OSSEC HIDSmultiplatformski sustav za otkrivanje i prevenciju napada

Autor: Ante JurjevićVoditeljica: Matea Tutić

24. listopada 2017.Obrazovni program za IT-specijaliste edu4IT, Sistemski administrator 1

> IDS, HIDS

> OSSEC

> Arhitektura

> Instalacija

> Analiza logova> Pre-decoding

> Decoding

> Rules

> Syscheck

> Rootcheck

> Active response

> Wazuh

> ...

/OSSEC-HIDS/sadržaj

> IDS (eng. Intrusion Detection System) je sustav za otkrivanje i prevenciju neovlaštenih aktivnosti na mrežnim ili računalnim sustavima

> NIDS (eng. Network-based IDS) i HIDS (eng. Host-based IDS)

> Pasivni i reaktivni

/OSSEC-HIDS/IDS

> HIDS prati i analizira stanje računala, te generira upozorenja i/ili reagira

> HIDS se može sadržavati jednu ili više funkcionalnosti:> Analiza logova

> Otkrivanje neovlaštenog pristupa

> Promjena sadržaja datoteka

/OSSEC-HIDS/HIDS

> OSSEC je besplatan program otvorenog koda namijenjen otkrivanju neovlaštenog pristupa

> OSSEC mogućnosti su:> Analiza logova

> Provjera integriteta datoteka (syscheck)

> Otkrivanje zlonamjernih programa (rootcheck)

> Obavijesti u realnom vremenu

> Reakcija na prijetnje (active response).

> Koristi se na većini aktualnih operacijskih sustava: Linux, OpenBSD, FreeBSD, Mac OS X, Solaris i Windows.

/OSSEC-HIDS/OSSEC

> OSSEC komponente:> Server

> Agent

> Agentless

/OSSEC-HIDS/arhitektura

server

agenti

> OSSEC se može instalirati na dva načina:> Lokalno

> Distribuirano

/OSSEC-HIDS/arhitektura/lokalna_i_distribuirana

server

agentiagent/server

/OSSEC-HIDS/arhitektura/lokalna/protok_logova

ossec-analysisd

Analizalogova

Obavijest

Reakcija

ossec-execd

ossec-maild

agent/server

Prikupljanje logova

ossec-logcollector

/OSSEC-HIDS/arhitektura/distribuirana/protok_logova

ossec-logcollector

Prikupljanje logova

serveragent

ossec-analysisd

ossec-execd

Analiza

Obavijest

Reakcija

ossec-maild

/OSSEC-HIDS/arhitektura/distribuirana/mrežna_komunikacija

syslog

Analiza

serveragent 1

agent 2

uređaj

ossec-agentd

ossec-remoted

UDP port1514

Obavijest

Reakcija

ossec agent

├─7943 /var/ossec/bin/ossec-logcollector - čita logove

├─7946 /var/ossec/bin/ossec-agentd - prosljeđuje logove ossec serveru

├─7950 /var/ossec/bin/ossec-execd - reagira na prijetnje

└─7955 /var/ossec/bin/ossec-syscheckd - provjerava integritet datoteka

ossec server

├─15907 /var/ossec/bin/ossec-remoted - prima agentove logove

├─15912 /var/ossec/bin/ossec-analysisd - analizira logove

├─15915 /var/ossec/bin/ossec-maild - šalje upozorenje za prijetnje

├─15920 /var/ossec/bin/ossec-monitord - nadzire stanje agenata

├─15927 /var/ossec/bin/ossec-logcollector - čita logove

├─15934 /var/ossec/bin/ossec-execd - reagira na prijetnje

└─15938 /var/ossec/bin/ossec-syscheckd - provjerava integritet datoteka

/OSSEC-HIDS/arhitektura/distribuirana/komponente

/OSSEC-HIDS/arhitektura/chroot_jail/1

/ (root)

├── mnt

├── usr

├── bin

├── etc

└── var

├── ossec

├── active-response

├── agentless

├── backup

├── bin

├── etc

├── integrations

├── logs

├── queue

├── ruleset

├── stats

├── tmp

└── var

├─15907 /var/ossec/bin/ossec-remoted

├─15912 /var/ossec/bin/ossec-analysisd

├─15915 /var/ossec/bin/ossec-maild

├─15927 /var/ossec/bin/ossec-logcollector

└─15934 /var/ossec/bin/ossec-agentd

> bez Chroot jail

/OSSEC-HIDS/arhitektura/chroot_jail/2

/

├── mnt

├── usr

├── bin

├── etc

└── var

├── ossec (root)

