Host Based Intrusion Detection

Transcription

1

2

3 Host Based Intrusion Detection

4 Simple Menu Driven Installation OSSEC HIDS v2.4 Installation Script - You are about to start the installation process of the OSSEC HIDS. You must have a C compiler pre-installed in your system. If you have any questions or comments, please send an to dcid@ossec.net (or daniel.cid@gmail.com). - System: Linux myserver.mysite.com mysite el User: root - Host: myserver.mysite.com -- Press ENTER to continue or Ctrl-C to abort. --

5 Log Analysis Integrity Checking Rootkit Detection Policy Monitoring Alerting Active Responses

6

7 LIDS Log based Intrusion Detection System

8 Scalable Easy to Install Free Multiplatform Secure by default Loaded with rules & decoders

9 Log Management

10 Alerts Correlates events Takes Action

11

12

13 Host VM VM VM VM

14 OSSEC Server OSSEC Agent OSSEC Agent OSSEC Agent

15 OSSEC Server OSSEC Server OSSEC Agent OSSEC Agent OSSEC Agent

16 <group name= MyCustomApp,"> <rule id= " level="0"> <category>web log</category> <description>access log messages grouped.</description> </rule> <rule id= " level="0"> <if_sid>111100</if_sid> <id>^2 ^3</id> <compiled_rule>is_simple_xyz_request</compiled_rule> <description>ignored URLs (simple queries).</description> </rule> <rule id= " level="5"> <if_sid>111100</if_sid> <id>^4</id> <description>custom server 4014 error code.</description> </rule> <rule id= " level="0"> <if_sid>111101</if_sid> <url>.jpg$.gif$ favicon.ico$.png$ rs.txt$.cs$.js$</url> <compiled_rule>is_simple_cutsom_request</compiled_rule> <description>ignored extensions on 4000 error codes.</description> </rule>

17

18 Logs File Changes Registry Modifications

19 Precoding & Decoding

20 So how does it work?

21 Stand-alone Client-Server

22 Stand-alone Client Acts as client & server Not very useful Testing scenarios only

23 Client-Server Install More secure Centralized Management Greater taste Less Filling

24 UNIX

25

26

27

28 Integrity Checking

29 Syscheck File Integrity Checking MD 5 SHA 1 Registry Integrity Checking

30 Active Responses

31 Out of the Box Active Responses Disable account account.sh Firewall drop.sh Host deny.sh Ipfw_mac.sh Ipfw.sh

32 Secure Architecture Encryption key exchange at installation Integrity Checks performed at server Each process at lowest permissions Multiple processes Components run in chrooted jail

33 So how do you install OSSEC?

34 OSSEC Server Installation

35

36

37

38 Install.sh Questions For installation in English, choose [en] (en/br/cn/de/el/es/fr/it/jp/nl/pl/ru/sr/tr) / /d / /f /i /j / / / [en]: en What kind of installation do you want (server, agent, local or help)? server Choose where to install the OSSEC HIDS [/var/ossec]: /var/ossec Do you want e mail notification? (y/n) [y]:yy What's your e mail address? guru@myfirm.com We found your SMTP server as: mailserver.myfirm.com. Do you want to use it? (y/n) [y]: y Do you want to run the integrity it check kd daemon??(/)[] (y/n) [y]: y Do you want to run the rootkit detection engine? (y/n) [y]: y Do you want to enable active response? (y/n) [y]: y Do you want to enable the firewall drop response? (/)[] (y/n) [y]: y Do you want to add more IPs to the white list? (y/n)? [n]: n

39

40

41 That s it!

42 Installation Locations Default installation in /var/ossec Main configuration file is /var/ossec/etc/ossec.confconf Decoders are stored at /var/ossec/etc/decoders.xml Binaries stored at /var/ossec/bin/ Rules stored at /var/ossec/rules/*.xml Alerts are stored at /var/ossec/logs/alerts.log

43 Why aren t the OSSEC logs in /var/log?

44

45

46 OSSEC Processes

47 Secure

48 chroot Chroot definition: (from Wikipedia) Chroot definition: (from Wikipedia) A program that is chrooted is re-rooted to another directory and cannot access or name files outside that directory

49 Processes are limited in privilege

50 Processes run as different users

51 OSSEC Processes ossec analysisd runs as user ossec (performs Analysis) ossec remoted runs as user ossecr (runs on server and collects logs from agents) ossec maild runs as user ossecm (sends alerts) ossec execd runs as root (executes active responses) ossec logcollec runs as root, but only reads the logs, no analysis (collects logs) ossec syscheckd runs as root (file integrity monitoring) ossec monitord runs as user ossec (monitors agents status) ossec agentd runs as user ossec (runs on agents and forwards logs to remoted td on server)

