Daniel Cid – OSSEC

Indicators of Compromised Behavior with OSSEC

Posted on March 17, 2016July 3, 2020 by Daniel Cid

The core of most security products nowadays rely on being able to identify and predict how an attacker will behave. This includes most antivirus systems, Intrusion Detection Systems (IDS), Web Application Firewalls (WAF) and log management tools. The companies behind these technologies invest heavily in research and spend countless resources, both in money and people, analyzing the latest malware trends, attack vectors and vulnerabilities.

It works well, but what if we could improve upon that? Think about it, we can never really predict, nor control how an attacker will behave anyway. And we can never really know all the tools and techniques that he has available. What if our security tools have a false negative and a zero-day slips by? How do you detect the compromise and act upon it?

Import WordPress Events to OSSEC

Posted on February 3, 2016July 3, 2020 by Daniel Cid

WordPress is a very popular in the enterprise world, but a common issue that security administrators have is with visibility into platform events. System administrators want to know what is happening inside WordPress and how those events can be incorporated into their log management and log-based intrusion detection plan.

OSSEC Integrates Slack and PagerDuty

Posted on January 20, 2016July 3, 2020 by Daniel Cid

One of the new features that we open sourced and pushed to OSSEC is an “integrator” daemon that we have been using internally to connect OSSEC to external APIs and alerting tools. The first two APIs we officially added were for Slack and PagerDuty.

To get started, you have to download OSSEC from our fork, either from the development branch or from the our stable branch:

OSSEC Updated With GeoIP Support

Posted on December 9, 2015July 3, 2020 by Daniel Cid

We recently made an improvement to OSSEC with the integration of the MaxMind GeoIP database (that maps an IP to a country and/or a city). This update was important to us, as it makes it a lot easier to monitor logs and understand what is going inside your network.

New blog location

Posted on March 17, 2013July 3, 2020 by Daniel Cid

I won’t be using this blog anymore. For new content, go to http://dcid.me/notes/

Thanks!

www.ossec.net DNS and Content modified

Posted on June 26, 2012July 1, 2020 by Daniel Cid

If you visit ossec.net you will notice a pretty new design and a new home for it. The server was officially moved to a Trend server and is now being managed by Vic Hargrave (ossec@vichargrave.com) and the Trend team. If you notice anything wrong there (or broken links), please let Vic know and he will get it sorted out.

I also want to thank Marcus Maciel (from under-linux.org) for hosting the server/site during all this time (almost 8 years).

Changing topics, this is the notification I got from sucuri a few minutes after the DNS was changed to point to the new location:

*Modifications:
4c4
< ossec.net has address 107.21.93.211
—
> ossec.net has address 150.70.191.237

thanks!

Faking (all) user agents

Posted on May 24, 2012July 1, 2020 by Daniel Cid

If you are going to fake a user agent, do it right 🙂 Seeing some web scanners faking all possible browsers out there in one single request:

Firefox/3.6
Chrome/9
Firefox/3.0
Opera/9.99?
Safari
and more..

This is the actual log (searching for vulnerable oscommerce files):

66.147.240.166 – – [24/May/2012:13:50:50 +0000] “GET /admin/file_manager.php/login.php HTTP/1.1” 404 9152 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\”,\”Mozilla/5.0 (Windows; U; Windows NT 5.1; pl-PL; rv:1.8.1.24pre) Gecko/20100228 K-Meleon/1.5.4\”,\”Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/540.0 (KHTML,like Gecko) Chrome/9.1.0.0 Safari/540.0\”,\”Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Comodo_Dragon/4.1.1.11 Chrome/4.1.249.1042 Safari/532.5\”,\”Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.0.16) Gecko/2009122206 Firefox/3.0.16 Flock/2.5.6\”,\”Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/533.1 (KHTML, like Gecko) Maxthon/3.0.8.2 Safari/533.1\”,\”Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.8pre) Gecko/20070928 Firefox/2.0.0.7 Navigator/9.0RC1\”,\”Opera/9.99 (Windows NT 5.1; U; pl) Presto/9.9.9\”,\”Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-HK) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5\”,\”Seamonkey-1.1.13-1(X11; U; GNU Fedora fc 10) Gecko/20081112\”,\”Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 2.0.50727; SLCC2; .NET CLR

I wonder if it is a bug in their scanners or they did on purpose to bypass user agent restrictions.

