OSSEC in the Enterprise

Transcription

1 OSSEC in the Enterprise Open Source Log Management, Analysis and Intrusion Detection Rochester Security Summit October 29, 2009 Michael Starks, CISSP, CISA, GSNA

2 Agenda What is OSSEC? Log Analysis Integrity Monitoring Rootkit Detection Policy Monitoring Alerting Active Response OSSEC WebUI Why OSSEC? Risks & Countermeasures Enterprise Considerations Demo Questions

3 What is OSSEC? OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. Source:

4 What is OSSEC? Put another way... OSSEC is security software that looks for bad stuff on the actual host

5 Multi-Platform Works on Windows and most Unix-like systems

6 Centrally Managed Client/server architecture Almost everything can be managed from the OSSEC manager Restart agents Start integrity checks Tune rules Block attacks

7 Single Installation Manager and agent on one machine

8 Distributed Centralized manager and distributed agents

9 Distributed Multiple managers and multiple agents

10 Redundant Fail over to one or more managers

11 Flexible and Extensible Easily add support for custom applications Integrate with commercial SIEMs Analyze logs on existing syslog servers

12 Secure by Default Privilege separated processes Chroot where possible Secure programming practices Encrypted message transport using IP restrictions and replay prevention

13 Supported Community IRC: #OSSEC on Freenode Mailing lists: ossec-list Commercial Trend Micro OSSEC Host-Based Intrusion Detection Guide ossec-dev

14 Fast and Efficient Analyze millions of events per day...in real-time...using commodity hardware

15 Extensive Application Support Dozens of decoders and hundreds of rules out of the box Unix Pam, sshd (OpenSSH), Solaris telnetd, Samba, Su, Sudo, Proftpd, Pure-ftpd, vsftpd, Microsoft FTP server, Solaris ftpd, Imapd, Postfix, Sendmail, vpopmail, Microsoft Exchange, Apache, IIS5, IIS6, Horde IMP, Iptables, IPF. PF, Netscreen, Cisco PIX/ASA/FWSM, Snort, Cisco IOS, Nmap, Symantec AV, Arpwatch, Named, Squid, Windows event logs, VMWare

16 Free Open source Budget friendly

17 Log Analysis The heart of OSSEC

18 LIDS Log-based Intrusion Detection Not a log management tool Analyzes (but does not store) every log

19 A Slight Detour What if the attacker deletes the logs? Will you have all the pieces of the puzzle? Robust log management strategies help OSSEC do its job

20 Log Management Corporate policy should define the need for logging

21 Log Management Corporate standards should define system audit settings, such as: What to audit Frequency of log rotation Log format Method of communication

22 Log Management Logs should, wherever possible, be converted from a proprietary format to a standardized and normalized format (e.g. syslog)

23 Log Management Logs should be centralized and stored on a hardened, purpose-specific server, with no unnecessary or unrelated services running

24 Log Management Systems should be synchronized with a common, trusted time source

25 Log Management Logs contain sensitive information and should be encrypted in transit wherever possible

26 Log Management A copy of each log should be available both locally and centrally In the event of a compromise, the trusted log server can be compared with the local logs

27 Log Management Logs should be maintained online and archived offline according to regulatory or policy requirements

28 Log Management Access to logs should be on a need-to-know and least-privileged basis

29 Log Management Access to logs should always be read-only

30 Log Flow Through OSSEC Tree-like structure Alert Analysis Decode Pre-decode Log enters system

31 Log Enters System Secure (encrypted) Insecure (syslog) Localhost

32 Pre-Decoding and Decoding Extracts individual parts of the log and places them into buckets Useful later on when writing rules b o B user src_ip id ns v o g. a url

33 SSHd Log Pre-Decoded Extracts known fields from logs (e.g. time) Compiled in for efficiency Log comes in as: Apr 14 17:32:06 hostname sshd[1025]: OSSEC pre-decodes it as: time/date -> Apr 14 17:32:06 hostname -> hostname program_name -> sshd Pre-decoded

34 SSHd Log Fully Decoded Log comes in as: Apr 14 17:32:06 hostname sshd[1025]: Accepted password for root from port 1618 ssh2 OSSEC decodes it as: time/date -> Apr 14 17:32:06 hostname -> hostname program_name -> sshd log -> Accepted password for root from port... srcip -> user -> root Pre-decoded Decoded

35 SSHd Log Decoder Will there be a test? <decoder name="sshd"> <program_name>^sshd</program_name> </decoder> <decoder name="sshd-success"> <parent>sshd</parent> <prematch>^accepted</prematch> <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port </regex> <order>user, srcip</order> </decoder>

36 Analysis (Rules) Rules are also called signatures Simple XML files on the manager Independent of original log format

37 Two Types of Rules Atomic: single event Bob mistyped his password once Composite: multiple events across logs Bob mistyped his password 3,561 times in 3 minutes on 16 different systems

38 That Looks Suspicious I know Bob forgets his password, but...

39 Rules Rules pick up where decoders leave off Instead of writing rules for raw logs, they can be written to normalized data (e.g. Bob is a user ) Data flows through the tree until a rule matches or doesn't match

40 Rules Severity-based: levels 0 (low) to 15 (high) Nest multiple rules for granular control Rule groups further normalize data web_scan firewall_drop account_changed...

