OSSEC Overview

Clay Wells
January 11, 2016

After a short introduction to OSSEC we look at rules/alerts, email alerts, active response, OSSEC commands, and a few reports. A few graphs and notes regarding future work are also touched upon.

Transcript

  1. Putting Host-based Intrusion Detection
    Into Practice Using OSSEC
    Clay Wells (clayw at upenn.edu)
    School of Arts and Sciences

  2. “By 2020, 75% of enterprises' information security
    budgets will be allocated for rapid detection and
    response approaches, up from less than 10% in
    2012.”
    - Gartner, Inc.

  3. OSSEC
    Agenda
    Introduction
    Rules
    Email Alerts
    Active Response
    OSSEC Commands
    Reports
    Graphs
    Future Work

  4. OSSEC-HIDS
    Open Source Security
    Host-based Intrusion Detection System

  5. Insights w/o OSSEC

  6. Insights w/o OSSEC
    https://en.wikipedia.org/wiki/Schr%C3%B6dinger's_cat

  7. Insights with OSSEC

  8. What OSSEC Can Do
    integrating log analysis*
    file integrity checking
    Windows registry monitoring
    centralized policy enforcement
    rootkit detection
    real-time alerting*
    active response*
    powerful correlation & analysis engine*

  9. Multi-platform
    Linux
    OpenBSD
    FreeBSD
    MacOS
    Solaris
    Windows

  10. Code & Documentation
    https://github.com/ossec/ossec-hids
    http://ossec.github.io/docs/

  11. Architecture
    http://ossec.github.io/docs/manual/ossec-architecture.html

  12. Rules/Alerts
    apache_rules.xml
    local_rules.xml*
    msauth_rules.xml
    mysql_rules.xml
    nginx_rules.xml
    sshd_rules.xml
    syslog_rules.xml
    wordpress_rules.xml

  13. Rules
    Atomic – single events, no correlation
      <if_sid>5700</if_sid>
      <match>fatal: Timeout before authentication for</match>
      <description>Timeout while logging in (sshd).</description>
    Composite – multiple events
      <if_matched_sid>5710</if_matched_sid>
      <description>SSHD brute force trying to get access to the system.</description>
      <group>authentication_failures,</group>

  14. Rule Levels
    00 - Ignored
    01 - None
    02 - System low priority notification
    03 - Successful/Authorized events
    04 - System low priority error
    05 - User generated error
    06 - Low relevance attack

  15. Rule Levels
    07 - “Bad word” matching
    08 - First time seen
    09 - Error from invalid source
    10 - Multiple user generated errors
    11 - Integrity checking warning
    12 - High importance event
    13 - Unusual error (high importance)
    14 - High importance security event
    15 - Severe attack

  16. Rule Groups
    authentication_success*
    authentication_failed
    attack*
    exploit_attempt*
    windows
    syslog
    adduser

  17. Custom Rules
    101000 Known errors (to quiet alerts)
    102000 False positives
    103000 Quiet SQL injection false positives
    104000 Custom alerts
    105000 Reclassification of unknown alerts
    106000 Reclassification of existing rules

  18. Custom Rules
    <if_sid>31106, 103006</if_sid>
    <group>attack, exploit_attempt, web_scan</group>
    <url>scripts/setup.php</url>
    <description>BID 34236 PHPMyAdmin vulnerability.</description>

  19. Custom Rules

    103006

    ^128.91.|^130.91.|^165.123.|^158.130.


    Possible web attack from a Penn IP address


  20. Decoders (complex)
    <parent>sshd</parent>
    <prematch>^reverse mapping checking</prematch>
    <regex>^\w+ for \S+ [(\S+)] |^\w+ for (\S+)</regex>
    <order>srcip</order>

  21. Decoders (simple)
    <prematch>^MySQL log:</prematch>
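
The decoder-to-rule pipeline that slides 13 to 21 describe, as an added example that is not code from this deck or from OSSEC: a decoder pulls `srcip` and `user` out of an sshd line, an atomic rule fires on every decoded failure, and a composite rule (`if_matched_sid` + `frequency` + `timeframe` + `same_source_ip`) fires once enough failures from one address land inside the window. The rule ids 5716 and 5720, the 6-in-120-seconds threshold and the regex are assumptions modelled on the stock sshd rules, not copied from them; the sample events are constructed.

```python
"""Decoder -> atomic rule -> composite rule, modelled on OSSEC's analysis pipeline.

Added example; not code from this deck or from OSSEC. Rule ids 5716/5720, the
6-in-120-seconds threshold and the regex are assumptions shaped like the
stock sshd rules, not copied from them. Sample events are constructed.
"""
import re
from collections import defaultdict, deque

# "Decoder": OSSEC's <prematch>/<regex>/<order> collapsed into one Python regex;
# in OSSEC syntax the two capture groups would be declared as <order>user, srcip</order>.
SSHD_FAILED = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<srcip>\S+) port \d+"
)

# Atomic rule: one event, no correlation.
ATOMIC = {"id": 5716, "level": 5, "description": "SSHD authentication failed."}


def decode(log_line):
    """Decoded fields for an sshd failure, or None when the decoder does not match."""
    m = SSHD_FAILED.search(log_line)
    if m is None:
        return None
    return {"program": "sshd", "user": m.group("user"), "srcip": m.group("srcip")}


class CompositeRule:
    """<if_matched_sid> + <frequency> + <timeframe> + <same_source_ip /> semantics."""

    def __init__(self, rule_id, if_matched_sid, frequency, timeframe, level, description):
        self.rule_id, self.if_matched_sid = rule_id, if_matched_sid
        self.frequency, self.timeframe = frequency, timeframe
        self.level, self.description = level, description
        self._window = defaultdict(deque)  # srcip -> timestamps of recent parent matches

    def feed(self, ts, parent_sid, srcip):
        """Record one parent match; True when this event completes the burst."""
        if parent_sid != self.if_matched_sid:
            return False
        q = self._window[srcip]
        q.append(ts)
        while q and ts - q[0] > self.timeframe:  # drop matches older than the timeframe
            q.popleft()
        if len(q) >= self.frequency:
            q.clear()  # one alert per burst (assumption; OSSEC uses its own ignore timer)
            return True
        return False


def make_brute_force_rule():
    """Fresh composite rule with its own counters (assumed id and threshold)."""
    return CompositeRule(5720, ATOMIC["id"], 6, 120, 10, "Multiple SSHD authentication failures.")


def analyse(events, composite):
    """events: (unix_ts, raw_log_line) pairs in arrival order. Returns the alerts raised."""
    alerts = []
    for ts, line in events:
        d = decode(line)
        if d is None:
            continue  # not an sshd failure: nothing for these rules to match
        alerts.append({"rule": ATOMIC["id"], "level": ATOMIC["level"], "ts": ts, **d})
        if composite.feed(ts, ATOMIC["id"], d["srcip"]):
            alerts.append({"rule": composite.rule_id, "level": composite.level, "ts": ts, **d})
    return alerts


# Constructed sample: a 6-in-25-seconds burst from one address, one stray failure
# from another, and an accepted login that the decoder ignores.
SAMPLE_EVENTS = (
    [(1000 + 5 * i, "Failed password for root from 203.0.113.9 port 4%d000 ssh2" % i) for i in range(6)]
    + [(1010, "Failed password for invalid user admin from 198.51.100.7 port 50123 ssh2")]
    + [(1400, "Accepted publickey for alice from 192.0.2.10 port 51000 ssh2")]
)


def demo():
    return analyse(SAMPLE_EVENTS, make_brute_force_rule())


if __name__ == "__main__":
    for a in demo():
        print("rule %d level %2d srcip %-13s user %s" % (a["rule"], a["level"], a["srcip"], a["user"]))
```

Running it prints seven level-5 atomic alerts and a single level-10 composite alert on the sixth failure from 203.0.113.9; the three failures spread over a longer period never fill the window. When testing real rules, `ossec-logtest` (shipped with OSSEC) shows the same stages for a pasted log line: the decoder output first, then the rule that matched.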

  22. Output & Alert Options
    Sending alerts via syslog
    Sending alerts via E-Mail*
    Storing alerts as JSON
    Sending output to a Database*
    Daily E-Mail Reports*
    Sending alerts to picviz
    Sending output to prelude

  23. Email Alerts
    Single Notification addresses
    Granular Notifications to any number of addresses
    Daily Reports

  24. Email Alerts
    <email_notification>yes</email_notification>
    <email_to>infosec@example.edu</email_to>
    <smtp_server>smtp.example.edu</smtp_server>
    <email_from>ossec@example.edu</email_from>

    192.168.1.7
    1

    ...

  25. Email Alerts
    <email_alerts>
      <email_to>ossec-notices@example.edu</email_to>
      <level>7</level>
    </email_alerts>

    <email_alerts>
      <email_to>ossec-high@example.edu</email_to>
      <level>11</level>
    </email_alerts>

  26. Email Alerts
    <email_alerts>
      <email_to>sysadm@example.edu</email_to>
      <event_location>host1.sas</event_location>
    </email_alerts>

  27. Monitor Files
    <localfile>
      <log_format>syslog</log_format>
      <location>/var/log/secure</location>
    </localfile>

    <localfile>
      <log_format>apache</log_format>
      <location>/var/log/httpd/access_log</location>
    </localfile>

    <localfile>
      <log_format>command</log_format>
      <command>df -h</command>
    </localfile>

  28. Active Response
    Trigger a script on an agent/server
    Specific alerts, alert levels, or rule groups
    Attack, policy violation

  29. Active Response
    Firewall block/drop
    Quarantine
    Traffic shaping/throttling
    Account lockout

  30. Active Response
    disable-account.sh
    host-deny.sh
    route-null.sh
    firewall-drop.sh
    ipfw_mac.sh
    ipfw.sh
    pf.sh

  31. Active Response
    Part 1 – command
    Part 2 – bind command to rule(s)

  32. Active Response
    Part 1
    <command>
      <name>drupalban</name>
      <executable>drupalban.sh</executable>
      <expect>srcip</expect>
      <timeout_allowed>yes</timeout_allowed>
    </command>

  33. Active Response
    Part 2
    <active-response>
      <command>drupalban</command>
      <location>server</location>
      <rules_id>104590,104543,104542,104572,104620</rules_id>
      <timeout>14400</timeout>
      <repeated_offenders>93600,180000</repeated_offenders>
    </active-response>
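
A custom active-response script of the kind slides 30 to 33 bind to rule ids, as an added example: this is not drupalban.sh and not a script shipped with OSSEC. It follows the argument order the stock scripts use (`action user srcip alert_id rule_id`), handles both the `add` call when a rule fires and the `delete` call that `<timeout>` triggers, and validates the source address before it builds a firewall command, because everything after the action originates in a log line the attacker wrote. The NEVER_BLOCK ranges and the log path are assumptions for this example.

```python
#!/usr/bin/env python3
"""Custom OSSEC active-response script (added example; not drupalban.sh, not stock OSSEC).

OSSEC runs an active-response executable as
    <executable> <action> <user> <srcip> <alert_id> <rule_id>
with action "add" when a bound rule fires and "delete" when <timeout> expires
(argument order as used by the stock scripts). Every argument after the action
came from a log line the remote party controlled, so it is validated first.
"""
import ipaddress
import subprocess
import sys
import time

# Ranges this host must never cut itself off from (assumption: loopback plus the site's management net).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "10.0.0.0/8")]
LOG_PATH = "/var/ossec/logs/active-responses.log"  # the file the stock scripts append to


def parse_request(argv):
    """Validate OSSEC's positional arguments; raise ValueError on anything unexpected."""
    if len(argv) < 4:
        raise ValueError("usage: %s add|delete <user> <srcip> [alert_id rule_id]" % argv[0])
    action, user, srcip = argv[1], argv[2], argv[3]
    if action not in ("add", "delete"):
        raise ValueError("unknown action %r" % action)
    # ip_address() accepts only a bare IPv4/IPv6 literal, so a crafted "srcip"
    # carrying shell metacharacters or extra words never reaches a command.
    ip = ipaddress.ip_address(srcip)
    alert_id, rule_id = (argv[4:6] + ["-", "-"])[:2]
    return action, user, ip, alert_id, rule_id


def firewall_argv(action, ip):
    """argv for the block/unblock command, built as a list (never a shell string)."""
    tool = "iptables" if ip.version == 4 else "ip6tables"
    flag = "-I" if action == "add" else "-D"
    return [tool, flag, "INPUT", "-s", str(ip), "-j", "DROP"]


def respond(argv, execute=False, log_path=None):
    """Decide the response and, when execute=True, apply it. Returns (status, detail)."""
    try:
        action, user, ip, alert_id, rule_id = parse_request(argv)
    except ValueError as err:
        return ("invalid", str(err))
    if any(ip in net for net in NEVER_BLOCK):
        detail = "refusing to %s %s (protected range)" % (action, ip)
        _log(log_path, detail, alert_id, rule_id)
        return ("skipped", detail)
    cmd = firewall_argv(action, ip)
    _log(log_path, " ".join(cmd), alert_id, rule_id)
    if execute:
        subprocess.run(cmd, check=True)  # the real iptables call; only when OSSEC invokes us
    return ("run", cmd)


def _log(log_path, message, alert_id, rule_id):
    """Append one line in the spirit of active-responses.log; silent when no path is given."""
    if log_path:
        with open(log_path, "a") as fh:
            fh.write("%s %s alert=%s rule=%s %s\n"
                     % (time.strftime("%Y/%m/%d %H:%M:%S"), sys.argv[0], alert_id, rule_id, message))


if __name__ == "__main__":
    status, detail = respond(sys.argv, execute=True, log_path=LOG_PATH)
    sys.exit(1 if status == "invalid" else 0)
```

Two points carry over to any script bound this way: `<expect>srcip</expect>` in the `<command>` definition is what makes OSSEC pass the address at all, so a rule whose decoder yields no `srcip` will not trigger the response; and the script must be installed in the active-response bin directory with the same ownership and mode as the stock scripts there, since it runs as root.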

  34. Commands
    agent_control
    rootcheck_control
    syscheck_control

  35. agent_control
    # bin/agent_control -h
    agent_control: Control remote agents.
    Available options:
    -l List available (active or not) agents.
    -lc List active agents.
    -i Extracts information from an agent.
    -R Restarts agent.
    -r -a Runs the integrity/rootkit checking on all agents now.
    -r -u Runs the integrity/rootkit checking on one agent now.
    -b Blocks the specified ip address.
    -f Used with -b, specifies which response to run.
    -L List available active responses.
    -s Changes the output to CSV (comma delimited).

  36. agent_control
    # bin/agent_control -l
    OSSEC HIDS agent_control. List of available agents:
    ID: 000, Name: info_.___.___.edu (server), IP: 127.0.0.1, Active/Local
    ID: 002, Name: v__.___.___.edu, IP: 128.###.###.142, Active
    ID: 004, Name: s__.___.___.edu, IP: 128.###.###.66, Disconnected

  37. agent_control
    # bin/agent_control -i 002
    OSSEC HIDS agent_control. Agent information:
    Agent ID: 002
    Agent Name: v__.___.___.edu
    IP address: 128.###.###.142
    Status: Active
    Operating system: Linux v_.__.__.edu 2.6.18-400.1.1.el5 #1 SMP ..
    Client version: OSSEC HIDS v2.7
    Last keep alive: Sun Feb 7 20:15:05 2016
    Syscheck last started at: Sun Feb 7 00:31:07 2016
    Rootcheck last started at: Sun Feb 7 00:46:24 2016

  38. rootcheck_control
    # bin/rootcheck_control -h
    rootcheck_control: Manages the policy and auditing database.
    -i Prints database for the agent.
    -r Used with -i, prints all the resolved issues.
    -q Used with -i, prints all the outstanding issues.
    -L Used with -i, prints the last scan.
    -s Changes the output to CSV (comma delimited).

  39. rootcheck_control
    # bin/rootcheck_control -i 002
    Policy and auditing events for agent 'v__.__.___.edu (002) - 128.###.###.142':
    Resolved events:
    2013 Jun 27 00:45:12 (first time detected: 2013 May 28 14:50:04)
    System Audit: System Audit: CIS - Testing against the CIS Red Hat
    Enterprise Linux 5 Benchmark v1.1. File: /etc/redhat-release. Reference:
    http://www.ossec.net/wiki/index.php/CIS_RHEL5 .
    2013 Jun 27 00:45:12 (first time detected: 2013 May 28 14:50:04)
    System Audit: System Audit: CIS - RHEL5 4.4 - GUI login enabled. File:
    /etc/inittab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL5 .

  40. syscheck_control
    # bin/syscheck_control -h
    syscheck_control: Manages the integrity checking database.
    -i List modified files for the agent.
    -r -i List modified registry entries for the agent (Windows only).
    -f Prints information about a modified file.
    -s Changes the output to CSV (comma delimited).

  41. syscheck_control
    # bin/syscheck_control -i 002
    Changes for 2015 Nov 13:
    2015 Nov 13 22:52:58,2 - /etc/passwd
    2015 Nov 13 22:53:04,2 - /etc/ld.so.cache
    2015 Nov 13 22:58:08,2 - /etc/shadow
    2015 Nov 13 22:58:12,2 - /etc/group
    2015 Nov 13 22:58:22,2 - /etc/gshadow
    Changes for 2015 Nov 14:
    2015 Nov 14 22:56:11,0 - /usr/bin/curve_keygen
    2015 Nov 14 22:57:09,0 - /usr/bin/python26
    2015 Nov 14 22:57:09,0 - /usr/bin/python2.6

  42. syscheck_control
    # bin/syscheck_control -i 002 -f /etc/passwd
    2015 Oct 08 10:14:14,0 - /etc/passwd
    File changed. - 1st time modified.
    Integrity checking values:
    Size: >21002
    Perm: rw-r--r--
    Uid: 0
    Gid: 0
    Md5: >b01d0b11dcf30bc28b07ec3ec3ece040
    Sha1: >47b5081e34481119dd8dadf963cf5056576ac17d

  43. Reports
    # bin/ossec-reportd -h
    ossec-reportd: Generate reports (via stdin).
    Available options:
    -f Filter the results.
    -r Show related entries.
    -n Creates a description for the report.
    -s Show the alert dump.
    Filters allowed: group, rule, level, location,
    user, srcip, filename
    Examples:
    -f group authentication_success (to filter on login success).
    -f level 10 (to filter on level >= 10).
    -f group authentication -r user srcip (to show the srcip for all users).

  44. Reports
    # cat logs/alerts/alerts.log | bin/ossec-reportd -f level 10

  45. Reports
    # cat logs/alerts/alerts.log | bin/ossec-reportd -f level 10
    2016/02/07 20:59:26 ossec-reportd: INFO: Started (pid: 3547).
    2016/02/07 20:59:36 ossec-reportd: INFO: Report completed. Creating
    output...
    Report completed. ==
    ------------------------------------------------
    ->Processed alerts: 654760
    ->Post-filtering alerts: 53906
    ->First alert: 2016 Feb 07 00:00:06
    ->Last alert: 2016 Feb 07 20:59:26

  46. Reports
    Top entries for 'Source ip':
    ------------------------------------------------
    183.3.202.106 |12051 |
    121.150.206.215 |2084 |
    190.216.146.145 |807 |
    192.221.93.27 |336 |
    115.28.133.234 |154 |
    185.87.121.69 |111 |
    222.186.34.225 |47 |
    222.186.56.46 |47 |
    10.0.0.4 |45 |
    58.218.211.198 |37 |
    222.186.56.42 |36 |
    222.186.21.119 |25 |
    222.186.34.74 |25 |
    222.186.56.120 |19 |
    222.186.56.75 |19 |

  47. Reports
    Top entries for 'Username':
    ------------------------------------------------
    root |14797 |
    mysql |23 |
    apache |8 |
    oracle |7 |
    sshd |3 |
    nagios |2 |
    nobody |2 |
    postgres |2 |
    ftp |1 |
    squid |1 |
    tom |1 |
    tomcat |1 |

  48. Reports
    Top entries for 'Level':
    ------------------------------------------------
    Severity 10 |53522 |
    Severity 11 |382 |
    Severity 13 |2 |

  49. Reports
    Top entries for 'Group':
    ------------------------------------------------
    syslog |53904 |
    local |53879 |
    attacks |10 |
    authentication_failures |10 |
    sshdauthentication_failed |8 |
    attack |6 |
    exploit_attempt |6 |
    web_scan |6 |
    invalid_login |3 |
    sshd |3 |
    apache |2 |
    errors |2 |
    invalid_request |2 |

  50. Reports
    Top entries for 'Location':
    ------------------------------------------------
    (a__.__.__.edu) 128.#.###.227->/v.. |12603 |
    (c__.__.__.edu) 128.#.###.153->/v.. |4525 |
    (k__.__.__.edu) 128.#.###.167->/va.. |4010 |
    (h__.__.__.edu) 128.#.##.61->/var/lo.. |3055 |
    (ti__.__.__.edu) 128.#.###.11->/var/l.. |3032 |
    (te_.__.__.edu) 128.#.###.141->/var/l.. |2966 |
    (tu__.__.__.edu) 128.#.##.141->/var/l.. |2960 |
    (r__.__.__.edu) 128.#.##.182->/var/.. |2676 |
    (g__.__.__.edu) 128.#.###.170->/.. |2674 |
    (t__.__.__.edu) 128.#.###.38->/var/.. |2420 |
    (p__.__.__.edu) 128.#.###.91->/va.. |2357 |

  51. Reports
    Top entries for 'Rule':
    ------------------------------------------------
    102130 - Ignore multiple PAM SSH failures. |37646
    104700 - Multiple 5716 SSH authentication fa.. |10481
    101095 - No email for SSH brute force |5360
    104230 - Possible Drupal brute force attack .. |382
    106050 - Multiple authentication failures. .. |10
    106010 - SSHD brute force trying to get acce.. |8
    104290 - BID 34236 PHPMyAdmin vulnerability. |6
    104260 - Drupal access denied to admin screen. |4
    5719 - Multiple access attempts using a deni.. |3
    1003 - Non standard syslog message (size too.. |2
    106030 - Multiple SSHD authentication failur.. |2
    30116 - Multiple Invalid URI requests from s.. |2

  52. Reports
    ossec.conf

    authentication_success
    srcip
    OSSEC Report: Successful Auths
    sec@example.edu

  53. Reports
    Top entries for 'Source ip':
    ------------------------------------------------
    128.##.###.75 |860
    10.0.0.77 |662
    10.0.0.31 |368
    128.##.###.28 |288
    128.##.###.132 |48
    84.111.25.127 |15
    50.191.10.89 |11
    73.141.163.82 |11
    98.115.235.181 |11
    192.249.6.188 |10
    73.154.193.145 |10
    66.250.143.158 |5

  54. Reports
    Top entries for 'Username':
    ------------------------------------------------
    aaoot |1230
    aaag |518
    aaamon |384
    aaagios |48
    bbbmon |48
    bbblwiss |20
    bbbappe |15
    bbbaron |11
    bbbele |11
    bbbster |11
    bbbidz |5

  55. Reports
    Top entries for 'Group':
    ------------------------------------------------
    authentication_success |3671
    syslog |3671
    sshd |2337
    pam |1334

  56. Reports
    Top entries for 'Location':
    ------------------------------------------------
    (host1.example.edu) 128.##.##.###->/va |1010
    (host7.example.edu) 128.##.##.##->/va.. |581
    (host3.example.edu) 128.##.###.##->/var/log/.. |386
    (host5.example.edu) 128.##.###.##->/var/log/.. |336

  57. Reports
    Top entries for 'Rule':
    ------------------------------------------------
    5715 - SSHD authentication success. |2337
    5501 - Login session opened. |1334

  58. Reports
    Related entries for 'Username':
    ------------------------------------------------
    toor |1230 |
    srcip: '192.168.1.11'
    srcip: '192.168.2.21'
    aag |518 |
    srcip: '10.0.0.77'
    aaamon |384 |
    srcip: '128.##.###.###'
    srcip: '10.0.0.77'

  59. Reports
    cat alerts.log | \
    /var/ossec/bin/ossec-reportd -f group attack \
    -r rule srcip -r srcip rule

  60. Reports
    Top entries for 'Rule':
    ------------------------------------------------
    104570 - Common web attack. Attempt to do di.. |70
    104560 - SQL injection attempt. |17
    106050 - Multiple authentication failures. .. |6
    31104 - Common web attack. |6
    31511 - Blacklisted user agent (wget). |3
    104580 - XSS (Cross Site Scripting) attempt. |2
    106040 - Quiet rule 40111 to implement new r.. |2
    31106 - A web attack returned code 200 (succ.. |2
    592 - Log file size reduced. |2

  61. Reports
    123.125.71.26 |1
    rule: '104570'
    123.125.71.88 |1
    rule: '104570'
    180.76.15.151 |1
    rule: '104570'
    207.46.13.25 |6
    rule: '31104'
    rule: '104570'
    rule: '104560'

  62. Reports
    Related entries for 'Rule':
    ------------------------------------------------
    104570 - Common web attack. Attempt to do di.. |70
    srcip: '68.180.228.162'
    srcip: '37.57.231.111'
    srcip: '220.181.108.82'
    srcip: '217.73.208.147'

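
The filter, "Top entries" and `-r` related-entry logic that ossec-reportd applies in the runs on slides 43 to 62, re-implemented here as an added example (not the deck's code and not OSSEC's) so the alerts.log layout and the meaning of each report column are explicit: `-f level 10` is a minimum, `-f group attack` is group membership, `-f srcip X` is an exact match, and `-r rule srcip` lists every srcip seen under each rule. The alert records below are constructed samples in alerts.log layout, not alerts from the deck.

```python
"""ossec-reportd-style filter / top / related over alerts.log (added example, not OSSEC code)."""
import re
from collections import Counter, defaultdict

# alerts.log layout: header line, origin line, Rule line, optional Src IP and User
# lines, then the raw log line(s); consecutive alerts are separated by a blank line.
HEADER = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+):\s*(?:mail\s+)?-\s*(?P<groups>\S+)")
ORIGIN = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} (?:\((?P<agent>[^)]*)\) )?(?P<host>\S+)->(?P<location>\S+)")
RULE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<description>.*)'$")


def parse_alerts(text):
    """Turn alerts.log text into a list of dicts; blocks without a header are skipped."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER.match(lines[0])
        if head is None:
            continue
        a = {"groups": set(g for g in head.group("groups").split(",") if g), "rule": None,
             "level": 0, "description": "", "srcip": None, "user": None, "agent": None, "location": None}
        for line in lines[1:]:
            rule, origin = RULE.match(line), ORIGIN.match(line)
            if rule:
                a["rule"], a["level"], a["description"] = rule.group("rule"), int(rule.group("level")), rule.group("description")
            elif origin:
                a["agent"], a["location"] = origin.group("agent") or origin.group("host"), origin.group("location")
            elif line.startswith("Src IP: "):
                a["srcip"] = line[len("Src IP: "):].strip()
            elif line.startswith("User: "):
                a["user"] = line[len("User: "):].strip()
        alerts.append(a)
    return alerts


def filter_alerts(alerts, field, value):
    """-f field value: level is a minimum, group is membership, anything else an exact match."""
    if field == "level":
        return [a for a in alerts if a["level"] >= int(value)]
    if field == "group":
        return [a for a in alerts if value in a["groups"]]
    return [a for a in alerts if a.get(field) == value]


def top_entries(alerts, field):
    """'Top entries for <field>': (value, count) pairs, most frequent first, ties by value."""
    if field == "group":
        counts = Counter(g for a in alerts for g in a["groups"])
    else:
        counts = Counter(a[field] for a in alerts if a.get(field) is not None)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def related_entries(alerts, field, related):
    """-r field related: for each value of `field`, how often each value of `related` occurred with it."""
    out = defaultdict(Counter)
    for a in alerts:
        if a.get(field) is not None and a.get(related) is not None:
            out[a[field]][a[related]] += 1
    return {k: dict(v) for k, v in out.items()}


# Constructed sample in alerts.log layout (four alerts; not taken from the deck).
SAMPLE_LOG = """\
** Alert 1454824806.1000: - syslog,sshd,authentication_failed,
2016 Feb 07 00:00:06 (host1.example.edu) 10.0.0.77->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.9
User: root
Feb  7 00:00:06 host1 sshd[4242]: Failed password for root from 203.0.113.9 port 40000 ssh2

** Alert 1454824816.1002: - syslog,sshd,invalid_login,authentication_failed,
2016 Feb 07 00:00:16 (host1.example.edu) 10.0.0.77->/var/log/secure
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Src IP: 203.0.113.9
User: admin
Feb  7 00:00:16 host1 sshd[4244]: Failed password for invalid user admin from 203.0.113.9 port 40002 ssh2

** Alert 1454824821.1003: mail  - syslog,sshd,authentication_failures,
2016 Feb 07 00:00:21 (host1.example.edu) 10.0.0.77->/var/log/secure
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 203.0.113.9
User: root
Feb  7 00:00:21 host1 sshd[4245]: Failed password for root from 203.0.113.9 port 40003 ssh2

** Alert 1454824830.1004: - web,accesslog,attack,
2016 Feb 07 00:00:30 (host3.example.edu) 10.0.0.31->/var/log/httpd/access_log
Rule: 31104 (level 6) -> 'Common web attack.'
Src IP: 198.51.100.7
198.51.100.7 - - [07/Feb/2016:00:00:30 -0500] "GET /index.php?id=1%20UNION%20SELECT HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LOG)
    print("Top entries for 'Source ip' (-f level 10):", top_entries(filter_alerts(alerts, "level", "10"), "srcip"))
    print("Related entries for 'Rule' (-f group attack -r rule srcip):",
          related_entries(filter_alerts(alerts, "group", "attack"), "rule", "srcip"))
```

The same two calls at the bottom correspond to `ossec-reportd -f level 10` and `ossec-reportd -f group attack -r rule srcip` from the slides; swapping the field names reproduces the other report tables (`top_entries(alerts, "user")` for 'Username', `top_entries(alerts, "location")` for 'Location', and so on). Because `level` is a floor, the level-10 report on the slides also counts the level-11 and level-13 alerts, which is why 'Top entries for Level' lists three severities.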
  63. Data (attack counts)
    Date, Count
    12/18/15, 13
    12/19/15, 23
    12/20/15, 11
    12/21/15, 22
    12/22/15, 14
    12/23/15, 8
    12/24/15, 11
    12/25/15, 205
    12/26/15, 18
    12/27/15, 6
    12/28/15, 7
    12/29/15, 14
    12/30/15, 18
    12/31/15, 10

  64. Graphs

  65. Graphs

  66. Graphs

  67. Future Work
    Add/refine alerts
    Policies
    Interesting reports
    Visualizations

  68. Thank you!
