fosdem10
DESCRIPTION
These are the slides of my talk on OSSEC at FOSDEM '10 in Brussels, Belgium. http://www.fosdem.org
TRANSCRIPT
![Page 1: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/1.jpg)
OSSEC: Know More, Protect Better
![Page 2: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/2.jpg)
Wim Remes (maltego me)
![Page 3: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/3.jpg)
22-23 September (training)
24-25 September (conference)
http://www.brucon.org
![Page 4: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/4.jpg)
Excaliburcon, http://www.newcamelotcouncil.com
2010 CFP to be announced soon
![Page 5: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/5.jpg)
http://www.eurotrashsecurity.eu
http://www.twitter.com/eurotrashsec
![Page 6: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/6.jpg)
OSSEC
• Daniel Cid
• 2005
• Third Brigade
• Trend Micro
• GPL v3
![Page 7: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/7.jpg)
Agenda
Log Management
OSSEC Features
OSSEC Architecture
Log Analysis with OSSEC
Conclusion
![Page 8: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/8.jpg)
Log Management: so easy the kid can do it ...
![Page 9: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/9.jpg)
Sources ? (diagram: users, applications, systems)
![Page 10: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/10.jpg)
Reasons (pie chart)
2% / 98%
Because we have to :-( / Because we want to :-D
ISO 27K, PCI-DSS, HIPAA, SOX
![Page 11: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/11.jpg)
Standards ?
• Syslog
• 2001, RFC 3164
• The non-standard standard
• WELF, CBE, CEF
• Proprietary
• We know what happens then ...
• IDMF
• Academic
• Complex
![Page 12: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/12.jpg)
What do we need ?
• Taxonomy
• Syntax
• Transport
• Recommendations
![Page 14: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/14.jpg)
OSSEC features
![Page 15: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/15.jpg)
OSSEC features
Log Analysis
Integrity Control
Rootkit Detection
![Page 16: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/16.jpg)
OSSEC architecture
![Page 17: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/17.jpg)
OSSEC Architecture (diagram)
Agent: logcollector
Server: ossec-analysisd, ossec-maild, ossec-execd
Agent to server: zlib compressed, blowfish encrypted, UDP 1514
Process labels in the diagram: (root), chroot, chroot, chroot, chroot, chroot
![Page 18: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/18.jpg)
OSSEC Architecture (diagram)
SRV with five clients
Log sources: Firewall, Switch, Router, IDS, Database, App1, App2, Virtualization
![Page 19: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/19.jpg)
I can haz rules ?
![Page 20: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/20.jpg)
Log Analysis with OSSEC
![Page 21: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/21.jpg)
Log Analysis with OSSEC
predecoding
decoding
analysis
![Page 22: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/22.jpg)
Predecoding
• Log line:
```
Feb 24 10:12:23 beijing appdaemon:user john logged in from 10.10.10.10
```
• Decoder:
```xml
<decoder name="appdaemon">
  <program_name>appdaemon</program_name>
</decoder>
```
• Predecoded fields: time/date: Feb 24 10:12:23; hostname: beijing; program_name: appdaemon; log: user john logged in from 10.10.10.10
![Page 23: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/23.jpg)
Predecoding
• Log line:
```
Feb 24 10:12:23 beijing switch:appdaemon quit unexpectedly
```
• Decoder (no program_name restriction, so the prematch is tested against the log body; a trailing `$` would require the text to end right after "appdaemon"):
```xml
<decoder name="pam">
  <prematch>^appdaemon</prematch>
</decoder>
```
• Predecoded fields: time/date: Feb 24 10:12:23; hostname: beijing; program_name: switch; log: appdaemon quit unexpectedly
![Page 24: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/24.jpg)
Decoding
• Log line:
```
Feb 24 10:12:23 beijing appdaemon:user john logged in from 10.10.10.10
```
• Child decoder (tried only after the appdaemon decoder matched; the regex is applied to the text after the prematch and the captured groups are named by `<order>`):
```xml
<decoder name="appdaemon-login">
  <parent>appdaemon</parent>
  <prematch>^user </prematch>
  <regex offset="after_prematch">^(\S+) logged in from (\S+)</regex>
  <order>user,srcip</order>
</decoder>
```
• Decoded fields: time/date: Feb 24 10:12:23; hostname: beijing; program_name: appdaemon; user: john; srcip: 10.10.10.10; log: user john logged in from 10.10.10.10
![Page 25: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/25.jpg)
Analysis
• Log line:
```
Feb 24 10:12:23 beijing appdaemon:user john logged in from 10.10.10.10
```
• Rules (10002 and 10003 are children of 10001 through `<if_sid>`; a leading `!` negates the field test):
```xml
<rule id="10001" level="3">
  <decoded_as>appdaemon</decoded_as>
  <match>logged in</match>
  <description>Successful login</description>
</rule>

<rule id="10002" level="7">
  <if_sid>10001</if_sid>
  <user>!John</user>
  <description>Ok, this was not John !!</description>
</rule>

<rule id="10003" level="7">
  <if_sid>10001</if_sid>
  <srcip>!10.10.10.0/24</srcip>
  <description>login from unauthorized network!!</description>
</rule>
```
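The three stages above (predecoding, decoding, analysis) as one runnable pipeline. This is an added example, not code from the slides or from OSSEC itself: it uses Python's `re` in place of os_regex, reduces decoders and rules to dictionaries with the same field names the slides use (`program_name`, `prematch`, `order`, `decoded_as`, `match`, `if_sid`), and runs over constructed sample lines. The user test is written as `!john`, matching the case of the sample line, since this toy compares strings exactly.

```python
import ipaddress
import re

# Constructed sample lines in the syslog shape the slides use (not captured data).
SAMPLE_LOGS = [
    "Feb 24 10:12:23 beijing appdaemon:user john logged in from 10.10.10.10",
    "Feb 24 10:12:24 beijing appdaemon:user mallory logged in from 10.10.10.11",
    "Feb 24 10:12:25 beijing appdaemon:user john logged in from 192.0.2.7",
    "Feb 24 10:12:26 beijing switch:appdaemon quit unexpectedly",
]

# Step 1, predecoding: split the syslog header into the fields filled for every
# event (time/date, hostname, program_name) and keep the rest as "log".
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program_name>[^:\s]+): ?(?P<log>.*)$"
)

def predecode(line):
    m = SYSLOG_HEADER.match(line)
    return m.groupdict() if m else {"log": line}

# Step 2, decoding. A parent decoder selects on program_name; a child decoder
# (parent set) is tried only after its parent matched: prematch first, then the
# regex against the text after the prematch, naming the captures by "order".
DECODERS = [
    {"name": "appdaemon", "program_name": "appdaemon"},
    {"name": "appdaemon-login", "parent": "appdaemon",
     "prematch": re.compile(r"^user "),
     "regex": re.compile(r"^(\S+) logged in from (\S+)"),
     "order": ["user", "srcip"]},
]

def decode(event):
    for parent in (d for d in DECODERS if "parent" not in d):
        if "program_name" in parent and parent["program_name"] != event.get("program_name"):
            continue
        event["decoder"] = parent["name"]  # this is what <decoded_as> tests in rules
        for child in (d for d in DECODERS if d.get("parent") == parent["name"]):
            pm = child["prematch"].match(event["log"])
            if not pm:
                continue
            m = child["regex"].match(event["log"][pm.end():])
            if m:
                event.update(zip(child["order"], m.groups()))
            break
        break
    return event

# Step 3, analysis: the rule tree from the slide, as data.
RULES = [
    {"id": 10001, "level": 3, "decoded_as": "appdaemon", "match": "logged in",
     "description": "Successful login"},
    {"id": 10002, "level": 7, "if_sid": 10001, "user": "!john",
     "description": "Ok, this was not John !!"},
    {"id": 10003, "level": 7, "if_sid": 10001, "srcip": "!10.10.10.0/24",
     "description": "login from unauthorized network!!"},
]

def field_matches(pattern, value):
    """Field test as the rules use it: a leading '!' negates, and an srcip
    pattern may be a CIDR block. A field the decoder did not fill never matches."""
    if value is None:
        return False
    negate = pattern.startswith("!")
    pattern = pattern[1:] if negate else pattern
    if "/" in pattern:
        try:
            hit = ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:          # value is not an IP address
            hit = False
    else:
        hit = value == pattern
    return hit != negate

def rule_hits(rule, event):
    if "decoded_as" in rule and rule["decoded_as"] != event.get("decoder"):
        return False
    if "match" in rule and rule["match"] not in event.get("log", ""):
        return False
    return all(field_matches(rule[f], event.get(f)) for f in ("user", "srcip") if f in rule)

def analyze(event, parent_id=None):
    """Walk the rule tree: once a rule matches, its if_sid children are tried;
    the deepest matching rule is the one that alerts."""
    for rule in RULES:
        if rule.get("if_sid") == parent_id and rule_hits(rule, event):
            return analyze(event, rule["id"]) or rule
    return None

def run(lines):
    """Return (event, alerting rule id or None) for each line."""
    out = []
    for line in lines:
        event = decode(predecode(line))
        rule = analyze(event)
        out.append((event, rule["id"] if rule else None))
    return out

if __name__ == "__main__":
    for event, rule_id in run(SAMPLE_LOGS):
        print(rule_id, event.get("user"), event.get("srcip"), event["log"])
```

Running it gives 10001 for john from the home network, 10002 for mallory, 10003 for john from 192.0.2.7, and no alert for the switch line, which never reaches the appdaemon decoder because its program_name differs.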
![Page 26: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/26.jpg)
Analysis : The Rule Tree (diagram: rules 10001, 10002, 10003, 10004, 10005, 10006, 10007, 10008, leading to ACTION)
![Page 27: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/27.jpg)
Advanced rule building
os_regex library (fast, not full regex)
```
\w -> A-Z, a-z, 0-9 characters
\d -> 0-9 characters
\s -> For spaces " "
\t -> For tabs.
\p -> ()*+,-.:;<=>?[] (punctuation characters)
\W -> For anything not \w
\D -> For anything not \d
\S -> For anything not \s
\. -> For anything
+  -> To match one or more times (eg \w+ or \d+)
*  -> To match zero or more times (eg \w* or \p*)
^  -> To specify the beginning of the text.
$  -> To specify the end of the text.
|  -> To create an "OR" between multiple patterns.

Used in:
<regex> </regex>                       (in rules)
<regex> </regex>                       (in decoders)
<prematch> </prematch>                 (in decoders)
<if_matched_regex> </if_matched_regex> (in rules)
```
![Page 28: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/28.jpg)
Advanced rule building
os_match library (more limited, faster)
```
^ -> To specify the beginning of the text.
$ -> To specify the end of the text.
| -> To create an "OR" between multiple patterns.

(rules only !)
<match> </match>
<user> </user>
<url> </url>
<id> </id>
<status> </status>
<hostname> </hostname>
<program_name> </program_name>
<srcport> </srcport>
<dstport> </dstport>
```
Use this whenever possible ! It beats the `<regex>` tag.
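The os_regex dialect on the two slides above differs from PCRE in ways that bite when writing decoders (`\.` means any character, a bare `.` is literal, `\s` is only a space, `$` is a hard end of text). As an added example, not part of the slides or of OSSEC, here is a translator from that dialect to Python `re` that follows the slide's tables literally: the `\w` set is exactly A-Z, a-z, 0-9 as the slide states, `( )` are assumed to be capture groups, and any character not in the tables is taken as a literal. The tests at the end show which of the slide's decoder prematches would and would not match.

```python
import re

# Character classes exactly as the os_regex slide lists them.
OSSEC_CLASSES = {
    "w": "[A-Za-z0-9]",
    "d": "[0-9]",
    "s": " ",
    "t": "\t",
    "p": r"[()*+,\-.:;<=>?\[\]]",
    "W": "[^A-Za-z0-9]",
    "D": "[^0-9]",
    "S": "[^ ]",
    ".": ".",          # "\." -> for anything
}
# Operators that keep their meaning; "( )" assumed to be capture groups.
PASSTHROUGH = set("+*^$|()")

def ossec_to_python(pattern):
    """Translate an os_regex pattern to a Python regular expression."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # Listed class, otherwise an escaped literal.
            out.append(OSSEC_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        # A bare "." or "?" etc. is a literal in os_regex, so escape it for re.
        out.append(c if c in PASSTHROUGH else re.escape(c))
        i += 1
    return "".join(out)

def ossec_match(pattern, text):
    """Return the captured groups (a tuple, possibly empty) when the pattern
    matches anywhere in text (anchor with ^ to pin it), else None."""
    m = re.search(ossec_to_python(pattern), text)
    return m.groups() if m else None

def ossec_substring(pattern, text):
    """The cheaper <match> test of the os_match slide: a plain substring."""
    return pattern in text

if __name__ == "__main__":
    body = "user john logged in from 10.10.10.10"
    print(ossec_to_python(r"^user (\w+) logged in from (\S+)"))
    print(ossec_match(r"^user (\w+) logged in from (\S+)", body))
    print(ossec_match(r"^user$", body))        # None: $ is end of text
    print(ossec_substring("logged in", body))
```

The translator is also a cheap way to unit-test a decoder's `<prematch>` and `<regex>` against sample lines before loading them into ossec-analysisd.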
![Page 29: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/29.jpg)
Integrity Checking
![Page 30: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/30.jpg)
ossec.conf
```xml
<syscheck>
  <!-- Frequency that syscheck is executed - default to every 22 hours -->
  <frequency>79200</frequency>

  <!-- Directories to check (perform all possible verifications) -->
  <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>

  <!-- Files/directories to ignore -->
  <ignore>/etc/mtab</ignore>
  <ignore>/etc/mnttab</ignore>
</syscheck>
```
![Page 31: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/31.jpg)
```xml
<rule id="550" level="7">
  <category>ossec</category>
  <decoded_as>syscheck_integrity_changed</decoded_as>
  <description>Integrity checksum changed.</description>
  <group>syscheck,</group>
</rule>

<rule id="551" level="7">
  <category>ossec</category>
  <decoded_as>syscheck_integrity_changed_2nd</decoded_as>
  <description>Integrity checksum changed again (2nd time).</description>
  <group>syscheck,</group>
</rule>

<rule id="552" level="7">
  <category>ossec</category>
  <decoded_as>syscheck_integrity_changed_3rd</decoded_as>
  <description>Integrity checksum changed again (3rd time).</description>
  <group>syscheck,</group>
</rule>
...
```
ossec_rules.xml
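To make the syscheck configuration and the 550/551/552 escalation concrete, here is a small integrity checker, added here as an example and not taken from the slides or from OSSEC: it scans the configured directories, honours the ignore list, keeps a baseline of SHA-256 checksums, and raises the three escalating rule ids from ossec_rules.xml for successive changes of the same file. Assumptions: `check_all` is reduced to a checksum; after the third change the file is treated as auto-ignored (OSSEC's default behaviour as assumed here, not stated on the slides); added and deleted files are reported without a rule id because the slides show none for them; the directory tree is constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

# Toy counterpart of the <directories> and <ignore> entries of the ossec.conf
# slide; paths are relative to a scan root so the demo runs in a temp directory.
CONFIG = {"directories": ["etc", "bin"], "ignore": ["etc/mtab"]}

# Escalation taken from rules 550/551/552: the same "checksum changed" event
# gets a different rule per change count, all at level 7.
CHANGE_RULES = {
    1: (550, "Integrity checksum changed."),
    2: (551, "Integrity checksum changed again (2nd time)."),
    3: (552, "Integrity checksum changed again (3rd time)."),
}

def file_checksum(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan(root, config):
    """{relative path: sha256} for every file under the configured directories,
    skipping ignored paths (check_all is reduced to a checksum in this toy)."""
    state = {}
    ignored = set(config["ignore"])
    for d in config["directories"]:
        for dirpath, _, files in os.walk(os.path.join(root, d)):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root)
                if rel not in ignored:
                    state[rel] = file_checksum(full)
    return state

class Syscheck:
    def __init__(self, root, config=CONFIG):
        self.root, self.config = root, config
        self.baseline = scan(root, config)   # first run builds the database
        self.changes = {}                    # path -> number of changes seen

    def run(self):
        """One scheduled pass (a <frequency> tick): diff against the baseline,
        emit alerts, then make the current state the new baseline."""
        current = scan(self.root, self.config)
        alerts = []
        for path in sorted(set(current) | set(self.baseline)):
            if path not in self.baseline:
                alerts.append({"rule": None, "level": 7, "path": path,
                               "description": "File added."})    # no rule id on the slides
            elif path not in current:
                alerts.append({"rule": None, "level": 7, "path": path,
                               "description": "File deleted."})  # no rule id on the slides
            elif current[path] != self.baseline[path]:
                n = self.changes[path] = self.changes.get(path, 0) + 1
                if n in CHANGE_RULES:   # assumed: auto-ignored after the 3rd change
                    rule_id, desc = CHANGE_RULES[n]
                    alerts.append({"rule": rule_id, "level": 7, "path": path,
                                   "description": desc})
        self.baseline = current
        return alerts

def demo():
    """Build a constructed tree, then exercise ignore, escalation and deletion.
    Returns the alert list produced by each pass."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "bin"))

    def write(rel, data):
        with open(os.path.join(root, rel), "w") as f:
            f.write(data)

    write("etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
    write("etc/mtab", "rootfs / rootfs rw 0 0\n")
    write("bin/ls", "#!/bin/sh\necho ls\n")
    sc = Syscheck(root)
    passes = []
    write("etc/mtab", "tmpfs /tmp tmpfs rw 0 0\n")      # ignored path: no alert
    passes.append(sc.run())
    for i in range(4):                                   # 550, 551, 552, then silence
        write("etc/passwd", f"root:x:0:0:root:/root:/bin/sh\nu{i}:x:100{i}:100{i}::/home/u{i}:/bin/sh\n")
        passes.append(sc.run())
    os.remove(os.path.join(root, "bin", "ls"))
    passes.append(sc.run())
    return passes

if __name__ == "__main__":
    for i, alerts in enumerate(demo()):
        print(f"pass {i}:", [(a["rule"], a["path"], a["description"]) for a in alerts])
```

The escalation is the point of the three rules: a file that keeps changing is either legitimately volatile (and belongs in `<ignore>`) or worth a closer look, and the rule id tells you which pass you are on.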
![Page 32: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/32.jpg)
syscheck commands
```sh
/var/ossec/bin/syscheck_update -a
/var/ossec/bin/syscheck_control -l
/var/ossec/bin/syscheck_control -i [agentid]
/var/ossec/bin/syscheck_control -i [agentid] -f [filename]
```
![Page 33: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/33.jpg)
Management
![Page 34: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/34.jpg)
commands
```sh
/var/ossec/bin/manage_agents        # on the server, then on the agent
/var/ossec/bin/agent_control -lc
/var/ossec/bin/agent_control -i [agentid]
/var/ossec/bin/agent_control -r -a
/var/ossec/bin/agent_control -R [agentid]
/var/ossec/bin/agent_control -r -u [agentid]
```
![Page 35: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/35.jpg)
Conclusion
![Page 36: Fosdem10](https://reader036.vdocuments.mx/reader036/viewer/2022081514/55642661d8b42a2a0a8b5a54/html5/thumbnails/36.jpg)
Conclusion
nobody knows your system/application as well as you
OSSEC is a mature starting point for your log management needs
Tuning rules never stops !
Questions ?
http://www.ossec.net