Like other open source projects, OSSEC suffers from a lack of good documentation. If you’re not paying for support, getting simple things done can take a bit of experimentation. Here are some tips and tricks I’ve found that make dealing with OSSEC rules easier.

Update OSSEC Rules

Daniel Cid, the OSSEC creater, updates rules and adds them to an updated installation tarball on Bitbucket. Earlier this month, he added a rule to flag and block the rash of recent PHP-CGI vulnerability scans.

To update OSSEC rules and decoders, I grab these installation files and update my OSSEC installation every so often.

wget https://bitbucket.org/dcid/ossec-hids/get/tip.tar.gz
gunzip -d dcid-ossec-hids-034fed895369.tar.gz
tar -xvf dcid-ossec-hids-034fed895369.tar
sudo ./install.sh

Follow the installation instructions. It will detect that you already have it installed and ask:

- You already have OSSEC installed. Do you want to update it? (y/n): y
- Do you want to update the rules? (y/n): y

Answer “y” to these questions and it will update everything properly. Your local rules and configuration options will not be modified.

Tuning: Filtering Out Noise

Like any other IDS, OSSEC generates an amount of false positives and other alerts that represent activity that is acceptable in your environment. In order to see the valid issues, you need to decrease the level of noise. One way to do so is by adding local rules that decrease the OSSEC alert level of the event in question to 0.

For a more in depth discussion about filtering out false positives and other examples, check out chapter 4 of the OSSEC book.

Here is an example. I have an alert on an Antivirus scan of a file that timed out:

I want an alert when AV finds a malicious file, but not when an AV scan of a file times-out. I am going to add a rule to the local rules file that drops the severity of this AV rule to “0″. To add a rule, edit the following file: /var/ossec/rules/local_rules.xml

sudo vi  /var/ossec/rules/local_rules.xml

I added the following rule. This matches anything with the text “has taken too long to complete and is being canceled” that is alerted on by the offending rule “7509″ and assigns a new priority level.

<rule id=”100504″ level=”0″>
<if_sid>7509</if_sid>
<match>has taken too long to complete and is being canceled</match>
<description>Ignoring AV scan timeouts.</description>
</rule>

After saving the file with the new rule, restart OSSEC.

sudo /var/ossec/bin/ossec-control stop
sudo /var/ossec/bin/ossec-control start

Sources

http://www.ossec.net
OSSEC HIDS (Amazon Link)

Two days and three tracks of information security goodness.

Where

Hyatt Regency Columbus
350 North High Street
Columbus, Ohio, USA 43215

When

May 17, 18

Agenda
Speakers
Registration

I’ve set up an automated, weekly nmap scan that runs, compares the results against the previous week’s scan, and emails me with what has changed on my network. Attached to the email is the nmap output so I can dive deeper if something suspicious appears in the changes.

Weekly Email

Tools

Nmap, or Network Mapper, is a security scanner used to discover hosts and services on a computer network, thus creating a “map” of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses.

One of the scripts installed with Nmap is Ndiff. It is a tool that compares two Nmap scans. Specifically, it takes two Nmap XML output files and prints the differences between them. This shows you hosts coming up and down and ports becoming open or closed. Fyodor’s NMAP Book has a simple script that I’ve altered and automated using cron.

The Script

This script lives in my home directory.

#!/bin/sh
# scans “TARGETS” with nmap
# compares with previous scan using ndiff
# emails results

#variables
TARGETS=”x.x.1.0/24 x.x.11.0/24 x.x.88.0/24″
OPTIONS=”-v -T3 -F -sV –datadir /home/pubal/nmap”
date=`date +%F`

#where to put scans
cd /home/pubal/scans

#scan
nmap $OPTIONS $TARGETS -oA scan-$date > /dev/null

#compare scans
if [ -e scan-prev.xml ]; then
ndiff scan-prev.xml scan-$date.xml > diff-$date
echo “*** NDIFF RESULTS ***”
cat diff-$date
echo
fi
echo “*** NMAP RESULTS ***”
cat scan-$date.nmap
ln -sf scan-$date.xml scan-prev.xml

