OSSEC being detected as malware

Some anti-virus products (BitDefender, F-Secure, etc.) are detecting version 1.6.1 of the OSSEC Windows Agent as malware (more specifically, as Generic.Qhost).

We tried contacting some of them without much success. If you get a warning like that, it is a FALSE POSITIVE; please let your anti-virus vendor know about it.

Link to the virustotal scan: http://www.virustotal.com/analisis/e1faf42be76cf372b60de79a500d7142

Thanks,

Agentless monitoring (v1.7 preview)

Agentless monitoring is another big feature coming up with our next version. Basically, it allows you to run integrity checking (and in the future log monitoring) on systems without an agent installed (including routers, firewalls, switches and even Linux/BSD systems).

*To try it out, download the latest snapshot from http://www.ossec.net/files/snapshots/

1-Getting started with agentless

After you have installed the latest snapshot (or v1.7), you need to enable agentless monitoring:

  # /var/ossec/bin/ossec-control enable agentless

Then provide the SSH credentials for each host you want to access. For Cisco devices (PIX, routers, etc.), you need to provide an additional parameter for the enable password. In this example, I am adding a Linux box (xx.net) and a PIX firewall (pix.fw.local):

  # /var/ossec/agentless/register_host.sh add root@xx.net mypass1
   *Host root@xx.net added.
  # /var/ossec/agentless/register_host.sh add pix@pix.fw.local pixpass enablepass
   *Host pix@pix.fw.local added.

  # /var/ossec/agentless/register_host.sh list
  *Available hosts:
  pix@pix.fw.local
  root@xx.net

2-Configuring agentless

Once you have added all your systems, you need to configure OSSEC to monitor them. By default, we have 4 agentless types (but we plan to add more soon): ssh_integrity_check_bsd, ssh_integrity_check_linux, ssh_generic_diff and ssh_pixconfig_diff. For the first two, you give a list of directories in the configuration and OSSEC will do integrity checking of them on the remote box. For the ssh_generic_diff, you give a set of commands to run on the remote box and OSSEC will alert when their output changes. The ssh_pixconfig_diff will alert when a Cisco PIX/router configuration changes.

So, for my first system (root@xx.net), I will monitor the /bin, /etc and /sbin directories every 10 hours (if I were using the ssh_integrity_check_bsd type, the arguments would be the directories as well):

  <agentless>
    <type>ssh_integrity_check_linux</type>
    <frequency>36000</frequency>
    <host>root@xx.net</host>
    <state>periodic</state>
    <arguments>/bin /etc/ /sbin</arguments>
  </agentless>

For my PIX, the configuration looks like:

  <agentless>
    <type>ssh_pixconfig_diff</type>
    <frequency>36000</frequency>
    <host>pix@pix.fw.local</host>
    <state>periodic_diff</state>
  </agentless>

And just to exemplify the ssh_generic_diff, I will also monitor the output of ls -la /etc; cat /etc/passwd on root@xx.net. Note that if you want to monitor any network firewall or switch, you can use the ssh_generic_diff type and just specify the commands in the arguments option.

  <agentless>
    <type>ssh_generic_diff</type>
    <frequency>36000</frequency>
    <host>root@xx.net</host>
    <state>periodic_diff</state>
    <arguments>ls -la /etc; cat /etc/passwd</arguments>
  </agentless>

3-Running it

Once the configuration is completed, you can restart OSSEC. You should see something like “Started ossec-agentlessd” in the output. Before each agentless connection is started, OSSEC will do a configuration check to make sure everything is fine. Look at /var/ossec/logs/ossec.log for any error. If you see:

  2008/12/12 15:20:06 ossec-agentlessd: ERROR: Expect command not found (or bad arguments) for 'ssh_integrity_check_bsd'.
  2008/12/12 15:20:06 ossec-agentlessd: ERROR: Test failed for 'ssh_integrity_check_bsd' (127). Ignoring.

It means that expect is not installed on the OSSEC server (nothing needs to be installed on the systems being monitored agentlessly). On Ubuntu you can install it with:

  # apt-get install expect

After installing expect, you can restart OSSEC and you should see:

  2008/12/12 15:24:12 ossec-agentlessd: INFO: Test passed for 'ssh_integrity_check_bsd'.

When it connects to the remote system, you will also see:

  2008/12/12 15:25:19 ossec-agentlessd: INFO: ssh_integrity_check_bsd: root@xx.net: Starting.
  2008/12/12 15:25:46 ossec-agentlessd: INFO: ssh_integrity_check_bsd: root@xx.net: Finished.

4-Alerts

These are some of the alerts you will get:

For the ssh_generic_diff:

OSSEC HIDS Notification.
2008 Dec 12 01:58:30

Received From: (ssh_generic_diff) root@xx.net->agentless
Rule: 555 fired (level 7) -> “Integrity checksum for agentless device changed.”
Portion of the log(s):

ossec: agentless: Change detected:
35c35
< -rw-r--r-- 1 root wheel 34 Dec 10 03:55 hosts.deny
---
> -rw-r--r-- 1 root wheel 34 Dec 11 18:23 hosts.deny

--END OF NOTIFICATION

For the PIX:

OSSEC HIDS Notification.
2008 Dec 01 15:48:03

Received From: (ssh_pixconfig_diff) pix@pix.fw.local->agentless
Rule: 555 fired (level 7) -> “Integrity checksum for agentless device changed.”
Portion of the log(s):

ossec: agentless: Change detected:
48c48
< fixup protocol ftp 21
---
> no fixup protocol ftp 21
100c100
< ssh timeout 30
---
> ssh timeout 50
More changes..

--END OF NOTIFICATION
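The periodic_diff behaviour behind ssh_generic_diff and ssh_pixconfig_diff, as an added example that is not OSSEC's own code (ossec-agentlessd itself is C plus expect scripts): it keeps the last output per host and, when the output changes, renders the change in the normal diff(1) format shown in the rule 555 alerts above. The command outputs and PIX configs it works on are constructed, not captured.

```python
"""Simulation, as an added example (not OSSEC's code; ossec-agentlessd itself is
C plus expect scripts), of the periodic_diff state used by ssh_generic_diff and
ssh_pixconfig_diff: keep the last output per host, and when it changes render
the change in the normal diff(1) format shown in the rule 555 alerts above.
All command outputs and configs below are constructed, not captured."""
from difflib import SequenceMatcher
from typing import Dict, List, Optional, Tuple


def _rng(start: int, end: int) -> str:
    """Render the 0-based half-open slice [start, end) as diff's 1-based N or N,M."""
    return str(start + 1) if end - start == 1 else f"{start + 1},{end}"


def normal_diff(old: List[str], new: List[str]) -> str:
    """Ed-style 'normal' diff: '35c35', '< old', '---', '> new' (also 'd' and 'a' hunks)."""
    out: List[str] = []
    for tag, i1, i2, j1, j2 in SequenceMatcher(None, old, new, autojunk=False).get_opcodes():
        if tag == "replace":
            out.append(f"{_rng(i1, i2)}c{_rng(j1, j2)}")
            out += [f"< {line}" for line in old[i1:i2]] + ["---"]
            out += [f"> {line}" for line in new[j1:j2]]
        elif tag == "delete":
            out.append(f"{_rng(i1, i2)}d{j1}")
            out += [f"< {line}" for line in old[i1:i2]]
        elif tag == "insert":
            out.append(f"{i1}a{_rng(j1, j2)}")
            out += [f"> {line}" for line in new[j1:j2]]
    return "\n".join(out)


class AgentlessDiffMonitor:
    """Plays the role of ossec-agentlessd's periodic_diff state, keyed by (type, host)."""

    def __init__(self) -> None:
        self._last: Dict[Tuple[str, str], List[str]] = {}

    def check(self, agentless_type: str, host: str, output: str) -> Optional[str]:
        """Store the output; return an alert body only when it differs from the
        previous run (the first run just records the baseline, like OSSEC)."""
        key = (agentless_type, host)
        lines = output.splitlines()
        previous = self._last.get(key)
        self._last[key] = lines
        if previous is None or previous == lines:
            return None
        return (f"Received From: ({agentless_type}) {host}->agentless\n"
                f"ossec: agentless: Change detected:\n{normal_diff(previous, lines)}")


# Constructed sample outputs of 'ls -la /etc' and of a PIX 'show running-config'.
LS_DAY1 = "total 8\n-rw-r--r-- 1 root wheel 34 Dec 10 03:55 hosts.deny\n-rw-r--r-- 1 root wheel 12 Dec 10 03:55 hosts.allow"
LS_DAY2 = LS_DAY1.replace("Dec 10 03:55 hosts.deny", "Dec 11 18:23 hosts.deny")
PIX_DAY1 = "hostname pix\nfixup protocol ftp 21\nfixup protocol http 80\nssh timeout 30"
PIX_DAY2 = "hostname pix\nno fixup protocol ftp 21\nfixup protocol http 80\nssh timeout 50"


def demo() -> List[Optional[str]]:
    """Two runs per host: baseline (None), then the change that raises rule 555."""
    mon = AgentlessDiffMonitor()
    return [mon.check("ssh_generic_diff", "root@xx.net", LS_DAY1),
            mon.check("ssh_generic_diff", "root@xx.net", LS_DAY2),
            mon.check("ssh_pixconfig_diff", "pix@pix.fw.local", PIX_DAY1),
            mon.check("ssh_pixconfig_diff", "pix@pix.fw.local", PIX_DAY2)]


if __name__ == "__main__":
    for alert in demo():
        print(alert or "no change", end="\n\n")
```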

That’s it. If you run into any problems, let us know.

OSSEC Reports (v1.7 preview)

One of the most requested features in OSSEC is some kind of built-in reporting mechanism. For v1.7, we plan to have that included, and we need comments and ideas on what kind of features and formats would be most useful.

To get started, we created a standalone reporting tool so we can get the ideas flying. If you want to try it out, download the latest snapshot and look at the ossec-reportd tool. Here are some of the reports I am doing:

*The HTML is messing up the output of the reports, so they will look a bit better in a terminal.

1-Show all IP addresses/users that logged in during the day

# cat /var/ossec/logs/alerts/alerts.log | ./src/monitord/ossec-reportd -n "Logins summary" -f group authentication_success

Report 'Logins summary' completed.
————————————————
->Processed alerts: 145557
->Post-filtering alerts: 401
->First alert: ..
->Last alert: ..

Top entries for 'Source ip':
————————————————
127.0.0.1 |280 |
192.168.2.10 |88 |
192.168.2.15 |16 |
192.168.2.26 |6 |
192.168.2.17 |2 |

Top entries for 'Username':
————————————————
dcid |336 |
aabbcxx |46 |
root |9 |
__vmware_user__ |4 |
vpxuser |2 |
Administrator |1 |
lac |1 |

2-Show all IP addresses/users that logged in during the day, plus the related source IPs and locations for each user

# cat /var/ossec/logs/alerts/alerts.log | ./src/monitord/ossec-reportd -n "Logins summary" -f group authentication_success -r user srcip -r user location

Top entries for 'Source ip':
————————————————
127.0.0.1 |280 |
192.168.2.10 |88 |
192.168.2.15 |16 |
192.168.2.26 |6 |
192.168.2.17 |2 |

Top entries for 'Username':
————————————————
dcid |336 |
aabbcxx |46 |
root |9 |
__vmware_user__ |4 |
vpxuser |2 |
Administrator |1 |
lac |1 |

Related entries for 'Username':
————————————————
dcid |336 |
location: 'enigma->/var/log/authlog'
srcip: '192.168.2.15'
srcip: '192.168.2.10'
srcip: '127.0.0.1'
srcip: '192.168.2.17'
srcip: '192.168.2.26'
aabbcxx |46 |
location: 'enigma->/var/log/authlog'
srcip: '192.168.2.10'
root |9 |
location: 'enigma->/var/log/authlog'
srcip: '127.0.0.1'
srcip: '192.168.2.15'
srcip: '192.168.2.26'
srcip: '(none)'
__vmware_user__ |4 |
location: '(lili3win) 192.168.2.0->WinEvtLog'
srcip: '(none)'
vpxuser |2 |
location: '(vmesx51) any->/var/log/messages'
location: '(vmesx51) any->/var/log/vmware/hostd.log'
srcip: '127.0.0.1'
Administrator |1 |
location: '(win2003-tbv4) any->WinEvtLog'
srcip: '(none)'
lac |1 |
location: '(lili3win) 192.168.2.0->WinEvtLog'
srcip: '(none)'

3-Show all multiple authentication failures (brute force attacks)

# cat /var/ossec/logs/alerts/alerts.log | ./src/monitord/ossec-reportd -n "Failures summary" -f group authentication_failures

Top entries for 'Source ip':
————————————————
127.0.0.1 |5 |
218.56.61.114 |5 |
117.36.192.75 |2 |
219.90.103.44 |2 |
121.22.8.148 |1 |
122.141.177.51 |1 |
203.171.227.18 |1 |
211.156.250.179 |1 |
222.73.0.101 |1 |
85.24.137.233 |1 |

Top entries for 'Username':
————————————————
root |7 |
dcid |5 |

Top entries for 'Rule':
————————————————
5720 - Multiple SSHD authentication failures. |12 |
5712 - SSHD brute force trying to get access.. |8 |

4-Show a summary for the month (or day)

# zcat /var/ossec/logs/alerts/2008/Nov/*.gz | ./src/monitord/ossec-reportd -n "Month Summary"

Report 'Month Summary' completed.
————————————————
->Processed alerts: 274744
->Post-filtering alerts: 274744
->First alert: 2008 Nov 01 00:00:03
->Last alert: 2008 Nov 25 21:00:03

Top entries for 'Level':
————————————————
Severity 4 |236552 |
Severity 10 |33194 |
Severity 3 |2219 |
Severity 7 |1649 |
Severity 5 |999 |
Severity 8 |57 |
Severity 6 |42 |
Severity 2 |25 |
Severity 12 |5 |
Severity 9 |2 |

Top entries for 'Group':
————————————————
windows |270107 |
syslog |2694 |
ossec |1798 |
syscheck |1624 |
pam |1339 |
authentication_success |1321 |
sshd |953 |
errors |378 |
system_error |318 |
authentication_failed |161 |
invalid_login |120 |
vmware |117 |
recon |42 |
authentication_failures |32 |
win_authentication_failed |25 |
account_changed |24 |
stats |17 |
time_changed |17 |
service_availability |16 |
accesslog |10 |
web |10 |
su |9 |
access_control |8 |
access_denied |8 |
rootcheck |5 |
attacks |4 |
policy_changed |4 |
low_diskspace |3 |
sudo |3 |
logs_cleared |2 |
postgresql_log |1 |
system_shutdown |1 |

Top entries for 'Location':
————————————————
(lili3win) 192.168.2.0->WinEvtLog |269806 |
(esqueleto2) 192.168.2.99->/var/log/auth.log |1338 |
(lili3win) 192.168.2.0->syscheck |1301 |
enigma->/var/log/authlog |960 |
enigma->/var/log/messages |321 |
(lili3win) 192.168.2.0->syscheck-registry |281 |
(win2003-tbv4) any->WinEvtLog |279 |
(vmesx51) any->/var/log/vmware/hostd.log |100 |
enigma->ossec-logcollector |80 |
(vmesx51) any->/var/log/messages |53 |
(win2003-tbv3) any->WinEvtLog |39 |
enigma->ossec-monitord |29 |
(win2003-tbv4) any->syscheck-registry |26 |
(esqueleto2) 192.168.2.99->/var/log/messages |24 |
(lili3win) 192.168.2.0->ossec |22 |
(esqueleto2) 192.168.2.99->ossec-logcollector |15 |
(vmesx51) any->ossec-logcollector |15 |
(esqueleto2) 192.168.2.99->/var/log/syslog |10 |
enigma->/var/www/logs/access_log |10 |
enigma->syscheck |7 |
(win2003-tbv4) any->syscheck |6 |
(vmesx51) any->/var/log/secure |4 |
(vmesx51) any->ossec |3 |
(win2003-tbv4) any->ossec |3 |
(lili3win) 192.168.2.0->rootcheck |2 |
(vmesx51) any->syscheck |2 |
(esqueleto2) 192.168.2.99->/var/log/postgres.. |1 |
(esqueleto2) 192.168.2.99->ossec |1 |
(esqueleto2) 192.168.2.99->rootcheck |1 |
(win2003-tbv3) any->ossec |1 |
(win2003-tbv4) any->rootcheck |1 |
enigma->/var/log/secure |1 |
enigma->dcid@127.0.0.1->syscheck |1 |
enigma->rootcheck |1 |

Top entries for 'Rule':
————————————————
18105 – Windows audit failure event. |236165 |
18153 – Multiple Windows audit failure events. |33140 |
550 – Integrity checksum changed. |1484 |
5501 – Login session opened. |666 |
5502 – Login session closed. |666 |
5715 – SSHD authentication success. |580 |
18108 – Failed attempt to perform a privileg.. |354 |
18103 – Windows error event. |318 |
1005 – Syslogd restarted. |313 |
5716 – SSHD authentication failed. |155 |
551 – Integrity checksum changed again (2nd .. |121 |
5710 – Attempt to login using a non-existent.. |119 |
591 – Log file rotated. |110 |
19104 – VMware ESX warning message. |47 |
5706 – SSH insecure connection attempt (scan). |42 |
503 – Ossec agent started. |29 |
19110 – VMWare ESX authentication success. |28 |
5704 – Timeout while logging in (sshd). |28 |
1002 – Unknown problem somewhere in the syst.. |25 |
1006 – Syslogd restarted. |25 |
18130 – Logon Failure – Unknown user or bad .. |25 |
504 – Ossec agent disconnected. |25 |
18111 – User account changed. |24 |
18151 – Multiple failed attempts to perform .. |19 |
552 – Integrity checksum changed again (3rd .. |19 |
11 – Excessive number of events (above norma.. |17 |
18107 – Windows Logon Success. |17 |
18140 – System time changed. |17 |
19112 – VMWare ESX user login. |17 |
5720 – Multiple SSHD authentication failures. |17 |
1004 – Syslogd exiting (logging stopped). |12 |
19120 – Virtual machine state changed to OFF. |12 |
5712 – SSHD brute force trying to get access.. |12 |
31101 – Web server 400 error code. |10 |
5303 – User successfully changed UID to root. |9 |
2503 – Connection blocked by Tcp Wrappers. |8 |
18147 – Application Installed. |6 |
18149 – Windows User Logoff. |6 |
5503 – User login failed. |6 |
18113 – Windows Audit Policy changed. |4 |
19103 – VMware ESX error message. |4 |
40112 – Multiple authentication failures fol.. |4 |
502 – Ossec server started. |4 |
510 – Host-based anomaly detection event (ro.. |4 |
1007 – File system full. |3 |
18152 – Multiple Windows Logon Failures. |3 |
19121 – Virtual machine being turned ON. |3 |
19122 – Virtual machine state changed to ON. |3 |
19150 – Multiple VMWare ESX warning messages. |3 |
18118 – Windows audit log was cleared. |2 |
18119 – First time this user logged in this .. |2 |
18126 – Remote access login success. |2 |
5402 – Successful sudo to ROOT executed |2 |
18109 – Session reconnected/disconnected to .. |1 |
18117 – Windows is shutting down. |1 |
18146 – Application Uninstalled. |1 |
501 – New ossec agent connected. |1 |
50521 – Database shutdown messge. |1 |
512 – Windows Audit event. |1 |
5403 – First time user executed sudo. |1 |
5504 – Attempt to login with an invalid user. |1 |

Comments and suggestions are welcome. We plan to make it a part of monitord to be able to do daily or hourly reports for certain options.
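The reports above, re-implemented as an added example that is not ossec-reportd's own code: filter alerts.log by group (-f group), count the top entries per field, and list the related source IPs per user (-r user srcip). It assumes the alerts.log record layout shown in its constructed sample, which follows OSSEC's format as I remember it.

```python
"""What the post's ossec-reportd invocations do, re-implemented as an added
example (not OSSEC's code): filter alerts.log by group (-f group ...), count
the top entries per field, and list related values (-r user srcip).
Assumption: records follow the OSSEC alerts.log layout as this author
remembers it; the sample below is constructed, not captured."""
from collections import Counter, defaultdict
import re

ALERT_RE = re.compile(r"^\*\* Alert \d+\.\d+: .*- (?P<groups>[\w,]+)$")

SAMPLE_ALERTS = """\
** Alert 1229068710.1: - syslog,sshd,authentication_success,
2008 Dec 12 01:58:30 enigma->/var/log/authlog
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 192.168.2.15
User: dcid
Dec 12 01:58:29 enigma sshd[4122]: Accepted publickey for dcid from 192.168.2.15 port 51234 ssh2

** Alert 1229068900.2: mail - syslog,sshd,authentication_failed,
2008 Dec 12 02:01:40 enigma->/var/log/authlog
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 218.56.61.114
User: root
Dec 12 02:01:39 enigma sshd[4140]: Failed password for root from 218.56.61.114 port 2222 ssh2

** Alert 1229069000.3: - windows,authentication_success,
2008 Dec 12 02:03:20 (lili3win) 192.168.2.0->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
User: lac
WinEvtLog: Security: AUDIT_SUCCESS(528): Successful Logon: User Name: lac
"""


def parse_alerts(text):
    """Yield one dict per alert record: groups, location, rule, srcip, user."""
    alert = None
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:                                   # "** Alert <ts>.<id>: [mail] - <groups>,"
            if alert:
                yield alert
            alert = {"groups": set(filter(None, m["groups"].split(","))),
                     "srcip": "(none)", "user": "(none)"}
        elif alert is None or not line:
            continue
        elif "location" not in alert:           # "2008 Dec 12 01:58:30 <location>"
            alert["location"] = line.split(" ", 4)[-1]
        elif line.startswith("Rule: "):         # "Rule: <id> (level N) -> '<description>'"
            alert["rule"] = line.split()[1] + " - " + line.split("-> ", 1)[1].strip("'")
        elif line.startswith("Src IP: "):
            alert["srcip"] = line[len("Src IP: "):]
        elif line.startswith("User: "):
            alert["user"] = line[len("User: "):]
    if alert:
        yield alert


def report(text, group, related=("user", "srcip")):
    """Equivalent of: ossec-reportd -f group <group> -r <related[0]> <related[1]>."""
    every = list(parse_alerts(text))
    kept = [a for a in every if group in a["groups"]]
    top = {f: Counter(a[f] for a in kept).most_common() for f in ("srcip", "user", "rule")}
    rel = defaultdict(set)                      # related[0] value -> set of related[1] values
    for a in kept:
        rel[a[related[0]]].add(a[related[1]])
    return {"processed": len(every), "post_filtering": len(kept),
            "top": top, "related": dict(rel)}
```

Calling `report(SAMPLE_ALERTS, "authentication_success")` reproduces the "Logins summary" numbers for the sample, with the failed-login record excluded by the group filter.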

OSSEC v1.6.1 released

From http://www.ossec.net/main/ossec-v161-released:


We are pleased to announce the general availability of OSSEC version 1.6.1. This is a small release with bug fixes for issues found in v1.6.

For a list of features in the version 1.6, please visit: OSSEC v1.6 released.

For a list of issues that were solved, visit the Changelog.

Download it from: http://www.ossec.net/main/downloads .

Thanks!

OSSEC v1.6 released

Direct from: http://www.ossec.net/main/ossec-v16-released


We are pleased to announce the general availability of OSSEC version 1.6.
This new version delivers the most comprehensive update to OSSEC in its history, with numerous new features and bug fixes, including:

  • New multi-server architecture
  • New platform support for Microsoft Vista (and Server 2008)
  • New platform support for VMware ESX
  • Added active response module for Windows
  • CIS benchmarks on Linux (through the policy auditing)
  • Added the VMWare Security hardening guideline to the policy auditing
  • Added support for McAfee VirusScan Enterprise logs
  • Added support for VMware ESX hostd logs
  • Added support for Mac OS FTP server logs
  • New tools to better manage the data stored (syscheck_control, rootcheck_control, log_test)

And much more… Check the changelog to see all changes and contributors.

Download it from: http://www.ossec.net/main/downloads .

Special thanks to Michael Starks, Chris Buechler and Joachim Vorrath for the contributions and ChuckD (mdmonk), Daniel Medianero and John Ives for beta testing this release.

v1.6 BETA2 begins

If you would like to contribute to the project and don’t know how, beta testing our version 1.6 might be a good way to get started.

The list of new features, bug fixes and packages to use are all available at: http://www.ossec.net/wiki/index.php/Dev:BetaTesting

From BETA1, very little has changed, but we added:

  1. Support for VMware ESX logs.
  2. Support for McAfee AV logs.
  3. Fixed some bugs in the policy scanning and other parts of the system.

If you run into any issues, please let us know. Thanks for testing!

Active response on Windows

Another big feature that we never got around to implementing until now. For version 1.6, OSSEC will come with the route-null.cmd script, which blocks an IP address on Windows by modifying the route to it.

To get started, you will need at least the snapshot http://www.ossec.net/files/snapshots/ossec-win32-080820.exe
and the latest snapshot for the management server too.

With that installed, you need to enable active response on Windows (disabled by default). To do that, just add the following to the agent’s ossec.conf:

  <active-response>
    <disabled>no</disabled>
  </active-response>

After that, you need to go to the manager and specify when to run the response. Adding the following to ossec.conf will enable the responses for alerts above level 6:

  <command>
    <name>win_nullroute</name>
    <executable>route-null.cmd</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>win_nullroute</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

With the configuration completed (and the manager restarted), you can test the active response with the agent_control tool (in this case, I am running it against agent id 185 to block the IP 2.3.4.5):

/var/ossec/bin/agent_control -L

OSSEC HIDS agent_control. Available active responses:

Response name: host-deny600, command: host-deny.sh
Response name: firewall-drop600, command: firewall-drop.sh
Response name: win_nullroute600, command: route-null.cmd

/var/ossec/bin/agent_control -b 2.3.4.5 -f win_nullroute600 -u 185

OSSEC HIDS agent_control: Running active response 'win_nullroute600' on: 185

And looking at the agent you should see the new entry in the route table:

C:\>route print
..
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
            2.3.4.5  255.255.255.255            x.y.z           x.y.z       1
..

If you run into any issues, look at the ossec.log file (on the agent) for any entry for ossec-execd. If you enabled it correctly, you will see:

2008/08/20 11:53:49 ossec-execd: INFO: Started (pid: 3896).

As always, we are very open to suggestions, comments, bug reports, etc.

Thanks,

OSSEC on the OLPC

For those looking to install OSSEC on the OLPC (One Laptop per Child), I was able to do it without major issues. Their system is based on Fedora 7, so I just had to install make, gcc and the glibc headers.
A quick sequence of commands:

# yum -y install gcc make glibc-headers glibc-dev
# wget http://www.ossec.net/files/ossec-hids-1.5.1.tar.gz
# tar -zxvf ossec-hids-1.5.1.tar.gz
# cd ossec-hids-1.5.1
# ./install.sh
..

OSSEC on Microsoft Vista/Server 2008

I just finished adding support for Vista/Server 2008 to OSSEC. We had some server (manager) side changes to understand the new event IDs and lots of changes on the agent side. If you have any Vista or Server 2008 systems, please help us test it.

You can download the server at: http://www.ossec.net/files/snapshots/ossec-hids-080721.tar.gz
Agent download at: http://www.ossec.net/files/snapshots/ossec-win32-080721.exe

Make sure to update the server first, before the agent. If you find any issues, or if you test and it works fine, please let me know.

*I would also like to thank Chris Buechler for the remote access to some of his boxes to make this possible.

CIS benchmark tests

We just included support in the OSSEC Policy monitor to audit whether a system is in compliance with the CIS Security Benchmarks (as of right now, only RHEL 2-5, Fedora 1-5 and Debian/Ubuntu are supported; the other versions will follow soon).

If you want to try it out manually and provide some feedback to us, please follow the instructions below:

First, grab the latest CVS snapshot and compile it (it will be included on v1.6 and above):

# wget http://www.ossec.net/files/snapshots/ossec-hids-080710.tar.gz
# tar -zxvf ossec-hids-080710.tar.gz
# cd ossec-hids-080710/src/
# make clean
# make libs
# cd rootcheck
# make binary

The binary ossec-rootcheck will be created in the current directory and we can start using it. A simple scan on my Ubuntu box looked like this (note that it will run all the normal rootcheck tests plus the CIS scans; just grep for CIS if you don't want to see the rest):

# ./ossec-rootcheck
..

[INFO]: System Audit: CIS – Testing against the CIS Debian Linux Benchmark v1.0. File: /proc/sys/kernel/ostype. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS – Debian Linux 1.4 – Robust partition scheme – /tmp is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS – Debian Linux 1.4 – Robust partition scheme – /var is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS – Debian Linux 2.3 – SSH Configuration – Root login allowed. File: /etc/ssh/sshd_config. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS – Debian Linux 2.4 – System Accounting – Sysstat not enabled. File: /etc/default/sysstat. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS – Debian Linux 4.18 – Disable standard boot services – Squid Enabled. File: /etc/init.d/squid. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS – Debian Linux 7.2 – Removable partition /media without ‘nodev’ set. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS – Debian Linux 7.2 – Removable partition /media without ‘nosuid’ set. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS – Debian Linux 7.3 – User-mounted removable partition /media. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS – Debian Linux 8.8 – GRUB Password not set. File: /boot/grub/menu.lst. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

..

Anyone here using CIS (or FDCC)? As always, feedback and suggestions are welcome.