OSSEC @ ISSA Jan 21st 2010

These are the slides of my presentation at the ISSA Brussels-European Chapter about OSSEC and Log Management standards and principles.

Published in: Technology
1. OSSEC: Log and event management the open source way ...

2. Introduction
   • Me (thx 4 the nice intro, maltego me)
   • Bull (not the bovine kind ...)
   • Eurotrash information security podcast
   • Brucon, Excaliburcon, FOSDEM, ...

3. Agenda
   • Logging 101 (what, how, why, ...)
   • OSSEC technical overview
   • break
   • OSSEC installation and configuration
   • OSSEC rules
   • OSSEC event management

4. Logging: what?
   • Users
   • Systems
   • Network
   • Databases
   • Applications
   • .....

5. Logging: from?
   Firewalls, VPN, IDS/IPS, routers, switches, ...
   Servers, workstations, virtualisation, UPS, ...
   Anti-malware, applications, databases, ...

6. Logging: why?
   • System monitoring (performance, management, troubleshooting, ...)
   • Compliance (regulatory, audit, internal policy, ...)
   • Incident handling, forensics, ...

7. Compliance: PCI DSS
   6.4  Follow change control procedures for all changes to system components.
   10.  Track and monitor all access to network resources and cardholder data.
   12.  Maintain a policy that addresses information security for all employees and contractors.

8. The Problem
   • There is NO standard !!
   • There is NO guidance !!
   • There is NO consistency !!

9. Babel be thy name

10. We need to agree upon...
   • Format: what does a log message look like?
   • Content: what do we put in a log message?
   • Transport: how do we send it?
   • Guidelines: how do we approach logging? (ex. NIST SP 800-92)

11. It's time for a standard!

12. not Syslog
   • RFC 3164 (08/2001): The BSD syslog Protocol
   • It uses UDP
   • It's a garbage bin
   • It's a non-standard standard

13. Syslog Hell!
   • Jun 11 03:06:38 (none) login[3432]: ROOT LOGIN on `tty1`
   • Jan 19 22:52:56 LT1 gdm-session-worker[1659]: pam_unix(gdm:session): session opened for user wim by (uid=0)
   • Jan  4 09:38:10 LT1 su[3510]: pam_unix(su:session): session opened for user root by wim (uid=1000)

14. Syslog Hell!!
   • <57> Jan 10 12:10:34:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:frodo] [Source: 192.168.10.254] [localport:23] at ...
   • <13> Jan 18 10:15:45 2009 680 Security SYSTEM User Failure Audit ENTERPRISE ...

15. Can I continue?
   • Jan 19 20:12:56 LT1 mycrappyapp[3526]: I'm the awesome programmer behind this crappy app and since you asked me to log something I've chosen to use syslog to dump all these meaningless events in here so you will still have to call and pay me to get the bugs that I left in there because I was surfing the internet instead of working for you solved. Eat that! And BTW, my app crashed for no apparent reason. kthxbai !

16. I promise to stop
   • Feb 24 15:10:24 server transact[5402]: user geoff transferred 500 dollars using credit card # XXX
   • Apr  1 10:14:28 server MEDIC[6420]: user kathy logged in to module patient using password selma1970

17. Then what?
   • IDMEF (by IETF): XML based, complex, not widely adopted, academic
   • WELF (by WebTrends): proprietary, didn't scale

18. NEXT!
   • CBE (by IBM): also XML based; IBM didn't even use it!

19. The future?
   • Event taxonomy: standard terminology
   • Log syntax: consistent data elements and format
   • Log transport: standard communications mechanisms
   • Log recommendations: suggested events to log
20. OSSEC

21. Definition
   OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

22. SIEM (commercial)

23. Key Facts
   • 2005
   • Daniel Cid
   • Third Brigade
   • TrendMicro

24. Install Modes
   • Local: single client; Windows, AIX, Solaris, HP-UX, Linux
   • Server: central logging point (250 clients/server); AIX, Solaris, HP-UX, Linux
   • Client: reports to server; Windows, AIX, Solaris, HP-UX, Linux

25. Architecture (diagram)

26. Architecture (diagram; labels: syslog, syslog, virtualisation)

27. Architecture (diagram; labels: SIEM, virtualisation, virtualisation)

28. OSSEC Components
   • Agent: logcollector
   • Agent to server transport: zlib compressed, Blowfish encrypted, UDP 1514
   • Server: ossec-analysisd, ossec-maild, ossec-execd

29. Time for a break

30. ossec-analysisd
   Predecoding → Decoding → Analysis
31. Predecoding
   Feb 24 10:12:23 beijing appdaemon:stopped
     time/date    : Feb 24 10:12:23
     hostname     : beijing
     program_name : appdaemon
     log          : stopped

32. Predecoding
   Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10
     time/date    : Feb 25 12:00:47
     hostname     : beijing
     program_name : appdaemon
     log          : user john logged on from 10.10.10.10

33. Decoding
   Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10
     time/date    : Feb 25 12:00:47
     hostname     : beijing
     program_name : appdaemon
     log          : user john logged on from 10.10.10.10
     srcip        : 10.10.10.10
     user         : john

34. Analysis
   <rule id="666" level="0">
     <decoded_as>appdaemon</decoded_as>
     <description>appdaemon rule</description>
   </rule>
   <rule id="766" level="5">
     <if_sid>666</if_sid>
     <!-- unanchored: the decoded log on slide 33 starts with "user john",
          so an anchored ^logged on would never match -->
     <match>logged on</match>
     <description>successful logon</description>
   </rule>

35. Analysis
   <rule id="866" level="7">
     <if_sid>766</if_sid>
     <hostname>^beijing</hostname>
     <srcip>!192.168.10.0/24</srcip>
     <description>unauthorized logon!</description>
   </rule>
   <rule id="966" level="13">
     <if_sid>766</if_sid>
     <hostname>^shanghai</hostname>
     <user>!john</user>
     <description>unauthorized logon!</description>
   </rule>

36. Analysis (rule tree so far)
   666
   └── 766
       ├── 866
       └── 966

37. Analysis
   <rule id="1066" level="7">
     <if_sid>666</if_sid>
     <match>^login failed</match>
     <description>failed login!</description>
   </rule>
   <rule id="1166" level="9" frequency="10" timeframe="100">
     <if_matched_sid>1066</if_matched_sid>
     <same_source_ip />
     <description>Probable brute force!</description>
   </rule>

38. Analysis (complete rule tree)
   666
   ├── 766
   │   ├── 866
   │   └── 966
   └── 1066
       └── 1166
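The pipeline of slides 30 to 38, run end to end as an added example. This is not OSSEC code: it re-implements in Python what ossec-analysisd does with the slide's hypothetical appdaemon decoder and rules 666/766/866/966/1066/1166, so the predecode, decode, rule-tree descent and frequency/timeframe correlation can be observed on constructed log lines. The decoder regexes, the "login failed for user X from IP" message format and the sample lines are assumptions; rule 766 matches "logged on" unanchored, because the decoded log begins with "user". Field semantics follow OSSEC's documented behaviour ('^' anchors a match, '!' negates, srcip accepts CIDR, same_source_ip groups by srcip), but the exact count at which a real OSSEC frequency rule fires differs slightly from the configured value, so treat the threshold here as illustrative.

```python
"""Toy re-implementation of the ossec-analysisd stages shown on the slides.

Added example, not OSSEC source. Decoder patterns, sample log lines and the
failed-login message format are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# RFC 3164 line: "Mon DD HH:MM:SS host prog[pid]: message" (no year, no timezone).
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<log>.*)$')

# Decoder for the hypothetical appdaemon program (assumed message formats).
APPDAEMON_DECODERS = [
    re.compile(r'^user (?P<user>\S+) logged on from (?P<srcip>\S+)'),
    re.compile(r'^login failed for user (?P<user>\S+) from (?P<srcip>\S+)'),
]

# The slide's rules, transcribed from XML into dicts.
RULES = [
    {'id': 666, 'level': 0, 'decoded_as': 'appdaemon', 'descr': 'appdaemon rule'},
    {'id': 766, 'level': 5, 'if_sid': 666, 'match': 'logged on', 'descr': 'successful logon'},
    {'id': 866, 'level': 7, 'if_sid': 766, 'hostname': '^beijing',
     'srcip': '!192.168.10.0/24', 'descr': 'unauthorized logon!'},
    {'id': 966, 'level': 13, 'if_sid': 766, 'hostname': '^shanghai',
     'user': '!john', 'descr': 'unauthorized logon!'},
    {'id': 1066, 'level': 7, 'if_sid': 666, 'match': '^login failed', 'descr': 'failed login!'},
    {'id': 1166, 'level': 9, 'if_matched_sid': 1066, 'frequency': 10, 'timeframe': 100,
     'same_source_ip': True, 'descr': 'Probable brute force!'},
]


def predecode(line, year=2010):
    """Predecoding: split a syslog line into time, hostname, program_name, log."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # RFC 3164 carries no year; a real collector would assume the current one.
    ts = datetime.strptime(' '.join(m['ts'].split()), '%b %d %H:%M:%S')
    return {'time': ts.replace(year=year), 'hostname': m['host'],
            'program_name': m['prog'], 'log': m['log']}


def decode(event):
    """Decoding: pull srcip/user out of appdaemon messages."""
    if event['program_name'] == 'appdaemon':
        event['decoded_as'] = 'appdaemon'
        for rx in APPDAEMON_DECODERS:
            m = rx.match(event['log'])
            if m:
                event.update(m.groupdict())
                break
    return event


def ossec_match(pattern, value):
    """<match>/<hostname> style test: '|' separates alternatives, '^' anchors."""
    if value is None:
        return False
    for alt in pattern.split('|'):
        if alt.startswith('^'):
            if value.startswith(alt[1:]):
                return True
        elif alt in value:
            return True
    return False


def field_match(pattern, value, cidr=False):
    """Field test with optional leading '!' negation; a missing field never matches."""
    negate = pattern.startswith('!')
    if negate:
        pattern = pattern[1:]
    if value is None:
        return False
    try:
        hit = (ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
               if cidr else ossec_match(pattern, value))
    except ValueError:        # decoded srcip was not an address at all
        return False
    return hit != negate


class Analyzer:
    def __init__(self, rules):
        self.children = defaultdict(list)        # parent sid -> child rules
        for r in rules:
            self.children[r.get('if_sid', r.get('if_matched_sid'))].append(r)
        self.history = deque()                   # (time, generated sid, srcip)

    def _matches(self, rule, ev):
        if 'decoded_as' in rule and ev.get('decoded_as') != rule['decoded_as']:
            return False
        if 'match' in rule and not ossec_match(rule['match'], ev['log']):
            return False
        if 'hostname' in rule and not field_match(rule['hostname'], ev['hostname']):
            return False
        if 'user' in rule and not field_match(rule['user'], ev.get('user')):
            return False
        if 'srcip' in rule and not field_match(rule['srcip'], ev.get('srcip'), cidr=True):
            return False
        if 'if_matched_sid' in rule:
            # Correlation: earlier events that generated the parent sid inside the
            # timeframe, restricted to the same srcip when same_source_ip is set.
            since = ev['time'] - timedelta(seconds=rule['timeframe'])
            earlier = sum(1 for t, sid, ip in self.history
                          if t >= since and sid == rule['if_matched_sid']
                          and (not rule.get('same_source_ip') or ip == ev.get('srcip')))
            if earlier + 1 < rule['frequency']:  # the current event counts as well
                return False
        return True

    def _walk(self, ev, parent=None):
        """Depth-first descent: the deepest matching rule generates the alert."""
        for rule in self.children[parent]:
            if self._matches(rule, ev):
                return self._walk(ev, rule['id']) or rule
        return None

    def process(self, line):
        """Returns (sid, level) of the alert for this line, or None."""
        ev = predecode(line)
        if ev is None:
            return None
        rule = self._walk(decode(ev))
        if rule is None:
            return None
        self.history.append((ev['time'], rule['id'], ev.get('srcip')))
        while self.history and self.history[0][0] < ev['time'] - timedelta(hours=1):
            self.history.popleft()
        return None if rule['level'] == 0 else (rule['id'], rule['level'])


def analyze_lines(lines):
    an = Analyzer(RULES)
    return [an.process(line) for line in lines]


# Constructed sample traffic (not real logs): three logons, a stop message, an
# unrelated sshd line, ten failed logins from one address inside 100 s, one
# from another address, and a late one outside the timeframe.
DEMO_LINES = [
    'Feb 25 12:00:47 beijing appdaemon:user john logged on from 10.10.10.10',
    'Feb 25 12:00:49 beijing appdaemon:user john logged on from 192.168.10.7',
    'Feb 25 12:00:52 shanghai appdaemon:user mary logged on from 192.168.10.5',
    'Feb 25 12:01:00 beijing appdaemon:stopped',
    'Feb 25 12:01:05 beijing sshd[1200]: Accepted password for wim from 10.0.0.5 port 4444 ssh2',
] + [f'Feb 25 12:02:{i:02d} beijing appdaemon:login failed for user bob from 203.0.113.9'
     for i in range(10)] + [
    'Feb 25 12:02:11 beijing appdaemon:login failed for user bob from 198.51.100.4',
    'Feb 25 12:10:00 beijing appdaemon:login failed for user bob from 203.0.113.9',
]

if __name__ == '__main__':
    for line, result in zip(DEMO_LINES, analyze_lines(DEMO_LINES)):
        print(f'{result!s:>12}  {line}')
```

Running it shows the first logon escalating to 866 (level 7) because 10.10.10.10 is outside 192.168.10.0/24, the same user from inside the range staying at 766 (level 5), mary on shanghai hitting 966 (level 13), and the tenth failed login from 203.0.113.9 turning into 1166 while the single attempt from 198.51.100.4 and the attempt ten minutes later stay at 1066.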
39. ossec.conf: active response
   <command>
     <name>host-deny</name>
     <executable>host-deny.sh</executable>
     <expect>srcip</expect>
     <timeout_allowed>yes</timeout_allowed>
   </command>
   <active-response>
     <!-- must name a defined <command>; the original slide had "command2" here -->
     <command>host-deny</command>
     <location>local</location>
     <rules_id>1166</rules_id>
     <timeout>600</timeout>
   </active-response>
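What the executable behind that <command> block has to do, as an added example and not OSSEC's own host-deny.sh. OSSEC runs the active-response executable with the arguments add|delete, user and srcip (the srcip comes from <expect>srcip</expect>, and delete is sent when the <timeout> expires). The address is taken from a log line the attacker partly controls, so the script validates it before writing to hosts.deny and refuses a never-block list so that spoofed or internal sources cannot lock the server out of itself. The never-block ranges, the hypothetical script name host-deny.py and the parameterised hosts.deny path are assumptions; the file path is a parameter so the logic can be exercised on a scratch file.

```python
"""Hypothetical host-deny.py for an OSSEC active response (added example).

Invoked by ossec-execd as:  host-deny.py add|delete <user> <srcip>
Adds or removes a TCP Wrappers entry; the hosts.deny path is a parameter.
"""
import fcntl
import ipaddress
import os
import sys
import tempfile

# Assumption: ranges that must never be blocked (loopback, the management LAN
# from the slide's rule 866). Tune for your site.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ('127.0.0.0/8', '::1/128', '192.168.10.0/24')]
HOSTS_DENY = '/etc/hosts.deny'


def validate_ip(raw):
    """Return the canonical address string, or None if raw must not be blocked."""
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:            # 'ALL', shell metacharacters, hostnames, ...
        return None
    if any(ip in net for net in NEVER_BLOCK):
        return None
    return str(ip)


def _entry(ip):
    # TCP Wrappers syntax; IPv6 addresses are bracketed in hosts.deny.
    return f'ALL: [{ip}]\n' if ':' in ip else f'ALL: {ip}\n'


def apply_action(action, raw_ip, path=HOSTS_DENY):
    """Add or delete the deny entry. Returns True when the file was changed."""
    ip = validate_ip(raw_ip)
    if ip is None or action not in ('add', 'delete'):
        return False
    entry = _entry(ip)
    with open(path + '.lock', 'w') as lock:      # serialise concurrent responses
        fcntl.flock(lock, fcntl.LOCK_EX)
        try:
            with open(path) as f:
                lines = f.readlines()
        except FileNotFoundError:
            lines = []
        if action == 'add':
            if entry in lines:                   # idempotent: already blocked
                return False
            new_lines = lines + [entry]
        else:
            new_lines = [l for l in lines if l != entry]
            if new_lines == lines:
                return False
        # Write a temp file and rename it, so a crash cannot leave hosts.deny truncated.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or '.')
        with os.fdopen(fd, 'w') as f:
            f.writelines(new_lines)
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)
        return True


if __name__ == '__main__':
    if len(sys.argv) < 4:
        sys.exit('usage: host-deny.py add|delete <user> <srcip>')
    sys.exit(0 if apply_action(sys.argv[1], sys.argv[3]) else 1)
```

Two points worth carrying into any active-response script: whatever <expect> hands over is attacker-influenced data and must be validated, never interpolated into a shell command; and because the slide's rule 1166 fires on source address alone, a never-block list is what stops a forged source from knocking out the OSSEC server or a gateway.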
40. ossec.conf: syscheck
   <syscheck>
     <!-- Frequency that syscheck is executed - default to every 22 hours -->
     <frequency>79200</frequency>
     <!-- Directories to check (perform all possible verifications) -->
     <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
     <directories check_all="yes">/bin,/sbin</directories>
     <!-- Files/directories to ignore -->
     <ignore>/etc/mtab</ignore>
     <ignore>/etc/mnttab</ignore>
     <ignore>/etc/hosts.deny</ignore>
     ...
   </syscheck>
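What check_all="yes" and <ignore> amount to, as an added example that is not OSSEC's syscheck: take a baseline of size, mode, owner, group, MD5 and SHA-1 for every file under the configured directories, skip the ignore list (/etc/hosts.deny is ignored because the active response above rewrites it), and on the next run report added, deleted and modified files in the style of syscheck's alerts. Directories, ignore list and the baseline file are parameters so it can be run on a scratch tree; MD5 is included only to mirror what syscheck records, not as a security primitive.

```python
"""Minimal syscheck-style file integrity baseline and diff (added example)."""
import hashlib
import json
import os
import stat


def file_fingerprint(path):
    """The attributes syscheck compares for check_all="yes"."""
    st = os.lstat(path)
    rec = {'size': st.st_size, 'mode': oct(stat.S_IMODE(st.st_mode)),
           'uid': st.st_uid, 'gid': st.st_gid}
    if stat.S_ISREG(st.st_mode):
        md5, sha1 = hashlib.md5(), hashlib.sha1()
        with open(path, 'rb') as f:
            for chunk in iter(lambda: f.read(65536), b''):
                md5.update(chunk)
                sha1.update(chunk)
        rec['md5'], rec['sha1'] = md5.hexdigest(), sha1.hexdigest()
    return rec


def _ignored(path, ignore):
    # <ignore> entries match a file exactly or a directory prefix.
    return any(path == ig or path.startswith(ig.rstrip('/') + '/') for ig in ignore)


def scan(directories, ignore=()):
    """Walk the <directories> entries and fingerprint every file not ignored."""
    baseline = {}
    for d in directories:
        for root, _dirs, files in os.walk(d):     # symlinks are not followed
            for name in files:
                p = os.path.join(root, name)
                if not _ignored(p, ignore):
                    baseline[p] = file_fingerprint(p)
    return baseline


def diff(old, new):
    """Compare two scans; returns (kind, path, changed_attributes) tuples."""
    events = []
    for p in sorted(set(old) | set(new)):
        if p not in old:
            events.append(('added', p, None))
        elif p not in new:
            events.append(('deleted', p, None))
        else:
            changed = [k for k in new[p] if old[p].get(k) != new[p][k]]
            if changed:
                events.append(('modified', p, changed))
    return events


def format_events(events):
    """Render events in the spirit of syscheck's alert text."""
    out = []
    for kind, path, changed in events:
        if kind == 'modified':
            out.append(f"Integrity checksum changed for: '{path}' ({', '.join(changed)})")
        elif kind == 'added':
            out.append(f"New file '{path}' added to the file system.")
        else:
            out.append(f"File '{path}' was deleted.")
    return out


def run_check(directories, ignore, baseline_file):
    """One scheduled run: load the previous baseline, diff, store the new one."""
    try:
        with open(baseline_file) as f:
            old = json.load(f)
    except FileNotFoundError:
        old = None
    new = scan(directories, ignore)
    with open(baseline_file, 'w') as f:
        json.dump(new, f)
    return [] if old is None else diff(old, new)


if __name__ == '__main__':
    # Mirrors the slide's configuration; real runs need root to read /etc fully.
    events = run_check(['/etc', '/usr/bin', '/usr/sbin', '/bin', '/sbin'],
                       ['/etc/mtab', '/etc/mnttab', '/etc/hosts.deny'],
                       '/var/ossec/queue/syscheck/example-baseline.json')
    print('\n'.join(format_events(events)) or 'no changes')
```

A first run only records the baseline (there is nothing to compare against), which is why an agent deployed on an already-compromised host will happily treat the backdoor as normal; scheduling with <frequency> is what produces the second scan that actually alerts.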
41. ossec.conf: rootcheck
   <rootcheck>
     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
     <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
     <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
     <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
     <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
     <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
   </rootcheck>

42. ossec.conf: varia
   <ossec_config>
     <alerts>
       <log_alert_level>1</log_alert_level>
     </alerts>
     <localfile>
       <log_format>syslog</log_format>
       <location>/var/log/secure.log</location>
     </localfile>
     <!-- rules global entry -->
     <rules>
       <include>rules_config.xml</include>
       <include>pam_rules.xml</include>
       <include>sshd_rules.xml</include>
       <include>telnetd_rules.xml</include>
       ...
     </rules>
   </ossec_config>
43. Management
   /var/ossec/bin/
     ossec-control stop|start|restart
     manage_agents
       (server) manage agent keys
       (client) import key

44. Management
   agent_control -lc          list connected agents
   agent_control -i [id]      show information about one agent
   agent_control -R [id]      restart an agent
   agent_control -r -a        run syscheck/rootcheck on all agents now
   agent_control -r -i [id]   run syscheck/rootcheck on one agent now

45. Management
   syscheck_control -lc                  list agents with a syscheck database
   syscheck_control -i [id]              print the syscheck database of an agent
   syscheck_control -i [id] -f [file]    print the recorded changes of one file

46. Centralized Management
   /var/ossec/etc/shared/agent.conf
     distributed to all agents
     specify config per client id
     specify config per OS
     pushed by server
     same syntax as ossec.conf

47. Rolling out
   Deploy → Customize → Monitor → Analyze

48. Thank you!
   wim.remes@bull.be
   +32 495 58 59 12
   http://www.twitter.com/wimremes
   wim@eurotrashsecurity.eu
   www.eurotrashsecurity.eu (itunes)
   http://www.ossec.net
   http://www.slideshare.net/anton_chuvakin