OSSEC Reports (v1.7 preview)

One of the most requested features in OSSEC is some kind of built-in reporting mechanism. For v1.7 we plan to include one, and we need comments and ideas on which features and formats would be most useful.

To get started, we created a standalone reporting tool so we can get the ideas flowing. If you want to try it out, download the latest snapshot and look at the ossec-reportd tool. Here are some of the reports I am doing:

*The HTML is messing up the output of the reports, so they will look a bit better in the terminal.

1-Show all IP addresses/users that logged in during the day

# cat /var/ossec/logs/alerts/alerts.log | ./src/monitord/ossec-reportd -n "Logins summary" -f group authentication_success

Report 'Logins summary' completed.
————————————————
->Processed alerts: 145557
->Post-filtering alerts: 401
->First alert: ..
->Last alert: ..

Top entries for ‘Source ip’:
————————————————
127.0.0.1 |280 |
192.168.2.10 |88 |
192.168.2.15 |16 |
192.168.2.26 |6 |
192.168.2.17 |2 |

Top entries for ‘Username’:
————————————————
dcid |336 |
aabbcxx |46 |
root |9 |
__vmware_user__ |4 |
vpxuser |2 |
Administrator |1 |
lac |1 |

2-Show all IP addresses/users that logged in during the day, plus the related source IPs and locations for each user

# cat /var/ossec/logs/alerts/alerts.log | ./src/monitord/ossec-reportd -n "Logins summary" -f group authentication_success -r user srcip -r user location

Top entries for ‘Source ip’:
————————————————
127.0.0.1 |280 |
192.168.2.10 |88 |
192.168.2.15 |16 |
192.168.2.26 |6 |
192.168.2.17 |2 |

Top entries for ‘Username’:
————————————————
dcid |336 |
aabbcxx |46 |
root |9 |
__vmware_user__ |4 |
vpxuser |2 |
Administrator |1 |
lac |1 |

Related entries for 'Username':
————————————————
dcid |336 |
    location: 'enigma->/var/log/authlog'
    srcip: '192.168.2.15'
    srcip: '192.168.2.10'
    srcip: '127.0.0.1'
    srcip: '192.168.2.17'
    srcip: '192.168.2.26'
aabbcxx |46 |
    location: 'enigma->/var/log/authlog'
    srcip: '192.168.2.10'
root |9 |
    location: 'enigma->/var/log/authlog'
    srcip: '127.0.0.1'
    srcip: '192.168.2.15'
    srcip: '192.168.2.26'
    srcip: '(none)'
__vmware_user__ |4 |
    location: '(lili3win) 192.168.2.0->WinEvtLog'
    srcip: '(none)'
vpxuser |2 |
    location: '(vmesx51) any->/var/log/messages'
    location: '(vmesx51) any->/var/log/vmware/hostd.log'
    srcip: '127.0.0.1'
Administrator |1 |
    location: '(win2003-tbv4) any->WinEvtLog'
    srcip: '(none)'
lac |1 |
    location: '(lili3win) 192.168.2.0->WinEvtLog'
    srcip: '(none)'

3-Show all multiple authentication failures (brute force attacks)

# cat /var/ossec/logs/alerts/alerts.log | ./src/monitord/ossec-reportd -n "Failures summary" -f group authentication_failures

Top entries for ‘Source ip’:
————————————————
127.0.0.1 |5 |
218.56.61.114 |5 |
117.36.192.75 |2 |
219.90.103.44 |2 |
121.22.8.148 |1 |
122.141.177.51 |1 |
203.171.227.18 |1 |
211.156.250.179 |1 |
222.73.0.101 |1 |
85.24.137.233 |1 |

Top entries for ‘Username’:
————————————————
root |7 |
dcid |5 |

Top entries for ‘Rule’:
————————————————
5720 – Multiple SSHD authentication failures. |12 |
5712 – SSHD brute force trying to get access.. |8 |

4-Show a summary for the month (or day)

# zcat /var/ossec/logs/alerts/2008/Nov/*.gz | ./src/monitord/ossec-reportd -n "Month Summary"

Report 'Month Summary' completed.
————————————————
->Processed alerts: 274744
->Post-filtering alerts: 274744
->First alert: 2008 Nov 01 00:00:03
->Last alert: 2008 Nov 25 21:00:03

Top entries for ‘Level’:
————————————————
Severity 4 |236552 |
Severity 10 |33194 |
Severity 3 |2219 |
Severity 7 |1649 |
Severity 5 |999 |
Severity 8 |57 |
Severity 6 |42 |
Severity 2 |25 |
Severity 12 |5 |
Severity 9 |2 |

Top entries for ‘Group’:
————————————————
windows |270107 |
syslog |2694 |
ossec |1798 |
syscheck |1624 |
pam |1339 |
authentication_success |1321 |
sshd |953 |
errors |378 |
system_error |318 |
authentication_failed |161 |
invalid_login |120 |
vmware |117 |
recon |42 |
authentication_failures |32 |
win_authentication_failed |25 |
account_changed |24 |
stats |17 |
time_changed |17 |
service_availability |16 |
accesslog |10 |
web |10 |
su |9 |
access_control |8 |
access_denied |8 |
rootcheck |5 |
attacks |4 |
policy_changed |4 |
low_diskspace |3 |
sudo |3 |
logs_cleared |2 |
postgresql_log |1 |
system_shutdown |1 |

Top entries for ‘Location’:
————————————————
(lili3win) 192.168.2.0->WinEvtLog |269806 |
(esqueleto2) 192.168.2.99->/var/log/auth.log |1338 |
(lili3win) 192.168.2.0->syscheck |1301 |
enigma->/var/log/authlog |960 |
enigma->/var/log/messages |321 |
(lili3win) 192.168.2.0->syscheck-registry |281 |
(win2003-tbv4) any->WinEvtLog |279 |
(vmesx51) any->/var/log/vmware/hostd.log |100 |
enigma->ossec-logcollector |80 |
(vmesx51) any->/var/log/messages |53 |
(win2003-tbv3) any->WinEvtLog |39 |
enigma->ossec-monitord |29 |
(win2003-tbv4) any->syscheck-registry |26 |
(esqueleto2) 192.168.2.99->/var/log/messages |24 |
(lili3win) 192.168.2.0->ossec |22 |
(esqueleto2) 192.168.2.99->ossec-logcollector |15 |
(vmesx51) any->ossec-logcollector |15 |
(esqueleto2) 192.168.2.99->/var/log/syslog |10 |
enigma->/var/www/logs/access_log |10 |
enigma->syscheck |7 |
(win2003-tbv4) any->syscheck |6 |
(vmesx51) any->/var/log/secure |4 |
(vmesx51) any->ossec |3 |
(win2003-tbv4) any->ossec |3 |
(lili3win) 192.168.2.0->rootcheck |2 |
(vmesx51) any->syscheck |2 |
(esqueleto2) 192.168.2.99->/var/log/postgres.. |1 |
(esqueleto2) 192.168.2.99->ossec |1 |
(esqueleto2) 192.168.2.99->rootcheck |1 |
(win2003-tbv3) any->ossec |1 |
(win2003-tbv4) any->rootcheck |1 |
enigma->/var/log/secure |1 |
enigma->dcid@127.0.0.1->syscheck |1 |
enigma->rootcheck |1 |

Top entries for ‘Rule’:
————————————————
18105 – Windows audit failure event. |236165 |
18153 – Multiple Windows audit failure events. |33140 |
550 – Integrity checksum changed. |1484 |
5501 – Login session opened. |666 |
5502 – Login session closed. |666 |
5715 – SSHD authentication success. |580 |
18108 – Failed attempt to perform a privileg.. |354 |
18103 – Windows error event. |318 |
1005 – Syslogd restarted. |313 |
5716 – SSHD authentication failed. |155 |
551 – Integrity checksum changed again (2nd .. |121 |
5710 – Attempt to login using a non-existent.. |119 |
591 – Log file rotated. |110 |
19104 – VMware ESX warning message. |47 |
5706 – SSH insecure connection attempt (scan). |42 |
503 – Ossec agent started. |29 |
19110 – VMWare ESX authentication success. |28 |
5704 – Timeout while logging in (sshd). |28 |
1002 – Unknown problem somewhere in the syst.. |25 |
1006 – Syslogd restarted. |25 |
18130 – Logon Failure – Unknown user or bad .. |25 |
504 – Ossec agent disconnected. |25 |
18111 – User account changed. |24 |
18151 – Multiple failed attempts to perform .. |19 |
552 – Integrity checksum changed again (3rd .. |19 |
11 – Excessive number of events (above norma.. |17 |
18107 – Windows Logon Success. |17 |
18140 – System time changed. |17 |
19112 – VMWare ESX user login. |17 |
5720 – Multiple SSHD authentication failures. |17 |
1004 – Syslogd exiting (logging stopped). |12 |
19120 – Virtual machine state changed to OFF. |12 |
5712 – SSHD brute force trying to get access.. |12 |
31101 – Web server 400 error code. |10 |
5303 – User successfully changed UID to root. |9 |
2503 – Connection blocked by Tcp Wrappers. |8 |
18147 – Application Installed. |6 |
18149 – Windows User Logoff. |6 |
5503 – User login failed. |6 |
18113 – Windows Audit Policy changed. |4 |
19103 – VMware ESX error message. |4 |
40112 – Multiple authentication failures fol.. |4 |
502 – Ossec server started. |4 |
510 – Host-based anomaly detection event (ro.. |4 |
1007 – File system full. |3 |
18152 – Multiple Windows Logon Failures. |3 |
19121 – Virtual machine being turned ON. |3 |
19122 – Virtual machine state changed to ON. |3 |
19150 – Multiple VMWare ESX warning messages. |3 |
18118 – Windows audit log was cleared. |2 |
18119 – First time this user logged in this .. |2 |
18126 – Remote access login success. |2 |
5402 – Successful sudo to ROOT executed |2 |
18109 – Session reconnected/disconnected to .. |1 |
18117 – Windows is shutting down. |1 |
18146 – Application Uninstalled. |1 |
501 – New ossec agent connected. |1 |
50521 – Database shutdown messge. |1 |
512 – Windows Audit event. |1 |
5403 – First time user executed sudo. |1 |
5504 – Attempt to login with an invalid user. |1 |
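All four reports above come from the same aggregation: read alerts.log, optionally keep only the alerts carrying one group (-f group), count the distinct values of a field for the "Top entries" tables, and for -r list the related values seen for each key. The script below is an added example that re-implements that aggregation over the OSSEC alerts.log format so you can see how the numbers are produced; it is not ossec-reportd and not OSSEC code. The sample alerts are constructed here, and the field names it uses (srcip, user, rule, level, location) are this example's own.

```python
# Added example (not OSSEC code): re-implementing the aggregation ossec-reportd does.
import re
from collections import Counter, defaultdict

# Constructed sample alerts in alerts.log layout (not taken from the post).
SAMPLE_ALERTS = """\
** Alert 1225522803.1: - syslog,sshd,authentication_success,
2008 Nov 01 00:00:03 enigma->/var/log/authlog
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 192.168.2.10
User: dcid
Nov  1 00:00:02 enigma sshd[1234]: Accepted publickey for dcid from 192.168.2.10 port 54321 ssh2

** Alert 1225522900.2: mail - syslog,sshd,authentication_success,
2008 Nov 01 00:01:40 enigma->/var/log/authlog
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 127.0.0.1
User: dcid
Nov  1 00:01:39 enigma sshd[1240]: Accepted password for dcid from 127.0.0.1 port 40000 ssh2

** Alert 1225523005.3: - windows,authentication_success,
2008 Nov 01 00:02:45 (lili3win) 192.168.2.0->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
User: lac
WinEvtLog: Security: AUDIT_SUCCESS(528): Security: lac: LILI3WIN: LILI3WIN: Successful Logon:

** Alert 1225523010.4: mail - syslog,sshd,authentication_failures,
2008 Nov 01 00:03:30 enigma->/var/log/authlog
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 218.56.61.114
User: root
Nov  1 00:03:29 enigma sshd[1251]: Failed password for root from 218.56.61.114 port 2223 ssh2
"""

HEADER = re.compile(r"^\*\* Alert (\d+)\.(\d+):( mail)? - (.*)$")
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")


def parse_alerts(text):
    """One dict per alert block (blocks are separated by a blank line)."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER.match(lines[0]) if lines else None
        rule = RULE.match(lines[2]) if len(lines) > 2 else None
        # Line 2 is "YYYY Mon DD HH:MM:SS <location>"; the location itself
        # may contain a space, e.g. "(lili3win) 192.168.2.0->WinEvtLog".
        stamp = lines[1].split(" ", 4) if len(lines) > 1 else []
        if not (head and rule and len(stamp) == 5):
            continue  # skip anything that is not a well-formed alert
        alert = {"groups": [g for g in head.group(4).split(",") if g],
                 "time": " ".join(stamp[:4]), "location": stamp[4],
                 "rule": f"{rule.group(1)} - {rule.group(3)}",
                 "level": f"Severity {rule.group(2)}",
                 "srcip": "(none)", "user": "(none)"}  # reportd's text when absent
        # Optional "Src IP:" / "User:" lines precede the raw log line(s).
        for line in lines[3:]:
            if line.startswith("Src IP: "):
                alert["srcip"] = line[8:]
            elif line.startswith("User: "):
                alert["user"] = line[6:]
            else:
                break
        alerts.append(alert)
    return alerts


def top_entries(alerts, field):
    """(value, count) pairs, most frequent first, as in a 'Top entries' table."""
    return Counter(a[field] for a in alerts).most_common()


def related_entries(alerts, key, related):
    """Equivalent of `-r <key> <related>`: every related value seen per key."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a[key]].add(a[related])
    return {k: sorted(v) for k, v in seen.items()}


def build_report(text, group=None, relations=()):
    """Aggregate alerts.log text into the tables ossec-reportd prints.

    `group` mirrors `-f group <name>`; `relations` is a list of (key, related)
    pairs mirroring repeated `-r` options."""
    alerts = parse_alerts(text)
    kept = [a for a in alerts if group in a["groups"]] if group else alerts
    return {"processed": len(alerts), "post_filtering": len(kept),
            "top": {f: top_entries(kept, f) for f in ("srcip", "user", "rule", "level")},
            "related": {f"{k}->{r}": related_entries(kept, k, r) for k, r in relations}}


if __name__ == "__main__":
    report = build_report(SAMPLE_ALERTS, "authentication_success", [("user", "srcip")])
    for field, rows in report["top"].items():
        print(f"Top entries for '{field}':", *(f"{v} |{c} |" for v, c in rows), sep="\n")
    print("Related entries:", report["related"])
```

Running it reproduces the shape of report 2: three authentication_success alerts survive the filter, dcid is seen from two source IPs, and the Windows logon has no Src IP line, so it is counted under "(none)" exactly as the real tool shows above. Swapping the group for authentication_failures gives the rule and severity tables of report 3, and calling it with no group gives the unfiltered counts of report 4.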

Comments and suggestions are welcome. We plan to make it part of monitord so that it can produce daily or hourly reports for certain options.

Compiled rules

If you ever wanted a bit more flexibility from the OSSEC rules, you can have it now with the C compiled rules.

Compiled rules are an extension to the normal (default) XML rules and should only be used when you need additional functionality that is not available there.

**Note that you need at least the snapshot ossec-hids-081030.tar.gz or v1.7 (not yet available) for this to work.

How do the compiled rules work?

Inside the OSSEC package you will find the directory src/analysisd/compiled_rules/, which holds the default compiled rules.
To see the list of available rule functions, run this command inside that directory:

  $ pwd
  ../src/analysisd/compiled_rules
  $ ./register_rule.sh list
  *Available functions:
  check_id_size
  comp_mswin_targetuser_calleruser_diff
  comp_srcuser_dstuser

To use any of them inside a rule, just add the <compiled_rule> tag with the function you want to use. For example:

 <rule id="100155" level="10">
   <if_sid>18111</if_sid>
   <compiled_rule>comp_mswin_targetuser_calleruser_diff</compiled_rule>
   <description>User changed someone else password.</description>
 </rule>

NOTE: To find out what each function does, you have to look at the source code.

How to write your own rule

To create your own rule, first open a new .c file (don’t use the generic one, since it is modified during upgrades).

  $ touch myownrules.c

Then create your function inside it. In this example we add a function that checks whether the url field is 1024 characters or longer:

/* OSSEC headers: Eventinfo (and lf->url) come from eventinfo.h; shared.h
 * pulls in the libc headers (string.h etc.) that compiled rules rely on. */
#include "shared.h"
#include "eventinfo.h"

/* Matches when the decoded url field is 1024 characters or longer. */
void *myosrule_check_url_size1024(Eventinfo *lf)
{
    /* No url was decoded for this event, so there is nothing to check. */
    if(!lf->url)
    {
        return(NULL);
    }

    if(strlen(lf->url) >= 1024)
    {
        return(lf);    /* match: hand the event back to the rule engine */
    }
    return(NULL);      /* no match */
}

Note 1: You must return 'lf' (the Eventinfo structure) if the function matches, or NULL otherwise.
Note 2: Give your function a distinctive name so that it cannot collide with anything else (e.g. put your company name in it).
After that, register your function:

  $ ./register_rule.sh add myosrule_check_url_size1024

You can also save it (if you have OSSEC installed) so that the next upgrade picks your rules up again:

  $ ./register_rule.sh save
  *Save completed at /var/ossec/compiled_rules/