© Justin C. Klein Keane <jukea [email protected]>
  • Using OSSEC: Open Source Host Based Intrusion Detection
    Justin C. Klein Keane
    University of Pennsylvania
    School of Arts & Sciences
    Information Security and Unix Systems

    Justin C. Klein Keane

  • Solutions
    - OSSEC is a service you can utilize internally or offer to your stakeholders
    - OSSEC allows you to extend your security impact
    - OSSEC provides greater visibility into your security posture
    - Customization options allow OSSEC to meet your specific needs

  • Presentation Format
    Top down:
    - Definitions
    - How OSSEC works
    - Customization
    - Our implementation
    - Logistics and considerations
    - Resources

  • Network vs. App Security
    - We've won network security (sort of)
    - Firewalls are becoming less effective as applications standardize on port 80
    - Defending applications requires new approaches
    - OSSEC fits easily and naturally into an application security program

  • About OSSEC
    - Open source host based intrusion detection system (HIDS)
    - Written by Daniel Cid, who continues to participate
    - Pronunciation varies
    - Acquired by Third Brigade in 2008, which was then acquired by Trend Micro in 2009

  • What is an IDS
    - Intrusion detection system (IDS)
    - Distinct from an intrusion prevention system (IPS), which is an active system
    - Monitors data points to identify malicious behaviour
    - Anomaly detection or pattern matching
    - Basically just automated traffic monitoring

  • Differences of HIDS vs. NIDS
    - HIDS: host based IDS
    - NIDS: network based IDS
    - NIDS uses data from the wire
    - HIDS can use the filesystem as well as the network
      - Log files, file contents
      - Filesystem attributes
    - Main difference: visibility

  • Advantages of HIDS
    - Low(er) false positive rate
      - If your HIDS detected the traffic, it was definitely parsed by the target
    - Leverages existing hardware
    - Not very resource intensive
    - No interruption (complication) of networking architecture

  • Disadvantages of HIDS
    - Blind spots: if it isn't logged, or stored on the filesystem, it's invisible
      - Unable to parse unknown or unlogged traffic
      - Can't evaluate egress
      - Can't spot probes that don't hit active services
    - Requires an agent install on endpoints
    - Can be defeated with a host compromise

  • Advantages of NIDS
    - All traffic becomes visible, ingress and egress
    - Requires just one point of installation
    - Failure doesn't affect endpoints

  • Disadvantages of NIDS
    - High false positive rate
      - No way to tell if the attack was real
    - Easy to overwhelm with bad traffic, or to evade
      - Packet fragmentation, etc.
    - Can't see encrypted traffic

  • OSSEC Beyond HIDS
    - Filesystem integrity checking
    - Registry monitoring on Windows
    - Active response
      - Commonly used for RTBL (real-time block lists: firewalling attacking source addresses as they are detected)
      - Can be scripted for almost any behaviour
    - Rootkit detection

  • How OSSEC Works
    - Three modes: local, client, server
    - Client/server model (we'll focus on this)
      - Clients receive configuration from the server
      - Clients send logs to the server over an encrypted channel

  • OSSEC Configuration
    OSSEC is configured in two main areas:
    - Server configuration: global configurations applied to all hosts
    - Client configuration: configuration options specific to a certain machine

  • OSSEC Network Communication
    - UDP port 1514
    - Compressed messages (using zlib)
    - Blowfish based encryption using pre-shared keys
    - Logs specified on the client are collected and sent to the manager for analysis

  • Log File Monitoring
    OSSEC monitors specific logs by default, including:
    - Syslog
    - Apache HTTP logs
    - Mail logs
    OSSEC can be configured to monitor any log it can gain access to
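
    An agent-side configuration matching the client/server setup and the log monitoring described on the preceding slides, added here as an illustration; it is not from the presentation or from the Penn deployment. It assumes a manager at 192.0.2.10 (a documentation address), an agent registered as webdev, and Red Hat style log paths. Two files are shown in one block, each introduced by a comment giving its path.

```xml
<!-- /var/ossec/etc/ossec.conf on the agent (constructed example) -->
<ossec_config>
  <client>
    <!-- Where to ship events: UDP/1514 on the manager, zlib-compressed and
         Blowfish-encrypted with the per-agent key that manage_agents exports
         on the manager and that is imported on this host out of band -->
    <server-ip>192.0.2.10</server-ip>
  </client>

  <!-- Logs collected on this host; log_format selects the decoder family -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>

  <!-- Filesystem integrity checking every 6 hours; the web root is included
       so defaced or backdoored pages show up as changed files -->
  <syscheck>
    <frequency>21600</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>
    <directories check_all="yes">/var/www/html</directories>
    <ignore>/etc/mtab</ignore>
    <!-- host-deny active response rewrites this file; do not alert on it -->
    <ignore>/etc/hosts.deny</ignore>
  </syscheck>
</ossec_config>

<!-- /var/ossec/etc/shared/agent.conf on the manager: pushed to every agent,
     so host-specific options are kept centrally. name= limits this stanza to
     the agent registered as webdev; os= and profile= are the other selectors. -->
<agent_config name="webdev">
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/access_log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/error_log</location>
  </localfile>
</agent_config>
```

    Agents pick up agent.conf on their next check-in with the manager, which is why host-specific log paths can be changed without touching the endpoint. On the manager, /var/ossec/bin/agent_control -l lists each agent as Active, Disconnected or Never connected; a "Disconnected" entry is the unresponsive-agent pitfall mentioned later in the deck, and a "Never connected" one usually means the key on the two sides does not match.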

  • OSSEC Data Flow
    (diagram only)

  • OSSEC Decoders
    - OSSEC uses decoders to parse log files
    - Decoders are written as XML
    - A decoder extracts useful data fields from log entries for rule and alert matching, including:
      - Source IP and/or port
      - Destination IP and/or port
      - Program name or user name
      - And more...

  • OSSEC Rules
    - OSSEC rules are stored as XML files
    - Rules are hierarchical
    - By default OSSEC includes rules for: apache, arpwatch, asterisk, cisco-ios, courier, firewalls, ftpd, horde/imp, IDS systems, IMAP, McAfee antivirus, MS auth, MS DHCP, Exchange, Microsoft FTPD, MySQL, Bind, Netscreen, PAM, postfix, Postgres, ProFTP, Roundcube, sendmail, samba, Squid, SSH, Symantec AV, Syslog, Telnet, VMWare, VSFTP, Wordpress, and more...

  • Rule Format
    - Rules are assigned severity levels from 0 to 15 (a level 0 rule matches the event but generates no alert; 15 is the most severe)
    - Rules trigger based on:
      - Pattern matching in strings
      - Timing between matches (x hits on rule y in z interval)
      - Dependence on other rules (rule x already fired)
      - Time of day
      - Hostnames
      - Applications

  • OSSEC Alerts
    Default settings include alerting on:
    - Web attacks
    - SSH brute force
    - Buffer overflows and program crashes
    - Firewall events
    - Users using sudo
    - Many more...
    Creating custom alerts is relatively easy

  • Alert Behavior
    When a rule triggers an alert, several actions can be configured:
    - Logging (to logs/alerts/alerts.log or MySQL): the default behavior
    - Sending an e-mail alert
      - Usually alerts over a threshold level trigger email; the default is level 7
    - Sending an SMS alert
    - Executing an active response script
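
    A manager-side configuration for the alert paths listed on this slide (log file, e-mail above a threshold, SMS-style e-mail, per-host routing to a sysadmin, database output) and for the UDP/1514 listener from the communication slide, added here as an example and not taken from the deck or the Penn setup. Addresses, hostnames and the database password are placeholders.

```xml
<!-- /var/ossec/etc/ossec.conf on the manager (constructed example) -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>security-queue@example.edu</email_to>
    <email_from>ossec@manager.example.edu</email_from>
    <smtp_server>smtp.example.edu</smtp_server>
    <!-- cap on mails per hour; excess alerts are batched, not dropped -->
    <email_maxperhour>12</email_maxperhour>
  </global>

  <!-- Every level >= 1 is written to logs/alerts/alerts.log; only level >= 7
       (the default threshold) is mailed to the global address above -->
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <!-- Granular routing: the admin of webdev gets that host's level 10+ alerts
       in addition to the security queue -->
  <email_alerts>
    <email_to>webdev-admin@example.edu</email_to>
    <event_location>webdev</event_location>
    <level>10</level>
  </email_alerts>

  <!-- Short-format message to an e-mail-to-SMS gateway for level 12+ only -->
  <email_alerts>
    <email_to>5551234567@sms.example.net</email_to>
    <level>12</level>
    <format>sms</format>
  </email_alerts>

  <!-- Store alerts in MySQL for SQL reporting. Database support must be
       compiled in (make setdb before install) and switched on with
       /var/ossec/bin/ossec-control enable database -->
  <database_output>
    <hostname>127.0.0.1</hostname>
    <username>ossec</username>
    <password>REPLACE_ME</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>

  <!-- Accept encrypted agent traffic on UDP/1514 -->
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>udp</protocol>
  </remote>
</ossec_config>
```

    The two thresholds are independent: lowering email_alert_level during tuning is what produces the alert-volume problem listed under pitfalls, while log_alert_level 1 keeps the full record in alerts.log for ossec-reportd and custom scripts regardless of what is mailed.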

  • Typical Alert
    OSSEC HIDS Notification.
    2010 Aug 04 12:10:08

    Received From: webdev->/var/log/httpd/access_log
    Rule: 31106 fired (level 12) -> "A web attack returned code 200 (success)."
    Portion of the log(s):

    172.16.46.1 - - [04/Aug/2010:12:10:07 -0400] "GET /drupal-4.7.11/?q=user/autocomplete/%3Cscript%3Ealert(%27title%27)%3B%3C%2Fscript%3E HTTP/1.1" 200 140 "http://172.16.46.129/drupal-4.7.11/?q=node/add/page" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.11) Gecko/20100723 Fedora/3.5.11-1.fc12 Firefox/3.5.11"

  • Active Response
    - Initiates scripts
    - Default installations include firewall rules
    - Time based
    - Whitelists prevent self denial of service
    - Active response can be delegated to multiple hosts
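
    A manager-side active-response configuration showing each of the points on this slide (a script, a time-based block, the whitelist, and delegation to other hosts), added here as an example rather than taken from the deck. The firewall-drop command, its script in /var/ossec/active-response/bin and rule 5712 (OSSEC's stock SSH brute-force rule) are real; the addresses are documentation placeholders.

```xml
<!-- Fragment of /var/ossec/etc/ossec.conf on the manager (constructed example) -->
<ossec_config>
  <!-- Addresses that must never be blocked: loopback, the manager, and the
       monitoring subnet. Self denial of service starts with forgetting these. -->
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>192.0.2.10</white_list>
    <white_list>192.0.2.0/24</white_list>
  </global>

  <!-- Command definition: the script receives the srcip the decoder
       extracted; if the triggering rule has no srcip, nothing runs -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Time based: block SSH brute forcers on the host that saw them and
       have the same script remove the rule after 600 seconds -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5712</rules_id>
    <timeout>600</timeout>
  </active-response>

  <!-- Delegated: a level 12 web attack blocks the source on every agent,
       not only on the web server that logged it -->
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>12</level>
    <timeout>1800</timeout>
  </active-response>
</ossec_config>
```

    During the tuning period the deck recommends, leave active response switched off globally with an <active-response><disabled>yes</disabled></active-response> stanza and watch what would have fired in alerts.log; only then enable individual responses, the local/rule-scoped one first and the all-agents one last, because a false positive in the latter is amplified across every host.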

  • Generating Reports
    - OSSEC includes ossec-reportd, which can be used to generate summary reports
      - E.g. show all brute force attempts, the usernames used, and the number of times each was attempted
    - OSSEC can also log to a database so that SQL can be used for reporting
    - Custom scripts can be used to parse alert logs
    - Web based user interface (WUI) reporting

  • Beyond HIDS: Monitoring Scripts
    - OSSEC can be used to monitor the output of custom scripts
    - For instance, OSSEC can generate alerts based on changes to nmap scan results of specific hosts
      http://www.ossec.net/wiki/Know_How:Nmap
    - Can also log scripted alerts to a common log (syslog) and write a rule to augment existing log monitoring
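
    Both techniques on this slide, as an added example that is not the wiki page's or the presenter's configuration: a command whose output OSSEC captures and diffs between runs, and a rule that picks up a scheduled script's syslog messages. The scanned host 192.0.2.20, the rule ids in the 1002xx range and the sitecheck tag are assumptions; rule 530 (OSSEC's parent rule for command output) and check_diff are real.

```xml
<!-- Fragment of ossec.conf on the host that runs the scan (constructed example).
     full_command delivers the whole output as one event, so the rule can
     compare it with the previous run. The grep drops nmap's comment lines,
     which carry a timestamp and would otherwise differ on every run.
     ossec-logcollector runs as root, which -sS requires. -->
<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>nmap -sS -p 1-1024 -oG - 192.0.2.20 | grep -v '^#'</command>
  </localfile>
</ossec_config>

<!-- Fragment of /var/ossec/rules/local_rules.xml on the manager -->
<group name="local,nmap,">
  <!-- Command output arrives as "ossec: output: 'COMMAND':" plus the
       output. check_diff fires only when the output differs from the
       stored copy of the last run (the first run always differs). -->
  <rule id="100210" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'nmap -sS</match>
    <check_diff />
    <description>Open port set on the scanned host changed since the last nmap run.</description>
  </rule>

  <!-- Scripted alert via syslog: a cron job runs
       logger -t sitecheck "CRITICAL: settings.php is world-writable"
       and this rule selects the message by its syslog program name -->
  <rule id="100220" level="10">
    <program_name>^sitecheck</program_name>
    <match>^CRITICAL</match>
    <description>Site check script reported a critical condition.</description>
  </rule>
</group>
```

    The diff-based rule turns a point-in-time scan into change detection: a port that opens between runs raises one level 7 alert with the new output, and because the nmap host is an ordinary agent, the same approach works for any command whose output should be stable (listening sockets, installed packages, cron tables). The syslog route needs no OSSEC changes on the scripted host beyond an existing syslog localfile, which is why it suits scripts written by other teams.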

  • Custom Decoders and Logs
    - OSSEC will monitor many common services out of the box
    - OSSEC can be extended to monitor custom applications
    - OSSEC can detect events in custom application logs and trigger custom active response scripts

  • Case Study
    - Penn makes heavy use of the open source Drupal content management system
    - Drupal is a complex web application
    - Easy to spot some attacks via Apache logs
    - Abuse of native Drupal features isn't visible at the Apache level
      - Apache only logs GET variables (the request line), not POST bodies or what the application decided

  • Drupal Logging
    Drupal 6 includes a syslog module that writes logs to standard syslog:

    Aug 2 16:00:48 webdev drupal: 172.16.46.129 http://172.16.46.129/drupal-6.16|1280779248|update|172.16.46.1|http://172.16.46.129/drupal-6.16/admin/reports/updates/check?destination=admin%2Fbuild%2Fmodules|http://172.16.46.129/drupal-6.16/admin/build/modules|1|view|Unable to fetch any information about available new releases and updates.

    After the server address, the pipe-separated fields are: base URL, timestamp, type, client IP, request URI, referrer, uid, link, message.

  • Parsing the Log
    Drupal uses a non-standard log format, so we have to build a custom decoder. The slide's XML tags were lost in transcription; the element names below are restored around the regex and field order that survived, and the field separators are written as \| because a bare | is alternation in OSSEC's regex dialect (\. matches any character, \d+.\d+.\d+.\d+ an IPv4 address):

    <decoder name="drupal">
      <program_name>^drupal</program_name>
    </decoder>

    <decoder name="drupal-syslog">
      <parent>drupal</parent>
      <regex>^\d+.\d+.\d+.\d+ \S+\|\d+\|\w+\|(\d+.\d+.\d+.\d+)\|(\.+)\|\.*\|\d+\|\.*\|(\.+)</regex>
      <order>srcip,url,data</order>
    </decoder>

    The three captures map to srcip (the client IP), url (the request URI) and data (the message); the referrer, uid and link fields are skipped. Note that \w+ for the type field does not match Drupal types containing spaces, such as "access denied" and "page not found", so those lines fall through to the generic syslog rules unless the pattern is widened to \.+. Test the decoder against a pasted log line with /var/ossec/bin/ossec-logtest before restarting the manager.

  • Custom Rules
    The rule XML tags and attributes (id, level, frequency, timeframe) were lost in transcription; the element text that survived is shown below inside a restored group. Ids 104110 and 104120 are implied by the if_sid and if_matched_sid references on the slide; the remaining ids, the levels and the brute-force threshold are placeholders to be set locally. Rule 1002 is OSSEC's generic syslog "bad word" rule, which also matches on "failed":

    <group name="drupal,">
      <rule id="104110" level="0">
        <decoded_as>drupal</decoded_as>
        <description>Drupal syslog message</description>
      </rule>

      <rule id="104120" level="5">
        <if_sid>104110,1002</if_sid>
        <match>Login attempt failed</match>
        <description>Drupal failed login!</description>
      </rule>

      <rule id="104130" level="8">
        <if_sid>104120</if_sid>
        <match>Login attempt failed for administrator.</match>
        <description>Drupal failed attempt to log in as administrator!</description>
      </rule>

      <rule id="104140" level="10" frequency="6" timeframe="120">
        <if_matched_sid>104120</if_matched_sid>
        <description>Possible Drupal brute force attack (high number of logins).</description>
      </rule>
    </group>

    The brute-force rule counts any failed Drupal login; adding <same_source_ip /> to it keys the count on the srcip the decoder extracted, so a single attacking address is distinguished from many users mistyping passwords.

  • Why Penn is Using OSSEC
    - Found OSSEC in a search for open source SEM and SIM solutions
    - No access to network taps or span ports
    - Looking for a sensor net to correlate alerts
    - Using OSSEC for over 3 years now
    - Open source (allows for 10% customization)
    - Lightweight
    - Active development and support community

  • How Penn is Using OSSEC
    - Server installed on a bastion host
    - Agents deployed on critical hosts
    - Separate server installed on cluster back ends
    - Alerts go to a queue monitored by security staff
    - Per machine alerts go to individual sysadmins
    - Using OSSEC to monitor custom alert scripts

  • Logistical Considerations
    - As with any intrusion detection system, expect a timeframe for tuning
    - Be extremely careful with active response to avoid self denial of service
    - Installation may require coordination with sysadmins

  • Overall Impact
    - Develop metrics to justify security resource allocation
    - Verify effectiveness of security countermeasures
    - Track outlying machines, especially virtual machines
    - Extend service offerings to client groups
    - Centralized log reporting

  • Pitfalls of OSSEC
    - Difficulty in upgrades between versions
    - Coordinating pre-shared keys can be problematic
    - Sometimes agents become unresponsive
    - Volume of alerts
    - In testing, OSSEC is great for early warning but not so good in a post compromise situation

  • OSSEC Community
    - Extremely active user community
    - Developer mailing list
    - OSSEC mailing list (and Google group): http://groups.google.com/group/ossec-list
    - OSSEC wiki: http://www.ossec.net/wiki
    - Commercial support from Trend Micro
    - OSSEC HIDS Guide by Hay, Cid, and Bray. Syngress, 2008

  • Questions
    Thank you.

    http://www.MadIrish.net
    [email protected]
    @madirish2600