Log Analysis using OSSEC
Daniel B. Cid
dcid@ossec.net
Copyright 2007 Daniel B. Cid
Agenda
OSSEC Overview
Installation demo
Writing decoders
Writing rules
We could even call it OSSEC LIDS, since some users only
use the log analysis side of OSSEC
Defining LIDS
Cheap to implement
http://www.ossec.net
Main tasks:
Log analysis
Active response
OSSEC is an Open Source Host-based Intrusion Detection System. It
performs log analysis, integrity checking, Windows registry
monitoring, Unix-based rootkit detection, real-time alerting and active
response.
Why OSSEC?
Easy to install
Secure by default
Unix Pam, sshd (OpenSSH), Solaris telnetd, Samba, Su, Sudo, Proftpd,
Pure-ftpd, vsftpd, Microsoft FTP server, Solaris ftpd, Imapd, Postfix,
Sendmail, vpopmail, Microsoft Exchange, Apache, IIS5, IIS6, Horde IMP,
Iptables, IPF, PF, Netscreen, Cisco PIX/ASA/FWSM, Snort, Cisco IOS,
Nmap, Symantec AV, Arpwatch, Named, Squid, Windows event logs, etc,
etc
Why OSSEC (2)?
External references:
Additional references:
http://www.ossec.net/wiki/index.php/IntheNews
Installing OSSEC
Two models:
Local (when you have just one system to monitor)
Agent/Server (client/server) for centralized analysis (recommended!)
Binaries at /var/ossec/bin/
Processes:
Compressed (zlib)
Hard worker!
Log pre-decoding
Log decoding
Log analysis
Example of alerts
Internal log flow
Extract any relevant information that you may use in the rules
sshd example:
Decoders guidelines
Order can be: id, srcip, dstip, srcport, dstport, url, action, status,
user, location, etc
vsftpd example:
Sun Mar 5 22:09:38 2006 [pid 21611] [dcid] OK LOGIN: Client "192.168.2.10"
<decoder name="vsftpd">
  <prematch>^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+] </prematch>
  <regex offset="after_prematch">Client "(\d+.\d+.\d+.\d+)"$</regex>
  <order>srcip</order>
</decoder>
Writing decoders
sshd example 2:
<decoder name="sshd">
  <program_name>^sshd</program_name>
</decoder>
<decoder name="sshd-success">
  <parent>sshd</parent>
  <prematch>^Accepted</prematch>
  <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port </regex>
  <order>user, srcip</order>
</decoder>
Writing decoders (2)
sshd example 3 (adds a third decoder to the two from example 2):
<decoder name="ssh-failed">
  <parent>sshd</parent>
  <prematch>^Failed \S+ </prematch>
  <regex offset="after_prematch">^for (\S+) from (\S+) port </regex>
  <order>user, srcip</order>
</decoder>
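On a real install the way to check decoders like these is to feed sample lines to /var/ossec/bin/ossec-logtest, which prints the pre-decoding and decoding phases for each line. The script below is an added example (mine, not part of the slides and not OSSEC code) that replays the sshd and vsftpd decoders exactly as written on these slides over a few constructed log lines. It uses a small approximation of OSSEC's own regex dialect (only + and * as quantifiers, literal brackets, \w/\d/\s/\S classes) and of the syslog pre-decoding that fills hostname and program_name; the class membership, the child-selection order of the engine and the sample lines are assumptions of this example. It also shows the gap a practitioner hits first with the slide's decoders: the ssh-failed regex cannot capture "Failed password for invalid user admin from ..." because two extra words sit between "for" and the user name, so a further child decoder (sshd-invfailed, my addition, modelled on the way OSSEC's shipped decoder.xml handles that form) is needed before srcip is available to the brute-force rule.

```python
import re

# Approximation of OSSEC's own regex dialect (OS_Regex), which is not PCRE: the
# only quantifiers are + and *, '[' and ']' are literal characters, '.' matches
# any character and \w also covers '@', '_' and '-'. The exact membership of
# each class is an assumption made for this example.
_CLASSES = {
    "w": r"[A-Za-z0-9@_\-]", "W": r"[^A-Za-z0-9@_\-]",
    "d": r"[0-9]", "D": r"[^0-9]", "s": r"\s", "S": r"\S", ".": r"\.",
}


def ossec_regex(pattern):
    """Translate a <prematch>/<regex> string into a compiled Python regex."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
            continue
        out.append(ch if ch in "()|^$+*." else re.escape(ch))
        i += 1
    return re.compile("".join(out))


# Pre-decoding: split a syslog header into hostname, program_name and the
# message proper. A line without that header (vsftpd writes its own log file)
# keeps the whole line as 'log' and gets no program_name.
_SYSLOG = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (?P<hostname>\S+) "
                     r"(?P<program_name>[^\s\[:]+)(?:\[\d+\])?: (?P<log>.*)$")


def predecode(line):
    m = _SYSLOG.match(line)
    return m.groupdict() if m else {"hostname": None, "program_name": None, "log": line}


# The four decoders from the slides, as dictionaries instead of XML.
SLIDE_DECODERS = [
    {"name": "sshd", "program_name": "^sshd"},
    {"name": "sshd-success", "parent": "sshd", "prematch": "^Accepted",
     "regex": r"^ \S+ for (\S+) from (\S+) port ", "order": ["user", "srcip"]},
    {"name": "ssh-failed", "parent": "sshd", "prematch": r"^Failed \S+ ",
     "regex": r"^for (\S+) from (\S+) port ", "order": ["user", "srcip"]},
    {"name": "vsftpd", "prematch": r"^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+] ",
     "regex": r'Client "(\d+.\d+.\d+.\d+)"$', "order": ["srcip"]},
]

# My addition, not on the slides: "Failed password for invalid user X from ..."
# has two extra words between 'for' and the user name, so ssh-failed's regex
# never captures it; a separate child decoder is needed for that form.
INVALID_USER_DECODER = {
    "name": "sshd-invfailed", "parent": "sshd",
    "prematch": r"^Failed \S+ for invalid user ",
    "regex": r"^(\S+) from (\S+) port ", "order": ["user", "srcip"]}


def _apply(dec, pre):
    """Run one decoder over a pre-decoded line: captured fields, or None."""
    if "program_name" in dec and not (
            pre["program_name"] and ossec_regex(dec["program_name"]).search(pre["program_name"])):
        return None
    log = pre["log"]
    if "prematch" in dec:
        m = ossec_regex(dec["prematch"]).search(log)
        if not m:
            return None
        log = log[m.end():]                      # offset="after_prematch"
    if "regex" not in dec:
        return {}
    m = ossec_regex(dec["regex"]).search(log)
    return dict(zip(dec["order"], m.groups())) if m else None


def decode(line, decoders):
    """Decoder name plus fields for a line, or None if no decoder matches.
    Assumed engine behaviour: parents are tried in file order; the first child
    whose prematch and regex both match supplies the fields."""
    pre = predecode(line)
    for dec in decoders:
        if "parent" in dec:
            continue
        fields = _apply(dec, pre)
        if fields is None:
            continue
        name = dec["name"]
        for child in (c for c in decoders if c.get("parent") == name):
            extra = _apply(child, pre)
            if extra is not None:
                name, fields = child["name"], dict(fields, **extra)
                break
        return dict(pre, decoder=name, **fields)
    return None


# Constructed sample lines; hosts, users and addresses are made up.
SAMPLE_LINES = [
    "Feb 21 05:37:52 enigma sshd[7235]: Accepted password for dcid from 192.168.2.190 port 40312 ssh2",
    "Feb 21 05:37:55 enigma sshd[7261]: Failed password for dcid from 10.0.0.5 port 4123 ssh2",
    "Feb 21 05:37:58 enigma sshd[7290]: Failed password for invalid user admin from 10.0.0.5 port 4129 ssh2",
    'Sun Mar  5 22:09:38 2006 [pid 21611] [dcid] OK LOGIN: Client "192.168.2.10"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(decode(line, SLIDE_DECODERS))
        print(decode(line, SLIDE_DECODERS + [INVALID_USER_DECODER]))
```

Running it shows the third line decoding only as plain "sshd" with no user or srcip under the slide's decoders, and as sshd-invfailed with both fields once the extra decoder is appended; the vsftpd line never gets a program_name, which is why that decoder has no <parent> and matches on <prematch> alone. Whatever the engine here says, confirm the real behaviour with ossec-logtest before relying on a field in a rule.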
Writing rules
User-defined XML
We will create one generic rule for all web logs
We use here the 'id' tag, which is also set by the decoder (for web logs it carries the HTTP status code)
<rule id="501" level="3">
  <decoded_as>web_log</decoded_as>
  <description>Generic rule for apache logs</description>
</rule>
<rule id="502" level="6">
  <if_sid>501</if_sid>
  <id>^4|^5</id>
  <description>Log with id 4xx or 5xx</description>
</rule>
Rule structure after ...
Composite rules
Add to local_rules.xml:
<rule id="100005" level="10">
  <if_group>authentication_success</if_group>
  <time>6 pm - 8:30 am</time>
  <description>Login during non-business hours.</description>
</rule>
Rules in real world (3)
Add to local_rules.xml:
<rule id="5712" level="10" frequency="20" overwrite="yes">
  <if_matched_sid>5710</if_matched_sid>
  <description>SSHD brute force trying to get access to </description>
  <description>the system.</description>
  <group>authentication_failures,</group>
</rule>
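To see how the rules on the last three slides interact, here is an added example (mine, not from the slides and not OSSEC code) that simulates the relevant part of ossec-analysisd's matching over constructed, already-decoded events: <if_sid>, <match>, <id> on the decoded id field, <if_group>, a <time> window that wraps past midnight, and <if_matched_sid> with frequency over a timeframe. It carries the three rules from the slides plus three base sshd rules simplified from OSSEC's own (5700 grouping sshd events, 5710 for "invalid user", 5715 for "Accepted"); the base rules' levels and groups, the 360 s default timeframe, the way frequency is counted and the rule-ordering semantics are all assumptions of this example, as are the hosts, addresses and timestamps.

```python
import re
from datetime import datetime, timedelta

# Rule set for this example: the three rules from the slides (501/502, the 5712
# override and 100005) plus three base sshd rules simplified from OSSEC's own
# (5700 groups sshd events, 5710 "invalid user", 5715 "Accepted"). The base
# rules' levels and groups are assumptions, not copied from sshd_rules.xml.
# "field_id" stands for the <id> tag, which tests the decoded 'id' field.
RULES = [
    {"id": 5700, "level": 0, "decoded_as": "sshd"},
    {"id": 5710, "level": 5, "if_sid": 5700, "match": "illegal user|invalid user",
     "group": "invalid_login,authentication_failed"},
    {"id": 5715, "level": 3, "if_sid": 5700, "match": "Accepted",
     "group": "authentication_success"},
    {"id": 501, "level": 3, "decoded_as": "web_log"},
    {"id": 502, "level": 6, "if_sid": 501, "field_id": "^4|^5"},
    {"id": 5712, "level": 10, "frequency": 20, "if_matched_sid": 5710,
     "group": "authentication_failures"},
    {"id": 100005, "level": 10, "if_group": "authentication_success",
     "time": "6 pm - 8:30 am"},
]
# Variant with <same_source_ip /> on 5712: the 20 failures must share a source.
STRICT_RULES = [dict(r, same_source_ip=True) if r["id"] == 5712 else r for r in RULES]


def ossec_match(expr, text):
    """<match>: plain substrings joined by '|' (OSSEC's match is not a regex)."""
    return any(alt in text for alt in expr.split("|"))


def _clock(text):
    for fmt in ("%I %p", "%I:%M %p", "%H:%M", "%H"):
        try:
            return datetime.strptime(text.strip(), fmt).time()
        except ValueError:
            continue
    raise ValueError("unsupported <time> value: " + text)


def in_time_window(window, ts):
    """<time>: 'start - end' wall-clock window; wraps past midnight if start > end."""
    start, end = (_clock(part) for part in window.split("-"))
    t = ts.time()
    return start <= t <= end if start <= end else (t >= start or t <= end)


class Analysisd:
    """Stand-in for ossec-analysisd matching. Assumed semantics: rules are tested
    in order, each matches an event at most once, the highest-level match is the
    alert, level 0 means ignore. frequency counts matches of the referenced rule
    inside the timeframe (current event included); the real engine also has an
    ignore time after a frequency rule fires, which is not modelled."""

    def __init__(self, rules, default_timeframe=360):
        self.rules, self.default_timeframe = rules, default_timeframe
        self.history = []           # (timestamp, rule id, srcip) for every match

    def _frequency_reached(self, rule, ev):
        window = timedelta(seconds=rule.get("timeframe", self.default_timeframe))
        hits = [h for h in self.history
                if h[1] == rule["if_matched_sid"] and ev["ts"] - h[0] <= window
                and (not rule.get("same_source_ip") or h[2] == ev.get("srcip"))]
        return len(hits) >= rule["frequency"]

    def process(self, ev):
        """Return the rule that alerts on one decoded event, or None."""
        matched, groups, alert = set(), set(), None
        for r in self.rules:
            parent = r.get("if_sid", r.get("if_matched_sid"))
            if parent is not None and parent not in matched:
                continue
            if "decoded_as" in r and ev.get("decoder") != r["decoded_as"]:
                continue
            if "match" in r and not ossec_match(r["match"], ev["log"]):
                continue
            if "field_id" in r and not re.search(r["field_id"], ev.get("id", "")):
                continue
            if "if_group" in r and r["if_group"] not in groups:
                continue
            if "time" in r and not in_time_window(r["time"], ev["ts"]):
                continue
            if "if_matched_sid" in r and not self._frequency_reached(r, ev):
                continue
            matched.add(r["id"])
            groups.update(g for g in r.get("group", "").split(",") if g)
            self.history.append((ev["ts"], r["id"], ev.get("srcip")))
            if alert is None or r["level"] >= alert["level"]:
                alert = r
        return alert if alert and alert["level"] > 0 else None


T0 = datetime(2007, 2, 21, 5, 37, 0)          # constructed timestamps


def _sshd(ts, log, srcip, user):
    return {"ts": ts, "decoder": "sshd", "log": log, "srcip": srcip, "user": user}


def brute_force(rules, attempts=20, same_ip=True):
    """Replay 'invalid user' failures 5 s apart; alerting rule id per event."""
    engine, fired = Analysisd(rules), []
    for i in range(attempts):
        ip = "203.0.113.5" if same_ip else "203.0.113.%d" % (10 + i)
        log = "Failed password for invalid user admin from %s port 4123 ssh2" % ip
        alert = engine.process(_sshd(T0 + timedelta(seconds=5 * i), log, ip, "admin"))
        fired.append(alert["id"] if alert else None)
    return fired


def login(hour, minute=0):
    """One successful login on 2007-02-21 at the given time; alerting rule id."""
    log = "Accepted password for dcid from 192.168.2.190 port 40312 ssh2"
    ev = _sshd(T0.replace(hour=hour, minute=minute), log, "192.168.2.190", "dcid")
    alert = Analysisd(RULES).process(ev)
    return alert["id"] if alert else None


def web_request(status):
    """One decoded Apache access-log event with the given status; alerting rule id."""
    ev = {"ts": T0, "decoder": "web_log", "id": status, "srcip": "10.1.1.1",
          "log": '10.1.1.1 - - [21/Feb/2007:05:37:00 +0000] "GET /admin HTTP/1.1" %s 512' % status}
    alert = Analysisd(RULES).process(ev)
    return alert["id"] if alert else None


if __name__ == "__main__":
    print(brute_force(RULES))                        # 19 x 5710, then 5712
    print(brute_force(STRICT_RULES, same_ip=False))  # 20 x 5710: no single source reaches 20
    print(login(23, 15), login(10))                  # 100005, 5715
    print(web_request("404"), web_request("200"))    # 502, 501
```

Two caveats the replay makes visible. As written on the slide, the overridden 5712 has no <same_source_ip />, so 20 failures spread over 20 hosts trip it exactly like 20 from one host; STRICT_RULES adds that tag (the stock 5712 carries it) and then only the single-source replay fires. Second, overwrite="yes" replaces the whole rule, so any tag you do not restate (timeframe, same_source_ip, ignore) is gone, and <decoded_as>web_log</decoded_as> only works if a decoder of that name exists and fills the id field, which is what <id>^4|^5</id> tests.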
LID Examples - Squid logs
Not only for SSHD, but also ftpd, imapd, webmails, etc
OSSEC HIDS Notification.
2007 Feb 21 05:37:5?
Received From: enigma->/var/log/authlog
Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
Feb 21 05:37:5? enigma sshd[7235]: Failed password for invalid user admin from 125.152.17.23? port ?21?? ssh2
Feb 21 05:37:5? enigma sshd[1?507]: Invalid user admin from 125.152.17.23?
Feb 21 05:37:5? enigma sshd[105??]: Failed password for invalid user admin from 125.152.17.23? port ?2132 ssh2
Feb 21 05:37:5? enigma sshd[11502]: Invalid user admin from 125.152.17.23?
LID Examples - Auth logs 2