OSSEC Open Source HIDS - PowerPoint PPT Presentation

About This Presentation

Title: OSSEC Open Source HIDS

Description: File / Directory Properties. Permissions. Size. Ownership. sha1sum. md5sum ... using sbl-xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=200.71.50.65; ... – PowerPoint PPT presentation

Slides: 12
Provided by: moosen


Transcript and Presenter's Notes

Title: OSSEC Open Source HIDS


1
OSSEC Open Source HIDS
  • http://www.ossec.net
  • 2007.02.28

2
OSSEC Overview
  • Host-based Intrusion Detection System
  • Open Source
  • Current Version 1.0
  • Web Version 0.1 beta 2
  • Linux, OpenBSD, FreeBSD, OSX, Solaris and Windows
    XP/2000 (agent only)
  • Daniel B. Cid - Lead Developer - dcid _at_ ossec.net
  • http://www.q1labs.com
  • http://www.sourcefire.com
  • http://www.nih.gov

3
OSSEC Capabilities Overview
  • Log Analysis and Correlation
  • Flexible XML based rules
  • Time Based Alerting
  • Large Existing Rule Library
  • Integrity Checking
  • Root Kit Detection
  • Active Response
  • Windows Integration
  • Nmap Integration

4
OSSEC Capabilities: Log Analysis and Correlation
  • Flexible XML based rules
  • Time based alerting
  • Large existing rule library

    <rule id="1608" level="13" timeframe="120">
      <regex>sshd\d+: fatal: Local: crc32 compensation attack</regex>
      <if_matched_regex>sshd\d+: \.Corrupted check bytes on</if_matched_regex>
      <comment>SSH CRC-32 Compensation attack</comment>
      <info>http://www.securityfocus.com/bid/2347/info/</info>
    </rule>
  • SSH
  • PIX
  • MS Exchange
  • Apache
  • OSSEC
  • Mail Scan
  • Sendmail
  • Net Screen
  • ARP Watch
  • FTPD
  • PAM
  • VS-FTPD
  • Policy
  • Horde IMP
  • IIS
  • Squid
  • IDS
  • Attack
  • PostFix
  • Local
  • MS-Auth
  • Firewall
  • ProFTPD
  • Web
  • IMAPD
  • SMBD
  • Syslog
  • Decoder
  • SpamD
  • Pure-FTPD
  • Bind
  • TelnetD
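To make the correlation semantics of rule 1608 on slide 4 concrete, here is an added Python model of that rule (written for this page, not OSSEC's own engine): the rule fires only when a line matches the regex and a line matching if_matched_regex was seen on the same host within the 120-second timeframe. The patterns are PCRE translations of the OSSEC-syntax regexes, the syslog year and the per-host, single-prior-hit correlation are assumptions, and the sample log lines are constructed (the first reuses the sshd line from slide 10).

```python
import re
from datetime import datetime

# Python model of rule 1608 from slide 4 (constructed for this example, not
# OSSEC's engine): fire when a line matches REGEX and a line matching
# IF_MATCHED_REGEX was seen on the same host within TIMEFRAME seconds before.
# The regexes are PCRE translations of the rule's OSSEC-syntax patterns.
RULE = {
    "id": 1608, "level": 13, "timeframe": 120,
    "regex": re.compile(r"sshd\[\d+\]: fatal: Local: crc32 compensation attack"),
    "if_matched_regex": re.compile(r"sshd\[\d+\]: Corrupted check bytes on"),
    "comment": "SSH CRC-32 Compensation attack",
}

# BSD syslog header: "Mon DD HH:MM:SS host message" (assumes a single year).
SYSLOG = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")

def parse(line, year=2007):
    """Return (timestamp, host, message) or None for a non-syslog line."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)

def correlate(lines, rule=RULE):
    """Return one (rule id, level, host, timestamp) alert per line that completes the rule."""
    alerts, last_hit = [], {}          # last_hit: host -> time of newest if_matched hit
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, host, msg = parsed
        if rule["if_matched_regex"].search(msg):
            last_hit[host] = ts
        if rule["regex"].search(msg):
            prev = last_hit.get(host)
            if prev is not None and 0 <= (ts - prev).total_seconds() <= rule["timeframe"]:
                alerts.append((rule["id"], rule["level"], host, ts))
    return alerts

# Constructed sample: lines 2 and 3 are 2 s apart (alert); line 4 has no
# Corrupted-check message within the preceding 120 s (no alert).
SAMPLE = [
    "May 21 20:22:28 slacker sshd[21487]: Failed password for root from 192.168.20.185 port 1045 ssh2",
    "May 21 20:25:10 slacker sshd[21490]: Corrupted check bytes on input.",
    "May 21 20:25:12 slacker sshd[21490]: fatal: Local: crc32 compensation attack: network attack detected",
    "May 21 20:40:00 slacker sshd[21600]: fatal: Local: crc32 compensation attack: network attack detected",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```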

5
OSSEC Capabilities: Integrity Checking
  • File / Directory Properties
  • Permissions
  • Size
  • Ownership
  • sha1sum
  • md5sum
  • Windows Registry Monitoring
  • Exclude / Ignore files
  • Configurable Periodic Scans
  • Database stored on OSSEC Server - not on local
    machine

6
OSSEC Capabilities: Root Kit Detection
  • Agent Integrated
  • Centrally Managed Signatures
  • Files Database: searches for known root kit
    support files using stat(), fopen() and opendir()
  • Trojan Database: searches for trojaned binaries
    used by root kits
  • File System Anomalies: permission problems, root
    owned files, hidden files, SUID files
  • Scan for Hidden Processes: getsid() vs. ps output
  • Scan for Hidden Ports: bind() vs. netstat output
  • Scan for promiscuous interfaces

7
OSSEC Capabilities: Active Response
  • Agent or Server Based Responses
  • Flexible Responses
  • React Based on Events
  • Unlimited Responses
  • White Lists
  • Response Timeouts

8
OSSEC Capabilities: Windows Integration
  • Agent Installation Only (Requires OSSEC Server)
  • Runs on XP and Windows 2000
  • Monitor Event Log
  • File Integrity Check
  • Registry Integrity Check
  • IIS Log Monitoring (NCSA Formatted)
  • Web / FTP / SMTP Log Monitoring (W3C Extended
    Format)

9
OSSEC Capabilities: Architecture Map
  • Installation Types
  • Server
  • Agent
  • Local
  • Connection Types
  • Secure
  • Syslog
  • Non-Monitored Machines via Syslog
  • Communications Security (PSK)

[Architecture map diagram: OSSEC Server with Win32 Agent, Linux Agent, Solaris Agent, Linux Local and a Syslog Server]
10
OSSEC Example Logs
  • SSH
  • May 21 20:22:28 slacker sshd[21487]: Failed password for root from 192.168.20.185 port 1045 ssh2
  • ProFTPD
  • May 21 20:21:21 slacker proftpd[25530]: proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]) - no such user 'dcid-inv'
  • Bind
  • Aug 29 15:33:13 ns3 named[464]: client 217.148.39.43#2769: query (cache) denied
  • Apache
  • 127.0.0.1 - - [28/Jul/2006:10:27:32 -0300] "GET /hidden/ HTTP/1.0" 404 7218
  • Windows
  • Nov 2 17:23:16 192.168.1.100 security[failure] 529: NT AUTHORITY\SYSTEM: Logon Failure: Reason: Unknown user name or bad password User Name: Jeremy Lee Domain: IBM17M Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: IBM17M
  • Cisco IOS
  • Sep 6 09:20:44 RouterName 86: Sep 6 14:20:35.991: %SYS-5-CONFIG_I: Configured from console by admin

11
OSSEC Other Resources
  • Home Page: http://www.ossec.net
  • Mailing List Archives: http://marc.theaimsgroup.com/?l=ossec-list&r=1&w=2
  • IRC: irc.freenode.net, #OSSEC