Site down last night

Thanks to everyone who sent notes that our site was down last night. We were switching servers and not everything got migrated in time. I was happy that Sucuri notified me promptly:

Modifications:
%WARN: Size reduced by more than 50%. – Previous size: 2761. Current size: 984 (in bytes)
%INFO: Server setting changes – > <title>WordPress › Error
%ERROR: Error establishing a database connection
Changes follow:

14,20c14
< <title>
< Welcome to the Home of OSSEC
..
> Error establishing a database connection

They have a nice solution that does integrity checking on web sites, domains, etc. That was the other alert I got:

Sucuri nbim: http://www.ossec.net DNS modified

Modifications:
5d4
< ossec.net has address 75.126.x.z
> ossec.net has address 74.86.x.z

OSSEC v2.4 BETA available

OSSEC v2.4 BETA is available and we need testers. You can find more information about it and new features in here:

http://www.ossec.net/wiki/Dev:BetaTesting

If you ever wanted to contribute to OSSEC (or to any open source project), that’s the easiest way to get involved. Just download the BETA, check that everything still works, try out some of the new features if you have time, and let us know how it goes. You can submit your feedback here, via the wiki, on the mailing list, or personally to me via email.

http://www.ossec.net/wiki/Dev:BetaTesting

We appreciate any feedback.

Detecting USB Storage Usage with OSSEC

Xavier wrote a very interesting article on Detecting USB Storage Usage with OSSEC. He used our policy auditing module for that, but I think USB monitoring can be done in a much easier way with our new check_diff feature. You need our latest snapshot for it to work (or wait until v2.4 is out).

To get started, first configure your Windows agents to monitor the USBSTOR registry entry using the reg command:

<agent_config os="windows">
  <localfile>
    <log_format>full_command</log_format>
    <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
  </localfile>
</agent_config>

Next create a local rule for that command:

<rule id="140125" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'reg QUERY</match>
  <check_diff />
  <description>New USB device connected</description>
</rule>

Now, after a few minutes, you will see a directory at /var/ossec/queue/diff/[agent_name]/[rule_id] containing the current snapshot of this command's output. Once someone plugs in a new USB device you will get an alert like this:

** Alert 1268687754.35062: mail  - local,syslog,
2010 Mar 15 18:15:54 (xx-netbook) any->reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
Rule: 140125 (level 7) -> 'New USB device connected'
Src IP: (none)
User: (none)
ossec: output: 'reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR':! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_&Prod_USB_Flash_Memory&Rev_5.00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Hitachi&Prod_HTS543225L9A300&Rev_
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_LEXAR&Prod_JD_FIREFLY&Rev_1100
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SAMSUNG&Prod_HM160JC&Rev_0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Sony&Prod_DSC&Rev_1.00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_TomTom&Prod_ONE_XXL_IQ_Rts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_USB_2.0&Prod_USB_Flash_Drive&Rev_0.00

Previous output:

ossec: output: 'reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR':
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_&Prod_USB_Flash_Memory&Rev_5.00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Hitachi&Prod_HTS543225L9A300&Rev_
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SAMSUNG&Prod_HM160JC&Rev_0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Sony&Prod_DSC&Rev_1.00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_TomTom&Prod_ONE_XXL_IQ_Rts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_USB_2.0&Prod_USB_Flash_Drive&R

I think we can expand this to create all sorts of nice rules…

Alerting when a log or output of a command changes

If you want to create alerts when a log or the output of a command changes, take a look at the new <check_diff /> option in the rules (available on the latest snapshot).

To demonstrate with an example, we will create a rule to alert when there is a new port open in listening mode on our server.

First, we configure OSSEC to run the ‘netstat -tan |grep LISTEN’ command by adding the following to ossec.conf:

<localfile>
  <log_format>full_command</log_format>
  <command>netstat -tan |grep LISTEN|grep -v 127.0.0.1</command>
</localfile>

After that, I add a rule to alert when its output changes:

<rule id="140123" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'netstat -tan |grep LISTEN</match>
  <check_diff />
  <description>Listened ports have changed.</description>
</rule>

Note the <check_diff /> option. The first time the rule receives the event, it stores the output in an internal database. Every subsequent time it receives the same event, it compares the new output against what was stored and only alerts if the output has changed.

In our example, after configuring OSSEC, I started netcat to listen on port 23456 and that’s the alert I got:

OSSEC HIDS Notification.
2010 Mar 11 19:56:30

Received From: XYZ->netstat -tan |grep LISTEN|grep -v 127.0.0.1
Rule: 140123 fired (level 7) -> "Listened ports have changed."
Portion of the log(s):

ossec: output: 'netstat -tan |grep LISTEN|grep -v 127.0.0.1':
tcp4       0      0 *.23456           *.*               LISTEN
tcp4       0      0 *.3306            *.*               LISTEN
tcp4       0      0 *.25              *.*               LISTEN
Previous output:
ossec: output: 'netstat -tan |grep LISTEN|grep -v 127.0.0.1':
tcp4       0      0 *.3306            *.*               LISTEN
tcp4       0      0 *.25              *.*               LISTEN

What do you think? We can probably extend this idea to create very interesting rules…
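To make the behaviour of <check_diff /> concrete for both the USB registry rule in the previous post and the netstat rule in this one, here is an added Python model; it is not OSSEC's own code (the real option is implemented inside the analysis daemon) and is written only to illustrate the logic. The first output seen for an agent/rule pair is stored silently, identical later outputs produce nothing, and a changed output yields the added and removed lines that the alert would carry. The DiffStore class, the describe_usb helper and the sample command outputs are constructed for this example, and the snapshot lives in a dict rather than under /var/ossec/queue/diff.

```python
"""Model of OSSEC's <check_diff /> rule option (added example, not OSSEC's own code)."""
import difflib
from typing import Dict, List, Optional, Tuple


class DiffStore:
    """Stand-in for the per-agent, per-rule snapshots OSSEC keeps under
    /var/ossec/queue/diff/<agent>/<rule_id>. Assumption: an in-memory dict is
    enough to show the behaviour; the real engine writes files."""

    def __init__(self) -> None:
        self._last: Dict[Tuple[str, int], str] = {}

    def check_diff(self, agent: str, rule_id: int, output: str) -> Optional[dict]:
        """Return None when the output is seen for the first time or is unchanged;
        otherwise return what changed, which is what the alert would report."""
        key = (agent, rule_id)
        previous = self._last.get(key)
        self._last[key] = output          # the newest output always becomes the snapshot
        if previous is None or previous == output:
            return None
        prev_lines: List[str] = previous.splitlines()
        cur_lines: List[str] = output.splitlines()
        return {
            "added": [line for line in cur_lines if line not in prev_lines],
            "removed": [line for line in prev_lines if line not in cur_lines],
            "diff": "\n".join(difflib.unified_diff(prev_lines, cur_lines,
                                                   "previous", "current", lineterm="")),
            "previous": previous,
            "current": output,
        }


def describe_usb(reg_path: str) -> Dict[str, str]:
    """Split a USBSTOR key such as '...\\Disk&Ven_LEXAR&Prod_JD_FIREFLY&Rev_1100'
    into its Ven/Prod/Rev fields so an alert can name the device."""
    leaf = reg_path.rsplit("\\", 1)[-1]
    fields: Dict[str, str] = {}
    for part in leaf.split("&")[1:]:      # element 0 is the device class, e.g. 'Disk'
        key, _, value = part.partition("_")
        fields[key] = value
    return fields


# Constructed sample outputs, modelled on the two alerts shown in the posts.
USB_BEFORE = "\n".join([
    "! REG.EXE VERSION 3.0",
    "",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07",
])
USB_AFTER = (USB_BEFORE + "\n" +
             r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_LEXAR&Prod_JD_FIREFLY&Rev_1100")

NETSTAT_BEFORE = "\n".join([
    "tcp4       0      0 *.3306            *.*               LISTEN",
    "tcp4       0      0 *.25              *.*               LISTEN",
])
NETSTAT_AFTER = "tcp4       0      0 *.23456           *.*               LISTEN\n" + NETSTAT_BEFORE


def run_demo():
    """Replay the sequence of command outputs an agent would send and collect the results."""
    store = DiffStore()
    first = store.check_diff("xx-netbook", 140125, USB_BEFORE)   # stored silently -> None
    same = store.check_diff("xx-netbook", 140125, USB_BEFORE)    # unchanged -> None
    usb = store.check_diff("xx-netbook", 140125, USB_AFTER)      # new key -> alert data
    store.check_diff("XYZ", 140123, NETSTAT_BEFORE)
    net = store.check_diff("XYZ", 140123, NETSTAT_AFTER)         # port 23456 appeared
    return first, same, usb, net


if __name__ == "__main__":
    _, _, usb, net = run_demo()
    for line in usb["added"]:
        print("New USB device:", describe_usb(line))
    print(net["diff"])
```

The "added" list is what you would want in the alert subject: for the USB case it names the vendor and product of the device that appeared, for the netstat case the single new LISTEN line. Note that a device being unplugged shows up only in "removed", so a rule that should react to both directions needs to look at both lists.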

Daily email reports

If you want to receive daily email reports (summaries) of your OSSEC alerts, you will like this new feature.

First, start off by downloading the latest snapshot: http://www.ossec.net/files/snapshots/ (get the latest file from there).

Then you will be able to use the “reports” option to configure which alerts you want to receive summarized at the end of the day (instead of in real time). You can use the following options:

group: Filter by group
categories: Filter by group (alias for the above)
rule: Filter by rule id
level: Filter by severity
location: Filter by the log location or agent name
srcip: Filter by a source IP
user: Filter by a user name

You can also use the same options with type="relation" specified to get the relation between fields. For example, <srcip type="relation">user</srcip> will get you a list of users per source IP.

Every report must have a <title> specified and as many “email_to” as you want.

Example 1: Receive a summary of all authentication successes:

<ossec_config>
  <reports>
    <category>authentication_success</category>
    <user type="relation">srcip</user>
    <title>Daily report: Successful logins</title>
    <email_to>me@myemail.com</email_to>
  </reports>
</ossec_config>

Example 2: Receive a summary of all file integrity monitoring (syscheck) alerts:

<ossec_config>
  <reports>
    <category>syscheck</category>
    <title>Daily report: File changes</title>
    <email_to>me@myemail.com</email_to>
  </reports>
</ossec_config>
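As an added example that is not part of this post and not OSSEC's own reporting code, the following Python summariser reads alerts in the format shown in the USB post above, applies the filters listed here (group, rule, level, location, srcip, user) and builds the type="relation" grouping, so the two report configurations can be tried against sample data. The alert text, hostnames, addresses and user names are constructed; rule ids 140125 and 5715/550 are taken from the post and from OSSEC's stock ruleset respectively. Treating the level filter as a minimum severity, and letting location match either the log location or the agent name, are assumptions about the option semantics.

```python
"""Model of OSSEC daily report filtering and relations (added example, not OSSEC's own code)."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# One regex per header line of the alert format shown in the posts.
HEADER_RE = re.compile(r"\*\* Alert (?P<id>[\d.]+): (?:mail\s+)?- (?P<groups>.*)$")
WHEN_RE = re.compile(r"(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
                     r"(?:\((?P<agent>[^)]*)\) )?(?P<src>\S+?)->(?P<location>.*)$")
RULE_RE = re.compile(r"Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
SRCIP_RE = re.compile(r"Src IP: (?P<srcip>.*)$")
USER_RE = re.compile(r"User: (?P<user>.*)$")


def parse_alerts(text: str) -> List[dict]:
    """Split alerts.log-style text into one dict per alert; malformed blocks are skipped."""
    alerts = []
    for block in re.split(r"(?m)^(?=\*\* Alert )", text):
        lines = block.strip("\n").split("\n")
        if len(lines) < 5:
            continue
        head = [HEADER_RE.match(lines[0]), WHEN_RE.match(lines[1]), RULE_RE.match(lines[2]),
                SRCIP_RE.match(lines[3]), USER_RE.match(lines[4])]
        if not all(head):
            continue
        h, w, r, s, u = head
        alerts.append({"id": h["id"], "groups": [g for g in h["groups"].split(",") if g],
                       "timestamp": w["ts"], "agent": w["agent"] or w["src"],
                       "location": w["location"], "rule": int(r["rule"]),
                       "level": int(r["level"]), "description": r["desc"],
                       "srcip": s["srcip"], "user": u["user"], "log": "\n".join(lines[5:])})
    return alerts


def filter_alerts(alerts: List[dict], group: Optional[str] = None, rule: Optional[int] = None,
                  level: Optional[int] = None, location: Optional[str] = None,
                  srcip: Optional[str] = None, user: Optional[str] = None) -> List[dict]:
    """Apply the report options from the post. Assumptions: `level` is a minimum
    severity and `location` matches either the log location or the agent name."""
    def keep(a: dict) -> bool:
        return ((group is None or group in a["groups"])
                and (rule is None or a["rule"] == int(rule))
                and (level is None or a["level"] >= int(level))
                and (location is None or location in (a["location"], a["agent"]))
                and (srcip is None or a["srcip"] == srcip)
                and (user is None or a["user"] == user))
    return [a for a in alerts if keep(a)]


def relation(alerts: List[dict], key: str, value: str) -> Dict[str, List[str]]:
    """<key type="relation">value</key>: the distinct values seen for each key."""
    seen: Dict[str, set] = {}
    for a in alerts:
        seen.setdefault(a[key], set()).add(a[value])
    return {k: sorted(v) for k, v in sorted(seen.items())}


def daily_report(text: str, title: str, relation_fields: Optional[Tuple[str, str]] = None,
                 **filters) -> dict:
    """Build one <reports> entry: title, matching alert count and either the
    relation table or a count per rule description."""
    matched = filter_alerts(parse_alerts(text), **filters)
    rows = (relation(matched, *relation_fields) if relation_fields
            else dict(Counter(a["description"] for a in matched)))
    return {"title": title, "count": len(matched), "rows": rows}


# Constructed sample day of alerts in the format shown in the USB post.
SAMPLE_ALERTS = r"""
** Alert 1268561000.1001: mail  - syslog,sshd,authentication_success,
2010 Mar 14 10:00:00 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 192.0.2.10
User: alice
Mar 14 10:00:00 web01 sshd[1234]: Accepted password for alice from 192.0.2.10 port 5001 ssh2

** Alert 1268561060.1002: mail  - syslog,sshd,authentication_success,
2010 Mar 14 10:01:00 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 192.0.2.10
User: bob
Mar 14 10:01:00 web01 sshd[1250]: Accepted publickey for bob from 192.0.2.10 port 5002 ssh2

** Alert 1268564600.1003: mail  - syslog,sshd,authentication_success,
2010 Mar 14 11:00:00 (db01) 10.0.0.6->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 198.51.100.7
User: alice
Mar 14 11:00:00 db01 sshd[2001]: Accepted password for alice from 198.51.100.7 port 6001 ssh2

** Alert 1268568200.1004: mail  - ossec,syscheck,
2010 Mar 14 12:00:00 (db01) 10.0.0.6->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Src IP: (none)
User: (none)
Integrity checksum changed for: '/etc/hosts'

** Alert 1268687754.35062: mail  - local,syslog,
2010 Mar 15 18:15:54 (xx-netbook) any->reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
Rule: 140125 (level 7) -> 'New USB device connected'
Src IP: (none)
User: (none)
ossec: output: 'reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR':
"""

if __name__ == "__main__":
    print(daily_report(SAMPLE_ALERTS, "Daily report: Successful logins",
                       relation_fields=("user", "srcip"), group="authentication_success"))
    print(daily_report(SAMPLE_ALERTS, "Daily report: File changes", group="syscheck"))
```

Running it prints the two reports from the examples above: the first lists, per user, every source IP that user logged in from during the day, which is the relation the post describes; the second is a plain count of syscheck alerts by description.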

Please try it out and let us know if you have suggestions or find any bugs…