The Open Source Security (OSSEC) Blog
Some anti-virus products (BitDefender, F-Secure, etc) are detecting the version 1.6.1 of the OSSEC Windows Agent as a malware (more specifically Generic.Qhost).
We tried contacting some of them without much success. If you get any warning like that, it is a FALSE POSITIVE and let your anti-virus company know about it.
Link to the virustotal scan: http://www.virustotal.com/analisis/e1faf42be76cf372b60de79a500d7142
Thanks,
Agentless monitoring is another big feature coming up with our next version. Basically, it allows you to run integrity checking (and in the future log monitoring) on systems without an agent installed (including routers, firewalls, switches and even Linux/BSD systems).
*To try it out, download the latest snapshot from http://www.ossec.net/files/snapshots/
After you installed the latest snapshot (or v1.7), you need to enable the agentless monitoring:
# /var/ossec/bin/ossec-control enable agentless
And provide the SSH authentication to the host you want to access. For Cisco devices (PIX, routers, etc), you need to provide an additional parameter for the enable password. In this example, I am adding a Linux box (xx.net) and a PIX firewall (pix.fw.local):
# /var/ossec/agentless/register_host.sh add root@xx.net mypass1 *Host root@xx.netl added. # /var/ossec/agentless/register_host.sh add pix@pix.fw.local pixpass enablepass *Host pix@pix.fw.local added. # /var/ossec/agentless/register_host.sh list *Available hosts: pix@pix.fw.local root@xx.net
Once you have added all your systems, you need to configure OSSEC to monitor them. By default, we have 4 agentless types (but we plan to add more soon): ssh_integrity_check_bsd, ssh_integrity_check_linux, ssh_generic_diff and ssh_pixconfig_diff. For the first two, you give a list of directories in the configuration and OSSEC will do the integrity checking of them on the remote box. On the ssh_generic_diff, you give a set of commands to run on the remote box and OSSEC will alert when the output of them changes. The ssh_pixconfig_diff will alert when a Cisco PIX/router configuration changes.
So, for my first system (root@xx.net), I will monitor the /bin, /etc and /sbin directories every 10 hours (if I was using the ssh_integrity_check_bsd, the argument would be the directories as well):
<agentless>
<type>ssh_integrity_check_linux</type>
<frequency>36000</frequency>
<host>root@xx.net</host>
<state>periodic</state>
<arguments>/bin /etc/ /sbin</arguments>
</agentless>
For my PIX, the configuration looks like:
<agentless> <type>ssh_pixconfig_diff</type> <frequency>36000</frequency> <host>pix@pix.fw.local</host> <state>periodic_diff</state> </agentless>
And just to exemplify the ssh_generic_diff I will also monitor ls -la /etc; cat /etc/passwd on the root@xx.net. Note that if you want to monitor any network firewall or switch, you can use the ssh_generic_diff and just specify the commands in the arguments option.
<agentless>
<type>ssh_generic_diff</type>
<frequency>36000</frequency>
<host>root@xx.net</host>
<state>periodic_diff</state>
<arguments>ls -la /etc; cat /etc/passwd</arguments>
</agentless>
Once the configuration is completed, you can restart OSSEC. You should see something like “Started ossec-agentlessd” in the output. Before each agentless connection is started, OSSEC will do a configuration check to make sure everything is fine. Look at /var/ossec/logs/ossec.log for any error. If you see:
2008/12/12 15:20:06 ossec-agentlessd: ERROR: Expect command not found (or bad arguments) for 'ssh_integrity_check_bsd'. 2008/12/12 15:20:06 ossec-agentlessd: ERROR: Test failed for 'ssh_integrity_check_bsd' (127). Ignoring.
It means that you don’t have the expect library installed on the server (it is not necessary to install anything on the agentless systems to monitor). On Ubuntu you can do the following to install:
# apt-get install expect
After installing expect, you can restart OSSEC and you should see:
2008/12/12 15:24:12 ossec-agentlessd: INFO: Test passed for 'ssh_integrity_check_bsd'.
When it connects to the remote system, you will also see:
2008/12/12 15:25:19 ossec-agentlessd: INFO: ssh_integrity_check_bsd: root@xx.net: Starting. 2008/12/12 15:25:46 ossec-agentlessd: INFO: ssh_integrity_check_bsd: root@xx.net: Finished.
These are some of the alerts you will get:
For the ssh_generic_diff:
OSSEC HIDS Notification.
