Site down last night

Thanks to everyone who sent notes that our site was down last night. We were switching servers and not everything got migrated on time. I was happy that Sucuri notified me on time:

Modifications:
%WARN: Size reduced by more than 50%. – Previous size: 2761. Current size: 984 (in bytes)
%INFO: Server setting changes – > <title>WordPress › Error
%ERROR: Error establishing a database connection
Changes follow:

14,20c14
< <title>
< Welcome to the Home of OSSEC
..
> Error establishing a database connection

They have a nice solution that does integrity checking on web sites, domains, etc. That was the other alert I got:

Sucuri nbim: http://www.ossec.net DNS modified

Modifications:
5d4
< ossec.net has address 75.126.x.z
> ossec.net has address 74.86.x.z

OSSEC v2.4 BETA available

OSSEC v2.4 BETA is available and we need testers. You can find more information about it and the new features here:

http://www.ossec.net/wiki/Dev:BetaTesting

If you ever wanted to contribute to OSSEC (or to any open source project), that’s the easiest way to get involved. Just download the BETA, check that everything still works, try out some of the new features if you have time, and let us know how it goes. You can submit your feedback here, via the wiki, to the mailing list, or personally to me via email.

http://www.ossec.net/wiki/Dev:BetaTesting

We appreciate any feedback.

OSSEC v2.3 released

Directly from http://www.ossec.net/main/ossec-v23-released:

What is new?

  1. Log analysis rules for the Nginx web server
  2. Log analysis rules for Suhosin (Hardened PHP)
  3. Support for real time file integrity monitoring on Windows systems
  4. Support for monitoring the output of commands (process monitoring)
  5. And a lot more…

Check out our v2.3 changelog for the complete list of new features and bugs fixed.

Download the new version from http://www.ossec.net/main/downloads

*Special thanks to our contributors Jeremy Rossi, Fabio Paracchini and Michael Starks and our beta testers Dan Parriott, Michael Starks, Timo Vehvilainen and Jeremy Rossi.

OSSEC v2.2 beta1 available

OSSEC v2.2 will be released soon and we need help beta testing it. The code is already pretty stable and has been through a series of internal tests.

So, if you have a spare system or can install it on your production network, we would love to hear some feedback (just follow the instructions on our Beta testing wiki page).

New features/Bug fixes

  1. Added a tool to properly validate whether the system is little or big endian.
  2. Added an “ignore” option to rootcheck (especially to deal with large NFS shares and avoid scanning them)
  3. Added option to log every rootcheck event (not only the FTS ones).
  4. Fixed configuration error when no parameter was given to the agent.conf file
  5. Added rules to ignore constant CRON login/logout alerts (happening on Debian/Ubuntu)
  6. Changed the way we handle Windows sockets to avoid timeouts on shared files
  7. Added support for roundcube logs. (Thanks to Michael Starks for the work).
  8. Added support for Netscreen alert (IDS) events.
  9. Added command line options to the manage_agents tool.
  10. Fixed issue of duplicated IP addresses on syscheck_control. (Patch by ddpbsd at gmail.com).
  11. Fixed the way we handle /0 netmasks on all the control tools.
  12. Added custom fine-grained entries to syscheck on Windows. The goal is to reduce the number of directories checked and increase usefulness.
  13. Added option to disable message id checks. Useful when you plan to reuse keys.
  14. Added support for WordPress logs. They come from the wpsyslog2 plugin that we modified to log everything to syslog (from new posts, new comments, logins, logouts, etc).
  15. Added support for escaping “<” on the XML and regex libraries.
  16. Fixed bug on syscheck_control where the zero/ignore options were not working on some systems. (Thanks to Michael Starks for the report).
  17. Added support for Trend OSCE (Office scan) log files
  18. Fixed installation script on AIX to only use /bin/false if it is installed.

Download

Thanks!

OSSEC v2.1.1 released

Yes, I have been neglecting my own blog for a while… Anyway, just in case you missed the announcement, about a month ago, we released v2.1.1. Link:

http://www.ossec.net/main/ossec-v21-released

We are pleased to announce the general availability of OSSEC version 2.1.
This new version is the first one with support for centralized configurations and realtime integrity monitoring on Linux. It also includes many other features and bug fixes:

* Centralized configuration – The agent.conf file was introduced to allow granular configuration of the agents directly on the manager side.
* Remote agent restart – Functionality was added to restart the agents remotely using the agent_control tool.
* Real time integrity checking – Real time integrity checking was added to Linux systems.
* New Log Rules Support – We added support for Windows DHCP logs and fixed/improved many of the other rules for different messages.

Rootcheck updated to v2.0

Directly from: http://www.ossec.net/main/rootcheck-updated-to-v20

Rootcheck is responsible for the rootkit detection, system auditing and policy monitoring parts of OSSEC. However, if you want to check your systems without installing the whole OSSEC package, you can run Rootcheck separately to get a quick status of how your system is doing.

The rootcheck page is http://www.ossec.net/rootcheck/.

How to use it

Rootcheck is very simple software. Just download, unpack, compile and run it. It will scan the system and report whether or not it found anything.

[root@ossec ~]# wget http://www.ossec.net/rootcheck/files/rootcheck-2.0.tar.gz
[root@ossec ~]# tar -zxvf rootcheck-2.0.tar.gz
[root@ossec ~]# cd rootcheck-2.0
[root@ossec ~]# make all
[root@ossec ~]# ./ossec-rootcheck
..

Downloads

v2.0     md5sum

OSSEC v2.0 released

From http://www.ossec.net/main/ossec-v20-released:

We are pleased to announce the general availability of OSSEC version 2.0.
This new version is the first one with support for agentless monitoring and includes many other new features and bug fixes:

  • Compiled Rules – Per popular demand, we are introducing the capability to use pre-compiled rules written in “C”. Customers who felt that the XML format for writing rules was very limiting can now use the full programming power of C.
  • Agentless Monitoring – Many enterprises must monitor devices on which agents cannot be installed, either because of scalability requirements or because the native operating system is not supported. In version 2.0, OSSEC customers can perform integrity checking and real time log inspection on remote systems (such as Linux based devices, firewall devices such as PIX, routers, etc.).
  • New Language Support – We added support for the Dutch language in the installer.
  • New Log Rules Support – We added support for Yum logs and fixed/improved many of the other rules for different messages.
  • New reporting tool – We added a new tool to create and help generate reports.

And much more… Check the changelog to see all changes and contributors.

Download it from: http://www.ossec.net/main/downloads

Special thanks to Michael Starks, Dean Takemori, Scott Shinn, Sebastien Tricaud, Martijn de Boer, Meir Michanie, Matthias Schmidt, Dan Pariott and Daniel Medianero for helping with this release.

v2.0 beta testing begins

This is the time of year when everyone can help our project: what we need are beta testers for version 2.0!

The list of new features, bug fixes and packages to use are all available at: http://www.ossec.net/wiki/index.php/Dev:BetaTesting

These are our goals with beta testing:

  1. Make sure that everything that was working on previous versions still works on the new one.
  2. Make sure your local rules still work and that it can still parse all your logs.
  3. Make sure that all the new features work as expected.
  4. Make sure that reported bugs were properly fixed.
  5. Make sure that the upgrade process still works on all platforms.
  6. We need to make sure it compiles fine on all platforms and operating systems. Try it on Solaris, NetBSD, FreeBSD, AIX, HP-UX, any Linux distribution that you have.
  7. Test that the agentless monitoring is working as it should.
  8. Test the compiled rules and reporting tool.

If you run into any issues, please let us know.

Thanks!

Agentless monitoring updated (v2.0 preview)

*updated from http://www.ossec.net/dcid/?p=154 by adding support for su and public key authentication

Agentless monitoring is another big feature coming up with our next version. Basically, it allows you to run integrity checking (and in the future log monitoring) on systems without an agent installed (including routers, firewalls, switches and even Linux/BSD systems).

*To try it out, download the latest snapshot from http://www.ossec.net/files/snapshots/

1-Getting started with agentless

After you have installed the latest snapshot (or v2.0), you need to enable agentless monitoring:

  # /var/ossec/bin/ossec-control enable agentless

Then provide the SSH credentials for the host you want to access. For Cisco devices (PIX, routers, etc.), you need to provide an additional parameter with the enable password. The same applies if you want to use “su”: the su password must be given as the additional parameter. In this example, I am adding a Linux box (xx.net) and a PIX firewall (pix.fw.local):

  # /var/ossec/agentless/register_host.sh add root@xx.net mypass1
  *Host root@xx.net added.
  # /var/ossec/agentless/register_host.sh add pix@pix.fw.local pixpass enablepass
  *Host pix@pix.fw.local added.

  # /var/ossec/agentless/register_host.sh list
  *Available hosts:
  pix@pix.fw.local
  root@xx.net

2-Configuring agentless

Once you have added all your systems, you need to configure OSSEC to monitor them. By default, we have 4 agentless types (but we plan to add more soon): ssh_integrity_check_bsd, ssh_integrity_check_linux, ssh_generic_diff and ssh_pixconfig_diff. For the first two, you give a list of directories in the configuration and OSSEC will do integrity checking of them on the remote box. With ssh_generic_diff, you give a set of commands to run on the remote box and OSSEC will alert when their output changes. ssh_pixconfig_diff will alert when a Cisco PIX/router configuration changes.

So, for my first system (root@xx.net), I will monitor the /bin, /etc and /sbin directories every 10 hours (if I were using ssh_integrity_check_bsd, the argument would be the directories as well):

  <agentless>
    <type>ssh_integrity_check_linux</type>
    <frequency>36000</frequency>
    <host>root@xx.net</host>
    <state>periodic</state>
    <arguments>/bin /etc/ /sbin</arguments>
  </agentless>

For my PIX, the configuration looks like:

  <agentless>
    <type>ssh_pixconfig_diff</type>
    <frequency>36000</frequency>
    <host>pix@pix.fw.local</host>
    <state>periodic_diff</state>
  </agentless>

As an example of ssh_generic_diff, I will also monitor the output of ls -la /etc; cat /etc/passwd on root@xx.net. Note that if you want to monitor any network firewall or switch, you can use ssh_generic_diff and just specify the commands in the arguments option. To use “su”, you need to put the value “use_su” before the hostname (e.g. <host>use_su root@xx.net</host>).

  <agentless>
    <type>ssh_generic_diff</type>
    <frequency>36000</frequency>
    <host>root@xx.net</host>
    <state>periodic_diff</state>
    <arguments>ls -la /etc; cat /etc/passwd</arguments>
  </agentless>

3-Running it

Once the configuration is complete, you can restart OSSEC. You should see something like “Started ossec-agentlessd” in the output. Before each agentless connection is started, OSSEC runs a configuration check to make sure everything is fine. Look at /var/ossec/logs/ossec.log for any errors. If you see:

  2008/12/12 15:20:06 ossec-agentlessd: ERROR: Expect command not found (or bad arguments) for 'ssh_integrity_check_bsd'.
  2008/12/12 15:20:06 ossec-agentlessd: ERROR: Test failed for 'ssh_integrity_check_bsd' (127). Ignoring.

It means that you don’t have expect installed on the server (nothing needs to be installed on the agentless systems being monitored). On Ubuntu you can install it with:

# apt-get install expect

After installing expect, you can restart OSSEC and you should see:

  2008/12/12 15:24:12 ossec-agentlessd: INFO: Test passed for 'ssh_integrity_check_bsd'.

When it connects to the remote system, you will also see:

2008/12/12 15:25:19 ossec-agentlessd: INFO: ssh_integrity_check_bsd: root@xx.net: Starting.
2008/12/12 15:25:46 ossec-agentlessd: INFO: ssh_integrity_check_bsd: root@xx.net: Finished.

4-Alerts

These are some of the alerts you will get:

For the ssh_generic_diff:

OSSEC HIDS Notification.
2008 Dec 12 01:58:30

Received From: (ssh_generic_diff) root@xx.net->agentless
Rule: 555 fired (level 7) -> “Integrity checksum for agentless device changed.”
Portion of the log(s):

ossec: agentless: Change detected:
35c35
< -rw-r--r-- 1 root wheel 34 Dec 10 03:55 hosts.deny

> -rw-r--r-- 1 root wheel 34 Dec 11 18:23 hosts.deny

--END OF NOTIFICATION

For the PIX:

OSSEC HIDS Notification.
2008 Dec 01 15:48:03

Received From: (ssh_pixconfig_diff) pix@pix.fw.local->agentless
Rule: 555 fired (level 7) -> “Integrity checksum for agentless device changed.”
Portion of the log(s):

ossec: agentless: Change detected:
48c48
< fixup protocol ftp 21

> no fixup protocol ftp 21
100c100
< ssh timeout 30

> ssh timeout 50
More changes..

--END OF NOTIFICATION
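To make the periodic_diff mechanism behind these alerts concrete, here is an added Python example (not OSSEC’s own code, which drives ssh through expect scripts and diff): it keeps a baseline per (type, host) and returns the same normal-diff alert body shown above only when a later capture differs. The PIX config lines are constructed sample data, not from a real device.

```python
import difflib

ALERT_HEADER = "ossec: agentless: Change detected:"


def _rng(start, end):  # 1-based range in diff notation: "48" or "48,50"
    return str(start + 1) if end - start == 1 else f"{start + 1},{end}"


def normal_diff(old, new):
    """Build GNU diff 'normal' output (c/d/a hunks) for two lists of lines."""
    matcher = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    out = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        if tag == "replace":
            out.append(f"{_rng(i1, i2)}c{_rng(j1, j2)}")
        elif tag == "delete":
            out.append(f"{_rng(i1, i2)}d{j1}")
        else:  # insert
            out.append(f"{i1}a{_rng(j1, j2)}")
        out.extend("< " + line for line in old[i1:i2])
        if tag == "replace":
            out.append("---")
        out.extend("> " + line for line in new[j1:j2])
    return out


class PeriodicDiffMonitor:
    """Keeps the last output per (type, host), as the periodic_diff state does,
    and returns an alert body only when a later capture differs from it."""

    def __init__(self):
        self.baseline = {}

    def check(self, agentless_type, host, output):
        key = f"({agentless_type}) {host}"
        lines = output.splitlines()
        previous = self.baseline.get(key)
        self.baseline[key] = lines
        if previous is None or previous == lines:
            return None  # first run (baseline stored) or nothing changed
        return "\n".join([ALERT_HEADER] + normal_diff(previous, lines))


# Constructed sample: two captures of a PIX running-config excerpt.
PIX_BEFORE = "names\nfixup protocol ftp 21\nfixup protocol http 80\nssh timeout 30\n"
PIX_AFTER = "names\nno fixup protocol ftp 21\nfixup protocol http 80\nssh timeout 50\n"
if __name__ == "__main__":
    mon = PeriodicDiffMonitor()
    print(mon.check("ssh_pixconfig_diff", "pix@pix.fw.local", PIX_BEFORE))  # None
    print(mon.check("ssh_pixconfig_diff", "pix@pix.fw.local", PIX_AFTER))
```

The second call prints the “2c2 / < … / > …” hunks, which is the form that rule 555 wraps into the notification above.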

That’s it. If you run into any problems, let us know.