© Justin C. Klein Keane <jukea [email protected]>

Using OSSEC: Open Source Host Based Intrusion Detection
Justin C. Klein Keane
University of Pennsylvania, School of Arts & Sciences
Information Security and Unix Systems
Justin C. Klein Keane
Solutions
- OSSEC is a service you can utilize internally or offer your stakeholders
- OSSEC allows you to extend your security impact
- OSSEC provides you greater visibility into your security posture
- Customization options allow OSSEC to meet your specific needs
Presentation Format
- Top down
- Definitions
- How OSSEC works
- Customization
- Our implementation
- Logistics and considerations
- Resources
Network vs. App Security
- We've won network security (sort of)
- Firewalls are becoming less effective as applications standardize on port 80
- Defending applications requires new approaches
- OSSEC fits easily and naturally into an application security program
About OSSEC
- Open source host based intrusion detection system (HIDS)
- Written by Daniel Cid, who continues to participate
- Pronunciation varies
- Acquired by Third Brigade in 2008, which was then acquired by Trend Micro in 2009
What is an IDS
- Intrusion detection system (IDS)
- Distinct from an intrusion prevention system (IPS), which is an active system
- Monitors data points to identify malicious behaviour
  - Anomaly detection or pattern matching
- Basically just automated traffic monitoring
Differences of HIDS vs. NIDS
- HIDS: host based IDS
- NIDS: network based IDS
- NIDS uses data from the wire
- HIDS can use the filesystem as well as the network
  - Log files, file contents
  - Filesystem attributes
- Main difference: visibility
Advantages of HIDS
- Low(er) false positive rate
  - If your HIDS detected the traffic, it was definitely parsed by the target
- Leverages existing hardware
- Not very resource intensive
- No interruption (complication) of networking architecture
Disadvantages of HIDS
- Blind spots:
  - If it isn't logged, or stored on the filesystem, it's invisible
  - Unable to parse unknown or unlogged traffic
  - Can't evaluate egress
  - Can't spot probes that don't hit active services
- Requires an agent install on endpoints
- Can be defeated with a host compromise
Advantages of NIDS
- All traffic becomes visible, ingress and egress
- Requires just one point of installation
- Failure doesn't affect endpoints
Disadvantages of NIDS
- High false positive rate
  - No way to tell if attack was real
- Easy to overwhelm with bad traffic or evade
  - Packet fragmentation, etc.
- Can't see encrypted traffic
OSSEC Beyond HIDS
- Filesystem integrity checking
- Registry monitoring on Windows
- Active response
  - Commonly used for RTBL
  - Can be scripted for almost any behaviour
- Rootkit detection
How OSSEC Works
- Three modes
  - Local, client, server
- Client server model (we'll focus on this)
  - Clients receive configuration from server
  - Clients send logs to server over an encrypted channel
OSSEC Configuration
- OSSEC is configured in two main areas:
  - Server configuration
    - Global configurations applied to all hosts
  - Client configuration
    - Configuration options specific to a certain machine
OSSEC Network Communication
- UDP port 1514
- Compressed messages (using zlib)
- Blowfish based encryption using pre-shared keys
- Logs specified on client are collected and sent to manager for analysis
Log File Monitoring
- OSSEC monitors specific logs by default, including:
  - Syslog
  - Apache http logs
  - Mail logs
- OSSEC can be configured to monitor any log it can gain access to
OSSEC Data Flow
OSSEC Decoders
- OSSEC uses decoders to parse log files
- Decoders are written as XML
- Extracts useful data fields from log entries to use for rule and alert matching, including:
  - Source IP and/or port
  - Destination IP and/or port
  - Program name or user name
  - And more...
OSSEC Rules
- OSSEC rules are stored as XML files
- Rules are hierarchical
- By default OSSEC includes rules for: apache, arpwatch, asterisk, cisco-ios, courier, firewalls, ftpd, horde/imp, IDS systems, IMAP, McAfee antivirus, MS auth, MS DHCP, Exchange, Microsoft FTPD, MySQL, Bind, Netscreen, PAM, postfix, Postgres, ProFTP, Roundcube, sendmail, samba, Squid, SSH, Symantec AV, Syslog, Telnet, VMWare, VSFTP, Wordpress, and more...
Rule Format
- Rules are assigned priority levels, usually from 1 (lowest) to 15
- Rules trigger based on:
  - Pattern matching in strings
  - Timing between matches (x hits on rule y in z interval)
  - Dependence on other rules (x rule already fired)
  - Time of day
  - Hostnames
  - Applications
OSSEC Alerts
- Default settings include alerting on:
  - Web attacks
  - SSH brute force
  - Buffer overflows and program crashes
  - Firewall events
  - Users using sudo
  - Many more...
- Creating custom alerts is relatively easy
Alert Behavior
- When a rule triggers an alert, several actions can be configured:
  - Logging (to the alert.log or MySQL)
    - Default behavior
  - Sending an e-mail alert
    - Usually alerts over a threshold level trigger email
    - Default is level 7
  - Sending an SMS alert
  - Executing an active response script
Typical Alert

OSSEC HIDS Notification.
2010 Aug 04 12:10:08

Received From: webdev->/var/log/httpd/access_log
Rule: 31106 fired (level 12) -> "A web attack returned code 200 (success)."
Portion of the log(s):

172.16.46.1 - - [04/Aug/2010:12:10:07 -0400] "GET /drupal-4.7.11/?q=user/autocomplete/%3Cscript%3Ealert(%27title%27)%3B%3C%2Fscript%3E HTTP/1.1" 200 140 "http://172.16.46.129/drupal-4.7.11/?q=node/add/page" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.11) Gecko/20100723 Fedora/3.5.11-1.fc12 Firefox/3.5.11"
Active Response
- Initiates scripts
- Default installations include firewall rules
- Time based
- Whitelists prevent self denial of service
- Active response can be delegated to multiple hosts
Generating Reports
- OSSEC includes ossec-reportd
  - Can be used to generate summary reports
  - Ex. show all brute force attempts, the usernames used, and the number of times attempted
- OSSEC can also log to a database so that SQL can be used for reporting
- Custom scripts can be used to parse alert logs
- Web based user interface (WUI) reporting
Beyond HIDS: Monitoring Scripts
- OSSEC can be used to monitor the output of custom scripts
- For instance, OSSEC can generate alerts based on changes to NMAP scan results of specific hosts
  - http://www.ossec.net/wiki/Know_How:Nmap
- Can also log scripted alerts to a common log (syslog) and write a rule to augment existing log monitoring
Custom Decoders and Logs
- OSSEC will monitor many common services out of the box
- OSSEC can be extended to monitor custom applications
- OSSEC can detect events in custom application logs and trigger custom active response scripts
Case Study
- Penn makes heavy use of the open source Drupal content management system
- Drupal is a complex web application
- Easy to spot some attacks via Apache logs
- Abuse of native Drupal features isn't visible at the Apache level
  - Apache only logs GET variables
Drupal Logging
- Drupal 6 includes a syslog module that writes logs to standard syslog:

Aug 2 16:00:48 webdev drupal: 172.16.46.129 http://172.16.46.129/drupal-6.16|1280779248|update|172.16.46.1|http://172.16.46.129/drupal-6.16/admin/reports/updates/check?destination=admin%2Fbuild%2Fmodules|http://172.16.46.129/drupal-6.16/admin/build/modules|1|view|Unable to fetch any information about available new releases and updates.
Parsing the Log
- Drupal uses a non-standard log format, so we have to build a custom decoder (the pipe separators are escaped, since an unescaped | is an OR in OSSEC regex syntax):

  program_name: ^drupal
  regex: ^\d+.\d+.\d+.\d+ \S+\|\d+\|\w+\|(\d+.\d+.\d+.\d+)\|(\.+)\|\.*\|\d+\|\.*\|(\.+)
  order: srcip,url,data
Custom Rules
- Base rule: decoded as "drupal", description "Drupal syslog message"
- Failed login rule: depends on rule 104110 or 1002, matches "Login attempt failed", description "Drupal failed login!"
- Administrator rule: depends on rule 104120, matches "Login attempt failed for administrator.", description "Drupal failed attempt to log in as administrator!"
- Brute force rule: fires on repeated hits of rule 104120, description "Possible Drupal brute force attack (high number of logins)."
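The Drupal log, decoder and rule chain from the last three slides, and the "x hits on rule y in z interval" behaviour from the Rule Format slide, modelled in Python as an added example (not code from the slides or from the OSSEC project). The Python regex mirrors the decoder's fields; rule ids 104130 and 104140, the 6-hits-in-60-seconds threshold, and every sample log line except the slide's update message are assumptions constructed for the example.

```python
import re
from collections import deque

# Syslog header, "drupal:" tag, then the Drupal 6 syslog module fields:
# client_ip base_url|timestamp|type|ip|request_uri|referer|uid|link|message
DRUPAL = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ drupal: \d+\.\d+\.\d+\.\d+ \S+\|(?P<ts>\d+)\|\w+\|"
                    r"(?P<srcip>\d+\.\d+\.\d+\.\d+)\|(?P<url>[^|]+)\|[^|]*\|\d+\|[^|]*\|(?P<data>.+)$")

def decode(line):
    """Model of the slide's decoder: srcip, url, data (plus the Drupal timestamp) or None."""
    d = DRUPAL.match(line)
    return d.groupdict() if d else None

class DrupalRules:
    """Rule chain from the slides; ids 104130/104140 and the 6-in-60s threshold are assumptions."""
    FREQUENCY, TIMEFRAME = 6, 60
    def __init__(self):
        self.failed = {}                   # srcip -> deque of failed-login timestamps
    def evaluate(self, line):
        """Return the ids of every rule that fires for one log line ([] if not decodable)."""
        f = decode(line)
        if f is None: return []
        fired = [104110]                   # decoded as drupal -> base rule
        if "Login attempt failed" in f["data"]:
            fired.append(104120)           # depends on 104110 plus a string match
            if "Login attempt failed for administrator." in f["data"]:
                fired.append(104130)       # depends on 104120, tighter match
            # "x hits on rule y in z interval"; OSSEC keys this on arrival time, here the Drupal timestamp stands in
            now = int(f["ts"])
            q = self.failed.setdefault(f["srcip"], deque())
            q.append(now)
            while now - q[0] > self.TIMEFRAME:
                q.popleft()
            if len(q) >= self.FREQUENCY:
                fired.append(104140)
        return fired

# Constructed sample input: the slide's update message plus repeated failed admin logins.
BASE = "http://172.16.46.129/drupal-6.16"
UPDATE_LINE = ("Aug  2 16:00:48 webdev drupal: 172.16.46.129 %s|1280779248|update|172.16.46.1|%s/admin/reports/"
               "updates/check|%s/admin/build/modules|1|view|Unable to fetch any information about available "
               "new releases and updates." % (BASE, BASE, BASE))
def failed_login(ts, user):
    return ("Aug  2 16:01:%02d webdev drupal: 172.16.46.129 %s|%d|user|172.16.46.1|%s/user|%s/user|0||"
            "Login attempt failed for %s." % (ts % 60, BASE, ts, BASE, BASE, user))
def run_sample():
    rules = DrupalRules()
    return [rules.evaluate(UPDATE_LINE)] + [rules.evaluate(failed_login(1280779260 + 5 * i, "administrator")) for i in range(6)]
```

The sixth failed administrator login within the window is the one that adds the brute force rule to the list of fired rules.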
Why Penn is Using OSSEC
- Found OSSEC in a search for open source SEM and SIM solutions
- No access to network taps or span ports
- Looking for a sensor net to correlate alerts
- Using OSSEC for over 3 years now
- Open source (allows for 10% customization)
- Lightweight
- Active development and support community
How Penn is Using OSSEC
- Server installed on a bastion host
- Agents deployed on critical hosts
- Separate server installed on cluster back ends
- Alerts go to a queue monitored by security staff
- Per machine alerts go to individual sysadmins
- Using OSSEC to monitor custom alert scripts
Logistical Considerations
- As with any intrusion detection system, expect a timeframe for tuning
- Be extremely careful with active response to avoid self denial of service
- Installation may require coordination with sysadmins
Overall Impact
- Develop metrics to justify security resource allocation
- Verify effectiveness of security countermeasures
- Track outlying machines, especially virtual machines
- Extend service offerings to client groups
- Centralized log reporting
Pitfalls of OSSEC
- Difficulty in upgrades between versions
- Coordinating pre-shared keys can be problematic
- Sometimes agents become unresponsive
- Volume of alerts
- In testing, OSSEC is great for early warning but not so good in a post compromise situation
OSSEC Community
- Extremely active user community
- Developer mailing list
- OSSEC mailing list (and Google group)
  - http://groups.google.com/group/ossec-list
- OSSEC wiki
  - http://www.ossec.net/wiki
- Commercial support from Trend [email protected]
- HIDS Guide by Hay, Cid, and Bray. Syngress 2008
Questions
Thank you.
http://www.MadIrish.net [email protected]
@madirish2600