Configuration

Setting up OSSEC - Step by step — Daniel Cid v2013 (published Apr/2012)

People often ask me how I like to set up OSSEC or how I use it internally on my own servers. I always do a set of customizations to make sure I use it the best way possible. In this article I will go through those steps one by one, and hopefully it can be helpful to other OSSEC users out there. Note that I will be focusing on a standalone install, but the principles apply to the agent/manager setup as well.

File Monitoring — OSSEC v2.7.0 documentation

OSSEC has a process named ossec-logcollector that monitors the configured log files for new events. When new log messages arrive, it forwards them to other processes for analysis or for transport to an OSSEC server.

Create Custom decoder and rules — OSSEC v2.7.0 documentation

One of the main features of OSSEC is monitoring system and application logs. Many popular services have logs and decoders, but there are hundreds that are not covered, and custom applications and services will not be covered either. Adding decoders and rules for services is generally very easy.

Vulnerability Management: OSSEC & Secunia PSI

“Vulnerability Management”: this is an important topic for your corporate security. One of the steps in this process is the monitoring of your applications and operating systems. With hundreds (thousands?) of devices connected to your network, how do you keep an eye on the applications and patches installed on all of them? There are plenty of vulnerability management tools which allow you to track and install patches from a central place.

This Blog is Monitored by OSSEC

As part of the second edition of the OSSEC week, I'd like to give some information about my daily usage of OSSEC.
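The "Create Custom decoder and rules" entry above says that adding a decoder and rules for an uncovered application is easy, but gives no example. The block below is an added example, my own Python and not code from the OSSEC documentation or from any of the posts linked here. It models the three pieces a custom OSSEC integration needs: a decoder that is selected by program name, narrowed by a prematch and extracts fields in a declared order; a child rule keyed on a decoded field; and a frequency/timeframe rule over that child. The application "myapp" and its log lines are constructed for the example, the rule ids sit in the 100000+ range OSSEC keeps for local rules, and the evaluation is a deliberate simplification (rules are tried in order, a child fires only if its parent fired on the same event, one alert per burst), not the real ossec-analysisd. In OSSEC itself these pieces are XML in local_decoder.xml and local_rules.xml; the logic is what the block shows.

```python
import re
from collections import defaultdict, deque

# Constructed sample lines from a hypothetical application "myapp" (the format is assumed).
SAMPLE_LOGS = [
    "Mar 10 10:00:01 web1 myapp[1234]: LOGIN FAILED user=alice src=203.0.113.7",
    "Mar 10 10:00:05 web1 myapp[1234]: LOGIN FAILED user=bob src=203.0.113.7",
    "Mar 10 10:00:09 web1 myapp[1234]: LOGIN FAILED user=carol src=203.0.113.7",
    "Mar 10 10:00:12 web1 myapp[1234]: LOGIN OK user=alice src=198.51.100.4",
    "Mar 10 10:00:14 web1 myapp[1234]: LOGIN FAILED user=dave src=203.0.113.7",
    "Mar 10 10:00:15 web1 myapp[1234]: LOGIN FAILED user=eve src=198.51.100.4",
]

# Syslog-style header; OSSEC's pre-decoder extracts the same fields (timestamp, host, program).
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Decoder, mirroring the parts of an OSSEC <decoder>: program_name selects it,
# prematch narrows it, regex + order extract named fields from the message.
DECODER = {
    "name": "myapp",
    "program_name": "myapp",
    "prematch": re.compile(r"^LOGIN "),
    "regex": re.compile(r"^LOGIN (\w+) user=(\S+) src=(\S+)$"),
    "order": ["status", "user", "srcip"],
}

# Rules in the local (100000+) id range: a silent base rule on the decoder, a child rule
# on failed logins, and a frequency rule over the child (OSSEC's frequency/timeframe idea).
RULES = [
    {"id": 100001, "level": 0, "decoded_as": "myapp", "description": "myapp event"},
    {"id": 100002, "level": 5, "if_sid": 100001, "field": ("status", "FAILED"),
     "description": "myapp login failed"},
    {"id": 100003, "level": 10, "if_matched_sid": 100002, "frequency": 4, "timeframe": 60,
     "same_source_ip": True, "description": "myapp brute force from one source"},
]


def decode(line):
    """Pre-decode the syslog header, then apply DECODER; returns an event dict or None."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["decoder"] = None
    if ev["prog"] == DECODER["program_name"] and DECODER["prematch"].search(ev["msg"]):
        r = DECODER["regex"].match(ev["msg"])
        if r:
            ev["decoder"] = DECODER["name"]
            ev.update(zip(DECODER["order"], r.groups()))
    return ev


def _seconds(ts):
    """Seconds since midnight from the 'HH:MM:SS' part of the syslog timestamp."""
    h, m, s = ts.split()[-1].split(":")
    return int(h) * 3600 + int(m) * 60 + int(s)


class RuleEngine:
    """Evaluates RULES in order; a rule with if_sid/if_matched_sid needs its parent
    to have fired on the same event. A simplification of ossec-analysisd."""

    def __init__(self, rules):
        self.rules = rules
        self.windows = defaultdict(deque)  # (rule id, srcip or None) -> match timestamps

    def evaluate(self, ev):
        fired = None
        for rule in self.rules:
            if "decoded_as" in rule and ev.get("decoder") != rule["decoded_as"]:
                continue
            if "if_sid" in rule and (fired is None or fired["id"] != rule["if_sid"]):
                continue
            if "field" in rule and ev.get(rule["field"][0]) != rule["field"][1]:
                continue
            if "if_matched_sid" in rule:
                if fired is None or fired["id"] != rule["if_matched_sid"]:
                    continue
                key = (rule["id"], ev.get("srcip") if rule.get("same_source_ip") else None)
                now = _seconds(ev["ts"])
                win = self.windows[key]
                win.append(now)
                while win and now - win[0] > rule["timeframe"]:
                    win.popleft()
                if len(win) < rule["frequency"]:
                    continue
                win.clear()  # one alert per burst
            fired = rule
        return fired


def run(lines):
    """Feed lines through decode + rules; return (rule id, level, srcip) for alerting rules."""
    engine = RuleEngine(RULES)
    alerts = []
    for line in lines:
        ev = decode(line)
        if ev is None:
            continue
        rule = engine.evaluate(ev)
        if rule and rule["level"] > 0:
            alerts.append((rule["id"], rule["level"], ev.get("srcip")))
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print(alert)
```

Run on the constructed lines, the four failures from 203.0.113.7 within 60 seconds raise the level-10 rule once, while the single failure from 198.51.100.4 stays at level 5; the successful login produces no alert because the base rule is level 0. The same shape (silent parent, specific child, frequency rule on the child) is how the OSSEC XML would be laid out.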

Detecting USB Storage Usage with OSSEC

(Credits: Erik Araujo - sxc.hu) Next step in my investigations with OSSEC. The possibilities of OSSEC are awesome and could clearly, in some cases, replace a commercial log management solution! After collecting the Secunia vulnerabilities into OSSEC, I switched to the “dark side”: the Microsoft Windows agent. USB sticks are very popular among users and are a nightmare for system administrators. It's so easy to walk away with files containing critical data or to inject malicious code into the network via suspicious USB sticks. First of all, this solution is certainly not bullet-proof!

Use your Logs to Detect Fraud

I was invited by the ISSA Belgium chapter to talk last night about log management & SIEM (“Security Information and Event Management”). This is a very interesting topic but almost everything has been said (good and bad) about SIEM. I decided to innovate and to use some articles posted on this blog as practical examples of fraud detection. After the theory, some practice is always welcome! Let's make your logs more valuable… Fraud can be defined as “a deliberate deception, trickery, or cheating intended to gain an advantage”.

OSSEC Speaks “ArcSight”

Log management… A hot topic! There are plenty of solutions to manage your logs. Like in all IT domains, there are two major categories: free and commercial tools.

Auditing MySQL DB Integrity with OSSEC

Databases are a core component of a lot of applications and websites. Almost everything is stored in databases. Take a standard e-commerce website: in its databases we can find a lot of business-critical information about customers (PII), articles, prices, stock, payments (PCI), orders, logs, sessions, etc. Like any component of an IT infrastructure, databases must be properly monitored from a security point of view. They are often an Achilles' heel because of security issues; common problems are a lack of access control on the SQL commands allowed, or bad passwords.

Of course, MySQL already implements some logging features, configured via your my.cnf file or on the command line. The most important log is the query log, but it is a “performance killer”: logging all queries may use a lot of resources (CPU, storage), and the resulting volume of events can be a pain to process.

Detecting Fraud with OSSEC

For a while now, it looks like “fraud detection” has been a hot topic for many SIEM (“Security Information and Event Management”) vendors.

Implementing Active Lists in OSSEC

The second OSSEC week just ended. Here is a reflection about a feature that does not exist (yet?) in OSSEC. The goal of a SIEM (“Security Information and Event Management”) is to collect logs from multiple heterogeneous sources and process them to add some extra value to the events. To achieve this, powerful correlation engines can be used to create rules that match different types of events coming from different sources and create a single security incident:

if (condition1 && condition2 && condition3) { create_security_alert(); }

Once created, the security incident must be processed. An interesting feature in some commercial SIEM implementations is the ability to create “active lists”. Why use active lists? To:

- Store an item in the list
- Query the list for one or more items

Queries can be performed by the same correlation engine or re-used by third-party applications, as on the schema in the original post.

Detecting Defaced Websites with OSSEC

In the scope of the OSSEC Week, here is a quick contribution which can greatly help you monitor suspicious changes on a website. Today, your corporate website is the very first contact you have with your customers, partners, press, etc. It's your window to the world.

Mapping OSSEC Alerts with AfterGlow

This week is the third annual OSSEC week! A good initiative to promote this open source log management solution. This post is my first contribution to the OSSEC community; I hope to publish more posts if I have enough time. OSSEC is an excellent tool to collect and analyze the events generated by your (multiple) hosts and applications. But, being based on a command line interface, OSSEC lacks “visibility” (IMHO).

Tracking Malicious IP & Users with OSSEC

A few months ago I blogged about Active Lists in OSSEC. Active lists are common in SIEM environments to store temporary sensitive data like IP addresses, user names or any other relevant information. Once stored in active lists, data can be reused in rules and the security of an infrastructure can be increased.
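For the "Implementing Active Lists in OSSEC" and "Tracking Malicious IP & Users with OSSEC" entries above, here is an added example of the store-then-query pattern they describe. It is my own Python, not Xavier Mertens' implementation and not a feature of OSSEC: a small active list whose entries age out after a TTL, and a correlation that uses it. The first rule stores a source IP after three failed logins inside a minute; the second queries the list so that a later successful login from a stored IP, an ordinary event on its own, becomes a high-level alert. The events are constructed and already decoded (what a decoder would hand to the rule engine), and carry a logical clock in seconds so that the TTL expiry is deterministic.

```python
import time
from collections import defaultdict


class ActiveList:
    """A set whose entries expire `ttl` seconds after they were (re)added,
    the way an active list in a commercial SIEM ages out its items."""

    def __init__(self, ttl, clock=time.time):
        self.ttl = ttl
        self.clock = clock      # injectable so the demo can drive a logical clock
        self._expiry = {}       # value -> expiry timestamp

    def add(self, value):
        self._expiry[value] = self.clock() + self.ttl

    def _purge(self):
        now = self.clock()
        for value, exp in list(self._expiry.items()):
            if exp <= now:
                del self._expiry[value]

    def __contains__(self, value):
        self._purge()
        return value in self._expiry

    def __len__(self):
        self._purge()
        return len(self._expiry)


# Constructed, already-decoded events; "t" is seconds on a logical clock.
EVENTS = [
    {"t": 0,    "status": "FAILED", "user": "alice", "srcip": "203.0.113.7"},
    {"t": 10,   "status": "FAILED", "user": "bob",   "srcip": "203.0.113.7"},
    {"t": 20,   "status": "FAILED", "user": "root",  "srcip": "203.0.113.7"},   # 3rd failure: ip stored
    {"t": 900,  "status": "OK",     "user": "bob",   "srcip": "203.0.113.7"},   # stored ip: alert
    {"t": 1000, "status": "OK",     "user": "alice", "srcip": "198.51.100.4"},  # clean ip: nothing
    {"t": 5000, "status": "OK",     "user": "bob",   "srcip": "203.0.113.7"},   # TTL expired: nothing
]


def correlate(events, failures=3, window=60, ttl=3600):
    """Return (alerts, bad_ips). Rule 1 stores brute-forcing IPs in the active list;
    rule 2 queries it to upgrade a later successful login from such an IP."""
    clock = {"now": 0}
    bad_ips = ActiveList(ttl, clock=lambda: clock["now"])
    recent_failures = defaultdict(list)   # srcip -> failure timestamps inside `window`
    alerts = []
    for ev in events:
        clock["now"] = ev["t"]
        ip = ev["srcip"]
        if ev["status"] == "FAILED":
            recent_failures[ip] = [t for t in recent_failures[ip] if ev["t"] - t <= window]
            recent_failures[ip].append(ev["t"])
            if len(recent_failures[ip]) >= failures:
                bad_ips.add(ip)                                   # store
                recent_failures[ip] = []
                alerts.append((ev["t"], 10, f"brute force from {ip}"))
        elif ev["status"] == "OK" and ip in bad_ips:              # query
            alerts.append((ev["t"], 12, f"login by {ev['user']} from listed ip {ip}"))
    return alerts, bad_ips


if __name__ == "__main__":
    for alert in correlate(EVENTS)[0]:
        print(alert)
```

The point of the second rule is context: the login at t=900 is syntactically identical to the one at t=5000, and only the list, with its TTL, distinguishes them. The same list can be queried by a third-party tool, as the entry says, because it is just a store with a membership check.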

Monitoring pastebin.com within your SIEM

(Source: pastebin.com) For those who (still) don't know pastebin.com, it's a website mainly for developers. Its purpose is very simple: you can “paste” text on the website to share it with other developers, friends, etc. You paste it, optionally define an expiration date and whether it's public or private data, and you are good. But for a while now, this online service has been used more and more to post “sensitive” information like passwords or email lists. By “sensitive”, I mean “stolen” or “leaked” data.

Attackers Geolocation in OSSEC

If you follow my blog on a regular basis, you probably already know that I'm a big fan of OSSEC. I'm using it to monitor all my personal systems (servers, labs, websites, etc). Being a day-to-day user, I always have new ideas to extend the product, by using 3rd party tools or by adding features. One of the missing features (at least for me) is the lack of information when an alert is generated. Tracking the attackers' source IP addresses is very nice.

Malicious DNS Traffic: Detection is Good, Proactivity is Better

It looks like our beloved DNS protocol is again the center of interest for some security $VENDORS. For a while now, I have been seeing the expression “DNS Firewall” more and more in papers or presentations.

Improving File Integrity Monitoring with OSSEC

FIM or “File Integrity Monitoring” can be defined as the process of validating the integrity of operating system and application files, using a verification method based on a hashing algorithm like MD5 or SHA1 and comparing the current file state with a baseline. A hash will allow the detection of changes to file content, but other information can be checked too: owner, permissions, modification time.
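The last entry defines FIM as a hash plus a comparison of owner, permissions and modification time against a baseline. The block below is an added example of that baseline-and-compare loop, my own Python and neither OSSEC's syscheck nor code from the post. It runs against a throwaway temporary tree so it touches no real system files. The tampering it detects is constructed: one file is edited and then has its mtime put back to the baseline value, which a timestamp-only check would miss but the hash catches; another is chmod'ed, which leaves content and mtime alone but changes the mode; a third file is added. SHA-256 is used instead of the MD5/SHA1 the entry mentions.

```python
import hashlib
import os
import stat
import tempfile

FIXED_MTIME = 1_600_000_000  # constant so the demo's timestamps are deterministic


def file_hash(path, algo="sha256"):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Record, per regular file under root: content hash, owner, permission bits, mtime."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets etc. are out of scope for this example
            baseline[os.path.relpath(path, root)] = {
                "hash": file_hash(path),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "mode": stat.S_IMODE(st.st_mode),
                "mtime": int(st.st_mtime),
            }
    return baseline


def compare(baseline, current):
    """Return (path, change) pairs: added/deleted files and every attribute that differs."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            changes.append((path, "deleted"))
        elif path not in baseline:
            changes.append((path, "added"))
        else:
            for attr in ("hash", "uid", "gid", "mode", "mtime"):
                if baseline[path][attr] != current[path][attr]:
                    changes.append((path, attr + " changed"))
    return changes


def _write(path, text, mtime=FIXED_MTIME):
    """Write a file and pin its mtime (also how the demo stomps a timestamp back)."""
    with open(path, "w") as f:
        f.write(text)
    os.utime(path, (mtime, mtime))


def demo():
    """Take a baseline of a constructed tree, tamper with it three ways, and diff."""
    with tempfile.TemporaryDirectory() as root:
        conf = os.path.join(root, "app.conf")
        script = os.path.join(root, "run.sh")
        _write(conf, "debug=0\n")
        _write(script, "#!/bin/sh\necho ok\n")
        os.chmod(script, 0o644)
        baseline = snapshot(root)

        _write(conf, "debug=1\n")                                # edited, mtime stomped back
        os.chmod(script, 0o755)                                  # mode changed only
        _write(os.path.join(root, "backdoor.php"), "<?php\n")    # new file
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for path, change in demo():
        print(f"{path}: {change}")
```

The three findings are exactly the three attributes the entry lists as worth checking beyond the hash: app.conf is caught by content hash alone, run.sh by its permission bits alone, and backdoor.php by being absent from the baseline. In production the baseline itself has to live somewhere an attacker with write access to the monitored tree cannot reach, which is one reason OSSEC keeps it on the manager.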