OSSEC rule for the PHP-CGI vulnerability

Posted on May 9, 2012June 29, 2020 by Daniel Cid

I am seeing many scans for the PHP-CGI vulnerability in the wild and put up a quick OSSEC rule to detect/block those:

<rule id="31110" level="6">
<if_sid>31100</if_sid>
<url>?-d|?-s|?-a|?-b|?-w</url>
<description>PHP CGI-bin vulnerability attempt.</description>
<group>attack,</group>
</rule>

It looks for the possibly dangerous options (-d,-s,-a,-b and -w) and alerts if it sees those. This is the alert it generates when detected:

** Alert 1336547515.182029: - web,accesslog,attack,
2012 May 09 03:11:55 (honeypot3) any->/var/log/httpd/access.log
Rule: 31110 (level 6) -> 'PHP CGI-bin vulnerability attempt.'
Src IP: 93.233.72.66
93.233.72.66 - - [09/May/2012:07:11:55 +0000] "GET /index.php?-s HTTP/1.1" 200 39479 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0"

This rule is also in my repository and you can download the latest from here.

Database Logging (PostgreSQL and MySQL)

Posted on May 8, 2012June 29, 2020 by Daniel Cid

Nobody cares about database logging, but I really recommend enabling them to see what is happening behind the scenes (specially for web applications).

To enable on PostgreSQL (and be compatible with OSSEC):

# Adding the timestamp, hostname and database.
log_line_prefix = '[%m] %h:%d '

# Recommended settings:
log_connections = on
log_disconnections = on
log_duration = on

# Maybe a good idea to reduce the default log level to info:
client_min_messages = info
log_min_messages = info

# To enable query logging (all for everything or mod for inserts, updates, etc)
log_statement = 'all'

On MySQL:

To enable the generic Query log on MySQL (the error log in on by default), you need to start MySQL with –log:

/bin/sh /usr/bin/mysqld_safe --log

The best option is to modify /etc/init.d/mysqld (if using Centos) and inside the –log in there.

Nothing new, but I was searching for this information online and couldn’t find much info.

Alexa toolbar and https (not best friends)

Posted on April 12, 2012June 29, 2020 by Daniel Cid

For some reason (don’t ask my why), I decided to install the Alexa toolbar for Chrome to try it out. It works well for what it does, and I didn’t see anything wrong with it besides the expected privacy violation (tracking) of them sending all your traffic to their servers.

So every time you visit a site, a request is made to their servers to query the site rank:

192.168.1.X.44210 > 107.22.173.51.80:
GET /data/ABCD?cli=10&ver=alxg-1.1.0&dat=ns&url=http%3A//sucuri.net/ HTTP/1.1
Host: data.alexa.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.91…
Accept: */*

If you are using it, you expect those requests to be made (wich is supposed to be anonymous), so not a problem.

However, I just noticed one big issue is that they also do that for all your HTTPS traffic. So if you are visiting a https site (which would be encrypted in the wire), you are also leaking the sites you are visiting via their rank requests. So if I go to gmail.com (https), a HTTP request is made at the same time:

192.168.1.X.47733 > 23.21.107.170.80:
GET /data/ABCD?cli=10&ver=alxg-1.1.0&dat=ns&url=https%3A//gmail.com HTTP/1.1
Host: data.alexa.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.91…
Accept: */*

I actually thought their plugin (extension) would not work for HTTPS or would at least have a setting to disable it. This is specially bad because now you are leaking all your encrypted traffic browsing for anyone that is watching the wire.

*I know, I know, if you are using that toolbar you probably don’t care about privacy, but it is something to keep in mind. A simple fix is to just remove it and move on.