41 Simplest Rule If the log was decoded as SSHd, generate rule 111 Not very useful yet <rule id = "111" level = "5"> <decoded_as>sshd</decoded_as> <description>logging every decoded sshd message</description> </rule>

42 Dependent Rule If rule 111 matched and the log contains Failed Password set the severity (level) to 7 and the group to authentication_failed <rule id= 122 level= 7 > <if_sid>111</if_sid> <match>^failed password</match> <description>failed password attempt</description> <group>authentication_failed</group> </rule>

43 nd 2 Dependent Rule If rule 122 matched and it's that pesky Bob Raise the severity (level) to 12 <rule id= 133 level= 12 > <if_sid>122</if_sid> <user>bob</user> <description>that pesky Bob again</description> </rule>

44 In Other Words Put another way... Record all events decoded as SSHd Alert at level 7 on every authentication failure If the user is Bob, raise the alert level to 12

45 Wait a Minute What if Bob has 3,561 login failures again?

46 Wait a Minute What if his login failures aren't just through SSH?

47 Revised Rule Thoughts Alert me if Bob has a few authentication failures in a short time, from anywhere, but don't flood me with alerts

48 Revised Rule for Bob Let's try that last rule again <rule id= 133 level= 12 frequency= 10 timeframe= 300 ignore= 60 > <if_matched_group>authentication_failed</if_matched _group> <user>bob</user> <description>bob is acting up</description> </rule>

49 Rule Examples Other interesting rules

50 Attack Followed by Account <group name="syslog,elevation_of_privilege,"> <rule id="40501" level="15" timeframe="300" frequency="2"> <if_group>adduser</if_group> <if_matched_group>attacks</if_matched_group> <description>attacks followed by the addition of an user.</description> </rule> </group>

51 Really Long URL <rule id="31115" level="13" maxsize="2900"> <if_sid>31100</if_sid> <description>url too long. Higher than allowed on most browsers. Possible attack.</description> <group>invalid_access,</group> </rule>

52 Multiple Windows Errors <rule id="18154" level="10" frequency="$ms_freq" timeframe="240"> <if_matched_sid>18103</if_matched_sid> <description>multiple Windows error events.</description> </rule>

53 Windows Application Installed <rule id="18147" level="5"> <if_sid>18101</if_sid> <id>^11707</id> <options>alert_by_ </options> <description>application Installed.</description> </rule>

54 Windows Audit Policy Changed <rule id="18113" level="8"> <if_sid>18104</if_sid> <id>^612 ^643 ^4719 ^4907 ^4912</id> <description>windows Audit Policy changed.</description> <group>policy_changed,</group> </rule>

55 Virus Found, Not Removed <rule id="7504" level="12"> <if_sid>7500</if_sid> <regex>$mcafee_virus</regex> <group>virus</group> <description>mcafee Windows AV - Virus detected and not removed.</description> </rule>

56 Integrity Monitoring Keeping a Known Good State

57 File Integrity SHA-1 and MD5 of critical system files and registry keys Performed in real-time or on a schedule Auto-ignores files that change too often

58 File Integrity Also checks owner, group, permissions Hashes forwarded to manager for safe keeping (excellent for forensics) Use the full power of rules to manage alerts (e.g. alert only on changes outside patch window)

59 World Writable File OSSEC HIDS Notification Oct 21 12:02:27 Received From: hostname->syscheck Rule: fired (level 7) -> "World Writable File" Portion of the log(s): Integrity checksum changed for: '/etc/httpd/conf/httpd.conf' Permissions changed from 'rw ' to 'rw-r--rw-' --END OF NOTIFICATION

60 No Longer World Writable OSSEC HIDS Notification Oct 21 12:05:11 Received From: hostname->syscheck Rule: 552 fired (level 7) -> "Integrity checksum changed again (3rd time)." Portion of the log(s): Integrity checksum changed for: '/etc/httpd/conf/httpd.conf' Permissions changed from 'rw-r--rw-' to 'rw ' --END OF NOTIFICATION

61 Agentless Integrity Periodic diff of firewalls and routers Checksum and diff of remote 'nix systems It's nice to know something changed, but what? Agentless check of /etc/password shows what changed

62 Agentless Alerts OSSEC HIDS Notification May 14 16:32:20 Received From: (ssh_pixconfig_diff) Rule: 555 fired (level 7) -> "Integrity checksum for agentless device changed." Portion of the log(s): ossec: agentless: Change detected: 206a207 > port-object eq c557...