52 Add the clients as Agents (on the server) (server)# /var/ossec/bin/manage_agents

53 Add the Agent {server}#/var/ossec/bin/manage_agents **************************************** * OSSEC HIDS v0.8 Agent manager. * * The following options areavailable: available: * **************************************** (A)dd an agent (A). (E)xtract key for an agent (E). (L)ist already added agents (L). (R)emove an agent (R). (Q)uit. Choose your actions: A,E,Ror Q:a

54 Provide the name and IP Adding a new agent (use q to return to main menu). Please provide the following: * A name for the new agent: linux1 * The IP Address for the new agent: * An ID for the new agent[001]: Agent information: ID:001 Name:linux1 IP Address: Confirm adding it?(y/n): y Confirm adding it?(y/n): y Added.

55 Extract the Encryption Key **************************************** * OSSEC HIDS v0.8 Agent manager. * * The following options are available: * **************************************** (A)dd an agent (A). (E)xtract key for an agent (E). (L)ist already added agents (L). (R)emove anagent agent (R). (Q)uit. Choose your actions: A,E,R or Q: e

56 Pick the client ID and copy the key Available agents: ID: 001, Name: linux1, IP: ID: 002, Name: obsd1, IP: Provide the ID of the agent you want to extract the key: 001 Agent key information for 001' is: CDAxIGxpbnX4MSAxOTIuMTY4LjAuMzIgOWM5MENlYzNXXXYYYZZZZZ== ** Press ENTER to continue

57 Client Side Setup (linux1)# /var/ossec/bin/manage_agents **************************************** * OSSEC HIDS v0.8 Agent manager. * * The following options are available: * **************************************** (I)mport key for the server (I). (Q)uit. Choose your actions: I or Q: I Paste it here: CDAxIGxpbnX4MSAxOTIuMTY4LjAuMzIgOWM5MENlYzNXXXYYYZZZZZ== * Provide the Key generated from the server. * The best approach is to cut and paste it. * Do not include spaces or new line characters.

58 Restart OSSEC on client and server (server)# /var/ossec/bin/osssec-control restart (client)# /var/ossec/bin/osssec-control control restart

59 Repeat that process for all clients/agents.

60 Windows Agent is a GUI

61

62

63

64

65

66

67

68

69

70

71

72 What can the Windows Agent do? Monitors the Windows event log at real time Monitors IIS logs (Web, FTP, SMTP) and any other logs present on your system (including Symantec Anti Virus, MySQL, Apache, etc) at near real time. Periodically checks the Windows Registry for changes. Periodically checks your Windows folders for changes. Periodically does policy verifications to make sure your system is configured properly. Looks for alternate NTFS File Streams.

73 Installation Issue

74 OSSEC Server no likey SELINUX

75 What does OSSEC look like?

76

77

78 OSSEC Alert Levels 00 Ignored 01 None 02 System low priority it notification 03 Successful/Authorized events 04 System low priority error 05 Usergenerated error 06 Low relevance attack 07 "Bad word" matching 08 First time seen 09 Error from invalid source 10 Multiple user generated errors. 11 Integrity checking warning 12 High importance event 13 Unusual error (high importance) 14 High importance security event 15 Severe attack

79

80

81

82

83

84 Rules

85 /var/ossec/rules apache_rules.xml firewall_rules.xml ms_dhcp_rules.xml pam_rules.xml roundcube_rules.xml symantec-av_rules.xml vpopmail_rules.xml arpwatch_rules.xml ftpd_rules.xml ms-exchange_rules.xml xml php_rules.xml rules_config.xml symantec-ws_rules.xml vsftpd_rules.xml asterisk_rules.xml hordeimp_rules.xml ms_ftpd_rules.xml pix_rules.xml sendmail_rules.xml syslog_rules.xml web_rules.xml attack_rules.xml ids_rules.xml ms-se_rules.xml policy_rules.xml smbd_rules.xml telnetd_rules.xml wordpress_rules.xml backup-rules imapd_rules.xml mysql_rules.xml postfix_rules.xml solaris_bsm_rules.xml translatedzeus_rules.xml cimserver_rules.xml local_rules.xml named_rules.xml postgresql_rules.xml rules.xml sonicwall_rules.xml trend-osce_rules.xml cisco-ios_rules.xml mailscanner_rules.xml netscreenfw_rules.xml proftpd_rules.xml spamd_rules.xml vmpop3d_rules.xml courier_rules.xml mcafee_av_rules.xml nginx_rules.xml pure-ftpd_rules.xml squid_rules.xml vmware_rules.xml l dovecot_rules.xml l msauth_rules.xml l ossec_rules.xml racoon_rules.xml sshd_rules.xml vpn_concentrator_rules.xml

