June 2009 – OSSEC

I (HEART) OSSEC

Posted on June 19, 2009July 2, 2020 by Daniel Cid

Justin Foster of DevelopingSecurity.com wrote an amazing article for the OSSEC site:

In the open source world some projects have taken on beloved status by their loyal user base. OSSEC is one of them, and for good reason.
For those of you unfamiliar, OSSEC (pronounced Oh-Sec) is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
Over a year and a half ago I was tasked to review OSSEC as a potential acquisition for Third Brigade. I was of course, sufficiently impressed with OSSEC’s capabilities, but I was surprised at the level of respect it had developed in the community. I was curious as to why OSSEC had such a solid reputation.

Read in FULL: I heart OSSEC

Compiling the Windows Agent from a Linux system

Posted on June 12, 2009July 2, 2020 by Daniel Cid

It has always been a pain to generate snapshots for Windows because it required me to open up my Windows VM (slow), push the code there, compile, etc. Well, until this week when I started to play with MinGW cross-compilation feature to completely build an Windows agent from Linux.

How it works? First, you need to install MinGW and makensis (to build the installer). On Ubuntu, it is just:

# apt-get install mingw32 mingw32-binutils mingw32-runtime
# apt-get install nsis

After that, download the latest snapshot: http://ossec.net/files/snapshots/ and generate the Windows package directory (where XX is the latest date):

# wget http://www.ossec.net/files/snapshots/ossec-hids-xx.tar.gz
# tar -zxvf ossec-hids-xx.tar.gz
# cd ossec-hids-xx/src/win32
# ./gen-win.sh

Now, you will have the win-pkg directory under src. Just go there and run make.sh. Your Windows agent package should be created in a few minutes:

# cd ../win-pkg
# sh ./make.sh

You will see the following in the screen:

Making windows agent
rootcheck/win-common.c: In function ‘__os_winreg_querykey’:
rootcheck/win-common.c:279: warning: pointer targets in passing argument 7 of ‘RegEnumValueA’ differ in signedness
win-registry.c: In function ‘os_winreg_querykey’:
…
Output: “ossec-win32-agent.exe”
Install: 7 pages (448 bytes), 3 sections (3144 bytes), 379 instructions (10612 bytes), 247 strings (42580 bytes), 1 language table (346 bytes).
Uninstall: 5 pages (320 bytes),
1 section (1048 bytes), 301 instructions (8428 bytes), 166 strings (2646 bytes), 1 language table (290 bytes).
Datablock optimizer saved 8371 bytes (~0.7%).

Which means that your agent executable ossec-win32-agent.exe has been created properly.

Centralized agent configuration

Posted on June 11, 2009July 2, 2020 by Daniel Cid

If you wanted to be able to configure your agents remotely, you will be happy to know that we are supporting it now. Right now, we allow centralized configuration for file integrity checking (syscheckd), rootkit detection (rootcheck) and log analysis.

This is how it works.

Create the file /var/ossec/etc/shared/agent.conf

Inside the file you can configure the agent just as you would normally at ossec.conf

<agent_config>
<localfile>
<location>/var/log/my.log</location>
<logtype>syslog</logtype>
</localfile>
</agent_config>

But you have a few more options. You can restrict the config by agent name or by operating system:

<agent_config name=”agent1|agent2″>
<localfile>
<location>/var/log/my.log</location>
<logtype>syslog</logtype>
</localfile>
</agent_config>
<agent_config os=”Linux|OpenBSD”>
<localfile>
<location>/var/log/my.log2</location>
<logtype>syslog</logtype>
</localfile>
</agent_config>
<agent_config os=”Windows”>
<localfile>
<location>C:myappmy.log</location>
<logtype>syslog</logtype>
</localfile>
</agent_config>

And only the proper agent will read them, giving us great granularity to push the configuration to all your agents.

After you configured, the manager will push it to the agents. Note that it can take a while for it to complete (since the manager caches the shared files and only re-reads them every few hours). If you restart the manager the configuration will be pushed much quicker.

OSSEC uservoice

Posted on June 3, 2009July 2, 2020 by Daniel Cid

We are always getting lots of feature suggestions and ideas for ossec and sometimes via email it is hard to track. We have our bugzilla, but most users find it too complicated to use.

Because of that, we are putting online an OSSEC user voice, where you can share your ideas, vote on other people ideas, add bugs, comments, etc. With the voting mechanism we will be able to get the most desirable features and work harder on them..

Link:
http://ossec.uservoice.com/

Thanks,

Splunk + OSSEC Integration

Posted on June 3, 2009July 2, 2020 by Daniel Cid

This is a guest article by Dale Neufeld – canuck.eh at gmail.com
The status of the next version of the OSSEC web interface is one of the more commonly asked questions on the mailing list and is currently #2 on the community requested feature list (http://ossec.uservoice.com).While web interfaces are nice to have, many of us suffer from information island overload by having dedicated web interfaces for each application. This is why I was stoked when the syslog ouput feature was announced last summer (http://www.ossec.net/dcid/?p=139) and officially added in version 1.6. Now I can incorporate OSSEC alerts into my SIM/SIEM or log management tool of choice, which not only eliminates the need for a dedicated OSSEC web interface but also allows for simplified incident analysis through aggregation and correlation.

Full article at http://www.ossec.net/main/splunk-ossec-integration

OSSEC logtest online

Posted on June 3, 2009July 2, 2020 by Daniel Cid

Sucuri Security released an online version of the ossec-logtest tool. Paste your log in there and it will show what OSSEC thinks of it.

Link: http://sucuri.net/index.php?page=docs&title=ossec