#email results
/home/pubal/email/smtp-cli.pl –host smtp.gmail.com –port 587 –from pubal@gmail.com –to pubal@company.org –subject “External Nmap Diff” –body-plain=/home/pubal/scans/diff-$date –attach=/home/pubal/scans/scan-$date.xml

I configured cron to run this script every weekend.

pubal@sectools:~$ crontab -l

0 1 * * 6 /home/pubal/nmap/network_diff.sh

More Fun NMAP Tricks

NMAP is free and extremely useful tool. If you want other tips, pick up the NMAP book!

Other Sources

NMAP
SANS Critical Security Controls
Useful Email Command Line Script

If you like security and beer – THIS is the event for you!

http://www.eventbrite.com/event/3225867657/

Where:
G Worthy’s
2151 W. Dublin Granville Rd.
Worthington, OH 43085

**The location changed; be sure to come to the right place!

When
May 7, 2012 – 5:30 PM

Security monitoring is essential if you want to know what is going on in your network. You need to monitor server and network logs along with account status and usage. Even on a shoestring budget, one must pay attention. Not to mention, this meets several compliance (PCI, SOX, etc…) requirements.

OSSEC combined with Splunk is a free and worthy SIEM solution. OSSEC is open source, and Splunk free allows up to 500 MB of daily logs.

OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting, and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, Mac OS X, Solaris, and Windows.

Splunk searches, monitors, and analyzes machine-generated data by applications, systems, and IT infrastructure at scale via a web-style interface. Splunk captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations.

Together, you have a powerful method to monitor endpoints, alerts based on suspicious activity delivered via email, a dashboard view of coorelated events, lots of canned reports, and an easy way to search through the security information.

Splunk Dashboard

OSSEC Email Alert & Splunk Search

Install OSSEC

To get this set up, first we need to install OSSEC. The OSSEC management software runs on Linux. For full installation directions for both server and agents, OSSEC makes chapter two of the OSSEC book available. The following installs the OSSEC server. Download and install OSSEC.

pubal@ossec01:~> wget http://www.ossec.net/files/ossec-hids-2.6.tar.gz
pubal@ossec01:~> gunzip -d ossec-hids-2.6.tar.gz
pubal@ossec01:~> tar -xvf ossec-hids-2.6.tar
pubal@ossec01:~> cd ossec-hids-2.6
pubal@ossec01:~> sudo ./install.sh
pubal@ossec01:~> /var/ossec/bin/ossec-control start

Install Splunk

After OSSEC is in place, download and install Splunk. I’m only monitoring some high risk assets with this deployment, so I put Splunk on the same server as the OSSEC management software. Splunk has a guide and a video to walk you through the installation.

pubal@ossec01:~> wget http://www.splunk.com/index.php/download_track?file=4.3.1/splunk/linux/splunk-4.3.1-119532-linux-2.6-x86_64.rpm&ac=&wget=true&name=wget&typed=releases
pubal@ossec01:~> rpm -i splunk-4.3.1-119532-linux-2.6-x86_64.rpm
pubal@ossec01:~> /opt/splunk/bin/splunk start

Install the OSSEC for Splunk Application

Splunkbase, a repository of Splunk applications, has an OSSEC application. It contains parsing logic, saved searches, canned reports, and dashboards. As long as OSSEC is installed in the default path, it will automatically configure Splunk to pull in the OSSEC logs and alerts. With some minor configuration, it will even let you manage agents through the Splunk console.

Download the OSSEC for Splunk application and point your browser to your new Splunk site. The console will allow you to upload the file you just acquired and install the application.

Download OSSEC for Splunk.
Go to Splunk Console -> http://<servername>:8000/
Click on App in the top menu, and upload the application.

