Process monitoring with OSSEC

We love logs. Inside OSSEC we treat everything as if it were a log and parse it with our rules. However, some information is not available in log files, and we still want to monitor it. To close that gap, we added the ability to monitor the output of commands via OSSEC and treat it just like a log file.

For example, to monitor disk space utilization you previously had to set up a cron job to dump the output of “df -h” to a log file (maybe /var/log/df.log) and configure OSSEC to look at that file.

*use the latest snapshot if you want to try it out: http://www.ossec.net/files/snapshots/ossec-hids-091105.tar.gz

Now, with the new version of OSSEC, you can do it directly with the following configuration:

<localfile>
<log_format>command</log_format>
<command>df -h</command>
</localfile>

Since we already have a sample rule for df -h included in OSSEC, you would see the following when any partition reaches 100%:

** Alert 1257451341.28290: mail  - ossec,low_diskspace,
2009 Nov 05 16:02:21 (home-ubuntu) 192.168.0.0->df -h
Rule: 531 (level 7) -> 'Partition usage reached 100% (disk space monitor).'
Src IP: (none)
User: (none)
ossec: output: 'df -h': /dev/sdb1 24G 12G 11G 100% /var/backup

Another example: if you want to monitor the load average, you can configure OSSEC to monitor the “uptime” command and alert when it goes above 2, for example:

<localfile>
<log_format>command</log_format>
<command>uptime</command>
</localfile>

And in the rule:

<rule id="100101" level="7" ignore="7200">
<if_sid>530</if_sid>
<match>ossec: output: 'uptime': </match>
<regex>load averages: 2.</regex>
<description>Load average reached 2.x.</description>
</rule>

Two caveats with that regex before you copy it. It only matches a one-minute load of 2.xx: a load of 3.00 or 12.00 produces no alert (in OSSEC's regex syntax “anything” is written \. and a bare dot is literal, so the trailing dot only matches the decimal point). And it only matches systems whose uptime prints the plural “load averages:”; Linux prints “load average:”, so adjust the pattern to the platforms you monitor and run a sample line through ossec-logtest before relying on it.
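To see how command output becomes events and how rules like the ones above match them, here is an added example in Python (my code, not part of the original post and not OSSEC's own matcher). It builds the same “ossec: output: '<command>': ” event lines from constructed df and uptime output and runs three predicates over them: the 100% disk rule, a literal emulation of rule 100101, and a threshold rule that parses the one-minute load number so it works for either wording and for any load at or above 2. The sample outputs and every function name are constructed for this example.

```python
import re

# Constructed sample output, not captured from a real host. OSSEC with
# <log_format>command</log_format> runs the command periodically and turns
# each output line into one event prefixed "ossec: output: '<command>': ".
DF_OUTPUT = """Filesystem      Size  Used Avail Use% Mounted on
/dev/sda1        40G   20G   18G  53% /
/dev/sdb1        24G   12G   11G 100% /var/backup"""

# The same situation on two platforms: BSD/macOS print "load averages:",
# Linux (procps) prints "load average:".
UPTIME_OUTPUTS = {
    "bsd_load_2":    "16:02  up 3 days, 2 users, load averages: 2.31 1.80 1.20",
    "bsd_load_5":    "16:02  up 3 days, 2 users, load averages: 5.10 4.00 3.50",
    "linux_load_2":  " 16:02:21 up 3 days,  2:10,  2 users,  load average: 2.31, 1.80, 1.20",
    "linux_load_12": " 16:02:21 up 3 days,  2:10,  2 users,  load average: 12.07, 9.90, 8.00",
    "bsd_idle":      "16:02  up 3 days, 2 users, load averages: 0.15 0.10 0.05",
}


def command_events(command, output):
    """Build event lines in the form shown in the alerts on this page."""
    return [f"ossec: output: '{command}': {line}" for line in output.splitlines()]


def partition_full(event):
    """Rough equivalent of the built-in df rule: the event comes from 'df -h'
    and some partition reports 100% use."""
    return (event.startswith("ossec: output: 'df -h': ")
            and re.search(r"\s100%\s", event) is not None)


def page_load_rule(event):
    """Literal emulation of rule 100101: <match> on the uptime prefix, then
    <regex>load averages: 2.</regex>.  The only loads this can hit are 2.xx,
    and only on hosts that print the plural wording."""
    return (event.startswith("ossec: output: 'uptime': ")
            and re.search(r"load averages: 2\.", event) is not None)


LOAD_RE = re.compile(r"load averages?: *([0-9]+\.[0-9]+)")


def one_minute_load(event):
    """Parse the 1-minute load from either wording; None if the event has none."""
    m = LOAD_RE.search(event)
    return float(m.group(1)) if m else None


def threshold_load_rule(event, threshold=2.0):
    """What the text actually wants: alert when the 1-minute load is >= threshold."""
    load = one_minute_load(event)
    return load is not None and load >= threshold


def matching_rules(events, rules):
    """Run every (name, predicate) pair over every event; return the hits."""
    return [(name, event) for event in events for name, rule in rules if rule(event)]


RULES = [("partition_full", partition_full),
         ("page_load_rule", page_load_rule),
         ("threshold_load_rule", threshold_load_rule)]


def demo():
    """Feed all constructed outputs through the rules; returns (rule, event) hits."""
    events = command_events("df -h", DF_OUTPUT)
    for output in UPTIME_OUTPUTS.values():
        events += command_events("uptime", output)
    return matching_rules(events, RULES)


if __name__ == "__main__":
    for name, event in demo():
        print(f"{name:20} <- {event}")
```

Run it and the page's regex fires once (the BSD line with load 2.31) while the threshold rule fires on all four loaded hosts, including the Linux wording and the load of 12.07. A real OSSEC rule cannot do the numeric comparison, which is why the threshold you want has to be encoded in the pattern itself and tested per platform.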

Lots of possibilities with this feature. If you have ideas for commands to monitor and rules to go with them, please comment.

OSSEC Award daemon

Received a beautiful plaque from the OSSEC community (Michael Starks, I know it was your idea :)) and it says (in the OSSEC alert format):

OSSEC HIDS Notification
2010 Oct 20 15:10:04
Received from: ossec-community->/var/log/community.log
Rule: 1000000 (Level: 15) -> “A sincere thanks”
Portion of the log(s):

Oct 20 15:10:04 allhosts ossec-awardd[423]: To: Daniel Cid. From: OSSEC Community. Thank you for your tireless devotion to making our digital world a safer place.

END OF NOTIFICATION

It was the last thing I was expecting and it meant a lot to me, thanks! This week of OSSEC is getting better each day 🙂

2WoO: Day 3: Contributing to OSSEC

There are many types of open source projects out there. Many have an open code base (GPL, BSD, etc.), but not all of them have an open culture.

On OSSEC, we try to be fully open. Not only the source code, but open to contributions, open to new developers, open to new ideas and open (friendly) to new users. So if you want to become involved and participate in this project, we have a few recommendations.

These recommendations will probably be valid for most open source projects, not only OSSEC.

How to get started:

1-The first thing you have to do is become an active OSSEC user. I mean, install it on as many machines as you can, try different setups, find things you don’t like and start from there. Become passionate about it if you want to make a difference.

2-Start small. As with any project, it takes some time to get used to how it works and how the code is organized. So start with simple things. Even if you only spot a typo, fix that first and send us the patch.

3-Consider contributing your customizations. If you had to add a simple local rule to ignore a noisy event, send that to us! Get the log that was causing the false alert and the rule you created, and send them to our development mailing list or to our IRC channel (details below).

4-Get involved on our mailing lists and on IRC to see the needs and issues most users have.

5-You don’t need to be a developer or code in C. You can contribute with documentation, with the rules/decoders or even by testing it. We also have our web interface (PHP) and active responses/install scripts (in shell) that you can help out with. So no excuses 🙂

Getting involved:

1-Our code base is available on Bitbucket: http://bitbucket.org/dcid/ossec-hids/

2-Our documentation is also on Bitbucket: http://bitbucket.org/jrossi/ossec-rules

3-We are always on IRC (#ossec on irc.freenode.org). That’s the best way to get quick feedback from us and get to know everyone actively involved.

4-We also have a development mailing list, but IRC is recommended.

If you don’t know how to access our repository on Bitbucket, this link should help you: http://hginit.com

Any questions, let us know.

OSSEC v2.5.1 released

Early this week we pushed OSSEC v2.5.1 out but forgot to mention it here on the blog. If you had issues with v2.5, you can download the new version here: http://www.ossec.net/main/downloads/

Some of the things we fixed/added:

-Logcollector crashing when using some globs.
-Logcollector crashing with the alias command monitoring.
-Analysisd crashing with report_changes enabled + local ignore rules.
-Some Windows rules were not matching properly.
-Added no_ar option to the rules (by Jeremy Rossi and Scott at atomicrocketturtle.com)
-Docs fixed by Michael Starks.

Also, if you are having issues with HP-UX, try this snapshot where we fixed it: http://www.ossec.net/files/snapshots/ossec-hids-101014.tar.gz (the fix didn’t get included in v2.5.1).

Week of OSSEC (2WoO) – Oct 17-23

Taken from: http://www.ossec.net/main/week-of-ossec-2woo-oct-17-23

Week of OSSEC: Day -2
Michael Starks had the great idea to get everyone together and organize the second annual Week of OSSEC. Last year he was the only one participating, but this year we hope to have many contributions.

To get started, Syngress decided to help out and release a few chapters of the OSSEC book for free. Plus, they are giving 30% off the book to anyone interested. Just go here and use the promotion code “43663”.

The PDFs for the book can be downloaded here:

Chapter 2 – Installation
Chapter 3 – General configuration
Chapter 4 – Writing log analysis rules

For updates on the Week of OSSEC, I will be “tweeting” new articles: @danielcid and @ddpbsd as well.

Some blogs to follow for updates:

Michael Starks
Daniel Cid
Dan Parriott
Xavier Mertens (he already started with a nice post).
Jason Frisvold
David Dede

And I am sure many others. If you plan on contributing, send me a note and I will add your blog/twitter link here.

OSSEC v2.5 released

OSSEC v2.5 is out. From http://www.ossec.net/main/ossec-v25-released:

We are very happy to announce the availability of OSSEC version 2.5.

This has been a long release cycle (5 months), but it comes out pretty stable and with many new features. We also had many contributors, showing how much our community is growing and getting stronger. In addition, our documentation and manual have been moved to http://www.ossec.net/doc/ .

What is new?

  1. Added support for “report_changes” on syscheck to show what was changed in the file modification alert.
  2. Added support for cdb lists inside the rules.
  3. Added support for drop-in rules and decoders directories.
  4. Added a rule unit testing framework (in Python) and inside logtest.
  5. Added support for a generic multi-line log reader.
  6. Added granular Windows rules.
  7. Added option to restrict integrity checking to a set of files.
  8. Added alias option to the command monitoring.
  9. Added silent switch for the Windows installer.
  10. Added variable expansion in command output monitoring.
  11. Fixed several Windows installer bugs.

And a lot more. Check the full change log here.

Download the new version from http://www.ossec.net/main/downloads

*Special thanks to Jeremy Rossi, Dan Parriott, Scott R. Shinn and Michael Starks for the many contributions, patches and tests.

OSSEC v2.4 released

Directly from: http://www.ossec.net/main/ossec-v24-released:

The OSSEC team is very happy to announce the general availability of OSSEC version 2.4.

What is new? We have lots of new features and bug fixes, but these are the main changes:

  1. Added daily email summaries/reports. (more info)
  2. Added option to alert when a log or command output changes – check_diff. (more info)
  3. Added rules to ignore crawlers causing 404s (MSN, Google, Yahoo, etc).
  4. Improved ossec-logtest to be used for the forensic analysis of log files (more info)
  5. Added support for Microsoft Security Essentials logs.

And a few important bug fixes:

  • Fixed a memory leak on the Windows agent that was not properly closing its sockets. It would cause port exhaustion if the manager became unavailable for a long period of time.
  • Fixed performance issue when the FTS queue was too large.

Check out our v2.4 changelog for the complete list of new features and bugs fixed.

Download the new version from http://www.ossec.net/main/downloads

Site down last night

Thanks to everyone who sent notes that our site was down last night. We were switching servers and not everything got migrated in time. I was happy that Sucuri notified me in time:

Modifications:
%WARN: Size reduced by more than 50%. – Previous size: 2761. Current size: 984 (in bytes)
%INFO: Server setting changes – > <title>WordPress › Error
%ERROR: Error establishing a database connection
Changes follow:

14,20c14
< <title>
< Welcome to the Home of OSSEC
..
> Error establishing a database connection

They have a nice solution that does integrity checking on web sites, domains, etc. That was the other alert I got:

Sucuri nbim: http://www.ossec.net DNS modified

Modifications:
5d4
< ossec.net has address 75.126.x.z
> ossec.net has address 74.86.x.z

OSSEC v2.4 BETA available

OSSEC v2.4 BETA is available and we need testers. You can find more information about it and new features in here:

http://www.ossec.net/wiki/Dev:BetaTesting

If you ever wanted to contribute to OSSEC (or to any open source project), that’s the easiest way to get involved. Just download the BETA, check that everything still works, try out some of the new features if you have time, and let us know how it goes. You can submit your feedback here, via the wiki, on the mailing list or personally to me via email.


We appreciate any feedback.

Detecting USB Storage Usage with OSSEC

Xavier wrote a very interesting article on Detecting USB Storage Usage with OSSEC. He used our policy auditing module for that, but I think USB monitoring can be done in a much easier way with our new check_diff feature. You need our latest snapshot for it to work (or wait until v2.4 is out).

To get started, first configure your Windows agents to monitor the USBSTOR registry key with the reg command. Note the full_command log format: it hands the whole output to the manager as a single event, which is what check_diff needs in order to compare it with the previous run:

<agent_config os="windows">
  <localfile>
    <log_format>full_command</log_format>
    <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
  </localfile>
</agent_config>

Next, create a local rule for that command:

<rule id="140125" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'reg QUERY</match>
  <check_diff />
  <description>New USB device connected</description>
</rule>

Now, after a few minutes, you will see a directory at /var/ossec/queue/diff/[agent_name]/[rule_id] with the current snapshot of this command’s output. Once someone adds a new USB device, you will get this alert:

** Alert 1268687754.35062: mail  - local,syslog,
2010 Mar 15 18:15:54 (xx-netbook) any->reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
Rule: 140125 (level 7) -> 'New USB device connected'
Src IP: (none)
User: (none)
ossec: output: 'reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR': ! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_&Prod_USB_Flash_Memory&Rev_5.00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Hitachi&Prod_HTS543225L9A300&Rev_
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_LEXAR&Prod_JD_FIREFLY&Rev_1100
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SAMSUNG&Prod_HM160JC&Rev_0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Sony&Prod_DSC&Rev_1.00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_TomTom&Prod_ONE_XXL_IQ_Rts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_USB_2.0&Prod_USB_Flash_Drive&Rev_0.00

Previous output:

ossec: output: 'reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR':
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_&Prod_USB_Flash_Memory&Rev_5.00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Hitachi&Prod_HTS543225L9A300&Rev_
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SAMSUNG&Prod_HM160JC&Rev_0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Sony&Prod_DSC&Rev_1.00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_TomTom&Prod_ONE_XXL_IQ_Rts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_USB_2.0&Prod_USB_Flash_Drive&R

I think we can expand this to create all sorts of nice rules…
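As one such expansion, here is an added example in Python (my code, not OSSEC's check_diff implementation and not part of the original post) that emulates what check_diff does with a full_command event: it stores the previous reg QUERY output per agent and rule, compares the next output against it and, rather than alerting on any change as rule 140125 does, extracts only the USBSTOR keys that appeared and splits them into vendor, product and revision. The reg.exe output is constructed after the alert above (a no-name flash device and a Samsung disk, then a LEXAR key appearing); DiffStore, new_usb_devices and the other names are assumptions made for the example.

```python
import re

# Constructed reg.exe output modelled on the alert above, not captured from
# a real host.  full_command hands OSSEC the whole output as one event, which
# is what check_diff compares against the stored snapshot.
PREVIOUS_OUTPUT = r"""! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_&Prod_USB_Flash_Memory&Rev_5.00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SAMSUNG&Prod_HM160JC&Rev_0000"""

CURRENT_OUTPUT = r"""! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_&Prod_USB_Flash_Memory&Rev_5.00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_LEXAR&Prod_JD_FIREFLY&Rev_1100
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SAMSUNG&Prod_HM160JC&Rev_0000"""

# One USBSTOR enumeration key: Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>.
USBSTOR_KEY = re.compile(r"\\USBSTOR\\Disk&Ven_([^&]*)&Prod_([^&]*)&Rev_(.*)$")


class DiffStore:
    """Stand-in for /var/ossec/queue/diff/<agent>/<rule_id>: one stored
    snapshot per (agent, rule)."""

    def __init__(self):
        self.snapshots = {}

    def check_diff(self, agent, rule_id, output):
        """Return None when nothing changed (or on the first run, which only
        stores the snapshot); otherwise the lines added and removed."""
        key = (agent, rule_id)
        previous = self.snapshots.get(key)
        self.snapshots[key] = output
        if previous is None or previous == output:
            return None
        old_lines = set(previous.splitlines())
        new_lines = set(output.splitlines())
        return {
            "added": [l for l in output.splitlines() if l not in old_lines],
            "removed": [l for l in previous.splitlines() if l not in new_lines],
        }


def parse_usbstor_key(line):
    """Split a USBSTOR key into vendor/product/revision.  Vendor and revision
    may be empty, as in the Ven_&Prod_USB_Flash_Memory entry on this page."""
    m = USBSTOR_KEY.search(line)
    if not m:
        return None
    return {"vendor": m.group(1), "product": m.group(2), "revision": m.group(3)}


def new_usb_devices(store, agent, rule_id, output):
    """Rule 140125 fires on any change; this narrows it to the USBSTOR keys
    that appeared, ignoring the reg.exe banner and removed keys."""
    diff = store.check_diff(agent, rule_id, output)
    if diff is None:
        return []
    devices = [parse_usbstor_key(line) for line in diff["added"]]
    return [d for d in devices if d is not None]


def demo():
    """Three polls of the same agent: snapshot only, no change, one new key."""
    store = DiffStore()
    first = new_usb_devices(store, "xx-netbook", 140125, PREVIOUS_OUTPUT)
    second = new_usb_devices(store, "xx-netbook", 140125, PREVIOUS_OUTPUT)
    third = new_usb_devices(store, "xx-netbook", 140125, CURRENT_OUTPUT)
    return first, second, third


if __name__ == "__main__":
    for run in demo():
        print(run)
```

Two things worth knowing when you tune this. USBSTOR entries stay in the registry after the device is unplugged, so the alert means “a device this host has never seen before was connected”, not “a device is connected now”; a key disappearing (someone cleaning the registry) shows up in the removed list instead. And because check_diff compares the whole output, any other change in it fires the page's rule too; narrowing to the added keys as above keeps that noise out.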