November 2006

OSSEC snapshot available

Posted on November 18, 2006July 3, 2020 by Daniel Cid

It has been a while since the last time I released a stable snapshot of ossec. However, after lots of new features and code changes, it is the time to start doing that again. Hopefully we will add all the features we need for version 1.0 before christmas and release it sometime in January.

What features this version have:Support for dynamic IP addresses.Events are now stored in its full format (with date, hostname).Support for Lotus Domino and Windows logs in the NTsylog format.

If you want to test the dynamic IP authentication, you need to give the network + netmask where the agent is (when adding it using manage_agents), instead of the unique IP.

For example, to add an agent that is in a 192.168.2.0/24 network, do the following (taken from manage_agents):

Please provide the following:
* A name for the new agent: test
* The IP Address of the new agent: 192.168.2.0/24

Please remember that all snapshots are in beta state and you should only use them for testing purposes. Download it from here (make sure to get the latest version available).

Release of ossec web ui (oswui) 0.1-beta

Posted on November 13, 2006July 3, 2020 by Daniel Cid

I just released the first beta version of oswui (ossec web ui). The code is very simple and does not require a database or anything special running in the server. Hopefully after this release some web programmers will join us to help improve it (I am not a gui person).Download it from here.

Installation instructions below:1.0 – Prerequisites

-Apache with PHP (4.x or 5.x) installed.
-OSSEC (version 0.9-3) already installed.

1.1 – Download the package (link)

1.2 – Uncompress/untar it and move the files to somewhere acessible by your web server

# tar -zxvf ossec-wui-0.1-BETA.tar.gz
# mv ossec-wui* /var/www/htdocs/ossec-wui

1.3 – Run the setup script

# cd /var/www/htdocs/ossec-wui
# ./setup.sh

1.4 – Add your web server user to the ossec group

# vi /etc/group
..
From:
ossec:x:1002:
To (if your web server user is www):
ossec:x:1002:www

1.5 – Fix the permissions for the tmp directory and restart Apache (for the new permissions to work)

# chmod 770 tmp/
# chgrp www tmp/
# apachectl restart

As the ossec-hids project, it is released under the GPL and donations are welcome.

Logging authentication events from IOS

Posted on November 13, 2006July 3, 2020 by Daniel Cid

At ossec we have a long list of log formats to add support for the next version, and of them is the cisco IOS logs. Since it is such a common device, I decided to start working on that…

One of my surprises when looking at the IOS logs was a new (well, not really new, but I didn’t know about) feature introduced on the version 12.3 that allows full granularity for logging authentication events. So, if you are interested to forward all failed and success login attempts from your IOS to a remote syslog server, you can just enable login logging:

If you enable that, you will get logs similar to those:

%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:dbc] [Source:1.2.3.4] [localport:22] at 13:51:11 UTC Web Nov 11 2006
%SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:dbc] [Source:1.2.3.4] [localport:22] [Reason:Invalid login] at 13:51:19 UTC Web Nov 11 2006

From now on, whenever you enable syslog on a cisco ios, don’t forget these commands.

Documenting OSSEC rules

Posted on November 4, 2006July 3, 2020 by Daniel Cid

I am in the process to document all ossec rules at the project’s wiki. We currently have 402 rules and I just finished beta-documenting all apache and arpwatch ones. My main goal is to provide for each rule a simple explanation, false positives causes and some sample logs… Since this is a manual task, I am inviting all ossec users to help me out with that. Just go to the rules index page and choose one that is not documented yet. For a simple example, go to the rule 30108.

Fun with logs

Posted on November 3, 2006July 3, 2020 by Daniel Cid

If you have ever been involved with log analysis, you probably had the experience to look at a log entry and find it so useless and so weird that your only reaction was to laugh. Today I had this experience multiple times while looking at some Extreme logs (private information removed)…

Aug 11 09:11:19 xx MSM-B HAS TAKEN OVER AS THE MASTER
Aug 11 09:11:19 xx Free Entry Not Available
Aug 11 09:11:19 xx null pif ? exit! 0
Aug 11 09:11:19 xx eaps_runtime.c: Bug!

Check out the explanation for the last one: “This message indicates a software error and should never appear.”.. Priceless. The log analysis web site has some funny entries too.

Microsoft and Novell partnership over Linux?

Posted on November 2, 2006July 3, 2020 by Daniel Cid

I know this is off-topic for this blog, but I can’t imagine why microsoft would want to build a partnership with Novell over Linux. I heard a comment that they are doing that just to cause troubles to the Oracle move to Linux… Comments?
More info here and here.