Tips and Tricks with OSSEC Rules

May 13, 2012

Like other open source projects, OSSEC suffers from a lack of good documentation. If you’re not paying for support, getting simple things done can take a bit of experimentation. Here are some tips and tricks I’ve found that make dealing with OSSEC rules easier.

Update OSSEC Rules

Daniel Cid, the OSSEC creator, updates rules and adds them to an updated installation tarball on Bitbucket. Earlier this month, he added a rule to flag and block the rash of recent PHP-CGI vulnerability scans.

To update OSSEC rules and decoders, I grab these installation files and update my OSSEC installation every so often.

# Fetch the current tip of the repository, saving it under the name used below
wget -O dcid-ossec-hids-034fed895369.tar.gz https://bitbucket.org/dcid/ossec-hids/get/tip.tar.gz
# Extract it and run the installer from inside the extracted directory
tar -xzvf dcid-ossec-hids-034fed895369.tar.gz
cd dcid-ossec-hids-034fed895369
sudo ./install.sh

Follow the installation instructions. It will detect that you already have it installed and ask:

- You already have OSSEC installed. Do you want to update it? (y/n): y
- Do you want to update the rules? (y/n): y

Answer “y” to these questions and it will update everything properly. Your local rules and configuration options will not be modified.

Tuning: Filtering Out Noise

Like any other IDS, OSSEC generates a number of false positives and other alerts for activity that is acceptable in your environment. In order to see the valid issues, you need to decrease the level of noise. One way to do so is by adding local rules that decrease the OSSEC alert level of the event in question to 0.

For a more in depth discussion about filtering out false positives and other examples, check out chapter 4 of the OSSEC book.

Here is an example. I have an alert on an Antivirus scan of a file that timed out:

I want an alert when AV finds a malicious file, but not when an AV scan of a file times out. I am going to add a rule to the local rules file that drops the severity of this AV rule to "0". To add a rule, edit the following file: /var/ossec/rules/local_rules.xml

sudo vi /var/ossec/rules/local_rules.xml

I added the following rule. It matches anything with the text "has taken too long to complete and is being canceled" that is alerted on by the offending rule "7509" and assigns a new priority level.

<!-- Child of rule 7509: only fires when the parent matched first. Level 0 means no alert is generated. -->
<rule id="100504" level="0">
  <if_sid>7509</if_sid>
  <match>has taken too long to complete and is being canceled</match>
  <description>Ignoring AV scan timeouts.</description>
</rule>

After saving the file with the new rule, restart OSSEC.

sudo /var/ossec/bin/ossec-control stop
sudo /var/ossec/bin/ossec-control start
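A mistake in local_rules.xml (a stray curly quote pasted from a web page, a duplicate id, an id outside the range OSSEC sets aside for local rules) is only discovered when the daemon refuses to start. The following linter is an added example, not code from the post or from the OSSEC project: it checks a rules file for well-formed XML, numeric and unique rule ids in the user-defined range 100000-119999, levels between 0 and 16, numeric <if_sid> references and a <description> on every rule. The two embedded samples are constructed for the example; the second reproduces the curly-quote variant of the rule above so the failure mode is visible. Pass a file path as the first argument to lint a real file.

```python
"""Lint an OSSEC local_rules.xml before restarting the daemon (added example)."""
import sys
import xml.etree.ElementTree as ET

# OSSEC reserves 100000-119999 for user-defined (local) rules; levels run 0..16.
LOCAL_ID_MIN, LOCAL_ID_MAX = 100000, 119999
LEVEL_MIN, LEVEL_MAX = 0, 16

# Constructed sample mirroring the rule from the post (not taken from a live install).
SAMPLE_RULES = """<group name="local,syslog,">
  <rule id="100504" level="0">
    <if_sid>7509</if_sid>
    <match>has taken too long to complete and is being canceled</match>
    <description>Ignoring AV scan timeouts.</description>
  </rule>
</group>
"""

# Constructed sample with typographic quotes, as a copy-paste from a web page produces.
BROKEN_RULES = """<rule id=\u201d100504\u2033 level=\u201d0\u2033>
  <if_sid>7509</if_sid>
  <description>Ignoring AV scan timeouts.</description>
</rule>
"""


def lint_rules(xml_text):
    """Return a list of problem strings; an empty list means the file looks sane."""
    problems = []
    # Rule files may hold several top-level <group>/<var> elements, so wrap them
    # in a synthetic root before parsing (assumption: no <?xml ...?> declaration).
    try:
        root = ET.fromstring("<lint_root>" + xml_text + "</lint_root>")
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]

    seen = set()
    for rule in root.iter("rule"):
        rid = rule.get("id")
        if rid is None or not rid.isdigit():
            problems.append("rule without numeric id: %r" % rid)
            continue
        rid_num = int(rid)
        if rid_num in seen:
            problems.append("duplicate rule id %s" % rid)
        seen.add(rid_num)
        if not LOCAL_ID_MIN <= rid_num <= LOCAL_ID_MAX:
            problems.append("rule %s outside local range %d-%d"
                            % (rid, LOCAL_ID_MIN, LOCAL_ID_MAX))
        level = rule.get("level")
        if level is None or not level.isdigit() or not LEVEL_MIN <= int(level) <= LEVEL_MAX:
            problems.append("rule %s has invalid level %r" % (rid, level))
        # <if_sid> may list several comma-separated parent ids; each must be numeric.
        for sid in rule.findall("if_sid"):
            for ref in (sid.text or "").split(","):
                if ref.strip() and not ref.strip().isdigit():
                    problems.append("rule %s has non-numeric if_sid %r" % (rid, ref.strip()))
        if rule.find("description") is None:
            problems.append("rule %s has no description" % rid)
    return problems


def main(argv):
    """Lint the file named in argv[1], or the embedded sample when none is given."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_RULES
    problems = lint_rules(text)
    for problem in problems:
        print("PROBLEM:", problem)
    print("ok" if not problems else "%d problem(s) found" % len(problems))
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python lint_rules.py /var/ossec/rules/local_rules.xml` before the ossec-control restart; a non-zero exit status means the file should be fixed first. The linter only checks structure, not whether the <match> text actually fits the event; for that, feed a sample log line through OSSEC's own ossec-logtest after the restart.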

Sources

http://www.ossec.net
OSSEC HIDS (Amazon Link)

One Response to Tips and Tricks with OSSEC Rules

  1. Matgt
    April 14, 2013 at 2:04 pm

    Thank you for this post. Fantastic information. Used it to the fullest and removed a nagging level 3 event.