├── active-response

├── agentless

├── backup

├── bin

├── etc

├── integrations

├── logs

├── queue

├── ruleset

├── stats

├── tmp

└── var

├─15907 /var/ossec/bin/ossec-remoted

├─15912 /var/ossec/bin/ossec-analysisd

├─15915 /var/ossec/bin/ossec-maild

└─15934 /var/ossec/bin/ossec-agentd

└─15927 /var/ossec/bin/ossec-logcollector

> Chroot jail uključen

> Chroot jail izolira procese od ostatka sustava u svrhu zaštite sustava

1. Preuzimanje zadnje verzije i provjera kontrolnog zbroja (eng. checksum)

/OSSEC-HIDS/instalacija_agenta_i_servera

# wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.1.tar.gz

# wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.1-checksum.txt

# cat ossec-hids-2.8.1-checksum.txt

MD5(ossec-hids-2.8.1.tar.gz)= c2ffd25180f760e366ab16eeb82ae382

SHA1(ossec-hids-2.8.1.tar.gz)= 0ecf1df09558dc8bb4b6f65e1fb2ca7a7df9817c

# md5sum ossec-hids-2.8.1.tar.gz

MD5(ossec-hids-2.8.1.tar.gz)= c2ffd25180f760e366ab16eeb82ae382

# sha1sum ossec-hids-2.8.1.tar.gz

SHA1(ossec-hids-2.8.1.tar.gz)= 0ecf1df09558dc8bb4b6f65e1fb2ca7a7df9817c

2. Raspakiranje paketa i pokretanje skripte install.sh

# tar -zxvf ossec-hids-*.tar.gz

# cd ossec-hids-*

# ./install.sh

3. Na vatrozidu servera i agenta potrebno je propustiti UDP port 1514

4. Servere i agente potrebno je dodatno konfigurirati

5. Pokretanje OSSEC-a

# /var/ossec/bin/ossec-control start

> Za dodavanje novog agenta na OSSEC server potrebno je:> Pokretanje manage_agents na serveru

> Dodavanje agenta (ime i ip adresa)

> Dohvaćanje agentovog ključa: 5cb9ed2df91c72e905779fe6a2bca1c80d5a3c81e0131597bf868e7752dc1dc6

> Pokretanje manage_agents na agentu

> Upisivanje agentovog ključa

> Ponovo pokrenuti OSSEC server procese

> Pokrenuti OSSEC agenta

/OSSEC-HIDS/agenti/dodavanje

/var/ossec/bin/manage_agents

****************************************

* OSSEC HIDS v2.5-SNP-100809 Agent manager. *

* The following options are available: *

****************************************

(A)dd an agent (A).

(E)xtract key for an agent (E).

(L)ist already added agents (L).

(R)emove an agent (R).

(Q)uit.

Choose your action: A,E,L,R or Q:

/OSSEC-HIDS/agenti/lista

$ /var/ossec/bin/agent_control -l

Ossec agent_control. List of available agents:

ID: 000, Name: ossec-manager (server), IP: 127.0.0.1, Active/Local

ID: 1040, Name: ip-10-0-0-76, IP: 10.0.0.76, Active

ID: 003, Name: agent-debian, IP: 10.0.0.121, Active

ID: 005, Name: agent-ubuntu-public, IP: 10.0.0.126, Active

ID: 006, Name: agent-windows, IP: 10.0.0.124, Active

ID: 1024, Name: ip-10-0-0-252, IP: 10.0.0.252, Never connected

ID: 1028, Name: debian-it, IP: any, Never connected

ID: 1030, Name: diamorphine-POC, IP: 10.0.0.59, Active

ID: 015, Name: agent-centos, IP: 10.0.0.123, Disconnected

ID: 1031, Name: WIN-UENN0U6R5SF, IP: 10.0.0.124, Never connected

ID: 1032, Name: agent-ubuntu, IP: 10.0.0.122, Active

ID: 1033, Name: agent-debian8, IP: 10.0.0.128, Active

ID: 1034, Name: agent-redhat, IP: 10.0.0.127, Active

ID: 1035, Name: agent-centos7, IP: 10.0.0.101, Never connected

ID: 1041, Name: agent-centos-public, IP: 10.0.0.125, Active

> Konfiguracijama svih agenata može se upravljati sa servera

> Nekoliko sati nakon spremanja server će propagirati konfiguracije na sve agente. Ako se ponovno pokrene OSSEC servis, propagacija će biti brža

