Like other open source projects, OSSEC suffers from a lack of good documentation. If you’re not paying for support, getting simple things done can take a bit of experimentation. Here are some tips and tricks I’ve found that make dealing with OSSEC rules easier.
Update OSSEC Rules
Daniel Cid, the OSSEC creator, updates rules and adds them to an updated installation tarball on Bitbucket. Earlier this month, he added a rule to flag and block the rash of recent PHP-CGI vulnerability scans.
To update OSSEC rules and decoders, I grab these installation files and update my OSSEC installation every so often.
gunzip -d dcid-ossec-hids-034fed895369.tar.gz
tar -xvf dcid-ossec-hids-034fed895369.tar
Follow the installation instructions. It will detect that you already have it installed and ask:
- You already have OSSEC installed. Do you want to update it? (y/n): y
- Do you want to update the rules? (y/n): y
Answer “y” to these questions and it will update everything properly. Your local rules and configuration options will not be modified.
Tuning: Filtering Out Noise
Like any other IDS, OSSEC generates a number of false positives and other alerts that represent activity that is acceptable in your environment. In order to see the valid issues, you need to decrease the level of noise. One way to do so is by adding local rules that decrease the OSSEC alert level of the event in question to 0.
For a more in depth discussion about filtering out false positives and other examples, check out chapter 4 of the OSSEC book.
Here is an example. I have an alert on an Antivirus scan of a file that timed out:
I want an alert when AV finds a malicious file, but not when an AV scan of a file times out. I am going to add a rule to the local rules file that drops the severity of this AV rule to "0". To add a rule, edit the following file: /var/ossec/rules/local_rules.xml
sudo vi /var/ossec/rules/local_rules.xml
I added the following rule. It matches anything containing the text "has taken too long to complete and is being canceled" that was alerted on by the offending rule "7509" and assigns it a new priority level of 0.
<rule id="100504" level="0">
  <!-- only consider events that rule 7509 already alerted on -->
  <if_sid>7509</if_sid>
  <match>has taken too long to complete and is being canceled</match>
  <description>Ignoring AV scan timeouts.</description>
</rule>
After saving the file with the new rule, restart OSSEC.
sudo /var/ossec/bin/ossec-control stop
sudo /var/ossec/bin/ossec-control start
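A malformed local_rules.xml (for example, one pasted from a web page that turned the quotes into "smart" quotes) keeps the analysis daemon from starting after that restart, and a level-0 rule that is not tied to a parent rule can silence more than you intended. The following linter is an added example, not part of the original post or of OSSEC itself; it parses a constructed local_rules.xml sample with the standard library, reports malformed XML, ids outside the 100000-119999 range OSSEC reserves for local rules, duplicate ids, and level-0 rules without an <if_sid>, and lists which parent rules are being silenced. The sample file contents and the rule id 100505 are constructed for the example.

```python
"""Lint an OSSEC local_rules.xml before restarting OSSEC.

Added example (not OSSEC's own tooling). Catches malformed XML, rule ids
outside the local range, duplicate ids, and level-0 rules that are not
tied to a parent rule via <if_sid>.
"""
import xml.etree.ElementTree as ET

# Id range OSSEC reserves for user-defined rules in local_rules.xml.
LOCAL_ID_MIN, LOCAL_ID_MAX = 100000, 119999

# Constructed sample in the shape of /var/ossec/rules/local_rules.xml.
# 100504 is the AV-timeout rule from the post; 100505 is made up for the example.
SAMPLE_LOCAL_RULES = """
<group name="local,syslog,">
  <rule id="100504" level="0">
    <if_sid>7509</if_sid>
    <match>has taken too long to complete and is being canceled</match>
    <description>Ignoring AV scan timeouts.</description>
  </rule>
  <rule id="100505" level="0">
    <match>some noisy text</match>
    <description>Constructed: level 0 with no parent rule.</description>
  </rule>
</group>
"""

# Constructed: the same rule after a web page replaced the quotes with
# U+201D / U+2033, which is not well-formed XML.
BAD_LOCAL_RULES = (
    '<group name="local,syslog,">\n'
    '<rule id=\u201d100504\u2033 level=\u201d0\u2033>\n'
    '<description>curly quotes</description>\n'
    '</rule>\n</group>'
)


def parse_local_rules(text):
    """Return one dict per <rule>. OSSEC tolerates several top-level <group>
    elements in one file, so wrap the text in a synthetic root before parsing."""
    root = ET.fromstring("<ossec_rules>" + text + "</ossec_rules>")
    rules = []
    for rule in root.iter("rule"):
        rid = rule.get("id")
        rules.append({
            "id": int(rid) if rid is not None and rid.isdigit() else None,
            "level": int(rule.get("level", "0")),
            "if_sid": rule.findtext("if_sid"),
            "match": rule.findtext("match"),
            "description": rule.findtext("description"),
        })
    return rules


def lint_local_rules(text):
    """Return a list of findings as strings; an empty list means clean."""
    try:
        rules = parse_local_rules(text)
    except ET.ParseError as exc:
        # A file that does not parse stops ossec-analysisd from starting.
        return [f"malformed XML: {exc}"]
    findings = []
    seen = set()
    for r in rules:
        rid = r["id"]
        if rid is None:
            findings.append("rule without a numeric id attribute")
            continue
        if not LOCAL_ID_MIN <= rid <= LOCAL_ID_MAX:
            findings.append(f"rule {rid}: id outside local range "
                            f"{LOCAL_ID_MIN}-{LOCAL_ID_MAX}")
        if rid in seen:
            findings.append(f"rule {rid}: duplicate id")
        seen.add(rid)
        if r["level"] == 0 and not r["if_sid"]:
            findings.append(f"rule {rid}: level 0 without <if_sid>, "
                            "not tied to a parent rule; review its scope")
    return findings


def silenced_rules(text):
    """Map each level-0 local rule id to the parent rule it suppresses (or None)."""
    return {r["id"]: r["if_sid"] for r in parse_local_rules(text) if r["level"] == 0}


if __name__ == "__main__":
    for name, body in (("sample", SAMPLE_LOCAL_RULES), ("bad", BAD_LOCAL_RULES)):
        print(name, lint_local_rules(body) or "clean")
    print("silenced:", silenced_rules(SAMPLE_LOCAL_RULES))
```

To run it against a live installation, read /var/ossec/rules/local_rules.xml into a string and pass it to lint_local_rules before issuing the restart; a non-empty list is worth a look, and a "malformed XML" finding means the restart would have left you without an analysis daemon.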