OSSEC snapshot available

It has been a while since the last time I released a stable snapshot of ossec. However, after lots of new features and code changes, it is time to start doing that again. Hopefully we will add all the features we need for version 1.0 before Christmas and release it sometime in January.

What features this version has:

  • Support for dynamic IP addresses.
  • Events are now stored in their full format (with date and hostname).
  • Support for Lotus Domino and Windows logs in the NTsyslog format.

If you want to test the dynamic IP authentication, you need to give the network + netmask where the agent is (when adding it using manage_agents), instead of a single IP address.

For example, to add an agent that is in a 192.168.2.0/24 network, do the following (taken from manage_agents):

Please provide the following:
* A name for the new agent: test
* The IP Address of the new agent: 192.168.2.0/24

Please remember that all snapshots are in beta state and you should only use them for testing purposes. Download it from here (make sure to get the latest version available).

Release of ossec web ui (oswui) 0.1-beta

I just released the first beta version of oswui (ossec web ui). The code is very simple and does not require a database or anything special running on the server. Hopefully after this release some web programmers will join us to help improve it (I am not a GUI person). Download it from here.

Installation instructions below:

1.0 – Prerequisites

  • Apache with PHP (4.x or 5.x) installed.
  • OSSEC (version 0.9-3) already installed.

1.1 – Download the package (link)

1.2 – Uncompress/untar it and move the files to somewhere accessible by your web server

# tar -zxvf ossec-wui-0.1-BETA.tar.gz
# mv ossec-wui* /var/www/htdocs/ossec-wui

1.3 – Run the setup script

# cd /var/www/htdocs/ossec-wui
# ./setup.sh

1.4 – Add your web server user to the ossec group

# vi /etc/group
..
From:
ossec:x:1002:
To (if your web server user is www):
ossec:x:1002:www

1.5 – Fix the permissions for the tmp directory and restart Apache (for the new permissions to work)

# chmod 770 tmp/
# chgrp www tmp/
# apachectl restart

Like the ossec-hids project, it is released under the GPL, and donations are welcome.

Logging authentication events from IOS

At ossec we have a long list of log formats to add support for in the next version, and one of them is Cisco IOS logs. Since it is such a common device, I decided to start working on that…

One of my surprises when looking at the IOS logs was a new (well, not really new, but I didn’t know about it) feature introduced in version 12.3 that allows full granularity for logging authentication events. So, if you are interested in forwarding all failed and successful login attempts from your IOS device to a remote syslog server, you can just enable login logging:

login on-failure log
login on-success log

If you enable that, you will get logs similar to these:

%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:dbc] [Source:1.2.3.4] [localport:22] at 13:51:11 UTC Web Nov 11 2006
%SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:dbc] [Source:1.2.3.4] [localport:22] [Reason:Invalid login] at 13:51:19 UTC Web Nov 11 2006

From now on, whenever you enable syslog on a Cisco IOS device, don’t forget these commands.
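Once these messages reach a syslog collector, the bracketed fields are easy to pull apart and correlate. The following is an added example (not OSSEC code, and not from the original post) that parses the %SEC_LOGIN format shown above and raises two defender-side alerts: a source that accumulates several failures, and a success from a source that had already failed. The sample lines and the threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the %SEC_LOGIN format shown above (not real traffic).
SAMPLE_LOGS = [
    "%SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:dbc] [Source:1.2.3.4] [localport:22] [Reason:Invalid login] at 13:51:11 UTC Sat Nov 11 2006",
    "%SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:admin] [Source:1.2.3.4] [localport:22] [Reason:Invalid login] at 13:51:15 UTC Sat Nov 11 2006",
    "%SEC_LOGIN-4-LOGIN_FAILED:Login failed [user:cisco] [Source:1.2.3.4] [localport:22] [Reason:Invalid login] at 13:51:19 UTC Sat Nov 11 2006",
    "%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:dbc] [Source:1.2.3.4] [localport:22] at 13:51:25 UTC Sat Nov 11 2006",
    "%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:ops] [Source:10.0.0.7] [localport:23] at 13:52:00 UTC Sat Nov 11 2006",
]

# Facility-severity-mnemonic header, free text, one or more [key:value] fields, then the timestamp.
LINE_RE = re.compile(
    r"%SEC_LOGIN-(?P<sev>\d)-(?P<event>LOGIN_SUCCESS|LOGIN_FAILED):"
    r"(?P<text>[^\[]*?)\s*(?P<fields>(?:\[[^\]]*\]\s*)+)at (?P<when>.+)$"
)
FIELD_RE = re.compile(r"\[(\w+):([^\]]*)\]")


def parse_line(line):
    """Return a dict of the message's fields, or None if it is not a %SEC_LOGIN line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"severity": int(m.group("sev")), "event": m.group("event"), "when": m.group("when")}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key.lower()] = val  # user, source, localport, reason
    return rec


def analyse(lines, threshold=3):
    """Alert on a source reaching `threshold` failures, and on a success from a source that already failed."""
    failures = defaultdict(list)
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src = rec.get("source", "?")
        if rec["event"] == "LOGIN_FAILED":
            failures[src].append(rec["user"])
            if len(failures[src]) == threshold:
                alerts.append(("multiple_failures", src, sorted(set(failures[src]))))
        elif failures[src]:
            alerts.append(("success_after_failures", src, rec["user"]))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOGS):
        print(alert)
```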

Documenting OSSEC rules

I am in the process of documenting all ossec rules at the project’s wiki. We currently have 402 rules and I just finished beta-documenting all Apache and arpwatch ones. My main goal is to provide for each rule a simple explanation, the causes of false positives and some sample logs… Since this is a manual task, I am inviting all ossec users to help me out with that. Just go to the rules index page and choose one that is not documented yet. For a simple example, see rule 30108.

Fun with logs

If you have ever been involved with log analysis, you have probably had the experience of looking at a log entry and finding it so useless and so weird that your only reaction was to laugh. Today I had this experience multiple times while looking at some Extreme logs (private information removed)…

Aug 11 09:11:19 xx MSM-B HAS TAKEN OVER AS THE MASTER
Aug 11 09:11:19 xx Free Entry Not Available
Aug 11 09:11:19 xx null pif ? exit! 0
Aug 11 09:11:19 xx eaps_runtime.c: Bug!

Check out the explanation for the last one: “This message indicates a software error and should never appear.” Priceless. The log analysis web site has some funny entries too.