OSSEC Book

It looks like our first book about OSSEC is complete and should soon be released. Andrew Hay, Rory Bray and myself* wrote it during the last few months, and we also got some great external contributions (more info to come). The book is already on Amazon**, so you can pre-order it from:

http://www.amazon.com/OSSEC-Host-Based-…

*Well, Andrew did a lot of work and pushed us a lot too, so he should get more credit for it.

**The information on Amazon is not complete yet, but they will hopefully update it soon.

Last message repeated X times (rant)

I don’t know about you, but I really hate this “last message repeated X times” on syslog. Some say it is useful to avoid floods (denial of service) of repeated messages. Others say it keeps your log files “clean”… For me, it is completely useless. If your syslog daemon supports disabling this feature (-c on FreeBSD), please do so. A few reasons why:

  1. No log analysis tool will handle this correctly, especially if we are talking about remote syslog (the analyzer has to remember the previous message per host to know what was repeated).
  2. It buffers your logs, so they are not in real time anymore.
  3. It doesn’t protect you against denial of service attacks (keep reading…)
  4. The last line of the log can itself be this annoying “last message repeated” entry, so you cannot tell what was repeated without scrolling back.

To prove my point, run this simple command on your Linux/Unix server (it generates one log entry per second):

$ while [ 1 ]; do logger "annoying..."; sleep 1; done

Wait a few minutes and check your log:

Dec 17 19:44:08 enigma dcid: annoying...
Dec 17 19:44:39 enigma last message repeated 31 times
Dec 17 19:46:40 enigma last message repeated 115 times
Dec 17 19:56:41 enigma last message repeated 589 times

The first thing you see is that the last message reported is not always the last message: it can be the one before the last one (or earlier). Secondly, my logs were buffered for about 30 seconds the first time, 2 minutes the second time and 10 minutes the third time (look at the timestamps above). Not very good for “real time” analysis, and it breaks some compliance requirements that expect events to be logged as they happen.
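To show what a log analyzer actually has to do with compressed syslog, here is an added example (not code from the original post or from OSSEC) that expands “last message repeated N times” lines back into N copies of that host’s previous message. The regular expressions, the helper names and the sample log lines are constructed for this example; the sample is modelled on the lines above plus a made-up failed-login line from a second host. It makes three caveats concrete: state has to be kept per host (remote syslog interleaves hosts), the original timestamps of the suppressed events are gone for good, and a summary line with no known previous message cannot be expanded at all.

```python
import re
from typing import Dict, Iterable, Iterator, List

# BSD-style syslog line: "Mon DD HH:MM:SS host message" (regex is an
# assumption for this example; real formats vary, see RFC 3164 / RFC 5424).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")

# Constructed sample log, modelled on the lines shown in the post.
SAMPLE: List[str] = """Dec 17 19:44:08 enigma dcid: annoying...
Dec 17 19:44:39 enigma last message repeated 31 times
Dec 17 19:44:40 copacabana sshd[1234]: Failed password for root from 10.0.0.5 port 4444 ssh2
Dec 17 19:44:41 enigma last message repeated 2 times
Dec 17 19:44:42 copacabana last message repeated 3 times
Dec 17 19:44:43 newhost last message repeated 5 times""".splitlines()


def expand_repeats(lines: Iterable[str]) -> Iterator[str]:
    """Replace each 'last message repeated N times' line with N copies of
    that host's previous (non-summary) message.

    The suppressed events' real timestamps are lost, so the copies reuse the
    summary line's timestamp: any interval-based detection sees a burst at
    the wrong time.  A summary with no known previous message for its host
    (first line after rotation, a host we have not seen) is passed through
    unchanged rather than silently dropped.
    """
    last_msg: Dict[str, str] = {}  # host -> last non-summary message text
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            yield line  # not syslog-shaped; leave untouched
            continue
        ts, host, msg = m.group("ts"), m.group("host"), m.group("msg")
        rep = REPEAT_RE.match(msg)
        if rep is None:
            last_msg[host] = msg
            yield line
            continue
        prev = last_msg.get(host)
        if prev is None:
            yield line  # nothing to expand; keep the summary so nothing is lost
            continue
        for _ in range(int(rep.group("n"))):
            yield f"{ts} {host} {prev}"


def count_matching(lines: Iterable[str], needle: str) -> int:
    """How many lines a naive substring-based rule would fire on."""
    return sum(1 for line in lines if needle in line)


if __name__ == "__main__":
    expanded = list(expand_repeats(SAMPLE))
    # A threshold rule on failed logins sees 1 event in the raw file but 4 after expansion.
    print("raw      :", count_matching(SAMPLE, "Failed password"))
    print("expanded :", count_matching(expanded, "Failed password"))
    for line in expanded[-6:]:
        print(line)
```

Run it and compare the two counts: a rule such as “alert on 3 failed logins from one host” never fires on the raw file, because the repeats were collapsed into a summary line, while after expansion it would fire, but with all four events stamped at the same second. That is the information the syslog daemon threw away, and no amount of post-processing gets it back; disabling the compression at the source is the only real fix.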

As for the people who think it protects you against denial of service attacks, try the following simple shell script (every message carries a different counter, so the daemon has nothing to compress):

$ i=1; while [ 1 ]; do logger "annoying... $i"; i=`expr $i + 1`; done

And enjoy your logs:

Dec 17 19:08:44 copacabana dcid: annoying... 1
Dec 17 19:08:45 copacabana dcid: annoying... 2
Dec 17 19:08:46 copacabana dcid: annoying... 3
Dec 17 19:08:47 copacabana dcid: annoying... 4

OSSEC + Snort Active Response

Rodrigo Montoro wrote a very interesting paper on how to execute custom active responses using Snort CSV output and OSSEC. It also shows how to write custom rules and decoders… Good read!

This paper won’t teach you to install or configure Snort or OSSEC HIDS; my goal
here is to teach you to use Snort CSV output and build rules in OSSEC for active response.
OSSEC must be installed with active-response enabled…

English version: http://www.brc.com.br/artigos/ossec-snort-activeresponse_english.pdf
Portuguese version: http://www.brc.com

OSSEC v1.4 released

We are pleased to announce the general availability of OSSEC version 1.4. This
version comes with the following major new features:

  • Support for reading database logs from PostgreSQL and MySQL (info)
  • Support for Prelude (info)
  • Support for storing the alerts on MySQL and PostgreSQL (info)
  • Support for SonicWALL logs, HP-UX ftpd, AIX 5.3 syslog, etc.

Plus lots of bug fixes and small improvements. Check the v1.4 changelog to see all changes and contributors.

Special thanks to Michael Starks, Jeff Schroeder, Steve West, Tom Bicer, Peter M. Abraham, Colby W., Slava Semushin, Sebastien Tricaud, Leonardo Goldim, Trey Valenta, Dustin Lenz and Chris Abernethy for the contributions and John Ives, Rick McClinton, Paul Sebastian Ziegler, Daniel Medianero and Liliane Cid for beta testing this release.

Download it here.

Official Announcement.

OSSEC -> Sguil

David Bianco released a test version of an agent that can take events from
OSSEC and insert them into Sguil as alerts. This is his full message to the ossec-list:

I’ve put together a test release of an agent that can take events from
the OSSEC alert.log and insert them into Sguil as alerts. It’s based
on the example agent that comes with sguil 0.7.0 (in CVS). It’s pretty
rough code at the moment, but I think I got most of the crash bugs out
of it. Still, I wouldn’t run it on production Sguil servers without
testing it yourself.

You can fetch the code from:

http://www.vorant.com/files/ossec_agent-0.01.tar.gz

OSSEC v1.4 BETA2 Available

The second beta of our 1.4 version is available for testing. You can download it directly from here:

What kind of testing do we urgently need?

  • Testing the Windows version (clean install and update) on Windows XP, 2000 and 2003
  • Testing the Unix version on Solaris, AIX, HP-UX, Mac, etc
  • Testing the database output (and checking if the docs make sense: FAQ – DB output)

In addition to that, we also need the normal testing on Linux, BSD, etc… Check out the beta 1 release post and the Beta testing page in the Wiki for details.

OSSEC v1.4 BETA1 Available

OSSEC v1.4 is soon to be available and we really need some help beta testing it. As I always say, trying out our beta releases is a simple and very effective way of helping the project.

How can you test it?
We created an entry in our Wiki with all the information necessary regarding beta testing. The test sets are very simple, but I plan to improve them as we progress. Download information, what to test and everything else are there.

What are the new features?

  • Support for storing the alerts in real time on external databases (MySQL and PostgreSQL)
  • Support for reading logs from databases (MySQL and PostgreSQL too)
  • Lots of new rules, bug fixes and performance improvements…

Any help is very appreciated.

OSSEC and Prelude

Sebastien Tricaud sent us some patches to allow the communication between OSSEC and Prelude. If you are a Prelude and OSSEC user, please check it out and let us know how it goes.

Instructions on how to set it up are available in our FAQ entry “How to enable Prelude Output?” and at this link.

You will also need to use our latest development version from http://www.ossec.net/files/snapshots/ossec-hids-071006.tar.gz