OSSEC WUI version 0.2 is available

We are pleased to announce the release of the first non-BETA version of the OSSEC web interface (v0.2). This version contains the following features and bug fixes:

  • Added real time monitoring to the search page.
  • Added support for paginated search results.
  • Added “Log Format” as an option to allow searches based on the log format.
  • Added integrity checking page to allow monitoring of changed files/registry entries.

The full release message is available here.

Download it from here.

Install guide here.

As always, comments are welcome…

Finding ADS on NTFS

ADS (Alternate Data Streams) is a “feature” of NTFS (the file system used on Windows 2000, XP, etc.) that permits files to be completely hidden from the system. You can read more about ADS in these two links: windowsecurity.com ADS and lads.

Currently I am working on merging rootcheck (an anomaly detection module) to Windows, and one of the things it needs to detect is hidden files using NTFS ADS. However, so far, I couldn’t find any open source tool that detects them (yes, there are freeware programs out there, but no source code). Most of the articles I read point to lads, which is free, but not open source.

So, to fill this gap, I am releasing a beta version of a small tool (ads_dump) that scans a given directory and prints every ADS found. It is a standalone tool, but it will soon be included in ossec.

You can download it from here and the source code (GPL v2) from here.

Using this tool is very simple: execute it and pass the directory to scan as an argument. It is going to print every ADS found. Example:

C:\>ads_dump.exe
ads_dump.exe dir

C:\>echo hidden > C:\temp/a:hidden
C:\>echo hidden > C:\temp/a:hidden2
C:\>ads_dump.exe C:\temp
Found NTFS ADS: 'C:\temp\a:b'
Found NTFS ADS: 'C:\temp\a:hidden'
Found NTFS ADS: 'C:\temp\a:hidden2'

*Please note that it is still in beta (comments and suggestions are welcome). It will also be included in the next version of ossec as part of the Windows anomaly detection module.
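For anyone who wants to run the same check without a separate binary, here is an added example (not the ads_dump source or OSSEC code) that enumerates named streams with PowerShell's Get-Item -Stream, available on Windows PowerShell 3.0 and later on NTFS volumes; the function name and output fields are my own choices.

```powershell
function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Recurse
    )
    # -Force includes hidden and system files so they are not skipped;
    # access-denied errors are suppressed so one locked file does not stop the scan.
    Get-ChildItem -LiteralPath $Path -File -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * lists every stream on the file. ':$DATA' is the file's
            # normal content, so anything else is an alternate data stream.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $_.FileName
                        Stream = $_.Stream   # e.g. 'hidden', or 'Zone.Identifier' on downloaded files
                        Bytes  = $_.Length
                    }
                }
        }
}

# Usage (constructed path, matching the ads_dump demo above):
# Find-AlternateDataStream -Path 'C:\temp' -Recurse | Format-Table -AutoSize
```

A Zone.Identifier stream is written by browsers on downloaded files and is expected; streams with other names on files that should not have them are the ones worth a closer look.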

OSSEC Web UI v0.2 beta 1 available

The first beta of the ossec wui v0.2 is available for our beta testers. As I mentioned before, the best way to get involved in the project is by helping us test our beta releases. If you do so, please let us know how it went.

You can download the beta 1 from here.

You can follow the same steps as mentioned here to install.

New features include paginated search results, real time monitoring of alerts, a new integrity checking page and many other things (saving the details for the official release).

Let us know of any bugs or suggestions that you may have.

OSSEC in the news

For those that missed it, ossec has gained a lot of attention lately, especially with these articles from Linux World and Network World:

You can see all other stories about ossec at our in the news wiki section.

New ossec member

I am happy to announce the arrival of a new member to the ossec team. He is only 51cm tall and weighs around 3.4kg, but we expect great contributions from him as soon as he can start coding. He has no name yet, but we will find one soon (no one liked the “root” idea). The whole family is happy and doing well.

*Update (Mar 16) – Finally a name was chosen: Davi Cid

OSSEC v1.1 BETA1 available

If you are looking for a way to help the project, here is your chance. We just released the first beta of the 1.1 version and we need beta testers. This version has numerous bug fixes and new features, so a great deal of QA will be required. If you try it out, let us know whether it worked or not (and provide the operating system/version that you used).

Partial changelog:

  • Added support for hostnames in the server-ip configuration. Use “server-hostname” to specify it.
  • Added granular e-mail configuration options. Extra email_alerts options can be added based on the severity or event location.
  • Added support for Solaris 10 and OpenBSD su messages.
  • Improved Windows installer to use NSIS Modern UI.
  • Added overwrite attribute to the rules. It allows an entire rule to be overwritten. Example to overwrite rule 1002:

<rule id="1002" level="8" overwrite="yes">
  <match>Segmentation|XYZ</match>
  <description>Rule 1002 overwritten.</description>
</rule>

You can download the Unix and Windows files from:
http://www.ossec.net/files/snapshots/

Let us know of any question (dcid @ ossec.net).

Log alerts from OSSEC (NSM 2)

Richard Bejtlich, from taosecurity, posted two interesting blog entries, where he mentions some ossec alerts.

He says that he got some ossec log alerts, but lacked more information regarding what to do with them. I agree with his assessment, where he used Sguil to get more network-based details to see what happened during that time. However, in addition to using a network sensor, he could have set up a log server, where he would be able to do a great deal of analysis with his log data (without ever touching the affected system).

Using firewall logs, for example, he would be able to see all connections during that time from that IP address. Looking at authentication messages from all his systems, he would be able to see if that IP was ever able to connect remotely, or if it ever accessed any other service (like http or his mail server, etc).

What am I trying to say here? Well, as I said before, I just want to point out that Network Security Monitoring (NSM) along with log analysis can provide much more visibility than either of the two alone.