Conclusion

Getting OSSEC logs and alerts into Splunk is a breeze. There is a bit of work to get OSSEC agents on the servers and devices you want to monitor. Like every other SIEM I’ve encountered, in order to get any real value there is a good bit of tuning you need to do. However, once you get this up and running, you’ll have a solid log managment and security monitoring solution at your fingertips.

Sources

http://www.ossec.net
http://www.splunk.com
OSSEC HIDS (Amazon Link)

April Central Ohio ISSA Chapter Meeting

Where: J. Liu Restaurant, Worthington
When: Wednesday April 18th, 2012
Time: 7:45 AM – 11:30 AM

Presentations

Phishing Attacks – Aaron Ansari
Case Study: Breach in the Cloud – Matt Curtin
Regulatory Update – Mehmet Munur
Setting Up Internal Sting Operations – Brent Huston

http://www.centralohioissa.org/?p=1061

In this case, the text entered by the user in the “Company” field upon a failed login is sent back to the user unaltered immediately in the form of an authentication failure message. An attacker could leverage this to inject malicious code in to the browser of the user trying to login.

I wanted to show the client that this is an issue, and I wanted to use something beyond, “look, this makes a pop-up box on the client that says ‘vulnerable to XSS.’” To do this, I used the Browser Exploitation Framework.

BeEF is the Browser Exploitation Framework. It is a tool that can be used to demonstrate the real-time impact of XSS browser vulnerabilities. It uses a modular structure making new development a trivial process. It can demonstrate the collecting of zombie browsers and browser vulnerabilities in real-time. It provides a command and control interface which facilitates the targeting of individual or groups of zombie browsers. Current modules include metasploit, port scanning, keylogging, TOR detection, and more.

The vulnerable form in questions uses POST variables. As a proof of concept, I created an HTML page with a form that uses JavaScript and runs when the page loads to attempt authentication against this login form injecting script from BeEF.

When a user of the application loads this page, he will automatically get redirected to the login page. In the user’s browser, BeEF loads JavaScript in an iFrame and is able to capture keystrokes. As the user types in his credentials, the attacker can see them from another terminal.

The Browser Exploitation Framework has a lot of other fun modules besides keylogging. I highly recommend playing around with it to see what all it can do. At the very least, it’s useful in demonstrating that there is real risk in XSS vulnerabilities. The easiest way to get it up and running is to use a linux distribution with BeEF pre-installed. The Samurai Web Testing Framework comes with BeEF and lots of other web application security tools.

Sources:

• XSS Cheat Sheet – http://ha.ckers.org/xss.html
• BeEF – http://www.bindshell.net/tools/beef/
• SamuraiWTF- http://samurai.inguardians.com/

ISACA released an interesting and though provoking white paper digging in to the risks that social media poses. It covers vulnerabilities, threats, risks, and mitigating techniques.

http://www.isaca.org/Knowledge-Center/Research/Documents/Social-Media-Wh-Paper-26-May10-Research.pdf

• Introduction of viruses and malware to the organizational network
• Exposure to customers and the enterprise through a fraudulent or hijacked corporate presence
• Unclear or undefined content rights to information posted to social media sites
• A move to a digital business model may increase customer service expectations
• Mismanagement of electronic communications that may be impacted by retention regulations or e-discovery
• Use of personal accounts to communicate work-related information
• Employee posting of pictures or information that link them to the enterprise
• Excessive employee use of social media in the workplace
• Employee access to social media via enterprise-supplied mobile devices (smartphones, personal digital assistants [PDAs])

If you can’t make it, they are streaming it live on uStream.tv.

https://www.shmoocon.org/video.html

Schedule: http://www.shmoocon.org/presentations.html

This year’s event features pre-Summit training opportunities and 2 days of talks, presentations, hands-on workshops, a vendor trade-show fair and much more!  Information Security Technology, Business/Management, Law Enforcement, Career Development, Compliance and Legal issues will be featured. Joel Snyder of Opus One will be our Thursday Keynote Speaker.  Our theme this year is Information Security on a Shoestring Budget.

For detailed information and registration, please visit: http://www.informationsecuritysummit.org