63 Rootkit Detection Exposing the Hidden

64 Unix Rootkit Detection Signature and anomaly-based Signatures automatically sent to agents Can be run stand-alone

65 Signature Method Signatures for Adore, Knark, LOC, etc Attempt to stats, fopen and opendir each specified file Some rootkits don't fully hide themselves

66 Anomaly Method Detects known and unknown rootkits Files in /dev which aren't device files Unusual files (hidden directories, files owned by root which are world-writable)

67 Anomaly Method Running processes hidden from ps Listening ports hidden from netstat Promiscuous interfaces hidden from ifconfig

68 Rootcheck Alert OSSEC HIDS Notification Oct 06 17:45:17 Received From: XXXX->rootcheck Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)." Portion of the log(s): Rootkit 'Suspicious' detected by the presence of file '/var/www/vhosts/yyyy.com/httpdocs/language/lang_english/ /.log'. /... --END OF NOTIFICATION Source:

69 Windows Rootkit Detection Not as advanced as Unix-based detection Alternate data streams (Files hidden within files)

70 Policy Monitoring Detect Insecure Conditions

71 Policy Monitoring Is your system configured securely? Identify situation which can lead to a breach Benchmark system against CIS standard or create your own

72 Policy Monitoring File, registry setting, or process exists or does not exist Combine values with logical AND/OR Is anti-virus installed but not running?

73 Policy Monitoring Has the host firewall been disabled? Is LanMan authentication allowed? *Does not alert by default

74 Alerting Getting Notified

75 Alerting , syslog and database output Built-in flood protection Send alerts to different teams based on granular rules, severity or group

76 Alerting On second thought, maybe it wasn't Bob who tried to login to his account Someone should get a page if this happens again

77 Can't Miss the Game What if it's the weekend and I'm watching the game?

78 Alerting That someone should be Henry, the Jr. Security Analyst What a wonderful opportunity for professional development

79 Alerting Create another rule without restricting it to Bob, which will only fire on the weekends <rule id= 144 level= 12 frequency= 10 timeframe= 300 ignore= 60 > <if_matched_group>authentication_failed</if_matched _group> <weekday>saturday,sunday</weekday> <description>multiple Weekend Authentication Failures</description> </rule>

80 Alerting Followed by an alert configuration is ossec.conf < _alerts> <rule_id>144</rule_id> <format>sms</format> </ _alerts>

81 Alerting Syslog or database output easily integrated with commercial SIEMs Use OSSEC for the analysis Use the SIEM GUI for advanced correlation

82 Rule Examples Other interesting alerts

83 Excessive Events OSSEC HIDS Notification Oct 21 04:31:50 Received From: hostname->/var/log/httpd/error_log Rule: 11 fired (level 8) -> "Excessive number of events (above normal)." Portion of the log(s): The average number of logs between 4:00 and 5:00 is 936. We reached 1218.

84 First-Time Login OSSEC HIDS Notification Oct 22 11:24:34 Received From: hostname->/var/log/secure Rule: fired (level 4) -> "First time user logged in." Portion of the log(s): Oct 22 11:24:33 hostname sshd[2998]: Accepted password for kevin_mitnick from port ssh2

85 First Sudo Attempt OSSEC HIDS Notification Oct 22 11:27:49 Received From: hostname->/var/log/secure Rule: 5403 fired (level 4) -> "First time user executed sudo." Portion of the log(s): Oct 22 11:27:49 hostname sudo: kevin_mitnick : user NOT in sudoers ; TTY=pts/1 ; PWD=/ ; USER=root ; COMMAND=/bin/su -

86 Active Response Preventing Breaches

87 Active Response Attackers follow common patterns 1. Reconnaissance 2. Scan 3. Exploit OSSEC can often prevent breaches by detecting attacks in the early stages

88 Active Response Not an IPS, but effective

89 Active Response Time-based security implementation Protection time should be greater than the sum of detection time, plus reaction time (D+R)>P This is good!

90 Active Response If severity > 6, add the attacker's IP to the host firewall for 10 minutes Or the perimeter firewall... Or disable an account... Or shut down the system...

