Host-­‐Based  Intrusion  Detec2on  and   Preven2on  System   

OSSEC   •  Host-­‐based  Intrusion  Detec2on  and  Preven2on   –  As  opposed  to  Network-­‐Based  Intrusion  Detec2on   –  Can  be  use  in  conjunc2on  with  NIDS     •  Mature,  open  source  (GPLv2)  offering     –  Ac2vely  developed,  well-­‐documented   –  Most  current  major  release    v2.7  (12/2012)   –  Developed  by  Trend  Micro,  commercial  support  available   •  Scalable,  modular,  and  highly  configurable   •  Home  Page:  hUp://www.ossec.net/   •  Runs  on  most  OSs:  Linux,  Unix,  Mac...even  Windows  ;-­‐)   

Why  do  I  need  an  IDS/IPS  ?   •  Most  sites  that  are  compromised  don’t  even   know  it  or  find  out  long  a]er  the  fact   •  Most  sites  will  experience  script  kiddie  and   some2mes  more  sophis2cated  aUack   •  The  aUackers  can  take  over  your  system  and  lock   you  out  of  it  and/or  secretly  replace  the  tools  you   use  to  administer  your  system  and  detect  issues   with  hacked  versions  that  conceal  the  malware   •  Serves  required  func2ons  for  compliance   

Indica2ons  that  you’re  under  aUack  or   have  been  hacked   AUack:   •  Failed  password  aUempts   •  Malformed  requests   •  Unexpected  errors  in  logs   •  Unexpected  flows  through  applica2on   •  Bad  referrers   Hacked:   •  Unexpected  interac2ve  logins   •  Files  created/changed/deleted  unexpectedly   •  New  processes,  interfaces,  services  listening   

Features   •  Mul2-­‐plaborm   •  Centralized  Management   •  Agent  and  Agent-­‐less  Monitoring   –  agent_control  tool  allows  you  to  query  and  get   informa2on  from  any  agent  you  have  configured  on   your  server  and  it  also  allows  you  to  restart  (run  now)   the  syscheck/rootcheck  scan  on  any  agent.   •  Can  be  installed  in  virtualiza2on  host,  guests   •  Real-­‐2me  aler2ng  +  web  console   –  Email,  SMS,  Console,  3rd  party  tools  like  sguil       

Features  Cont’d   •  Log  file  and  command  output  analysis   – OS,  Applica2on,  Firewalls,  Switches,  Routers,  etc..   – Look  for  things  like  bad  login  aUempts     – Unusual  requests,  usage  paUerns   – Supports  large  number  of  files/formats  (Apache,   MySQL,  Postgres,  na2ve  system  logs)   – Also  supports  analyzing  output  of  processes  (e.g.   netstat,  ifconfig,  …)   – Can  be  used  in  conjunc2on  with  WAFs,  DAFs   

Features  Cont’d   •  File  integrity  checking  and  enforcement   (syscheck)   –  Checksum  database   –  ino2fy  integra2on  for  real2me  monitoring  of   directories   –  Can  alert  on  new  file  crea2on   –  Can  configure  files/dirs  to  ignore   –  Built-­‐in  flood  preven2on  (default  3)   –  Use  with  OS  Audi2ng  to  see  who  changed  files   –  syscheck_control  provides  an  interface  for  managing   and  viewing  the  integrity  checking  database   

Features  cont’d   •  Ac2ve  response  (/var/ossec/ac2ve-­‐response)   – Associated  with  specific  rules   – Can  do  things  like:   •  Restore  Changed  Files   •  Firewall  drop,  null  route   •  Host  deny   •  Disable  account   – By  default  –  lockout  for  some  amount  of  2me   – Can  increase  lockout  2me  for  repeat  offenders   

Features  cont’d   •  Rootkit  detec2on      Checks  for:   – Hidden  processes  (not  shown  by  ps)   – Hidden  ports  (not  shown  by  netstat)   – Promiscuous  interfaces  (not  shown  by  ifconfig)   – Known  bad  files,  and  known  bad  signatures   – Suspicious  file  permissions,  hidden  directories,   etc.   – /dev  anomalies,  etc.     

Features  cont’d   •  Policy  monitoring   – Interac2ve  logins  aler2ng   – Audit:  CIS  and  VMWare  guidelines  compliance   – File  change/access     

Architecture   •  One  Manager     –  Centralizes  config  and  analysis   –  No  HA  for  Manager  by  default  but  some  have   implemented  using  shared  storage  (drbd,  etc.)   –  Manager  can  handle  large  #  of  agents   •  Mul2ple  Agents   –  Large  numbers  supported   –  Low  privileges  for  most  components,  chroot  jail   –  Can  send  alerts  on  their  own   –  If  config  changed  –  manager  no2fied   •  Support  Agent-­‐less  for  things  like  firewalls,  routers,   etc.     

Uses   •  Intrusion  Detec2on  and  Preven2on   –  Part  of  a  broader  arsenal  of  tools  for  “good  guys”   –  Most  sites  that  are  compromised  never  even  know  it   or  don’t  know  for  some  2me   –  Ac2ve  Response  is  a  key  aspect   •  Compliance   –  Helps  meet  requirements  such  as  PCI,  HIPAA   –  For  PCI,  it  covers  the  sec2ons  of  file  integrity   monitoring  (PCI  11.5,  10.5),  log  inspec2on  and   monitoring  (sec2on  10)  and  policy  enforcement/ checking.     

Benefits   •  Rela2vely  easy  to  set  up  and  maintain   •  Free  (as  in  beer)   •  Highly  configurable  adaptable  to  your  applica2on   •  Will  help  you  know  you’ve  been  aUacked   •  Can  prevent  you  from  being  locked  out  of  your   own  system  and/or  restore  hacked  files/configs   •  Use  in  combina2on  with  Virtualiza2on,   Automated  deployment  systems  like  Chef/ Puppet   •  Real-­‐2me  aler2ng,  monitors  file  changes  using   ino2fy  –  some  systems  rely  just  on  periodic  scans   

Random  Notes   •  Supports  both  Atomic  and  Composite  Rules   (Event  Correla2on)     

Resources   •  Download:  hUp://www.ossec.net/?page_id=19   •  Web  UI:  hUp://www.ossec.net/files/ossec-­‐wui-­‐0.8-­‐alpha-­‐0.tar.gz   •  Install  Guide:   hUp://www.ossec.net/doc/manual/installa2on/index.html   •  Reference  Guide:          hUp://www.ossec.net/doc/   •  OSSEC  Google  Group:   hUps://groups.google.com/group/ossec-­‐list‎   •  OSSEC  Log  Analysis/Inspec2on  Architecture     hUp://ossec.net/ossec-­‐docs/auscert-­‐2007-­‐dcid.pdf   

Alterna2ves  and  Related  Items   Host-­‐based  IDSs   •  Samhain  hUp://www.la-­‐samhna.de/samhain/   Network-­‐based  IDSs     •  SNORT  hUp://www.snort.org/   •  BRO  hUp://www.bro.org/   •  Subricata  hUp://suricata-­‐ids.org/   Log  Analysis   •  Fail2Ban  hUp://www.fail2ban.org/   •  Logwatch  hUp://sourceforge.net/projects/logwatch   •  SSHGuard  hUp://www.sshguard.net/   

Alterna2ves  and  Related  Items   Ac2ve  Response  Tools   •  (D)Dos  Deflate  hUp://deflate.medialayer.com/   Logging   •  rsyslogd   •  logstash   •  kibana   •  fluentd     

WAFS  /  DAFS