Fosdem10
These are the slides of my talk on OSSEC at FOSDEM '10 in Brussels, Belgium.

http://www.fosdem.org

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,440
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
59
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Fosdem10

1. OSSEC: Know More, Protect Better

2. Wim Remes (maltego me)

3. BruCON: 22-23 September (training), 24-25 September (conference)
   http://www.brucon.org

4. Excaliburcon
   http://www.newcamelotcouncil.com
   2010 CFP to be announced soon

5. Eurotrash Security
   http://www.eurotrashsecurity.eu
   http://www.twitter.com/eurotrashsec
   feedback@eurotrashsecurity.eu

6. OSSEC
   - Daniel Cid
   - 2005
   - Third Brigade
   - Trend Micro
   - GPL v3

7. Agenda
   - Log Management
   - OSSEC Features
   - OSSEC Architecture
   - Log Analysis with OSSEC
   - Conclusion

8. Log Management: so easy the kid can do it ...

9. Sources?
   Users, applications (App, App, App, App) and systems.

10. Reasons
    Because we have to :-(  (98%: PCI-DSS, ISO 27K, HIPAA, SOX)
    Because we want to :-D  (2%)

11. Standards?
    - Syslog: 2001, RFC 3164; the non-standard standard
    - WELF, CBE, CEF: proprietary, and we know what happens then ...
    - IDMEF: academic, complex

12. What do we need?
    - Taxonomy
    - Syntax
    - Transport
    - Recommendations

13. Common Event Expression
    http://cee.mitre.org

14. OSSEC features

15. OSSEC features
    - Log Analysis
    - Integrity Control
    - Rootkit Detection

16. OSSEC architecture

17. OSSEC Architecture
    Agent host:  logcollector (root) -> Agent (chroot)
                   |  zlib compressed, Blowfish encrypted, UDP 1514
                   v
    Server host: Server (chroot) -> ossec-analysisd (chroot) -> ossec-maild (chroot), ossec-execd
    The logcollector is the part that runs as root, since it has to read the log files; the agent and the server-side analysis daemons run chrooted.

18. OSSEC Architecture
    Log sources feeding the server: Firewall, IDS, Switch, Router, SRV, Database, App1, App2, Clients (x5), Virtualization.

19. I can haz rules?

20. Log Analysis with OSSEC
21. Log Analysis with OSSEC
    Three stages: predecoding -> decoding -> analysis

22. Predecoding
    Log line:  Feb 24 10:12:23 beijing appdaemon:user john logged in from 10.10.10.10

      <decoder name="appdaemon">
        <program_name>appdaemon</program_name>
      </decoder>

    Predecoded fields:
      time/date    : Feb 24 10:12:23
      Hostname     : beijing
      Program_name : appdaemon
      Log          : user john logged in from 10.10.10.10

23. Predecoding
    Log line:  Feb 24 10:12:23 beijing switch:appdaemon quit unexpectedly

      <decoder name="pam">
        <prematch>^appdaemon</prematch>
      </decoder>

    Predecoding takes the program name from the syslog header, so here it is "switch", not "appdaemon"; a decoder without <program_name> is tried against the log text of any program, and its <prematch> has to select the line instead (the slide's "^appdaemon$" would not match, since $ anchors the end of the text).

    Predecoded fields:
      time/date    : Feb 24 10:12:23
      Hostname     : beijing
      Program_name : switch
      Log          : appdaemon quit unexpectedly

24. Decoding
    Log line:  Feb 24 10:12:23 beijing appdaemon:user john logged in from 10.10.10.10

      <decoder name="appdaemon-login">
        <parent>appdaemon</parent>
        <prematch>^user </prematch>
        <after_prematch>(\S+) logged in from (\S+)</after_prematch>
        <order>user,srcip</order>
      </decoder>

    <after_prematch> is applied to the text following the <prematch> hit; the captured groups are assigned, in order, to the fields named in <order>.

    Decoded fields:
      time/date    : Feb 24 10:12:23
      Hostname     : beijing
      Program_name : appdaemon
      user         : john
      srcip        : 10.10.10.10
      Log          : user john logged in from 10.10.10.10

25. Analysis
    Log line:  Feb 24 10:12:23 beijing appdaemon:user john logged in from 10.10.10.10

      <rule id="10001" level="3">
        <decoded_as>appdaemon</decoded_as>
        <match>logged in</match>
        <description>Successful login</description>
      </rule>

      <rule id="10002" level="7">
        <if_sid>10001</if_sid>
        <user>!john</user>
        <description>Ok, this was not John !!</description>
      </rule>

      <rule id="10003" level="7">
        <if_sid>10001</if_sid>
        <srcip>!10.10.10.0/24</srcip>
        <description>login from unauthorized network!!</description>
      </rule>

    Rules 10002 and 10003 are children of 10001 (<if_sid>): they are only evaluated once the parent matched, and "!" negates the field test. The decoded user is "john" in lower case, so the <user> test must be written that way too.

26. Analysis: The Rule Tree
    [Figure: rule tree with 10001 at the root, 10002 and 10005 as its children, and 10003, 10004, 10006, 10007, 10008 on the level below; a matching leaf leads to an ACTION.]

27. Advanced rule building
    os_regex library (fast, not full regex)
      \w -> A-Z, a-z, 0-9 characters
      \d -> 0-9 characters
      \s -> spaces " "
      \t -> tabs
      \p -> ()*+,-.:;<=>?[] (punctuation characters)
      \W -> anything not \w
      \D -> anything not \d
      \S -> anything not \s
      .  -> anything
      +  -> match one or more times (e.g. \w+ or \d+)
      *  -> match zero or more times (e.g. \w* or \p*)
      ^  -> beginning of the text
      $  -> end of the text
      |  -> "OR" between multiple patterns
    Note that \w is letters and digits only (no underscore) and \s is a literal space, which differs from PCRE.
    Used by: <regex> (rules), <regex> (decoders), <prematch> (decoders), <if_matched_regex> (rules)

28. Advanced rule building
    os_match library (more limited, faster)
      ^ -> beginning of the text
      $ -> end of the text
      | -> "OR" between multiple patterns
    Used by (rules only!): <match>, <user>, <url>, <id>, <status>, <hostname>, <program_name>, <srcport>, <dstport>
    Use this whenever possible! It beats the <regex> tag.
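The three stages of slides 21-25 and the two pattern libraries of slides 27-28, worked through in code. This is an added example written for this page, not OSSEC's own code: a toy Python re-implementation of predecoding, decoding and rule evaluation, with the os_regex and os_match cheat sheets translated into Python's re. The decoders and rules mirror the appdaemon example (with the slide's typos fixed), the log lines are constructed, and everything not on the slides is an assumption: the RFC 3164 header regex, treating characters the cheat sheet does not list as literals, and handling "!" negation inside os_match.

```python
"""Toy OSSEC-style predecode -> decode -> analyse pipeline (added example, not
OSSEC code). os_regex/os_match follow the slide cheat sheets; characters they
do not list are assumed literal. Decoders, rules and logs mirror the slides.
os_regex classes per slide 27: \\w has no '_' and \\s is a single space."""
import ipaddress
import re

_CLASSES = {"w": "[A-Za-z0-9]", "d": "[0-9]", "s": " ", "t": "\t",
            "p": r"[()*+,\-.:;<=>?\[\]]",
            "W": "[^A-Za-z0-9]", "D": "[^0-9]", "S": "[^ ]"}
_SPECIAL = set("+*^$|().")  # the only other metacharacters os_regex knows

def ossec_regex_to_python(pattern):
    """Translate an os_regex pattern into an equivalent Python re pattern."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):  # unknown escapes -> literal (assumption)
            out.append(_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
        else:
            out.append(ch if ch in _SPECIAL else re.escape(ch))
            i += 1
    return "".join(out)

def os_match(pattern, text):
    """os_match: substring search where only ^, $ and | are special; a leading
    '!' negates, as in the slide's <user>!john</user>."""
    negate = pattern.startswith("!")
    hit = False
    for alt in pattern.lstrip("!").split("|"):
        body, start, end = alt.strip("^$"), alt.startswith("^"), alt.endswith("$")
        if start and end:
            hit |= text == body
        elif start:
            hit |= text.startswith(body)
        elif end:
            hit |= text.endswith(body)
        else:
            hit |= body in text
    return hit != negate

# Stage 1: RFC 3164-style header (assumed): "Mon DD HH:MM:SS host prog[pid]: msg"
_SYSLOG = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:\[\s]+)(?:\[\d+\])?: ?(.*)$")

def predecode(line):
    """Split off the header; program_name is the token before the colon."""
    m = _SYSLOG.match(line)
    return m and dict(zip(("time", "hostname", "program_name", "log"), m.groups()))

DECODERS = [  # the slide's parent decoder and its child
    {"name": "appdaemon", "program_name": "appdaemon"},
    {"name": "appdaemon-login", "parent": "appdaemon", "prematch": "^user ",
     "after_prematch": r"(\S+) logged in from (\S+)", "order": ["user", "srcip"]},
]

def decode(ev):
    """Stage 2: pick a parent decoder by program_name, then try its children;
    <after_prematch> runs on the text after the <prematch> hit."""
    for dec in DECODERS:
        if "parent" in dec or not os_match(dec["program_name"], ev["program_name"]):
            continue
        ev["decoder"] = dec["name"]
        for child in (c for c in DECODERS if c.get("parent") == dec["name"]):
            pre = re.search(ossec_regex_to_python(child["prematch"]), ev["log"])
            m = pre and re.search(ossec_regex_to_python(child["after_prematch"]),
                                  ev["log"][pre.end():])
            if m:
                ev.update(zip(child["order"], m.groups()))
                break
        break
    return ev

RULES = [  # slide 25's rules
    {"id": 10001, "level": 3, "decoded_as": "appdaemon", "match": "logged in",
     "description": "Successful login"},
    {"id": 10002, "level": 7, "if_sid": 10001, "user": "!john",
     "description": "Ok, this was not John !!"},
    {"id": 10003, "level": 7, "if_sid": 10001, "srcip": "!10.10.10.0/24",
     "description": "login from unauthorized network!!"},
]

def _matches(rule, ev):
    if "decoded_as" in rule and ev.get("decoder") != rule["decoded_as"]:
        return False
    if "match" in rule and not os_match(rule["match"], ev["log"]):
        return False
    if "user" in rule and not ("user" in ev and os_match(rule["user"], ev["user"])):
        return False
    if "srcip" in rule:  # <srcip> takes an address or CIDR; '!' negates
        net = ipaddress.ip_network(rule["srcip"].lstrip("!"), strict=False)
        if "srcip" not in ev or (ipaddress.ip_address(ev["srcip"]) in net) == rule["srcip"].startswith("!"):
            return False
    return True

def analyze(line):
    """Stage 3: match a root rule, then descend via <if_sid>; deepest match wins."""
    ev = predecode(line)
    if not ev:
        return None
    decode(ev)
    fired = next((r for r in RULES if "if_sid" not in r and _matches(r, ev)), None)
    while fired:
        child = next((r for r in RULES if r.get("if_sid") == fired["id"] and _matches(r, ev)), None)
        if child is None:
            break
        fired = child
    return fired and {"rule": fired["id"], "level": fired["level"], "description":
                      fired["description"], "user": ev.get("user"), "srcip": ev.get("srcip")}

# Constructed sample input modelled on the slides' "beijing appdaemon" line.
SAMPLE_LOGS = [
    "Feb 24 10:12:23 beijing appdaemon: user john logged in from 10.10.10.10",
    "Feb 24 10:13:01 beijing appdaemon: user mallory logged in from 10.10.10.12",
    "Feb 24 10:14:55 beijing appdaemon: user john logged in from 192.0.2.7",
    "Feb 24 10:15:30 beijing switch: appdaemon quit unexpectedly",
]

if __name__ == "__main__":
    print(*map(analyze, SAMPLE_LOGS), sep="\n")
```

Running it gives a level-3 alert (10001) for john from 10.10.10.10, 10002 for mallory, 10003 for john from 192.0.2.7, and nothing for the switch line, which no decoder claims. On a real installation the same three stages for a pasted log line are shown by /var/ossec/bin/ossec-logtest.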
29. Integrity Checking

30. ossec.conf
      <syscheck>
        <!-- Frequency that syscheck is executed - default to every 22 hours -->
        <frequency>79200</frequency>

        <!-- Directories to check (perform all possible verifications) -->
        <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
        <directories check_all="yes">/bin,/sbin</directories>

        <!-- Files/directories to ignore -->
        <ignore>/etc/mtab</ignore>
        <ignore>/etc/mnttab</ignore>
      </syscheck>

31. ossec_rules.xml
      <rule id="550" level="7">
        <category>ossec</category>
        <decoded_as>syscheck_integrity_changed</decoded_as>
        <description>Integrity checksum changed.</description>
        <group>syscheck,</group>
      </rule>

      <rule id="551" level="7">
        <category>ossec</category>
        <decoded_as>syscheck_integrity_changed_2nd</decoded_as>
        <description>Integrity checksum changed again (2nd time).</description>
        <group>syscheck,</group>
      </rule>

      <rule id="552" level="7">
        <category>ossec</category>
        <decoded_as>syscheck_integrity_changed_3rd</decoded_as>
        <description>Integrity checksum changed again (3rd time).</description>
        <group>syscheck,</group>
      </rule>
      ...

32. syscheck commands
    /var/ossec/bin/syscheck_update -a                          (reset the integrity database of all agents)
    /var/ossec/bin/syscheck_control -l                         (list the available agents)
    /var/ossec/bin/syscheck_control -i [agentid]               (print the integrity changes recorded for an agent)
    /var/ossec/bin/syscheck_control -i [agentid] -f [filename] (details for one changed file)
33. Management

34. commands
    /var/ossec/bin/manage_agents              (run on the server to add/extract keys, on the agent to import them)
       >server
       >agent
    /var/ossec/bin/agent_control -lc          (list connected agents)
    /var/ossec/bin/agent_control -i [agentid] (show agent information)
    /var/ossec/bin/agent_control -r -a        (run integrity/rootkit checks on all agents now)
    /var/ossec/bin/agent_control -R [agentid] (restart an agent)
    /var/ossec/bin/agent_control -r -u [agentid] (run integrity/rootkit checks on one agent now)

35. Conclusion

36. Conclusion
    Nobody knows your system/application as well as you.
    OSSEC is a mature starting point for your log management needs.
    Tuning rules never stops!
    Questions? http://www.ossec.net

37. Thank you!
    wremes@gmail.com
    (all pictures = creative commons)