2008 Dec 12 01:58:30Received From: (ssh_generic_diff) root@xx.net->agentless
Rule: 555 fired (level 7) -> “Integrity checksum for agentless device changed.”
Portion of the log(s):ossec: agentless: Change detected:
35c35
< -rw-r–r– 1 root wheel 34 Dec 10 03:55 hosts.deny
—
> -rw-r–r– 1 root wheel 34 Dec 11 18:23 hosts.deny–END OF NOTIFICATION
For the PIX:
OSSEC HIDS Notification.
2008 Dec 01 15:48:03Received From: (ssh_pixconfig_diff) pix@pix.fw.local->agentless
Rule: 555 fired (level 7) -> “Integrity checksum for agentless device changed.”
Portion of the log(s):ossec: agentless: Change detected:
48c48
< fixup protocol ftp 21
—
> no fixup protocol ftp 21
100c100
< ssh timeout 30
—
> ssh timeout 50
More changes..–END OF NOTIFICATION
That’s it. If you run into any problems, let us know.
One of the most asked features in OSSEC is some kind of built-in reporting mechanism. For v1.7, we plan to have that included and we need some comments and ideas on what kind of features and formats would be most useful.
To get started, we created a standalone reporting tool so we can get the ideas flying. If you want to try it out, download the latest snapshot and look at the ossec-reportd tool. Here are some of the reports I am doing:
*the html is messing up with the output of the reports, so they will look a bit better in the terminal.
# cat /var/ossec/logs/alerts/alerts.log | ./src/monitord/ossec-reportd -n “Logins summary” -f group authentication_success
Report ‘Logins summary’ completed.
————————————————
->Processed alerts: 145557
->Post-filtering alerts: 401
->First alert: ..
->Last alert: ..Top entries for ‘Source ip’:
————————————————
127.0.0.1 |280 |
192.168.2.10 |88 |
192.168.2.15 |16 |
192.168.2.26 |6 |
192.168.2.17 |2 |Top entries for ‘Username’:
————————————————
dcid |336 |
aabbcxx |46 |
root |9 |
__vmware_user__ |4 |
vpxuser |2 |
Administrator |1 |
lac |1 |
# cat /var/ossec/logs/alerts/alerts.log | ./src/monitord/ossec-reportd -n “Logins summary” -f group authentication_success -r user srcip -r user location
Top entries for ‘Source ip’:
————————————————
127.0.0.1 |280 |
192.168.2.10 |88 |
192.168.2.15 |16 |
192.168.2.26 |6 |
192.168.2.17 |2 |Top entries for ‘Username’:
————————————————
dcid |336 |
aabbcxx |46 |
root |9 |
__vmware_user__ |4 |
vpxuser |2 |
Administrator |1 |
lac |1 |Related entries for ‘Username’:
————————————————
dcid |336 |
location: ‘enigma->/var/log/authlog’
srcip: ’192.168.2.15′
srcip: ’192.168.2.10′
srcip: ’127.0.0.1′
srcip: ’192.168.2.17′
srcip: ’192.168.2.26′
aabbcxx |46 |
location: ‘enigma->/var/log/authlog’
srcip: ’192.168.2.10′
root |9 |
location: ‘enigma->/var/log/authlog’
srcip: ’127.0.0.1′
srcip: ’192.168.2.15′
srcip: ’192.168.2.26′
srcip: ‘(none)’
__vmware_user__ |4 |
location: ‘(lili3win) 192.168.2.0->WinEvtLog’
srcip: ‘(none)’
vpxuser |2 |
location: ‘(vmesx51) any->/var/log/messages’
location: ‘(vmesx51) any->/var/log/vmware/hostd.log’
srcip: ’127.0.0.1′
Administrator |1 |
location: ‘(win2003-tbv4) any->WinEvtLog’
srcip: ‘(none)’
lac |1 |
location: ‘(lili3win) 192.168.2.0->WinEvtLog’
srcip: ‘(none)’
# # cat /var/ossec/logs/alerts/alerts.log | ./src/monitord/ossec-reportd -n “Failures summary” -f group authentication_failures
Top entries for ‘Source ip’:
————————————————
127.0.0.1 |5 |
218.56.61.114 |5 |
117.36.192.75 |2 |
219.90.103.44 |2 |
121.22.8.148 |1 |
122.141.177.51 |1 |
203.171.227.18 |1 |
211.156.250.179 |1 |
222.73.0.101 |1 |
85.24.137.233 |1 |Top entries for ‘Username’:
————————————————
root |7 |
dcid |5 |Top entries for ‘Rule’:
————————————————
5720 – Multiple SSHD authentication failures. |12 |
5712 – SSHD brute force trying to get access.. |8 |
# # zcat /var/ossec/logs/alerts/2008/Nov/*.gz | ./src/monitord/ossec-reportd -n “Month Summary”
Report ‘Month Summary’ completed.
