Fosdem10

OSSEC Know More, Protect Better

description

These are the slides of my talk on OSSEC at FOSDEM '10 in Brussels, Belgium. http://www.fosdem.org

Transcript of Fosdem10

Page 1: Fosdem10

OSSEC

Know More, Protect Better

Page 2: Fosdem10

Wim Remes (maltego me)

Page 3: Fosdem10

22-23 September (training)

24-25 September (conference)

http://www.brucon.org

Page 6: Fosdem10

OSSEC

• Daniel Cid

• 2005

• Third Brigade

• Trend Micro

• GPL v3

Page 7: Fosdem10

Agenda

Log Management

OSSEC Features

OSSEC Architecture

Log Analysis with OSSEC

Conclusion

Page 8: Fosdem10

Log Management

so easy the kid can do it ...

Page 9: Fosdem10

Sources?

(diagram: users, applications and systems as log sources)

Page 10: Fosdem10

Reasons

(chart: 2% / 98% -- "Because we have to :-(" versus "Because we want to :-D"; compliance drivers named: ISO 27K, PCI-DSS, HIPAA, SOX)

Page 11: Fosdem10

Standards?

• Syslog

• 2001, RFC 3164

• The non-standard standard

• WELF, CBE, CEF

• Proprietary

• We know what happens then ...

• IDMF

• Academic

• Complex

Page 12: Fosdem10

What do we need ?

• Taxonomy

• Syntax

• Transport

• Recommendations

Page 13: Fosdem10

Common Event Expression

http://cee.mitre.org

Page 14: Fosdem10

OSSEC features

Page 15: Fosdem10

OSSEC features

Log Analysis

Integrity Control

Rootkit Detection

Page 16: Fosdem10

OSSEC architecture

Page 17: Fosdem10

OSSEC Architecture

(diagram: the Agent runs logcollector; the Server runs ossec-analysisd, ossec-maild and ossec-execd; agent-to-server traffic is zlib compressed, blowfish encrypted, UDP 1514; the diagram marks one component as running as root and the others as chroot)

Page 18: Fosdem10

OSSEC Architecture

(diagram: one SRV serving many Clients; log sources feeding it: Firewall, Switch, Router, IDS, Database, App1, App2, Virtualization)

Page 19: Fosdem10

I can haz rules ?

Page 20: Fosdem10

Log Analysis with OSSEC

Page 21: Fosdem10

Log Analysis with OSSEC

predecoding

decoding

analysis

Page 22: Fosdem10

Predecoding

• Feb 24 10:12:23 beijing appdaemon: user john logged in from 10.10.10.10

• <decoder name="appdaemon">
    <program_name>appdaemon</program_name>
  </decoder>

time/date : Feb 24 10:12:23
Hostname : beijing
Program_name : appdaemon
Log : user john logged in from 10.10.10.10

Page 23: Fosdem10

Predecoding

• Feb 24 10:12:23 beijing switch: appdaemon quit unexpectedly

• <decoder name="pam">
    <program_name></program_name>
    <prematch>^appdaemon</prematch>
  </decoder>

time/date : Feb 24 10:12:23
Hostname : beijing
Program_name : switch
Log : appdaemon quit unexpectedly

Page 24: Fosdem10

Decoding

• Feb 24 10:12:23 beijing appdaemon: user john logged in from 10.10.10.10

• <decoder name="appdaemon-login">
    <parent>appdaemon</parent>
    <prematch>^user</prematch>
    <after_prematch>(\S+) logged in from (\S+)</after_prematch>
    <order>user,srcip</order>
  </decoder>

time/date : Feb 24 10:12:23
Hostname : beijing
Program_name : appdaemon
user : John
srcip : 10.10.10.10
Log : user john logged in from 10.10.10.10

Page 25: Fosdem10

Analysis

• Feb 24 10:12:23 beijing appdaemon: user john logged in from 10.10.10.10

• <rule id="10001" level="3">
    <decoded_as>appdaemon</decoded_as>
    <match>logged in</match>
    <description>Successful login</description>
  </rule>

• <rule id="10002" level="7">
    <if_sid>10001</if_sid>
    <user>!John</user>
    <description>Ok, this was not John !!</description>
  </rule>

• <rule id="10003" level="7">
    <if_sid>10001</if_sid>
    <srcip>!10.10.10.0/24</srcip>
    <description>login from unauthorized network!!</description>
  </rule>

Page 26: Fosdem10

Analysis: The Rule Tree

(diagram: rules 10001 through 10008 drawn as a tree, with 10001 at the root and the leaves ending in ACTION)

Page 27: Fosdem10

Advanced rule building

os_regex library (fast, not full regex)

\w -> A-Z, a-z, 0-9 characters
\d -> 0-9 characters
\s -> For spaces " "
\t -> For tabs
\p -> ()*+,-.:;<=>?[] (punctuation characters)
\W -> For anything not \w
\D -> For anything not \d
\S -> For anything not \s
\. -> For anything

+ -> To match one or more times (eg \w+ or \d+)
* -> To match zero or more times (eg \w* or \p*)

^ -> To specify the beginning of the text.
$ -> To specify the end of the text.
| -> To create an "OR" between multiple patterns.

<regex> </regex> (in rules)
<regex> </regex> (in decoders)
<prematch> </prematch> (in decoders)
<if_matched_regex> </if_matched_regex> (in rules)

Page 28: Fosdem10

Advanced rule building

os_match library (more limited, faster)

^ -> To specify the beginning of the text.
$ -> To specify the end of the text.
| -> To create an "OR" between multiple patterns.

(rules only!)
<match> </match>
<user> </user>
<url> </url>
<id> </id>
<status> </status>
<hostname> </hostname>
<program_name> </program_name>
<srcport> </srcport>
<dstport> </dstport>

use this whenever possible! it beats the <regex> tag
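The following is an added example, not code from the slides or from OSSEC itself. It walks a syslog line through the three stages of pages 21-25 (predecoding, decoding, analysis) using a small translation of the os_regex escapes from page 27 and the os_match rules from page 28 into Python. The decoder and rule names copy the slides; the sample log lines, the syslog header regex and the helper names are constructed for this example, and rule 10002 uses lowercase "john" so it agrees with what the decoder extracts.

```python
import ipaddress
import re
# Added example, not OSSEC code: a miniature of the predecode -> decode ->
# analyse pipeline (pages 22-25), driven by the os_regex (page 27) and
# os_match (page 28) syntax translated into Python.  Decoder and rule names
# copy the slides; the sample log lines are constructed.

_OS_REGEX_MAP = {  # os_regex escapes -> Python regex fragments
    r"\w": "[A-Za-z0-9]", r"\d": "[0-9]", r"\s": " ", r"\t": "\t",
    r"\p": r"[()*+,\-.:;<=>?\[\]]", r"\W": "[^A-Za-z0-9]",
    r"\D": "[^0-9]", r"\S": "[^ ]", r"\.": ".",
}

def os_regex_to_python(pattern):
    """Translate the os_regex subset on the slide into a Python regex."""
    out, i = [], 0
    while i < len(pattern):
        esc = pattern[i:i + 2]
        if esc in _OS_REGEX_MAP:                  # two-character escape
            out.append(_OS_REGEX_MAP[esc])
        elif pattern[i] in "^$|+*()":             # anchors, OR, repeats, groups
            out.append(pattern[i])
        else:                                     # anything else is literal
            out.append(re.escape(pattern[i]))
        i += 2 if esc in _OS_REGEX_MAP else 1
    return "".join(out)

def os_match(pattern, text):  # os_match: plain substrings, only ^ $ | special
    for alt in pattern.split("|"):
        body, head, tail = alt.strip("^$"), alt.startswith("^"), alt.endswith("$")
        if (text == body if head and tail else text.startswith(body) if head
                else text.endswith(body) if tail else body in text):
            return True
    return False

# Predecoding: peel the syslog header off, leaving the bare message in "log".
_SYSLOG = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^:\s]+): ?(.*)$")

def predecode(line):
    m = _SYSLOG.match(line)
    return None if not m else {"timestamp": m.group(1), "hostname": m.group(2),
                               "program_name": m.group(3), "log": m.group(4)}

DECODERS = [
    {"name": "appdaemon", "program_name": "appdaemon"},
    {"name": "appdaemon-login", "parent": "appdaemon", "prematch": "^user",
     "after_prematch": r"(\S+) logged in from (\S+)", "order": ["user", "srcip"]},
]

def decode(event):
    """Select the parent decoder by program_name, then let a child pull fields."""
    for d in DECODERS:
        if "parent" not in d and d.get("program_name") == event["program_name"]:
            event["decoder"] = d["name"]
            break
    else:
        return event                               # no decoder: stays undecoded
    for d in DECODERS:
        if d.get("parent") != event["decoder"]:
            continue
        pre = re.search(os_regex_to_python(d["prematch"]), event["log"])
        post = pre and re.search(os_regex_to_python(d["after_prematch"]),
                                 event["log"][pre.end():])
        if post:                                   # <order> names the captured groups
            event.update(zip(d["order"], post.groups()))
            break
    return event

RULES = [  # rule 10002 uses lowercase "john" because os_match is case sensitive
    {"id": 10001, "level": 3, "decoded_as": "appdaemon", "match": "logged in",
     "description": "Successful login"},
    {"id": 10002, "level": 7, "if_sid": 10001, "user": "!john",
     "description": "Ok, this was not John !!"},
    {"id": 10003, "level": 7, "if_sid": 10001, "srcip": "!10.10.10.0/24",
     "description": "login from unauthorized network!!"},
]

def _field_ok(spec, value):
    """'!' negates; a srcip spec may be a CIDR block; a missing field never matches."""
    if value is None:
        return False
    negate, want = spec.startswith("!"), spec.lstrip("!")
    hit = (ipaddress.ip_address(value) in ipaddress.ip_network(want, strict=False)
           if "/" in want else value == want)
    return hit != negate

def analyse(event):
    """Walk the rules in order; a child fires only if its if_sid parent did."""
    fired = []
    for r in RULES:
        checks = [
            "if_sid" not in r or r["if_sid"] in [f["id"] for f in fired],
            "decoded_as" not in r or r["decoded_as"] == event.get("decoder"),
            "match" not in r or os_match(r["match"], event["log"]),
            *(_field_ok(r[k], event.get(k)) for k in ("user", "srcip") if k in r),
        ]
        if all(checks):
            fired.append(r)
    return max(fired, key=lambda r: r["level"]) if fired else None

def process(line):
    """Full pipeline: the highest-level rule that fired for the line, or None."""
    event = predecode(line)
    return analyse(decode(event)) if event else None
```

Feeding the slide's own line through `process()` yields rule 10001 (level 3): john from 10.10.10.10 satisfies neither negated child. A login by another user or from outside 10.10.10.0/24 escalates to level 7, and the page-23 line from program "switch" never reaches rule 10001 because no decoder claimed it, which is exactly the effect of `<decoded_as>`.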

Page 29: Fosdem10

Integrity Checking

Page 30: Fosdem10

ossec.conf

<syscheck>
  <!-- Frequency that syscheck is executed - default to every 22 hours -->
  <frequency>79200</frequency>

  <!-- Directories to check (perform all possible verifications) -->
  <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>

  <!-- Files/directories to ignore -->
  <ignore>/etc/mtab</ignore>
  <ignore>/etc/mnttab</ignore>
</syscheck>

Page 31: Fosdem10

<rule id="550" level="7">
  <category>ossec</category>
  <decoded_as>syscheck_integrity_changed</decoded_as>
  <description>Integrity checksum changed.</description>
  <group>syscheck,</group>
</rule>

<rule id="551" level="7">
  <category>ossec</category>
  <decoded_as>syscheck_integrity_changed_2nd</decoded_as>
  <description>Integrity checksum changed again (2nd time).</description>
  <group>syscheck,</group>
</rule>

<rule id="552" level="7">
  <category>ossec</category>
  <decoded_as>syscheck_integrity_changed_3rd</decoded_as>
  <description>Integrity checksum changed again (3rd time).</description>
  <group>syscheck,</group>
</rule>

...

ossec_rules.xml
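To make the syscheck configuration and the 550/551/552 escalation concrete, here is an added example, not OSSEC's syscheck and not code from the slides. It hashes every file below a list of directories (the check_all idea), honours an ignore list, and counts how often each file has changed so the first, second and third change map to the three rule ids above. `demo()` builds its watched directory and files inside a temporary directory; the paths, the "passwd"/"mtab" names and the helper names are constructed for this example.

```python
import hashlib
import os
import tempfile

# Added example, not OSSEC's syscheck: a minimal file-integrity baseline in
# the spirit of the <syscheck> block and rules 550-552 above.  The directory
# and ignore lists mirror the slide's shape; demo() builds its paths in a
# temporary directory, so nothing here touches the real /etc.

def _digest(path):
    """SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan(directories, ignore=()):
    """Hash every regular file below the given directories (check_all-style)."""
    snapshot = {}
    for top in directories:
        for root, _dirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                if path in ignore or not os.path.isfile(path):  # <ignore>, non-regular
                    continue
                snapshot[path] = _digest(path)
    return snapshot

class IntegrityMonitor:
    """Keeps a baseline and escalates repeated changes of one file the way
    rules 550 -> 551 -> 552 do.  Changes after the third stay at 552 here;
    that cap is this example's choice, not something the slide states."""

    RULE_BY_COUNT = {1: (550, "Integrity checksum changed."),
                     2: (551, "Integrity checksum changed again (2nd time)."),
                     3: (552, "Integrity checksum changed again (3rd time).")}

    def __init__(self, directories, ignore=()):
        self.directories = list(directories)
        self.ignore = set(ignore)
        self.baseline = scan(self.directories, self.ignore)
        self.change_count = {}

    def check(self):
        """Rescan and return one (path, rule_id, description) per event."""
        current = scan(self.directories, self.ignore)
        events = []
        for path, digest in current.items():
            old = self.baseline.get(path)
            if old is None:
                events.append((path, None, "File added (no rule on the slide)."))
            elif old != digest:
                n = self.change_count.get(path, 0) + 1
                self.change_count[path] = n
                rule, text = self.RULE_BY_COUNT.get(n, self.RULE_BY_COUNT[3])
                events.append((path, rule, text))
        for path in set(self.baseline) - set(current):
            events.append((path, None, "File deleted (no rule on the slide)."))
        self.baseline = current      # the next check compares against now
        return events

def demo():
    """Constructed run: baseline a temp dir, change one file three times while
    appending to an ignored file, and return the rule ids that fired."""
    with tempfile.TemporaryDirectory() as tmp:
        watched = os.path.join(tmp, "etc")
        os.mkdir(watched)
        passwd, mtab = (os.path.join(watched, n) for n in ("passwd", "mtab"))
        for p in (passwd, mtab):
            with open(p, "w") as fh:
                fh.write("baseline\n")
        mon = IntegrityMonitor([watched], ignore=[mtab])
        fired = []
        for i in range(3):
            with open(passwd, "a") as fh:
                fh.write(f"change {i}\n")
            with open(mtab, "a") as fh:      # ignored: must never produce an event
                fh.write("mounted\n")
            fired.extend(rule for _path, rule, _text in mon.check())
        return fired

if __name__ == "__main__":
    print(demo())
```

The point of the ignore list is visible in `demo()`: the constantly rewritten "mtab" stand-in never produces an event, while three edits to the watched file produce 550, then 551, then 552, which is the escalation a rule author can hang further `<if_sid>` logic on.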

Page 32: Fosdem10

syscheck commands

/var/ossec/bin/syscheck_update -a
/var/ossec/bin/syscheck_control -l
/var/ossec/bin/syscheck_control -i [agentid]
/var/ossec/bin/syscheck_control -i [agentid] -f [filename]

Page 33: Fosdem10

Management

Page 34: Fosdem10

commands

/var/ossec/manage_agents
  > server
  > agent

/var/ossec/agent_control -lc
/var/ossec/agent_control -i [agentid]
/var/ossec/agent_control -r -a
/var/ossec/agent_control -R [agentid]
/var/ossec/agent_control -r -u [agentid]

Page 35: Fosdem10

Conclusion

Page 36: Fosdem10

Conclusion

nobody knows your system/application as well as you

OSSEC is a mature starting point for your log management needs

Tuning rules never stops!

Questions?

http://www.ossec.net

Page 37: Fosdem10

Thank [email protected]

(all pictures = creative commons)