1. OSSEC Workshop
Wim Remes - Xavier Mertens
BH EU 2011
Thursday 17 March 2011
2. About Us
• Wim
• works for EY Belgium
• Security Consultant
• Eurotrash
• InfoSec Mentors
• Brucon
• Xavier
• Senior Security Consultant for a Belgian company
• Security Blogger
4. Technical Issues
• Mix of OS / Application / Protocols
• Thousands of events to process
• Multiple consoles/tools
• Keep Security at the highest level (“CIA” principle)
5. Find the Differences...
• Aug 27 14:33:01 macosx ipfw: 12190 Deny TCP 192.168.13.1:2060 192.168.13.104:5000 in via en1
• %PIX-3-313001: Denied ICMP type=11, code=0 from 192.168.30.2 on interface 2
6. Economic Issues
• “Time is Money” (24x7, no downtime)
• Reduced staff & budget
• Happy shareholders
• This costs $$$ and HH:MM! (Commercial as well as Free!)
7. Legal Issues
• Compliance requirements (by “group” or by business)
• Local laws (retention, data protection)
• Due diligence & due care
8. Challenges
• Creation and archiving of log files (centralized)
• Analyze (Normalization)
• Follow-up
• Reporting
9. Layers Model (top to bottom)
• Reporting
• Correlation
• Search
• Storage
• Normalization
• Log Collection
10. OSSEC in a Nutshell
“Because everybody must take care of logs”
11. Core Features
• OSSEC is a free HIDS
• Features
• Log Analysis / File Integrity Checks
• Policy Monitoring
• Rootkit Detection
• Actions (Alerts / Active Response)
• Open to 3rd party products
12. OSSEC Position
• Log Management Solutions: focus on logs
• SIEM Solutions: focus on security
• OSSEC is positioned between the two
13. OSSEC cannot...
• Detect access to files (or based on info provided by the OS)
• Use proprietary protocols > You have to convert them to Syslog (ex: CheckPoint)
• Display nice graphs
• OSSEC is just a (dumb) tool!
14. It’s not a product...
(c) Bruce
• Problems? Results!
• Proof of Concept with limited scope
• Test procedures from A to Z
• Procedures! (yeah, boring)
15. Starter’s Kit
• A Linux box
• Enough Storage
• Some UNIX/networking knowledge
• Script-Fu can be helpful
• Free time!
16. Architecture
• Architecture
• Server
• Agents (UNIX & Windows)
• DB (optional)
• 3rd Party Products (optional)
17. Software Components
Component     Server  Agent
logcollector    x       x
agentd         (x)      x
execd           x       x
syscheckd       x       x
analysisd       x
maild           x
remoted         x
monitord        x
reportd         x
csyslogd        x
20. Server Installation
• Harden Your Linux Server
• Allow traffic to UDP/1514
• ./install.sh && Answer questions
• ./manage-agents && Create keys
26. Log Archives
• Enable with the following keyword (default off): <logall>on</logall>
• MD5/SHA1 for integrity
• Raw event is stored! (evidence)
27. Alerts Post Analysis
• OSSEC has a WUI, but it is outdated (IMHO)
• Alternatives
• Picviz
• Prelude
• Splunk or LaaS (Loggly)
<syslog_output>
<server>127.0.0.1</server>
<port>10002</port>
</syslog_output>
28. Key Design & Implementation Issues
29. Time Synchronization
• Use NTP to synchronize your devices
• Mandatory to investigate security incidents
30. Access Raw Data
• Safe & reliable collection of Syslog flows
• Access to local files (agents)
31. UDP 1514
• OSSEC adds confidentiality (packets are encrypted) but still relies on UDP
• No caching or heart-beat mechanism
32. High Availability
• Full Virtual IP + storage sync (Active/Passive)
• Multiple Servers (Failover)
# ossec.conf
<client>
<server-ip>192.168.0.10</server-ip>
<server-ip>192.168.10.10</server-ip>
</client>
# internal_options.conf
remoted.verify_msg_id=0
33. Long Term Retention
• $OSSECHOME/logs/archives/YYYY/MMM
• Could fill your filesystem very quickly!
• Procedure must be implemented for long term retention (ex: NAS, DVDs)
40. Basics
Step 3: $OSSECHOME/rules/local_rules.xml
<rule id="100001" level="0">
<if_sid>5711</if_sid>
<srcip>1.1.1.1</srcip>
<description>Example of rule that will ignore sshd failed logins from IP 1.1.1.1.</description>
</rule>
Test it with $OSSECHOME/bin/ossec-logtest
42. Lab Environment
• ssh student@yourhost (Pass: 0SSEC4ever)
• sudo -s
• Stuff in $HOME/files/
• Live Syslog feed received in /var/log/
• Sendmail available
• Do NOT abuse!
43. Exercise #1
• Install OSSEC (stand-alone)
• Start collecting events
• Play with configuration files
• Send notifications via e-mail
44. Exercise #2
• Generate an (email) alert when accesses to Facebook are detected
45. Solution #2
• In $OSSECHOME/rules/local_rules.xml:
<!-- Facebook detection rule -->
<rule id="100030" level="10">
<match>facebook.com</match>
<description>Access to Facebook detected!</description>
</rule>
• Restart OSSEC
46. Exercise #3
• Monitor (decode) an unknown file format:
/var/log/application.log
• Report activity for the user ‘admin’
• Tip: Use ossec-logtest
47. Solution #3
• Log format:
Mar 10 23:36:43 foo application[4583]: john created /data/report134.ppt
• In $OSSECHOME/etc/decoder.xml:
<decoder name="newapp">
<program_name>application</program_name>
</decoder>
<decoder name="newapp-event">
<parent>newapp</parent>
<regex>^(\S+)</regex>
<order>user</order>
</decoder>
48. Solution #3 (cont)
• In $OSSECHOME/etc/ossec.conf:
<localfile>
<log_format>syslog</log_format>
<location>/var/log/application.log</location>
</localfile>
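To show how the pieces on slides 40, 45 and 47 fit together, here is an added Python model of the decoder and rule flow (example code written for this page, not OSSEC's own analysisd): a syslog pre-decoder, the newapp/newapp-event decoders from Solution #3, rules 100001 and 100030 from the slides, and a constructed rule 100031 that reports activity by the user 'admin'. The sample log lines, the sshd/sshd-failed decoders and the stand-in rule 5711 are constructed for the example; OSSEC's real sshd decoder and rule 5711 differ.

```python
import re

# Constructed sample log lines for this example (not from the workshop lab).
SAMPLE_LOGS = [
    "Mar 10 23:36:43 foo application[4583]: john created /data/report134.ppt",
    "Mar 10 23:37:02 foo application[4583]: admin deleted /data/report134.ppt",
    "Mar 10 23:38:11 foo squid[2211]: GET http://www.facebook.com/ by 10.0.0.5",
    "Mar 10 23:39:00 foo sshd[6021]: Failed password for root from 1.1.1.1 port 2222 ssh2",
]

# Stage 1: the syslog pre-decoder splits timestamp, host, program name and pid
# from the message (what <log_format>syslog</log_format> does in OSSEC).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Stage 2: decoders, mirroring decoder.xml. A parent is selected by
# <program_name>; a child applies <regex> and names the captures via <order>.
DECODERS = [
    {"name": "newapp", "program_name": "application"},
    {"name": "newapp-event", "parent": "newapp",
     "regex": re.compile(r"^(\S+)"), "order": ["user"]},
    # Constructed stand-in for OSSEC's sshd decoders, kept minimal.
    {"name": "sshd", "program_name": "sshd"},
    {"name": "sshd-failed", "parent": "sshd",
     "regex": re.compile(r"^Failed password for (\S+) from (\S+) port"),
     "order": ["dstuser", "srcip"]},
]

# Stage 3: rules, mirroring local_rules.xml. A rule with if_sid is a child
# that is only tried after its parent matched; level 0 silences the event.
RULES = [
    {"id": 5711, "level": 5, "decoded_as": "sshd-failed",
     "description": "sshd failed login (stand-in for the base rule cited on slide 40)"},
    {"id": 100001, "level": 0, "if_sid": 5711, "srcip": "1.1.1.1",
     "description": "Ignore sshd failed logins from 1.1.1.1"},
    {"id": 100030, "level": 10, "match": "facebook.com",
     "description": "Access to Facebook detected!"},
    {"id": 100031, "level": 7, "decoded_as": "newapp-event", "user": "admin",
     "description": "Activity of user admin in application (constructed for Exercise #3)"},
]


def decode_line(line):
    """Run one raw line through the pre-decoder and the decoder tree."""
    m = SYSLOG_RE.match(line)
    event = dict(m.groupdict()) if m else {}
    event["log"] = line
    parent = next((d for d in DECODERS if "program_name" in d
                   and d["program_name"] == event.get("prog")), None)
    event["decoder"] = parent["name"] if parent else None
    if parent:
        for child in (d for d in DECODERS if d.get("parent") == parent["name"]):
            cm = child["regex"].search(event["msg"])
            if cm:
                event["decoder"] = child["name"]
                event.update(zip(child["order"], cm.groups()))
                break
    return event


def rule_matches(rule, event):
    """Evaluate the rule options used on the slides: decoded_as, match, srcip, user."""
    if "decoded_as" in rule and event.get("decoder") != rule["decoded_as"]:
        return False
    if "match" in rule and rule["match"] not in event["log"]:
        return False
    if "srcip" in rule and event.get("srcip") != rule["srcip"]:
        return False
    if "user" in rule and event.get("user") != rule["user"]:
        return False
    return True


def evaluate(event, log_alert_level=1):
    """Return the winning rule, or None if nothing matched or its level is too low.
    Parents are tried first; a matching if_sid child overrides its parent."""
    matched = None
    for rule in RULES:
        if "if_sid" in rule or not rule_matches(rule, event):
            continue
        matched = rule
        for child in RULES:
            if child.get("if_sid") == rule["id"] and rule_matches(child, event):
                matched = child
                break
        break
    if matched is None or matched["level"] < log_alert_level:
        return None
    return matched


def process(lines, log_alert_level=1):
    """Decode and evaluate each line; return (id, level, description, user or srcip) per alert."""
    alerts = []
    for line in lines:
        event = decode_line(line)
        rule = evaluate(event, log_alert_level)
        if rule:
            alerts.append((rule["id"], rule["level"], rule["description"],
                           event.get("user") or event.get("srcip")))
    return alerts
```

Running process(SAMPLE_LOGS) yields two alerts: rule 100031 for the 'admin' line and rule 100030 for the Facebook line. The 'john' line is decoded but matches no rule, and the sshd failure from 1.1.1.1 is swallowed by the level 0 child rule 100001, which is exactly the effect ossec-logtest shows for the rule on slide 40.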
50. Exercise #4
• Suspicious access detection
• Detect SSH access from Belgium
• Tips
• Use an Active-Response script
• GeoIP API in $HOME/files/geoip
51. Solution #4
• Install the GeoIP RPM
• Copy the new Active-Response (geoip.sh) script in $OSSECHOME/active-response/bin
• Review the script content
52. Solution #4 (cont)
• Configure the Active-Response script in $OSSECHOME/etc/ossec.conf
<command>
<name>geoip-lookup</name>
<executable>geoip.sh</executable>
<expect>srcip</expect>
</command>
53. Solution #4 (cont)
• Find the right rules to attach the Active-Response to (ex: #5501 - Login session opened)
• Link the Active-Response to the rule:
<active-response>
<command>geoip-lookup</command>
<location>server</location>
<rules_id>5501</rules_id>
</active-response>
• Restart OSSEC
54. Solution #4 (cont)
• Monitor the new logfile
<localfile>
<location>/var/log/geoip.log</location>
<log_format>syslog</log_format>
</localfile>
• Create a new rule
<rule id="100100" level="10">
<regex>Detected \S+ from BE, Belgium</regex>
<description>Suspicious login from Belgium</description>
</rule>
• Restart OSSEC and watch alerts.log
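The slides tell you to review geoip.sh but do not show it, so here is an added, constructed Active-Response script in Python that closes the loop of Solution #4 (example code for this page, not the workshop's geoip.sh): OSSEC invokes it with action, user, srcip, alert id and rule id as arguments, it asks the geoiplookup binary from the GeoIP RPM for the country, and it appends a syslog-formatted line to /var/log/geoip.log so that the localfile entry and rule 100100 above can pick it up. The geoiplookup output line format ("GeoIP Country Edition: BE, Belgium"), the log line wording and the example addresses (192.0.2.x, 198.51.100.x) are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Constructed GeoIP Active-Response script (example for this page, not the workshop's geoip.sh)."""
import os
import re
import socket
import subprocess
import sys
import time

LOGFILE = "/var/log/geoip.log"  # path monitored by the <localfile> entry on the slide
# Python equivalent of rule 100100's <regex>Detected \S+ from BE, Belgium</regex>
SUSPICIOUS_RE = re.compile(r"Detected \S+ from BE, Belgium")


def parse_geoiplookup(output):
    """Pull 'CC, Country' out of geoiplookup's output. The line format
    'GeoIP Country Edition: BE, Belgium' is an assumption about the GeoIP CLI."""
    for line in output.splitlines():
        if line.startswith("GeoIP Country Edition:"):
            return line.split(":", 1)[1].strip()
    return "unknown"


def lookup_country(ip):
    """Call the geoiplookup binary from the GeoIP RPM; 'unknown' if it is missing."""
    try:
        proc = subprocess.run(["geoiplookup", ip], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return "unknown"
    return parse_geoiplookup(proc.stdout)


def syslog_timestamp(when=None):
    """'Mar 10 23:36:43' with a space-padded day, as the syslog decoder expects."""
    when = when or time.localtime()
    return "%s %2d %s" % (time.strftime("%b", when), when.tm_mday, time.strftime("%H:%M:%S", when))


def format_event(ip, country, rule_id, ts=None, host=None, pid=None):
    """Build the syslog-style line written to geoip.log so that
    <log_format>syslog</log_format> decodes it and rule 100100 can match it."""
    ts = ts or syslog_timestamp()
    host = host or socket.gethostname()
    pid = pid or os.getpid()
    return "%s %s geoip[%d]: Detected %s from %s (rule %s)" % (ts, host, pid, ip, country, rule_id)


def is_suspicious(line):
    """True when the line would fire rule 100100."""
    return SUSPICIOUS_RE.search(line) is not None


def main(argv):
    # OSSEC passes: action (add/delete), user, srcip, alert id, rule id.
    if len(argv) < 6:
        sys.stderr.write("usage: geoip.py add|delete user srcip alert_id rule_id\n")
        return 2
    action, _user, ip, _alert_id, rule_id = argv[1:6]
    if action != "add":  # nothing to undo on 'delete'
        return 0
    line = format_event(ip, lookup_country(ip), rule_id)
    with open(LOGFILE, "a") as fh:
        fh.write(line + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the script only writes a log line and lets a rule on that log raise the alert, the decision (level, e-mail, further active response) stays in the rule set rather than in the script, and a lookup failure simply yields a line with "unknown" that rule 100100 ignores.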
55. Other Examples
• MySQL database integrity audit
• USB-stick detection on Windows
• Rogue access detection (using geo-localization)
• Mapping data on Google Maps
• Temporary lookup tables
56. Happy Logging!
xavier (at) rootshell (dot) be
wremes (at) gmail (dot) com