/OSSEC-HIDS/agenti/centralizirana_konfiguracija

vim /var/ossec/etc/shared/agent.conf

<agent_config name="agent1">

<localfile>

<location>/var/log/my.log</location>

<log_format>syslog</log_format>

</localfile>

</agent_config>

<agent_config os="Linux">

<localfile>

<location>/var/log/my.log2</location>

<log_format>syslog</log_format>

</localfile>

</agent_config>

<agent_config os="Windows">

<localfile>

<location>C:\myapp\my.log</location>

<log_format>syslog</log_format>

</localfile>

</agent_config>

> Izvori logova koje OSSEC analizira su:> Datoteke logova

/OSSEC-HIDS/prikupljanje_logova

vim /var/ossec/etc/shared/agent.conf

# Linux

<localfile>

<location>/var/log/example.log</location>

<log_format>syslog</log_format>

</localfile>

# Windows

<localfile>

<location>C:\myapp\example.log</location>

<log_format>syslog</log_format>

</localfile>

vim /var/ossec/etc/shared/agent.conf

# event log

<localfile>

<location>Security</location>

<log_format>eventlog</log_format>

</localfile>

# event channel

<localfile>

<location>Microsoft-Windows-PrintService/Operational</location>

<log_format>eventchannel</log_format>

</localfile>

vim /var/ossec/etc/ossec.conf

<ossec_config>

<remote>

<connection>syslog</connection>

<allowed-ips>192.168.2.0/24</allowed-ips>

</remote>

<ossec_config>

> Windows zapisnik događaja

> Agentless syslog

/OSSEC-HIDS/analiza_logova/tijek

ossec-analysisd

Prikupljanje logova

Pre-decoding Decoding Rule matching

Obavijest

Reakcija

> Razne vrste operacijskih sustava, uređaja i programa koriste različitu sintaksu loga

> Većina logova ima svoj dekoder i rule koji se aktiviraju sa instalacijom

> Za nestandardne ili nove logove potrebno je napraviti novi dekoder i rule

> Logovi moraju biti rangirana po kritičnosti

> Obavijest može biti poslana odgovornoj osobi koja rješava incident

/OSSEC-HIDS/analiza_logova/uvod

/OSSEC-HIDS/analiza_logova/razne_sintakse_logova

sshd[8813]: Accepted password for root from 192.168.10.1 port 1066 ssh2

sshd[2404]: Accepted password for root from 192.168.11.1 port 2011 ssh2

sshd[21405]: Accepted password for root from 192.1.1.1 port 6023 ssh2

sshd[21487]: Failed password for root from 192.168.1.1 port 1045 ssh2

sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2

sshd[12675]: Failed password for invalid user lala11 from x.x.x.x ..

sshd[12914]: Failed password for invalid user lala6 from ...

sshd[8267]: Failed password for illegal user test from 62.67.45.4 port 39141 ssh2

sshd[11259]: Invalid user abc from 127.0.0.1

"" Failed keyboard-interactive for root from 192.1.1.1 port 1066 ssh2

sshd[23857]: [ID 702911 auth.notice] User xxx, coming from zzzz,

authenticated.

sshd[23578]: reverse mapping checking getaddrinfo for pib4.catv-bauer.at failed - POSSIBLE BREAKIN ATTEMPT!

sshd[61834]: reverse mapping checking getaddrinfo for sv.tvcm.ch

failed - POSSIBLE BREAKIN ATTEMPT!

sshd[3251]: User root not allowed because listed in DenyUsers

[Time 2006.12.28 15:53:55 UTC] [Facility auth] [Sender sshd] [PID 483] [Message error: PAM: Authentication failure for username from 192.168.0.2] [Level 3]

[UID -2] [GID -2] [Host Hostname]

[Time 2006.11.02 11:41:44 UTC] [Facility auth] [Sender sshd] [PID 800] [Message refused connect from 51.124.44.34] [Level 4] [UID -2] [GID -2] [Host test2-

emac]

Apr 23 07:03:53 machinename sshd[29961]: User root from 12.3.4.5

not allowed because not listed in AllowUsers

sshd[9815]: scanned from 127.0.0.1 with SSH-1.99-AKASSH_Version_Mapper1. Don't panic.

Sep 4 23:58:33 junction sshd[9351]: fatal: Write failed: Broken pipe

Sep 18 14:58:47 ix sshd[11816]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key

Sep 23 10:32:25 server sshd[25209]: pam_ldap: error trying to bind as user "uid=user123,ou=People,dc=domain,dc=com" (Invalid credentials)

Aug 10 08:38:40 junction sshd[20013]: error: connect_to 192.168.179 port 8080: failed

Jun 9 00:00:01 ix sshd[9815]: scanned from 127.0.0.1 with SSH-1.99-AKASSH_Version_Mapper1. Don't panic.

Jan 26 11:57:26 ix sshd[14879]: error: connect to ix.example.com port 7777 failed: Connection refused

Oct 8 10:07:27 y sshd[7644]: debug1: attempt 2 failures 2

Oct 8 08:58:37 y sshd[6956]: fatal: PAM: pam_setcred(): Authentication service cannot retrieve user credentials

Oct 8 08:48:33 y sshd[6856]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.

