Formal Metadata

Title
OSSEC
Subtitle
Know more, Protect better
Number of Parts
97
License
CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
Log management, intrusion detection/prevention and event correlation are a challenge we have been facing for decades. Most of us have been able to ignore it, but with developments in regulatory compliance (PCI-DSS, HIPAA, SOX, ISO27K, ...) companies are required to investigate solutions. In this talk we will first touch upon the problems that will be faced during such a project and how log management will look in the future (new standards are on their way). After this boring introduction to the magical world that is log management and intrusion detection, we will delve into the solution that is presented with OSSEC. While labeled as a Host-based Intrusion Detection System (HIDS), OSSEC provides you with a complete arsenal of functionalities that allow you to build a log management solution which will translate the most cryptic log message into a clear and actionable alert. Expect an overview of the basic architecture as well as practical examples of how to customize OSSEC to manage logging from your infrastructure and applications.
Transcript: English(auto-generated)
Thank you. Good, my name is Wim Remes, I'm a security consultant working in Belgium, and I'm going to talk about OSSEC today.

There's a lot of information about me on the internet, and there's a great tool that's called Maltego, I don't know if everybody has ever used it, but if you find my phone number you can call me and we can go and have a beer. There's three things I want to show you first before we go into OSSEC. I was a volunteer at the BruCON conference in Brussels last year. I don't know if anybody has visited BruCON? We're going to have another event this year in September; if you have something interesting to talk about, the CFP will be open, I think, somewhere this month or next month. Anyway, it's a very good conference. It was awesome last year, and I'm sure it will be awesome this year also.

Then I was lucky to be invited to Excalibur con, which was a security conference in China, which is going to have another edition this year also. I know it's a stupid picture, and I'm very happy that I'm not in it, but good: if you ever want to combine security and China, this is the place to be. And then the third thing that I'm involved in is the Eurotrash Security podcast. It's me, Craig Balding, Chris John Riley and Dale Pearson. We met at BruCON and we were all listening to podcasts. The problem was that all the podcasts that we listened to were hosted by US people and there was no Eurocentric podcast. So we are really trying to make a European podcast, using very basic tools, and it's fun to do, and I think we provide some information that you might find interesting. If there's something we're doing wrong after listening to the first episodes, don't hesitate to give us feedback on that.

So, on OSSEC. I'm not a developer of OSSEC, I have to make that clear. I'm not a developer at all. I started as a user of OSSEC and I've talked with Daniel Cid, who is the lead developer of OSSEC, a few times. My job is merely to introduce OSSEC to the community and make people use it more to do their log management and system protection.
So the tool is developed by Daniel Cid. Somewhere before 2005 he was using Tripwire, which you probably know, on a lot of systems, and he had a lot of problems managing those logs. So he started developing, starting from a problem he had himself, and that developed into syscheck, which was the first name of OSSEC. Then he started building tools around it, and in 2005 he released the first open source version. It's licensed under the GPL v3. Now, the tool itself was very good, but there was no support on it, and Daniel Cid was doing most of the development in his free time.

Then he had the opportunity to join Third Brigade. Third Brigade was a small company involved in security projects. The project stayed open source and they provided support on it, so you could get commercial support, but the product stayed open source. And in 2008 Third Brigade was acquired by Trend Micro, which you know as a big security company, and there have been doubts about the product staying open source. But I've done a talk at ESA a few weeks ago and there was a guy from Trend Micro in the audience there, and he vowed that it was still going to be open source and it will remain open source.

The agenda for today: first I have to introduce you to the boring parts of log management, the theory behind it. Then we're going to dig into the OSSEC features, a little bit of the OSSEC architecture, and then I'm going to introduce you to how to do log analysis, how it works and how you can do your own log analysis on any log that you have, from any application, from any system that you might want to install OSSEC on.

So, log management: it's so easy that even babies can do it. It isn't, okay.
There's a lot of sources that logs can come from. The first, biggest problem on all systems, if it involves security: there's users interacting with our applications. If there weren't any users, there wouldn't be any need to do log management. There wouldn't be any need for applications either, but good. Then we have the applications, the databases behind them, the systems, and they all generate enormous amounts of logs.

What I've learned is that we look at logs only when there's a problem, to see what has happened. If we could do that proactively, it would be very nice. The reasons why we do log management, I think there's only two: because we have to, because there's requirements, regulatory requirements. It can be an internal policy, it can be somebody requiring you to do log management, then you have to. And then there's a very few because they want to. I haven't met any yet.

If you're going to look at logs in any corporate system, you're not going to have only things logging to syslog, but you're going to have your Windows logs, and your network appliances will have their own proper format of logs. It's a big mess.

Then if we talk about log standards, the first standard that comes up is syslog. I think you all know syslog. The problem is that it has been abused a lot. With abuse I mean the developers. I don't have anything against developers, otherwise I wouldn't be here, or I would be wearing armor. But we're dumping chunks of source code in syslog. We're dumping usernames, passwords, even credit card numbers in syslog messages. And if we're going to do proper application logging, most of the time we only find cryptic strings that don't mean anything to somebody analyzing the log. It might mean something to the developer behind the application, but if you're going to put it in production, it's going to be a big problem.

Then there's a second type of logs, which are the proprietary logs. There's been efforts by Web since, by IBM, and then the last one is CEF, from ArcSight. They thought that if they were the biggest one, everybody would be adopting their log standard. It hasn't happened. There's some applications now moving to CEF. ArcSight is one of the big SIEM (security incident and event management) solutions, and some applications are already moving to CEF, but it's not too big. So we know what happens when a proprietary standard tries to be the big standard: it never happens.

And then we have IDMEF, which was an awesome initiative by some academics. It was very complex and it wasn't in relation with what you see in a production environment. So it didn't materialize either.
Most recently... oh, that was the next slide. Good. What do we need if we want to talk about log management? We need to have a language that everybody agrees upon. We also need the syntax, so that every log message looks the same, so everybody can understand it.

Then we talked about syslog first. Syslog by standard, in the RFC, is UDP. If you're going to roll out syslog in a production environment, the first engineer that you're going to meet is going to try to move you to syslog-ng. Syslog-ng is an awesome tool. It's also very flexible to get your log management and it supports TCP. TCP is not in the standard. You need to be able to use a transport according to the message that you want to send. Some messages might want to use UDP, but if you need more logging, in case of an incident, you might want to move to TCP.

And then we need recommendations, guidelines that everybody can use to do their log management, and there isn't many of that either. There is one initiative from NIST, which is a US organization, that you might want to check out, but it's about the only one that gives proper recommendations for log management. Then more recently there's the Common Event Expression, which is a standard that might make it, because it's very flexible. You can do binary logs, you can do plain text logs, you can use XML for logs, depending on what logs you want and in which case a log event happens.
Now for OSSEC. OSSEC is defined on the website as a host intrusion detection system, which means it's something you install on a system to detect intrusions. It's much more flexible than just that description. The three main features of OSSEC are: log analysis, so you can have it consume logs, interpret them, and have alerts thrown or have a reaction to that log message or log messages. Then the integrity control: you can monitor several folders on your system, and when a file changes an alert can be thrown. With the active response, which is a part of OSSEC, you can have the original file put back, so your system's integrity is controlled. And then the rootkit detection. It's not a replacement for any anti-malware solution, but it's a basic set of signatures for configurations that are interpreted as rootkits.

We dig into the architecture. First I have to touch upon the install modes. You can install OSSEC in three modes. Standalone: for a web server or a server that you have in a DMZ that you want to have intrusion detection on, you can just install it in standalone mode. Once you have multiple servers or multiple clients, you're going to want to install the agent version on the clients and have a central server for the log management. The good thing about that part is that the agent runs on the system, but it doesn't do any analysis on the system itself. It means it's a very low footprint on your server, and all the computation is going to be done on the OSSEC server itself. If you do it on the OSSEC server, you're also going to be able to do the correlation of events: if somebody's scanning multiple servers in your environment with nmap, like we learned before, then you're going to be able to correlate those events.
The two main processes that are running on the clients are the log collector, and that is in fact the only process that is running as root, because you need root access to access most of the system logs, and the only thing that it does is read the system logs. Any new messages are forwarded to the agent. The agent is responsible for communicating with the server, and all communication is encrypted and compressed. The standard port for OSSEC is UDP 1514. You know 514 from syslog, so they just put a one in front of it.

Then the server receives all the communication from the agent and it's going to forward the messages to the analysis daemon. If there is an event rule, you can have two actions. You can have a mail sent, either to the system manager, or you can configure, for a certain application, to have a mail sent to the application owner or the application developer, so you can act upon that message. And then a very nifty feature for me is execd, which allows you to run a script in reaction to an event. A very good example is at DEFCON. DEFCON is a security conference in the US. They usually have what they call a pwn-to-own contest: there's a box that they put there, if you can hack it, the box is yours. And in 2007 there was a guy who did an ARP poisoning attack once somebody tried to intrude into that system. It was never hacked, and he used OSSEC's [inaudible] libraries to do that.
So if you have a complex architecture, you can have all your clients running the OSSEC client and you're going to have your central server. That's interesting, but you don't get a good overview of your complete infrastructure. Your firewall, your switches, your routers: you cannot install an agent on them because they are closed, but you can have them report using syslog to your OSSEC server and you can interpret those logs as well. So we have servers, we have our network infrastructure, but maybe we have installed an intrusion detection system on our network as well. We can have that report into OSSEC as well. Snort is supported by default, so OSSEC already has a whole set of rules to read Snort messages.

Then of course we have applications, we have databases. We can monitor those logs as well. Because applications and the database are running on our servers, we just point the OSSEC agent to those log files and the agent will consume those as well. And then if we're going to do virtualization, you can install the agent on any Linux or Unix based system, so even on VMware ESX you can install the OSSEC agent. With that you have a complete centralization of your infrastructure logs.

These are the rules that are included by default in the OSSEC package. So you see there's Solaris rules, there is SonicWall, Cisco, Asterisk, Apache, and using the local rules you can create exceptions or extensions on the existing rules. One thing to note: if you're going to change a rule in one of the application-specific rules, those are going to be overwritten during upgrade, but the local rules XML file will never be overwritten.

So how are we going to do log analysis? I already told you that everything happens on the server.
The first thing it's going to do is pre-decoding. At that moment it's going to get basic information from the log message, but it's not going to do in-depth analysis on it. Then in the decoding part we're going to extract a lot more information, like IP addresses, usernames, hostnames and specific strings. In the analysis we're going to give meaning to that information. We're going to interpret it and we're going to make it clear.

So this is an example of a pre-decoding rule. The only thing that we want: it's a default syslog message, so we can extract the time and date, the hostname is there as well, and then we extract the application name, the program name, and we just record the log message. Now we might have a tool that is monitoring the same application, and then the application name is not going to match, but we want to have that log message for our application as well, so we can use a basic regular expression to extract the application name and still have it in the same rule set.

Then in the decoding phase we're going to have more information extracted. So this is just a basic login message, and again you see we use regular expressions to define which fields we want, and with the order tag we give meaning to that information.

In the analysis phase we're going to create rules. So we know it's decoded in the pre-decoding phase as a daemon, in this case, and we're going to look for a string called "logged in", and that means that the user is correctly logged in. And based on the first rule, you see that every rule has a rule ID, and by reusing the rule ID in the next rule you can create a chain of rules. So here we have: if the user is not John, we will throw the message "okay, this was not John". Based on the source IP we can match it to a CIDR notation of the network. If in our current policy it is not allowed to access a certain host from a certain network, we can throw an alert on that as well. By building rules like that you can really create a flexible rule tree and have actions taken on certain events, and it really makes it a very flexible tool to manage all the logs that are coming in, instead of looking at it when the event has already happened. If you're going to build rules, you're going to have
regular expressions. The problem with real regular expressions is that in an IDS situation you may not want the extensive features; you want to have speed, because you want to have the messages interpreted as fast as possible. So the OSSEC team has decided to build a regex library. For the decoders and the rules there are two libraries. This is the first one, which is a more extensive one, and you can build your rules very flexibly that way. And there is a second one, which is actually only used in the rules, and it's the simplest that you can have. You can just look for a string, and then you can have multiple strings chained with the pipe, and this is the fastest one. It's the best to use.
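The pre-decoding, decoding and rule-chaining steps described above, written out as an added example. This is my own illustrative configuration, not a slide from the talk and not part of the decoder and rule set shipped with OSSEC. It assumes a constructed syslog line from a hypothetical application called example-app; the decoder names, the rule IDs (taken from the range OSSEC reserves for local rules), the username john and the 192.0.2.0/24 netblock are all assumptions chosen for the illustration.

```xml
<!-- Constructed sample log line (not from the talk):
     Mar  3 10:12:01 web01 example-app[1234]: user alice logged in from 192.0.2.15
     Pre-decoding needs no configuration and already yields hostname=web01,
     program_name=example-app and the bare log "user alice logged in from 192.0.2.15". -->

<!-- Decoder definitions (decoder.xml, or local_decoder.xml on releases that support it). -->

<!-- Parent decoder: matches on the program name found by pre-decoding.
     The ^-anchored OS_Match pattern also catches a monitoring tool that logs
     as "example-app-monitor", the "same application, different name" case. -->
<decoder name="example-app">
  <program_name>^example-app</program_name>
</decoder>

<!-- Child decoder: extracts the user and source IP with OSSEC's own regex
     dialect (\S = non-space, \d = digit; a bare "." is a literal dot).
     The order tag names the fields, so rules can test them as user and srcip. -->
<decoder name="example-app-login">
  <parent>example-app</parent>
  <prematch>^user </prematch>
  <regex offset="after_prematch">^(\S+) logged in from (\d+.\d+.\d+.\d+)$</regex>
  <order>user, srcip</order>
</decoder>

<!-- local_rules.xml: never overwritten on upgrade; IDs 100000-119999 are for local rules. -->
<group name="local,example-app,">

  <!-- Level 0 = grouping rule that never alerts; it is the root of the chain. -->
  <rule id="100100" level="0">
    <decoded_as>example-app</decoded_as>
    <description>example-app messages grouped.</description>
  </rule>

  <!-- The fast OS_Match string check: "logged in" means a successful login. -->
  <rule id="100101" level="3">
    <if_sid>100100</if_sid>
    <match>logged in</match>
    <description>example-app: user logged in.</description>
  </rule>

  <!-- Chain on the rule above via if_sid: any login by a user other than john
       (OS_Match patterns are negated with a leading "!"). -->
  <rule id="100102" level="7">
    <if_sid>100101</if_sid>
    <user>!john</user>
    <description>example-app: login by a user that is not john.</description>
  </rule>

  <!-- Chain again: a login from outside the permitted netblock, in CIDR notation. -->
  <rule id="100103" level="10">
    <if_sid>100101</if_sid>
    <srcip>!192.0.2.0/24</srcip>
    <description>example-app: login from outside the permitted network.</description>
  </rule>

</group>
```

With the constructed line, rule 100101 matches first, and since alice is not john the chained rule 100102 fires at level 7; the source 192.0.2.15 lies inside the permitted netblock, so 100103 stays quiet. A login from an address outside 192.0.2.0/24 would instead trigger 100103, and at level 10 it would be the rule you attach an active response or an application-owner mail to.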
For integrity checking, ossec.conf is the basic configuration file where you do all the configuration for your host. In the syscheck section you just define which directories you want to include to have the integrity checking. It's very important, for me, if I configure it on systems, I always take the lowest in the hierarchy or the highest in the hierarchy, and then you're going to exclude lower in the hierarchy. But if you do the monitoring too high, you might miss something, while you can still exclude files or directories that you don't want to monitor, and those are mainly files and directories that you know change a lot. You don't want to have alerts thrown on those. Since version 2.2 there's also a real-time check. In the past it was run like you see on top, in a defined pattern, so every few hours you could have it run. Now you can have certain directories that are high risk also monitored in real time.

Then in the rules you're going to configure rules for your applications, for your files, and these are the basic rules that are in the OSSEC configuration to monitor file changes on your systems. Like I said before, you can use those to create actions, maybe to block a user if he has created the file or changed the file, or just put the original file back, so you maintain integrity.

There's a lot of commands that you can use on the server to check the integrity. syscheck_update is just updating the database. That's done automatically every few hours, but if you want to have the situation updated now, you can use that command. With syscheck_control -l you're going to get a list of the agents. -i is just going to give you, from a certain client, all the files that have changed. After a short while it will already be a very long list. If you're looking for a specific file you can use that last command. Then the management of OSSEC:
at this moment it all happens from the command line. There is a basic web user interface that you can use; if you're going to have a lot of servers, it's not very well developed at this moment. I mainly use OSSEC to create meaning for the messages, but then they're going to be forwarded to something like Splunk to really create dashboards or information, to make it visual.

So on the command line you have manage_agents, and there's two versions of it. If you compile it in the server version you're going to be able to create the central keys, and you're going to have a central database of keys. Then on the agent side the basic functionality is there to import a key, and that's it.

agent_control, that's your main tool to control all the behavior of the agents. -lc is going to give you the list of the clients that are currently connected, and -i <agent ID> is going to give you the information on the client, which is the OS version, IP address, and, if you're going to use central configuration, which I will explain a little later, you will also see the MD5 hash of the central configuration file, so you can compare it and see that it's up to date. -r -a is going to do the syscheck, the integrity check, and the rootkit detection check on all the agents. -R with the agent ID is going to restart an agent, and -r -u with the agent ID is going to do the syscheck on a specific agent.

I didn't include central configuration in my slides, but I want to explain it a little bit. You have the possibility to create a central configuration file for all your agents, and that's going to be pushed to the agents every two or three hours. Now, in that configuration file you can either specify specific configurations based on the ID of the agents, so if you have three web servers you include in the specific rules for those clients the IDs of those agents, or you can create a configuration file based on the operating system, so for Solaris or Linux or AIX you can create different rule sets.

Basic conclusion:
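The syscheck configuration discussed earlier (monitor high in the hierarchy, exclude what changes often, real-time watching of high-risk directories) and the centrally pushed configuration just described, combined into one added example. This is my own illustrative agent.conf, not from the talk and not a file shipped by the OSSEC project. The agent name web01, the directory lists, the frequency and the OS strings are constructed assumptions; agent.conf selects its blocks with the name and os attributes on agent_config.

```xml
<!-- agent.conf: shared configuration kept on the OSSEC server and pushed to the
     agents. Constructed example; agent names, paths and values are illustrative. -->

<!-- Block applied only to the agent named web01 (the name it was given when its
     key was created with manage_agents). -->
<agent_config name="web01">
  <syscheck>
    <!-- High-risk web content: hash everything and alert in real time
         (real-time monitoring needs OSSEC 2.2 or later, as said in the talk). -->
    <directories check_all="yes" realtime="yes">/var/www</directories>
  </syscheck>
</agent_config>

<!-- Block applied to every agent whose OS string contains "Linux". -->
<agent_config os="Linux">
  <syscheck>
    <!-- Scheduled scan every 6 hours (value in seconds); the realtime
         directories above are watched continuously on top of this. -->
    <frequency>21600</frequency>

    <!-- Monitor high in the hierarchy... -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>

    <!-- ...and exclude lower down the files that legitimately change all the
         time, so their noise does not drown the real alerts. -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/resolv.conf</ignore>
    <ignore type="sregex">.log$|.swp$</ignore>
  </syscheck>

  <rootcheck>
    <!-- Rootkit signature files the agent ships with, under its install directory. -->
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>
</agent_config>

<!-- Block for Solaris agents (uname reports SunOS): different paths, same idea. -->
<agent_config os="SunOS">
  <syscheck>
    <frequency>21600</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <ignore>/etc/mnttab</ignore>
  </syscheck>
</agent_config>
```

An agent receives every block whose attributes match it, so web01, being a Linux host, gets both the web01 block and the Linux block. After the file has been pushed, the agent_control -i <agent ID> check mentioned above is the way to confirm from the server that an agent is running the current copy.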
If you're going to do log management from a corporate point of view, you're going to get a reseller coming in with consultants at your office for a few months. The problem is they don't know your applications, they don't know your environment. The only one that knows your environment and your applications is yourself. If we're going to start with OSSEC, you will have the time to create rules based on your environment and not on what the proprietary solution offers. OSSEC, being developed since before 2005, is a very mature solution to use. It's very stable and it offers a lot of functionality for you to start your log management.

As I said, log management is something that has become necessary due to regulatory compliance. If you're going to do log management, you better start by understanding your logs yourself. One thing to remember is that tuning the rules of any log management solution will never stop. So you can create your rules now; in a few months you will have to redo them and see whether it still fits your solution. It's a lot of work, but it's worth it, I think.

So that was my overview of OSSEC. I hope you found it a little bit interesting, and if there's any questions... Mm-hmm. Yes. I
understand that the problem with UDP is the reliability, because you have no confirmation. The intelligence is built in the agent and the server. So when your server fails, your agent will queue the messages and send them when the server is available again.

I'm going to walk up to you. So you're asking if there's redundancy built in, yeah. That is not possible. What you can do: you can have multiple servers, you can have one agent with keys for several servers. It needs some extensive configuration, and in my... Does this still work? Not from here? Wait, better.

I think there's two main courses for reliability, for redundancy. You can have two servers and have the agent point to the two different servers; then you will have to synchronize the keys between the two servers. That's one solution. The problem is, since there is already reliability on the agent side, if your server is going down the agent will keep the messages until the server is available again, and building a server is really very easy. So basically you have a server installed in about 20 minutes. It's better to have a backup of your keys and rebuild than have one server running doing nothing in case maybe the server will crash. But you have the possibility to make redundant servers; I haven't used that possibility yet.

Either you yell or I come to you.
Yeah, the agent is currently supported on Windows from 95 to Windows 7, it's supported on AIX, on Solaris and on most flavors of Linux.

Excuse me. Yes. Yes, one second, there is the MS...

Regarding authentication, there is the DSP rules at this moment. For the installation of the agent, basically it's a simple install, for the configuration. No, in most cases there isn't a distribution package for all OSSEC, so it's a basic install, and normally I create a package for the customer based on the OS that he's using. Right now I'm busy with a project involving Solaris and AIX, so I created basic packages for those.

We have 50 minutes left? No more questions? 20 minutes. Oh yeah, I talked too fast.

Yes. One OSSEC server can have about 250 clients. Yeah, it depends on the memory you have, on the storage that you have, and on your network card and the speed of your network, so that's different in every environment.

Excuse me. Yeah, for the file integrity it records the MD5 and the SHA-1 hash of the file.

No, at this moment no, but it's an open source application, so if you want to contribute you can do that.

No, you're going to have a tiered approach. If you have that many clients or that many log sources, you're going to have a tiered approach. You're going to have your basic OSSEC layer, then you're going to have another layer of syslog servers, and in the end, for your storage, you're going to have central storage.

Thank you.