————————————————
->Processed alerts: 274744
->Post-filtering alerts: 274744
->First alert: 2008 Nov 01 00:00:03
->Last alert: 2008 Nov 25 21:00:03Top entries for ‘Level’:
————————————————
Severity 4 |236552 |
Severity 10 |33194 |
Severity 3 |2219 |
Severity 7 |1649 |
Severity 5 |999 |
Severity 8 |57 |
Severity 6 |42 |
Severity 2 |25 |
Severity 12 |5 |
Severity 9 |2 |Top entries for ‘Group’:
————————————————
windows |270107 |
syslog |2694 |
ossec |1798 |
syscheck |1624 |
pam |1339 |
authentication_success |1321 |
sshd |953 |
errors |378 |
system_error |318 |
authentication_failed |161 |
invalid_login |120 |
vmware |117 |
recon |42 |
authentication_failures |32 |
win_authentication_failed |25 |
account_changed |24 |
stats |17 |
time_changed |17 |
service_availability |16 |
accesslog |10 |
web |10 |
su |9 |
access_control |8 |
access_denied |8 |
rootcheck |5 |
attacks |4 |
policy_changed |4 |
low_diskspace |3 |
sudo |3 |
logs_cleared |2 |
postgresql_log |1 |
system_shutdown |1 |Top entries for ‘Location’:
————————————————
(lili3win) 192.168.2.0->WinEvtLog |269806 |
(esqueleto2) 192.168.2.99->/var/log/auth.log |1338 |
(lili3win) 192.168.2.0->syscheck |1301 |
enigma->/var/log/authlog |960 |
enigma->/var/log/messages |321 |
(lili3win) 192.168.2.0->syscheck-registry |281 |
(win2003-tbv4) any->WinEvtLog |279 |
(vmesx51) any->/var/log/vmware/hostd.log |100 |
enigma->ossec-logcollector |80 |
(vmesx51) any->/var/log/messages |53 |
(win2003-tbv3) any->WinEvtLog |39 |
enigma->ossec-monitord |29 |
(win2003-tbv4) any->syscheck-registry |26 |
(esqueleto2) 192.168.2.99->/var/log/messages |24 |
(lili3win) 192.168.2.0->ossec |22 |
(esqueleto2) 192.168.2.99->ossec-logcollector |15 |
(vmesx51) any->ossec-logcollector |15 |
(esqueleto2) 192.168.2.99->/var/log/syslog |10 |
enigma->/var/www/logs/access_log |10 |
enigma->syscheck |7 |
(win2003-tbv4) any->syscheck |6 |
(vmesx51) any->/var/log/secure |4 |
(vmesx51) any->ossec |3 |
(win2003-tbv4) any->ossec |3 |
(lili3win) 192.168.2.0->rootcheck |2 |
(vmesx51) any->syscheck |2 |
(esqueleto2) 192.168.2.99->/var/log/postgres.. |1 |
(esqueleto2) 192.168.2.99->ossec |1 |
(esqueleto2) 192.168.2.99->rootcheck |1 |
(win2003-tbv3) any->ossec |1 |
(win2003-tbv4) any->rootcheck |1 |
enigma->/var/log/secure |1 |
enigma->dcid@127.0.0.1->syscheck |1 |
enigma->rootcheck |1 |Top entries for ‘Rule’:
————————————————
18105 – Windows audit failure event. |236165 |
18153 – Multiple Windows audit failure events. |33140 |
550 – Integrity checksum changed. |1484 |
5501 – Login session opened. |666 |
5502 – Login session closed. |666 |
5715 – SSHD authentication success. |580 |
18108 – Failed attempt to perform a privileg.. |354 |
18103 – Windows error event. |318 |
1005 – Syslogd restarted. |313 |
5716 – SSHD authentication failed. |155 |
551 – Integrity checksum changed again (2nd .. |121 |
5710 – Attempt to login using a non-existent.. |119 |
591 – Log file rotated. |110 |
19104 – VMware ESX warning message. |47 |
5706 – SSH insecure connection attempt (scan). |42 |
503 – Ossec agent started. |29 |
19110 – VMWare ESX authentication success. |28 |
5704 – Timeout while logging in (sshd). |28 |
1002 – Unknown problem somewhere in the syst.. |25 |
1006 – Syslogd restarted. |25 |
18130 – Logon Failure – Unknown user or bad .. |25 |
504 – Ossec agent disconnected. |25 |
18111 – User account changed. |24 |
18151 – Multiple failed attempts to perform .. |19 |
552 – Integrity checksum changed again (3rd .. |19 |
