Blackhat Workshop
Transcript

  • 1. OSSEC Workshop. Wim Remes and Xavier Mertens, BH EU 2011, Thursday 17 March 2011
  • 2. About Us
    • Wim: works for EY Belgium, Security Consultant, Eurotrash, InfoSec Mentors, Brucon
    • Xavier: Senior Security Consultant for a Belgium company, Security Blogger, Brucon
  • 3. Technical Breakdown
  • 4. Technical Issues
    • Mix of OS / Application / Protocols
    • Thousands of events to process
    • Multiple consoles/tools
    • Keep Security at the highest level ("CIA" principle)
  • 5. Find the Differences...
    • Aug 27 14:33:01 macosx ipfw: 12190 Deny TCP 192.168.13.1:2060 192.168.13.104:5000 in via en1
    • %PIX-3-313001: Denied ICMP type=11, code=0 from 192.168.30.2 on interface 2
  • 6. Economic Issues
    • "Time is Money" (24x7, no downtime)
    • Reduced staff & budget
    • Happy shareholders
    • This costs $$$ and HH:MM! (Commercial as well as Free!)
  • 7. Legal Issues
    • Compliance requirements (by "group" or by business)
    • Local laws (retention, data protection)
    • Due diligence & due care
  • 8. Challenges
    • Creation and archiving of log files (centralized)
    • Analyze (Normalization)
    • Follow-up
    • Reporting
  • 9. Layers Model (top to bottom)
    • Reporting
    • Correlation
    • Search
    • Storage
    • Normalization
    • Log Collection
  • 10. OSSEC in a Nutshell: "Because everybody must take care of logs"
  • 11. Core Features
    • OSSEC is a free HIDS
    • Features
      • Log Analysis / File Integrity Checks
      • Policy Monitoring
      • Rootkit Detection
      • Actions (Alerts / Active Response)
      • Open to 3rd party products
  • 12. OSSEC Position: between Log Management Solutions (focus on logs) and SIEM Solutions (focus on security)
  • 13. OSSEC cannot...
    • Detect access to files (or based on info provided by the OS)
    • Use proprietary protocols > You have to convert them to Syslog (ex: CheckPoint)
    • Display nice graphs
    • OSSEC is just a (dumb) tool!
  • 14. It's not a product... (c) Bruce
    • Problems? Results!
    • Proof of Concept with limited scope
    • Test procedures from A to Z
    • Procedures! (yeah, boring)
  • 15. Starter's Kit
    • A Linux box
    • Enough Storage
    • Some UNIX/networking knowledge
    • Script-Fu can be helpful
    • Free time!
  • 16. Architecture
    • Server
    • Agents (UNIX & Windows)
    • DB (optional)
    • 3rd Party Products (optional)
  • 17. Software Components
        Component      Server   Agent
        logcollector     x        x
        agentd          (x)       x
        execd            x        x
        syscheckd        x        x
        analysisd        x
        maild            x
        remoted          x
        monitord         x
        reportd          x
        csyslogd         x
  • 18. Supported Log Formats
    • UNIX & tools
    • FTP / SMTP / HTTP servers
    • Firewalls
    • DB's
    • Security Tools
    • Commercial (CP, VMware, Bluecoat, ...)
    • Almost anything (custom decoders)
  • 19. Decoded Variables: location, command, hostname, url, log_tag, data, srcip, dstip, srcport, dstport, protocol, action, user, dstuser, id
  • 20. Server Installation
    • Harden Your Linux Server
    • Allow traffic to UDP/1514
    • ./install.sh && Answer questions
    • ./manage_agents && Create keys
  • 21. $HOME Sweet $HOME
    • ossec.conf
    • local_rules.xml
    • decoder.xml
    • ossec-logtest
  • 22. Agents Phone $HOME
    • Both directions UDP/1514!
    • Tools: manage_agents, list_agents, agent_control
  • 23. Centralized Management
    • $OSSECHOME/etc/shared/agent.conf
    • Setup config blocks as in ossec.conf:
        <agent_config name="myagent">
          <localfile>
            <location>/var/log/mylog</location>
            <log_format>syslog</log_format>
          </localfile>
        </agent_config>
  • 24. Reporting
    • Simple reporting is provided through ossec-reportd:
        -f <filter> <value>
        -r <filter> <value>
      Example:
        -f group authentication failed
        -f level 10 -f group authentication -r user srcip
  • 25. Reporting (cont)
    • Top-20 Offending IP addresses
    • Top-20 Offending users
    • Top-20 Suspicious alerts
    • Top-20 Triggered alerts
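The "-f" filters and "-r" grouping of slides 24 and 25, reproduced as an added Python example so the reporting step can be tried on sample data. This is not OSSEC's code: the alert records are constructed in the shape of OSSEC's alerts.log (the layout is an assumption), a "group" filter is treated as a substring match on the alert's groups, and a "level" filter as a minimum level.

```python
"""Added example, not ossec-reportd itself: filter alerts.log-style records and
produce the "top N" tables from slide 25. Assumptions: the record layout below,
substring matching for -f group, and "at least" semantics for -f level."""
import re
from collections import Counter

# Constructed records in the shape of alerts.log (not real data; rule ids taken from the slides).
SAMPLE_ALERTS = """\
** Alert 1300000001.100: - syslog,sshd,authentication_failed,
2011 Mar 17 10:00:01 lab->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.168.13.104
User: root
Mar 17 10:00:01 lab sshd[4242]: Failed password for root from 192.168.13.104 port 51000 ssh2

** Alert 1300000002.200: - syslog,sshd,authentication_failed,
2011 Mar 17 10:00:02 lab->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.168.13.104
User: admin
Mar 17 10:00:02 lab sshd[4243]: Failed password for admin from 192.168.13.104 port 51001 ssh2

** Alert 1300000003.300: - syslog,sshd,authentication_failures,
2011 Mar 17 10:00:03 lab->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 192.168.13.104
User: admin
Mar 17 10:00:03 lab sshd[4244]: Failed password for admin from 192.168.13.104 port 51002 ssh2

** Alert 1300000004.400: - syslog,sshd,authentication_failed,
2011 Mar 17 10:00:04 lab->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.7
User: root
Mar 17 10:00:04 lab sshd[4245]: Failed password for root from 10.0.0.7 port 40000 ssh2

** Alert 1300000005.500: - local,syslog,
2011 Mar 17 10:00:05 lab->/var/log/geoip.log
Rule: 100100 (level 10) -> 'Suspicious login from Belgium'
Mar 17 10:00:05 lab geoip: Detected 198.51.100.7 from BE, Belgium
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>[\d.]+): - (?P<groups>.*)$")
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def parse_alerts(text):
    """Split alerts.log-style text (records separated by blank lines) into dicts."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue                      # not an alert header: skip the block
        rec = {"groups": [g for g in m.group("groups").split(",") if g],
               "rule": None, "level": None, "srcip": None, "user": None}
        for line in lines[1:]:
            r = RULE_RE.match(line)
            if r:
                rec["rule"], rec["level"] = int(r.group("id")), int(r.group("level"))
                rec["description"] = r.group("desc")
            elif line.startswith("Src IP: "):
                rec["srcip"] = line[len("Src IP: "):]
            elif line.startswith("User: "):
                rec["user"] = line[len("User: "):]
        alerts.append(rec)
    return alerts


def apply_filters(alerts, filters):
    """Keep alerts satisfying every (field, value) pair, like repeated -f options."""
    kept = []
    for a in alerts:
        ok = True
        for field, value in filters:
            if field == "group":
                ok = any(value in g for g in a["groups"])
            elif field == "level":
                ok = a["level"] is not None and a["level"] >= int(value)
            elif field == "rule":
                ok = a["rule"] == int(value)
            else:
                ok = a.get(field) == value
            if not ok:
                break
        if ok:
            kept.append(a)
    return kept


def report(alerts, by, related=None, top=20):
    """Count alerts per value of `by` and list the related field's values, like -r."""
    counts = Counter(a[by] for a in alerts if a.get(by))
    rows = []
    for key, n in counts.most_common(top):
        row = {by: key, "count": n}
        if related:
            row[related] = sorted({a[related] for a in alerts if a.get(by) == key and a.get(related)})
        rows.append(row)
    return rows


if __name__ == "__main__":
    failed = apply_filters(parse_alerts(SAMPLE_ALERTS), [("group", "authentication"), ("level", "5")])
    for row in report(failed, "srcip", "user"):   # "-f group authentication -r srcip user"
        print(row)
```

Feeding a real alerts.log through parse_alerts is the only change needed to turn this into the "Top-20 Offending IP addresses" table; the filters compose the same way the slide's repeated -f options do.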
  • 26. Log Archives
    • Enable with the following keyword (default off): <logall>on</logall>
    • MD5/SHA1 for integrity
    • Raw event is stored! (evidence)
  • 27. Alerts Post Analysis
    • OSSEC has a WUI but outdated (IMHO)
    • Alternatives: Picviz, Prelude, Splunk or LaaS (Loggly)
        <syslog_output>
          <server>127.0.0.1</server>
          <port>10002</port>
        </syslog_output>
  • 28. Key Design & Implementation Issues
  • 29. Time Synchronization
    • Use NTP to synchronize your devices
    • Mandatory to investigate security incidents
  • 30. Access Raw Data
    • Safe & reliable collection of Syslog flows
    • Access to local files (agents)
  • 31. UDP 1514
    • OSSEC adds confidentiality (packets are encrypted) but still relies on UDP
    • No caching or heart-beat mechanism
  • 32. High Availability
    • Full Virtual IP + storage sync (Active/Passive)
    • Multiple Servers (Failover):
        # ossec.conf
        <client>
          <server-ip>192.168.0.10</server-ip>
          <server-ip>192.168.10.10</server-ip>
        </client>
        # internal_options.conf
        remoted.verify_msg_id=0
  • 33. Long Term Retention
    • $OSSECHOME/logs/archives/YYYY/MMM
    • Could fill your filesystem very quickly!
    • Procedure must be implemented for long term retention (ex: NAS, DVDs)
  • 34. Agents Mass-Deployment
    • ossec-batch-manager.pl (contrib)
    • Deployment tools: cfengine (UNIX), Active Directory (Windows)
    • New!!
      • Server: # /var/ossec/bin/ossec-authd -p 1515 >/dev/null 2>&1 &
      • Client: # /var/ossec/bin/agent-auth -m 192.168.1.1 -p 1515
  • 35. Building/Customizing OSSEC rules
  • 36. Basics
    • $OSSECHOME/rules
    • local_rules.xml
  • 37. Basics step 1: decoder.xml
        <decoder name="sshd">
          <program_name>^sshd</program_name>
        </decoder>
        <decoder name="sshd-success">
          <parent>sshd</parent>
          <prematch>^Accepted</prematch>
          <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port </regex>
          <order>user, srcip</order>
          <fts>name, user, location</fts>
        </decoder>
  • 38. Basics step 1: decoder.xml
        <decoder name="sshd">
          <program_name>^sshd</program_name>
        </decoder>
        <decoder name="ssh-denied">
          <parent>sshd</parent>
          <prematch>^User \S+ from </prematch>
          <regex offset="after_parent">^User (\S+) from (\S+) </regex>
          <order>user, srcip</order>
        </decoder>
  • 39. Basics step 2: /var/ossec/sshd_rules.xml
        <rule id="5700" level="0" noalert="1">
          <decoded_as>sshd</decoded_as>
          <description>SSHD messages grouped.</description>
        </rule>
        <rule id="5716" level="5">
          <if_sid>5700</if_sid>
          <match>^Failed|^error: PAM: Authentication</match>
          <description>SSHD authentication failed.</description>
          <group>authentication_failed,</group>
        </rule>
        <rule id="5720" level="10" frequency="6">
          <if_matched_sid>5716</if_matched_sid>
          <same_source_ip />
          <description>Multiple SSHD authentication failures.</description>
          <group>authentication_failures,</group>
        </rule>
  • 40. Basics step 3: $OSSECHOME/rules/local_rules.xml
        <rule id="100001" level="0">
          <if_sid>5711</if_sid>
          <srcip>1.1.1.1</srcip>
          <description>Example of rule that will ignore sshd </description>
          <description>failed logins from IP 1.1.1.1.</description>
        </rule>
    • Test with $OSSECHOME/bin/ossec-logtest
  • 41. Hands-on
  • 42. Lab Environment
    • ssh student@yourhost (Pass: 0SSEC4ever)
    • sudo -s
    • Stuff in $HOME/files/
    • Live Syslog feed received in /var/log/
    • Sendmail available
    • Do NOT abuse!
  • 43. Exercise #1
    • Install OSSEC (stand-alone)
    • Start collecting events
    • Play with configuration files
    • Send notifications via e-mail
  • 44. Exercise #2
    • Generate an (email) alert when accesses to Facebook are detected
  • 45. Solution #2
    • In $OSSECHOME/rules/local_rules.xml:
        <!-- Facebook detection rule -->
        <rule id="100030" level="10">
          <match>facebook.com</match>
          <description>Access to Facebook detected!</description>
        </rule>
    • Restart OSSEC
  • 46. Exercise #3
    • Monitor (decode) an unknown file format: /var/log/application.log
    • Report activity for the user 'admin'
    • Tip: Use ossec-logtest
  • 47. Solution #3
    • Log format: Mar 10 23:36:43 foo application[4583]: john created /data/report134.ppt
    • In $OSSECHOME/etc/decoder.xml:
        <decoder name="newapp">
          <program_name>application</program_name>
        </decoder>
        <decoder name="newapp-event">
          <parent>newapp</parent>
          <regex>^(\S+)</regex>
          <order>user</order>
        </decoder>
  • 48. Solution #3 (cont)
    • In $OSSECHOME/etc/ossec.conf:
        <localfile>
          <log_format>syslog</log_format>
          <location>/var/log/application.log</location>
        </localfile>
  • 49. Solution #3 (cont)
    • In $OSSECHOME/rules/local_rules.xml:
        <rule id="100040" level="0">
          <decoded_as>newapp</decoded_as>
          <description>New Application Event</description>
        </rule>
        <rule id="100041" level="10">
          <if_sid>100040</if_sid>
          <user>admin</user>
          <description>User admin activity detected</description>
        </rule>
    • Restart OSSEC
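The decoder and rule chain of the Basics slides (37 to 40) and of Solution #3 (slides 47 to 49) follow the same mechanics: a parent decoder keyed on program_name, child decoders with prematch/regex/order, then rules that chain through if_sid and if_matched_sid. The Python below is an added model of that chain, not OSSEC's analysisd, written so that both rule sets can be traced on sample lines. Assumptions: Python's re stands in for OSSEC's regex dialect, there is no timeframe on rule 5720, the last matching rule in list order wins, a "sshd-failed" decoder is constructed so that failed logins carry a srcip (the stock OSSEC decoder differs), and the ignore rule from slide 40 chains on 5716 because 5711 is not part of this reduced rule set.

```python
"""Added example, not OSSEC's code: a small model of the decoder -> rule chain from
slides 37-40 and Solution #3. See the lead-in for the simplifications assumed."""
import re
from collections import defaultdict

# Syslog header "Mon DD HH:MM:SS host prog[pid]: message"; decoders and rules see "message".
SYSLOG_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")

# Decoders from slides 37, 38 and 47; "sshd-failed" is constructed so failures carry a srcip.
DECODERS = [
    {"name": "sshd", "program_name": r"^sshd"},
    {"name": "sshd-success", "parent": "sshd", "prematch": r"^Accepted", "offset": "after_prematch",
     "regex": r"^ \S+ for (\S+) from (\S+) port ", "order": ["user", "srcip"]},
    {"name": "sshd-failed", "parent": "sshd", "prematch": r"^Failed \S+ ", "offset": "after_prematch",
     "regex": r"^for (\S+) from (\S+) port ", "order": ["user", "srcip"]},
    {"name": "ssh-denied", "parent": "sshd", "prematch": r"^User \S+ from ", "offset": "after_parent",
     "regex": r"^User (\S+) from (\S+) ", "order": ["user", "srcip"]},
    {"name": "newapp", "program_name": r"^application"},
    {"name": "newapp-event", "parent": "newapp", "regex": r"^(\S+)", "order": ["user"]},
]

# Rules from slides 39, 40 and 49; the ignore rule chains on 5716 (5711 is not in this set).
RULES = [
    {"id": 5700, "level": 0, "decoded_as": "sshd"},
    {"id": 5716, "level": 5, "if_sid": 5700, "match": r"^Failed|^error: PAM: Authentication"},
    {"id": 5720, "level": 10, "if_matched_sid": 5716, "frequency": 6, "same_source_ip": True},
    {"id": 100001, "level": 0, "if_sid": 5716, "srcip": "1.1.1.1"},
    {"id": 100040, "level": 0, "decoded_as": "newapp"},
    {"id": 100041, "level": 10, "if_sid": 100040, "user": "admin"},
]

def decode(line):
    """Run the decoder tree over one line; returns an event dict, or None if nothing matches."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    prog, msg = m.group("prog"), m.group("msg")
    parent = next((d["name"] for d in DECODERS if re.match(d.get("program_name", r"(?!)"), prog)), None)
    if parent is None:
        return None
    event = {"decoded_as": parent, "decoder": parent, "msg": msg}  # <decoded_as> names the parent
    for d in DECODERS:
        if d.get("parent") != parent:
            continue
        text = msg
        if "prematch" in d:
            pm = re.match(d["prematch"], msg)
            if not pm:
                continue
            if d.get("offset") == "after_prematch":
                text = msg[pm.end():]               # regex starts where the prematch stopped
        rm = re.match(d["regex"], text)
        if rm:
            event["decoder"] = d["name"]
            event.update(zip(d["order"], rm.groups()))
            break
    return event

def evaluate(event, state):
    """Return the final rule for an event, or None; state counts hits per (sid, srcip)."""
    matched, final = set(), None
    for r in RULES:
        if "decoded_as" in r and event["decoded_as"] != r["decoded_as"]:
            continue
        if "if_sid" in r and r["if_sid"] not in matched:
            continue
        if "if_matched_sid" in r:
            sid, ip = r["if_matched_sid"], event.get("srcip") if r.get("same_source_ip") else None
            hits = sum(n for (s, i), n in state.items() if s == sid and (ip is None or i == ip))
            if sid not in matched or hits + 1 < r["frequency"]:   # earlier hits plus this event
                continue
        if "match" in r and not re.search(r["match"], event["msg"]):
            continue
        if any(k in r and event.get(k) != r[k] for k in ("srcip", "user")):
            continue
        matched.add(r["id"])
        final = r
    if final is None or final["level"] == 0:
        return None                                     # grouped or ignored: no alert, no history
    for sid in matched:
        state[(sid, event.get("srcip"))] += 1
    return final

# Constructed sample: six failures from one IP, one from the ignored IP, a success, two app events.
SAMPLE_LINES = ["Mar 17 10:00:%02d lab sshd[42]: Failed password for root from 192.168.13.104 port %d ssh2"
                % (i, 51000 + i) for i in range(6)] + [
    "Mar 17 10:01:00 lab sshd[43]: Failed password for root from 1.1.1.1 port 2000 ssh2",
    "Mar 17 10:01:01 lab sshd[44]: Accepted password for alice from 10.0.0.7 port 40001 ssh2",
    "Mar 10 23:36:43 foo application[4583]: john created /data/report134.ppt",
    "Mar 10 23:36:44 foo application[4583]: admin deleted /data/report134.ppt",
]

def run(lines):
    """Feed lines through decode + evaluate; returns (line, rule id, level) for each alert."""
    state, alerts = defaultdict(int), []
    for line in lines:
        event = decode(line)
        rule = evaluate(event, state) if event else None
        if rule:
            alerts.append((line, rule["id"], rule["level"]))
    return alerts
```

Running run(SAMPLE_LINES) yields five level-5 alerts from rule 5716, then rule 5720 on the sixth failure from the same address, nothing for the ignored address, the successful login or the "john" event (their final rule has level 0), and rule 100041 for the "admin" line; this is the same trace ossec-logtest would show one line at a time.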
  • 50. Exercise #4
    • Suspicious access detection
    • Detect SSH access from Belgium
    • Tips: Use an Active-Response script; GeoIP API in $HOME/files/geoip
  • 51. Solution #4
    • Install the GeoIP RPM
    • Copy the new Active-Response script (geoip.sh) into $OSSECHOME/active-response/bin
    • Review the script content
  • 52. Solution #4 (cont)
    • Configure the Active-Response script in $OSSECHOME/etc/ossec.conf:
        <command>
          <name>geoip-lookup</name>
          <executable>geoip.sh</executable>
          <expect>srcip</expect>
        </command>
  • 53. Solution #4 (cont)
    • Find the right rules to attach the Active-Response to (ex: #5501 - Login session opened)
    • Link the Active-Response to the rule:
        <active-response>
          <command>geoip-lookup</command>
          <location>server</location>
          <rules_id>5501</rules_id>
        </active-response>
    • Restart OSSEC
  • 54. Solution #4 (cont)
    • Monitor the new logfile:
        <localfile>
          <location>/var/log/geoip.log</location>
          <log_format>syslog</log_format>
        </localfile>
    • Create a new rule:
        <rule id="100100" level="10">
          <regex>Detected \S+ from BE, Belgium</regex>
          <description>Suspicious login from Belgium</description>
        </rule>
    • Restart OSSEC and watch alerts.log
  • 55. Other Examples
    • MySQL database integrity audit
    • USB-stick detection on Windows
    • Rogue access detection (using geo-localization)
    • Mapping data on Google Maps
    • Temporary lookup tables
  • 56. Happy Logging! xavier (at) rootshell (dot) be, wremes (at) gmail (dot) com