Indicators of Compromised Behavior with OSSEC

The core of most security products nowadays relies on being able to identify and predict how an attacker will behave. This includes most antivirus systems, Intrusion Detection Systems (IDS), Web Application Firewalls (WAF) and log management tools. The companies behind these technologies invest heavily in research and spend countless resources, both in money and people, analyzing the latest malware trends, attack vectors and vulnerabilities.

It works well, but what if we could improve upon that? Think about it: we can never really predict, nor control, how an attacker will behave anyway, and we can never really know all the tools and techniques he has available. What if our security tools have a false negative and a zero-day slips by? How do you detect the compromise and act upon it?


Import WordPress Events to OSSEC

WordPress is very popular in the enterprise world, but a common issue that security administrators have is visibility into platform events. System administrators want to know what is happening inside WordPress and how those events can be incorporated into their log management and log-based intrusion detection plan.


OSSEC Integrates Slack and PagerDuty

One of the new features that we open sourced and pushed to OSSEC is an “integrator” daemon that we have been using internally to connect OSSEC to external APIs and alerting tools. The first two APIs we officially added were for Slack and PagerDuty.

To get started, you have to download OSSEC from our fork, either from the development branch or from our stable branch:

DNS and Content modified

If you visit you will notice a pretty new design and a new home for it. The server was officially moved to a Trend server and is now being managed by Vic Hargrave ( and the Trend team. If you notice anything wrong there (or broken links), please let Vic know and he will get it sorted out.

I also want to thank Marcus Maciel (from for hosting the server/site during all this time (almost 8 years).

Changing topics, this is the notification I got from sucuri a few minutes after the DNS was changed to point to the new location:

< has address
> has address


Faking (all) user agents

If you are going to fake a user agent, do it right 🙂 I am seeing some web scanners faking all possible browsers out there in one single request:

  • Firefox/3.6
  • Chrome/9
  • Firefox/3.0
  • Opera/9.99?
  • Safari
  • and more..

This is the actual log (searching for vulnerable oscommerce files):

- - [24/May/2012:13:50:50 +0000] "GET /admin/file_manager.php/login.php HTTP/1.1" 404 9152 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20101026 Firefox/3.6.12\",\"Mozilla/5.0 (Windows; U; Windows NT 5.1; pl-PL; rv: Gecko/20100228 K-Meleon/1.5.4\",\"Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/540.0 (KHTML,like Gecko) Chrome/ Safari/540.0\",\"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Comodo_Dragon/ Chrome/ Safari/532.5\",\"Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv: Gecko/2009122206 Firefox/3.0.16 Flock/2.5.6\",\"Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/533.1 (KHTML, like Gecko) Maxthon/ Safari/533.1\",\"Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv: Gecko/20070928 Firefox/ Navigator/9.0RC1\",\"Opera/9.99 (Windows NT 5.1; U; pl) Presto/9.9.9\",\"Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-HK) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5\",\"Seamonkey-1.1.13-1(X11; U; GNU Fedora fc 10) Gecko/20081112\",\"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 2.0.50727; SLCC2; .NET CLR

I wonder if it is a bug in their scanners or if they did it on purpose to bypass user agent restrictions.

OSSEC rule for the PHP-CGI vulnerability

I am seeing many scans for the PHP-CGI vulnerability in the wild and put up a quick OSSEC rule to detect/block those:

<rule id="31110" level="6">
  <!-- Parent rule and match pattern reconstructed from the description below:
       access-log events whose URL carries one of the php-cgi options. -->
  <if_sid>31100</if_sid>
  <url>\?-d|\?-s|\?-a|\?-b|\?-w</url>
  <description>PHP CGI-bin vulnerability attempt.</description>
</rule>

It looks for the possibly dangerous options (-d, -s, -a, -b and -w) in the request URL and alerts if it sees one of them. This is the alert it generates when detected:

** Alert 1336547515.182029: - web,accesslog,attack,
2012 May 09 03:11:55 (honeypot3) any->/var/log/httpd/access.log
Rule: 31110 (level 6) -> 'PHP CGI-bin vulnerability attempt.'
Src IP: - - [09/May/2012:07:11:55 +0000] "GET /index.php?-s HTTP/1.1" 200 39479 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0"

This rule is also in my repository and you can download the latest from here.
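As an added example, not code from this blog or from the OSSEC project, the following Python script reproduces both checks from the posts above over Apache combined-format access log lines: the rule 31110 match on the php-cgi options (-d, -s, -a, -b, -w), extended to also catch percent-encoded forms of the same options, and a check for the "all browsers in one request" user agents from the earlier post. The log lines, IP addresses (RFC 5737 documentation ranges) and function names are constructed for the example.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format. The User-Agent is the last quoted field and is
# matched greedily because a scanner may embed \" sequences inside it.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>.*)"$'
)

# Same pattern as the OSSEC rule's <url> match: a query string that starts with
# one of the php-cgi command-line options.
PHP_CGI_RE = re.compile(r'\?-[dsabw]')

# Browser families, used for reporting only: a genuine Chrome UA also contains
# "Safari", so the alert below does not key on how many families are present.
FAMILY_RE = re.compile(
    r'(Firefox|Chrome|Safari|Opera|MSIE|K-Meleon|Flock|Maxthon|Seamonkey)/?'
)


def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec['request'].split(' ')
    rec['method'] = parts[0]
    rec['url'] = parts[1] if len(parts) > 1 else ''
    return rec


def php_cgi_attempt(url):
    """True when the request URL carries a php-cgi option.

    Matching the decoded URL as well catches ?%2Ds and %3F-d variants. Like the
    OSSEC rule, this also fires on a harmless query such as ?-about, which is
    why it is a level-6 alert to review rather than an automatic block.
    """
    return bool(PHP_CGI_RE.search(url) or PHP_CGI_RE.search(unquote(url)))


def stacked_user_agents(agent):
    """True when one User-Agent header contains several complete UA strings.

    Every browser UA starts with exactly one "Mozilla/" or "Opera/" product
    token; more than one in a single header means several fake agents were
    glued together, as in the scanner log above.
    """
    return agent.count('Mozilla/') + agent.count('Opera/') > 1


def browser_families(agent):
    return sorted(set(FAMILY_RE.findall(agent)))


def analyze(lines):
    """Run both checks over access-log lines; one result per parsed line."""
    results = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        alerts = []
        if php_cgi_attempt(rec['url']):
            alerts.append('php_cgi_option')
        if stacked_user_agents(rec['agent']):
            alerts.append('stacked_user_agents')
        results.append({'host': rec['host'], 'url': rec['url'],
                        'families': browser_families(rec['agent']),
                        'alerts': alerts})
    return results


# Constructed sample lines modelled on the excerpts in the posts above.
SAMPLE_LINES = [
    r'192.0.2.10 - - [24/May/2012:13:50:50 +0000] "GET /admin/file_manager.php/login.php HTTP/1.1" 404 9152 "-" '
    r'"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\",\"'
    r'Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/540.0 (KHTML,like Gecko) Chrome/9.1.0.0 Safari/540.0\",\"'
    r'Opera/9.99 (Windows NT 5.1; U; pl) Presto/9.9.9"',
    r'198.51.100.7 - - [09/May/2012:07:11:55 +0000] "GET /index.php?-s HTTP/1.1" 200 39479 "-" '
    r'"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0"',
    r'198.51.100.7 - - [09/May/2012:07:12:03 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 39479 "-" "curl/7.19.7"',
    r'203.0.113.5 - - [09/May/2012:07:13:10 +0000] "GET /index.php?page=home HTTP/1.1" 200 4120 "-" '
    r'"Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7"',
]

if __name__ == '__main__':
    for r in analyze(SAMPLE_LINES):
        print(r['host'], r['url'], r['families'], r['alerts'] or 'clean')
```

The fourth sample line shows why the stacked-agent check counts product tokens rather than browser names: a single legitimate Chrome request advertises both Chrome and Safari and must stay clean.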

Database Logging (PostgreSQL and MySQL)

Nobody cares about database logging, but I really recommend enabling it to see what is happening behind the scenes (especially for web applications).

To enable on PostgreSQL (and be compatible with OSSEC):

# Adding the timestamp, hostname and database.
log_line_prefix = '[%m] %h:%d '

# Recommended settings:
log_connections = on
log_disconnections = on
log_duration = on

# Maybe a good idea to reduce the default log level to info:
client_min_messages = info
log_min_messages = info

# To enable query logging (all for everything or mod for inserts, updates, etc)
log_statement = 'all'
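As an added example (my own code, not from the post or from OSSEC), here is a parser for lines written with the log_line_prefix above, '[%m] %h:%d ', together with a small summary of what it yields: statements per client host and database, and every ERROR paired with the statement that caused it, which PostgreSQL writes on the STATEMENT line that follows the error. It handles the cases the prefix produces in practice: an empty %h and %d for background processes, "[local]" for Unix-socket sessions, colons inside an IPv6 %h, and tab-indented continuation lines of multi-line statements. The log lines are constructed for the example.

```python
import re
from collections import Counter

# A line produced with log_line_prefix = '[%m] %h:%d ': timestamp with
# milliseconds, remote host (empty for background processes, "[local]" for
# Unix-socket sessions, colons possible for IPv6), database name, then the
# severity and the message. The database name cannot contain ':' or blanks,
# which is what lets the non-greedy host group absorb IPv6 colons.
PG_LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<host>\S*?):(?P<db>[^:\s]*) '
    r'(?P<severity>[A-Z]+):\s+(?P<message>.*)$'
)


def parse_pg_line(line):
    """Parse one prefixed line; returns None for continuation lines."""
    m = PG_LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    msg = rec['message']
    # "statement: ..." comes from log_statement; "STATEMENT:  ..." is the
    # query behind the preceding ERROR. Keep the SQL of both separately.
    if rec['severity'] == 'LOG' and msg.startswith('statement: '):
        rec['sql'] = msg[len('statement: '):]
    elif rec['severity'] == 'STATEMENT':
        rec['sql'] = msg
    else:
        rec['sql'] = None
    return rec


def parse_pg_log(lines):
    """Parse a sequence of lines, folding continuation lines into the SQL
    of the record they belong to (continuations of non-SQL messages such as
    multi-line DETAIL are dropped here)."""
    records = []
    for line in lines:
        rec = parse_pg_line(line)
        if rec is None:
            if records and records[-1]['sql'] is not None:
                records[-1]['sql'] += '\n' + line.strip()
            continue
        records.append(rec)
    return records


def summarize(records):
    """Statements per (host, db) and each error with its offending statement."""
    statements = Counter()
    failed = []
    pending_error = None
    for rec in records:
        sev = rec['severity']
        if sev == 'LOG' and rec['sql'] is not None:
            statements[(rec['host'], rec['db'])] += 1
        if sev in ('ERROR', 'FATAL', 'PANIC'):
            pending_error = rec
        elif sev == 'STATEMENT' and pending_error is not None:
            # DETAIL/HINT lines may sit between the ERROR and its STATEMENT,
            # so the pending error is only cleared once the statement arrives.
            failed.append({'host': rec['host'], 'db': rec['db'],
                           'error': pending_error['message'], 'sql': rec['sql']})
            pending_error = None
    return {'statements': statements, 'failed': failed}


# Constructed sample log (documentation IP ranges), one web app session, one
# local admin session, one background process and one IPv6 client.
SAMPLE_PG_LOG = [
    "[2012-05-09 07:11:55.101 UTC] 192.0.2.10:webapp LOG:  connection authorized: user=app database=webapp",
    "[2012-05-09 07:11:55.130 UTC] 192.0.2.10:webapp LOG:  statement: SELECT id, name FROM users WHERE id = 5",
    "[2012-05-09 07:11:55.131 UTC] 192.0.2.10:webapp LOG:  duration: 0.412 ms",
    "[2012-05-09 07:11:55.140 UTC] 192.0.2.10:webapp ERROR:  syntax error at or near \"'\" at character 38",
    "[2012-05-09 07:11:55.140 UTC] 192.0.2.10:webapp STATEMENT:  SELECT id, name FROM users WHERE name = '''",
    "[2012-05-09 07:11:56.002 UTC] [local]:postgres LOG:  statement: SELECT 1",
    "[2012-05-09 07:12:00.001 UTC] : LOG:  checkpoint starting: time",
    "[2012-05-09 07:12:03.500 UTC] 2001:db8::1:webapp LOG:  statement: SELECT count(*)",
    "\tFROM users",
]

if __name__ == '__main__':
    summary = summarize(parse_pg_log(SAMPLE_PG_LOG))
    for session, n in summary['statements'].items():
        print(session, n)
    for f in summary['failed']:
        print('failed from', f['host'], ':', f['sql'], '->', f['error'])
```

A syntax error coming from the web application's own host, as in the sample, is the kind of event this logging makes visible: the application normally sends well-formed queries, so a malformed one usually means user input reached the statement unescaped.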


To enable the general query log on MySQL (the error log is on by default), you need to start MySQL with --log:

/bin/sh /usr/bin/mysqld_safe --log

The best option is to modify /etc/init.d/mysqld (if using CentOS) and add --log to the mysqld_safe invocation in there.

Nothing new, but I was searching for this information online and couldn’t find much info.

Alexa toolbar and https (not best friends)

For some reason (don’t ask me why), I decided to install the Alexa toolbar for Chrome to try it out. It works well for what it does, and I didn’t see anything wrong with it besides the expected privacy violation (tracking) of them sending all your traffic to their servers.

So every time you visit a site, a request is made to their servers to query the site rank:

192.168.1.X.44210 >
GET /data/ABCD?cli=10&ver=alxg-1.1.0&dat=ns&url=http%3A// HTTP/1.1
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.91…
Accept: */*

If you are using it, you expect those requests to be made (which are supposed to be anonymous), so not a problem.

However, I just noticed one big issue: they also do that for all your HTTPS traffic. So if you are visiting an https site (which would be encrypted on the wire), you are also leaking the sites you are visiting via their rank requests. So if I go to (https), an HTTP request is made at the same time:

192.168.1.X.47733 >
GET /data/ABCD?cli=10&ver=alxg-1.1.0&dat=ns&url=https%3A// HTTP/1.1
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.91…
Accept: */*

I actually thought their plugin (extension) would not work for HTTPS or would at least have a setting to disable it. This is especially bad because now you are leaking all your encrypted browsing (the sites you visit over HTTPS) to anyone who is watching the wire.

*I know, I know, if you are using that toolbar you probably don’t care about privacy, but it is something to keep in mind. A simple fix is to just remove it and move on.