OSSEC HIDS, Host Based Intrusion Detection System
DESCRIPTION
Aurora Mazzone, INFN Sezione di Torino, Part Three. OSSEC HIDS, Host Based Intrusion Detection System. Log analysis: configuration files. decoder: /var/ossec/etc/decoder.xml, /var/ossec/etc/local_decoder.xml; rules: /var/ossec/rules/*.xml, /var/ossec/rules/local_rules.xml.
TRANSCRIPT
OSSEC HIDS, Host Based Intrusion Detection System
Aurora Mazzone, INFN Sezione di Torino
Part Three
Log analysis: configuration files
decoder:
/var/ossec/etc/decoder.xml
/var/ossec/etc/local_decoder.xml
rules:
/var/ossec/rules/*.xml
/var/ossec/rules/local_rules.xml
local_decoder.xml and local_rules.xml are the place for site-specific decoders and rules; the other files are replaced when OSSEC is upgraded.
Log analysis: configuration files
ossec.conf:
```xml
<rules>
  <include>rules_config.xml</include>
  <include>pam_rules.xml</include>
  <include>sshd_rules.xml</include>
  <include>telnetd_rules.xml</include>
  [...]
</rules>
```
Rule files are loaded in this order, and a rule can only reference (with if_sid or if_matched_sid) rules that were loaded before it; this is why local_rules.xml is included last.
Log analysis
Three phases:
1. pre-decoding
2. decoding
3. rules
Pre-decoding
Static information:
- hostname
- program_name
- date/timestamp
- log
Pre-decoding
Oct 28 14:21:39 atropo sshd[855]: Accepted password for jack from 192.135.19.13 port 45018 ssh2
Pre-decoding
Output of /var/ossec/bin/ossec-logtest for the line above:
```text
**Phase 1: Completed pre-decoding.
       full event: 'Oct 28 14:21:39 atropo sshd[855]: Accepted password for jack from 192.135.19.13 port 45018 ssh2'
       hostname: 'atropo'
       program_name: 'sshd'
       log: 'Accepted password for jack from 192.135.19.13 port 45018 ssh2'
```
The part of the log parsed in this phase is the syslog header: "Oct 28 14:21:39 atropo sshd[855]:". The pid in brackets is dropped; everything after the colon becomes the log field that the decoders work on.
Decoding
Dynamic information:
- user
- protocol
- source/destination port
- source/destination ip
- action
- id
- url
- [...]
Decoding
Oct 28 14:21:39 atropo sshd[855]: Accepted password for jack from 192.135.19.13 port 45018 ssh2
Decoding
ossec-logtest output:
```text
**Phase 2: Completed decoding.
       decoder: 'sshd'
       dstuser: 'jack'
       srcip: '192.135.19.13'
```
Decoding
sshd parent decoder:
```xml
<decoder name="sshd">
  <program_name>^sshd</program_name>
</decoder>
```
From pre-decoding: program_name: 'sshd', so the parent decoder is selected on the program name alone.
Decoding
sshd child decoder:
```xml
<decoder name="sshd-success">
  <parent>sshd</parent>
  <prematch>^Accepted</prematch>
  <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port </regex>
  <order>user, srcip</order>
  <fts>name, user, location</fts>
</decoder>
```
Decoding: some tags
sshd child decoder:
<parent>: name of the parent decoder this one depends on.
<prematch>: string match (regular expressions allowed) that selects the child decoder (os_regex).
<regex>: regular expression (os_regex) with capture groups that extract the dynamic fields.
@offset: where the regex starts matching; after_prematch means right after the text matched by <prematch>.
<order>: labels for the extracted fields, one per capture group in order (the label user is reported by ossec-logtest as dstuser).
<fts>: fields whose combination is tracked for "first time seen" alerts; here decoder name, user and location.
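The pre-decoding and decoding phases described on the slides above, as an added example in Python; this is not code from the presentation or from OSSEC itself. Phase 1 parses only the syslog header into timestamp, hostname, program_name and log; phase 2 selects a parent decoder by program_name, then tries the child decoders in order: a child is selected by its prematch, its regex runs on the text after the prematch (offset="after_prematch") and the capture groups are labelled by order. Python's re module stands in for os_regex. The sshd-failed child decoder (modelled on the slides' sshd-success one), the kernel sample line and the behaviour of skipping a child whose prematch hits but whose regex misses are assumptions of this model, not taken from the page.

```python
import re

# Constructed sample lines: the two sshd lines from the slides plus one
# non-sshd line for which no decoder on the slides applies.
SAMPLES = [
    "Oct 28 14:21:39 atropo sshd[855]: Accepted password for jack from 192.135.19.13 port 45018 ssh2",
    "Dec 8 23:56:33 localhost sshd[2688]: Failed password for root from 192.168.108.1 port 57084 ssh2",
    "Oct 28 14:22:00 atropo kernel: usb 1-1: new device",
]

# Phase 1: pre-decoding parses only the static syslog header.
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\s\[:]+)(?:\[\d+\])?: "   # pid in brackets is dropped
    r"(?P<log>.*)$"
)

def predecode(line):
    m = SYSLOG_HEADER.match(line)
    if m is None:
        # Not syslog-shaped: keep the whole line as the log, no program_name.
        return {"timestamp": None, "hostname": None, "program_name": None, "log": line}
    return m.groupdict()

# Phase 2: a small model of decoder.xml. Parent decoders select on
# program_name; child decoders select on <prematch>, run <regex> on the text
# after the prematch and label the capture groups with <order>.
DECODERS = [
    {"name": "sshd", "program_name": re.compile(r"^sshd")},
    {"name": "sshd-success", "parent": "sshd",
     "prematch": re.compile(r"^Accepted"),
     "regex": re.compile(r"^ \S+ for (\S+) from (\S+) port "),
     "order": ("dstuser", "srcip")},        # <order>user, srcip</order>
    {"name": "sshd-failed", "parent": "sshd",   # assumed child, not on the slides
     "prematch": re.compile(r"^Failed"),
     "regex": re.compile(r"^ \S+ for (?:invalid user )?(\S+) from (\S+) port "),
     "order": ("dstuser", "srcip")},
]

def decode(event):
    out = dict(event, decoder=None)
    pn = event["program_name"]
    parent = next((d for d in DECODERS
                   if "parent" not in d and pn and d["program_name"].search(pn)), None)
    if parent is None:
        return out
    out["decoder"] = parent["name"]   # ossec-logtest reports the parent's name
    for child in (d for d in DECODERS if d.get("parent") == parent["name"]):
        pm = child["prematch"].search(event["log"])
        if pm is None:
            continue
        m = child["regex"].match(event["log"][pm.end():])   # offset="after_prematch"
        if m is None:
            continue   # assumption: prematch hit but regex missed, try the next child
        out.update(zip(child["order"], m.groups()))
        break
    return out

def analyze(line):
    """Phases 1 and 2 for one raw log line."""
    return decode(predecode(line))

if __name__ == "__main__":
    for line in SAMPLES:
        print(analyze(line))
```

The third sample shows the ordinary case: pre-decoding still yields hostname and program_name, but no decoder claims the event, so no dynamic field is extracted and a rule can only work on the raw log text.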
Decoding: os_regex
- regular expressions
- not many options, but fast
- used by every decoder option that takes a regular expression or a string match (<prematch> and <regex>) and by the <regex> tag in rules
Rules
Oct 28 14:21:39 atropo sshd[855]: Accepted password for jack from 192.135.19.13 port 45018 ssh2
Rules: filtering
ossec-logtest output:
```text
**Phase 3: Completed filtering (rules).
       Rule id: '5715'
       Level: '3'
       Description: 'SSHD authentication success.'
**Alert to be generated.
```
Rules: filtering
sshd parent rule:
```xml
<rule id="5700" level="0" noalert="1">
  <decoded_as>sshd</decoded_as>
  <description>SSHD messages grouped.</description>
</rule>
```
Rules: some tags
@id: unique id identifying each rule (more than 800 in the default ruleset)
@level: from 0 to 15, severity level; level 0 rules never generate an alert
<decoded_as>: name of the decoder that already decoded the log (if any)
Rules: filtering
sshd child rules:
```xml
<rule id="5715" level="3">
  <if_sid>5700</if_sid>
  <match>^Accepted|authenticated.$</match>
  <description>SSHD authentication success.</description>
  <group>authentication_success,</group>
</rule>
```
Rules: some tags
<if_sid>: id of the parent rule this one depends on; the child is only evaluated when the parent matched
<match>: string match (os_match)
<group>: additional group assigned to the event
Rules: os_match
- fast match of a string
- does not support regular expressions (only the ^ and $ anchors and | alternation that rule 5715 itself uses: ^Accepted|authenticated.$)
- very simple, but faster than os_regex
- used in rules by every tag that compares a value (except <regex>)
Relationship between rules and decoders
Decoder: needed only when dynamic information has to be extracted from the log, to be compared later in rules, used for fts (first time seen) or passed to active response.
Rules: there can be rules that reference no decoder at all and work on the raw log text.
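The rule-filtering phase from the slides above (the parent rule selected by decoded_as, the children selected by if_sid and match, os_match semantics), as an added example in Python that is not code from the presentation or from OSSEC. It models os_match as literal text with only ^, $ and | special, walks from rule 5700 to its children 5715/5716 and returns the deepest match, and shows two cases the slides imply but do not print: an sshd message that only the level-0 parent matches raises no alert, and the success line cannot reach 5715 when no decoder assigned 'sshd'. The input events are constructed in the shape phase 2 hands to the rules; the "Received disconnect" line is made up for the example.

```python
# Constructed events in the shape phase 2 (decoding) produces: the two sshd
# lines from the slides, an sshd message that no child rule matches, and the
# success line as it would arrive if no decoder had recognised it.
EVENTS = {
    "success": {"decoder": "sshd", "log": "Accepted password for jack from 192.135.19.13 port 45018 ssh2"},
    "failure": {"decoder": "sshd", "log": "Failed password for root from 192.168.108.1 port 57084 ssh2"},
    "other": {"decoder": "sshd", "log": "Received disconnect from 192.168.108.1: 11: Bye Bye"},
    "undecoded": {"decoder": None, "log": "Accepted password for jack from 192.135.19.13 port 45018 ssh2"},
}

# Rules 5700, 5715 and 5716 as they appear on the slides.
RULES = [
    {"id": 5700, "level": 0, "noalert": True, "decoded_as": "sshd",
     "description": "SSHD messages grouped."},
    {"id": 5715, "level": 3, "if_sid": 5700, "match": "^Accepted|authenticated.$",
     "group": "authentication_success", "description": "SSHD authentication success."},
    {"id": 5716, "level": 5, "if_sid": 5700, "match": "^Failed|^error: PAM: Authentication",
     "group": "authentication_failed", "description": "SSHD authentication failed."},
]

def os_match(pattern, text):
    """Model of os_match: literal text, '|' alternation, '^' anchoring the
    start and '$' anchoring the end; no other character is special."""
    for alt in pattern.split("|"):
        anchored_start = alt.startswith("^")
        anchored_end = alt.endswith("$")
        lit = alt[(1 if anchored_start else 0):(len(alt) - 1 if anchored_end else len(alt))]
        if anchored_start and anchored_end:
            hit = text == lit
        elif anchored_start:
            hit = text.startswith(lit)
        elif anchored_end:
            hit = text.endswith(lit)
        else:
            hit = lit in text
        if hit:
            return True
    return False

def rule_applies(rule, event):
    if "decoded_as" in rule and event.get("decoder") != rule["decoded_as"]:
        return False
    if "match" in rule and not os_match(rule["match"], event["log"]):
        return False
    return True

def filter_rules(event):
    """Walk the rule tree: root rules (no if_sid) first, then the children of
    whichever rule matched. The deepest match is the one reported."""
    matched, parent_id = None, None
    while True:
        nxt = next((r for r in RULES
                    if r.get("if_sid") == parent_id and rule_applies(r, event)), None)
        if nxt is None:
            return matched
        matched, parent_id = nxt, nxt["id"]

def alert_for(event):
    """Phase 3 result: None when nothing matched or the rule cannot alert
    (level 0 or noalert), otherwise what ossec-logtest would print."""
    rule = filter_rules(event)
    if rule is None or rule.get("noalert") or rule["level"] == 0:
        return None
    return {"rule_id": rule["id"], "level": rule["level"],
            "description": rule["description"], "group": rule.get("group")}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(name, filter_rules(ev) and filter_rules(ev)["id"], alert_for(ev))
```

The "undecoded" case is the practical reason a custom decoder is usually paired with a grouping rule: without decoded_as resolving to sshd, the whole sshd subtree is unreachable no matter what the message says.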
Composite rules
Event correlation:
- condition
- counter
- timeframe
- elements in common (same user, same source ip, ...)
Composite rules
Event correlation:
condition
<if_matched_sid>, <if_matched_group>, <if_matched_regex>
These refer to previously matched events, unlike <if_sid> and <if_group>, which refer to the event being processed.
Composite rules
Event correlation:
counter
@frequency (attribute of <rule>): number of matching events required
timeframe
@timeframe (attribute of <rule>): window in seconds within which the events must occur
Composite rules
Event correlation:
elements in common
<same_source_ip />, <same_src_port />, <same_dst_port />, <same_user />, <same_location />, <same_id />, <different_url />
Composite rules
```text
10x  Dec 8 23:56:33 localhost sshd[2688]: Failed password for root from 192.168.108.1 port 57084 ssh2
+ 1x Dec 8 23:56:51 localhost sshd[2699]: Accepted password for root from 192.168.108.1 port 57087 ssh2
```
Composite rules
Failed login:
```text
**Phase 2: Completed decoding.
       decoder: 'sshd'
       dstuser: 'root'
       srcip: '192.168.108.1'

**Phase 3: Completed filtering (rules).
       Rule id: '5716'
       Level: '5'
       Description: 'SSHD authentication failed.'
**Alert to be generated.
```
Composite rules
Rule 5716
```xml
<rule id="5716" level="5">
  <if_sid>5700</if_sid>
  <match>^Failed|^error: PAM: Authentication</match>
  <description>SSHD authentication failed.</description>
  <group>authentication_failed,</group>
</rule>
```
Composite rules
Authentication success:
```text
**Phase 2: Completed decoding.
       decoder: 'sshd'
       dstuser: 'root'
       srcip: '192.168.108.1'

**Phase 3: Completed filtering (rules).
       Rule id: '5715'
       Level: '3'
       Description: 'SSHD authentication success.'
**Alert to be generated.
```
Composite rules
Rule 5715
```xml
<rule id="5715" level="3">
  <if_sid>5700</if_sid>
  <match>^Accepted|authenticated.$</match>
  <description>SSHD authentication success.</description>
  <group>authentication_success,</group>
</rule>
```
Composite rules
Rule 5720
```xml
<rule id="5720" level="10" frequency="6">
  <if_matched_sid>5716</if_matched_sid>
  <same_source_ip />
  <description>Multiple SSHD authentication failures.</description>
  <group>authentication_failures,</group>
</rule>
```
Matches after 6 failed ssh logins (6 matches of rule 5716) from the same source ip. The OSSEC rule-syntax documentation warns that the number of matches that actually triggers a frequency rule can be two more than the configured value, so check the real threshold with ossec-logtest before relying on it.
Composite rules
Failed login:
6 failed login attempts = 6 matches of rule 5716 = rule 5720
rule 5720: group: authentication_failures, srcip: '192.168.108.1'
Composite rules
Authentication success:
1 successful login = 1 match of rule 5715
rule 5715: group: authentication_success, srcip: '192.168.108.1'
Composite rules
Rule 40112
```xml
<rule id="40112" level="12" timeframe="240">
  <if_group>authentication_success</if_group>
  <if_matched_group>authentication_failures</if_matched_group>
  <same_source_ip />
  <description>Multiple authentication failures followed </description>
  <description>by a success.</description>
</rule>
```
<if_group> applies to the current event (the success), <if_matched_group> to events already alerted in the previous 240 seconds (the 5720 alert), and <same_source_ip /> ties the two together. The two <description> elements are concatenated, as the ossec-logtest output on the last slide shows.
Composite rules
6x 5716 (authentication_failed) = 5720 (authentication_failures)
+ 1x 5715 (authentication_success) within 240 s from the same source ip = 40112
Composite rules
```text
**Phase 2: Completed decoding.
       decoder: 'sshd'
       dstuser: 'root'
       srcip: '192.168.108.1'

**Phase 3: Completed filtering (rules).
       Rule id: '40112'
       Level: '12'
       Description: 'Multiple authentication failures followed by a success.'
**Alert to be generated.
```
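The composite-rule correlation walked through on the slides above (frequency, timeframe, same_source_ip, if_matched_sid and if_matched_group), as an added example in Python that is not code from the presentation or from OSSEC. It replays the slides' scenario, ten failed root logins and one success from the same address eighteen seconds later, through rules 5720 and 40112, and adds two constructed counter-cases: the success comes from another address, or it comes more than 240 seconds after the failures. Assumptions of this model, not taken from the page: the single-event rules 5715/5716 are reduced to a prefix test, a rule without a timeframe attribute (5720 has none) is given a 360 second window, the current event counts towards an if_matched_sid rule, alerts consumed by a frequency rule are not counted again, and a year is supplied for the timestamp arithmetic.

```python
from datetime import datetime, timedelta

# Constructed input in the shape phase 2 leaves it: (time, srcip, log).
DAY = "2013 Dec 8 "   # assumed year; syslog timestamps carry none
FAILED = "Failed password for root from 192.168.108.1 port 57084 ssh2"
ACCEPTED = "Accepted password for root from 192.168.108.1 port 57087 ssh2"
EVENTS = [("23:56:33", "192.168.108.1", FAILED)] * 10 + [("23:56:51", "192.168.108.1", ACCEPTED)]
OTHER_IP = EVENTS[:10] + [("23:56:51", "10.0.0.5", ACCEPTED)]
LATE = [("23:50:00", "192.168.108.1", FAILED)] * 6 + [("23:56:51", "192.168.108.1", ACCEPTED)]

DEFAULT_TIMEFRAME = 360   # assumed window for a rule without a timeframe attribute

# Composite rules 5720 and 40112 as on the slides.
COMPOSITE = [
    {"id": 5720, "level": 10, "frequency": 6, "if_matched_sid": 5716,
     "same_source_ip": True, "group": "authentication_failures",
     "description": "Multiple SSHD authentication failures."},
    {"id": 40112, "level": 12, "timeframe": 240, "if_group": "authentication_success",
     "if_matched_group": "authentication_failures", "same_source_ip": True,
     "description": "Multiple authentication failures followed by a success."},
]

def ts(hms):
    return datetime.strptime(DAY + hms, "%Y %b %d %H:%M:%S")

def base_rule(log):
    """Stand-in for the single-event rules 5715/5716 of phase 3."""
    if log.startswith("Failed") or log.startswith("error: PAM: Authentication"):
        return {"id": 5716, "level": 5, "groups": {"authentication_failed"}}
    if log.startswith("Accepted") or log.endswith("authenticated."):
        return {"id": 5715, "level": 3, "groups": {"authentication_success"}}
    return None

def correlate(events):
    """Phase 3 with composite rules; returns the alert raised for each event."""
    history = []   # alerts already raised, oldest first
    alerts = []
    for hms, srcip, log in events:
        now = ts(hms)
        base = base_rule(log)
        if base is None:
            alerts.append(None)
            continue
        alert = dict(base, time=now, srcip=srcip, log=log)
        for c in COMPOSITE:
            # Condition on the current event: if_group / if_matched_sid.
            if "if_group" in c and c["if_group"] not in alert["groups"]:
                continue
            if "if_matched_sid" in c and alert["id"] != c["if_matched_sid"]:
                continue
            # Condition on past alerts: inside the timeframe, same source ip,
            # and matching the referenced rule id or group.
            window = timedelta(seconds=c.get("timeframe", DEFAULT_TIMEFRAME))
            related = [
                h for h in history
                if timedelta(0) <= now - h["time"] <= window
                and (not c.get("same_source_ip") or h["srcip"] == srcip)
                and (h["id"] == c["if_matched_sid"] if "if_matched_sid" in c
                     else c["if_matched_group"] in h["groups"])
            ]
            # Counter: the current event counts towards an if_matched_sid rule.
            counted = len(related) + (1 if "if_matched_sid" in c else 0)
            if counted < c.get("frequency", 1):
                continue
            # The composite rule replaces the single-event alert for this log.
            alert = {"id": c["id"], "level": c["level"], "time": now, "srcip": srcip,
                     "log": log, "related": related,
                     "groups": {c["group"]} if "group" in c else set()}
            # Simplification: alerts consumed by a frequency rule are dropped,
            # so 5720 does not fire again on every later failure.
            for h in related:
                history.remove(h)
            break
        history.append(alert)
        alerts.append(alert)
    return alerts

def rule_ids(events):
    return [a["id"] if a else None for a in correlate(events)]

if __name__ == "__main__":
    print(rule_ids(EVENTS))      # the sixth failure becomes 5720, the success 40112
    print(rule_ids(OTHER_IP))    # success from another address stays 5715
    print(rule_ids(LATE))        # success outside the 240 s window stays 5715
```

Both counter-cases end in a plain 5715, which is the point of same_source_ip and timeframe: the level-12 alert is reserved for a success that is tied to the burst of failures by address and by time.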