Host Based Intrusion Detection -...


Transcript of Host Based Intrusion Detection -...

Page 1: Host Based Intrusion Detection - ilta.personifycloud.com/webfiles/productfiles/1972/OSS3-OSSEC.pdf

Host Based Intrusion Detection


Simple Menu Driven Installation

OSSEC HIDS v2.4 Installation Script - http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS. You must have a C compiler pre-installed in your system. If you have any questions or comments, please send an e-mail to [email protected] (or [email protected]).

- System: Linux myserver.mysite.com 2.6.18-164.15.1.el5
- User: root
- Host: myserver.mysite.com

-- Press ENTER to continue or Ctrl-C to abort. --


Log Analysis
Integrity Checking
Rootkit Detection
Policy Monitoring
Alerting
Active Responses


LIDS

Log‐based Intrusion Detection System


Scalable
Easy to Install
Free
Multiplatform
Secure by default
Loaded with rules & decoders


Log Management


Alerts
Correlates events
Takes Action


[Diagram: a Host running several VMs]


[Diagram: OSSEC Server and three OSSEC Agents]


[Diagram: two OSSEC Servers and three OSSEC Agents]


<group name="MyCustomApp,">
  <rule id="111100" level="0">
    <category>web-log</category>
    <description>Access log messages grouped.</description>
  </rule>

  <rule id="111108" level="0">
    <if_sid>111100</if_sid>
    <id>^2|^3</id>
    <compiled_rule>is_simple_xyz_request</compiled_rule>
    <description>Ignored URLs (simple queries).</description>
  </rule>

  <rule id="111101" level="5">
    <if_sid>111100</if_sid>
    <id>^4</id>
    <description>Custom server 4014 error code.</description>
  </rule>

  <rule id="111102" level="0">
    <if_sid>111101</if_sid>
    <url>.jpg$|.gif$|favicon.ico$|.png$|rs.txt$|.cs$|.js$</url>
    <compiled_rule>is_simple_custom_request</compiled_rule>
    <description>Ignored extensions on 4000 error codes.</description>
  </rule>
</group>


Logs
File Changes
Registry Modifications


Predecoding & Decoding


So how does it work?


Stand-alone Client-Server


Stand-alone Client

Acts as client & server

Not very useful

Testing scenarios only


Client-Server Install

More secure

Centralized Management

Greater taste

Less Filling


UNIX


Integrity Checking


Syscheck

File Integrity Checking
Registry Integrity Checking

MD5, SHA-1


Active Responses


Out of the Box Active Responses

• disable-account.sh

• firewall-drop.sh

• host-deny.sh

• ipfw_mac.sh

• ipfw.sh


Secure Architecture

Encryption key exchange at installation
Integrity Checks performed at server

Multiple processes
Each process at lowest permissions
Components run in chrooted jail


So how do you install OSSEC?


OSSEC Server Installation


Install.sh Questions

• For installation in English, choose [en]
  (en/br/cn/de/el/es/fr/it/jp/nl/pl/ru/sr/tr) [en]: en

• What kind of installation do you want (server, agent, local or help)? server

• Choose where to install the OSSEC HIDS [/var/ossec]: /var/ossec

• Do you want e-mail notification? (y/n) [y]: y
  – What's your e-mail address? [email protected]

– We found your SMTP server as: mailserver.myfirm.com.

– Do you want to use it? (y/n) [y]: y

• Do you want to run the integrity check daemon? (y/n) [y]: y

• Do you want to run the rootkit detection engine? (y/n) [y]: y 

• Do you want to enable active response? (y/n) [y]: y 

• Do you want to enable the firewall-drop response? (y/n) [y]: y

• Do you want to add more IPs to the white list? (y/n)? [n]: n


That’s it!


Installation Locations

Default installation in /var/ossec
● Main configuration file is /var/ossec/etc/ossec.conf
● Decoders are stored at /var/ossec/etc/decoders.xml
● Binaries stored at /var/ossec/bin/
● Rules stored at /var/ossec/rules/*.xml
● Alerts are stored at /var/ossec/logs/alerts.log


Why aren’t the OSSEC logs in /var/log?


OSSEC Processes


Secure


chroot

Chroot definition (from Wikipedia): A program that is "chrooted" is re-rooted to another directory and cannot access or name files outside that directory.


Processes are limited in privilege


Processes run as different users


OSSEC Processes

ossec-analysisd – runs as user ossec (performs analysis)

ossec-remoted – runs as user ossecr (runs on server and collects logs from agents)

ossec-maild – runs as user ossecm (sends email alerts)

ossec-execd – runs as root (executes active responses)

ossec-logcollector – runs as root, but only reads the logs, no analysis (collects logs)

ossec-syscheckd – runs as root (file integrity monitoring)

ossec-monitord – runs as user ossec (monitors agents status)

ossec-agentd – runs as user ossec (runs on agents and forwards logs to remoted on server)


Add the clients as Agents (on the server)

(server)# /var/ossec/bin/manage_agents


Add the Agent

(server)# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v0.8 Agent manager.       *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your actions: A,E,R or Q: a


Provide the name and IP

- Adding a new agent (use 'q' to return to main menu).
  Please provide the following:
   * A name for the new agent: linux1
   * The IP Address for the new agent: 192.168.2.32
   * An ID for the new agent[001]:
Agent information:
   ID:001
   Name:linux1
   IP Address:192.168.2.32

Confirm adding it?(y/n): y
Added.


Extract the Encryption Key

****************************************
* OSSEC HIDS v0.8 Agent manager.       *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your actions: A,E,R or Q: e


Pick the client ID and copy the key

Available agents:
   ID: 001, Name: linux1, IP: 192.168.2.32
   ID: 002, Name: obsd1, IP: 192.168.2.10
Provide the ID of the agent you want to extract the key: 001

Agent key information for '001' is:
CDAxIGxpbnX4MSAxOTIuMTY4LjAuMzIgOWM5MENlYzNXXXYYYZZZZZ==

** Press ENTER to continue


Client Side Setup

(linux1)# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v0.8 Agent manager.       *
* The following options are available: *
****************************************
   (I)mport key for the server (I).
   (Q)uit.
Choose your actions: I or Q: I

* Provide the Key generated from the server.
* The best approach is to cut and paste it.
* Do not include spaces or new line characters.

Paste it here: CDAxIGxpbnX4MSAxOTIuMTY4LjAuMzIgOWM5MENlYzNXXXYYYZZZZZ==


Restart OSSEC on client and server

(server)# /var/ossec/bin/ossec-control restart

(client)# /var/ossec/bin/ossec-control restart


Repeat that process for all clients/agents.


Windows Agent is a GUI


What can the Windows Agent do?

• Monitors the Windows event log in real time

• Monitors IIS logs (Web, FTP, SMTP) and any other logs present on your system (including Symantec Anti-Virus, MySQL, Apache, etc) at near real time.

• Periodically checks the Windows Registry for changes.

• Periodically checks your Windows folders for changes. 

• Periodically does policy verifications to make sure your system is configured properly. 

• Looks for alternate NTFS File Streams. 


Installation Issue


OSSEC Server no likey SELINUX


What does OSSEC look like?


OSSEC Alert Levels

00 - Ignored
01 - None
02 - System low priority notification
03 - Successful/Authorized events
04 - System low priority error
05 - User generated error
06 - Low relevance attack
07 - "Bad word" matching
08 - First time seen
09 - Error from invalid source
10 - Multiple user generated errors
11 - Integrity checking warning
12 - High importance event
13 - Unusual error (high importance)
14 - High importance security event
15 - Severe attack


Rules


/var/ossec/rules

apache_rules.xml arpwatch_rules.xml asterisk_rules.xml attack_rules.xml backup-rules.24026 cimserver_rules.xml cisco-ios_rules.xml courier_rules.xml dovecot_rules.xml firewall_rules.xml ftpd_rules.xml hordeimp_rules.xml ids_rules.xml imapd_rules.xml local_rules.xml mailscanner_rules.xml mcafee_av_rules.xml ms-exchange_rules.xml ms-se_rules.xml ms_dhcp_rules.xml ms_ftpd_rules.xml msauth_rules.xml mysql_rules.xml named_rules.xml netscreenfw_rules.xml nginx_rules.xml ossec_rules.xml pam_rules.xml php_rules.xml pix_rules.xml policy_rules.xml postfix_rules.xml postgresql_rules.xml proftpd_rules.xml pure-ftpd_rules.xml racoon_rules.xml roundcube_rules.xml rules_config.xml sendmail_rules.xml smbd_rules.xml solaris_bsm_rules.xml sonicwall_rules.xml spamd_rules.xml squid_rules.xml sshd_rules.xml symantec-av_rules.xml symantec-ws_rules.xml syslog_rules.xml telnetd_rules.xml translated trend-osce_rules.xml vmpop3d_rules.xml vmware_rules.xml vpn_concentrator_rules.xml vpopmail_rules.xml vsftpd_rules.xml web_rules.xml wordpress_rules.xml zeus_rules.xml


OSSEC RULES

00000–00999 Reserved for internal OSSEC HIDS rules
01000–01999 General syslog rules
02100–02299 Network File System (NFS) rules
02300–02499 xinetd rules
02500–02699 Access control rules
02700–02729 mail/procmail rules
02800–02829 smartd rules
02830–02859 crond rules
02860–02899 Mount/Automount rules
03100–03299 Sendmail mail server rules
03300–03499 Postfix mail server rules
03500–03599 spamd filter rules
03600–03699 imapd mail server rules
03700–03799 Mail scanner rules
03800–03899 Microsoft Exchange mail server rules
03900–03999 Courier mail rules (imapd/pop3d/pop3-ssl)
04100–04299 Generic firewall rules
04300–04499 Cisco PIX/FWSM/ASA firewall rules
04500–04699 Juniper Netscreen firewall rules
04700–04799 Cisco IOS rules
04800–04899 SonicWall firewall rules
05100–05299 Linux, UNIX, BSD kernel rules
05300–05399 Switch user (su) rules
05400–05499 Super user do (sudo) rules
05500–05599 Unix pluggable authentication mod (PAM)
05600–05699 telnetd rules
05700–05899 sshd rules
05900–05999 Add user or user deletion rules
07100–07199 Tripwire rules
07200–07299 arpwatch rules
07300–07399 Symantec Antivirus rules
07400–07499 Symantec Web Security rules
09100–09199 Point-to-point tunneling protocol (PPTP) rules
09200–09299 Squid syslog rules
09300–09399 Horde IMP rules
09900–09999 vpopmail rules
10100–10199 FTS rules
11100–11199 ftpd rules
11200–11299 ProFTPD rules
11300–11399 Pure-FTPD rules
11400–11499 vs-FTPD rules
11500–11599 MS-FTP rules
12100–12299 named (BIND DNS) rules
13100–13299 Samba (smbd) rules
14100–14199 Racoon SSL rules
14200–14299 Cisco VPN Concentrator rules
17100–17399 Policy rules
18100–18499 Windows system rules
20100–20299 IDS rules
20300–20499 IDS (Snort specific) rules
30100–30999 Apache HTTP server error log rules
31100–31199 Web access log rules
31200–31299 Zeus web server rules
35000–35999 Squid rules
40100–40499 Attack pattern rules
40500–40599 Privilege escalation rules
40600–40999 Scan pattern rules
50100–50299 MySQL database rules
50500–50799 PostgreSQL database rules
100000–119999 User-defined rules


Custom Rules

/var/ossec/rules/local_rules.xml


[Diagram: Event -> PreDecoding -> Decoding -> Rules -> Alerts -> emails / Active Responses / Logs]


Predecoding Fields

Time, Date, Hostname, Program Name, Log message

Jun 13 13:13:03 cle-linx01 sshd[1205]: Accepted password for admin from 10.1.1.1 port 1618 ssh2


Decoding Fields

Username, IP Address, Port, Version

Jun 13 13:13:03 cle-linx01 sshd[1205]: Accepted password for admin from 10.1.1.1 port 1618 ssh2

Accepted password for admin from 10.1.1.1 port 1618 ssh2


/var/ossec/etc/decoders.xml


decoder

<decoder name="sshd">
  <program_name>^sshd</program_name>
</decoder>

<decoder name="sshd-success">
  <parent>sshd</parent>
  <prematch>^Accepted</prematch>
  <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port </regex>
  <order>user, srcip</order>
  <fts>name, user, location</fts>
</decoder>

<decoder name="ssh-denied">
  <parent>sshd</parent>
  <prematch>^User \S+ from </prematch>
  <regex offset="after_parent">^User (\S+) from (\S+) </regex>
  <order>user, srcip</order>
</decoder>
...
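An added example, not from the slides or from OSSEC's own code: a Python model of the two stages just shown. It predecodes the syslog header of the sample line into date, time, hostname, program name and message, then runs the decoders.xml entries as a tree (parent chosen by program_name, child by the first prematch that hits, regex applied at the given offset, captures named by order). The dict form of the decoders, the second sample line and the decode_line helper are constructed for the example.

```python
import re

# Constructed sample lines: the first is the slides' example, the second is a made-up
# "not allowed" sshd message in the same format so the ssh-denied decoder has input.
SAMPLE_ACCEPTED = ("Jun 13 13:13:03 cle-linx01 sshd[1205]: "
                   "Accepted password for admin from 10.1.1.1 port 1618 ssh2")
SAMPLE_DENIED = ("Jun 13 13:14:10 cle-linx01 sshd[1207]: "
                 "User bob from 10.1.1.9 not allowed because not listed in AllowUsers")

# Predecoding: split the syslog header into the fields the slide lists.
SYSLOG_HEADER = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} +\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<program>[^\[: ]+)(?:\[\d+\])?: (?P<message>.*)$")


def predecode(line):
    """Return {date, time, hostname, program, message} or None for a non-syslog line."""
    m = SYSLOG_HEADER.match(line)
    return m.groupdict() if m else None


# decoders.xml from the slide transcribed into dicts (assumption: OSSEC's own regex
# dialect is close enough that \S+ and capture groups behave the same in Python).
DECODERS = [
    {"name": "sshd", "program_name": r"^sshd"},
    {"name": "sshd-success", "parent": "sshd", "prematch": r"^Accepted",
     "regex": r"^ \S+ for (\S+) from (\S+) port ", "offset": "after_prematch",
     "order": ("user", "srcip")},
    {"name": "ssh-denied", "parent": "sshd", "prematch": r"^User \S+ from ",
     "regex": r"^User (\S+) from (\S+) ", "offset": "after_parent",
     "order": ("user", "srcip")},
]


def decode(pre):
    """Apply the decoder tree to a predecoded event: pick the parent by program name,
    then the first child whose prematch hits, and name the regex captures via <order>."""
    parent = next((d for d in DECODERS if "program_name" in d
                   and re.search(d["program_name"], pre["program"])), None)
    if parent is None:
        return None
    out = dict(pre, decoder=parent["name"])
    msg = pre["message"]
    for child in DECODERS:
        if child.get("parent") != parent["name"]:
            continue
        pm = re.search(child["prematch"], msg)
        if not pm:
            continue
        # after_prematch: the regex runs on the text following the prematch hit;
        # after_parent: it runs on the whole message (the parent matched on program name).
        text = msg[pm.end():] if child["offset"] == "after_prematch" else msg
        m = re.search(child["regex"], text)
        if m:
            out["decoder"] = child["name"]
            out.update(zip(child["order"], m.groups()))
        break
    return out


def decode_line(line):
    """Predecode then decode one raw log line; None if either stage finds nothing."""
    pre = predecode(line)
    return decode(pre) if pre else None
```

A line that predecodes but matches no parent decoder (a cron message, say) comes back as None, which is exactly the event the rules stage never sees.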


2 Types of Rules

Page 97: Host Based Intrusion Detection - ilta.personifycloud.comilta.personifycloud.com/webfiles/productfiles/1972/OSS3-OSSEC.pdf · • Do you want to run the rootkit detection engine? (y/n)

Atomic

Page 98

Atomic Rule Example

<group name="web,accesslog,">
  <rule id="31100" level="0">
    <category>web-log</category>
    <description>Access log messages grouped.</description>
  </rule>

Page 99

Composite

Page 100

Composite Rule Example

<rule id="31153" level="10" frequency="8" timeframe="120">
  <if_matched_sid>31104</if_matched_sid>
  <same_source_ip />
  <description>Multiple common web attacks from same source ip.</description>
  <group>attack,</group>
</rule>
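The frequency, timeframe and same_source_ip logic of the composite rule above, modelled as an added Python example that is not OSSEC's own correlation code. The rule ids come from the slide; the sample alerts are constructed, and clearing the window after the rule fires is a simplification of how the real engine behaves.

```python
from collections import defaultdict, deque

# Added, constructed model of the composite rule above (not OSSEC's own
# correlation code): rule 31153 fires when rule 31104 has matched
# frequency=8 times within timeframe=120 seconds from the same source IP.
COMPOSITE = {"id": 31153, "level": 10, "if_matched_sid": 31104,
             "frequency": 8, "timeframe": 120, "same_source_ip": True}

class Correlator:
    def __init__(self, rule):
        self.rule = rule
        self.windows = defaultdict(deque)  # key (srcip) -> match timestamps

    def feed(self, sid, srcip, ts):
        # Feed one atomic alert (rule id, source ip, epoch seconds);
        # returns the composite alert if the threshold is reached, else None
        r = self.rule
        if sid != r["if_matched_sid"]:
            return None
        key = srcip if r["same_source_ip"] else "*"
        win = self.windows[key]
        win.append(ts)
        while win and ts - win[0] > r["timeframe"]:
            win.popleft()  # forget matches that fell out of the timeframe
        if len(win) >= r["frequency"]:
            win.clear()  # simplification: start over once the rule has fired
            return {"rule": r["id"], "level": r["level"], "srcip": srcip,
                    "count": r["frequency"], "timestamp": ts}
        return None

def run(alerts, rule=COMPOSITE):
    # Replay (sid, srcip, ts) tuples in time order and collect composite alerts
    c = Correlator(rule)
    return [a for a in (c.feed(*x) for x in alerts) if a]

# Constructed sample: eight 31104 hits from 10.0.0.9 within 70 s (fires once)
# plus a slow drip from 10.0.0.7 every 60 s that never fills a 120 s window.
SAMPLE = ([(31104, "10.0.0.9", 1000 + 10 * i) for i in range(8)]
          + [(31104, "10.0.0.7", 1000 + 60 * i) for i in range(8)])

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(alert)  # one alert: rule 31153 for 10.0.0.9 at timestamp 1070
```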

Page 101

What log files get monitored?

Page 102

ossec.conf log file entries

<!-- Files to monitor (localfiles) -->

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/messages</location>
</localfile>

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/secure</location>
</localfile>

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/maillog</location>
</localfile>

<localfile>
  <log_format>apache</log_format>
  <location>/var/log/httpd/error_log</location>
</localfile>

….

Page 103

How do I shut this thing up?

Page 104

Rewriting A Rule to Silence It

Edit /var/ossec/rules/local_rules.xml

<rule id="100030" level="0">
  <if_sid>31106</if_sid>
  <description>List of rules to be ignored.</description>
</rule>

<rule id="110002" level="0">
  <if_group>authentication_failures,</if_group>
  <description>Changes ignored.</description>
  <if_sid>18152</if_sid>
</rule>

<rule id="110003" level="0">
  <if_group>system_error,</if_group>
  <description>Changes ignored.</description>
  <if_sid>31122</if_sid>
</rule>

Page 105

Raise Alert Levels

Page 106

Stupid OSSEC Tricks

Page 107

Coding Daily Reports

Add these lines to ossec.conf

Receive a summary of all authentication successes:

<ossec_config>
  <reports>
    <category>authentication_success</category>
    <user type="relation">srcip</user>
    <title>Daily report: Successful logins</title>
    <email_to>me@me.com</email_to>
  </reports>
</ossec_config>

Receive a summary of all file integrity monitoring (syscheck) alerts:

<ossec_config>
  <reports>
    <category>syscheck</category>
    <title>Daily report: File changes</title>
    <email_to>me@me.com</email_to>
  </reports>
</ossec_config>

Page 108

Authentication Daily Report

Report 'Daily report: Successful logins' completed.
------------------------------------------------
->Processed alerts: 4388
->Post-filtering alerts: 2
->First alert: 2010 Aug 6 13:25:04
->Last alert: 2010 Aug 6 13:25:04

Top entries for 'Group':
------------------------------------------------
authentication_success                          |2       |
syslog                                          |2       |
pam                                             |1       |
sshd                                            |1       |

Top entries for 'Source ip':
------------------------------------------------
10.xx.xx.xx                                     |1       |

Top entries for 'Location':
------------------------------------------------
(dmz-server) 192.168.x.x->/var/log/secure       |2       |

Top entries for 'Username':
------------------------------------------------
administrator                                   |1       |

Top entries for 'Rule':
------------------------------------------------
5501 - Login session opened.                    |1       |
5715 - SSHD authentication success.             |1       |

Top entries for 'Level':
------------------------------------------------
Severity 3                                      |2       |

Related entries for 'Username':
------------------------------------------------
administrator                                   |1       |
srcip: '10.xx.xx.xx'

Page 109

Forensic Analysis of Log Files

# cat /var/log/secure | /var/ossec/bin/ossec-logtest -a

2010/08/18 08:37:32 ossec-testrule: INFO: Started (pid: 25489).

** Alert 1282135052.1: mail  - syslog,fts,authentication_success
2010 Aug 18 08:37:32 MYSVR01->stdin
Rule: 10100 (level 4) -> 'First time user logged in.'
Src IP: 192.168.14.147
User: root
Aug 16 08:31:30 MYSVR01 sshd[28191]: Accepted password for root from 192.168.14.147 port 56321

** Alert 1282135052.2: - syslog,sshd,authentication_success,
2010 Aug 18 08:37:32 MYSVR01->stdin
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 192.168.0.5
User: root
Aug 16 16:24:37 MYSVR01 sshd[7089]: Accepted password for root from 192.168.0.5 port 35614 ssh2

** Alert 1282135052.3: mail  - syslog,errors,
2010 Aug 18 08:37:32 MYSVR01->stdin
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Src IP: (none)
User: (none)
Aug 17 09:32:20 MYSVR01 sshd[3176]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.

Page 110

Forensic Analysis Summary (1)

# cat /var/log/secure | /var/ossec/bin/ossec-logtest -a | /var/ossec/bin/ossec-reportd

2010/08/18 08:42:53 ossec-reportd: INFO: Started (pid: 32590).
2010/08/18 08:42:53 ossec-testrule: INFO: Started (pid: 32589).
2010/08/18 08:42:58 ossec-reportd: INFO: Report completed. Creating output...

Report completed. ==
------------------------------------------------
->Processed alerts: 7
->Post-filtering alerts: 7
->First alert: 2010 Aug 18 08:42:53
->Last alert: 2010 Aug 18 08:42:53

Top entries for 'Source ip':
------------------------------------------------
192.168.14.147                                  |2       |
192.168.16.52                                   |1       |
192.168.0.5                                     |1       |

Top entries for 'Username':
------------------------------------------------
root                                            |4       |

Page 111

Forensic Analysis Summary (2)

Top entries for 'Level':
------------------------------------------------
Severity 3                                      |5       |
Severity 2                                      |1       |
Severity 4                                      |1       |

Top entries for 'Group':
------------------------------------------------
syslog                                          |7       |
authentication_success                          |5       |
sshd                                            |3       |
pam                                             |2       |
errors                                          |1       |
fts                                             |1       |

Top entries for 'Location':
------------------------------------------------
MYSVR01->stdin                                  |7       |

Page 112

Forensic Analysis Summary (3)

Top entries for 'Rule':
------------------------------------------------
5715 - SSHD authentication success.             |3       |
1002 - Unknown problem somewhere in the syst..  |1       |
10100 - First time user logged in.              |1       |
5501 - Login session opened.                    |1       |
5502 - Login session closed.                    |1       |

Log dump:
------------------------------------------------
2010 Aug 18 08:42:53 MYSVR01->stdin
Rule: 10100 (level 4) -> 'First time user logged in.'
Aug 16 08:31:30 MYSVR01 sshd[28191]: Accepted password for root from 192.168.14.147 port 56321

Page 113

Brute Force Attack Report

# cat /var/log/secure | /var/ossec/bin/ossec-logtest -a | /var/ossec/bin/ossec-reportd -f group authentication_failures

Report completed. ==
------------------------------------------------
->Processed alerts: 362
->Post-filtering alerts: 21

Top entries for 'Source ip':
------------------------------------------------
87.123.106.142                                  |2       |
8.20.19.170                                     |2       |
134.255.9.163                                   |1       |
17.15.13.13                                     |1       |
14.25.62.36                                     |1       |
73.45.18.20                                     |1       |
20.12.99.59                                     |1       |
102.63.145.50                                   |1       |
222.2.25.202                                    |1       |

Top entries for 'Username':
------------------------------------------------
root                                            |22      |

Top entries for 'Level':
------------------------------------------------
Severity 10                                     |21      |

Top entries for 'Group':
------------------------------------------------
authentication_failures                         |21      |
sshd                                            |21      |
syslog                                          |21      |

Top entries for 'Location':
------------------------------------------------
enigma->stdin                                   |21      |

Top entries for 'Rule':
------------------------------------------------
5720 - Multiple SSHD authentication failures.   |19      |
5712 - SSHD brute force trying to get access..  |1       |

Page 114

Lessons Learned

• It's simple. Use it.

• Lots of noise on upgrades.

• Windows 2008 R2 whines... and whines... and whines...

• Agentless monitoring allows you to monitor many appliances (routers, switches, firewalls, etc.)

Page 115

Page 116

Questions?

Page 117

Image Credits

• http://mrg.bz/wrcjRr Log File

• http://www.sxc.hu/photo/1094329 Tired guy

• http://mrg.bz/rpccdD wine and beer glasses

• http://upload.wikimedia.org/wikipedia/commons/3/3e/Tux‐G2.png Tux

• http://mrg.bz/OQ3I7U Lock

• http://mrg.bz/lUCAfo Hulk

• http://mrg.bz/nXxLey Kid at Computer

• http://www.sxc.hu/photo/569804 Direction sign

• http://www.sxc.hu/photo/1255864 Wormhole

• http://www.sxc.hu/photo/1267612 Fire

The following images were used under fair use provisions of US copyright and trademark law:

• Logos: Windows, Tux, FreeBSD, VMWare, MAC OSx, OSSEC and AIX

• OSSEC WebUI screenshots