OSSEC Log and event management the open source way ...

OSSEC @ ISSA Jan 21st 2010


DESCRIPTION

These are the slides of my presentation at the ISSA Brussels-European Chapter about OSSEC and Log Management standards and principles.


Page 1: OSSEC @ ISSA Jan 21st 2010

OSSEC

Log and event management the open source way ...

Page 2

Introduction

• Me (thx 4 the nice intro, maltego me)

• Bull (not the bovine kind ...)

• Eurotrash information security podcast

• Brucon, Excaliburcon, FOSDEM, ...

Page 3

Agenda

• Logging 101 (what, how, why, ...)

• OSSEC technical overview

• break

• OSSEC installation and configuration

• OSSEC rules

• OSSEC event management

Page 4

Logging: what?

• Users

• Systems

• Network

• Databases

• Applications

• .....

Page 5

Logging: from?

Firewalls, VPN, IDS/IPS, routers, switches, ...

Servers, workstations, virtualisation, UPS, ...

anti-malware, applications, databases, ...

Page 6

Logging: why?

• System Monitoring (performance, management, troubleshooting, ...)

• Compliance (regulatory, audit, internal policy, ...)

• Incident Handling, Forensics, ...

Page 7

Compliance: PCI DSS

6.4. Follow change control procedures for all changes to system components

10. Track and monitor all access to network resources and cardholder data.

12. Maintain a policy that addresses information security for all employees and contractors

Page 8

The Problem

• There is NO standard !!

• There is NO guidance !!

• There is NO Consistency !!

Page 9

Babel be thy name

Page 10

We need to agree upon...

• Format: what does a log message look like?

• Content: what do we put in a log message?

• Transport: how do we send it?

• Guidelines: how do we approach logging? (ex. NIST 800-92)

Page 11

It’s time for a standard !

Page 12

not Syslog

• RFC 3164 (08/2001) : BSD Syslog Protocol

• It uses UDP

• It’s a garbage bin

• it’s a non-standard standard

Page 13

Syslog Hell !

• Jun 11 03:06:38 (none) login[3432] : ROOT LOGIN on `tty1`

• Jan 19 22:52:56 LT1 gdm-session-worker[1659]: pam_unix(gdm:session): session opened for user wim by (uid=0)

• Jan 4 09:38:10 LT1 su[3510]: pam_unix(su:session): session opened for user root by wim(uid=1000)

Page 14

Syslog Hell !!

• <57> Jan 10 12:10:34:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:frodo] [Source:192.168.10.254] [localport:23] at ...

• <13> Jan 18 10:15:45 2009 680 Security SYSTEM User Failure Audit ENTERPRISE ...

Page 15

Can I continue ?

• Jan 19 20:12:56 LT1 mycrappyapp[3526]: I’m the awesome programmer behind this crappy app and since you asked me to log something I’ve chosen to use syslog to dump all this meaningless events in here so you will still have to call and pay me to get the bugs that I left in there because I was surfing the internet instead of working for you solved. Eat that! And BTW, my app crashed for no apparent reason. kthxbai !

Page 16

I promise to stop

• Feb 24 15:10:24 server transact[5402]: user geoff transferred 500 dollars using credit card # XXX

• Apr 1 10:14:28 server MEDIC [6420]: user kathy logged in to module patient using password selma1970

Page 17

Then what ?

• IDMEF (by IETF)
  • XML based
  • Complex
  • Not widely adopted
  • Academic

• WELF (by Webtrends)
  • Proprietary
  • didn’t scale

Page 18

NEXT !

• CBE (by IBM)
  • also XML based
  • IBM didn’t even use it !

Page 19

The future ?

• Event Taxonomy: standard terminology

• Log Syntax: consistent data elements and format

• Log Transport: standard communications mechanisms

• Log Recommendations: suggested events to log

Page 20

OSSEC

Page 21

Definition

OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

Page 22

SIEM (commercial)

Page 23

Key Facts

• 2005

• Daniel Cid

• Third Brigade

• TrendMicro

Page 24

Install Modes

• Local
  • Single Client
  • Windows, AIX, Solaris, HP-UX, Linux

• Server
  • Central Logging Point (250 clients/server)
  • AIX, Solaris, HP-UX, Linux

• Client
  • Reports to server
  • Windows, AIX, Solaris, HP-UX, Linux

Page 25

Architecture

[Architecture diagram]

Page 26

Architecture

[Architecture diagram; labels: syslog, syslog, virtualisation]

Page 27

Architecture

[Architecture diagram; labels: virtualisation, virtualisation, SIEM]

Page 28

OSSEC Components

[Component diagram: Agent (logcollector) → Server (ossec-analysisd, ossec-maild, ossec-execd); agent-to-server channel: zlib compressed, blowfish encrypted, UDP 1514]

Page 29

Time for a break

Page 30

ossec-analysisd

Predecoding → Decoding → Analysis

Page 31

Predecoding

• Feb 24 10:12:23 beijing appdaemon:stopped

time/date: Feb 24 10:12:23
Hostname: beijing
Program_name: appdaemon
Log: stopped

Page 32

Predecoding

• Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10

time/date: Feb 25 12:00:47
Hostname: beijing
Program_name: appdaemon
Log: user john logged on from 10.10.10.10

Page 33

Decoding

• Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10

time/date: Feb 25 12:00:47
Hostname: beijing
Program_name: appdaemon
Log: user john logged on from 10.10.10.10
srcip: 10.10.10.10
user: john
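The predecoding and decoding steps of the last three slides as an added Python sketch (not OSSEC's own code): the predecoder splits a BSD syslog line into the fixed header fields, and a small decoder for the slides' hypothetical appdaemon program lifts srcip and user out of the free-text log. It goes slightly beyond the slides in that the header regex also accepts a pid in square brackets and a single- or double-space day, so the login[3432] and su[3510] lines from the Syslog Hell slides parse too; the field names are mine, with time/date returned as timestamp.

```python
import re

# Predecoder: the fixed syslog header fields that ossec-analysisd pulls out of
# every line (time/date, hostname, program_name, log) before any decoder runs.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?\s*:\s*(?P<log>.*)$"
)
# Decoder for the slides' hypothetical "appdaemon" program: lifts srcip and
# user out of the log text so that rules can test them as fields.
APPDAEMON_RE = re.compile(
    r"^user (?P<user>\S+) logged on from (?P<srcip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def predecode(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return {"log": line}  # not syslog-shaped: the whole line becomes the log field
    return {k: v for k, v in m.groupdict().items() if v is not None}

def decode(fields):
    if fields.get("program_name") != "appdaemon":
        return fields  # no decoder for this program: predecoded fields only
    out = dict(fields, decoded_as="appdaemon")
    m = APPDAEMON_RE.match(fields.get("log", ""))
    if m:
        out.update(m.groupdict())
    return out

if __name__ == "__main__":
    for line in ("Feb 24 10:12:23 beijing appdaemon:stopped",
                 "Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10"):
        print(decode(predecode(line)))
```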

Page 34

Analysis

<rule id="666" level="0">
  <decoded_as>appdaemon</decoded_as>
  <description>appdaemon rule</description>
</rule>

<rule id="766" level="5">
  <if_sid>666</if_sid>
  <match>^logged on</match>
  <description>successful logon</description>
</rule>

Page 35

Analysis

<rule id="866" level="7">
  <if_sid>766</if_sid>
  <hostname>^beijing</hostname>
  <srcip>!192.168.10.0/24</srcip>
  <description>unauthorized logon!</description>
</rule>

<rule id="966" level="13">
  <if_sid>766</if_sid>
  <hostname>^shanghai</hostname>
  <user>!john</user>
  <description>unauthorised logon!</description>
</rule>

Page 36

Analysis

[Rule tree diagram: 666 → 766 → {866, 966}]

Page 37

Analysis

<rule id="1066" level="7">
  <if_sid>666</if_sid>
  <match>^login failed</match>
  <description>failed login!</description>
</rule>

<rule id="1166" level="9" frequency="10" timeframe="100">
  <if_matched_sid>1066</if_matched_sid>
  <same_source_ip />
  <description>Probable Brute Force!</description>
</rule>
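Rule evaluation as an added Python sketch (not OSSEC's code): the six slide rules as dicts, the if_sid tree walk, the "!" negation on srcip and user, and the frequency/timeframe correlation of rule 1166 run over constructed, already-decoded events. It assumes OSSEC's match semantics, where a leading ^ means "begins with", so the sample logs start with the matched phrase (the slide's own "user john logged on ..." line begins with "user" and would not satisfy rule 766 as written), and it simplifies the exact trigger count of frequency rules.

```python
import ipaddress
# The slide rules (666..1166) as dicts, constructed to mirror the XML: ossec-analysisd's
# matching logic in miniature, not OSSEC's own rule format or engine.
RULES = {
    666: {"level": 0, "decoded_as": "appdaemon"},
    766: {"level": 5, "if_sid": 666, "match": "^logged on"},
    866: {"level": 7, "if_sid": 766, "hostname": "^beijing", "srcip": "!192.168.10.0/24"},
    966: {"level": 13, "if_sid": 766, "hostname": "^shanghai", "user": "!john"},
    1066: {"level": 7, "if_sid": 666, "match": "^login failed"},
    1166: {"level": 9, "if_matched_sid": 1066, "frequency": 10, "timeframe": 100, "same_source_ip": True},
}
HISTORY = {}  # (rule id, srcip) -> times of earlier matches, for frequency rules

def text_ok(pat, val):  # <match>/<hostname>/<user>: '^' means begins-with, '!' negates
    if pat.startswith("!"):
        return not text_ok(pat[1:], val)
    return val.startswith(pat[1:]) if pat.startswith("^") else pat in val
def srcip_ok(pat, val):  # <srcip>: address or CIDR, '!' negates
    net = ipaddress.ip_network(pat.lstrip("!"), strict=False)
    return (ipaddress.ip_address(val) in net) != pat.startswith("!")
def rule_matches(rid, ev):
    r = RULES[rid]
    checks = [ev.get("decoded_as") == r.get("decoded_as", ev.get("decoded_as")),
              "srcip" not in r or srcip_ok(r["srcip"], ev.get("srcip", "0.0.0.0"))]
    checks += [text_ok(r[f], ev.get(k, "")) for f, k in
               (("match", "log"), ("hostname", "hostname"), ("user", "user")) if f in r]
    return all(checks)

def walk(rid, ev):  # depth-first down the if_sid tree; the deepest (last) match wins
    if not rule_matches(rid, ev):
        return None
    hits = [h for c, r in RULES.items() if r.get("if_sid") == rid for h in [walk(c, ev)] if h]
    return hits[-1] if hits else rid

def analyse(ev):  # -> (rule id, level) of the alert, or None when nothing or a level-0 rule matched
    rid = walk(666, ev)
    for cid, r in RULES.items():  # correlation rules hanging off the matched rule
        if rid and r.get("if_matched_sid") == rid:
            hist = HISTORY.setdefault((rid, ev.get("srcip") if r.get("same_source_ip") else None), [])
            hist.append(ev["time"])
            hist[:] = [t for t in hist if ev["time"] - t <= r["timeframe"]]
            if len(hist) >= r["frequency"]:  # simplified: OSSEC's exact trigger count differs
                hist.clear()
                return cid, RULES[cid]["level"]
    return (rid, RULES[rid]["level"]) if rid and RULES[rid]["level"] else None

def demo():  # constructed decoded events: three logons, then a burst of failed logins
    base = {"decoded_as": "appdaemon", "hostname": "beijing", "user": "john", "srcip": "10.10.10.10"}
    logons = [dict(base, time=0, log="logged on"), dict(base, time=1, log="logged on", srcip="192.168.10.7"),
              dict(base, time=2, log="logged on", hostname="shanghai", user="mallory")]
    return [analyse(ev) for ev in logons + [dict(base, time=10 + i, log="login failed") for i in range(10)]]
```

demo() alerts 866 for the external logon, 766 for the internal one, 966 for the non-john logon on shanghai, then nine 1066 alerts and a single 1166 on the tenth failure from the same source.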

Page 38

Analysis

[Rule tree diagram: 666 → 766 → {866, 966}; 666 → 1066 → 1166]

Page 39

ossec.conf

<command>
  <name>host-deny</name>
  <executable>host-deny.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <command>host-deny</command>
  <location>local</location>
  <rules_id>1166</rules_id>
  <timeout>600</timeout>
</active-response>

Page 40

ossec.conf: syscheck

<syscheck>
  <!-- Frequency that syscheck is executed - default to every 22 hours -->
  <frequency>79200</frequency>

  <!-- Directories to check (perform all possible verifications) -->
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>

  <!-- Files/directories to ignore -->
  <ignore>/etc/mtab</ignore>
  <ignore>/etc/mnttab</ignore>
  <ignore>/etc/hosts.deny</ignore>
  ...
</syscheck>

Page 41

ossec.conf: rootcheck

<rootcheck>
  <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
  <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
  <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
  <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
  <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
</rootcheck>

Page 42

ossec.conf: varia

<alerts>
  <log_alert_level>1</log_alert_level>
</alerts>

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/secure.log</location>
</localfile>

<ossec_config>
  <!-- rules global entry -->
  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    ...
  </rules>
</ossec_config>

Page 43

Management

/var/ossec/bin/ossec-control stop|start|restart

manage_agents: (server) manage agent keys; (client) import key

Page 44

Management

agent_control -lc
agent_control -i [id]
agent_control -R [id]
agent_control -r -a
agent_control -r -i [id]

Page 45

Management

syscheck_control -lc
syscheck_control -i [id]
syscheck_control -i [id] -f [file]

Page 46

Centralized Management

/var/ossec/etc/shared/agent.conf

• distributed to all agents

• specify config per client id

• specify config per OS

• pushed by server

• same syntax as ossec.conf

Page 47

Rolling out

[Cycle diagram: Deploy → Monitor → Analyze → Customize → (repeat)]