91 Active Response Execute responses on the manager, one particular agent, a firewall or everywhere Worldwide?

92 OSSEC WebUI A Face to OSSEC

93 Benefits of GUIs GUI interfaces allow you to see trends and patterns over time FTP account gets locked out every day at 4:15 AM What alerts does OSSEC think aren't worthy of an ?

94 OSSEC WebUI

95 OSSEC WebUI

96 OSSEC WebUI

97 Other GUI Options Other options include: Splunk OSSIM Picviz

98 Why OSSEC?

99 PCI DSS Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

100 PCI DSS Review logs for all system components at least daily......note: Log harvesting, parsing, and alerting tools may be used to meet compliance with Requirement 10.6

101 Closing the NIDs Circle Network-based IDS Only half the picture

102 Closing the NIDs Circle Host-based IDS The other half

103 Closing the NIDs Circle Network and Host-based IDS A new level of insight into your environment

104 Closing the NIDs Circle Of course, OSSEC reads NIDs logs

105 Forensics Everything is forwarded to the manager for analysis and possible storage Attackers like to delete logs

106 Policy Compliance How do you know your systems are still hardened? Are admins logging in with unique accounts? Is anti-virus running?

107 Keep Employees Honest Insider threats cost companies millions per year Employees who know their activities are monitored tend to be more honest

108 Budget OSSEC can be used for free

109 Risks & Countermeasures

110 Mass Deployment Deploying large amounts of agents is challenging Each agent uses a unique key How can a single package be created?

111 Active Response Attackers who know Active Response is in use may try to use that to their advantage IPs can be spoofed, thereby triggering an incorrect response

112 Alert Flooding You have 6,972 new messages! Will you read them all?

113 Log Injection Attacker uses poorly written regular expressions to bypass rules ftp Welcome to labs ossec candy FTP service. Name ( :root): lala] FAIL LOGIN: Client Normal Log Mon Jun 2 21:05: [pid 1448] [myuser] FAIL LOGIN: Client Log Injection Mon Jun 2 21:06: [pid 1452] [lala] FAIL LOGIN: Client ] FAIL LOGIN: Client

114 Risk Countermeasures flooding By default, OSSEC will only send 12 alerts per hour, queuing the rest until the next hour Active Response Response timeout IP whitelists Log Injection Tight regular expressions

115 Enterprise Considerations

116 Define the Problem What problem are you trying to solve? What are your primary drivers? What are the obstacles?

117 Codify in Policy Explicitly state the need in policy

118 Set Requirements Requirements are a measure of success

119 Define the Scope Will you monitor all systems? What is the budget? What is the time-frame?

120 Make a Desicion Is OSSEC a good fit? Don't design a solution looking for a problem!

121 Plan, Do, Check, Act Plan your OSSEC rollout Do the actual rollout Check the requirements against the rollout Act on the lessons learned

122 Demo

123 Summary OSSEC can add a new level of insight into your environment Only use OSSEC if it fits a need If you do use OSSEC, contribute your decoders, rules and lessons learned back to the community!

124 Questions?

125 Acknowledgements Daniel B. Cid, OSSEC creator Trend Micro Rochester Security Summit OSSEC Aucert presentation

126 Image Credits Agenda: Question mark: Tree: Vintage Mac: Rubber band ball: Padlock: Fast car: Cardboard box: Jumping man: Camera lid: Buckets: Ruler: Bob: OSSEC WUI: Road sign: The following images were used under fair use provisions of US copyright and trademark law: Logos: Windows, Tux, FreeBSD, PCI and AIX OSSEC WebUI screenshots

127 Image Credits Files in basket: Potato: Paper stack: Old phone: Little guy and stop sign: Fence: Clock: Retro TV: Sunglasses: Happy face: Thumb print: Fist: Money symbol: Crowd: Red cross:

128 Text Credits Attacking Log Analysis Tools, Daniel B. Cid: OSSEC at AusCERT, Daniel B Cid:

129 Presentation License This presentation is licensed under the Creative Commons AttributionNoncommercial-Share Alike 3.0 license. The license does not extend to images, which hold their own copyrights attributed to various authors. You are free: to Share to copy, distribute and transmit the work to Remix to adapt the work Under the following conditions: Attribution You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work). Noncommercial You may not use this work for commercial purposes. Share Alike If you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one. With the understanding that: Waiver Any of the above conditions can be waived if you get permission from the copyright holder. Other Rights In no way are any of the following rights affected by the license: Your fair dealing or fair use rights; Apart from the remix rights granted under this license, the author's moral rights; Rights other persons may have either in the work itself or in how the work is used, such as publicity or privacy rights. Notice For any reuse or distribution, you must make clear to others the license terms of this work.