OSSEC on Network security hacks

I was very pleased to find out that OSSEC was featured on hack 86 – Centrally Monitor the Security Posture of Your Servers (under chapter 8 – Logging) of the Network Security Hacks (2nd edition) book.

I had the opportunity to browse through the contents and it seemed pretty good, although the author used a very old version (0.8) in the examples. Anyway, if you have a Safari account you can check it out online or you can buy the book. Since he mentions OSSEC, it must be very good 🙂

Remote log injection paper

I just finished an article about “Remote log injection”, that among other things, exposes some vulnerabilities in DenyHosts, Fail2ban and BlockHosts that can lead to arbitrary injection of IP addresses into /etc/hosts.deny. To make it more “interesting” (i.e. worse), not only IP addresses can be added, but also the wildcard “all”, causing it to block the whole Internet out of the box (bypassing white lists).

The paper is available here: https://dcid.me/texts/attacking-log-analysis-tools.html

Snippet from the article:

The purpose of this article is to point out some vulnerabilities that I found in open source log analysis tools aimed at stopping brute force scans against SSH and ftp services. Since these tools also perform active response (automatically blocking the offending IP address), they are good examples. However, any tool that parses logs can be equally vulnerable.

We will show three 0-day denial-of-service attacks caused by remote log injection on BlockHosts, DenyHosts and fail2ban.

This paper talks about remote log injection, where an external attacker can modify a log based on the input they provide to an application (in our case OpenSSH and vsftpd). By modifying the way the application logs, we are able to attack these log analysis tools. We are not talking about local log modification or “syslog injection”.
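An added example (not code from the paper or from any of the tools named above) of the parsing mistake this class of attack relies on, next to its defensive fix: a tool that grabs the first `from <token>` in an sshd line can be steered by attacker-chosen username text, while anchoring on the fixed trailer sshd itself appends and validating the token as an IP literal keeps bogus addresses and the `all` wildcard out of hosts.deny. The log lines, addresses and function names are constructed for this example.

```python
import ipaddress
import re

# Constructed sshd log lines for this example (not taken from the paper).
# Lines 2 and 3 model the failure mode: the attacker-chosen username
# contains text shaped like the "from <addr> port <n> ssh2" trailer.
SAMPLE_LINES = [
    "sshd[1234]: Failed password for invalid user bob from 203.0.113.7 port 50123 ssh2",
    "sshd[1235]: Failed password for invalid user bob from 198.51.100.9 port 1 ssh2"
    " from 203.0.113.8 port 50124 ssh2",
    "sshd[1236]: Failed password for invalid user x from all port 1 ssh2"
    " from 203.0.113.9 port 50125 ssh2",
]

# Vulnerable pattern: stops at the first "from <token>", wherever it sits.
NAIVE_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")

# Hardened pattern: the username may contain anything, but the trailer that
# sshd itself appends must close the line, so the real address is the last one.
HARDENED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>.*) from (?P<ip>\S+) "
    r"port (?P<port>\d+) ssh2$"
)

def naive_offender(line):
    """Returns whatever token follows the first 'from' (the bug described above)."""
    m = NAIVE_RE.search(line)
    return m.group(2) if m else None

def hardened_offender(line):
    """Anchors on the sshd trailer and only returns a syntactically valid IP address."""
    m = HARDENED_RE.search(line)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group("ip")))
    except ValueError:  # e.g. 'all' or other junk: never trust it
        return None

def hosts_deny_entry(offender, whitelist=frozenset()):
    """Builds the hosts.deny line only for a validated, non-whitelisted address."""
    try:
        addr = ipaddress.ip_address(offender)
    except (ValueError, TypeError):
        return None
    if str(addr) in whitelist:
        return None
    return f"ALL: {addr}"
```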

OSSEC Presentations at AusCERT/Confidence

During the month of May I went to AusCERT and Confidence to talk about OSSEC (i.e. Log analysis using OSSEC). In both presentations I mentioned LIDS (Log-Based intrusion detection), and provided an overview of the ossec architecture and how to write decoders and rules. If you want to learn a bit more about ossec, take a look at them.

Note that both presentations are very similar, but the AusCERT one is a bit more organized, so I recommend reading it first.

  • OSSEC at AusCERT (Log-based Intrusion detection using OSSEC).
  • OSSEC at Confidence (Log analysis using OSSEC).

Hope you enjoy!

Sqlmanager scans

I have three honeypots looking for web attacks/scans and lately all three of them detected scans looking for sqlmanager (mysqlmanager). This is the first time I have seen scans looking for it and I couldn’t find any reference to new vulnerabilities related to it. I changed my honeypots to respond successfully to these scans to be able to see what the exploits are all about.

Received From: hn1->/var/log/httpd/error_log
Rule: 30114 fired (level 10) -> "Multiple attempts to access non-existent files (web scan) from same source."
Portion of the log(s):

[Mon May 28 15:56:00 2007] [error] [client 75.xx.xx.xx] File does not exist: /var/www/html/p
[Mon May 28 15:56:00 2007] [error] [client 75.xx.xx.xx] File does not exist: /var/www/html/mysqlmanager
[Mon May 28 15:55:59 2007] [error] [client 75.xx.xx.xx] File does not exist: /var/www/html/sqlmanager
[Mon May 28 15:55:59 2007] [error] [client 75.xx.xx.xx] File does not exist: /var/www/html/pma2006
[Mon May 28 15:55:59 2007] [error] [client 75.xx.xx.xx] File does not exist: /var/www/html/PMA2006
[Mon May 28 15:55:59 2007] [error] [client 75.xx.xx.xx] File does not exist: /var/www/html/dbadmin
[Mon May 28 15:55:59 2007] [error] [client 75.xx.xx.xx] File does not exist: /var/www/html/admin
[Mon May 28 15:55:59 2007] [error] [client 75.xx.xx.xx] File does not exist: /var/www/html/PMA
[Mon May 28 15:55:59 2007] [error] [client 75.xx.xx.xx] File does not exist: /var/www/html/web
[Mon May 28 15:55:59 2007] [error] [client 75.xx.xx.xx] File does not exist: /var/www/html/db

--END OF NOTIFICATION

Any ideas out there? Did I miss something?

Log analysis using Snort?

On the Snort mailing list there was a thread about detecting authentication failures (on ssh, apache, ftp, etc) using Snort. I love Snort, but using a NIDS (Network-Based IDS) for this kind of stuff is trying to use the right tool for the wrong reasons (yes, we could even write a syslog parser using it).

That’s why we need LIDS (Log-based Intrusion detection). Check out my reply to this thread:

That’s what I would call using the right tool for the wrong reasons (or something like that).

The provided sshd signature does not detect brute force attacks, but multiple connections from the same
source ip (failed or not). The HTTP signature can easily generate false positives since you are just
looking for the content “404”, and it would not work with SSL…

My point is: why not use log analysis to detect failed logins (and brute force attacks)? Both sshd, apache,
apache-ssl, ftp, telnet, etc., etc., log every failed login attempt (and every successful login attempt).

By using log analysis you can reliably detect every failure and you don’t need to worry about encrypted
traffic. Plus, you can do more useful stuff, like detecting multiple failed login attempts followed
by a success (successful brute force attack) and monitoring every successful login to your systems.

I wrote a paper a while back with some patterns that we can look for in authentication logs:

http://www.ossec.net/en/loganalysis.html

And if you are looking for an open source tool to monitor all your logs (from Apache to sshd, proftpd,
Windows logs, etc, etc), with the ability to execute active responses based on them (blocking ips,
disabling users, etc), you can try ossec*:

Home

http://www.ossec.net/wiki/index.php/FAQ

*note that I am the author of this tool.

hope it helps.
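As an added example (not part of the thread and not OSSEC code), the pattern the reply singles out, several failed logins followed by a success from the same source, implemented as a small log-analysis pass over constructed sshd syslog lines; the threshold and timeframe parameters mirror what a rule engine would expose, and the hostname, addresses and timestamps are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog-style sshd lines for this example (not real traffic).
# Source 203.0.113.5 fails three times and then succeeds; 198.51.100.2 fails once.
LOG = """\
May 28 15:55:01 hn1 sshd[2001]: Failed password for root from 203.0.113.5 port 40001 ssh2
May 28 15:55:03 hn1 sshd[2002]: Failed password for root from 203.0.113.5 port 40002 ssh2
May 28 15:55:05 hn1 sshd[2003]: Failed password for root from 203.0.113.5 port 40003 ssh2
May 28 15:55:08 hn1 sshd[2004]: Accepted password for root from 203.0.113.5 port 40004 ssh2
May 28 15:56:00 hn1 sshd[2005]: Failed password for alice from 198.51.100.2 port 40005 ssh2
May 28 15:57:00 hn1 sshd[2006]: Accepted publickey for alice from 198.51.100.2 port 40006 ssh2
"""

# Anchored on the trailer sshd appends, so the address is taken from the end of the line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def detect_brute_force_success(text, threshold=3, timeframe=120, year=2007):
    """Return (ip, user, failures) for every success preceded by >= threshold
    failures from the same source within timeframe seconds."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authentication event; ignore
        # syslog omits the year, so pin it to parse the timestamp
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = failures[m["ip"]]
        while window and (ts - window[0]).total_seconds() > timeframe:
            window.popleft()  # age out failures beyond the timeframe
        if m["outcome"] == "Failed":
            window.append(ts)
        elif len(window) >= threshold:
            alerts.append((m["ip"], m["user"], len(window)))
            window.clear()  # do not re-alert on the same burst
    return alerts
```

Run on the sample it reports root from 203.0.113.5 with three failures; the lone failure from 198.51.100.2 stays below the threshold, and a shorter timeframe ages the burst out before the success arrives.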

OSSEC on AusCERT 2007

If anyone is noticing that I am too quiet lately, it is because of looong hours in the plane (first Canada to Poland, now Canada to Australia). Anyway, this week I will be representing OSSEC at AusCERT 2007 and my presentation will be “Log-based Intrusion detection using OSSEC”. If you want to learn more about OSSEC and log analysis, it is a good opportunity.

Btw, if there is any OSSEC user attending the conference, let me know and we can get together and chat somewhere. Especially considering that they reduced my talk to only 35 minutes, I will not be able to talk about everything I wanted…

OSSEC v1.2 available

We are pleased to announce the availability of OSSEC version 1.2. This new version comes with lots of new features, including:

  • Support for OpenBSD PF logs.
  • Support for compiled (c-based) decoders.
  • New options for composite rules: “srcport”, “dstport”, “same_src_port”, “same_dst_port” and
    “same_location”.
  • Additional granular e-mail options. We added “sms” format output and many other options.
  • Support for Zeus WebServer logs.
  • Support for daily/chained checksum of alert logs.

We also completed a large re-design of the internal architecture of analysisd (the ossec process responsible for decoding and analysis), greatly improving performance and organization.

A list with all the new functionality and bug fixes is available at the Changelog.

Download the new version: http://www.ossec.net/en/downloads.html

OSSEC at CONFIDENCE 2007

OSSEC will be represented at CONFIDENCE 2007 where I will be speaking about Log analysis using ossec. If you live in Poland (or nearby), and want to learn a little more about OSSEC, make sure to attend. Some great speakers will be there, including Anton Chuvakin, Richard Bejtlich, etc.

I will make sure to provide a link to the presentation once the conference is over.

OSSEC Logo chosen!

Our logo/mascot contest has just finished and we have a winner (and a brand new logo)! The winner is Andres Armeda from Applied Watch with the following design:

We also want to thank everyone for the other designs that were sent to us, and say that they were all great! We really appreciate the contribution.

Check out all the submissions here and the final contest page.

Thanks again everyone!! I really want a t-shirt with this logo.. 🙂

OSSEC v1.2 BETA1 available

OSSEC v1.2 is soon to be released and we need some help beta testing it. As I always say, trying out our beta releases is a simpler and very effective way of helping the project.

Where can you download it?
v1.2 beta for Unix/Linux
v1.2 beta for Windows

What kind of things need to be tested?

  • We need to make sure it compiles fine on all platforms and operating systems. We changed the internals quite a bit and we may have missed something. Try on Solaris, NetBSD, FreeBSD, AIX, HP-UX, any Linux distribution that you have.
  • Make sure your local rules still work and it can parse all your logs.
  • Try the new features, including the log signing and the granular e-mail configuration that I mentioned in previous posts.
  • On Windows, make sure there are no false positives regarding our new NTFS ADS check.

Let us know if you find anything wrong…