Compiling the Windows Agent from a Linux system

It has always been a pain to generate snapshots for Windows because it required me to open up my Windows VM (slow), push the code there, compile, etc. Well, until this week, when I started to play with the MinGW cross-compilation feature to build a Windows agent completely from Linux.

How does it work? First, you need to install MinGW and makensis (NSIS, to build the installer). On Ubuntu, it is just:

apt-get install mingw32 mingw32-binutils mingw32-runtime
apt-get install nsis

After that, download the latest snapshot from http://ossec.net/files/snapshots/ and generate the Windows package directory (where xx is the snapshot date):

wget http://www.ossec.net/files/snapshots/ossec-hids-xx.tar.gz
tar -zxvf ossec-hids-xx.tar.gz
cd ossec-hids-xx/src/win32
./gen-win.sh

Now you will have the win-pkg directory under src. Go there and run make.sh; your Windows agent package should be created in a few minutes:

cd ../win-pkg
sh ./make.sh

You will see the following on the screen:

Making windows agent
rootcheck/win-common.c: In function ‘__os_winreg_querykey’:
rootcheck/win-common.c:279: warning: pointer targets in passing argument 7 of ‘RegEnumValueA’ differ in signedness
win-registry.c: In function ‘os_winreg_querykey’:

Output: “ossec-win32-agent.exe”
Install: 7 pages (448 bytes), 3 sections (3144 bytes), 379 instructions (10612 bytes), 247 strings (42580 bytes), 1 language table (346 bytes).
Uninstall: 5 pages (320 bytes),
1 section (1048 bytes), 301 instructions (8428 bytes), 166 strings (2646 bytes), 1 language table (290 bytes).
Datablock optimizer saved 8371 bytes (~0.7%).

This means that your agent installer, ossec-win32-agent.exe, was created properly.
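As an added example (not code from this post or from OSSEC), here is a small check to run on the finished installer before it is copied to Windows hosts. The NSIS summary above only says the file was written; this confirms the file is a well-formed 32-bit PE image and prints its SHA-256 so the hash can be published next to the download. The file name is the one from the output above; the rest is the example's own.

```python
"""Added example, not part of OSSEC or the post: sanity-check the installer
that make.sh writes before copying it to Windows hosts.  The NSIS summary
only confirms the file was written; this verifies the file is a well-formed
32-bit PE image and prints its SHA-256 so the hash can be published next to
the download.
"""
import hashlib
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C   # machine type of 32-bit x86 images, which is
                                  # what the mingw32 toolchain and NSIS produce


def pe_machine(data):
    """Return the COFF Machine field of a PE image or raise ValueError.
    Layout: 'MZ' at offset 0, e_lfanew (offset of 'PE\\0\\0') at 0x3C,
    then the 20-byte COFF header whose first field is Machine."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ DOS header")
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    if pe_offset + 24 > len(data) or data[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    (machine,) = struct.unpack_from("<H", data, pe_offset + 4)
    return machine


def check_installer_bytes(data):
    """Return (ok, detail): detail is the SHA-256 hex digest when the image is
    a 32-bit PE, otherwise the reason it was rejected."""
    try:
        machine = pe_machine(data)
    except ValueError as e:
        return False, str(e)
    if machine != IMAGE_FILE_MACHINE_I386:
        return False, "unexpected machine type 0x%04x" % machine
    return True, hashlib.sha256(data).hexdigest()


def check_installer(path="ossec-win32-agent.exe"):
    """Same check on a file; a missing or unreadable file is a failure too."""
    try:
        with open(path, "rb") as f:
            return check_installer_bytes(f.read())
    except OSError as e:
        return False, str(e)


if __name__ == "__main__":
    import sys
    ok, detail = check_installer(*sys.argv[1:2])
    print(("OK  sha256=%s" if ok else "FAIL: %s") % detail)
    sys.exit(0 if ok else 1)
```

Run it from the win-pkg directory after make.sh finishes (or pass the path as the first argument). A non-zero exit means the file is not a 32-bit PE image and should not be distributed.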

Centralized agent configuration

If you want to configure your agents remotely, you will be happy to know that we now support it. Right now, we allow centralized configuration for file integrity checking (syscheckd), rootkit detection (rootcheck) and log analysis.

This is how it works.

Create the file /var/ossec/etc/shared/agent.conf on the manager.

Inside the file you can configure the agent just as you normally would in ossec.conf:

<agent_config>
<localfile>
<location>/var/log/my.log</location>
<logtype>syslog</logtype>
</localfile>
</agent_config>

You also have a few more options: you can restrict a block to specific agents by name, or by operating system:

<agent_config name="agent1|agent2">
<localfile>
<location>/var/log/my.log</location>
<logtype>syslog</logtype>
</localfile>
</agent_config>

<agent_config os="Linux|OpenBSD">
<localfile>
<location>/var/log/my.log2</location>
<logtype>syslog</logtype>
</localfile>
</agent_config>

<agent_config os="Windows">
<localfile>
<location>C:\myapp\my.log</location>
<logtype>syslog</logtype>
</localfile>
</agent_config>

Only the matching agents will apply each block, which gives you fine-grained control when pushing configuration to all your agents.

Once configured, the manager pushes the file to the agents. Note that this can take a while to complete (the manager caches the shared files and only re-reads them every few hours). If you restart the manager, the configuration is pushed much sooner.
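Because one bad filter in agent.conf lands on every agent, it is worth previewing which blocks a given agent will pick up before the manager pushes the file. The script below is an added example, not OSSEC code; it assumes, from the examples above rather than from OSSEC source, that name= and os= are patterns in which | separates alternatives (treated here as regular expressions searched in the agent name and OS string) and that a block without either attribute applies to every agent. The sample agent.conf is constructed from the blocks above, with a different log path in the name-filtered block so the results can be told apart.

```python
"""Added example, not OSSEC code: preview which <agent_config> blocks of a
shared agent.conf a given agent will pick up, so a wrong name= or os= filter
is caught before the manager pushes the file to every agent.

Assumption, taken from the post's examples rather than from OSSEC source:
name= and os= are patterns in which '|' separates alternatives, matched
against the agent's name and its OS string; a block without either attribute
applies to every agent.  They are treated as regular expressions here.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample agent.conf mirroring the post's four blocks (unfiltered,
# name-filtered, and two os-filtered).
AGENT_CONF = """
<agent_config>
  <localfile><location>/var/log/my.log</location><logtype>syslog</logtype></localfile>
</agent_config>
<agent_config name="agent1|agent2">
  <localfile><location>/var/log/auth.log</location><logtype>syslog</logtype></localfile>
</agent_config>
<agent_config os="Linux|OpenBSD">
  <localfile><location>/var/log/my.log2</location><logtype>syslog</logtype></localfile>
</agent_config>
<agent_config os="Windows">
  <localfile><location>C:\\myapp\\my.log</location><logtype>syslog</logtype></localfile>
</agent_config>
"""


def parse_agent_conf(text):
    """agent.conf holds several top-level <agent_config> elements, so it is
    not one XML document: wrap it in a synthetic root first.  A malformed
    file raises ET.ParseError here, which is where you want to see it."""
    return ET.fromstring("<root>" + text + "</root>").findall("agent_config")


def parse_error(text):
    """Return the parser's message for a malformed agent.conf, else None."""
    try:
        parse_agent_conf(text)
    except ET.ParseError as e:
        return str(e)
    return None


def _matches(pattern, value):
    # No attribute means no restriction.  Otherwise the attribute is used as
    # a regex searched in the agent's value, so "Linux" also matches an OS
    # string such as "Linux 2.6.28".
    return pattern is None or re.search(pattern, value) is not None


def applicable_blocks(blocks, agent_name, agent_os):
    """The <agent_config> elements whose name= and os= both accept this agent."""
    return [b for b in blocks
            if _matches(b.get("name"), agent_name) and _matches(b.get("os"), agent_os)]


def monitored_locations(text, agent_name, agent_os):
    """The <localfile> locations the named agent would end up monitoring."""
    return [lf.findtext("location")
            for b in applicable_blocks(parse_agent_conf(text), agent_name, agent_os)
            for lf in b.findall("localfile")]


if __name__ == "__main__":
    err = parse_error(AGENT_CONF)
    if err:
        raise SystemExit("agent.conf does not parse: " + err)
    for name, os_ in [("agent1", "Linux 2.6.28"), ("agent3", "Windows XP"),
                      ("agent20", "OpenBSD 4.5")]:
        print(name, os_, monitored_locations(AGENT_CONF, name, os_))
```

Note the last case: with an unanchored pattern, name="agent1|agent2" also matches agent20, because "agent2" is a substring of its name. If the matcher really is a regex, anchor names you mean exactly (name="^(agent1|agent2)$"); if it turns out to be an exact comparison, the regex assumption in _matches is the one line to change.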

OSSEC uservoice

We are always getting lots of feature suggestions and ideas for OSSEC, and via email they are hard to track. We have our Bugzilla, but most users find it too complicated to use.

Because of that, we are putting online an OSSEC UserVoice, where you can share your ideas, vote on other people's ideas, add bugs, comments, etc. With the voting mechanism we will be able to see which features are most wanted and work harder on them.

Link:
http://ossec.uservoice.com/

Thanks,

Splunk + OSSEC Integration

This is a guest article by Dale Neufeld – canuck.eh at gmail.com

The status of the next version of the OSSEC web interface is one of the more commonly asked questions on the mailing list and is currently #2 on the community requested feature list (http://ossec.uservoice.com). While web interfaces are nice to have, many of us suffer from information island overload by having dedicated web interfaces for each application. This is why I was stoked when the syslog output feature was announced last summer (http://www.ossec.net/dcid/?p=139) and officially added in version 1.6. Now I can incorporate OSSEC alerts into my SIM/SIEM or log management tool of choice, which not only eliminates the need for a dedicated OSSEC web interface but also allows for simplified incident analysis through aggregation and correlation.

Full article at http://www.ossec.net/main/splunk-ossec-integration

Trend Micro to Acquire Third Brigade

Fresh news from http://www.ossec.net/main/trend-micro-to-acquire-third-brigade:

On April 29, 2009 Trend Micro announced a definitive agreement to acquire the business of Third Brigade, a privately-held security and compliance software company headquartered in Ottawa, Canada that owns the OSSEC project. The acquisition is subject to customary approvals and is expected to close in the 2nd quarter of 2009.

So basically, they will be acquiring Third Brigade and the OSSEC project. They are committed to maintaining OSSEC as an open source project.

More updates soon…

Thanks,

OSSEC to Twitter

Want to see your OSSEC alerts on Twitter? We just added support for that in the latest snapshot.

To make it work, first update to the latest snapshot and add the following to your ossec.conf:

<command>
<name>ossec-tweeter</name>
<expect></expect>
<executable>ossec-tweeter.sh</executable>
</command>

<active-response>
<command>ossec-tweeter</command>
<location>server</location>
<level>6</level>
</active-response>

The first entry, "command", defines the active response script, and the second one, "active-response", configures when to execute it. In my example above, I chose to execute it for every alert of level 6 or higher. Note that you can't run it on the individual agents, just on the management server.

After that, you need to configure the Twitter script with the appropriate credentials. Open the file /var/ossec/active-response/bin/ossec-tweeter.sh and modify the first two entries (the password sits there in clear text, so keep the file unreadable to other users on the server):

TWITTERUSER="youruser"
TWITTERPASS='yourpass'

If you want to send direct messages to yourself (or any other account), also set the direct msg user variable:

DIRECTMSGUSER=””

After that, just restart OSSEC and wait for the updates. If you want some examples, check the ossec twitter page.
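To show what the "command" entry above actually wires up, here is an added example of a notification-style active response command written in Python. It is not ossec-tweeter.sh and not OSSEC code: the argument order it reads (action, user, source IP, alert id, rule id) is the one the stock firewall-drop.sh script reads as $1..$5, while the credential file location, its user:password format and the HTTP endpoint are this example's own assumptions. It deliberately posts only the alert and rule identifiers, since anything tweeted from a normal account is public.

```python
"""Added example, not OSSEC code and not the ossec-tweeter.sh from the post:
the shape of a notification-style active-response command.  execd runs the
<executable> named in <command> with positional arguments; the order used
here (action, user, source IP, alert id, rule id) is what the stock
firewall-drop.sh reads as $1..$5.  Credential file and endpoint are assumed.
"""
import base64
import os
import stat
import sys
import urllib.parse
import urllib.request

MAX_STATUS = 140        # Twitter's status length limit at the time of the post
CRED_FILE = "/var/ossec/etc/tweeter.cred"        # hypothetical: "user:pass", mode 0600
POST_URL = "https://example.invalid/statuses/update"   # placeholder endpoint


def parse_args(argv):
    """Map execd's positional arguments to names.  With an empty <expect>,
    user and source IP are not extracted from the alert and arrive as '-'."""
    fields = ["action", "user", "srcip", "alert_id", "rule_id"]
    given = list(argv[1:6])
    return dict(zip(fields, given + ["-"] * (len(fields) - len(given))))


def build_status(args):
    """Compose the message.  Only identifiers go out, so a public timeline
    never carries hostnames or log excerpts; the full alert stays in
    /var/ossec/logs/alerts/alerts.log, findable by alert_id."""
    text = "OSSEC alert %s (rule %s)" % (args["alert_id"], args["rule_id"])
    if args["srcip"] != "-":
        text += " from %s" % args["srcip"]
    return text[:MAX_STATUS]


def credentials_mode_ok(mode):
    """A regular file that is neither group- nor world-accessible."""
    return stat.S_ISREG(mode) and (mode & 0o077) == 0


def load_credentials(path=CRED_FILE):
    """Read user:password, refusing a file other users could read."""
    st = os.stat(path)
    if not credentials_mode_ok(st.st_mode):
        raise PermissionError("%s must be a regular file with mode 0600" % path)
    with open(path) as f:
        user, _, password = f.read().strip().partition(":")
    if not user or not password:
        raise ValueError("expected user:password in %s" % path)
    return user, password


def post_status(text, user, password, url=POST_URL):
    """HTTP Basic auth POST of status=<text>; returns the HTTP status code."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    body = ("status=" + urllib.parse.quote(text)).encode()
    req = urllib.request.Request(url, data=body,
                                 headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.getcode()


if __name__ == "__main__":
    args = parse_args(sys.argv)
    # execd calls the script again with "delete" when a <timeout> is set;
    # a notification has nothing to undo.
    if args["action"] != "add":
        sys.exit(0)
    user, password = load_credentials()
    post_status(build_status(args), user, password)
```

The same gating that the <level> element does on the manager could also be done here per rule id, but keeping the policy in ossec.conf means the script never has to be edited when the threshold changes.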

Integrity checking application profiles

We are trying to make syscheck (the integrity checking module in OSSEC) more useful than it is now, and we are looking for contributions to create application profiles. What we are looking for, exactly, is a list of files/directories (or registry entries) per application to be added to OSSEC.

For example, files used by qmail:

/var/qmail/control/
/var/qmail/rc

by Named:

/var/named/chroot/etc
/var/named/data/

by Apache:

/var/www/htdocs/

A few more are on the wiki: http://www.ossec.net/wiki/index.php/Dev:Syscheck

We need them for Windows and Unix applications (including IIS, anti-virus, etc.), open source and commercial. Any feedback is more than welcome.

* You can add your own to the wiki or just reply here.
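Once such profiles exist, the natural way to ship them is through the centralized agent.conf described earlier, so that the qmail profile only reaches agents that run qmail's platform. The script below is an added example, not OSSEC code: it turns profiles of the kind this post asks for into <agent_config> blocks with a <syscheck> section. The element names (<syscheck>, <directories check_all="yes">, <windows_registry>) are OSSEC's syscheck syntax; the profile dictionary format, the Windows application and its paths are this example's own, and the Unix paths are the ones listed above.

```python
"""Added example, not OSSEC code: turn per-application syscheck profiles of
the kind the post asks for into <agent_config> blocks for the shared
agent.conf, so each profile is pushed only to agents whose OS can run that
application.  <syscheck>, <directories check_all="yes"> and
<windows_registry> are OSSEC's element names; the profile format is made up.
"""
import xml.etree.ElementTree as ET

# Constructed profiles using the paths from the post.  "os" is the value for
# the agent_config os= attribute; "name" would restrict by agent name instead.
PROFILES = [
    {"app": "qmail", "os": "Linux|OpenBSD",
     "dirs": ["/var/qmail/control/", "/var/qmail/rc"]},
    {"app": "named", "os": "Linux",
     "dirs": ["/var/named/chroot/etc", "/var/named/data/"]},
    {"app": "apache", "os": "Linux|OpenBSD",
     "dirs": ["/var/www/htdocs/"]},
    {"app": "example-win-app", "os": "Windows",      # hypothetical Windows profile
     "dirs": ["C:\\Program Files\\ExampleApp"],
     "registry": ["HKEY_LOCAL_MACHINE\\Software\\ExampleApp"]},
]


def normalise(paths):
    """Strip trailing slashes (the post mixes /dir/ and /dir) and drop
    duplicates while keeping order, so two profiles listing the same
    directory do not make syscheck scan it twice."""
    seen, out = set(), []
    for p in paths:
        q = p.rstrip("/\\") or p
        if q not in seen:
            seen.add(q)
            out.append(q)
    return out


def profile_to_agent_config(profile):
    """Build one <agent_config> element holding a <syscheck> section."""
    block = ET.Element("agent_config")
    for attr in ("os", "name"):
        if profile.get(attr):
            block.set(attr, profile[attr])
    sc = ET.SubElement(block, "syscheck")
    dirs = normalise(profile.get("dirs", []))
    if dirs:
        # OSSEC takes a comma-separated list in a single <directories> element.
        ET.SubElement(sc, "directories", check_all="yes").text = ",".join(dirs)
    for key in normalise(profile.get("registry", [])):
        ET.SubElement(sc, "windows_registry").text = key
    return block


def render_agent_conf(profiles):
    """Serialise all profiles as the concatenated blocks agent.conf expects
    (several top-level <agent_config> elements, no single root)."""
    return "\n".join(ET.tostring(profile_to_agent_config(p), encoding="unicode")
                     for p in profiles)


if __name__ == "__main__":
    print(render_agent_conf(PROFILES))
```

Append the output to /var/ossec/etc/shared/agent.conf on the manager; because a comma is the list separator inside <directories>, a path containing a comma would need its own element, which is the one case this generator does not handle.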