86 OSSEC RULES Reserved for internal OSSEC HIDS rules General syslog rules Network File System (NFS) rules xinetd rules Access control rules mail /procmail rules smartd rules crond rules Mount/Automount rules Sendmail mail server rules Symantec Antivirus rules Symantec Web Security rules Point to point tunneling protocol (PPTP) rules Squid syslog ru les Horde IMP rules vpopmail rules FTS rules ftpd rules ProFTPD rules Pure FTPD rules Postfi x mail server rules vs FTPD rules spamd fi lter rules MS FTP rules imapd mail server rules named (BIND DNS) rules Mail scanner rules Samba (smbd) rules Microsoft Exchange mail server rules Racoon SSL rules Courier mail rules (imapd/pop3d/pop3-ssl) Cisco VPN Concentrator rul es Generic fi rewall rul es Cisco PIX/FWSM/ASA fi rewall rules Juniper Netscreen fi rewall rules Cisco IOS rules SonicWall fi rewall rules Policy rules Windows system rules IDS rules IDS (Snort specifi c) rules Apache HTTP server error log rules Web access log rules Zeus web server rules Squid rules Attack pattern rules Privilege escalation rules Scan pattern rules Linux, UNIX, BSD kernel rules Switch user (su) rules Super user do (sudo) rules Unix pluggable authentication mod (PAM) telnetd rules sshd rules MySQL MSQLdtb database rules Add user or user deletion rules Tripwire rules arpwatch rules PostgreSQL database rules User defined rules

87 Custom Rules /var/ossec/rules/local / / / _ rules.xml

88 Event PreDecoding Decoding Rules Alerts s Active Responses Logs

89 Event PreDecoding Decoding Rules Alerts s Active Responses Logs

90 Time Date Hostname Program Name Log message Predecoding Fields Jun 13 13:13:03 cle-linx01 sshd[1205]: Accepted password for admin from port 1618 ssh2

91 Event PreDecoding Decoding Rules Alerts s Active Responses Logs

92 Decoding Fields Username IP Address Port Version Jun 13 13:13:03 cle-linx01 sshd[1205]: Accepted password for admin from port 1618 ssh2 Accepted password for admin from port 1618 ssh2

93 /var/ossec/etc/decoders.xml

94 decoder <decoder name="sshd"> <program_name>^sshd</program_name> </decoder> <decoder name="sshd-success success"> <parent>sshd</parent> <prematch>^accepted</prematch> <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port </regex> <order>user, srcip</order> <fts>name, user, location</fts></decoder> <decoder name="ssh-denied"> <parent>sshd</parent> <prematch>^user \S+ from </prematch> <regex offset="after_parent">^user (\S+) from (\S+) </regex> <order>user, srcip</order></decoder>.

95 Event PreDecoding Decoding Rules Alerts s Active Responses Logs

96 2 Types of Rules

97 Atomic

98 Atomic Rule Example " b l " <group name="web,accesslog,"> <rule id="31100" level="0"> <category>web log</category> <description>access log messages grouped.</description> </rule>

99 Composite

100 Composite Rule Example <rule id="31153" level="10" frequency="8" timeframe="120"> <if_matched_sid>31104</if_matched_sid> <same_source_ip /> <description>multiple common web attacks from same souce ip.</description> <group>attack,</group> </rule>

101 What log files get monitored?

102 ossec.conf log file entries <!-- Files to monitor (localfiles) --> <localfile> <log_format>syslog</log_format> <location>/var/log/messages</location> </localfile> <localfile> <log_format>syslog</log_format> <location>/var/log/secure</location> </localfile> <localfile> <log_format>syslog</log_format> <location>/var/log/maillog</location> </localfile> <localfile> <log_format>apache</log_format> <location>/var/log/httpd/error_log</location> </localfile>.

103 How do I shut this thing up?

104 Rewriting A Rule to Silence It Edit /var/ossec/rules/local_rules.xml <rule id="100030" level="0"> <if_sid>31106</if_sid> <description>list of rules to be ignored.</description> </rule> /ue <rule id="110002" level="0" > <if_group>authentication_failures,</if_group> <description>changes ignored.</description> <if_sid>18152</if_sid> </rule> <rule id="110003" level="0" l "0"> <if_group>system_error,</if_group> <description>changes ignored.</description> <if_sid>31122</if_sid> </rule>