11 – Excessive number of events (above norma.. |17 |
18107 – Windows Logon Success. |17 |
18140 – System time changed. |17 |
19112 – VMWare ESX user login. |17 |
5720 – Multiple SSHD authentication failures. |17 |
1004 – Syslogd exiting (logging stopped). |12 |
19120 – Virtual machine state changed to OFF. |12 |
5712 – SSHD brute force trying to get access.. |12 |
31101 – Web server 400 error code. |10 |
5303 – User successfully changed UID to root. |9 |
2503 – Connection blocked by Tcp Wrappers. |8 |
18147 – Application Installed. |6 |
18149 – Windows User Logoff. |6 |
5503 – User login failed. |6 |
18113 – Windows Audit Policy changed. |4 |
19103 – VMware ESX error message. |4 |
40112 – Multiple authentication failures fol.. |4 |
502 – Ossec server started. |4 |
510 – Host-based anomaly detection event (ro.. |4 |
1007 – File system full. |3 |
18152 – Multiple Windows Logon Failures. |3 |
19121 – Virtual machine being turned ON. |3 |
19122 – Virtual machine state changed to ON. |3 |
19150 – Multiple VMWare ESX warning messages. |3 |
18118 – Windows audit log was cleared. |2 |
18119 – First time this user logged in this .. |2 |
18126 – Remote access login success. |2 |
5402 – Successful sudo to ROOT executed |2 |
18109 – Session reconnected/disconnected to .. |1 |
18117 – Windows is shutting down. |1 |
18146 – Application Uninstalled. |1 |
501 – New ossec agent connected. |1 |
50521 – Database shutdown messge. |1 |
512 – Windows Audit event. |1 |
5403 – First time user executed sudo. |1 |
5504 – Attempt to login with an invalid user. |1 |
Comments and suggestions are welcome. We plan to make it a part of monitord to be able to do daily or hourly reports for certain options.
From http://www.ossec.net/main/ossec-v161-released:
”
We are pleased to announce the general availability of OSSEC version 1.6.1. This is a small version with bug fixes for some issues found on v1.6.
For a list of features in the version 1.6, please visit: OSSEC v1.6 released.
For a list of issues that were solved, visit the Changelog.
Download it from: http://www.ossec.net/main/downloads .
Thanks!
Direct from: http://www.ossec.net/main/ossec-v16-released
”
We are pleased to announce the general availability of OSSEC version 1.6.
This new version delivers the most comprehensive update to OSSEC in its history, with numerous new features and bug fixes, including:
And much more… Check the changelog to see all changes and contributors.
Download it from: http://www.ossec.net/main/downloads .
Special thanks to Michael Starks, Chris Buechler and Joachim Vorrath for the contributions and ChuckD (mdmonk), Daniel Medianero and John Ives for beta testing this release.
“
If you would like to contribute to the project and don’t know how, beta testing our version 1.6 might be a good way to get started.
The list of new features, bug fixes and packages to use are all available at: http://www.ossec.net/wiki/index.php/Dev:BetaTesting
From BETA1, very little has changed, but we added:
If you run into any issues, please let us know. Thanks for testing!
Another big feature that we never got around to implement until now. For version 1.6, OSSEC will come with the route-null.cmd script to block an IP address on Windows by modifying the route to it.
To get started, you will need at least the snapshot http://www.ossec.net/files/snapshots/ossec-win32-080820.exe
and the latest snapshot for the management server too.
