671
    syslog |3671
    sshd |2337
    pam |1334

  56. Reports
    Top entries for 'Location':
    ------------------------------------------------
    (host1.example.edu) 128.##.##.###->/va |1010
    (host7.example.edu) 128.##.##.##->/va.. |581
    (host3.example.edu) 128.##.###.##->/var/log/.. |386
    (host5.example.edu) 128.##.###.##->/var/log/.. |336

  57. Reports
    Top entries for 'Rule':
    ------------------------------------------------
    5715 - SSHD authentication success. |2337
    5501 - Login session opened. |1334

  58. Reports
    Related entries for 'Username':
    ------------------------------------------------
    toor |1230 |
      srcip: '192.168.1.11'
      srcip: '192.168.2.21'
    aag |518 |
      srcip: '10.0.0.77'
    aaamon |384 |
      srcip: '128.##.###.###'
      srcip: '10.0.0.77'

  59. Reports
    # cat alerts.log | \
        /var/ossec/bin/ossec-reportd -f group attack \
        -r rule srcip -r srcip rule

  60. Reports
    Top entries for 'Rule':
    ------------------------------------------------
    104570 - Common web attack. Attempt to do di.. |70
    104560 - SQL injection attempt. |17
    106050 - Multiple authentication failures. .. |6
    31104 - Common web attack. |6
    31511 - Blacklisted user agent (wget). |3
    104580 - XSS (Cross Site Scripting) attempt. |2
    106040 - Quiet rule 40111 to implement new r.. |2
    31106 - A web attack returned code 200 (succ.. |2
    592 - Log file size reduced. |2

  61. Reports
    123.125.71.26 |1
      rule: '104570'
    123.125.71.88 |1
      rule: '104570'
    180.76.15.151 |1
      rule: '104570'
    207.46.13.25 |6
      rule: '31104'
      rule: '104570'
      rule: '104560'

  62. Reports
    Related entries for 'Rule':
    ------------------------------------------------
    104570 - Common web attack. Attempt to do di.. |70
      srcip: '68.180.228.162'
      srcip: '37.57.231.111'
      srcip: '220.181.108.82'
      srcip: '217.73.208.147'

  63. Data (attack counts)
    Date, Count
    12/18/15, 13
    12/19/15, 23
    12/20/15, 11
    12/21/15, 22
    12/22/15, 14
    12/23/15, 8
    12/24/15, 11
    12/25/15, 205
    12/26/15, 18
    12/27/15, 6
    12/28/15, 7
    12/29/15, 14
    12/30/15, 18
    12/31/15, 10

  64. Graphs

  65. Graphs

  66. Graphs

  67. Future Work
    Add/refine alerts
    Policies
    Interesting reports
    Visualizations

  68. Thank you!