5. NIDS and HIDS
HIDS
A host-based intrusion detection system (HIDS) is a system that run on individual hosts
and monitors a computer system
Detect an intrusion and/or misuse, and responds by logging the activity
It is an agent that monitors and analyzes whether anything or anyone, whether internal
or external, has bypass the system’s security policy.
Tools like : Samhain, Ossec
NIDS
NIDS is placed within the network to monitor traffic to and from all devices on network
NIDS scan all inbound and outbound traffic
NIDS tools operate by inspecting traffic that occurs between hosts. Various Tools like
Snort, Suricata, Bro, Kismet
6. Available HIDS
OSSEC: OpenSource
Wazuh : OpenSource, Wrapper Over OSSEC with API, ELK, And Signature DB
AlianVault: Licenced, USM (Unified Security Management) is based OSSEC
MicroTrend: Licenced
AlertLogic: Licenced,
7. OSSEC ?
OSSEC is an Open Source Host-based Intrusion Detection System.
Key Features:
Log analysis
File Integrity checking (Unix and Windows)
Registry Integrity checking (Windows)
Host-based anomaly detection (for Unix – rootkit detection)
Active response
Ossec is mainly used for three things:
See what is going on
Stop brute-force attacks ( ftp, ssh, web )
8. Ossec Benefits
Open-Source
Log Analysis
Easy to install
Easy to customize (rules and config in XML format)
Scalable (client/server architecture)
High Availability (Can have multiple OSSEC Server)
Multi-Platform
Ossec comes with existing standard decoders /rules which analyse our logs
like telnetd, Sudo, SSH, FTP etc
PCI DSS Compliance at some extent.
10. Ossec Internal Components
Analysisd – Does all the analysis (main process)
Remoted – Receives remote logs from agents
Logcollector – Reads log files (syslog, Flat files, Windows event log, IIS, etc)
Agentd – Forwards logs to the server
Maild – Sends e-mail alerts
Execd – Executes the active responses
Monitord – Monitors agent status, compresses and signs log files, etc
Integratord - Integrating OSSEC with Slack and PagerDuty
Authd - Daemon will automatically add an agent to an OSSEC manager
11. Wazuh
Wazuh, A wrapper over OSSEC that provide additonal fucntionality like Restful API,
ELK integration.
12. Ossec Server/Client Installtion
Firstly, Install necessary package required
sudo apt-get install gcc make git
sudo apt-get install libssl-dev
After this clone our Github repository
mkdir ossec_tmp && cd ossec_tmp
git clone -b stable https://github.com/wazuh/ossec-wazuh.git
cd ossec-wazuh
sudo ./install.sh
Choose server for server installation and agent for client installation when being asked
about the installation type and answer the rest of questions as desired.
Once installed, you can start your OSSEC manager running:
sudo /var/ossec/bin/ossec-control start
Check the service : ps aux |grep ossec
13. Connect Client with Server
After Setting up agent we need to Connect it with OSSEC-Server .
To make life easier, OSSEC added a new daemon on the server, called ossec-authd.
it is a daemon you run on the server when you deploy your agent;
it will populate your agents key;
when you have finished to deploy, you stop it.
Once the keys are created, you can start the ossec-authd:
/var/ossec/bin/ossec-authd -p 1515
Setting up the agents
On the agents, the work is minimal. All you have to do is to run the following command:
/var/ossec/bin/agent-auth -m <ServerIP> -p 1515 -A <agent-name>
That’s it. The keys are now exchanged and you can start your agent.
sudo /var/ossec/bin/ossec-control start
15. Ossec Integration with ELK
OSSEC HIDS integration with ELK Stack provides a real-time alerts managemnet
console, as well as flexible way to store data for as long as needed.
18. Log pre-Decoding (1)
Decoding of a SSHD message:
After pre-Decoding by OSSEC?
time/date -> Apr 14 17:32:06
hostname -> ubuntu
program_name -> sshd
log -> Accepted password for root from 192.168.2.190 port ...
19. Log Decoding (2)
Process to identify key information from logs
OSSEC comes with hundreds of decoders
Generally we want to extract source ip, user name, id
After Decode by OSSEC :
time/date -> Apr 14 17:32:06
hostname -> ubuntu
program_name -> sshd
log -> Accepted password for root from 192.168.2.190 port
srcip -> 192.168.2.190
user -> root
20. Writing decoders
Writing a decoder. What it requires?
sshd example:
We want to extract the user name and source ip
If program name was pre-decoded as sshd (remember predecoding?), try this regular
expression
21. Log Rules
Next step after decoding is to check the rules
User-defined XML
Very easy to write!
Allows to match based on decoded information
OSSEC comes with more than 400 rules by default!
What it requires?
A Rule id (any integer)
A Level - from 0 (lowest) to 15 (highest)
Level 0 is ignored, not alerted at all
Pattern - anything from “regex” , to “srcip” , “id” , “user” , etc
23. PCI DSS
Payment Card industry Data Security Standard .
Visa, MasterCard and other card brands create common industry
security requirements
Intended to protect cardholders data – wherever it resides
compliance is mandated for all organization handling credit card data
12 Steps that we need to take to achieve PCI DSS compliance are
Firewall, password, storage, Encrypt, anti-virus, uniquid, track and
monitor etc
OSSEC helps to implement PCI DSS by performing log analysis, file
integrity checking, policy monitoring, intrusion detection, real-time
alerting and active response.
24. Monitor AWS logs
Cloudtrail pushes data to s3 bucket and then using python script we
store that log on ossec server
25. Alerting and Notification
Slack Integration:
Integration of logs with slack and set alert level so that only particular
message come in slack.
<integration>
<name>slack</name>
<hook_url>https://hooks.slack.com/services/T0EV123BK/B1V3JHzUko97IdmCAl</hook_url>
<level>7</level>
</integration>
Email Integration:
Integration with Email .Send granule email alert based on the
level/rulegroups/rule_id to different recipient.
<email_alerts>
<email_to>gaurav04@protonmail.com</email_to>
<group>sql_injection|authentication_failed|authentication_failures</group>
<level>6</level>
<format>sms</format>
</email_alerts>
26. HIDS Implementation Testing
Tested FTP, SSH brute force attack using HYDRA as penetration testing tool.
Example:
hydra -L /home/ubuntu/user.txt -P /home/ubuntu/pwd.txt -s 22 <IP> <service-
name>
-L file which contain list of userName
-P file which contain list of passWord
service-name : it may be ssh,ftp,mysql,telnet
-s port Number for service