105 Raise Alert Levels

106 Stupid OSSEC Tricks

107 Coding Daily Reports Add these lines to ossec.conf Receive summary of all the authentication success: <ossec_config> <reports> <category>authentication_success</category> <user type= relation >srcip</user> <title>daily report: Successful logins</title> </reports> </ossec_config Receive summary of all File integrity monitoring (syscheck) alerts: <ossec_config> <reports> <category>syscheck</category> <title>daily report: File changes</title> </reports> </ossec_config>

108 Authentication Daily Report Report 'Daily report: Successful logins' completed. >Processed alerts: 4388 >Post filtering alerts: 2 >First alert: 2010 Aug 6 13:25:04 >Last alert: 2010 Aug 6 13:25:04 Top entries for 'Source ip': 10.xx.xx.xx 1 Top entries for 'Username': administrator 1 Top entries for 'Group': authentication_success 2 syslog 2 pam 1 sshd 1 Top entries for 'Location': (dmz server) x.x >/var/log/secure 2 Top entries for 'Rule': 5501 Login session opened SSHD authentication success. 1 Top entries for 'Level': Severity 3 2 Related entries for 'Username': administrator 1 srcip: '10.xx.xx.xx'

109 Forensic Analysis of Log Files #cat /var/log/secure /var/ossec/bin/ossec logtest a 2010/08/18 08:37:32 ossec testrule: INFO: Started (pid: 25489). ** Alert : mail syslog,fts,authentication_success 2010 Aug 18 08:37:32 MYSVR01 >stdin Rule: (level 4) > 'First time user logged in.' Src IP: User: root Aug 16 08:31:30 MYSVR01 sshd[28191]: Accepted password for root from port ** Alert : syslog,sshd,authentication_success, 2010 Aug 18 08:37:32 MYSRV01 >stdin Rule: 5715 (level 3) > 'SSHD authentication success.' Src IP: User: root Aug 16 16:24:37 MRSVR01 sshd[7089]: Accepted password for root from port ssh2 ** Alert : mail syslog,errors, 2010 Aug 18 08:37:32 MYSVR01 >stdin Rule: 1002 (level 2) > 'Unknown problem somewhere in the system.' Src IP: (none) User: (none) Aug 17 09:32:20 MYSVR01 sshd[3176]: error: Bind to port 22 on 0000failed: Address already in use.

110 Forensic Analysis Summary (1) # cat /var/log/secure /var/ossec/bin/ossec logtest a /var/ossec/bin/ossec reportd 2010/08/18 08:42:53 ossec reportd: INFO: Started (pid: 32590). 2010/08/18 08:42:53 ossec testrule: INFO: Started (pid: 32589). 2010/08/18 08:42:58 ossec reportd: INFO: Report completed. Creating output... Report completed. == >Processed alerts: 7 >Post filtering alerts: 7 >First alert: 2010 Aug 18 08:42:53 >Last alert: 2010 Aug 18 08:42:53 Top entries for 'Source ip': Top entries for 'Username': root 4

111 Forensic Analysis Summary (2) Top entries for 'Level': Severity 3 5 Severity 2 1 Severity 4 1 Top entries for 'Group': syslog 7 authentication_success 5 sshd 3 pam 2 errors 1 fts 1 Top entries for 'Location': MYSVR01 >stdin 7

112 Forensic Analysis Summary (3) Top entries for 'Rule': 5715 SSHD authentication success Unknown problem somewhere in the syst First time user logged in Login session opened Login session closed. 1 Log dump: 2010 Aug 18 08:42:53 MYSVR01 >stdin Rule: (level 4) > > 'First time user logged in. ' Aug 16 08:31:30 MYSVR01 sshd[28191]: Accepted password for root from port 56321

113 Brute Force Attack Report #cat /var/log/secure /var/ossec/bin/ossec logtest a /var/ossec/bin/ossec reportd f group authentication_failures Report completed. == >Processed alerts: 362 >Post filtering alerts: 21 Top entries for Source ip : Top entries for Username : root 22 Top entries for Level : Severity Top entries for Group : authentication_failures 21 sshd 21 syslog 21 Top entries for Location : enigma >stdin 21 Top entries for Rule : 5720 Multiple SSHD authentication failures SSHD brute force trying to get access.. 1

114 Lessons Learned It s simple. Use it. Lots of noise on upgrades. Windows 2008 R2 whines.and whines and whines. Agentless monitoring allows you to monitor many appliances (routers, switches, firewalls, etc.)

115

116 Questions?

117 Image Credits Log File Tired guy wine and beer glasses G2.png Tux Lock Hulk Kid at Computer Direction sign Wormhole Fire The following images were used under fair use provisions of US copyright and dtrademark klaw: Logos: Windows, Tux, FreeBSD, VMWare, MAC OSx, OSSEC and AIX OSSEC WebUI screenshots