Next version of OSSEC will come with support for PostgreSQL logs and MySQL error/query logs. Since database logging is not something widely done (and even hard to find documentation about), I started in the OSSEC wiki some sections about it. If you are interested in database log analysis, please check out the following pages and help us improve them:
If you have information about logging on other databases (Oracle, MS SQL, etc), send some information to us so we can add support for them on ossec.
*This alpha version of 1.4 has the database support enabled for anyone interested to test: http://www.ossec.net/files/snapshots/ossec-hids-070930.tar.gz
For the last few weeks many articles and news stories were published about the Chinese hacking USA government computers. The reality is that the Chinese have been hacking the US, Russian, Australian (,etc) computers for years, but they are not the only to blame, since the US, Russia and all other countries have been doing the same for a long time.
Why this is news stories now? Richard Bejtlich pointed that it might be for political reasons, but why would a country let the enemy know that they succeeded? Even worse, why would the US air force publish in their own site that the Chinese is the leader in cyber warfare?
That might be a reason… one of the things that I learned from history is that governments use “desinformation warfare” to achieve their goals. My take is that the US gov (and intelligence agencies) setup some honeypots with fake information for the Chinese to hack. The Chinese were successful and now the US gov wants the Chinese to believe that they hacked real information… What’s the best way to make them believe so? Yes, tell the whole world about it..
*Yes, this is not news anymore, but I am still catching up on my reads.
**Sorry for off-topic, back to ossec from now on 🙂
- Get the marketing team together for a clever name.
- Copy and paste Microsoft’s IIS W3C log format
- Write a press release and tell the world about it
I am not joking, but eIQnetworks released their Open Source Event Logging Standard which fits exactly on my description above. First, they call it “Open Source”. Do they know what open source means? Which OSI approved license did they use? Second, why require a registration to download it? What are they going to do with the information provided? Is it open or not? Lastly, their format is a ugly copy and paste of the Microsoft one. Look at their proposed header:
#Software: eIQ Open Log Format (OLF)
#Date: 02-18-2007 12:14:25 300
#Fields: date time gmt-offset internalIP externalIP virtualdevice..
Look at Microsoft’s:
#Software: Microsoft Internet Information Services 5.1
#Date: 2006-10-09 02:11:51
#Fields: date time c-ip cs-username s-sitename s-computername
I will refrain from commenting further, but you can take a look at it: Open Log Format.
Update 1:Anton Chuvakin and Raffael Marty reviewed their “standard”: chuvakin.blogspot and raffy.ch.
I have a few honeypots out there just collecting information about web attacks and they have been great to help me improve OSSEC and how it parses web/proxy logs. Since I couldn’t find any public resource dedicated to store this kind of information, I decided to create one at the OSSEC wiki to keep track of them. It is all manual right now, but I plan to automate a lot of work to keep the page current.
I have a few entries with sites storing php/perl bots, common attack patterns, copies of the tools used, etc. If you want to help out keeping it updated, let me know. If you want to share your logs (from real servers or honeypots), it would be great too..
More info: Web attacks links
Paul Ziegler (tatsumori) sent me a very interesting e-mail explaining how he used OSSEC to protect his box at the Defcon’s 15 “Øwn the box” competition.
During Defcon15 there was a new kind of contest called the “Øwn the box” competition where anyone who 0wned a box got to take it home. I was over there as a speaker so I thought it might be fun to try defending a box. My box was based on Gentoo-Linux and hardened using various techniques…
So the results were recently published on the DC-Homepage (http://defcon.org/) – and if you look closely there is this line saying “Most evil entry: Tatsumori (Gentoo Hardened with arp poisoning evilness)” The arp-foo was actually done using scapy, but I scripted it as an active response for OSSEC 1.2. So part of my success to survive there (and really make people curse out while hacking) is OSSEC.
It’s great modularity and easy extensibility makes creating kick-ass crazy dedicated solutions so much easier then it was ever before.
He also posted some information at his blog. Very cool stuff Paul!