Week of OSSEC

Michael Starks from Immutable Security today finished his series of articles about OSSEC called “Week of OSSEC”. It was meant to coincide with his talk on OSSEC at the Rochester Security Summit.

From his blog:

As a service to the community and to coincide with my speaking on OSSEC at the Rochester Security Summit, every day during the week of October 25 through October 31, I’ll be posting a new tip on OSSEC based on my years of first-hand experience. These are the tips that make the software more usable for me and hopefully, it will for you, too. Have a tip that has helped you? Be sure to post it in the comments.

– Michael Starks

Links to the articles:

Be sure to check it out to learn more about OSSEC. Thanks Michael for sharing your experience with us.

Creating a separate directory for testing OSSEC rules/config

A question that I often hear is how to use a separate directory for testing OSSEC rules and the configuration.

The easiest way is to do the following:

1. Choose the new directory to use as a test base. In my case it is going to be /tmp/ossectest

2. Create that directory and a few important sub-directories.

# mkdir /tmp/ossectest
# mkdir /tmp/ossectest/etc
# mkdir /tmp/ossectest/queue/
# mkdir /tmp/ossectest/queue/fts
# mkdir /tmp/ossectest/rules

3. Copy over your configuration files, rules and decoders

# cp -pr /var/ossec/etc/decoder.xml /tmp/ossectest/etc
# cp -pr /var/ossec/etc/ossec.conf /tmp/ossectest/etc
# cp -pr /var/ossec/rules/* /tmp/ossectest/rules/

4. Run ossec-logtest using the new configuration and rules

# /var/ossec/bin/ossec-logtest -D /tmp/ossectest/ -c /tmp/ossectest/etc/ossec.conf

5. Now you can modify the rules and configuration at /tmp/ossectest before moving them over to the real running directory

If there is any error in the rules or in the configuration you will get an error message like this one:

# /var/ossec/bin/ossec-logtest -D /tmp/ossectest/ -c /tmp/ossectest/etc/ossec.conf
2009/10/28 12:40:27 ossec-config(1226): ERROR: Error reading XML file '/tmp/ossectest/etc/ossec.conf': XML ERR: Element not closed: globalaa (line 7).
2009/10/28 12:40:27 ossec-testrule(1202): ERROR: Configuration error at '/tmp/ossectest/etc/ossec.conf'. Exiting.

Otherwise you will be able to send any logs to logtest to test your rules.
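The steps above, wrapped in a small helper so the test base can be rebuilt and exercised repeatedly. This is an added example, not code from the original post or from OSSEC itself; it assumes the post's layout (/var/ossec as the live install, /tmp/ossectest as the test base) and a Python 3.8+ interpreter, and the only output it parses is the error format shown above.

```python
import os
import re
import shutil
import subprocess

# Assumed paths, matching the post; change them for your install.
OSSEC_ROOT = "/var/ossec"
TEST_BASE = "/tmp/ossectest"

# The two ERROR lines quoted in the post, kept here as parser input.
SAMPLE_ERROR_OUTPUT = (
    "2009/10/28 12:40:27 ossec-config(1226): ERROR: Error reading XML file "
    "'/tmp/ossectest/etc/ossec.conf': XML ERR: Element not closed: globalaa (line 7).\n"
    "2009/10/28 12:40:27 ossec-testrule(1202): ERROR: Configuration error at "
    "'/tmp/ossectest/etc/ossec.conf'. Exiting.\n"
)

def setup_testbase(src=OSSEC_ROOT, dst=TEST_BASE):
    """Steps 2 and 3: create the tree, then copy decoders, config and rules."""
    for sub in ("etc", "queue/fts", "rules"):
        os.makedirs(os.path.join(dst, sub), exist_ok=True)
    for name in ("decoder.xml", "ossec.conf"):
        shutil.copy2(os.path.join(src, "etc", name), os.path.join(dst, "etc", name))
    shutil.copytree(os.path.join(src, "rules"), os.path.join(dst, "rules"),
                    dirs_exist_ok=True)
    return dst

# "<date> <time> <module>(<code>): ERROR: <message>"
ERROR_RE = re.compile(r"^\S+ \S+ (?P<module>[\w-]+)\((?P<code>\d+)\): ERROR: (?P<msg>.*)$")

def parse_logtest_errors(output):
    """Return (module, code, message) for every ERROR line in logtest output."""
    errors = []
    for line in output.splitlines():
        m = ERROR_RE.match(line.strip())
        if m:
            errors.append((m.group("module"), int(m.group("code")), m.group("msg")))
    return errors

def run_logtest(log_line, src=OSSEC_ROOT, dst=TEST_BASE):
    """Step 4: feed one log line to ossec-logtest running against the test base.
    Returns (config_errors, raw_output); an empty error list means the
    config and rules loaded and the output holds the decoding/rule phases."""
    cmd = [os.path.join(src, "bin", "ossec-logtest"),
           "-D", dst + "/", "-c", os.path.join(dst, "etc", "ossec.conf")]
    proc = subprocess.run(cmd, input=log_line + "\n", capture_output=True,
                          text=True, check=False)
    output = proc.stdout + proc.stderr
    return parse_logtest_errors(output), output
```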

Realtime file integrity monitoring

OSSEC supports realtime (continuous) file integrity monitoring on Linux systems (since v2.2) and on the latest snapshot we added support for Windows too.

The configuration is very simple. In the <directories> option where you specify what files or directories to monitor, you just need to add the realtime="yes" attribute. For example:

<syscheck>
<directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
</syscheck>

In this case, the directories /etc, /usr/bin and /usr/sbin will be monitored in real time. The same applies to Windows too. A few notes:

  1. The real time monitoring will not start right away. First OSSEC needs to scan the file system and add each sub-directory to the realtime queue. This can take up to 30 minutes (wait for the log “ossec-syscheckd: INFO: Starting real time file monitoring”).
  2. It only works with directories, not individual files. So you can monitor the /etc or C:\program files directory, but not an individual file like /etc/file.txt.

If you are interested in this feature, please try it out on both Linux and Windows.
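A check for the second note above: list every path that carries realtime="yes" and flag those that are not directories, since such entries will not be watched in real time. This is an added example, not part of the original post or of OSSEC; it assumes the syscheck block is well-formed XML and uses a constructed sample config that extends the one above with a file entry.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample: the post's syscheck block plus one file entry that
# realtime monitoring will not honour.
SAMPLE_CONF = """<ossec_config>
  <syscheck>
    <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <directories realtime="yes">/etc/file.txt</directories>
  </syscheck>
</ossec_config>"""

def realtime_paths(conf_text):
    """Return every path listed in a <directories realtime="yes"> entry.
    ossec.conf may contain several top-level <ossec_config> blocks, so the
    text is wrapped in a synthetic root before parsing."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    paths = []
    for entry in root.iter("directories"):
        if entry.get("realtime", "no").lower() == "yes" and entry.text:
            paths.extend(p.strip() for p in entry.text.split(",") if p.strip())
    return paths

def non_directory_entries(conf_text, isdir=os.path.isdir):
    """Realtime entries that are not directories on this host. The isdir
    predicate is injectable so the check can run against another host's
    layout or a fixture."""
    return [p for p in realtime_paths(conf_text) if not isdir(p)]

def check_file(path):
    """Load an ossec.conf from disk and report offending realtime entries."""
    with open(path, encoding="utf-8") as fh:
        return non_directory_entries(fh.read())
```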

WordPress to Syslog

WPsyslog2 is a global log plugin for WordPress. It keeps track of all system events and logs them to syslog. It tracks events such as new posts, new profiles, new users, failed logins, logins, logouts, etc.

It also tracks the latest vulnerabilities and alerts if any of them are triggered, becoming very useful when integrated with a log analysis tool, like OSSEC HIDS. OSSEC requires the latest snapshot to properly analyze these logs: http://ossec.net/files/snapshots/ossec-hids-090826.tar.gz

More information, download, etc: http://www.ossec.net/wpsyslog2

OSSEC v2.2 beta1 available

OSSEC v2.2 will be released soon and we need help beta testing it. The code is pretty stable already and has been through a series of internal tests.

So, if you have a spare system or can install it on your production network, we would love to hear some feedback (just follow the instructions at our Beta testing wiki page).

New features/Bug fixes

  1. Added tool to properly validate if the system is little or big endian.
  2. Added “ignore” option to rootcheck (especially to deal with large NFS shares and avoid scanning them)
  3. Added option to log every rootcheck event (not only the FTS ones).
  4. Fixed configuration error when no parameter was given to the agent.conf file
  5. Added rules to ignore constant CRON login/logout alerts (happening on Debian/Ubuntu)
  6. Changed the way we handle Windows sockets to avoid timeouts on shared files
  7. Added support for roundcube logs. (Thanks to Michael Starks for the work).
  8. Added support for Netscreen alert (IDS) events.
  9. Added command line options to the manage_agents tool.
  10. Fixed issue of duplicated IP addresses on syscheck_control. (Patch by ddpbsd at gmail.com).
  11. Fixed the way we handle /0 netmasks on all the control tools.
  12. Added custom fine-grained entries to syscheck on Windows. The goal is to reduce the number of directories checked and increase usefulness.
  13. Added option to disable message id checks. Useful when you plan to reuse keys.
  14. Added support for WordPress logs. They come from the wpsyslog2 plugin that we modified to log everything to syslog (from new posts, new comments, logins, logouts, etc).
  15. Added support for escaping "<" on the XML and regex libraries.
  16. Fixed bug on syscheck_control where the zero/ignore options were not working on some systems. (Thanks to Michael Starks for the report).
  17. Added support for Trend OSCE (Office scan) log files
  18. Fixed installation script on AIX to only use /bin/false if it is installed.

Download

Thanks!

Q&A: OSSEC, the open source host-based intrusion detection system

Mirko Zorz from Help Net Security did an interview with me regarding OSSEC, how it was created, evolved, etc.

Link to the interview: http://www.net-security.org/article.php?id=1284.

Daniel B. Cid is the founder of the open source OSSEC HIDS and a principal researcher at Trend Micro. He has a special interest in intrusion detection, log analysis and secure development. In this interview he discusses the open source host-based intrusion detection system in detail.

Give our readers some background on the OSSEC project. How did it all start and evolve?

OSSEC is an open source HIDS that merges log analysis, file integrity monitoring, rootkit detection and active responses. It started as a side-project to help me solve some problems that I had on a previous job (6-7 years ago)…

Thanks Mirko for the great questions and interview.

Introducing OSSEC

Michael Starks published a very interesting blog post on why he uses OSSEC.

Surprisingly, I was getting much more useful information from OSSEC than I did from the commercial HIDs. What OSSEC lacked in presentation, it far made up for in actual useful, actionable information. I got alerts which indicated things I really wanted to know about. And the more I tuned, the more relevant it became. I was expecting to have to make considerable concessions by not using a commercial HIDs; what I didn’t expect was to get far more value for free.

The guys at Hacker Target published a good document on installing OSSEC: http://hackertarget.com/2009/08/ossec-introduction-and-installation-guide/ and Sucuri posted another interesting article showing the benefits of log analysis: http://blog.sucuri.net/2009/08/curiosity-killed-cat.html

OSSEC v2.1.1 released

Yes, I have been neglecting my own blog for a while… Anyway, just in case you missed the announcement, about a month ago, we released v2.1.1. Link:

http://www.ossec.net/main/ossec-v21-released

We are pleased to announce the general availability of OSSEC version 2.1.
This new version is the first one with support for centralized configurations and realtime integrity monitoring on Linux. It also includes many other features and bug fixes:

* Centralized configuration – The agent.conf file was introduced to allow granular configuration of the agents directly on the manager side.
* Remote agent restart – Functionality was added to restart the agents remotely using the agent_control tool.
* Real time integrity checking – Real time integrity checking was added to Linux systems.
* New Log Rules Support – We added support for Windows DHCP logs and fixed/improved many of the other rules for different messages.

I (HEART) OSSEC

Justin Foster of DevelopingSecurity.com wrote an amazing article for the OSSEC site:

In the open source world some projects have taken on beloved status by their loyal user base. OSSEC is one of them, and for good reason.

For those of you unfamiliar, OSSEC (pronounced Oh-Sec) is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

Over a year and a half ago I was tasked to review OSSEC as a potential acquisition for Third Brigade. I was of course, sufficiently impressed with OSSEC’s capabilities, but I was surprised at the level of respect it had developed in the community. I was curious as to why OSSEC had such a solid reputation.

Read in FULL: I heart OSSEC