WordPress to Syslog

WPsyslog2 is a global log plugin for WordPress. It keeps track of all system events and logs them to syslog: new posts, new profiles, new users, failed logins, logins, logouts, and so on.

It also tracks the latest vulnerabilities and alerts if any of them are triggered, which becomes very useful once the logs are fed to a log analysis tool such as OSSEC HIDS. OSSEC needs the latest snapshot to analyze these logs properly: http://ossec.net/files/snapshots/ossec-hids-090826.tar.gz

More information, download, etc: http://www.ossec.net/wpsyslog2
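To show what a log analysis tool gets out of a WordPress-to-syslog feed, here is an added example (not code from wpsyslog2 or OSSEC): it parses a few constructed BSD-syslog lines, classifies the WordPress events, and correlates failed logins per source IP over a sliding window, which is the same idea as an OSSEC rule with a frequency, a timeframe and a same-source-IP condition. The message wording, the program name "wordpress" and the hosts and IPs are assumptions made for the sample, not the plugin's real format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input in BSD syslog (RFC 3164) layout, as a syslog daemon
# would store it. The message wording is an assumption about what a
# WordPress-to-syslog plugin such as wpsyslog2 might emit, not its real format.
SAMPLE_LOG = """\
Aug 26 10:00:01 web1 wordpress: User admin logged in from 198.51.100.7
Aug 26 10:00:05 web1 wordpress: Failed login attempt for user admin from 203.0.113.5
Aug 26 10:00:09 web1 wordpress: Failed login attempt for user root from 203.0.113.5
Aug 26 10:00:12 web1 wordpress: Failed login attempt for user editor from 203.0.113.5
Aug 26 10:00:15 web1 wordpress: Failed login attempt for user admin from 203.0.113.5
Aug 26 10:00:20 web1 wordpress: Failed login attempt for user admin from 203.0.113.5
Aug 26 10:00:40 web1 wordpress: New post published by admin: Hello world
Aug 26 10:01:00 web1 wordpress: Failed login attempt for user bob from 192.0.2.9
Aug 26 10:03:00 web1 wordpress: Failed login attempt for user admin from 203.0.113.5
"""

# Syslog header: "Mon DD HH:MM:SS host program[pid]: message" (pid is optional).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"^Failed login attempt for user (?P<user>\S+) from (?P<ip>\S+)$")
LOGIN_RE = re.compile(r"^User (?P<user>\S+) logged in from (?P<ip>\S+)$")


def parse_line(line, year=2009):
    """Split one syslog line into fields and classify the WordPress message.
    Returns None for lines that did not come from the 'wordpress' program."""
    m = SYSLOG_RE.match(line)
    if not m or m["prog"] != "wordpress":
        return None
    # RFC 3164 timestamps carry no year, so one is supplied (assumed for the sample).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    event = {"ts": ts, "host": m["host"], "msg": m["msg"], "kind": "other"}
    if fm := FAILED_RE.match(m["msg"]):
        event.update(kind="failed_login", user=fm["user"], ip=fm["ip"])
    elif lm := LOGIN_RE.match(m["msg"]):
        event.update(kind="login", user=lm["user"], ip=lm["ip"])
    return event


def parse_log(text):
    """Parse every line of a log file; non-WordPress lines are dropped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def detect_bruteforce(events, threshold=5, window_s=60):
    """Correlate failed logins per source IP over a sliding time window.
    Fires once per burst of `threshold` failures inside `window_s` seconds and
    returns (ip, count, first_ts, last_ts) for each alert."""
    recent = defaultdict(deque)
    alerts = []
    for e in events:
        if e["kind"] != "failed_login":
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        # Drop failures that fell out of the window relative to the newest one.
        while (e["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((e["ip"], len(q), q[0], e["ts"]))
            q.clear()  # one burst produces one alert; start counting afresh
    return alerts


def summarize(events):
    """Count events by kind, as a daily report would."""
    counts = defaultdict(int)
    for e in events:
        counts[e["kind"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(summarize(evs))
    for ip, n, first, last in detect_bruteforce(evs):
        print(f"ALERT: {n} failed WordPress logins from {ip} "
              f"between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

On the sample, the five failures from 203.0.113.5 within 15 seconds raise one alert, while the single failure from 192.0.2.9 and the lone retry three minutes later do not; lowering the threshold or widening the window changes that, which is exactly the tuning a real rule set needs per site.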

OSSEC v2.2 beta1 available

OSSEC v2.2 will be released soon and we need help beta testing it. The code is already fairly stable and has been through a series of internal tests.

So, if you have a spare system or can install it on your production network, we would love to hear some feedback (just follow the instructions on our Beta testing wiki page).

New features/Bug fixes

  1. Added a tool to properly detect whether the system is little or big endian.
  2. Added an “ignore” option to rootcheck (especially to deal with large NFS shares and avoid scanning them).
  3. Added an option to log every rootcheck event (not only the FTS ones).
  4. Fixed a configuration error when no parameter was given in the agent.conf file.
  5. Added rules to ignore the constant CRON login/logout alerts (seen on Debian/Ubuntu).
  6. Changed the way we handle Windows sockets to avoid timeouts on shared files.
  7. Added support for Roundcube logs. (Thanks to Michael Starks for the work.)
  8. Added support for Netscreen alert (IDS) events.
  9. Added command line options to the manage_agents tool.
  10. Fixed the issue of duplicated IP addresses in syscheck_control. (Patch by ddpbsd at gmail.com.)
  11. Fixed the way we handle /0 netmasks in all the control tools.
  12. Added custom fine-grained entries to syscheck on Windows. The goal is to reduce the number of directories checked and increase usefulness.
  13. Added an option to disable message id checks. Useful when you plan to reuse keys. (These checks are what lets the manager reject replayed agent messages, so leave them on unless you really need key reuse.)
  14. Added support for WordPress logs. They come from the wpsyslog2 plugin, which we modified to log everything to syslog (new posts, new comments, logins, logouts, etc.).
  15. Added support for escaping “<” in the XML and regex libraries.
  16. Fixed a bug in syscheck_control where the zero/ignore options were not working on some systems. (Thanks to Michael Starks for the report.)
  17. Added support for Trend OSCE (OfficeScan) log files.
  18. Fixed the installation script on AIX to only use /bin/false if it is installed.

Download

Thanks!

Q&A: OSSEC, the open source host-based intrusion detection system

Mirko Zorz from Help Net Security did an interview with me regarding OSSEC: how it was created, how it evolved, etc.

Link to the interview: http://www.net-security.org/article.php?id=1284.

Daniel B. Cid is the founder of the open source OSSEC HIDS and a principal researcher at Trend Micro. He has a special interest in intrusion detection, log analysis and secure development. In this interview he discusses the open source host-based intrusion detection system in detail.

Give our readers some background on the OSSEC project. How did it all start and evolve?

OSSEC is an open source HIDS that merges log analysis, file integrity monitoring, rootkit detection and active responses. It started as a side-project to help me solve some problems that I had on a previous job (6-7 years ago)…

Thanks Mirko for the great questions and interview.

Introducing OSSEC

Michael Starks published a very interesting blog post on why he uses OSSEC.

Surprisingly, I was getting much more useful information from OSSEC than I did from the commercial HIDs. What OSSEC lacked in presentation, it far made up for in actual useful, actionable information. I got alerts which indicated things I really wanted to know about. And the more I tuned, the more relevant it became. I was expecting to have to make considerable concessions by not using a commercial HIDs; what I didn’t expect was to get far more value for free.

The folks at Hacker Target published a good document on installing OSSEC (http://hackertarget.com/2009/08/ossec-introduction-and-installation-guide/), and Sucuri posted another interesting article showing the benefits of log analysis: http://blog.sucuri.net/2009/08/curiosity-killed-cat.html

OSSEC v2.1.1 released

Yes, I have been neglecting my own blog for a while… Anyway, just in case you missed the announcement, about a month ago, we released v2.1.1. Link:

http://www.ossec.net/main/ossec-v21-released

We are pleased to announce the general availability of OSSEC version 2.1.
This new version is the first one with support for centralized configurations and real-time integrity monitoring on Linux. It also includes many other features and bug fixes:

* Centralized configuration – The agent.conf file was introduced to allow granular configuration of the agents directly on the manager side.
* Remote agent restart – Functionality was added to restart the agents remotely using the agent_control tool.
* Real time integrity checking – Real time integrity checking was added to Linux systems.
* New Log Rules Support – We added support for Windows DHCP logs and fixed/improved many of the other rules for different messages.
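As an added illustration of the first three items (not a file shipped with OSSEC), here is what a centralized agent.conf on the manager can look like. It uses the `agent_config` element with its `os` and `name` matching attributes and the `realtime` attribute on syscheck directories; the directory paths, the host name `web1` and the ignore entry are assumptions chosen for the example.

```xml
<!-- Kept on the manager and pushed to every agent; each block applies only to
     agents matching its os= or name= attribute (names and paths are assumed). -->
<agent_config os="Linux">
  <syscheck>
    <!-- Real-time integrity checking (Linux agents) on a few system directories. -->
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
    <!-- Files that change constantly and would only generate noise. -->
    <ignore>/etc/mtab</ignore>
  </syscheck>
</agent_config>

<!-- Extra, host-specific block: only the agent named web1 gets this section. -->
<agent_config name="web1">
  <syscheck>
    <directories check_all="yes" realtime="yes">/var/www/html/wp-content</directories>
  </syscheck>
</agent_config>
```

Agents pick up the new configuration on their next restart, which is where the remote-restart support in agent_control from the same release comes in; real-time mode needs inotify support on the agent side, and a watched directory that is entirely untrusted (such as a web-writable upload path) is worth a tighter rule than the defaults, since every change there becomes an alert.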