Justin C. Klein Keane
University of Pennsylvania, School of Arts & Sciences
Information Security and Unix Systems
Solutions
OSSEC is a service you can utilize internally or offer to your stakeholders
OSSEC allows you to extend your security impact
Presentation Format
Top down
- Definitions
- How OSSEC works
- Customization
Our Implementation
- Logistics and considerations
- Resources
About OSSEC
Open source host-based intrusion detection system (HIDS)
Written by Daniel Cid, who continues to participate
Pronunciation varies
Acquired by Third Brigade in 2008, which was then acquired by Trend Micro in 2009
What is an IDS?
Advantages of HIDS
If your HIDS detected the traffic, it was definitely received and parsed by the target host; a network sensor can only infer that
Disadvantages of HIDS
Blind spots:
- If it isn't logged, or stored on the filesystem, it's invisible
- Unable to parse unknown or unlogged traffic
- Can't evaluate egress
- Can't spot probes that don't hit active services
Advantages of NIDS
Disadvantages of NIDS
Rootkit detection
Three installation modes
- Local (standalone host), client (agent), server (manager)
OSSEC Configuration
OSSEC is configured in two main areas:
- Server configuration: global settings applied to all hosts
- Client configuration: options specific to a certain machine
Logs specified on the client are collected and sent to the manager for analysis
Mail logs
OSSEC Decoders
OSSEC uses decoders to parse each log line into named fields (program name, source IP, user, URL, and so on) that rules can then test
OSSEC Rules
OSSEC rules are stored as XML files
Rule Format
Rules are assigned severity levels from 0 (ignored) to 15 (highest). Rules trigger based on:
- Pattern matching in strings
- Hostnames
- Applications (program names)
Justin C. Klein Keane <jukeane@sas.upenn.edu>
OSSEC Alerts
Default settings include alerting on:
- Web attacks
- SSH brute force
- Buffer overflows and program crashes
- Firewall events
- Users using sudo
- Many more...
Alert Behavior
When a rule triggers an alert, several actions can be configured:
- Logging (to alerts.log or MySQL) is the default behavior
- Alerts at or above a threshold level also trigger email; the default threshold (email_alert_level) is 7
Typical Alert
OSSEC HIDS Notification.
2010 Aug 04 12:10:08

Received From: webdev->/var/log/httpd/access_log
Rule: 31106 fired (level 12) -> "A web attack returned code 200 (success)."
Portion of the log(s):

172.16.46.1 - - [04/Aug/2010:12:10:07 -0400] "GET /drupal4.7.11/?q=user/autocomplete/%3Cscript%3Ealert(%27title%27)%3B%3C%2Fscript%3E HTTP/1.1" 200 140 "http://172.16.46.129/drupal-4.7.11/?q=node/add/page" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.11) Gecko/20100723 Fedora/3.5.11-1.fc12 Firefox/3.5.11"
Active Response
Runs a script (for example the bundled firewall-drop script, which blocks the alert's source IP) when a matching alert fires
Whitelisted addresses are never acted on, which prevents self denial of service
Active response can run on the agent that produced the alert, on the server, or on all agents
Generating Reports
OSSEC can also log to a database so that SQL can be used for reporting
Custom scripts can be used to parse alert logs
OSSEC can detect events in custom application logs and trigger custom active response scripts
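The alerts.log parser below is an added example written for this page; it is not code from the slides and not OSSEC's own tooling. It does what the "custom scripts" bullet describes: read the on-disk records that the Typical Alert email shown earlier is built from, pull out rule, level, source and log portion, and produce the counts a reporting script would print. The three records are constructed for the example (hosts, times and addresses are made up, the web-attack record reuses the slide's access-log line with a shortened user agent); the record layout is how alerts.log appears in this editor's installations and should be checked against your own file before the regexes are trusted.

```python
"""Added example, not from the slides and not OSSEC's own code: a parser for
OSSEC alerts.log records plus the summary a custom reporting script would
build from them.  Sample records are constructed; the layout is an assumption
about alerts.log and should be verified against a real installation."""
import re
from collections import Counter

SAMPLE_ALERTS = """\
** Alert 1280938208.2836: mail  - web,accesslog,attack,
2010 Aug 04 12:10:08 (webdev) 172.16.46.129->/var/log/httpd/access_log
Rule: 31106 (level 12) -> 'A web attack returned code 200 (success).'
Src IP: 172.16.46.1
172.16.46.1 - - [04/Aug/2010:12:10:07 -0400] "GET /drupal4.7.11/?q=user/autocomplete/%3Cscript%3Ealert(%27title%27)%3B%3C%2Fscript%3E HTTP/1.1" 200 140 "-" "Mozilla/5.0"

** Alert 1280938300.2901: - syslog,sudo
2010 Aug 04 12:11:40 (webdev) 172.16.46.129->/var/log/secure
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
User: jukeane
Aug  4 12:11:39 webdev sudo:  jukeane : TTY=pts/0 ; PWD=/home/jukeane ; USER=root ; COMMAND=/bin/ls

** Alert 1280938400.3020: mail  - syslog,sshd,authentication_failures,
2010 Aug 04 12:13:20 (webdev) 172.16.46.129->/var/log/secure
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 203.0.113.7
Aug  4 12:13:19 webdev sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
"""

# "** Alert <epoch>.<seq>: [mail ] - <group>,<group>,"
HEADER_RE = re.compile(r"^\*\* Alert (?P<epoch>\d+)\.(?P<seq>\d+):\s*(?P<mail>mail)?\s*- (?P<groups>.*)$")
# "<date> (<agent>) <agent ip>-><log location>"  or  "<date> <host>-><log location>"
ORIGIN_RE = re.compile(r"^(?P<date>\d{4} \w{3} \d\d \d\d:\d\d:\d\d) "
                       r"(?:\((?P<agent>[^)]*)\) [^\s>]+|(?P<host>[^\s>]+))->(?P<location>.*)$")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

def parse_alerts(text):
    """Split alerts.log text into one dict per alert record."""
    alerts, cur = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            cur = {"epoch": int(h["epoch"]), "seq": int(h["seq"]),
                   "mailed": h["mail"] is not None,
                   "groups": [g for g in h["groups"].split(",") if g],
                   "srcip": None, "user": None, "log": []}
            alerts.append(cur)
            continue
        if cur is None or not line.strip():
            continue          # text before the first record, or a record separator
        o = ORIGIN_RE.match(line)
        if o and "date" not in cur:
            cur.update(date=o["date"], agent=o["agent"] or o["host"], location=o["location"])
            continue
        r = RULE_RE.match(line)
        if r and "rule" not in cur:
            cur.update(rule=int(r["rule"]), level=int(r["level"]), description=r["desc"])
            continue
        if line.startswith("Src IP: "):
            cur["srcip"] = line[8:].strip()
        elif line.startswith("User: "):
            cur["user"] = line[6:].strip()
        else:
            cur["log"].append(line)   # the "portion of the log" that fired the rule
    return alerts

def summarize(alerts, email_level=7):
    """Counts a reporting script would print; email_level is OSSEC's default 7."""
    return {
        "by_rule": Counter(a["rule"] for a in alerts),
        "top_sources": Counter(a["srcip"] for a in alerts if a["srcip"]).most_common(5),
        "needs_attention": [a["rule"] for a in alerts if a["level"] >= email_level],
        # Sanity check on the mail threshold: every alert at or above the level
        # should carry the 'mail' marker in its header, and none below it.
        "mail_flag_consistent": all(a["mailed"] == (a["level"] >= email_level)
                                    for a in alerts),
    }

if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in parsed:
        print(a["date"], a["agent"], a["rule"], a["level"], a["srcip"] or a["user"])
    print(summarize(parsed))
```

Point the script at a real file with parse_alerts(open("/var/opt/ossec/logs/alerts/alerts.log").read()) (path is the usual install location, adjust to yours). The mail_flag_consistent check is cheap and catches a common misconfiguration: an email_alert_level that differs from what the reporting assumes.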
Case Study
Penn makes heavy use of the open source Drupal content management system
Drupal is a complex web application
Some attacks are easy to spot via Apache logs; application-level events only show up in Drupal's own logs
Drupal Logging
Drupal 6 includes a syslog module that writes logs to standard syslog
Fields are base_url|timestamp|type|ip|request_uri|referer|uid|link|message, for example:
Aug 2 16:00:48 webdev drupal: 172.16.46.129 http://172.16.46.129/drupal6.16|1280779248|update|172.16.46.1|http://172.16.46.129/drupal6.16/admin/reports/updates/check?destination=admin%2Fbuild%2Fmodules|http://172.16.46.129/drupal6.16/admin/build/modules|1|view|Unable to fetch any information about available new releases and updates.
Custom Rules
These rules reference a decoder named drupal, which is not shown on the slides and must be defined separately; a program_name decoder on the syslog tag "drupal" is enough here, because <match> is a plain substring test against the log message, not a regex. Rule 1002 in the <if_sid> list is OSSEC's built-in "bad words" catch-all rule.
  <group name="drupal,">  <!-- group wrapper added here: OSSEC rule files require one, the slide shows only the rules -->
    <rule id="104110" level="3">
      <decoded_as>drupal</decoded_as>
      <description>Drupal syslog message</description>
    </rule>
    <rule id="104120" level="6">
      <if_sid>104110,1002</if_sid>
      <match>Login attempt failed</match>
      <description>Drupal failed login!</description>
    </rule>
    <rule id="104225" level="11">
      <if_sid>104120</if_sid>
      <match>Login attempt failed for administrator.</match>
      <description>Drupal failed attempt to log in as administrator!</description>
    </rule>
    <rule id="104130" level="10" frequency="4" timeframe="360">
      <if_matched_sid>104120</if_matched_sid>
      <description>Possible Drupal brute force attack </description>
      <description>(high number of logins).</description>
    </rule>
  </group>
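The Python below is an added example written for this page, not code from the slides and not OSSEC's own engine. It models what the Drupal rules above do inside OSSEC, and also illustrates the earlier OSSEC Decoders and Rule Format slides: the decoder splits the syslog line into the named fields of the Drupal 6 layout, <if_sid> and <match> form a rule tree in which the deepest matching rule wins, and <frequency>/<timeframe> counts earlier alerts of the parent rule inside a sliding window. The slide's update-check line is reused as-is; the failed-login lines, the hosts 10.0.0.5 and 10.0.0.6 and the user names are constructed. The model counts the current event plus the earlier ones, so four failures inside 360 seconds fire 104130; real OSSEC documents that a frequency rule fires after frequency+2 matches and offers an ignore option to suppress repeat firings, so confirm the exact behaviour of your rules with ossec-logtest. Two things the run shows that the XML alone does not: an administrator failure ends at rule 104225, so in this model it does not count toward the brute-force rule, and because the slide's rule has no <same_source_ip/>, failures from different addresses are pooled.

```python
"""Added example, not OSSEC's own code: a Python model of how the Drupal rules
above run inside OSSEC, covering the decoder (split a syslog line into fields),
the <if_sid>/<match> rule tree, <frequency>/<timeframe> correlation and the
email threshold.  Sample lines, hosts and addresses are constructed."""
import re
from dataclasses import dataclass

# Decoder: syslog envelope, then the Drupal 6 '|'-separated body in the field
# order of the slide's sample line.
SYSLOG_RE = re.compile(r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+(?P<host>\S+)\s+"
                       r"(?P<program>[^:\s]+):\s+(?P<msg>.*)$")
DRUPAL_FIELDS = ("base_url", "timestamp", "type", "srcip", "request_uri",
                 "referer", "uid", "link", "message")

def decode(line):
    """Return decoded fields, or None if the line is not syslog at all."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = {"hostname": m["host"], "decoded_as": None, "full_log": line}
    if m["program"] == "drupal":
        body = m["msg"].partition(" ")[2]   # skip the address token before base_url
        parts = body.split("|", len(DRUPAL_FIELDS) - 1)
        if len(parts) == len(DRUPAL_FIELDS):
            fields.update(zip(DRUPAL_FIELDS, parts), decoded_as="drupal")
    return fields

@dataclass(frozen=True)
class Rule:   # attributes mirror the XML attributes/elements of the same name
    id: int
    level: int
    description: str
    decoded_as: str = ""
    if_sid: tuple = ()          # parent rules this one refines
    match: str = ""             # plain substring test, not a regex
    if_matched_sid: int = 0     # used together with frequency/timeframe
    frequency: int = 0
    timeframe: int = 0

RULES = (   # transcribed from the XML above
    Rule(104110, 3, "Drupal syslog message", decoded_as="drupal"),
    Rule(104120, 6, "Drupal failed login!", if_sid=(104110, 1002),
         match="Login attempt failed"),
    Rule(104225, 11, "Drupal failed attempt to log in as administrator!",
         if_sid=(104120,), match="Login attempt failed for administrator."),
    Rule(104130, 10, "Possible Drupal brute force attack (high number of logins).",
         if_matched_sid=104120, frequency=4, timeframe=360),
)

class Engine:
    def __init__(self, rules=RULES, email_level=7):   # 7 is OSSEC's default
        self.rules, self.email_level = rules, email_level
        self.fired = []   # (event time, rule id) of every alert raised so far

    def _deepest(self, rule, log):
        # Descend through <if_sid> children; the deepest matching rule wins.
        for child in self.rules:
            if rule.id in child.if_sid and (not child.match or child.match in log):
                return self._deepest(child, log)
        return rule

    def process(self, line):
        f = decode(line)
        if not f or not f["decoded_as"]:
            return None
        root = next(r for r in self.rules if r.decoded_as == f["decoded_as"])
        final = self._deepest(root, f["full_log"])
        now = int(f["timestamp"])   # Drupal's own epoch field drives the window
        self.fired.append((now, final.id))
        # Correlation: fire once 'frequency' alerts of the parent rule occurred
        # within 'timeframe' seconds; no <same_source_ip/>, so any address counts.
        for fr in self.rules:
            if fr.if_matched_sid == final.id and fr.frequency:
                recent = [t for t, rid in self.fired
                          if rid == fr.if_matched_sid and now - t <= fr.timeframe]
                if len(recent) >= fr.frequency:
                    final = fr
        return {"rule": final.id, "level": final.level, "srcip": f.get("srcip"),
                "email": final.level >= self.email_level}

SLIDE_LINE = ("Aug  2 16:00:48 webdev drupal: 172.16.46.129 http://172.16.46.129/drupal6.16"
              "|1280779248|update|172.16.46.1|http://172.16.46.129/drupal6.16/admin/reports"
              "/updates/check|http://172.16.46.129/drupal6.16/admin/build/modules|1|view|"
              "Unable to fetch any information about available new releases and updates.")

def failed_login(epoch, srcip, user):
    """Constructed Drupal 6 'user' syslog line for a failed login."""
    return (f"Aug  2 16:01:00 webdev drupal: 172.16.46.129 http://172.16.46.129/drupal6.16"
            f"|{epoch}|user|{srcip}|http://172.16.46.129/drupal6.16/user||0||"
            f"Login attempt failed for {user}.")

def run_sample():
    t0 = 1280779248
    lines = [
        SLIDE_LINE,                                           # 104110, level 3
        failed_login(t0 + 60, "10.0.0.5", "bob"),             # 104120, 1st failure
        failed_login(t0 + 120, "10.0.0.5", "bob"),            # 104120, 2nd
        failed_login(t0 + 180, "10.0.0.5", "administrator"),  # 104225, level 11
        failed_login(t0 + 240, "10.0.0.6", "alice"),          # 104120, 3rd
        failed_login(t0 + 300, "10.0.0.5", "bob"),            # 4th in 360 s: 104130
        failed_login(t0 + 661, "10.0.0.5", "bob"),            # window expired: 104120
    ]
    return list(map(Engine().process, lines))
```

Running run_sample() yields rules 104110, 104120, 104120, 104225, 104120, 104130, 104120 in that order; only the level 11 and level 10 alerts cross the email threshold. Add <same_source_ip/> to 104130 if you want the count kept per attacker rather than pooled.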
Logistical Considerations
As with any intrusion detection system, expect a timeframe for tuning
Be extremely careful with active response to avoid self denial of service
Overall Impact
- Develop metrics to justify security resource allocation
- Verify effectiveness of security countermeasures
Pitfalls of OSSEC
Difficulty in upgrades between versions
Volume of alerts
In testing, OSSEC is great for early warning but not so good in a post-compromise situation
OSSEC Community
Questions
Thank you.
http://www.MadIrish.net
justin@MadIrish.net @madirish2600