Slide 1

Putting Host-based Intrusion Detection Into Practice Using OSSEC
Clay Wells (clayw at upenn.edu)
School of Arts and Sciences

Slide 2

“By 2020, 75% of enterprises' information security budgets will be allocated for rapid detection and response approaches, up from less than 10% in 2012.” - Gartner, Inc.

Slide 3

OSSEC Agenda
Introduction
Rules
Email Alerts
Active Response
OSSEC Commands
Reports
Graphs
Future Work

Slide 4

OSSEC-HIDS
Open Source Security Host-based Intrusion Detection System

Slide 5

Insights w/o OSSEC

Slide 6

Insights w/o OSSEC
https://en.wikipedia.org/wiki/Schr%C3%B6dinger's_cat

Slide 7

Insights with OSSEC

Slide 8

What OSSEC Can Do
integrating log analysis*
file integrity checking
Windows registry monitoring
centralized policy enforcement
rootkit detection
real-time alerting*
active response*
powerful correlation & analysis engine*

Slide 9

Multi-platform
Linux
OpenBSD
FreeBSD
MacOS
Solaris
Windows

Slide 10

Code & Documentation
https://github.com/ossec/ossec-hids
http://ossec.github.io/docs/

Slide 11

Architecture
http://ossec.github.io/docs/manual/ossec-architecture.html

Slide 12

Rules/Alerts
apache_rules.xml
local_rules.xml*
msauth_rules.xml
mysql_rules.xml
nginx_rules.xml
sshd_rules.xml
syslog_rules.xml
wordpress_rules.xml

Slide 13

Rules
Atomic – single events, no correlation
  5700  fatal: Timeout before authentication for
        Timeout while logging in (sshd).
Composite – multiple events
  5710  SSHD brute force trying to get access to the system.
        authentication_failures,

Slide 14

Rule Levels
00 - Ignored
01 - None
02 - System low priority notification
03 - Successful/Authorized events
04 - System low priority error
05 - User generated error
06 - Low relevance attack

Slide 15

Rule Levels
07 - “Bad word” matching
08 - First time seen
09 - Error from invalid source
10 - Multiple user generated errors
11 - Integrity checking warning
12 - High importance event
13 - Unusual error (high importance)
14 - High importance security event
15 - Severe attack

Slide 16

Rule Groups
authentication_success*
authentication_failed
attack*
exploit_attempt*
windows
syslog
adduser

Slide 17

Custom Rules
101000  Known errors (to quiet alerts)
102000  False positives
103000  Quiet SQL injection false positives
104000  Custom alerts
105000  Reclassification of unknown alerts
106000  Reclassification of existing rules

Slide 18

Custom Rules
31106, 103006
attack, exploit_attempt, web_scan
scripts/setup.php
BID 34236 PHPMyAdmin vulnerability.

Slide 19

Custom Rules
103006
^128.91.|^130.91.|^165.123.|^158.130.
Possible web attack from a Penn IP address
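As an added example (not a file from the deck), the following local_rules.xml fragment puts slides 13 and 17-19 together: an atomic rule, a composite rule built on it with frequency/timeframe, a no-e-mail override in the 101000 range, a child of stock rule 31106 for the PHPMyAdmin path, and a rule scoped to the Penn address ranges. Rule IDs 104001 and 104002, every level, and the frequency/timeframe values are constructed; 5700 and 31106 are stock OSSEC IDs, and the 101xxx/103xxx/104xxx numbers follow the numbering scheme on slide 17. The deck writes the Penn check as a pattern (^128.91.|^130.91.|...); OSSEC's <srcip> rule element takes addresses or CIDR netblocks, so the example expresses the same scope as /16 entries, which is an assumption about the intended ranges.

```xml
<!-- Added example local_rules.xml fragment. IDs 104001/104002, levels and
     frequency/timeframe values are constructed for illustration. -->
<group name="local,syslog,">

  <!-- Atomic rule: fires on a single sshd line, no correlation.
       5700 is OSSEC's stock "sshd messages grouped" parent rule. -->
  <rule id="104001" level="5">
    <if_sid>5700</if_sid>
    <match>Timeout before authentication for</match>
    <description>Timeout while logging in (sshd).</description>
  </rule>

  <!-- Composite rule: 8 occurrences of 104001 from one source address
       within 120 seconds. The group is what reports filter on later. -->
  <rule id="104002" level="10" frequency="8" timeframe="120">
    <if_matched_sid>104001</if_matched_sid>
    <same_source_ip />
    <description>Repeated sshd login timeouts from the same source.</description>
    <group>authentication_failures,</group>
  </rule>

  <!-- 101000 range, "known errors": keep the alert in alerts.log and reports
       but stop it being e-mailed. The body of 101095 is assumed; only the ID
       and description appear in the deck (slide 51). -->
  <rule id="101095" level="10">
    <if_sid>104002</if_sid>
    <options>no_email_alert</options>
    <description>No email for SSH brute force</description>
  </rule>

  <!-- 104000 range, custom alert: a web attack that returned HTTP 200
       (stock rule 31106) against a known-vulnerable path is reclassified
       with its own groups so it can be filtered and bound to a response. -->
  <rule id="104290" level="12">
    <if_sid>31106</if_sid>
    <url>scripts/setup.php</url>
    <description>BID 34236 PHPMyAdmin vulnerability.</description>
    <group>attack,exploit_attempt,web_scan,</group>
  </rule>

  <!-- 103000 range: same parent, but only for campus source addresses.
       /16 netblocks are an assumption standing in for the deck's
       ^128.91.|^130.91.|^165.123.|^158.130. pattern. -->
  <rule id="103006" level="8">
    <if_sid>31106</if_sid>
    <srcip>128.91.0.0/16</srcip>
    <srcip>130.91.0.0/16</srcip>
    <srcip>165.123.0.0/16</srcip>
    <srcip>158.130.0.0/16</srcip>
    <description>Possible web attack from a Penn IP address</description>
  </rule>

</group>
```

Parent rules must be loaded before the children that reference them with if_sid, so local_rules.xml has to stay last in the <rules> list of ossec.conf; after editing, run bin/ossec-logtest against a sample line to confirm which rule wins before restarting the server.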

Slide 20

Decoders (complex)
sshd
^reverse mapping checking
^\w+ for \S+ [(\S+)] |^\w+ for (\S+)
srcip

Slide 21

Decoders (simple)
^MySQL log:
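The two decoder shapes from slides 20 and 21, written out as a local_decoder.xml fragment. This is an added example rather than the deck's file, although both decoders exist in OSSEC's stock decoder.xml in essentially this form. The sample log lines in the comments are constructed; offset="after_prematch" is OSSEC syntax that starts the regex where the prematch stopped, which the anchored ^ in the regex depends on.

```xml
<!-- Added example local_decoder.xml fragment; sample lines are constructed. -->

<!-- Simple decoder: the prematch alone tags the log source. Nothing is
     extracted, so rules on it can only <match> or <regex> the message text.
     Sample line:
       MySQL log: 160207 20:15:05 [Warning] Access denied for user 'web'@'10.0.0.4' -->
<decoder name="mysql_log">
  <prematch>^MySQL log: </prematch>
</decoder>

<!-- Complex decoder: a child of the stock "sshd" decoder, which matches on
     the syslog program name. Two alternatives, each with one capture group;
     <order> names the field the capture lands in, so rules can use
     <srcip> and <same_source_ip> against it.
     Sample line:
       sshd[2104]: reverse mapping checking getaddrinfo for
       host.example.net [10.0.0.4] failed - POSSIBLE BREAK-IN ATTEMPT!
     After the prematch, "getaddrinfo for host.example.net [10.0.0.4] "
     matches the first alternative and srcip becomes 10.0.0.4. -->
<decoder name="sshd-reverse-mapping">
  <parent>sshd</parent>
  <prematch>^reverse mapping checking </prematch>
  <regex offset="after_prematch">^\w+ for \S+ [(\S+)] |^\w+ for (\S+) </regex>
  <order>srcip</order>
</decoder>
```

bin/ossec-logtest prints the decoder that matched and each extracted field, which is the quickest way to confirm srcip is populated before any composite rule or active response relies on it.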

Slide 22

Output & Alert Options
Sending alerts via syslog
Sending alerts via E-Mail*
Storing alerts as JSON
Sending output to a Database*
Daily E-Mail Reports*
Sending alerts to picviz
Sending output to prelude

Slide 23

Email Alerts
Single notification address
Granular notifications to any number of addresses
Daily reports

Slide 24

Email Alerts
yes
infosec@example.edu
smtp.example.edu
ossec@example.edu
192.168.1.7
1
...

Slide 25

Email Alerts
ossec-notices@example.edu   7
ossec-high@example.edu     11

Slide 26

Email Alerts
sysadm@example.edu   host1.sas
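The three e-mail slides as one ossec.conf fragment (an added example, not the deck's configuration). email_notification, email_to, smtp_server and email_from map directly onto the values on slide 24; reading 192.168.1.7 as a white_list entry and the trailing 1 as log_alert_level is an assumption, as is the global email_alert_level of 7. Slides 25 and 26 are the granular <email_alerts> blocks, which route by minimum level or by reporting host.

```xml
<!-- Added example ossec.conf fragment for e-mail alerting.
     white_list / log_alert_level / email_alert_level are assumptions. -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>infosec@example.edu</email_to>
    <smtp_server>smtp.example.edu</smtp_server>
    <email_from>ossec@example.edu</email_from>
    <!-- assumption: addresses never blocked by active response -->
    <white_list>192.168.1.7</white_list>
  </global>

  <alerts>
    <!-- assumption: everything from level 1 up is logged, level 7 and up
         goes to the global email_to address -->
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <!-- Granular routing (slide 25): <level> is a minimum, so ossec-high
       receives a subset of what ossec-notices receives. -->
  <email_alerts>
    <email_to>ossec-notices@example.edu</email_to>
    <level>7</level>
  </email_alerts>
  <email_alerts>
    <email_to>ossec-high@example.edu</email_to>
    <level>11</level>
  </email_alerts>

  <!-- Per-host routing (slide 26): event_location matches the agent name
       or log location, so one team sees only its own machines. -->
  <email_alerts>
    <email_to>sysadm@example.edu</email_to>
    <event_location>host1.sas</event_location>
  </email_alerts>
</ossec_config>
```

Rules carrying <options>no_email_alert</options> stay out of all of these mailings while remaining in alerts.log and in the daily reports, which is how the "known errors" range on slide 17 keeps the inbox usable.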

Slide 27

Monitor Files
syslog    /var/log/secure
apache    /var/log/httpd/access_log
command   df -h
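The three monitored sources from this slide as <localfile> entries (added example, not the deck's ossec.conf). log_format tells the analysis engine which decoders to try first; the command form feeds the output of a program into the same pipeline as a log line, so file-system capacity can be alerted on like any other event. The <frequency> value is an assumption.

```xml
<!-- Added example ossec.conf fragment; <frequency> is an assumption. -->
<ossec_config>
  <!-- Standard syslog-format file; sshd/pam/sudo decoders apply. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <!-- Apache access log; the web rules (31100 range, e.g. 31106) apply. -->
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/access_log</location>
  </localfile>

  <!-- Command output: ossec-logcollector runs df -h every <frequency>
       seconds and submits each output line as "ossec: output: 'df -h': ...".
       The stock ossec_rules.xml has rules that match this output
       (a partition reaching 100%, for example). -->
  <localfile>
    <log_format>command</log_format>
    <command>df -h</command>
    <frequency>360</frequency>
  </localfile>
</ossec_config>
```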

Slide 28

Active Response
Trigger a script on an agent/server
Specific alerts, alert levels, or rule groups
Attack, policy violation

Slide 29

Active Response
Firewall block/drop
Quarantine
Traffic shaping/throttling
Account lockout

Slide 30

Active Response
disable-account.sh
host-deny.sh
route-null.sh
firewall-drop.sh
ipfw_mac.sh
ipfw.sh
pf.sh

Slide 31

Active Response
Part 1 – command
Part 2 – bind command to rule(s)

Slide 32

Active Response Part 1
drupalban
drupalban.sh
srcip
yes

Slide 33

Active Response Part 2
drupalban
server
104590,104543,104542,104572,104620
14400
93600,180000
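Slides 31-33 as a single ossec.conf fragment, an added example that reproduces the deck's two-part structure rather than the deck's own file. Part 1 declares the command and the alert field it expects; Part 2 binds it to the listed rule IDs and says where it runs. The values are the deck's; the comments on units (timeout in seconds, repeated_offenders in minutes) and on the add/delete calling convention describe OSSEC's documented behaviour.

```xml
<!-- Added example ossec.conf fragment for the drupalban active response. -->
<ossec_config>
  <!-- Part 1: the command. The executable lives in
       /var/ossec/active-response/bin/ on the host where it runs and is
       invoked as: drupalban.sh add|delete <user> <srcip>. <expect> names
       the alert field passed in, so only alerts with a decoded srcip
       can trigger it. timeout_allowed lets OSSEC call it again with
       "delete" when the timeout expires. -->
  <command>
    <name>drupalban</name>
    <executable>drupalban.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Part 2: the binding. location=server runs the script on the OSSEC
       server (other values: local, defined-agent, all). rules_id is the
       trigger list; <level> or <rules_group> could be used instead.
       timeout is in seconds (14400 = 4 h); repeated_offenders is a list
       of escalating timeouts in minutes applied to sources that trigger
       the response again. -->
  <active-response>
    <command>drupalban</command>
    <location>server</location>
    <rules_id>104590,104543,104542,104572,104620</rules_id>
    <timeout>14400</timeout>
    <repeated_offenders>93600,180000</repeated_offenders>
  </active-response>
</ossec_config>
```

Two checks worth doing before enabling a blocking response: add the management network and the OSSEC server itself to <white_list> in <global> so a spoofed or mis-decoded srcip cannot lock you out, and run the script by hand with both add and delete to confirm the block is reversible. bin/agent_control -L lists the responses the server knows about, and -b with -f runs one on demand.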

Slide 34

Commands
agent_control
rootcheck_control
syscheck_control

Slide 35

agent_control
# bin/agent_control -h
agent_control: Control remote agents.
Available options:
  -l      List available (active or not) agents.
  -lc     List active agents.
  -i      Extracts information from an agent.
  -R      Restarts agent.
  -r -a   Runs the integrity/rootkit checking on all agents now.
  -r -u   Runs the integrity/rootkit checking on one agent now.
  -b      Blocks the specified ip address.
  -f      Used with -b, specifies which response to run.
  -L      List available active responses.
  -s      Changes the output to CSV (comma delimited).

Slide 36

agent_control
# bin/agent_control -l
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: info_.___.___.edu (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: v__.___.___.edu, IP: 128.###.###.142, Active
   ID: 004, Name: s__.___.___.edu, IP: 128.###.###.66, Disconnected

Slide 37

agent_control
# bin/agent_control -i 002
OSSEC HIDS agent_control. Agent information:
   Agent ID:   002
   Agent Name: v__.___.___.edu
   IP address: 128.###.###.142
   Status:     Active
   Operating system:    Linux v_.__.__.edu 2.6.18-400.1.1.el5 #1 SMP ..
   Client version:      OSSEC HIDS v2.7
   Last keep alive:     Sun Feb 7 20:15:05 2016
   Syscheck last started at:  Sun Feb 7 00:31:07 2016
   Rootcheck last started at: Sun Feb 7 00:46:24 2016

Slide 38

rootcheck_control
# bin/rootcheck_control -h
rootcheck_control: Manages the policy and auditing database.
  -i   Prints database for the agent.
  -r   Used with -i, prints all the resolved issues.
  -q   Used with -i, prints all the outstanding issues.
  -L   Used with -i, prints the last scan.
  -s   Changes the output to CSV (comma delimited).

Slide 39

rootcheck_control
# bin/rootcheck_control -i 002
Policy and auditing events for agent 'v__.__.___.edu (002) - 128.###.###.142':

Resolved events:

2013 Jun 27 00:45:12 (first time detected: 2013 May 28 14:50:04)
System Audit: System Audit: CIS - Testing against the CIS Red Hat Enterprise Linux 5 Benchmark v1.1. File: /etc/redhat-release. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL5 .

2013 Jun 27 00:45:12 (first time detected: 2013 May 28 14:50:04)
System Audit: System Audit: CIS - RHEL5 4.4 - GUI login enabled. File: /etc/inittab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL5 .

Slide 40

syscheck_control
# bin/syscheck_control -h
syscheck_control: Manages the integrity checking database.
  -i      List modified files for the agent.
  -r -i   List modified registry entries for the agent (Windows only).
  -f      Prints information about a modified file.
  -s      Changes the output to CSV (comma delimited).

Slide 41

syscheck_control
# bin/syscheck_control -i 002

Changes for 2015 Nov 13:
2015 Nov 13 22:52:58,2 - /etc/passwd
2015 Nov 13 22:53:04,2 - /etc/ld.so.cache
2015 Nov 13 22:58:08,2 - /etc/shadow
2015 Nov 13 22:58:12,2 - /etc/group
2015 Nov 13 22:58:22,2 - /etc/gshadow

Changes for 2015 Nov 14:
2015 Nov 14 22:56:11,0 - /usr/bin/curve_keygen
2015 Nov 14 22:57:09,0 - /usr/bin/python26
2015 Nov 14 22:57:09,0 - /usr/bin/python2.6

Slide 42

syscheck_control
# bin/syscheck_control -i 002 -f /etc/passwd
2015 Oct 08 10:14:14,0 - /etc/passwd
File changed. - 1st time modified.
Integrity checking values:
   Size: >21002
   Perm: rw-r--r--
   Uid:  0
   Gid:  0
   Md5:  >b01d0b11dcf30bc28b07ec3ec3ece040
   Sha1: >47b5081e34481119dd8dadf963cf5056576ac17d

Slide 43

Reports
# bin/ossec-reportd -h
ossec-reportd: Generate reports (via stdin).
Available options:
  -f   Filter the results.
  -r   Show related entries.
  -n   Creates a description for the report.
  -s   Show the alert dump.
Filters allowed: group, rule, level, location, user, srcip, filename
Examples:
  -f group authentication_success (to filter on login success).
  -f level 10 (to filter on level >= 10).
  -f group authentication -r user srcip (to show the srcip for all users).

Slide 44

Reports
# cat logs/alerts/alerts.log | bin/ossec-reportd -f level 10

Slide 45

Reports
# cat logs/alerts/alerts.log | bin/ossec-reportd -f level 10
2016/02/07 20:59:26 ossec-reportd: INFO: Started (pid: 3547).
2016/02/07 20:59:36 ossec-reportd: INFO: Report completed. Creating output...

Report completed. ==
------------------------------------------------
->Processed alerts: 654760
->Post-filtering alerts: 53906
->First alert: 2016 Feb 07 00:00:06
->Last alert: 2016 Feb 07 20:59:26

Slide 46

Reports
Top entries for 'Source ip':
------------------------------------------------
183.3.202.106    |12051 |
121.150.206.215  |2084  |
190.216.146.145  |807   |
192.221.93.27    |336   |
115.28.133.234   |154   |
185.87.121.69    |111   |
222.186.34.225   |47    |
222.186.56.46    |47    |
10.0.0.4         |45    |
58.218.211.198   |37    |
222.186.56.42    |36    |
222.186.21.119   |25    |
222.186.34.74    |25    |
222.186.56.120   |19    |
222.186.56.75    |19    |

Slide 47

Reports
Top entries for 'Username':
------------------------------------------------
root      |14797 |
mysql     |23    |
apache    |8     |
oracle    |7     |
sshd      |3     |
nagios    |2     |
nobody    |2     |
postgres  |2     |
ftp       |1     |
squid     |1     |
tom       |1     |
tomcat    |1     |

Slide 48

Reports
Top entries for 'Level':
------------------------------------------------
Severity 10  |53522 |
Severity 11  |382   |
Severity 13  |2     |

Slide 49

Reports
Top entries for 'Group':
------------------------------------------------
syslog                     |53904 |
local                      |53879 |
attacks                    |10    |
authentication_failures    |10    |
sshdauthentication_failed  |8     |
attack                     |6     |
exploit_attempt            |6     |
web_scan                   |6     |
invalid_login              |3     |
sshd                       |3     |
apache                     |2     |
errors                     |2     |
invalid_request            |2     |

Slide 50

Reports
Top entries for 'Location':
------------------------------------------------
(a__.__.__.edu) 128.#.###.227->/v..        |12603 |
(c__.__.__.edu) 128.#.###.153->/v..        |4525  |
(k__.__.__.edu) 128.#.###.167->/va..       |4010  |
(h__.__.__.edu) 128.#.##.61->/var/lo..     |3055  |
(ti__.__.__.edu) 128.#.###.11->/var/l..    |3032  |
(te_.__.__.edu) 128.#.###.141->/var/l..    |2966  |
(tu__.__.__.edu) 128.#.##.141->/var/l..    |2960  |
(r__.__.__.edu) 128.#.##.182->/var/..      |2676  |
(g__.__.__.edu) 128.#.###.170->/..         |2674  |
(t__.__.__.edu) 128.#.###.38->/var/..      |2420  |
(p__.__.__.edu) 128.#.###.91->/va..        |2357  |

Slide 51

Reports
Top entries for 'Rule':
------------------------------------------------
102130 - Ignore multiple PAM SSH failures.       |37646
104700 - Multiple 5716 SSH authentication fa..   |10481
101095 - No email for SSH brute force            |5360
104230 - Possible Drupal brute force attack ..   |382
106050 - Multiple authentication failures. ..    |10
106010 - SSHD brute force trying to get acce..   |8
104290 - BID 34236 PHPMyAdmin vulnerability.     |6
104260 - Drupal access denied to admin screen.   |4
5719 - Multiple access attempts using a deni..   |3
1003 - Non standard syslog message (size too..   |2
106030 - Multiple SSHD authentication failur..   |2
30116 - Multiple Invalid URI requests from s..   |2

Slide 52

Reports
ossec.conf
authentication_success
srcip
OSSEC Report: Successful Auths
sec@example.edu
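The daily report on this slide as a <reports> block (added example, not the deck's ossec.conf). ossec-reportd builds it from the day's alerts.log and mails it; <group> is the filter, and the "srcip" on the slide is the related field that produces the "Related entries for 'Username'" section seen on slide 58, the equivalent of -r user srcip on the command line. Expressing that relation as <user type="relation">srcip</user> is an assumption about the exact configuration syntax.

```xml
<!-- Added example ossec.conf fragment for a daily e-mailed report.
     The type="relation" form is an assumption about the exact syntax. -->
<ossec_config>
  <reports>
    <!-- filter: same keys as ossec-reportd -f (group, rule, level,
         location, srcip, user) -->
    <group>authentication_success</group>
    <!-- related field: for every username, list the source addresses it
         logged in from (the -r user srcip form on slide 59) -->
    <user type="relation">srcip</user>
    <title>OSSEC Report: Successful Auths</title>
    <email_to>sec@example.edu</email_to>
  </reports>
</ossec_config>
```

A report on successful logins is a review artefact rather than an alert: a username appearing from a source address it has never used before (compare slide 58) is the kind of thing that is worth a look even when no rule fired.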

Slide 53

Reports
Top entries for 'Source ip':
------------------------------------------------
128.##.###.75    |860
10.0.0.77        |662
10.0.0.31        |368
128.##.###.28    |288
128.##.###.132   |48
84.111.25.127    |15
50.191.10.89     |11
73.141.163.82    |11
98.115.235.181   |11
192.249.6.188    |10
73.154.193.145   |10
66.250.143.158   |5

Slide 54

Reports
Top entries for 'Username':
------------------------------------------------
aaoot     |1230
aaag      |518
aaamon    |384
aaagios   |48
bbbmon    |48
bbblwiss  |20
bbbappe   |15
bbbaron   |11
bbbele    |11
bbbster   |11
bbbidz    |5

Slide 55

Reports
Top entries for 'Group':
------------------------------------------------
authentication_success  |3671
syslog                  |3671
sshd                    |2337
pam                     |1334

Slide 56

Reports
Top entries for 'Location':
------------------------------------------------
(host1.example.edu) 128.##.##.###->/va          |1010
(host7.example.edu) 128.##.##.##->/va..         |581
(host3.example.edu) 128.##.###.##->/var/log/..  |386
(host5.example.edu) 128.##.###.##->/var/log/..  |336

Slide 57

Reports
Top entries for 'Rule':
------------------------------------------------
5715 - SSHD authentication success.  |2337
5501 - Login session opened.         |1334

Slide 58

Reports
Related entries for 'Username':
------------------------------------------------
toor    |1230 |
        srcip: '192.168.1.11'
        srcip: '192.168.2.21'
aag     |518  |
        srcip: '10.0.0.77'
aaamon  |384  |
        srcip: '128.##.###.###'
        srcip: '10.0.0.77'

Slide 59

Reports
cat alerts.log | \
  /var/ossec/bin/ossec-reportd -f group attack \
  -r rule srcip -r srcip rule

Slide 60

Reports
Top entries for 'Rule':
------------------------------------------------
104570 - Common web attack. Attempt to do di..  |70
104560 - SQL injection attempt.                 |17
106050 - Multiple authentication failures. ..   |6
31104 - Common web attack.                      |6
31511 - Blacklisted user agent (wget).          |3
104580 - XSS (Cross Site Scripting) attempt.    |2
106040 - Quiet rule 40111 to implement new r..  |2
31106 - A web attack returned code 200 (succ..  |2
592 - Log file size reduced.                    |2

Slide 61

Reports
123.125.71.26   |1
        rule: '104570'
123.125.71.88   |1
        rule: '104570'
180.76.15.151   |1
        rule: '104570'
207.46.13.25    |6
        rule: '31104'
        rule: '104570'
        rule: '104560'

Slide 62

Reports
Related entries for 'Rule':
------------------------------------------------
104570 - Common web attack. Attempt to do di..  |70
        srcip: '68.180.228.162'
        srcip: '37.57.231.111'
        srcip: '220.181.108.82'
        srcip: '217.73.208.147'

Slide 63

Data (attack counts)
Date, Count
12/18/15, 13
12/19/15, 23
12/20/15, 11
12/21/15, 22
12/22/15, 14
12/23/15, 8
12/24/15, 11
12/25/15, 205
12/26/15, 18
12/27/15, 6
12/28/15, 7
12/29/15, 14
12/30/15, 18
12/31/15, 10

Slide 64

Graphs

Slide 65

Graphs

Slide 66

Graphs

Slide 67

Future Work
Add/refine alerts
Policies
Interesting reports
Visualizations

Slide 68

Thank you!