Host Based Intrusion Detection

Transcription

Host Based Intrusion Detection
Simple Menu Driven Installation
OSSEC HIDS v2.4 Installation Script - http://www.ossec.net
You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).
- System: Linux myserver.mysite.com 2.6.18-164.15.1.el5
- User: root
- Host: myserver.mysite.com
-- Press ENTER to continue or Ctrl-C to abort. --
Log Analysis
Integrity Checking
Rootkit Detection
Policy Monitoring
Alerting
Active Responses
LIDS - Log-based Intrusion Detection System
Scalable
Easy to Install
Free
Multiplatform
Secure by default
Loaded with rules & decoders
Log Management
Alerts
Correlates events
Takes Action
[Diagram: a host running several VMs, each with an OSSEC Agent, reporting to a central OSSEC Server]
<group name="MyCustomApp,">
<rule id="111100" level="0">
<category>web-log</category>
<description>Access log messages grouped.</description>
</rule>
<rule id="111108" level="0">
<if_sid>111100</if_sid>
<id>^2|^3</id>
<compiled_rule>is_simple_xyz_request</compiled_rule>
<description>Ignored URLs (simple queries).</description>
</rule>
<rule id="111101" level="5">
<if_sid>111100</if_sid>
<id>^4</id>
<description>Custom server 4014 error code.</description>
</rule>
<rule id="111102" level="0">
<if_sid>111101</if_sid>
<url>.jpg$|.gif$|favicon.ico$|.png$|rs.txt$|.cs$|.js$</url>
<compiled_rule>is_simple_cutsom_request</compiled_rule>
<description>Ignored extensions on 4000 error codes.</description>
</rule>
</group>
Logs
File Changes
Registry Modifications
Pre-decoding & Decoding
So how does it work?
Stand-alone
Client-Server
Stand-alone Client
Acts as client & server
Not very useful
Testing scenarios only
Client-Server Install
More secure
Centralized Management
Greater taste
Less Filling
UNIX
Integrity Checking
Syscheck
File Integrity Checking
MD5
SHA-1
Registry Integrity Checking
Active Responses
Out of the Box Active Responses
• disable-account.sh
• firewall-drop.sh
• host-deny.sh
• ipfw_mac.sh
• ipfw.sh
Secure Architecture
Encryption key exchange at installation
Integrity Checks performed at server
Each process at lowest permissions
Multiple processes
Components run in chrooted jail
So how do you install OSSEC?
OSSEC Server Installation
Install.sh Questions
• For installation in English, choose [en] (en/br/cn/de/el/es/fr/it/jp/nl/pl/ru/sr/tr) [en]: en
• What kind of installation do you want (server, agent, local or help)? server
• Choose where to install the OSSEC HIDS [/var/ossec]: /var/ossec
• Do you want e-mail notification? (y/n) [y]: y
  – What's your e-mail address? guru@myfirm.com
  – We found your SMTP server as: mailserver.myfirm.com.
  – Do you want to use it? (y/n) [y]: y
• Do you want to run the integrity check daemon? (y/n) [y]: y
• Do you want to run the rootkit detection engine? (y/n) [y]: y
• Do you want to enable active response? (y/n) [y]: y
• Do you want to enable the firewall-drop response? (y/n) [y]: y
• Do you want to add more IPs to the white list? (y/n)? [n]: n
That’s it!
Installation Locations
Default installation in /var/ossec
● Main configuration file is /var/ossec/etc/ossec.conf
● Decoders are stored at /var/ossec/etc/decoders.xml
● Binaries stored at /var/ossec/bin/
● Rules stored at /var/ossec/rules/*.xml
● Alerts are stored at /var/ossec/logs/alerts.log
Why aren’t the OSSEC logs in /var/log?
OSSEC Processes
Secure
chroot
Chroot definition (from Wikipedia): A program that is "chrooted" is re-rooted to another directory and cannot access or name files outside that directory.
Processes are limited in privilege
Processes run as different users
OSSEC Processes
• ossec-analysisd – runs as user ossec (performs analysis)
• ossec-remoted – runs as user ossecr (runs on server and collects logs from agents)
• ossec-maild – runs as user ossecm (sends email alerts)
• ossec-execd – runs as root (executes active responses)
• ossec-logcollector – runs as root, but only reads the logs, no analysis (collects logs)
• ossec-syscheckd – runs as root (file integrity monitoring)
• ossec-monitord – runs as user ossec (monitors agents status)
• ossec-agentd – runs as user ossec (runs on agents and forwards logs to remoted on server)
Add the clients as Agents
(on the server)
(server)# /var/ossec/bin/manage_agents
Add the Agent
(server)# /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v0.8 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your actions: A,E,R or Q: a
Provide the name and IP
- Adding a new agent (use 'q' to return to main menu).
Please provide the following:
* A name for the new agent: linux1
* The IP Address for the new agent: 192.168.2.32
* An ID for the new agent[001]:
Agent information:
ID:001
Name:linux1
IP Address:192.168.2.32
Confirm adding it?(y/n): y
Added.
Extract the Encryption Key
****************************************
* OSSEC HIDS v0.8 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your actions: A,E,R or Q: e
Pick the client ID and copy the key
Available agents:
ID: 001, Name: linux1, IP: 192.168.2.32
ID: 002, Name: obsd1, IP: 192.168.2.10
Provide the ID of the agent you want to extract the key: 001
Agent key information for '001' is:
CDAxIGxpbnX4MSAxOTIuMTY4LjAuMzIgOWM5MENlYzNXXXYYYZZZZZ==
** Press ENTER to continue
Client Side Setup
(linux1)# /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v0.8 Agent manager. *
* The following options are available: *
****************************************
(I)mport key for the server (I).
(Q)uit.
Choose your actions: I or Q: I
* Provide the Key generated from the server.
* The best approach is to cut and paste it.
* Do not include spaces or new line characters.
Paste it here: CDAxIGxpbnX4MSAxOTIuMTY4LjAuMzIgOWM5MENlYzNXXXYYYZZZZZ==
Restart OSSEC on client and server
(server)# /var/ossec/bin/ossec-control restart
(client)# /var/ossec/bin/ossec-control restart
Repeat that process for all clients/agents.
Windows Agent is a GUI
What can the Windows Agent do?
• Monitors the Windows event log at real time.
• Monitors IIS logs (Web, FTP, SMTP) and any other logs present on your system (including Symantec Anti-Virus, MySQL, Apache, etc) at near real time.
• Periodically checks the Windows Registry for changes.
• Periodically checks your Windows folders for changes.
• Periodically does policy verifications to make sure your system is configured properly.
• Looks for alternate NTFS File Streams.
Installation Issue
OSSEC Server no likey SELINUX
What does OSSEC look like?
OSSEC Alert Levels
00 – Ignored
01 – None
02 – System low priority notification
03 – Successful/Authorized events
04 – System low priority error
05 – User generated error
06 – Low relevance attack
07 – "Bad word" matching
08 – First time seen
09 – Error from invalid source
10 – Multiple user generated errors
11 – Integrity checking warning
12 – High importance event
13 – Unusual error (high importance)
14 – High importance security event
15 – Severe attack
Rules
/var/ossec/rules
apache_rules.xml
pam_rules.xml
vpopmail_rules.xml
ms-exchange_rules.xml
symantec-ws_rules.xml
hordeimp_rules.xml
sendmail_rules.xml
attack_rules.xml
policy_rules.xml
wordpress_rules.xml
mysql_rules.xml
zeus_rules.xml
named_rules.xml
trend-osce_rules.xml
netscreenfw_rules.xml
vmpop3d_rules.xml
nginx_rules.xml
vmware_rules.xml
ossec_rules.xml
vpn_concentrator_rules.xml
firewall_rules.xml
roundcube_rules.xml
arpwatch_rules.xml
php_rules.xml
vsftpd_rules.xml
ms_ftpd_rules.xml
syslog_rules.xml
ids_rules.xml
smbd_rules.xml
backup-rules.24026
postfix_rules.xml
cimserver_rules.xml
postgresql_rules.xml
cisco-ios_rules.xml
proftpd_rules.xml
courier_rules.xml
pure-ftpd_rules.xml
dovecot_rules.xml
racoon_rules.xml
ms_dhcp_rules.xml
symantec-av_rules.xml
ftpd_rules.xml
rules_config.xml
asterisk_rules.xml
pix_rules.xml
web_rules.xml
ms-se_rules.xml
telnetd_rules.xml
imapd_rules.xml
solaris_bsm_rules.xml
local_rules.xml
sonicwall_rules.xml
mailscanner_rules.xml
spamd_rules.xml
mcafee_av_rules.xml
squid_rules.xml
msauth_rules.xml
sshd_rules.xml
OSSEC RULES
00000–00999 Reserved for internal OSSEC HIDS rules
01000–01999 General syslog rules
02100–02299 Network File System (NFS) rules
02300–02499 xinetd rules
02500–02699 Access control rules
02700–02729 mail/procmail rules
02800–02829 smartd rules
02830–02859 crond rules
02860–02899 Mount/Automount rules
03100–03299 Sendmail mail server rules
03300–03499 Postfix mail server rules
03500–03599 spamd filter rules
03600–03699 imapd mail server rules
03700–03799 Mail scanner rules
03800–03899 Microsoft Exchange mail server rules
03900–03999 Courier mail rules (imapd/pop3d/pop3-ssl)
04100–04299 Generic firewall rules
04300–04499 Cisco PIX/FWSM/ASA firewall rules
04500–04699 Juniper Netscreen firewall rules
04700–04799 Cisco IOS rules
04800–04899 SonicWall firewall rules
05100–05299 Linux, UNIX, BSD kernel rules
05300–05399 Switch user (su) rules
05400–05499 Super user do (sudo) rules
05500–05599 Unix pluggable authentication modules (PAM) rules
05600–05699 telnetd rules
05700–05899 sshd rules
05900–05999 Add user or user deletion rules
07100–07199 Tripwire rules
07200–07299 arpwatch rules
07300–07399 Symantec Antivirus rules
07400–07499 Symantec Web Security rules
09100–09199 Point-to-point tunneling protocol (PPTP) rules
09200–09299 Squid syslog rules
09300–09399 Horde IMP rules
09900–09999 vpopmail rules
10100–10199 FTS rules
11100–11199 ftpd rules
11200–11299 ProFTPD rules
11300–11399 Pure-FTPD rules
11400–11499 vs-FTPD rules
11500–11599 MS-FTP rules
12100–12299 named (BIND DNS) rules
13100–13299 Samba (smbd) rules
14100–14199 Racoon SSL rules
14200–14299 Cisco VPN Concentrator rules
17100–17399 Policy rules
18100–18499 Windows system rules
20100–20299 IDS rules
20300–20499 IDS (Snort specific) rules
30100–30999 Apache HTTP server error log rules
31100–31199 Web access log rules
31200–31299 Zeus web server rules
35000–35999 Squid rules
40100–40499 Attack pattern rules
40500–40599 Privilege escalation rules
40600–40999 Scan pattern rules
50100–50299 MySQL database rules
50500–50799 PostgreSQL database rules
100000–119999 User-defined rules
Custom Rules
/var/ossec/rules/local_rules.xml
Event -> Pre-decoding -> Decoding -> Rules -> Alerts -> emails / Active Responses / Logs
Predecoding Fields
Time
Date
Hostname
Program Name
Log message
Jun 13 13:13:03 cle-linx01 sshd[1205]: Accepted password for admin from 10.1.1.1 port 1618 ssh2
Decoding Fields
Username
IP Address
Port
Version
Jun 13 13:13:03 cle-linx01 sshd[1205]: Accepted password for admin from 10.1.1.1 port 1618 ssh2
Accepted password for admin from 10.1.1.1 port 1618 ssh2
/var/ossec/etc/decoders.xml
<decoder name="sshd">
<program_name>^sshd</program_name>
</decoder>

<decoder name="sshd-success">
<parent>sshd</parent>
<prematch>^Accepted</prematch>
<regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port </regex>
<order>user, srcip</order>
<fts>name, user, location</fts>
</decoder>

<decoder name="ssh-denied">
<parent>sshd</parent>
<prematch>^User \S+ from </prematch>
<regex offset="after_parent">^User (\S+) from (\S+) </regex>
<order>user, srcip</order>
</decoder>
...
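As an added illustration (not code from the slides or from OSSEC itself), this Python models the pre-decoding and decoding steps on the sshd line above: the three decoders are expressed as data and their prematch, offset and order elements are applied the way the slide describes. The syslog header pattern and the sample line are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample line in the shape of the slide's sshd example.
ACCEPTED = ("Jun 13 13:13:03 cle-linx01 sshd[1205]: "
            "Accepted password for admin from 10.1.1.1 port 1618 ssh2")

# Pre-decoding: split the syslog header into time/date, hostname, program name
# and log message (the fields the slide lists). Assumes BSD syslog layout.
SYSLOG_HDR = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[\d+\])?: (?P<log>.*)$")

def predecode(line: str) -> Optional[Dict[str, str]]:
    m = SYSLOG_HDR.match(line)
    return None if m is None else {"timestamp": m["ts"], "hostname": m["host"],
                                   "program_name": m["prog"], "log": m["log"]}

@dataclass
class Decoder:                        # one <decoder> entry from decoders.xml
    name: str
    parent: Optional[str] = None
    program_name: Optional[str] = None
    prematch: Optional[str] = None
    regex: Optional[str] = None
    offset: Optional[str] = None      # "after_prematch" or "after_parent"
    order: Tuple[str, ...] = ()       # <order>: names for the capture groups

DECODERS = [
    Decoder("sshd", program_name=r"^sshd"),
    Decoder("sshd-success", parent="sshd", prematch=r"^Accepted",
            regex=r"^ \S+ for (\S+) from (\S+) port ",
            offset="after_prematch", order=("user", "srcip")),
    Decoder("ssh-denied", parent="sshd", prematch=r"^User \S+ from ",
            regex=r"^User (\S+) from (\S+) ",
            offset="after_parent", order=("user", "srcip")),
]

def decode(line: str) -> Optional[Dict[str, str]]:
    """Pre-decode, pick the parent decoder by program name, then try its children."""
    ev = predecode(line)
    if ev is None:
        return None
    parent = next((d for d in DECODERS if d.program_name
                   and re.match(d.program_name, ev["program_name"])), None)
    if parent is None:
        return ev                                 # no decoder: raw fields only
    ev["decoder"] = parent.name
    for child in (d for d in DECODERS if d.parent == parent.name):
        pm = re.match(child.prematch, ev["log"]) if child.prematch else None
        if child.prematch and pm is None:
            continue                              # prematch is the cheap filter
        # after_prematch: regex runs on the text after the prematch; after_parent:
        # the parent matched only program_name, so the whole log message is used.
        text = ev["log"][pm.end():] if pm and child.offset == "after_prematch" else ev["log"]
        rm = re.match(child.regex, text)
        if rm is None:
            continue
        ev["decoder"] = child.name
        ev.update(zip(child.order, rm.groups()))
        break
    return ev
```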
2 Types of Rules
Atomic
Atomic Rule Example
<group name="web,accesslog,">
<rule id="31100" level="0">
<category>web-log</category>
<description>Access log messages grouped.</description>
</rule>
</group>
Composite
Composite Rule Example
<rule id="31153" level="10" frequency="8" timeframe="120">
<if_matched_sid>31104</if_matched_sid>
<same_source_ip />
<description>Multiple common web attacks from same source ip.</description>
<group>attack,</group>
</rule>
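Added example, not from the slides or from OSSEC: a small Python model of the composite rule's frequency, timeframe and same_source_ip semantics, replayed over constructed streams of rule 31104 hits. The event tuples and addresses are constructed, and the count is taken literally rather than reproducing the engine's internal counter.

```python
from collections import defaultdict, deque

# The composite rule from the slide, as data (attribute values as on the page).
RULE_31153 = {"id": 31153, "level": 10, "frequency": 8, "timeframe": 120,
              "if_matched_sid": 31104, "same_source_ip": True}


class CompositeRule:
    """Sliding-window correlation: fire once the if_matched_sid rule has matched
    `frequency` times within `timeframe` seconds, counted per source IP when
    same_source_ip is set. This is a model of the semantics, not OSSEC's engine."""

    def __init__(self, rule):
        self.rule = rule
        self.windows = defaultdict(deque)   # bucket key -> timestamps of matches

    def feed(self, sid, ts, srcip):
        """One already-decoded event that matched atomic rule `sid` at epoch `ts`.
        Returns the composite rule id when it fires, otherwise None."""
        if sid != self.rule["if_matched_sid"]:
            return None
        key = srcip if self.rule["same_source_ip"] else "*"
        win = self.windows[key]
        win.append(ts)
        while win and ts - win[0] > self.rule["timeframe"]:
            win.popleft()                    # expire matches outside the timeframe
        if len(win) >= self.rule["frequency"]:
            win.clear()                      # one burst yields one level-10 alert
            return self.rule["id"]
        return None


def replay(events, rule=RULE_31153):
    """Run (sid, ts, srcip) tuples through the rule; return [(ts, srcip)] that fired."""
    cr = CompositeRule(rule)
    return [(ts, ip) for sid, ts, ip in events if cr.feed(sid, ts, ip) is not None]


# Constructed event streams of rule 31104 hits (constructed addresses).
BURST = [(31104, 1000 + 10 * i, "203.0.113.7") for i in range(8)]             # 8 in 70 s
SPREAD = [(31104, 1000 + 60 * i, "203.0.113.7") for i in range(8)]            # 8 over 420 s
MIXED = [(31104, 1000 + 10 * i, "203.0.113.%d" % (i % 2)) for i in range(8)]  # 4 + 4
```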
What log files get monitored?
ossec.conf log file entries
<!-- Files to monitor (localfiles) -->
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/secure</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/maillog</location>
</localfile>
<localfile>
<log_format>apache</log_format>
<location>/var/log/httpd/error_log</location>
</localfile>
….
How do I shut this thing up?
Rewriting A Rule to Silence It
Edit /var/ossec/rules/local_rules.xml
<rule id="100030" level="0">
<if_sid>31106</if_sid>
<description>List of rules to be ignored.</description>
</rule>
<rule id="110002" level="0">
<if_group>authentication_failures,</if_group>
<if_sid>18152</if_sid>
<description>Changes ignored.</description>
</rule>
<rule id="110003" level="0">
<if_group>system_error,</if_group>
<if_sid>31122</if_sid>
<description>Changes ignored.</description>
</rule>
Raise Alert Levels
Stupid OSSEC Tricks
Coding Daily Reports
Add these lines to ossec.conf
Receive summary of all the authentication success:
<ossec_config>
<reports>
<category>authentication_success</category>
<user type="relation">srcip</user>
<title>Daily report: Successful logins</title>
<email_to>me@me.com</email_to>
</reports>
</ossec_config>
Receive summary of all File integrity monitoring (syscheck) alerts:
<ossec_config>
<reports>
<category>syscheck</category>
<title>Daily report: File changes</title>
<email_to>me@me.com</email_to>
</reports>
</ossec_config>
Authentication Daily Report
Report 'Daily report: Successful logins' completed.
------------------------------------------------
->Processed alerts: 4388
->Post-filtering alerts: 2
->First alert: 2010 Aug 6 13:25:04
->Last alert: 2010 Aug 6 13:25:04

Top entries for 'Source ip':
------------------------------------------------
10.xx.xx.xx |1 |

Top entries for 'Username':
------------------------------------------------
administrator |1 |

Top entries for 'Level':
------------------------------------------------
Severity 3 |2 |

Top entries for 'Group':
------------------------------------------------
authentication_success |2 |
syslog |2 |
pam |1 |
sshd |1 |

Top entries for 'Location':
------------------------------------------------
(dmz-server) 192.168.x.x->/var/log/secure |2 |

Top entries for 'Rule':
------------------------------------------------
5501 - Login session opened. |1 |
5715 - SSHD authentication success. |1 |

Related entries for 'Username':
------------------------------------------------
administrator |1 |
srcip: '10.xx.xx.xx'
Forensic Analysis of Log Files
# cat /var/log/secure | /var/ossec/bin/ossec-logtest -a
2010/08/18 08:37:32 ossec-testrule: INFO: Started (pid: 25489).
** Alert 1282135052.1: mail - syslog,fts,authentication_success
2010 Aug 18 08:37:32 MYSVR01->stdin
Rule: 10100 (level 4) -> 'First time user logged in.'
Src IP: 192.168.14.147
User: root
Aug 16 08:31:30 MYSVR01 sshd[28191]: Accepted password for root from 192.168.14.147 port 56321
** Alert 1282135052.2: - syslog,sshd,authentication_success,
2010 Aug 18 08:37:32 MYSVR01->stdin
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 192.168.0.5
User: root
Aug 16 16:24:37 MYSVR01 sshd[7089]: Accepted password for root from 192.168.0.5 port 35614 ssh2
** Alert 1282135052.3: mail - syslog,errors,
2010 Aug 18 08:37:32 MYSVR01->stdin
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Src IP: (none)
User: (none)
Aug 17 09:32:20 MYSVR01 sshd[3176]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
...
Forensic Analysis Summary (1)
# cat /var/log/secure | /var/ossec/bin/ossec-logtest -a | /var/ossec/bin/ossec-reportd
2010/08/18 08:42:53 ossec-reportd: INFO: Started (pid: 32590).
2010/08/18 08:42:53 ossec-testrule: INFO: Started (pid: 32589).
2010/08/18 08:42:58 ossec-reportd: INFO: Report completed. Creating output...
Report completed. ==
------------------------------------------------
->Processed alerts: 7
->Post-filtering alerts: 7
->First alert: 2010 Aug 18 08:42:53
->Last alert: 2010 Aug 18 08:42:53

Top entries for 'Source ip':
------------------------------------------------
192.168.14.147 |2 |
192.168.16.52 |1 |
192.168.0.5 |1 |

Top entries for 'Username':
------------------------------------------------
root |4 |
Forensic Analysis Summary (2)
Top entries for 'Level':
------------------------------------------------
Severity 3 |5 |
Severity 2 |1 |
Severity 4 |1 |

Top entries for 'Group':
------------------------------------------------
syslog |7 |
authentication_success |5 |
sshd |3 |
pam |2 |
errors |1 |
fts |1 |

Top entries for 'Location':
------------------------------------------------
MYSVR01->stdin |7 |
Forensic Analysis Summary (3)
Top entries for 'Rule':
------------------------------------------------
5715 - SSHD authentication success. |3 |
1002 - Unknown problem somewhere in the syst.. |1 |
10100 - First time user logged in. |1 |
5501 - Login session opened. |1 |
5502 - Login session closed. |1 |

Log dump:
------------------------------------------------
2010 Aug 18 08:42:53 MYSVR01->stdin
Rule: 10100 (level 4) -> 'First time user logged in.'
Aug 16 08:31:30 MYSVR01 sshd[28191]: Accepted password for root from 192.168.14.147 port 56321
...
Brute Force Attack Report
# cat /var/log/secure | /var/ossec/bin/ossec-logtest -a | /var/ossec/bin/ossec-reportd -f group authentication_failures
Report completed. ==
------------------------------------------------
->Processed alerts: 362
->Post-filtering alerts: 21

Top entries for 'Source ip':
------------------------------------------------
87.123.106.142 |2 |
8.20.19.170 |2 |
134.255.9.163 |1 |
17.15.13.13 |1 |
14.25.62.36 |1 |
73.45.18.20 |1 |
20.12.99.59 |1 |
102.63.145.50 |1 |
222.2.25.202 |1 |

Top entries for 'Username':
------------------------------------------------
root |22 |

Top entries for 'Level':
------------------------------------------------
Severity 10 |21 |

Top entries for 'Group':
------------------------------------------------
authentication_failures |21 |
sshd |21 |
syslog |21 |

Top entries for 'Location':
------------------------------------------------
enigma->stdin |21 |

Top entries for 'Rule':
------------------------------------------------
5720 - Multiple SSHD authentication failures. |19 |
5712 - SSHD brute force trying to get access.. |1 |
...
Lessons Learned
• It's simple. Use it.
• Lots of noise on upgrades.
• Windows 2008 R2 whines... and whines... and whines...
• Agentless monitoring allows you to monitor many appliances (routers, switches, firewalls, etc.)
Questions?
Image Credits
• Log File: http://mrg.bz/wrcjRr
• Tired guy: http://www.sxc.hu/photo/1094329
• Wine and beer glasses: http://mrg.bz/rpccdD
• Tux: http://upload.wikimedia.org/wikipedia/commons/3/3e/Tux-G2.png
• Lock: http://mrg.bz/OQ3I7U
• Hulk: http://mrg.bz/lUCAfo
• Kid at Computer: http://mrg.bz/nXxLey
• Direction sign: http://www.sxc.hu/photo/569804
• Wormhole: http://www.sxc.hu/photo/1255864
• Fire: http://www.sxc.hu/photo/1267612
The following images were used under fair use provisions of US copyright and trademark law:
Logos: Windows, Tux, FreeBSD, VMWare, MAC OSx, OSSEC and AIX
OSSEC WebUI screenshots