Log Analysis using OSSEC
Daniel B. Cid
dcid@ossec.net
Copyright 2007 Daniel B. Cid
Agenda

- Defining LIDS (Log-Based IDS)
- OSSEC Overview
- Installation demo
- Log decoding and analysis with OSSEC
- Writing decoders
- Writing rules
- Examples of rules and alerts in the real world
Concepts

- OSSEC does security log analysis
  - It is not a log management tool
  - It only stores alerts, not every single log
  - I still recommend log management and long-term storage of ALL logs
- Security log analysis can be called LID(S)
  - Log-based Intrusion Detection System
  - We could even call it OSSEC LIDS, since some users only use the log analysis side of OSSEC
Defining LIDS

- Log-Based Intrusion Detection

Log analysis for intrusion detection is the process, or set of techniques, used to detect attacks on a specific environment using logs as the primary source of information.

LIDS is also used to detect computer misuse, policy violations and other forms of inappropriate activity.
LIDS Benefits

- Cheap to implement
  - OSSEC is free, for example
  - Does not require expensive hardware
- High visibility of encrypted protocols
  - SSHD and SSL traffic are good examples: the daemon logs what it decrypted, which a network IDS cannot see inside the encrypted stream
- Visibility of system activity (kernel, internal daemons, ...)
- Every application/system can be a part of it
  - They all have some kind of log!
  - Including firewalls, routers, web servers, applications, etc
What is OSSEC?

- Open Source Host-based IDS (HIDS)
  - http://www.ossec.net
- Main tasks:
  - Log analysis
  - File integrity checking (Unix and Windows)
  - Registry integrity checking (Windows)
  - Host-based anomaly detection (for Unix - rootkit detection)
  - Active response

OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, Windows registry monitoring, Unix-based rootkit detection, real-time alerting and active response.
Why OSSEC?

- Solves a real problem and does it well (log analysis)
- Free (as in cookies and speech)
- Easy to install
- Easy to customize (rules and config in XML format)
- Scalable (client/server architecture)
- Multi-platform (Windows, Solaris, Linux, *BSD, etc)
- Secure by default
- Comes with hundreds of decoders/rules out of the box:
  Unix PAM, sshd (OpenSSH), Solaris telnetd, Samba, Su, Sudo, Proftpd, Pure-ftpd, vsftpd, Microsoft FTP server, Solaris ftpd, Imapd, Postfix, Sendmail, vpopmail, Microsoft Exchange, Apache, IIS5, IIS6, Horde IMP, Iptables, IPF, PF, Netscreen, Cisco PIX/ASA/FWSM, Snort, Cisco IOS, Nmap, Symantec AV, Arpwatch, Named, Squid, Windows event logs, etc, etc
Why OSSEC (2)?

- External references:
  - OSSEC #1 open source security tool in the enterprise
    http://www.linuxworld.com/news/2007/031207-top-5-security.html
  - OSSEC #2 IDS tool in the security tools survey
    http://sectools.org/ids.html
- Additional references:
  http://www.ossec.net/wiki/index.php/IntheNews
Installing OSSEC

- Simple and easy
- Two models:
  - Local (when you have just one system to monitor)
  - Client/Server for centralized analysis (recommended!)
- Select the installation type and answer a few questions
- It will set up the appropriate permissions, create users, etc
- Installation demo (of the latest version, 1.2):

    # tar -zxvf ossec*.tar.gz
    # cd ossec*
    # ./install.sh
    ... (answer all questions)
    # /var/ossec/bin/ossec-control start    (after the install completed)
Understanding OSSEC

- OSSEC has two working models
  - Local (useful when you have only one system to monitor)
  - Agent/Server (recommended!)
- By default installed at /var/ossec
- Main configuration file at /var/ossec/etc/ossec.conf
- Decoders stored at /var/ossec/etc/decoders.xml
- Binaries at /var/ossec/bin/
- All rules at /var/ossec/rules/*.xml
- Alerts are stored at /var/ossec/logs/alerts.log
- Composed of multiple processes (all controlled by ossec-control)
Internal processes

- Remember "secure by default"?
  - The installation script does the chroot, user creation, permissions, etc
  - The user has no option to run it "less secure"
- Each process has limited privileges and tasks
  - Most of them run in a chroot
  - Most of them run as a separate unprivileged user
- Processes:
  - Analysisd - in chroot as user ossec
  - Remoted - in chroot as user ossecr
  - Maild - in chroot as user ossecm
  - Logcollector - as root, but it only reads the logs, no analysis
  - Agentd - in chroot as user ossec (agent only)
Internal processes (2)

- Each daemon has a very limited task:
  - Analysisd - does all the analysis (main process)
  - Remoted - receives remote logs from agents
  - Logcollector - reads log files (syslog, flat files, Windows event log, IIS, etc)
  - Agentd - forwards logs to the server
  - Maild - sends e-mail alerts
  - Execd - executes the active responses
  - Monitord - monitors agent status, compresses and signs log files, etc
- ossec-control manages the start and stop of all of them
Log flow (local)

- Generic log analysis flow breakdown (for OSSEC local)
  - Log collecting is done by ossec-logcollector
  - Analysis and decoding are done by ossec-analysisd
  - Alerting is done by ossec-maild
  - Active responses are done by ossec-execd

[Diagram, OSSEC Local: Collect (ossec-logcollector) -> Decode -> Analyze (ossec-analysisd) -> Alert (ossec-maild, ossec-execd)]
Log flow (agent/server)

- Generic log analysis flow for the client/server architecture
  - Log collecting is done by ossec-logcollector (on the agent)
  - Analysis and decoding are done by ossec-analysisd (on the server)
  - Alerting is done by ossec-maild
  - Active responses are done by ossec-execd

[Diagram: OSSEC Agent: Collect (ossec-logcollector) -> OSSEC Server: Decode -> Analyze (ossec-analysisd) -> Alert (ossec-maild, ossec-execd)]
Network communication

- Agent/Server network communication
  - Compressed (zlib)
  - Encrypted using pre-shared keys with Blowfish
  - By default uses UDP port 1514
  - Multi-platform (Windows, Solaris, Linux, etc)

[Diagram: Agent 1 (Agentd) and Agent 2 (Agentd) -> UDP port 1514 -> OSSEC Server (Remoted -> Analysisd); Syslog Device 1 -> OSSEC Server (Remoted)]

Note that the syslog device in the diagram sends plain UDP syslog to the server; that path gets none of the compression or encryption of the agent channel, so restrict which source addresses the server accepts syslog from.
Deep into Log Analysis

- Focus now on the main process (ossec-analysisd)
  - It does the log decoding and analysis
  - Hard worker!
- Log pre-decoding
- Log decoding
- Log analysis
- Example alerts
Internal log flow

- Log flow inside analysisd
- Three main parts:
  - Pre-decoding (extracts known fields, like time, etc)
  - Decoding (using user-defined expressions)
  - Signatures (using user-defined rules)

[Diagram, log flow inside analysisd: Log arrives -> Pre-decoding -> Decoding (user-defined decoders) -> Signatures (user-defined rules)]
Log pre-decoding (1)

- Extracts generic information from logs
  - Hostname, program name and time from the syslog header
  - Logs must be well formatted
- How does OSSEC do it?
  - The log comes in as:

    Apr 13 13:00:01 enigma syslogd: restart

  - What does it look like inside OSSEC?

    time/date -> Apr 13 13:00:01
    hostname -> enigma
    program_name -> syslogd
    log -> restart
Log pre-decoding (2)

- Pre-decoding of an SSHD message:
  - The log comes in as:

    Apr 14 17:32:06 enigma sshd[1025]: Accepted password for root from 192.168.2.190 port 1618 ssh2

  - What does it look like inside OSSEC after pre-decoding?

    time/date -> Apr 14 17:32:06
    hostname -> enigma
    program_name -> sshd
    log -> Accepted password for root from 192.168.2.190 port ...
Log pre-decoding (3)

- Pre-decoding of an ASL message (Mac users):
  - The log comes in as:

    [Time 2006.12.28 15:53:55 UTC] [Facility auth] [Sender sshd] [PID 483] [Message error: PAM: Authentication failure for username from 192.168.0.2] [Level 3] [UID -2] [GID -2] [Host mymac]

  - What does it look like inside OSSEC after pre-decoding?

    time/date -> Dec 28, 2006 15:53:55
    hostname -> mymac
    program_name -> sshd
    log -> error: PAM: Authentication failure for username from 192.168.0.2
Log decoding (1)

- The process of identifying key information in logs
- Most of the time you don't need to worry about it
  - OSSEC comes with hundreds of decoders by default
- Generally we want to extract the source IP, user name, id, etc
- User-defined list (XML) at decoders.xml
- Tree structure inside OSSEC
- What a log looks like after being decoded:

    Apr 14 17:32:06 enigma sshd[1025]: Accepted password for root from 192.168.2.190 port 1618 ssh2

    time/date -> Apr 14 17:32:06
    hostname -> enigma
    program_name -> sshd
    log -> Accepted password for root from 192.168.2.190 port ...
    srcip -> 192.168.2.190
    user -> root
Writing decoders 101

- Writing a decoder. What does it require?
  - Decoders are all stored at etc/decoders.xml
  - Choose a meaningful name so the decoder can be referenced in the rules
  - Extract any relevant information that you may use in the rules
- sshd example:
  - We want to extract the user name and source IP
  - If the program name was pre-decoded as sshd (remember pre-decoding?), try this regular expression:

    <decoder name="sshd-success">
      <program_name>sshd</program_name>
      <regex>^Accepted \S+ for (\S+) from (\S+) port </regex>
      <order>user, srcip</order>
    </decoder>
Writing decoders 102

- Decoder guidelines
  - Decoders must have either prematch or program_name
  - regex is used to extract the fields
  - order is used to specify what each extracted field means
  - order can be: id, srcip, dstip, srcport, dstport, url, action, status, user, location, etc
  - offset can be: "after_prematch" or "after_parent"
- vsftpd example:

    Sun Jun 4 22:08:39 2006 [pid 21611] [dcid] OK LOGIN: Client "192.168.2.10"

    <decoder name="vsftpd">
      <prematch>^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+] </prematch>
      <regex offset="after_prematch">Client "(\d+.\d+.\d+.\d+)"$</regex>
      <order>srcip</order>
    </decoder>
Writing decoders 103

- Grouping multiple decoders under one parent
  - Use the parent tag to specify the parent of the decoder
  - This creates a tree structure, where the sub-decoders are only evaluated if their parent matched.
- sshd example 2:

    <decoder name="sshd">
      <program_name>^sshd</program_name>
    </decoder>

    <decoder name="sshd-success">
      <parent>sshd</parent>
      <prematch>^Accepted</prematch>
      <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port </regex>
      <order>user, srcip</order>
    </decoder>
Writing decoders 103 (2)

- sshd example 3 (a second child under the same parent):

    <decoder name="sshd">
      <program_name>^sshd</program_name>
    </decoder>

    <decoder name="sshd-success">
      <parent>sshd</parent>
      <prematch>^Accepted</prematch>
      <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port </regex>
      <order>user, srcip</order>
    </decoder>

    <decoder name="sshd-failed">
      <parent>sshd</parent>
      <prematch>^Failed \S+ </prematch>
      <regex offset="after_prematch">^for (\S+) from (\S+) port </regex>
      <order>user, srcip</order>
    </decoder>
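The two pre-decoding slides and the decoder examples above fit together as one short pipeline. The following Python is an added example written for this page, not code from the slides or from OSSEC itself: it pre-decodes the syslog header into the same four fields shown earlier, then walks the sshd / sshd-success / sshd-failed decoder tree from this slide, applying prematch, regex with offset="after_prematch" and order the way the slides describe. Python's re module stands in for OSSEC's own regex dialect (for the \S+, \d+, \w and ^ constructs used here the two agree; that substitution is an assumption of the example). The first sample line is the one from the slides; the remaining lines, including the host wpor's IP address, are constructed.

```python
"""Model of ossec-analysisd's first two stages: syslog pre-decoding, then the
decoder tree. Added example for this page, not OSSEC's own code."""
import re
from typing import Optional

# Same tree as the slide: the parent matches on program_name, the children
# are only tried once the parent matched. Patterns are Python `re`, which
# agrees with OSSEC's dialect for the constructs used here (an assumption).
DECODERS = [
    {"name": "sshd", "program_name": r"^sshd"},
    {"name": "sshd-success", "parent": "sshd", "prematch": r"^Accepted",
     "regex": r"^ \S+ for (\S+) from (\S+) port ", "offset": "after_prematch",
     "order": ["user", "srcip"]},
    {"name": "sshd-failed", "parent": "sshd", "prematch": r"^Failed \S+ ",
     "regex": r"^for (\S+) from (\S+) port ", "offset": "after_prematch",
     "order": ["user", "srcip"]},
]

# "Mon DD HH:MM:SS host prog[pid]: message"; the [pid] part is optional.
SYSLOG_HDR = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[\d+\])?: (?P<log>.*)$")


def pre_decode(line: str) -> dict:
    """Extract time/date, hostname and program_name from the syslog header."""
    m = SYSLOG_HDR.match(line)
    if not m:
        # Not well formatted: nothing generic can be extracted, the whole line
        # becomes the message and program_name-based decoders will not match.
        return {"timestamp": None, "hostname": None, "program_name": None, "log": line}
    return {"timestamp": m["ts"], "hostname": m["host"],
            "program_name": m["prog"], "log": m["log"]}


def _apply(dec: dict, ev: dict) -> Optional[dict]:
    """Run one decoder against a pre-decoded event: fields dict, or None."""
    if "program_name" in dec and not (
            ev["program_name"] and re.search(dec["program_name"], ev["program_name"])):
        return None
    log, start = ev["log"], 0
    if "prematch" in dec:
        pm = re.search(dec["prematch"], log)
        if not pm:
            return None
        if dec.get("offset") == "after_prematch":
            start = pm.end()          # regex runs on what follows the prematch
    if "regex" not in dec:
        return {}
    rm = re.search(dec["regex"], log[start:])
    if not rm:
        return None
    return dict(zip(dec["order"], rm.groups()))   # order names the captures


def decode(ev: dict, decoders=DECODERS) -> dict:
    """Walk the tree: first matching parent, then its first matching child."""
    out = dict(ev, decoder=None)
    for parent in (d for d in decoders if "parent" not in d):
        fields = _apply(parent, ev)
        if fields is None:
            continue
        out["decoder"] = parent["name"]
        out.update(fields)
        for child in (d for d in decoders if d.get("parent") == parent["name"]):
            cf = _apply(child, ev)
            if cf is not None:
                out["decoder"] = child["name"]
                out.update(cf)
                break
        break
    return out


SAMPLE_LOGS = [   # first line is from the slides, the rest are constructed
    "Apr 14 17:32:06 enigma sshd[1025]: Accepted password for root from 192.168.2.190 port 1618 ssh2",
    "Feb 11 09:31:58 wpor sshd[4565]: Failed password for admin from 125.192.10.20 port 42976 ssh2",
    "Apr 13 13:00:01 enigma syslogd: restart",
    "not a syslog line at all",
]


def run(lines=SAMPLE_LOGS) -> list:
    return [decode(pre_decode(line)) for line in lines]


if __name__ == "__main__":
    for ev in run():
        print(ev["decoder"], ev["program_name"], ev.get("user"), ev.get("srcip"))
```

The fourth sample line shows the "logs must be well formatted" point from the pre-decoding slide: with no recognisable syslog header there is no program_name, so the sshd parent never matches and the line reaches the rules undecoded.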
Writing decoders 103 (3)

- Apache access log example:
  - We extract the srcip, id and url

    192.168.2.190 - - [18/Jan/2006:13:10:06 -0500] "GET /xxx.html HTTP/1.1" 200 1732

    <decoder name="web-accesslog">
      <type>web-log</type>
      <prematch>^\d+.\d+.\d+.\d+ </prematch>
      <regex>^(\d+.\d+.\d+.\d+) \S+ \S+ [\S+ \S\d+] </regex>
      <regex>"\w+ (\S+) HTTP\S+" (\d+) </regex>
      <order>srcip, url, id</order>
    </decoder>
Log rules (1)

- The next step after decoding is to check the rules
  - Internally stored in a tree structure
  - User-defined XML
  - Very easy to write!
- Rules match on the decoded information
  - Independent of the initial log format, because of the decoders
- OSSEC comes with more than 400 rules by default!
- Two types of rules:
  - Atomic (based on a single event)
  - Composite (based on patterns across multiple logs)
Writing your own rules 101

- Writing your first rule. What does it require?
  - A rule id (any integer)
  - A level - from 0 (lowest) to 15 (highest)
    - Level 0 is ignored, not alerted at all
  - A pattern - anything from "regex", to "srcip", "id", "user", etc
- First example (simple sshd rule)
  - If the log was decoded as sshd, fire rule 111

    <r​ule id="111" level="5">
      <decoded_as>sshd</decoded_as>
      <description>Logging every decoded sshd message</description>
    </rule>
Writing your own rules 102

- Second rule, for failed sshd messages
  - We will create a second rule, dependent on the first
  - Higher severity (level 7)
  - Will only be evaluated if the first one matches (if_sid)
  - Match is a simple pattern match (looking for "Failed password")

    <rule id="111" level="5">
      <decoded_as>sshd</decoded_as>
      <description>Logging every decoded sshd message</description>
    </rule>

    <rule id="122" level="7">
      <if_sid>111</if_sid>
      <match>^Failed password</match>
      <description>Failed password attempt</description>
    </rule>
Writing your own rules 103

- Using additional rule options
  - We will create a third rule, dependent on the second
  - Will only be evaluated if the second one matches!
  - Checks whether the hostname was decoded as mainserver
  - Checks whether the decoded IP address is outside the network (the leading "!" negates the srcip match)

    <rule id="122" level="7">
      <if_sid>111</if_sid>
      <match>^Failed password</match>
      <description>Failed password attempt</description>
    </rule>

    <rule id="133" level="13">
      <if_sid>122</if_sid>
      <hostname>^mainserver</hostname>
      <srcip>!192.168.2.0/24</srcip>
      <description>Higher severity! Failure on the main server</description>
    </rule>
Writing your own rules 103 (2)

- Rule for Apache web logs
  - We will create one generic rule for all web logs (501)
  - One sub-rule to alert on ids 4xx or 5xx (HTTP errors)
  - We use the "id" tag here, which is set by the decoder (decoded_as references the decoder name, web-accesslog, from the previous slide)

    <rule id="501" level="3">
      <decoded_as>web-accesslog</decoded_as>
      <description>Generic rule for apache logs</description>
    </rule>

    <rule id="502" level="6">
      <if_sid>501</if_sid>
      <id>^4|^5</id>
      <description>Log with id 4xx or 5xx</description>
    </rule>
Rule structure after ...

- Internal structure after the first five rules.
  - Not a flat format (like most log analysis tools)!
  - Very fast! Non-sshd messages are only checked against the first rule (111), not the sub-rules
  - Average of only 7-8 rules per log, instead of the 400 we have enabled by default

[Diagram of the rule tree: a log arrives; try the first top-level rule (111) and, if it matches, try its sub-rules (122, and under it 133) ...; if it doesn't match, try the next top-level rule (501, then 502 under it), and so on]
Writing your own rules 103 (3)

- A few more advanced rule options
  - Rule for successful sshd logins
  - Policy-based options, based on time, day of the week, etc
  - You can use groups to classify your rules better

    <rule id="153" level="5">
      <if_sid>111</if_sid>
      <match>Accepted password </match>
      <description>Successful login</description>
      <group>login_ok</group>
    </rule>

    <rule id="154" level="10">
      <if_sid>153</if_sid>
      <time>6 pm - 8:30 am</time>
      <description>Alert! Logins outside business hours!</description>
      <group>login_ok,policy_violation</group>
    </rule>
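The time window in rule 154 above, 6 pm - 8:30 am, crosses midnight, which is exactly the case a naive start <= now <= end comparison gets wrong. The following Python is an added example for this page, not code from the slides or from OSSEC: a small parser for the time syntax the slides use and a check that handles the wrap-around. It accepts the "6 pm" / "8:30 am" forms shown on the slides and plain 24-hour HH:MM; the exact grammar OSSEC itself accepts is not stated on the slides, so this subset is an assumption. The clock to compare against is passed in by the caller.

```python
"""Parser and check for OSSEC-style <time> windows such as "6 pm - 8:30 am".
Added example for this page, not OSSEC's own code."""
import re
from datetime import time

# "6 pm", "8:30 am", "17:45" (24-hour when no am/pm). The grammar OSSEC itself
# accepts is not taken from the slides; this subset is an assumption.
_CLOCK = re.compile(r"^\s*(\d{1,2})(?::(\d{2}))?\s*(am|pm)?\s*$", re.IGNORECASE)


def parse_clock(text: str) -> time:
    """'6 pm' -> 18:00, '8:30 am' -> 08:30, '17:45' -> 17:45."""
    m = _CLOCK.match(text)
    if not m:
        raise ValueError(f"unrecognised time {text!r}")
    hour, minute = int(m[1]), int(m[2] or 0)
    ampm = (m[3] or "").lower()
    if ampm:
        if not 1 <= hour <= 12:
            raise ValueError(f"12-hour clock out of range {text!r}")
        hour = hour % 12 + (12 if ampm == "pm" else 0)   # 12 am -> 0, 12 pm -> 12
    return time(hour, minute)


def in_time_window(spec: str, now: time) -> bool:
    """True if `now` is inside "<start> - <end>"; an end earlier than the
    start means the window wraps past midnight."""
    start_text, end_text = spec.split("-", 1)
    start, end = parse_clock(start_text), parse_clock(end_text)
    if start <= end:                      # e.g. 9:00-17:00
        return start <= now <= end
    return now >= start or now <= end     # e.g. 6 pm - 8:30 am


if __name__ == "__main__":
    for t in (time(23, 0), time(3, 15), time(8, 30), time(12, 0)):
        print(t, in_time_window("6 pm - 8:30 am", t))
```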
Writing your own rules 200

- Composite rules
  - Rule for multiple failed password attempts
  - We set frequency and timeframe
  - if_matched_sid: if we see this rule more than X times within Y seconds.
  - same_source_ip: if they were decoded from the same IP.

    <rule id="122" level="7">
      <if_sid>111</if_sid>
      <match>^Failed password</match>
      <description>Failed password attempt</description>
    </rule>

    <rule id="1050" level="11" frequency="5" timeframe="120">
      <if_matched_sid>122</if_matched_sid>
      <same_source_ip />
      <description>Multiple failed attempts from same IP!</description>
    </rule>
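To make the tree walk and the composite counting concrete, here is an added example in Python, not code from the slides or from OSSEC: a small rule engine that mirrors rules 111, 122 and 133 from the earlier slides and the composite rule 1050 above, run over constructed, already-decoded events. Field names follow the decoder output shown earlier; the integer ts field (seconds) and the sample hosts and addresses are constructed for the example. Two modelling choices to keep in mind: the composite fires on exactly frequency matches inside timeframe seconds (the OSSEC documentation describes its own counter as triggering two matches later than the configured value), and composite children are checked before their atomic siblings so that their windows are updated on every match of the parent rule.

```python
"""Model of the analysisd rule tree: atomic rules chained with if_sid, plus a
composite rule counting matches per source IP. Added example, not OSSEC code."""
import ipaddress
import re
from collections import defaultdict, deque

RULES = [   # rules 111, 122, 133 and 1050 from the slides, as dicts
    {"id": 111, "level": 5, "decoded_as": "sshd",
     "description": "Logging every decoded sshd message"},
    {"id": 122, "level": 7, "if_sid": 111, "match": r"^Failed password",
     "description": "Failed password attempt"},
    {"id": 133, "level": 13, "if_sid": 122, "hostname": r"^mainserver",
     "srcip": "!192.168.2.0/24",
     "description": "Higher severity! Failure on the main server"},
    {"id": 1050, "level": 11, "if_matched_sid": 122, "frequency": 5,
     "timeframe": 120, "same_source_ip": True,
     "description": "Multiple failed attempts from same IP!"},
]


def ip_matches(pattern: str, ip: str) -> bool:
    """OSSEC-style srcip: a host or CIDR, with a leading '!' negating it."""
    if not ip:
        return False
    negate = pattern.startswith("!")
    net = ipaddress.ip_network(pattern.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


class RuleEngine:
    def __init__(self, rules):
        self.children = defaultdict(list)   # parent id (None = root) -> rules
        for r in rules:
            self.children[r.get("if_sid", r.get("if_matched_sid"))].append(r)
        self.windows = defaultdict(deque)   # (rule id, srcip) -> match times

    def _atomic(self, rule, ev) -> bool:
        if "decoded_as" in rule and ev.get("decoder") != rule["decoded_as"]:
            return False
        if "match" in rule and not re.search(rule["match"], ev["log"]):
            return False
        if "hostname" in rule and not re.search(rule["hostname"], ev.get("hostname") or ""):
            return False
        if "srcip" in rule and not ip_matches(rule["srcip"], ev.get("srcip")):
            return False
        return True

    def _composite(self, rule, ev) -> bool:
        """Called each time the parent (if_matched_sid) rule matched."""
        key = (rule["id"], ev.get("srcip") if rule.get("same_source_ip") else None)
        win = self.windows[key]
        win.append(ev["ts"])
        while win and ev["ts"] - win[0] > rule["timeframe"]:
            win.popleft()                      # drop matches outside timeframe
        if len(win) >= rule["frequency"]:
            win.clear()                        # alert once, then count afresh
            return True
        return False

    def evaluate(self, ev):
        """Return the deepest matching rule for one event, or None."""
        best, candidates = None, self.children[None]
        while candidates:
            # composites first, so every parent match updates their windows
            fired = [r for r in candidates if "if_matched_sid" in r and self._composite(r, ev)]
            nxt = fired[0] if fired else next(
                (r for r in candidates if "if_matched_sid" not in r and self._atomic(r, ev)), None)
            if nxt is None:
                break
            best, candidates = nxt, self.children[nxt["id"]]
        return best


def failed(ts, host, ip):   # constructed, already-decoded sshd event
    return {"ts": ts, "decoder": "sshd", "hostname": host, "srcip": ip,
            "log": f"Failed password for admin from {ip} port 42976 ssh2"}


SAMPLE_EVENTS = (
    [failed(0, "mainserver", "203.0.113.7")]                          # outside /24 -> 133
    + [failed(10 + i, "www1", "192.168.2.190") for i in range(5)]     # burst from one IP -> 1050
    + [failed(200 + i, "www1", f"198.51.100.{i}") for i in range(5)]  # 5 IPs: never 1050
    + [dict(failed(400, "www1", "192.168.2.190"),
            log="Accepted password for root from 192.168.2.190 port 1618 ssh2")]  # only 111
)


def run(events=SAMPLE_EVENTS) -> list:
    engine = RuleEngine(RULES)
    results = []
    for ev in events:
        rule = engine.evaluate(ev)
        results.append((ev["ts"], rule["id"] if rule else None))
    return results


if __name__ == "__main__":
    for ts, rid in run():
        print(ts, rid)
```

The five failures spread over five different addresses never reach rule 1050 because same_source_ip keeps a separate window per srcip; the five from 192.168.2.190 within 50 seconds fire it on the fifth event, after which the window is cleared so a continuing attack produces one alert per burst rather than one per event.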
Rules in the real world

- Do not modify the default rules
  - They are overwritten on every upgrade
  - Use local_rules.xml instead (not modified during upgrades)
- Use and abuse if_sid, if_group (remember, classify your rules under groups), etc
- Use an ID within the range 100000-109999 (user assigned)
- If adding support for new rules or new log formats:
  - Send them to us, so we can include them in OSSEC
  - We will assign an ID range for your rules
Rules in the real world (2)

- Alerting on every authentication success outside business hours
  - Every authentication message is classified as "authentication success" (which is why we use if_group)
- Add to local_rules.xml:

    <rule id="100005" level="10">
      <if_group>authentication_success</if_group>
      <time>6 pm - 7:30 am</time>
      <description>Login during non-business hours.</description>
    </rule>
Rules in the real world (3)

- Changing the frequency or severity of a specific rule
  - Rule 5712 alerts on SSHD brute forces after 6 failed attempts
  - To increase the frequency, just overwrite this rule with a higher value. The same applies to severity (level).
  - You can change any value of the original rule by overwriting it
- Add to local_rules.xml:

    <rule id="5712" level="10" frequency="20" overwrite="yes">
      <if_matched_sid>5710</if_matched_sid>
      <description>SSHD brute force trying to get access to </description>
      <description>the system.</description>
      <group>authentication_failures,</group>
    </rule>
LID Examples - Squid logs

- Rule to detect internal hosts scanning the outside
  - Useful to detect worms, malicious users, etc
  - Will fire if the same internal system generates multiple 500/600 error codes on different URLs

    <rule id="35009" level="5">
      <id>^5|^6</id>
      <description>Squid 500/600 error code (server error).</description>
    </rule>

    <rule id="35058" level="10" frequency="6" timeframe="240">
      <if_matched_sid>35009</if_matched_sid>
      <same_source_ip />
      <different_url />
      <description>Multiple 500/600 error codes (server error).</description>
    </rule>
LID Examples - Squid logs 2

- Indication of an internal compromised system:

    Received From: (proxy) 10.1.2.3->/var/log/squid/access.log
    Rule: 35058 fired (level 10) -> "Multiple 500/600 error codes (server error)."
    Portion of the log(s):
    179993 1.2.3.4 TCP_MISS/504 1430 GET http://xx.com/cgi/stats/awstats.pl - NONE/- text/html
    179504 1.2.3.4 TCP_MISS/504 1410 GET http://xx.com/awstats.pl - NONE/- text/html
    179493 1.2.3.4 TCP_MISS/504 1422 GET http://xx2.com/stats/awstats.pl - NONE/- text/html
    179494 1.2.3.4 TCP_MISS/504 1438 GET http://xx2.com//cgi-bin/stats/awstats.pl - NONE/- text/html
    179507 1.2.3.4 TCP_MISS/504 1426 GET http://xx3.com/awstats/awstats.pl - NONE/- text/html
LID Examples - Web logs

- Rule to detect large URLs
  - Any URL longer than 2900 characters is very suspicious
  - maxsize is checked against the length of the whole decoded event, not the url field alone; because the parent rule 31100 restricts this to web access logs, in practice that means an over-long request line

    <rule id="31115" level="13" maxsize="2900">
      <if_sid>31100</if_sid>
      <description>URL too long. Higher than allowed on most </description>
      <description>browsers. Possible attack.</description>
      <group>invalid_access,</group>
    </rule>
LID Examples - Web logs 2

- Indication of an attack detected
  - Now, what if you see this coming from an internal box?

    OSSEC HIDS Notification.
    2007 Feb 18 20:52:27
    Received From: (jul) 192.168.2.0->/var/log/apache/access_log
    Rule: 31115 fired (level 13) -> "URL too long. Higher than allowed on most browsers."
    Portion of the log(s):
    142.167.9.242 - - [18/Feb/2007:21:43:49 -0400] "SEARCH /\x90\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9...
LID Examples - Snort logs

- Multiple IDS events from the same source IP address

    2007 May 08 14:10:58 (jul) 192.168.2.0->/var/log/snort/alert
    Rule: 20152 (level 10) -> 'Multiple IDS alerts from same IP Address.'
    [**] [1:648:7] SHELLCODE x86 NOOP [**][Classification: Executable code was detected] [Priority: 1] 142.167.24.154:1238 -> 192.168.2.32:80
    [**] [1:648:7] SHELLCODE x86 NOOP [**][Classification: Executable code was detected] [Priority: 1] 142.167.24.154:1238 -> 192.168.2.32:80
    [**] [1:648:7] SHELLCODE x86 NOOP [**][Classification: Executable code was detected] [Priority: 1] 142.167.24.154:1238 -> 192.168.2.32:80
    [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [Classification: Preprocessor] 142.167.24.154:1238 -> 192.168.2.32:80
    [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**][Classification: access to a potentially vulnerable web application] [Priority: 2] 142.167.24.154:1238 -> 192.168.2.32:80
    [**] [1:1070:9] WEB-MISC WebDAV search access [Classification: access to a potentially vulnerable application] 142.167.24.154:1238 -> 192.168.2.32:80
LID Examples - Auth logs

- Brute force attempts
  - Not only for SSHD, but also ftpd, imapd, webmails, etc

    OSSEC HIDS Notification.
    2007 Feb 21 05:37:59
    Received From: enigma->/var/log/authlog
    Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
    Feb 21 05:37:58 enigma sshd[7235]: Failed password for invalid user admin from 125.152.17.236 port 42198 ssh2
    Feb 21 05:37:58 enigma sshd[14507]: Invalid user admin from 125.152.17.236
    Feb 21 05:37:56 enigma sshd[10566]: Failed password for invalid user admin from 125.152.17.236 port 42132 ssh2
    Feb 21 05:37:56 enigma sshd[11502]: Invalid user admin from 125.152.17.236
LID Examples - Auth logs 2

- Brute force attempts followed by a success

    Rule: 5720 (level 10) -> "Multiple SSHD authentication failures."
    Src IP: 125.192.xx.xx
    Feb 11 09:31:58 wpor sshd[4565]: Failed password for root from 125.192.xx.xx port 42976 ssh2
    Feb 11 09:31:58 wpor sshd[4565]: Failed password for admin from 125.192.xx.xx port 42976 ssh2
    Feb 11 09:31:58 wpor sshd[4565]: Failed password for admin from 125.192.xx.xx port 42976 ssh2

    Rule: 40112 (level 12) -> "Multiple authentication failures followed by a success."
    Src IP: 125.192.xx.xx
    User: admin
    Feb 11 09:31:58 wpor sshd[7235]: Accepted password for admin from 125.192.xx.xx port 42198 ssh2
Conclusion

- OSSEC is very extensible and provides a lot of functionality out of the box
- Try it out and check for yourself! :)
- Lots of new features planned for the future
- A web interface is also available
- Look at our manual and FAQ for more information:
  http://www.ossec.net
- For questions and support, subscribe to our mailing list or visit us at #ossec on freenode

QUESTIONS?