Blackhat Workshop

1. OSSEC Workshop
   Wim Remes - Xavier Mertens
   BH EU 2011
   Thursday 17 March 2011

2. About Us
   • Wim
     • works for EY Belgium
     • Security Consultant
     • Eurotrash
     • InfoSec Mentors
     • Brucon
   • Xavier
     • Senior Security Consultant for a Belgian company
     • Security Blogger
3. Technical Breakdown

4. Technical Issues
   • Mix of OSes, applications and protocols
   • Thousands of events to process
   • Multiple consoles/tools
   • Keep security at the highest level ("CIA" principle)

5. Find the Differences...
   • Aug 27 14:33:01 macosx ipfw: 12190 Deny TCP 192.168.13.1:2060 192.168.13.104:5000 in via en1
   • %PIX-3-313001: Denied ICMP type=11, code=0 from 192.168.30.2 on interface 2

6. Economic Issues
   • "Time is Money" (24x7, no downtime)
   • Reduced staff & budget
   • Happy shareholders
   • This costs $$$ and HH:MM! (commercial as well as free)

7. Legal Issues
   • Compliance requirements (by "group" or by business)
   • Local laws (retention, data protection)
   • Due diligence & due care

8. Challenges
   • Creation and archiving of log files (centralized)
   • Analysis (normalization)
   • Follow-up
   • Reporting

9. Layers Model (bottom to top)
   • Log Collection
   • Normalization
   • Storage
   • Search
   • Correlation
   • Reporting

10. OSSEC in a Nutshell
   "Because everybody must take care of logs"
11. Core Features
   • OSSEC is a free HIDS
   • Features
     • Log analysis / file integrity checks
     • Policy monitoring
     • Rootkit detection
     • Actions (alerts / active response)
     • Open to 3rd party products

12. OSSEC Position
   • Log Management solutions: focus on logs
   • SIEM solutions: focus on security
   • OSSEC sits in between the two

13. OSSEC cannot...
   • Detect access to files by itself (only when the OS logs it)
   • Use proprietary protocols: you have to convert them to syslog first (ex: Check Point)
   • Display nice graphs
   • OSSEC is just a (dumb) tool!

14. It's not a product... (c) Bruce
   • Problems? Results!
   • Proof of concept with limited scope
   • Test procedures from A to Z
   • Procedures! (yeah, boring)

15. Starter's Kit
   • A Linux box
   • Enough storage
   • Some UNIX/networking knowledge
   • Script-Fu can be helpful
   • Free time!
16. Architecture
   • Server
   • Agents (UNIX & Windows)
   • DB (optional)
   • 3rd party products (optional)

17. Software Components
       Component      Server   Agent
       logcollector     x        x
       agentd          (x)       x
       execd            x        x
       syscheckd        x        x
       analysisd        x
       maild            x
       remoted          x
       monitord         x
       reportd          x
       csyslogd         x

18. Supported Log Formats
   • UNIX & tools
   • FTP / SMTP / HTTP servers
   • Firewalls
   • DBs
   • Security tools
   • Commercial (CP, VMware, Bluecoat, ...)
   • Almost anything (custom decoders)

19. Decoded Variables
   • location
   • hostname
   • log_tag
   • srcip, dstip
   • srcport, dstport
   • protocol
   • action
   • user, dstuser
   • id
   • command
   • url
   • data
20. Server Installation
   • Harden your Linux server
   • Allow traffic to UDP/1514
   • ./install.sh && answer the questions
   • manage_agents && create the agent keys

21. $HOME Sweet $HOME
   • ossec.conf
   • local_rules.xml
   • decoder.xml
   • ossec-logtest

22. Agents Phone $HOME
   • Both directions UDP/1514!
   • Tools
     • manage_agents
     • list_agents
     • agent_control

23. Centralized Management
   • $OSSECHOME/etc/shared/agent.conf
   • Set up config blocks as in ossec.conf:
       <agent_config name="myagent">
         <localfile>
           <location>/var/log/mylog</location>
           <log_format>syslog</log_format>
         </localfile>
       </agent_config>

24. Reporting
   • Simple reporting is provided through ossec-reportd, which reads alerts on stdin
     (cat $OSSECHOME/logs/alerts/alerts.log | $OSSECHOME/bin/ossec-reportd ...):
       -f <filter> <value>    filter the alerts
       -r <filter> <value>    show related entries
     Examples:
       -f group authentication_failed
       -f level 10
       -f group authentication -r user srcip

25. Reporting (cont)
   • Top-20 offending IP addresses
   • Top-20 offending users
   • Top-20 suspicious alerts
   • Top-20 triggered alerts

26. Log Archives
   • Enable with the following keyword in the <global> section (default off):
       <logall>yes</logall>
   • MD5/SHA1 for integrity
   • The raw event is stored (evidence)

27. Alerts Post Analysis
   • OSSEC has a WUI but it is outdated (IMHO)
   • Alternatives: Picviz, Prelude, Splunk or LaaS (Loggly)
   • Forward alerts over syslog:
       <syslog_output>
         <server>127.0.0.1</server>
         <port>10002</port>
       </syslog_output>
     (the forwarder must also be switched on once with $OSSECHOME/bin/ossec-control enable client-syslog)
28. Key Design & Implementation Issues

29. Time Synchronization
   • Use NTP to synchronize your devices
   • Mandatory to investigate security incidents

30. Access Raw Data
   • Safe & reliable collection of syslog flows
   • Access to local files (agents)

31. UDP 1514
   • OSSEC adds confidentiality (packets are encrypted) but still relies on UDP
   • No caching or heart-beat mechanism: a dropped datagram is a lost event

32. High Availability
   • Full virtual IP + storage sync (Active/Passive)
   • Multiple servers (failover):
       # ossec.conf (agent side)
       <client>
         <server-ip>192.168.0.10</server-ip>
         <server-ip>192.168.10.10</server-ip>
       </client>
       # internal_options.conf (server side)
       remoted.verify_msg_id=0
     (verify_msg_id is the per-agent message counter check that rejects replayed agent messages;
     it is disabled here only because two servers cannot share the counters)

33. Long Term Retention
   • $OSSECHOME/logs/archives/YYYY/MMM
   • Could fill your filesystem very quickly!
   • A procedure must be implemented for long term retention (ex: NAS, DVDs)

34. Agents Mass-Deployment
   • ossec-batch-manager.pl (contrib)
   • Deployment tools
     • cfengine (UNIX)
     • Active Directory (Windows)
   • New!! Automatic key exchange:
       Server: # /var/ossec/bin/ossec-authd -p 1515 >/dev/null 2>&1 &
       Client: # /var/ossec/bin/agent-auth -m 192.168.1.1 -p 1515
     (ossec-authd hands a key to any host that connects: run it only during the rollout,
     on a network you trust, and stop it afterwards)
35. Building/Customizing OSSEC rules

36. Basics
   • $OSSECHOME/rules
   • local_rules.xml

37. Basics - step 1: decoder.xml
       <decoder name="sshd">
         <program_name>^sshd</program_name>
       </decoder>

       <decoder name="sshd-success">
         <parent>sshd</parent>
         <prematch>^Accepted</prematch>
         <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port </regex>
         <order>user, srcip</order>
         <fts>name, user, location</fts>
       </decoder>

38. Basics - step 1: decoder.xml (cont)
       <decoder name="sshd">
         <program_name>^sshd</program_name>
       </decoder>

       <decoder name="ssh-denied">
         <parent>sshd</parent>
         <prematch>^User \S+ from </prematch>
         <regex offset="after_parent">^User (\S+) from (\S+) </regex>
         <order>user, srcip</order>
       </decoder>

39. Basics - step 2: $OSSECHOME/rules/sshd_rules.xml
       <rule id="5700" level="0" noalert="1">
         <decoded_as>sshd</decoded_as>
         <description>SSHD messages grouped.</description>
       </rule>

       <rule id="5716" level="5">
         <if_sid>5700</if_sid>
         <match>^Failed|^error: PAM: Authentication</match>
         <description>SSHD authentication failed.</description>
         <group>authentication_failed,</group>
       </rule>

       <rule id="5720" level="10" frequency="6">
         <if_matched_sid>5716</if_matched_sid>
         <same_source_ip />
         <description>Multiple SSHD authentication failures.</description>
         <group>authentication_failures,</group>
       </rule>
     (the stock rule also sets timeframe="120", the window in seconds over which the 6 matches are counted)

40. Basics - step 3: $OSSECHOME/rules/local_rules.xml
       <rule id="100001" level="0">
         <if_sid>5711</if_sid>
         <srcip>1.1.1.1</srcip>
         <description>Example of rule that will ignore sshd failed logins from IP 1.1.1.1.</description>
       </rule>
   • Test decoders and rules with $OSSECHOME/bin/ossec-logtest (paste a log line on stdin)
41. Hands-on

42. Lab Environment
   • ssh student@yourhost (Pass: 0SSEC4ever)
   • sudo -s
   • Stuff in $HOME/files/
   • Live syslog feed received in /var/log/
   • Sendmail available
   • Do NOT abuse!

43. Exercise #1
   • Install OSSEC (stand-alone)
   • Start collecting events
   • Play with the configuration files
   • Send notifications via e-mail

44. Exercise #2
   • Generate an (email) alert when accesses to Facebook are detected

45. Solution #2
   • In $OSSECHOME/rules/local_rules.xml:
       <!-- Facebook detection rule -->
       <rule id="100030" level="10">
         <match>facebook.com</match>
         <description>Access to Facebook detected!</description>
       </rule>
   • Restart OSSEC
     (a rule with neither <if_sid> nor <decoded_as> is tried against every event,
     and <match> is a plain substring test, not a regex)

46. Exercise #3
   • Monitor (decode) an unknown file format: /var/log/application.log
   • Report activity for the user 'admin'
   • Tip: use ossec-logtest

47. Solution #3
   • Log format:
       Mar 10 23:36:43 foo application[4583]: john created /data/report134.ppt
   • In $OSSECHOME/etc/decoder.xml:
       <decoder name="newapp">
         <program_name>application</program_name>
       </decoder>

       <decoder name="newapp-event">
         <parent>newapp</parent>
         <regex>^(\S+)</regex>
         <order>user</order>
       </decoder>

48. Solution #3 (cont)
   • In $OSSECHOME/etc/ossec.conf:
       <localfile>
         <log_format>syslog</log_format>
         <location>/var/log/application.log</location>
       </localfile>

49. Solution #3 (cont)
   • In $OSSECHOME/rules/local_rules.xml:
       <rule id="100040" level="0">
         <decoded_as>newapp</decoded_as>
         <description>New Application Event</description>
       </rule>

       <rule id="100041" level="10">
         <if_sid>100040</if_sid>
         <user>admin</user>
         <description>User admin activity detected</description>
       </rule>
   • Restart OSSEC
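The decoder and rule chain of the "Basics" slides (steps 1 to 3) and of Solution #3, replayed in code. This is an added example written for this page, not code from the workshop or from OSSEC: a small Python simulator that parses syslog lines, runs the slides' decoders (parent chosen by program_name, child by prematch/regex, capture groups filled into <order>) and walks the rule tree (decoded_as, if_sid, <match>, <user>, and the frequency/same_source_ip window of rule 5720). Two things the slides do not show are assumed: a timeframe of 120 seconds for rule 5720, and an "sshd-failed" decoder modelled on the stock one, without which rule 5720 has no srcip to correlate on. The sample log lines are constructed.

```python
r"""Minimal OSSEC-style decoder/rule simulator (added example, not OSSEC code).
Replays the slides' sshd decoders with rules 5700/5716/5720 and the Exercise #3
'newapp' decoder with rules 100040/100041 over constructed log lines. Assumed: a
120 s timeframe for rule 5720 (the slide omits it) and an 'sshd-failed' decoder
modelled on the stock one (not on the slides) so that rule 5720 sees the source IP.
The slides' <regex> patterns (\S+, groups) work unchanged in Python's re; <match>
is literal text in which only ^, $ and | are special (see ossec_match)."""
import re
from collections import defaultdict, deque, namedtuple

SYSLOG = re.compile(r'^\w{3} +\d+ \d\d:\d\d:\d\d (\S+) ([^\s\[:]+)(?:\[\d+\])?: (.*)$')
Decoder = namedtuple('Decoder', 'name parent program_name prematch regex offset order',
                     defaults=(None, None, None, None, None, ()))
Rule = namedtuple('Rule', 'id level description decoded_as if_sid if_matched_sid match user '
                  'same_source_ip frequency timeframe noalert',
                  defaults=(None, None, None, None, None, False, 0, 120, False))

DECODERS = [
    Decoder('sshd', program_name=r'^sshd'),
    Decoder('sshd-success', 'sshd', prematch=r'^Accepted', offset='after_prematch',
            regex=r'^ \S+ for (\S+) from (\S+) port ', order=('user', 'srcip')),
    Decoder('ssh-denied', 'sshd', prematch=r'^User \S+ from ', offset='after_parent',
            regex=r'^User (\S+) from (\S+) ', order=('user', 'srcip')),
    Decoder('sshd-failed', 'sshd', prematch=r'^Failed \S+ ', offset='after_prematch',  # assumed
            regex=r'^for (\S+) from (\S+) port ', order=('user', 'srcip')),
    Decoder('newapp', program_name=r'application'),
    Decoder('newapp-event', 'newapp', regex=r'^(\S+)', order=('user',)),
]
RULES = [  # children listed after their parents, which is how process() walks the tree
    Rule(5700, 0, 'SSHD messages grouped.', decoded_as='sshd', noalert=True),
    Rule(5716, 5, 'SSHD authentication failed.', if_sid=5700, match='^Failed|^error: PAM: Authentication'),
    Rule(5720, 10, 'Multiple SSHD authentication failures.', if_matched_sid=5716, same_source_ip=True, frequency=6),
    Rule(100040, 0, 'New Application Event', decoded_as='newapp'),
    Rule(100041, 10, 'User admin activity detected', if_sid=100040, user='admin'),
]

def decode(line):
    """Syslog header -> parent decoder by program name -> first child whose prematch and
    regex fit; capture groups fill the <order> fields. Returns None if nothing decodes."""
    if not (m := SYSLOG.match(line)):
        return None
    host, prog, msg = m.groups()
    parent = next((d for d in DECODERS if d.program_name and re.search(d.program_name, prog)), None)
    if parent is None:
        return None
    ev = {'decoder': parent.name, 'hostname': host, 'program_name': prog, 'msg': msg}
    for d in (c for c in DECODERS if c.parent == parent.name):
        start = 0
        if d.prematch:
            pm = re.search(d.prematch, msg)
            if not pm:
                continue
            if d.offset == 'after_prematch':
                start = pm.end()
        gm = re.search(d.regex, msg[start:])
        if gm:
            ev.update(zip(d.order, gm.groups()), child=d.name)
            break
    return ev

def ossec_match(pattern, text):
    """<match> semantics: every '|' alternative is a literal apart from ^ and $ anchors."""
    for alt in pattern.split('|'):
        rx = ('^' if alt.startswith('^') else '') + re.escape(alt.strip('^$')) + ('$' if alt.endswith('$') else '')
        if re.search(rx, text):
            return True
    return False

def rule_matches(rule, ev, now, hits):
    if (rule.decoded_as and rule.decoded_as != ev['decoder']) or \
       (rule.match and not ossec_match(rule.match, ev['msg'])) or \
       (rule.user and rule.user != ev.get('user')):
        return False
    if rule.frequency:  # sliding window over the parent rule's matches, per source IP if asked
        q = hits[(rule.if_matched_sid, ev.get('srcip') if rule.same_source_ip else None)]
        q.append(now)
        while now - q[0] > rule.timeframe:
            q.popleft()
        return len(q) >= rule.frequency
    return True

def process(line, now, hits, rules=RULES):
    """Deepest matching Rule for one line, or None; 'hits' carries the correlation state."""
    ev = decode(line)
    hit = None
    for rule in (rules if ev else ()):
        top = rule.if_sid is None and rule.if_matched_sid is None
        ok = hit is None if top else (hit is not None and hit.id in (rule.if_sid, rule.if_matched_sid))
        if ok and rule_matches(rule, ev, now, hits):
            hit = rule
    return hit

# Constructed sample: six failed root logins from one IP, one success, then two newapp events.
SAMPLE_LINES = ['Mar 10 23:36:0%d bastion sshd[2011]: Failed password for root from 203.0.113.7 port 400%d ssh2'
                % (i, i) for i in range(6)] + [
    'Mar 10 23:36:10 bastion sshd[2012]: Accepted publickey for ops from 198.51.100.4 port 50321 ssh2',
    'Mar 10 23:36:43 foo application[4583]: john created /data/report134.ppt',
    'Mar 10 23:36:44 foo application[4583]: admin deleted /data/report134.ppt']

def replay(lines, step=1):
    """Feed lines 'step' seconds apart; return the id of the rule each line ends on."""
    hits = defaultdict(deque)
    return [r.id if r else None for r in (process(l, i * step, hits) for i, l in enumerate(lines))]
```

replay(SAMPLE_LINES) gives [5716, 5716, 5716, 5716, 5716, 5720, 5700, 100040, 100041]: five single failures, the sixth failure from the same IP inside the window escalates to 5720, the successful login stops at the level-0 grouping rule 5700, and only the admin event of the new application reaches 100041; with the failures spaced 30 seconds apart the window of 120 seconds never holds six of them and 5720 stays silent. The authoritative check is still ossec-logtest against the real rule files: OSSEC's own counter is documented as firing two events later than the frequency value, whereas this simulator fires on the frequency-th match.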
50. Exercise #4
   • Suspicious access detection
   • Detect SSH access from Belgium
   • Tips
     • Use an active-response script
     • GeoIP API in $HOME/files/geoip

51. Solution #4
   • Install the GeoIP RPM
   • Copy the new active-response script (geoip.sh) to $OSSECHOME/active-response/bin
   • Review the script content

52. Solution #4 (cont)
   • Configure the active-response script in $OSSECHOME/etc/ossec.conf:
       <command>
         <name>geoip-lookup</name>
         <executable>geoip.sh</executable>
         <expect>srcip</expect>
       </command>

53. Solution #4 (cont)
   • Find the right rules to attach the active response to (ex: #5501 - Login session opened)
   • Link the active response to the rule:
       <active-response>
         <command>geoip-lookup</command>
         <location>server</location>
         <rules_id>5501</rules_id>
       </active-response>
   • Restart OSSEC

54. Solution #4 (cont)
   • Monitor the new logfile:
       <localfile>
         <location>/var/log/geoip.log</location>
         <log_format>syslog</log_format>
       </localfile>
   • Create a new rule:
       <rule id="100100" level="10">
         <regex>Detected \S+ from BE, Belgium</regex>
         <description>Suspicious login from Belgium</description>
       </rule>
   • Restart OSSEC and watch alerts.log
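What the active-response script of Solution #4 has to do, as an added example written for this page in Python rather than the workshop's own geoip.sh (which the slides do not reproduce). OSSEC invokes an active-response executable with the arguments <action> <user> <srcip> <alert-id> <rule-id>; the script takes the third one, resolves it with the GeoIP command-line tool geoiplookup (assumed to be installed with the GeoIP RPM) and appends a syslog-formatted line to /var/log/geoip.log in the shape the rule 100100 regex expects. The file name geoip.py and the helper names are this example's own. The security point a practitioner should keep: srcip is copied out of a log line that the remote side wrote, and the script runs as root on the OSSEC server, so the value is validated as an IP address before it reaches any command, and the command is run as an argv list, never through a shell.

```python
#!/usr/bin/env python3
"""geoip.py: a hypothetical OSSEC active-response script written for this page (an added
example, not the workshop's geoip.sh). OSSEC runs an active-response executable as
    <script> <action> <user> <srcip> <alert-id> <rule-id>
with action 'add' when the rule fires ('delete' later if timeout_allowed is set).
It resolves srcip with the GeoIP CLI `geoiplookup` (assumed installed) and appends a
syslog-formatted line to /var/log/geoip.log, the file the workshop then declares as
<log_format>syslog</log_format> and matches with rule 100100."""
import ipaddress
import re
import socket
import subprocess
import sys
import time

LOGFILE = '/var/log/geoip.log'
COUNTRY_RE = re.compile(r'^GeoIP Country Edition: (.+)$', re.M)


def valid_ip(text):
    """srcip comes from the matched log line, i.e. from whoever produced that line, and is
    about to become a command argument run as root on the server: accept only a real IP."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_lookup(output):
    """Extract 'CC, Country' from geoiplookup output such as
    'GeoIP Country Edition: BE, Belgium'; 'unknown' for misses."""
    m = COUNTRY_RE.search(output)
    if not m or 'not found' in m.group(1):
        return 'unknown'
    return m.group(1).strip()


def lookup(ip):
    """Run the GeoIP CLI as an argv list (no shell), so the ip cannot be interpreted."""
    proc = subprocess.run(['geoiplookup', ip], capture_output=True, text=True, check=False)
    return parse_lookup(proc.stdout)


def format_line(ip, country, ts=None, host=None):
    """A syslog-style line (glibc %e gives the space-padded day syslog uses), because the
    workshop declares /var/log/geoip.log as syslog format."""
    ts = ts or time.strftime('%b %e %H:%M:%S')
    host = host or socket.gethostname()
    return '%s %s geoip: Detected %s from %s' % (ts, host, ip, country)


def main(argv, logfile=LOGFILE, resolve=lookup):
    """Exit code: 0 on success or on a callback that needs no action, 1 on bad input."""
    if len(argv) < 4:
        return 1
    action, _user, ip = argv[1:4]
    if action != 'add':      # the 'delete' callback has nothing to undo here
        return 0
    if not valid_ip(ip):
        return 1
    with open(logfile, 'a') as fh:
        fh.write(format_line(ip, resolve(ip)) + '\n')
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

Point <executable> in the <command> block at geoip.py instead of geoip.sh (it must be executable and live in $OSSECHOME/active-response/bin), keep <expect>srcip</expect>, and try it by hand before restarting OSSEC: `./geoip.py add - 203.0.113.7 1 5501` appends one line to /var/log/geoip.log, while `./geoip.py add - "203.0.113.7; reboot" 1 5501` exits with status 1 and writes nothing.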
55. Other Examples
   • MySQL database integrity audit
   • USB-stick detection on Windows
   • Rogue access detection (using geo-localization)
   • Mapping data on Google Maps
   • Temporary lookup tables

56. Happy Logging!
   xavier (at) rootshell (dot) be
   wremes (at) gmail (dot) com