With that installed, you need to enable active response on Windows (disabled by default). To do that, just add the following to the agent’s ossec.conf:
<active-response>
<disabled>no</disabled>
</active-response>
After that, you need to go to the manager and specify when to run the response. Adding the following to ossec.conf will enable the responses for alerts above level 6:
<command>
<name>win_nullroute</name>
<executable>route-null.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command><active-response>
<command>win_nullroute</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
With the configuration completed (and the manager restarted), you can test the active response by running the agent-control script (in this case, I am running it on agent id 185 to block ip 2.3.4.5):
# /var/ossec/bin/agent_control -L
OSSEC HIDS agent_control. Available active responses:
Response name: host-deny600, command: host-deny.sh
Response name: firewall-drop600, command: firewall-drop.sh
Response name: win_nullroute600, command: route-null.cmd# /var/ossec/bin/agent_control -b 2.3.4.5 -f win_nullroute600 -u 185
OSSEC HIDS agent_control: Running active response ‘win_nullroute600′ on: 185
And looking at the agent you should see the new entry in the route table:
C:>route print
..
Active Routes:
Network Destination Netmask Gateway Interface Metric
2.3.4.5 255.255.255.255 x.y.z x.y.z 1
..
If you run into any issues, look at the ossec.log file (on the agent) for any entry for ossec-execd. If you enabled it correctly, you will see:
2008/08/20 11:53:49 ossec-execd: INFO: Started (pid: 3896).
As always, we are very open to suggestions, comments, bug reports, etc.
Thanks,
For those looking to install OSSEC on the OLPC (One Laptop per Child), I was able to do it without major issues. Their system is based on the Fedora 7, so I just had to install make, gcc and the libc-headers.
A quick sequence of commands:
# yum -y install gcc make glibc-headers glibc-dev
# wget http://www.ossec.net/files/ossec-hids-1.5.1.tar.gz
# tar -zxvf ossec-hids-1.5.1.tar.gz
# cd ossec-hids-1.5.1
# ./install.sh
..
I just finished adding support for Vista/Server 2008 on OSSEC. We had some server(manager)-side changes to understand the new events ids and lots of changes on the agent side. If you have any Vista or Server 2008, please help us test it.
You can download the server at: http://www.ossec.net/files/snapshots/ossec-hids-080721.tar.gz
Agent download at: http://www.ossec.net/files/snapshots/ossec-win32-080721.exe
Make sure to update the server first, before the agent. If you find any issues, or if you test and it works fine, please let me know.
*I would also like to thank Chris Buechler for the remote access to some of his boxes to make this possible.
We just included support in the OSSEC Policy monitor to audit if a system is in compliance with the CIS Security Benchmarks (as of right now, only RHEL2-5, Fedora 1-5 and Debian/Ubuntu are supported – the other versions will be soon).
If you want to try it out manually and provide some feedback to us, please follow the instructions bellow to test:
First, grab the latest CVS snapshot and compile it (it will be included on v1.6 and above):
# wget http://www.ossec.net/files/snapshots/ossec-hids-080710.tar.gz
# tar -zxvf ossec-hids-080710.tar.gz
# cd ossec-hids-080710/src/
# make clean
# make libs
# cd rootcheck
# make binary
The binary ossec-rootcheck will be created on the current directory and we can start using it. A simple scan on my Ubuntu box looked like this: (note, that it will do all the normal rootcheck tests plus the CIS scans — just grep for CIS if you don’t want to see the rest):
# ./ossec-rootcheck
..[INFO]: System Audit: CIS – Testing against the CIS Debian Linux Benchmark v1.0. File: /proc/sys/kernel/ostype. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
[INFO]: System Audit: CIS – Debian Linux 1.4 – Robust partition scheme – /tmp is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
[INFO]: System Audit: CIS – Debian Linux 1.4 – Robust partition scheme – /var is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
[INFO]: System Audit: CIS – Debian Linux 2.3 – SSH Configuration – Root login allowed. File: /etc/ssh/sshd_config. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
[INFO]: System Audit: CIS – Debian Linux 2.4 – System Accounting – Sysstat not enabled. File: /etc/default/sysstat. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
[INFO]: System Audit: CIS – Debian Linux 4.18 – Disable standard boot services – Squid Enabled. File: /etc/init.d/squid. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
[INFO]: System Audit: CIS – Debian Linux 7.2 – Removable partition /media without ‘nodev’ set. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
[INFO]: System Audit: CIS – Debian Linux 7.2 – Removable partition /media without ‘nosuid’ set. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
[INFO]: System Audit: CIS – Debian Linux 7.3 – User-mounted removable partition /media. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
[INFO]: System Audit: CIS – Debian Linux 8.8 – GRUB Password not set. File: /boot/grub/menu.lst. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
..
Anyone here using CIS (or FDCC)? As always, feedback and suggestions are welcome.