
Post on 19-Mar-2018


Host Based Intrusion Detection

Simple Menu Driven Installation

OSSEC HIDS v2.4 Installation Script - http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS. You must have a C compiler pre-installed in your system. If you have any questions or comments, please send an e-mail to dcid@ossec.net (or daniel.cid@gmail.com).

- System: Linux myserver.mysite.com 2.6.18-164.15.1.el5
- User: root
- Host: myserver.mysite.com

-- Press ENTER to continue or Ctrl-C to abort. --

• Log Analysis
• Integrity Checking
• Rootkit Detection
• Policy Monitoring
• Alerting
• Active Responses

LIDS

Log-based Intrusion Detection System

• Scalable
• Easy to Install
• Free
• Multiplatform
• Secure by default
• Loaded with rules & decoders

Log Management

• Alerts
• Correlates events
• Takes Action

Deployment diagram: OSSEC Agents on physical hosts and on VMs report to a central OSSEC Server.

<group name="MyCustomApp,">
  <rule id="111100" level="0">
    <category>web-log</category>
    <description>Access log messages grouped.</description>
  </rule>

  <!-- compiled_rule names are functions compiled into ossec-analysisd; these two are this app's own -->
  <rule id="111108" level="0">
    <if_sid>111100</if_sid>
    <id>^2|^3</id>
    <compiled_rule>is_simple_xyz_request</compiled_rule>
    <description>Ignored URLs (simple queries).</description>
  </rule>

  <rule id="111101" level="5">
    <if_sid>111100</if_sid>
    <id>^4</id>
    <description>Custom server 4014 error code.</description>
  </rule>

  <rule id="111102" level="0">
    <if_sid>111101</if_sid>
    <url>.jpg$|.gif$|favicon.ico$|.png$|rs.txt$|.cs$|.js$</url>
    <compiled_rule>is_simple_custom_request</compiled_rule>
    <description>Ignored extensions on 4000 error codes.</description>
  </rule>
</group>

• Logs
• File Changes
• Registry Modifications

Predecoding & Decoding

So how does it work?

Stand-alone vs. Client-Server

Stand-alone Client
• Acts as client & server
• Not very useful
• Testing scenarios only

Client-Server Install
• More secure
• Centralized Management
• Greater taste
• Less Filling

UNIX

Integrity Checking

Syscheck

• File Integrity Checking
• Registry Integrity Checking
• Hashes: MD5 and SHA-1, stored alongside the file's size, permissions and ownership. Both digests are collision-broken, which only matters when the attacker could have supplied the original file as one half of a colliding pair; later OSSEC releases add SHA-256.
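Syscheck's job in miniature, as an added example that is not OSSEC code: baseline a tree, record size, permissions, ownership and a digest for each regular file, then diff a later snapshot and report what a syscheck alert would. The scenario is constructed in a temporary directory, and SHA-256 is used where OSSEC 2.4 stores MD5 and SHA-1.

```python
"""Minimal syscheck-style file integrity check (added example, not OSSEC code).

Takes a baseline of a directory tree, then reports files added, removed or
changed. Like syscheck it records size, permissions and ownership alongside
the digest; unlike OSSEC 2.4 it uses SHA-256 rather than MD5/SHA-1.
"""
import hashlib
import os
import stat
import tempfile


def hash_file(path, algo="sha256"):
    """Stream the file through hashlib so large files need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, algo="sha256"):
    """Map relative path -> attributes for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not hashed
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "gid": st.st_gid,
                algo: hash_file(full, algo),
            }
    return baseline


def diff(old, new):
    """Return (added, removed, changed) path lists, each sorted."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, changed


def demo():
    """Constructed scenario in a temp dir: baseline, tamper, compare."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        seed = {
            "passwd": b"root:x:0:0:root:/root:/bin/bash\n",
            "hosts": b"127.0.0.1 localhost\n",
            "motd": b"welcome\n",
        }
        for name, body in seed.items():
            with open(os.path.join(etc, name), "wb") as f:
                f.write(body)
        before = snapshot(root)

        # Tampering an intruder might do: add a uid-0 user, plant a preload
        # library, remove a file. hosts is left alone and must not be reported.
        with open(os.path.join(etc, "passwd"), "ab") as f:
            f.write(b"eve:x:0:0::/root:/bin/bash\n")
        with open(os.path.join(etc, "ld.so.preload"), "wb") as f:
            f.write(b"/tmp/evil.so\n")
        os.remove(os.path.join(etc, "motd"))
        after = snapshot(root)
        return diff(before, after)


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:", added, "removed:", removed, "changed:", changed)
```

Run it and it prints the three lists. The untouched hosts file does not appear; the appended passwd shows as changed even though its mode and owner did not move, because the size and the digest did.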

Active Responses

Out of the Box Active Responses

• disable-account.sh
• firewall-drop.sh
• host-deny.sh
• ipfw_mac.sh
• ipfw.sh
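The stock scripts above receive the decoded source IP (and user name) on their command line, so an attacker who can get a crafted line into a monitored log chooses those values. The following is an added example, not one of the stock scripts and not OSSEC's code: a firewall-drop equivalent in Python that validates its arguments before touching iptables. It assumes the stock scripts' argument order (action, user, source IP, alert id, rule id) and a constructed whitelist subnet that you would replace with your own management networks.

```python
#!/usr/bin/env python3
"""Hardened firewall-drop style active response (added example, not the stock script).

The stock scripts are called, in this order, with:
  action ("add" or "delete"), user, source IP, alert id, rule id, ...
The IP and user are fields decoded out of a log line, so whoever can write to
a monitored log controls them. Validate before touching the firewall.
"""
import ipaddress
import subprocess
import sys

# Constructed whitelist of management hosts; the installer's "white list"
# question serves the same purpose. Replace with your own networks.
WHITELIST = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("192.168.2.0/24"),  # assumed OSSEC server subnet
]


def parse_args(argv):
    """Return (action, ip) from the vector OSSEC passes, or raise ValueError."""
    if len(argv) < 4:
        raise ValueError("expected: <action> <user> <srcip> [alert_id rule_id ...]")
    action, _user, ip = argv[1], argv[2], argv[3]
    if action not in ("add", "delete"):
        raise ValueError(f"unknown action {action!r}")
    return action, ip


def is_blockable(ip_text, whitelist=WHITELIST):
    """True only for a syntactically valid, non-whitelisted, routable address.

    ipaddress.ip_address() rejects anything that is not a bare address, which
    disposes of strings such as '1.2.3.4; rm -rf /' or '$(reboot)'.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
        return False
    return not any(ip in net for net in whitelist)


def build_commands(action, ip_text):
    """Return the argv lists equivalent to the stock firewall-drop.sh rules.

    Lists, not a shell string: there is no shell for a bad argument to reach.
    """
    flag = "-I" if action == "add" else "-D"
    tool = "ip6tables" if ipaddress.ip_address(ip_text).version == 6 else "iptables"
    return [
        [tool, flag, "INPUT", "-s", ip_text, "-j", "DROP"],
        [tool, flag, "FORWARD", "-s", ip_text, "-j", "DROP"],
    ]


def main(argv):
    action, ip = parse_args(argv)
    if not is_blockable(ip):
        print(f"refusing to {action} firewall rule for {ip!r}", file=sys.stderr)
        return 1
    for cmd in build_commands(action, ip):
        subprocess.run(cmd, check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire it in with an <active-response> block in ossec.conf exactly as you would the stock script. The same argument check applies to disable-account.sh's user name, which also comes straight out of the log.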

Secure Architecture

• Encryption key exchange at installation (each agent's key is generated on the server and imported on the agent with manage_agents; agent-to-server traffic is encrypted with it)
• Integrity checks performed at server
• Multiple processes
• Each process at lowest permissions
• Components run in chrooted jail

So how do you install OSSEC?

OSSEC Server Installation

Install.sh Questions

• For installation in English, choose [en]
  (en/br/cn/de/el/es/fr/it/jp/nl/pl/ru/sr/tr) [en]: en
• What kind of installation do you want (server, agent, local or help)? server
• Choose where to install the OSSEC HIDS [/var/ossec]: /var/ossec
• Do you want e-mail notification? (y/n) [y]: y
  – What's your e-mail address? guru@myfirm.com
  – We found your SMTP server as: mailserver.myfirm.com.
  – Do you want to use it? (y/n) [y]: y
• Do you want to run the integrity check daemon? (y/n) [y]: y
• Do you want to run the rootkit detection engine? (y/n) [y]: y
• Do you want to enable active response? (y/n) [y]: y
• Do you want to enable the firewall-drop response? (y/n) [y]: y
• Do you want to add more IPs to the white list? (y/n)? [n]: n
  (With firewall-drop enabled, add your own management hosts here; otherwise an active response can block them.)

That's it!

Installation Locations

• Default installation in /var/ossec
• Main configuration file is /var/ossec/etc/ossec.conf
• Decoders are stored at /var/ossec/etc/decoders.xml
• Binaries stored at /var/ossec/bin/
• Rules stored at /var/ossec/rules/*.xml
• Alerts are stored at /var/ossec/logs/alerts.log

Why aren't the OSSEC logs in /var/log?

OSSEC Processes

Secure

chroot

Chroot definition (from Wikipedia): A program that is "chrooted" is re-rooted to another directory and cannot access or name files outside that directory.

That is the answer to the question above: the analysis daemons are chrooted to /var/ossec and cannot write to /var/log, so alerts land in /var/ossec/logs instead.

• Processes are limited in privilege
• Processes run as different users

OSSEC Processes

• ossec-analysisd – runs as user ossec (performs analysis)
• ossec-remoted – runs as user ossecr (runs on server and collects logs from agents)
• ossec-maild – runs as user ossecm (sends email alerts)
• ossec-execd – runs as root (executes active responses)
• ossec-logcollector – runs as root, but only reads the logs, no analysis (collects logs)
• ossec-syscheckd – runs as root (file integrity monitoring)
• ossec-monitord – runs as user ossec (monitors agent status)
• ossec-agentd – runs as user ossec (runs on agents and forwards logs to remoted on the server)

Add the clients as Agents (on the server)

(server)# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v0.8 Agent manager.       *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your actions: A,E,R or Q: a

Provide the name and IP

- Adding a new agent (use 'q' to return to main menu).
  Please provide the following:
   * A name for the new agent: linux1
   * The IP Address for the new agent: 192.168.2.32
   * An ID for the new agent[001]:
Agent information:
   ID:001
   Name:linux1
   IP Address:192.168.2.32

Confirm adding it?(y/n): y
Added.

Extract the Encryption Key

(server)# /var/ossec/bin/manage_agents
Choose your actions: A,E,R or Q: e

Pick the client ID and copy the key

Available agents:
   ID: 001, Name: linux1, IP: 192.168.2.32
   ID: 002, Name: obsd1, IP: 192.168.2.10
Provide the ID of the agent you want to extract the key: 001

Agent key information for '001' is:
CDAxIGxpbnX4MSAxOTIuMTY4LjAuMzIgOWM5MENlYzNXXXYYYZZZZZ==

** Press ENTER to continue

This key is the shared secret that protects the agent's channel to the server, so carry it over an authenticated channel such as ssh, not over e-mail or chat.

Client Side Setup

(linux1)# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v0.8 Agent manager.       *
* The following options are available: *
****************************************
   (I)mport key for the server (I).
   (Q)uit.
Choose your actions: I or Q: I

* Provide the Key generated from the server.
* The best approach is to cut and paste it.
* Do not include spaces or new line characters.
Paste it here: CDAxIGxpbnX4MSAxOTIuMTY4LjAuMzIgOWM5MENlYzNXXXYYYZZZZZ==

Restart OSSEC on client and server

(server)# /var/ossec/bin/ossec-control restart
(client)# /var/ossec/bin/ossec-control restart

Repeat that process for all clients/agents.

Windows Agent is a GUI

What can the Windows Agent do?

• Monitors the Windows event log in real time
• Monitors IIS logs (Web, FTP, SMTP) and any other logs present on your system (including Symantec Anti-Virus, MySQL, Apache, etc.) in near real time.
• Periodically checks the Windows Registry for changes.
• Periodically checks your Windows folders for changes.
• Periodically does policy verifications to make sure your system is configured properly.
• Looks for alternate NTFS file streams.

Installation Issue

The OSSEC server does not get along with SELinux.

What does OSSEC look like?

OSSEC Alert Levels

00 - Ignored
01 - None
02 - System low priority notification
03 - Successful/Authorized events
04 - System low priority error
05 - User generated error
06 - Low relevance attack
07 - "Bad word" matching
08 - First time seen
09 - Error from invalid source
10 - Multiple user generated errors
11 - Integrity checking warning
12 - High importance event
13 - Unusual error (high importance)
14 - High importance security event
15 - Severe attack

Rules

/var/ossec/rules:
apache_rules.xml, arpwatch_rules.xml, asterisk_rules.xml, attack_rules.xml, backup-rules.24026, cimserver_rules.xml, cisco-ios_rules.xml, courier_rules.xml, dovecot_rules.xml, firewall_rules.xml, ftpd_rules.xml, hordeimp_rules.xml, ids_rules.xml, imapd_rules.xml, local_rules.xml, mailscanner_rules.xml, mcafee_av_rules.xml, ms_dhcp_rules.xml, ms-exchange_rules.xml, ms_ftpd_rules.xml, ms-se_rules.xml, msauth_rules.xml, mysql_rules.xml, named_rules.xml, netscreenfw_rules.xml, nginx_rules.xml, ossec_rules.xml, pam_rules.xml, php_rules.xml, pix_rules.xml, policy_rules.xml, postfix_rules.xml, postgresql_rules.xml, proftpd_rules.xml, pure-ftpd_rules.xml, racoon_rules.xml, roundcube_rules.xml, rules_config.xml, sendmail_rules.xml, smbd_rules.xml, solaris_bsm_rules.xml, sonicwall_rules.xml, spamd_rules.xml, squid_rules.xml, sshd_rules.xml, symantec-av_rules.xml, symantec-ws_rules.xml, syslog_rules.xml, telnetd_rules.xml, translated, trend-osce_rules.xml, vmpop3d_rules.xml, vmware_rules.xml, vpn_concentrator_rules.xml, vpopmail_rules.xml, vsftpd_rules.xml, web_rules.xml, wordpress_rules.xml, zeus_rules.xml

OSSEC Rule ID Ranges

00000–00999 Reserved for internal OSSEC HIDS rules
01000–01999 General syslog rules
02100–02299 Network File System (NFS) rules
02300–02499 xinetd rules
02500–02699 Access control rules
02700–02729 mail/procmail rules
02800–02829 smartd rules
02830–02859 crond rules
02860–02899 Mount/Automount rules
03100–03299 Sendmail mail server rules
03300–03499 Postfix mail server rules
03500–03599 spamd filter rules
03600–03699 imapd mail server rules
03700–03799 Mail scanner rules
03800–03899 Microsoft Exchange mail server rules
03900–03999 Courier mail rules (imapd/pop3d/pop3-ssl)
04100–04299 Generic firewall rules
04300–04499 Cisco PIX/FWSM/ASA firewall rules
04500–04699 Juniper Netscreen firewall rules
04700–04799 Cisco IOS rules
04800–04899 SonicWall firewall rules
05100–05299 Linux, UNIX, BSD kernel rules
05300–05399 Switch user (su) rules
05400–05499 Super user do (sudo) rules
05500–05599 Unix pluggable authentication modules (PAM) rules
05600–05699 telnetd rules
05700–05899 sshd rules
05900–05999 Add user or user deletion rules
07100–07199 Tripwire rules
07200–07299 arpwatch rules
07300–07399 Symantec Antivirus rules
07400–07499 Symantec Web Security rules
09100–09199 Point-to-point tunneling protocol (PPTP) rules
09200–09299 Squid syslog rules
09300–09399 Horde IMP rules
09900–09999 vpopmail rules
10100–10199 FTS rules
11100–11199 ftpd rules
11200–11299 ProFTPD rules
11300–11399 Pure-FTPD rules
11400–11499 vs-FTPD rules
11500–11599 MS-FTP rules
12100–12299 named (BIND DNS) rules
13100–13299 Samba (smbd) rules
14100–14199 Racoon SSL rules
14200–14299 Cisco VPN Concentrator rules
17100–17399 Policy rules
18100–18499 Windows system rules
20100–20299 IDS rules
20300–20499 IDS (Snort specific) rules
30100–30999 Apache HTTP server error log rules
31100–31199 Web access log rules
31200–31299 Zeus web server rules
35000–35999 Squid rules
40100–40499 Attack pattern rules
40500–40599 Privilege escalation rules
40600–40999 Scan pattern rules
50100–50299 MySQL database rules
50500–50799 PostgreSQL database rules
100000–119999 User-defined rules

Custom Rules

/var/ossec/rules/local_rules.xml

Pipeline: Event -> PreDecoding -> Decoding -> Rules -> Alerts -> e-mails / Active Responses / Logs


Predecoding Fields

• Time
• Date
• Hostname
• Program Name
• Log message

Jun 13 13:13:03 cle-linx01 sshd[1205]: Accepted password for admin from 10.1.1.1 port 1618 ssh2


Decoding Fields

• Username
• IP Address
• Port
• Version

Jun 13 13:13:03 cle-linx01 sshd[1205]: Accepted password for admin from 10.1.1.1 port 1618 ssh2

Accepted password for admin from 10.1.1.1 port 1618 ssh2

/var/ossec/etc/decoders.xml

<decoder name="sshd">
  <program_name>^sshd</program_name>
</decoder>

<decoder name="sshd-success">
  <parent>sshd</parent>
  <prematch>^Accepted</prematch>
  <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port </regex>
  <order>user, srcip</order>
  <fts>name, user, location</fts>
</decoder>

<decoder name="ssh-denied">
  <parent>sshd</parent>
  <prematch>^User \S+ from </prematch>
  <regex offset="after_parent">^User (\S+) from (\S+) </regex>
  <order>user, srcip</order>
</decoder>
...


2 Types of Rules

Atomic

An atomic rule is evaluated against a single decoded event.

Atomic Rule Example

<group name="web,accesslog,">
  <rule id="31100" level="0">
    <category>web-log</category>
    <description>Access log messages grouped.</description>
  </rule>
</group>

Composite

A composite rule counts matches of another rule over a time window; the one below fires at level 10 once rule 31104 has matched 8 times from the same source IP within 120 seconds.

Composite Rule Example

<rule id="31153" level="10" frequency="8" timeframe="120">
  <if_matched_sid>31104</if_matched_sid>
  <same_source_ip />
  <description>Multiple common web attacks from same source ip.</description>
  <group>attack,</group>
</rule>
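To make the pipeline concrete, the following added example (not OSSEC code) re-implements in Python the steps shown for the sshd line in the Predecoding and Decoding slides and the atomic/composite distinction above: a syslog pre-decoder, the sshd-success and ssh-denied decoders from decoders.xml as regexes bound to their <order> fields, an atomic rule per decoder and a frequency/timeframe/same_source_ip composite rule. The sshd-failed decoder, the sample log lines, and the rule ids, levels, frequency and timeframe (taken from the stock sshd_rules.xml as I recall it) are assumptions to check against your own copy.

```python
"""The slides' pipeline (Event -> PreDecoding -> Decoding -> Rules -> Alerts)
re-implemented for sshd lines. Added example, not OSSEC code.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Pre-decoding: peel the syslog envelope (time, hostname, program name, message).
SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<log>.*)$"
)


def predecode(line):
    """Return the Predecoding fields for one line, or None if it is not syslog."""
    m = SYSLOG.match(line)
    if not m:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # syslog has no year
        "hostname": m["host"],
        "program_name": m["prog"],
        "log": m["log"],
    }


# Decoding: decoders.xml entries as Python regexes. As in OSSEC, the capture
# groups are bound, in order, to the field names listed in <order>.
DECODERS = [
    # sshd-success: <prematch>^Accepted</prematch> <regex>^ \S+ for (\S+) from (\S+) port </regex>
    ("sshd-success", re.compile(r"^Accepted \S+ for (\S+) from (\S+) port "), ("user", "srcip")),
    # ssh-denied: <regex>^User (\S+) from (\S+) </regex>
    ("ssh-denied", re.compile(r"^User (\S+) from (\S+) "), ("user", "srcip")),
    # sshd-failed is an assumption of this example (not on the slide), matching
    # "Failed password for [invalid user] NAME from IP port ..."
    ("sshd-failed", re.compile(r"^Failed \S+ for (?:invalid user )?(\S+) from (\S+) port "), ("user", "srcip")),
]


def decode(event):
    """Apply the first matching child of the 'sshd' parent decoder."""
    if event is None or not event["program_name"].startswith("sshd"):
        return event  # <program_name>^sshd</program_name> did not match
    for name, rx, order in DECODERS:
        m = rx.match(event["log"])
        if m:
            event["decoder"] = name
            event.update(zip(order, m.groups()))
            break
    return event


# Rules. Ids, levels and the 5720 frequency/timeframe follow the stock
# sshd_rules.xml as I recall it (assumption); check them against your copy.
ATOMIC = {  # decoder name -> (sid, level, description)
    "sshd-success": (5715, 3, "SSHD authentication success."),
    "sshd-failed": (5716, 5, "SSHD authentication failed."),
}
COMPOSITE = {  # <rule id="5720" level="10" frequency="6" timeframe="360">
    "sid": 5720, "level": 10, "if_matched_sid": 5716, "frequency": 6,
    "timeframe": 360, "description": "Multiple SSHD authentication failures.",
}


class RuleEngine:
    def __init__(self):
        # <same_source_ip /> means one window per (matched sid, srcip)
        self.windows = defaultdict(deque)

    def process(self, line):
        """Return the alerts (sid, level, description, srcip) one line produces."""
        ev = decode(predecode(line))
        if not ev or ev.get("decoder") not in ATOMIC:
            return []
        sid, level, desc = ATOMIC[ev["decoder"]]
        alerts = [(sid, level, desc, ev["srcip"])]
        if sid == COMPOSITE["if_matched_sid"]:
            window = self.windows[(sid, ev["srcip"])]
            window.append(ev["time"])
            cutoff = ev["time"] - timedelta(seconds=COMPOSITE["timeframe"])
            while window and window[0] < cutoff:
                window.popleft()  # matches older than the timeframe fall out
            if len(window) >= COMPOSITE["frequency"]:
                alerts.append((COMPOSITE["sid"], COMPOSITE["level"],
                               COMPOSITE["description"], ev["srcip"]))
                window.clear()  # this toy engine: one burst -> one correlated alert
        return alerts


# Constructed sample: the slide's success line, a lone failure from one IP and
# a six-try burst from another, ten seconds apart.
SAMPLE = [
    "Jun 13 13:13:03 cle-linx01 sshd[1205]: Accepted password for admin from 10.1.1.1 port 1618 ssh2",
    "Jun 13 13:14:20 cle-linx01 sshd[1300]: Failed password for invalid user eve from 198.51.100.4 port 4010 ssh2",
] + [
    f"Jun 13 13:15:{s:02d} cle-linx01 sshd[13{s:02d}]: Failed password for root from 203.0.113.9 port 40{s:02d} ssh2"
    for s in range(0, 60, 10)
]


def run(lines=SAMPLE):
    engine = RuleEngine()
    return [a for line in lines for a in engine.process(line)]


if __name__ == "__main__":
    for sid, level, desc, ip in run():
        print(f"Rule: {sid} (level {level}) -> '{desc}'  Src IP: {ip}")
```

Each failure still raises its own level-5 alert; the level-10 alert appears once, on the sixth failure from 203.0.113.9, and never for 198.51.100.4. The OSSEC manual notes that the stock engine actually triggers a frequency rule a couple of matches later than the nominal count, so treat the exact threshold here as this example's, not OSSEC's.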

What log files get monitored?

ossec.conf log file entries

<!-- Files to monitor (localfiles) -->
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/messages</location>
</localfile>

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/secure</location>
</localfile>

<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/maillog</location>
</localfile>

<localfile>
  <log_format>apache</log_format>
  <location>/var/log/httpd/error_log</location>
</localfile>
...

How do I shut this thing up?

Rewriting A Rule to Silence It

Edit /var/ossec/rules/local_rules.xml. A child rule at level 0 takes over the parent's matches, so the event is still decoded but never alerted on (level 0 is "Ignored" in the alert level table above).

<rule id="100030" level="0">
  <if_sid>31106</if_sid>
  <description>List of rules to be ignored.</description>
</rule>

<rule id="110002" level="0">
  <if_group>authentication_failures,</if_group>
  <if_sid>18152</if_sid>
  <description>Changes ignored.</description>
</rule>

<rule id="110003" level="0">
  <if_group>system_error,</if_group>
  <if_sid>31122</if_sid>
  <description>Changes ignored.</description>
</rule>

Raise Alert Levels

Stupid OSSEC Tricks

Coding Daily Reports

Add these lines to ossec.conf

Receive a summary of all authentication successes:

<ossec_config>
  <reports>
    <category>authentication_success</category>
    <user type="relation">srcip</user>
    <title>Daily report: Successful logins</title>
    <email_to>me@me.com</email_to>
  </reports>
</ossec_config>

Receive a summary of all file integrity monitoring (syscheck) alerts:

<ossec_config>
  <reports>
    <category>syscheck</category>
    <title>Daily report: File changes</title>
    <email_to>me@me.com</email_to>
  </reports>
</ossec_config>

Authentication Daily Report

Report 'Daily report: Successful logins' completed.
------------------------------------------------
->Processed alerts: 4388
->Post-filtering alerts: 2
->First alert: 2010 Aug 6 13:25:04
->Last alert: 2010 Aug 6 13:25:04

Top entries for 'Source ip':
------------------------------------------------
10.xx.xx.xx                                     |1       |

Top entries for 'Username':
------------------------------------------------
administrator                                   |1       |

Top entries for 'Level':
------------------------------------------------
Severity 3                                      |2       |

Top entries for 'Group':
------------------------------------------------
authentication_success                          |2       |
syslog                                          |2       |
pam                                             |1       |
sshd                                            |1       |

Top entries for 'Location':
------------------------------------------------
(dmz-server) 192.168.x.x->/var/log/secure       |2       |

Top entries for 'Rule':
------------------------------------------------
5501 - Login session opened.                    |1       |
5715 - SSHD authentication success.             |1       |

Related entries for 'Username':
------------------------------------------------
administrator                                   |1       |
   srcip: '10.xx.xx.xx'

Forensic Analysis of Log Files

ossec-logtest reads log lines on stdin and, with -a, prints every alert the current rule set would raise for them, so an archived log can be replayed through the rules without a running server.

# cat /var/log/secure | /var/ossec/bin/ossec-logtest -a

2010/08/18 08:37:32 ossec-testrule: INFO: Started (pid: 25489).

** Alert 1282135052.1: mail - syslog,fts,authentication_success
2010 Aug 18 08:37:32 MYSVR01->stdin
Rule: 10100 (level 4) -> 'First time user logged in.'
Src IP: 192.168.14.147
User: root
Aug 16 08:31:30 MYSVR01 sshd[28191]: Accepted password for root from 192.168.14.147 port 56321

** Alert 1282135052.2: - syslog,sshd,authentication_success,
2010 Aug 18 08:37:32 MYSVR01->stdin
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 192.168.0.5
User: root
Aug 16 16:24:37 MYSVR01 sshd[7089]: Accepted password for root from 192.168.0.5 port 35614 ssh2

** Alert 1282135052.3: mail - syslog,errors,
2010 Aug 18 08:37:32 MYSVR01->stdin
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Src IP: (none)
User: (none)
Aug 17 09:32:20 MYSVR01 sshd[3176]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.

Forensic Analysis Summary (1)

# cat /var/log/secure | /var/ossec/bin/ossec-logtest -a | /var/ossec/bin/ossec-reportd

2010/08/18 08:42:53 ossec‐reportd: INFO: Started (pid: 32590).

2010/08/18 08:42:53 ossec‐testrule: INFO: Started (pid: 32589).

2010/08/18 08:42:58 ossec‐reportd: INFO: Report completed. Creating output...

Report completed. ==

‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐

‐>Processed alerts: 7

‐>Post‐filtering alerts: 7

‐>First alert: 2010 Aug 18 08:42:53

->Last alert: 2010 Aug 18 08:42:53

Top entries for 'Source ip':

‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐

192.168.14.147                                     |2       |

192.168.16.52                                      |1       |

192.168.0.5                                        |1       |

Top entries for 'Username':

‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐

root                                            |4       |

Forensic Analysis Summary (2)

Top entries for 'Level':

‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐

Severity 3                                      |5       |

Severity 2                                      |1       |

Severity 4                                      |1       |

Top entries for 'Group':

‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐

syslog                                          |7       |

authentication_success                          |5       |

sshd                                            |3       |

pam                                             |2       |

errors                                          |1       |

fts                                             |1       |

Top entries for 'Location':

‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐

MYSVR01->stdin                                  |7       |

Forensic Analysis Summary (3)

Top entries for 'Rule':

‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐

5715 ‐ SSHD authentication success.             |3       |

1002 ‐ Unknown problem somewhere in the syst..  |1       |

10100 ‐ First time user logged in.              |1       |

5501 ‐ Login session opened.                    |1       |

5502 ‐ Login session closed.                    |1       |

Log dump:

‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐

2010 Aug 18 08:42:53 MYSVR01‐>stdin

Rule: 10100 (level 4) -> 'First time user logged in.'

Aug 16 08:31:30 MYSVR01 sshd[28191]: Accepted password for root from 192.168.14.147 port 56321

Brute Force Attack Report

# cat /var/log/secure | /var/ossec/bin/ossec-logtest -a | /var/ossec/bin/ossec-reportd -f group authentication_failures

Report completed. ==
------------------------------------------------
->Processed alerts: 362
->Post-filtering alerts: 21

Top entries for 'Source ip':
------------------------------------------------
87.123.106.142                                  |2       |
8.20.19.170                                     |2       |
134.255.9.163                                   |1       |
17.15.13.13                                     |1       |
14.25.62.36                                     |1       |
73.45.18.20                                     |1       |
20.12.99.59                                     |1       |
102.63.145.50                                   |1       |
222.2.25.202                                    |1       |

Top entries for 'Username':
------------------------------------------------
root                                            |22      |

Top entries for 'Level':
------------------------------------------------
Severity 10                                     |21      |

Top entries for 'Group':
------------------------------------------------
authentication_failures                         |21      |
sshd                                            |21      |
syslog                                          |21      |

Top entries for 'Location':
------------------------------------------------
enigma->stdin                                   |21      |

Top entries for 'Rule':
------------------------------------------------
5720 - Multiple SSHD authentication failures.   |19      |
5712 - SSHD brute force trying to get access..  |1       |

Lessons Learned

• It's simple. Use it.
• Lots of noise on upgrades.
• Windows 2008 R2 whines... and whines... and whines...
• Agentless monitoring allows you to monitor many appliances (routers, switches, firewalls, etc.)

Questions?
