Alerting when a log or output of a command changes

If you want to create alerts when a log or the output of a command changes, take a look at the new <check_diff /> option in the rules (available on the latest snapshot).

To demonstrate with an example, we will create a rule to alert when there is a new port open in listening mode on our server.

First, we configure OSSEC to run the ‘netstat -tan |grep LISTEN’ command by adding the following to ossec.conf:

<localfile>
  <log_format>full_command</log_format>
  <command>netstat -tan |grep LISTEN|grep -v 127.0.0.1</command>
</localfile>

After that, I add a rule to alert when its output changes:

<rule id="140123" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'netstat -tan |grep LISTEN</match>
  <check_diff />
  <description>Listened ports have changed.</description>
</rule>

Note that we use the <check_diff /> option. The first time the rule receives the event, it stores the output in an internal database. Every time it receives the same event again, it compares the new output against what was stored and only alerts if the output has changed.

In our example, after configuring OSSEC, I started netcat to listen on port 23456 and that’s the alert I got:

OSSEC HIDS Notification.
2010 Mar 11 19:56:30

Received From: XYZ->netstat -tan |grep LISTEN|grep -v 127.0.0.1
Rule: 140123 fired (level 7) -> "Listened ports have changed."
Portion of the log(s):

ossec: output: 'netstat -tan |grep LISTEN|grep -v 127.0.0.1':
tcp4       0      0 *.23456           *.*               LISTEN
tcp4       0      0 *.3306            *.*               LISTEN
tcp4       0      0 *.25              *.*               LISTEN
Previous output:
ossec: output: 'netstat -tan |grep LISTEN|grep -v 127.0.0.1':
tcp4       0      0 *.3306            *.*               LISTEN
tcp4       0      0 *.25              *.*               LISTEN

What do you think? We can probably extend this idea to create very interesting rules…
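As an added example (not code from this post or from OSSEC itself), here is the <check_diff /> behaviour described above modelled in Python: the last output is stored per rule id and location, an alert is returned only when a later output differs, and the two netstat outputs are compared to name the listening sockets that appeared or disappeared. The sample outputs are constructed; the rule id and location string are taken from the alert shown above.

```python
import re

# Constructed sample outputs, as OSSEC logs them: an "ossec: output: '...':" header
# followed by the command's lines. The second run adds the netcat listener on 23456.
RUN_1 = """ossec: output: 'netstat -tan |grep LISTEN|grep -v 127.0.0.1':
tcp4       0      0 *.3306            *.*               LISTEN
tcp4       0      0 *.25              *.*               LISTEN"""
RUN_2 = """ossec: output: 'netstat -tan |grep LISTEN|grep -v 127.0.0.1':
tcp4       0      0 *.23456           *.*               LISTEN
tcp4       0      0 *.3306            *.*               LISTEN
tcp4       0      0 *.25              *.*               LISTEN"""

class CheckDiff:
    """Keeps the last seen output per (rule id, location) and reports only changes:
    the first event is stored silently, later events alert only when the output
    differs from the stored copy, and both versions are handed back for the alert."""
    def __init__(self):
        self._last = {}   # (rule_id, location) -> last output text

    def process(self, rule_id, location, output):
        key = (rule_id, location)
        previous = self._last.get(key)
        self._last[key] = output
        if previous is None or previous == output:
            return None            # first sighting, or unchanged: no alert
        return {"previous": previous, "current": output}

# proto, recv-q, send-q, local address, foreign address, state
_LISTEN_RE = re.compile(r"^\S+\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN$", re.M)

def listening_sockets(output):
    """Extract the local-address column of every LISTEN line in a netstat dump."""
    return set(_LISTEN_RE.findall(output))

def describe_change(alert):
    """Turn a check_diff alert into the sockets that were opened and closed."""
    before = listening_sockets(alert["previous"])
    after = listening_sockets(alert["current"])
    return {"opened": sorted(after - before), "closed": sorted(before - after)}

def demo():
    cd = CheckDiff()
    loc = "XYZ->netstat -tan |grep LISTEN|grep -v 127.0.0.1"
    first = cd.process(140123, loc, RUN_1)      # stored, no alert
    same = cd.process(140123, loc, RUN_1)       # unchanged, no alert
    alert = cd.process(140123, loc, RUN_2)      # changed: alert with both outputs
    return first, same, describe_change(alert)
```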

Daily email reports

If you want to receive daily email reports (summaries) of your OSSEC alerts, you will like this new feature.

First, start off by downloading the latest snapshot: http://www.ossec.net/files/snapshots/ (get the latest file from there).

Then you will be able to use the “reports” option to configure which alerts you want to receive summarized at the end of the day (instead of in real time). You can use the following options:

group: Filter by group
categories: Filter by group (alias for the above)
rule: Filter by rule id
level: Filter by severity
location: Filter by the log location or agent name
srcip: Filter by a source IP
user: Filter by a user name

You can also use the same options with type="relation" specified to get the relation between fields. For example, <srcip type="relation">user</srcip> will get you a list of users per source IP.

Every report must have a <title> specified and as many <email_to> entries as you want.

Example 1: Receive a summary of all authentication successes:

<ossec_config>
<reports>
<category>authentication_success</category>
<user type="relation">srcip</user>
<title>Daily report: Successful logins</title>
<email_to>me@myemail.com</email_to>
</reports>
</ossec_config>

Example 2: Receive a summary of all file integrity monitoring (syscheck) alerts:

<ossec_config>
<reports>
<category>syscheck</category>
<title>Daily report: File changes</title>
<email_to>me@myemail.com</email_to>
</reports>
</ossec_config>

Please try it out and let us know if you have suggestions or find any bugs…

Community Update

Directly from: http://www.ossec.net/main/community-updates:

The OSSEC community is on fire lately! We are very happy to see everyone talking and presenting about OSSEC. These are some of the newest updates from our community:

Wim Remes spoke about OSSEC at the FOSDEM conference. The video of his presentation is on YouTube:

Iñaki Rodríguez from virtualminds.es gave a web meeting about OSSEC in Spanish. Slides in PDF:
http://www.virtualminds.es/uploads/charlas/ossec-slides.pdf

Wim Remes (yes, him again) wrote about OSSEC for [IN]SECURE Magazine (February 2010 edition):
http://www.net-security.org/insecuremag.php

Michael Starks from immutablesecurity.com posted a few interesting blog posts about OSSEC:

Using OSSEC for Encrypted Log Transport
Detecting Sensitive Info with OSSEC

Have you written something about OSSEC? Please let us know and we will add it here.

Using OSSEC for the forensic analysis of log files

OSSEC works well for real-time analysis of log files. However, if you have an old log file that you want to check, or if you are doing a forensic analysis of a box and want to check its logs with OSSEC, we now have a solution for that too.

*The feature mentioned here is only available in the latest snapshots.

Let’s say you have a file /var/log/secure that you want to analyze with OSSEC. You need to use the ossec-logtest tool with the “-a” flag to reproduce the alerts:

# cat /var/log/secure | /var/ossec/bin/ossec-logtest -a

** Alert 1264788284.11: - syslog,sshd,authentication_success,
2010 Jan 29 14:04:44 enigma->stdin
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: a.b.2.15
User: dcid
Jan 15 10:25:01 enigma sshd[17594]: Accepted password for dcid from a.b.2.15 port 47526 ssh2

** Alert 1264788284.12: - syslog,sshd,authentication_success,
2010 Jan 29 14:04:44 enigma->stdin
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 127.0.0.1
User: dcid
Jan 15 11:19:20 enigma sshd[18853]: Accepted publickey for dcid from 127.0.0.1 port 6725 ssh2

You will get the alerts just like you would at /var/ossec/logs/alerts.log. The benefit now is that you can pipe this output to ossec-reported to get a better view of what is going on:

# cat /var/log/secure | /var/ossec/bin/ossec-logtest -a |/var/ossec/bin/ossec-reported
Report completed. ==
————————————————
->Processed alerts: 522
->Post-filtering alerts: 522

Top entries for 'Source ip':
————————————————
89.200.169.170 |41 |
127.0.0.1 |33 |
83.170.106.142 |20 |
204.232.206.109 |16 |
..

Top entries for 'Username':
————————————————
root |247 |

Top entries for 'Level':
————————————————
Severity 5 |406 |
Severity 3 |41 |
Severity 10 |32 |

Top entries for 'Group':
————————————————
syslog |522 |
sshd |509 |
authentication_failed |369 |
invalid_login |146 |

Top entries for 'Rule':
————————————————
5716 - SSHD authentication failed. |223 |
5710 - Attempt to login using a non-existent.. |146 |
5715 - SSHD authentication success. |41 |
5702 - Reverse lookup error (bad ISP or atta.. |37 |

To get a report of, for example, all the brute force attacks that scanned my box:

# cat /var/log/secure | /var/ossec/bin/ossec-logtest -a |/var/ossec/bin/ossec-reported -f group authentication_failures

Report completed. ==
————————————————
->Processed alerts: 522
->Post-filtering alerts: 25

Top entries for 'Source ip':
————————————————
83.170.106.142 |2 |
89.200.169.170 |2 |
114.255.100.163 |1 |
117.135.138.183 |1 |
124.205.62.36 |1 |
173.45.108.230 |1 |
200.182.99.59 |1 |
202.63.160.50 |1 |
210.21.225.202 |1 |
211.151.64.220 |1 |
213.229.70.12 |1 |
218.30.19.48 |1 |
221.12.12.3 |1 |
59.3.239.114 |1 |
61.168.227.12 |1 |
61.233.42.47 |1 |
67.43.61.80 |1 |
72.52.75.228 |1 |
77.245.148.196 |1 |
79.125.35.214 |1 |
85.21.83.170 |1 |
92.240.75.6 |1 |
94.198.49.185 |1 |

Top entries for 'Username':
————————————————
root |24 |

Top entries for 'Level':
————————————————
Severity 10 |25 |

Top entries for 'Group':
————————————————
authentication_failures |25 |
sshd |25 |
syslog |25 |

Top entries for 'Location':
————————————————
enigma->stdin |25 |

Top entries for 'Rule':
————————————————
5720 - Multiple SSHD authentication failures. |24 |
5712 - SSHD brute force trying to get access.. |1 |
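As an added example, not part of this post or of the OSSEC tools, here is a small Python parser for the alert format that ossec-logtest -a prints, together with a counter that reproduces the per-field "Top entries" tallies and the "-f group <name>" filter used above. The two sample alerts are constructed with made-up addresses.

```python
import re
from collections import Counter

# Constructed sample in the format ossec-logtest -a prints (two alerts, made-up addresses)
SAMPLE = """** Alert 1264788284.11: - syslog,sshd,authentication_success,
2010 Jan 29 14:04:44 enigma->stdin
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 10.0.2.15
User: dcid
Jan 15 10:25:01 enigma sshd[17594]: Accepted password for dcid from 10.0.2.15 port 47526 ssh2

** Alert 1264788284.12: - syslog,sshd,authentication_failed,
2010 Jan 29 14:04:45 enigma->stdin
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.2.99
User: root
Jan 15 11:20:07 enigma sshd[18901]: Failed password for root from 10.0.2.99 port 40001 ssh2
"""

_HEADER = re.compile(r"^\*\* Alert \S+ - (?P<groups>\S*)$")
_RULE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

def parse_alerts(text):
    """Turn alerts.log-style text into dicts: groups, rule, level, location, srcip, user."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if len(lines) < 5:
            continue            # not a complete alert record
        head, rule = _HEADER.match(lines[0]), _RULE.match(lines[2])
        if not head or not rule:
            continue            # skip anything that is not a well-formed alert
        a = {"groups": [g for g in head["groups"].split(",") if g],
             "rule": f"{rule['id']} - {rule['desc']}", "level": int(rule["level"]),
             "location": lines[1].split(" ", 4)[4]}       # text after the timestamp
        for line in lines[3:5]:                           # "Src IP: x" and "User: y"
            field, _, value = line.partition(": ")
            a[field.lower().replace(" ", "")] = value
        alerts.append(a)
    return alerts

def report(alerts, filter_field=None, filter_value=None):
    """Mimic ossec-reported: apply an optional '-f field value' filter, then count top entries."""
    if filter_field == "group":
        alerts = [a for a in alerts if filter_value in a["groups"]]
    elif filter_field:
        alerts = [a for a in alerts if str(a.get(filter_field)) == filter_value]
    top = {f: Counter(a[f] for a in alerts) for f in ("srcip", "user", "level", "location", "rule")}
    top["group"] = Counter(g for a in alerts for g in a["groups"])
    return len(alerts), top
```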

Thanks!

Process monitoring with OSSEC

OSSEC v2.3 was just released, and one feature that really interested me was process monitoring. This is what the OSSEC team says about it:

“We love logs. Inside OSSEC we treat everything as if it was a log and parse it appropriately with our rules. However, some information is not available in log files but we still want to monitor them. To solve that gap, we added the ability to monitor the output of commands via OSSEC and treat those just like they were log files.”

Basically, it allows you to monitor the output of any command and generate alerts/active responses from them.

Cool, let’s try it out. First, let’s monitor the output of “httpd status” to receive alerts if Apache ever goes down. I added the following command to my ossec.conf and the following rule to my local_rules.xml:

<localfile>
  <log_format>command</log_format>
  <command>/etc/init.d/httpd status</command>
</localfile>

<rule id="100200" level="10">
  <if_sid>530</if_sid>
  <match>ossec: output: '/etc/init.d/httpd status':</match>
  <regex>is stopped</regex>
  <description>Apache STOPPED.</description>
</rule>

Now, if I manually stop Apache to try it out, I get this via email within a few seconds:

2009 Dec 08 10:45:04 (sucuri) xx->/etc/init.d/httpd status
Rule: 100200 (level 10) -> 'Apache STOPPED.'
Src IP: (none)
User: (none)
ossec: output: '/etc/init.d/httpd status': httpd is stopped

Perfect! Now I can have all my monitoring in just one tool… The next step is to create an active response to restart the service on failure.

OSSEC v2.3 released

Directly from http://www.ossec.net/main/ossec-v23-released:

What is new?

  1. Log analysis rules for the Nginx web server
  2. Log analysis rules for Suhosin (Hardened PHP)
  3. Support for real time file integrity monitoring on Windows systems
  4. Support for monitoring the output of commands (process monitoring)
  5. And a lot more…

Check out our v2.3 changelog for the complete list of new features and bugs fixed.

Download the new version from http://www.ossec.net/main/downloads

*Special thanks to our contributors Jeremy Rossi, Fabio Paracchini and Michael Starks and our beta testers Dan Parriott, Michael Starks, Timo Vehvilainen and Jeremy Rossi.

OSSEC In the Enterprise Presentation Available

Michael Starks from Immutable Security just released his presentation “OSSEC in the Enterprise” (with more than 100 slides). It is very technical and highly recommended for everyone interested in learning more about OSSEC.

Link: OSSEC Presentation Available

Direct download: ossec_in_the_enterprise-2009-mstarks.pdf

OSSEC Survey & get a free shirt!

Directly from the ossec site:

OSSEC Usage Survey (& get a free OSSEC shirt!)

We need your help. In an effort to better understand how the OSSEC project is being used and look for ways to improve OSSEC moving forward, Trend Micro would like you to participate in a brief survey. Why is this coming from Trend Micro? The OSSEC project has been around since 2003. It was acquired by Third Brigade in 2008, and then Third Brigade was acquired by Trend Micro in 2009.

The first 500 OSSEC users to respond to this survey can provide their contact information to obtain a stylish OSSEC T-shirt that Trend Micro is happy to provide as a token of our thanks, and appreciation for your support of the OSSEC project. (Note: shirts available in Europe, Canada & the US for logistical reasons).

Please visit the following URL to start the 5 minute survey:
http://www.zoomerang.com/Survey/?p=WEB229VJE8AWP8

Thank you in advance for your participation and ongoing support!

Learning OSSEC’s agentless monitoring

JD McCloud from Praetorian Prefect wrote two articles that explain very well how the agentless monitoring works on OSSEC.

The first one, OSSEC: Agentless to save the day, explains how to set up and use agentless monitoring to monitor any remote device via SSH.

The second one, OSSEC: Agentless scripts, goes a bit deeper and explains how they work internally and how you can make your own scripts for agentless monitoring.

Recommended reading for every OSSEC user.