Transcript of Fosdem10 (slides uploaded by wremes, category Technology)
OSSEC: Know More, Protect Better
Wim Remes (maltego me)
BruCON (http://www.brucon.org): 22-23 September (training), 24-25 September (conference)
Excaliburcon (http://www.newcamelotcouncil.com): 2010 CFP to be announced soon
Eurotrash Security: http://www.eurotrashsecurity.eu, http://www.twitter.com/eurotrashsec
OSSEC
• Daniel Cid
• 2005
• Third Brigade
• Trend Micro
• GPL v3
Agenda
• Log Management
• OSSEC Features
• OSSEC Architecture
• Log Analysis with OSSEC
• Conclusion
Log Management: so easy the kid can do it ...
Sources? (diagram: users, applications and systems all produce logs)
Reasons (pie chart, 2% / 98%): because we have to :-( versus because we want to :-D
Drivers: ISO 27K, PCI-DSS, HIPAA, SOX
Standards?
• Syslog
  • 2001, RFC 3164
  • The non-standard standard
• WELF, CBE, CEF
  • Proprietary
  • We know what happens then ...
• IDMF
  • Academic
  • Complex
What do we need?
• Taxonomy
• Syntax
• Transport
• Recommendations
OSSEC features
Log Analysis
Integrity Control
Rootkit Detection
OSSEC Architecture (diagram)
• Agent: logcollector
• Server: ossec-analysisd, ossec-maild, ossec-execd
• Agent to server transport: zlib compressed, blowfish encrypted, UDP 1514
• Privilege separation: the daemons run in separate chroot jails, with one component marked (root)
OSSEC Architecture (diagram): one server (SRV) receiving from many clients and log sources: firewall, switch, router, IDS, database, App1, App2, virtualization
I can haz rules?
Log Analysis with OSSEC
• predecoding
• decoding
• analysis
Predecoding
• Log line: Feb 24 10:12:23 beijing appdaemon: user john logged in from 10.10.10.10
• Decoder:
    <decoder name="appdaemon">
      <program_name>appdaemon</program_name>
    </decoder>
• Result: time/date: Feb 24 10:12:23, hostname: beijing, program_name: appdaemon, log: user john logged in from 10.10.10.10
Predecoding
• Log line: Feb 24 10:12:23 beijing switch: appdaemon quit unexpectedly
• Decoder:
    <decoder name="pam">
      <program_name></program_name>
      <prematch>^appdaemon</prematch>
    </decoder>
• Result: time/date: Feb 24 10:12:23, hostname: beijing, program_name: switch, log: appdaemon quit unexpectedly
Decoding
• Log line: Feb 24 10:12:23 beijing appdaemon: user john logged in from 10.10.10.10
• Decoder:
    <decoder name="appdaemon-login">
      <parent>appdaemon</parent>
      <prematch>^user </prematch>
      <after_prematch>(\S+) logged in from (\S+)</after_prematch>
      <order>user,srcip</order>
    </decoder>
• Result: time/date: Feb 24 10:12:23, hostname: beijing, program_name: appdaemon, user: john, srcip: 10.10.10.10, log: user john logged in from 10.10.10.10
Analysis
• Log line: Feb 24 10:12:23 beijing appdaemon: user john logged in from 10.10.10.10
• Rules:
    <rule id="10001" level="3">
      <decoded_as>appdaemon</decoded_as>
      <match>logged in</match>
      <description>Successful login</description>
    </rule>
    <rule id="10002" level="7">
      <if_sid>10001</if_sid>
      <user>!John</user>
      <description>Ok, this was not John !!</description>
    </rule>
    <rule id="10003" level="7">
      <if_sid>10001</if_sid>
      <srcip>!10.10.10.0/24</srcip>
      <description>login from unauthorized network!!</description>
    </rule>
Analysis: The Rule Tree (diagram: a tree rooted at rule 10001, with rules 10002 through 10008 hanging off their if_sid parents and an ACTION leaf)
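The three stages above, as an added example that is not code from the talk or from OSSEC: a miniature predecode, decode and analyse pipeline in the spirit of ossec-analysisd, run over constructed syslog lines. The Decoder and Rule objects stand in for the XML on the slides, decoder patterns are written as Python `re` rather than os_regex, and the rule tree is walked so that a child rule (if_sid) can only fire after its parent did. The user name is kept lowercase "john" so the rule matches what the decoder extracts.

```python
"""Added example, not code from the talk or from OSSEC: a miniature
predecode -> decode -> analyse pipeline in the spirit of ossec-analysisd, run
over constructed syslog lines. The Decoder and Rule objects stand in for the
XML on the slides; decoder patterns are Python `re`, not os_regex."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Stage 1, predecoding: split the RFC 3164 style header off the message body.
SYSLOG_HDR = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
                        r"(?P<host>\S+) (?P<prog>[^:\s]+): ?(?P<log>.*)$")

def predecode(line: str) -> Optional[dict]:
    m = SYSLOG_HDR.match(line)
    if not m:
        return None
    return {"timestamp": m["ts"], "hostname": m["host"],
            "program_name": m["prog"], "log": m["log"], "decoder": None}

@dataclass
class Decoder:
    name: str
    program_name: Optional[str] = None    # parent decoders select on the syslog program name
    parent: Optional[str] = None          # children refine a parent
    prematch: Optional[str] = None        # anchored pattern that selects the child
    after_prematch: Optional[str] = None  # applied to the text after the prematch
    order: List[str] = field(default_factory=list)  # field names for the capture groups

# Stage 2, decoding: a parent decoder claims the event, the first matching child extracts fields.
def decode(event: dict, decoders: List[Decoder]) -> dict:
    parent = next((d for d in decoders if d.parent is None
                   and d.program_name == event["program_name"]), None)
    if parent is None:
        return event
    event["decoder"] = parent.name  # <decoded_as> in rules refers to the parent name
    for child in (d for d in decoders if d.parent == parent.name):
        pm = re.match(child.prematch, event["log"])
        m = pm and re.match(child.after_prematch, event["log"][pm.end():])
        if m:
            event.update(zip(child.order, m.groups()))
            break
    return event

@dataclass
class Rule:
    id: int
    level: int
    description: str
    decoded_as: Optional[str] = None
    match: Optional[str] = None   # os_match style substring test
    if_sid: Optional[int] = None  # parent rule in the tree
    user: Optional[str] = None    # leading "!" negates, as on the slide
    srcip: Optional[str] = None   # CIDR; leading "!" negates

def _field_ok(spec: Optional[str], value: Optional[str], cidr: bool = False) -> bool:
    if spec is None:
        return True    # the rule does not constrain this field
    if value is None:
        return False   # the decoder did not extract it, so the rule cannot apply
    negate, want = spec.startswith("!"), spec.lstrip("!")
    hit = (ipaddress.ip_address(value) in ipaddress.ip_network(want, strict=False)
           if cidr else value == want)
    return hit != negate

# Stage 3, analysis: walk the rule tree; a child fires only after its if_sid parent fired.
def analyse(event: dict, rules: List[Rule]):
    """Returns (alert, fired_ids); alert is the highest-level matching rule or None."""
    fired: List[Rule] = []
    for r in rules:
        if r.if_sid is not None and all(f.id != r.if_sid for f in fired):
            continue
        if r.decoded_as and event["decoder"] != r.decoded_as:
            continue
        if r.match and r.match not in event["log"]:
            continue
        if not _field_ok(r.user, event.get("user")):
            continue
        if not _field_ok(r.srcip, event.get("srcip"), cidr=True):
            continue
        fired.append(r)
    alert = max(fired, key=lambda r: r.level) if fired else None
    return alert, [r.id for r in fired]

# Constructed decoders and rules mirroring the slide (user "john" kept lowercase).
DECODERS = [
    Decoder("appdaemon", program_name="appdaemon"),
    Decoder("appdaemon-login", parent="appdaemon", prematch=r"^user ",
            after_prematch=r"(\S+) logged in from (\S+)", order=["user", "srcip"]),
]
RULES = [
    Rule(10001, 3, "Successful login", decoded_as="appdaemon", match="logged in"),
    Rule(10002, 7, "Ok, this was not john!!", if_sid=10001, user="!john"),
    Rule(10003, 7, "login from unauthorized network!!", if_sid=10001, srcip="!10.10.10.0/24"),
]

def process(line: str):
    """Whole pipeline for one line: returns (event, (alert, fired_ids))."""
    event = predecode(line)
    if event is None:
        return None, (None, [])
    decode(event, DECODERS)
    return event, analyse(event, RULES)
```

Running `process()` on the slide's login line fires only 10001 (level 3); a constructed line for user "mallory" from 192.0.2.7 fires 10001, 10002 and 10003 and the alert is raised to level 7; the "switch: appdaemon quit unexpectedly" line is predecoded with program_name "switch", matches no decoder, and therefore no rule.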
Advanced rule building
os_regex library (fast, not full regex)
• \w -> A-Z, a-z, 0-9 characters
• \d -> 0-9 characters
• \s -> spaces " "
• \t -> tabs
• \p -> ()*+,-.:;<=>?[] (punctuation characters)
• \W -> anything not \w
• \D -> anything not \d
• \S -> anything not \s
• \. -> anything
• + -> match one or more times (eg \w+ or \d+)
• * -> match zero or more times (eg \w* or \p*)
• ^ -> the beginning of the text
• $ -> the end of the text
• | -> an "OR" between multiple patterns
Used in: <regex> (rules), <regex> and <prematch> (decoders), <if_matched_regex> (rules)
Advanced rule building
os_match library (more limited, faster)
• ^ -> the beginning of the text
• $ -> the end of the text
• | -> an "OR" between multiple patterns
Used in (rules only!): <match>, <user>, <url>, <id>, <status>, <hostname>, <program_name>, <srcport>, <dstport>
Use this whenever possible! It beats the <regex> tag.
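To test decoder and rule patterns offline, here is an added example (my own code, not the talk's and not the os_regex library itself) that translates the os_regex mini-syntax listed above into a Python `re` pattern, and implements the smaller os_match subset beside it. It follows the slide's definitions literally: `\s` is the space character only, unescaped characters are literals, `^` and `$` anchor to the whole text, which is why `^user$` does not match "user john ..." while `^user` does.

```python
r"""Added example, not code from the talk or from OSSEC: translate the os_regex
mini-syntax from the slide into Python `re`, plus the os_match subset used by
<match>. Semantics follow the slide: \s is the space only, unescaped characters
are literal, ^ and $ anchor to the whole text, | separates alternatives."""
import re
from typing import Optional, Tuple

# One os_regex escape -> one Python character class; "\." means anything.
OS_REGEX_CLASSES = {
    "w": "[A-Za-z0-9]", "d": "[0-9]", "s": " ", "t": "\t",
    "p": r"[()*+,\-.:;<=>?\[\]]", "W": "[^A-Za-z0-9]", "D": "[^0-9]",
    "S": "[^ ]", ".": ".",
}
OS_REGEX_META = set("()+*^$|")  # same meaning in both syntaxes, passed through

def os_regex_to_python(pattern: str) -> str:
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in OS_REGEX_CLASSES:
            out.append(OS_REGEX_CLASSES[pattern[i + 1]])
            i += 2
        elif ch in OS_REGEX_META:
            out.append(ch)
            i += 1
        else:
            out.append(re.escape(ch))  # everything else is a literal in os_regex
            i += 1
    return "".join(out)

def os_regex(pattern: str, text: str) -> Optional[Tuple[str, ...]]:
    """Unanchored search; returns the captured groups on a match, else None."""
    m = re.search(os_regex_to_python(pattern), text)
    return m.groups() if m else None

def os_match(pattern: str, text: str) -> bool:
    """os_match: a plain substring test where only ^, $ and | are special."""
    for alt in pattern.split("|"):
        head, tail = alt.startswith("^"), alt.endswith("$")
        lit = alt[1 if head else 0: len(alt) - 1 if tail else len(alt)]
        if head and tail:
            ok = text == lit
        elif head:
            ok = text.startswith(lit)
        elif tail:
            ok = text.endswith(lit)
        else:
            ok = lit in text
        if ok:
            return True
    return False
```

A practical use is to try a `<regex>` candidate against a few real log lines with `os_regex()` before loading it into the rule set, and to check with `os_match()` whether a cheaper `<match>` would already do the job.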
Integrity Checking
ossec.conf:
    <syscheck>
      <!-- Frequency that syscheck is executed - default to every 22 hours -->
      <frequency>79200</frequency>
      <!-- Directories to check (perform all possible verifications) -->
      <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
      <directories check_all="yes">/bin,/sbin</directories>
      <!-- Files/directories to ignore -->
      <ignore>/etc/mtab</ignore>
      <ignore>/etc/mnttab</ignore>
    </syscheck>
ossec_rules.xml:
    <rule id="550" level="7">
      <category>ossec</category>
      <decoded_as>syscheck_integrity_changed</decoded_as>
      <description>Integrity checksum changed.</description>
      <group>syscheck,</group>
    </rule>
    <rule id="551" level="7">
      <category>ossec</category>
      <decoded_as>syscheck_integrity_changed_2nd</decoded_as>
      <description>Integrity checksum changed again (2nd time).</description>
      <group>syscheck,</group>
    </rule>
    <rule id="552" level="7">
      <category>ossec</category>
      <decoded_as>syscheck_integrity_changed_3rd</decoded_as>
      <description>Integrity checksum changed again (3rd time).</description>
      <group>syscheck,</group>
    </rule>
    ...
syscheck commands:
• /var/ossec/bin/syscheck_update -a
• /var/ossec/bin/syscheck_control -l
• /var/ossec/bin/syscheck_control -i [agentid]
• /var/ossec/bin/syscheck_control -i [agentid] -f [filename]
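To show what the syscheck configuration and the 550/551/552 rules amount to in practice, here is an added example (my own code, not the talk's and not OSSEC's syscheck) of a minimal integrity checker: it baselines the files below the configured directories, skips an ignore list like the /etc/mtab entry above, and escalates repeated changes to the same file through rule ids 550, 551 and 552. One assumption is labelled in the code: after alerting, the new checksum is stored, so a further edit counts as the next change, and the 3rd-time rule is reused for every change after the third.

```python
"""Added example, not code from the talk or from OSSEC: a minimal syscheck-style
integrity checker with an ignore list and the 550/551/552 escalation from
ossec_rules.xml. Assumption: after an alert the new checksum is stored, so the
next edit counts as the next change; changes past the third reuse rule 552."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Tuple

Entry = Tuple[int, str]  # (size, sha256)

def hash_tree(roots: Iterable[str], ignore: Iterable[str] = ()) -> Dict[str, Entry]:
    """Map every regular file below the roots to (size, sha256), skipping ignored paths."""
    skip, db = set(ignore), {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if path in skip or os.path.islink(path):
                    continue
                with open(path, "rb") as fh:
                    db[path] = (os.path.getsize(path), hashlib.sha256(fh.read()).hexdigest())
    return db

# (rule id, level, description) for the 1st, 2nd and 3rd change, as on the slide.
CHANGE_RULES = {
    1: (550, 7, "Integrity checksum changed."),
    2: (551, 7, "Integrity checksum changed again (2nd time)."),
    3: (552, 7, "Integrity checksum changed again (3rd time)."),
}

class Syscheck:
    def __init__(self, directories: List[str], ignore: Iterable[str] = ()):
        self.directories, self.ignore = directories, list(ignore)
        self.db = hash_tree(directories, self.ignore)   # the baseline
        self.changes: Dict[str, int] = {}               # path -> number of changes seen

    def scan(self) -> List[Tuple[int, int, str, str]]:
        """One run: returns (rule_id, level, path, description) per changed file."""
        alerts = []
        current = hash_tree(self.directories, self.ignore)
        for path, entry in current.items():
            if path in self.db and self.db[path] != entry:
                n = min(self.changes.get(path, 0) + 1, 3)  # assumption: cap at the 3rd-time rule
                self.changes[path] = n
                rule_id, level, desc = CHANGE_RULES[n]
                alerts.append((rule_id, level, path, desc))
        self.db = current  # assumption: store the new checksums after alerting
        return alerts

def demo() -> List[int]:
    """Constructed run in a temp dir: two edits to hosts, edits to the ignored mtab."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = os.path.join(tmp, "etc")
        os.mkdir(etc)
        hosts, mtab = os.path.join(etc, "hosts"), os.path.join(etc, "mtab")
        for path in (hosts, mtab):
            with open(path, "w") as fh:
                fh.write("baseline\n")
        checker = Syscheck([etc], ignore=[mtab])
        fired = []
        for i in range(2):
            with open(hosts, "a") as fh:
                fh.write(f"edit {i}\n")
            with open(mtab, "a") as fh:
                fh.write("remount\n")  # ignored file: must not alert
            fired += [alert[0] for alert in checker.scan()]
        fired += [alert[0] for alert in checker.scan()]  # nothing changed: no alert
        return fired
```

`demo()` returns `[550, 551]`: the first edit of hosts raises rule 550, the second raises 551, the edits to the ignored mtab raise nothing, and a scan with no changes is silent. Tuning the ignore list is exactly where the "tuning never stops" point from the conclusion bites: too little and frequently rewritten files flood the alerts, too much and a real change is missed.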
Management commands
• /var/ossec/manage_agents (run on the server and on the agent)
• /var/ossec/agent_control -lc
• /var/ossec/agent_control -i [agentid]
• /var/ossec/agent_control -r -a
• /var/ossec/agent_control -R [agentid]
• /var/ossec/agent_control -r -u [agentid]
Conclusion
• Nobody knows your system/application as well as you
• OSSEC is a mature starting point for your log management needs
• Tuning rules never stops!
Questions?
http://www.ossec.net
Thank [email protected]
(all pictures = creative commons)