Oct 8 11:18:26 172.16.51.132 sshd[7618]: error: PAM: Module is unknown for ddp from 172.16.51.1

Jun 19 20:56:00 tiny sshd[11605]: fatal: Write failed: Host is down

Jun 11 06:32:17 gorilla sshd[28293]: fatal: buffer_get_bignum2: buffer error

Jun 11 06:32:17 gorilla sshd[28293]: error: buffer_get_bignum2_ret: negative numbers not supported

Apr 14 19:28:21 gorilla sshd[31274]: Connection closed by 192.168.1.33

Jun 22 12:01:13 junction sshd[11283]: Received disconnect from 212.14.228.46: 11: Bye Bye

Nov 9 07:40:25 ginaz sshd[5973]: error: setsockopt SO_KEEPALIVE: Connection reset by peer

Nov 2 12:08:27 192.168.17.7 sshd[9665]: fatal: Cannot bind any address.

Nov 2 12:11:40 192.168.17.7 sshd[9814]: pam_loginuid(sshd:session): set_loginuid failed opening loginuid

Nov 6 09:53:38 hagal sshd[697]: error: accept: Software caused connection abort

/OSSEC-HIDS/analiza_logova/primjer

time/date: 'Feb 14 12:19:04'

hostname: 'localhost'

program_name: 'sshd'

log: 'Accepted password for mario from 192.168.1.133 port 49765 ssh2'

> Pre-decoding> Izdvajaju se generički podaci iz dobro poznatih dijelova loga

decoder: 'sshd'

dstuser: ‘mario'

srcip: '192.168.1.133'

> Decoding> Identificira se tip loga, tj. koji će se dekoder koristiti za izdvajanje podataka

Rule id: '5715'

Level: '3'

Description: 'sshd: authentication success.'

> Rule matching> Provjerava se aktiviraju li prethodno dobiveni podaci određeni rule

Feb 14 12:19:04 localhost sshd[25474]: Accepted password for mario from 192.168.1.133 port 49765 ssh2

> Generički podaci izdvajaju se iz poznatih formata logova (Syslog ili Apple System Log)

> Logovi moraju biti dobro formatirani

/OSSEC-HIDS/analiza_logova/pre-decoding

Feb 14 12:19:04 localhost sshd[25474]: Accepted password for mario from 192.168.1.133 port 49765 ssh2

time/date: 'Feb 14 12:19:04'

hostname: 'localhost'

program_name: 'sshd'

log: 'Accepted password for mario from 192.168.1.133 port 49765 ssh2'

[Time 2006.12.28 15:53:55 UTC] [Facility auth] [Sender sshd] [PID 483] [Message error: PAM: Authentication

failure for username from 192.168.0.2] [Level 3] [UID −2] [GID −2] [Host mymac]

time/date: 'Dec 28, 2006 15:53:55'

hostname: 'mymac'

program_name: 'sshd'

log: 'error: PAM: Authentication failure for username from 192.168.0.2'

> Decoding uključuje proces izdvajanja ključnih informacija iz loga:> user> ip> port> protocol> event id> url> action (deny, drop, accept, itd.)> status (success, failure, itd.)> extra_data

> OSSEC ima stotine definiranih dekodera, koji se nadopunjuju

> /var/ossec/etc/decoder.xml

/OSSEC-HIDS/analiza_logova/decoding

> Korištenje pre-decoding podataka

> Regularni izrazi (eng. regex) se koristi za izdvajanje podataka

> Polje order određuje koji podaci i kojim redosljedom će se izdvojiti

> Preporučeno je dekoderu dati smisleno ime

/OSSEC-HIDS/analiza_logova/decoding/primjer_1

Feb 14 12:19:04 localhost sshd[25474]: Accepted password for mario from 192.168.1.133 port 49765 ssh2

<decoder name="sshd-success">

<program_name>sshd</program_name>

<regex>^Accepted \S+ for (\S+) from (\d+.\d+.\d+.\d+) port </regex>

<order>user, srcip</order>

</decoder>

time/date: 'Feb 14 12:19:04'

hostname: 'localhost'

program_name: 'sshd'

log: 'Accepted password for mario from

192.168.1.133 port 49765 ssh2'

decoder: ‘sshd-success'

dstuser: 'mario'

srcip: '192.168.1.133'

> Dekoder mora imati prematch ili program_name

/OSSEC-HIDS/analiza_logova/decoding/primjer_2

Sun Jun 4 22:08:39 2006 [pid 21611] [dcid] OK LOGIN: Client "192.168.2.10"

<decoder name="vsftpd">

<prematch>^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+] </prematch>

<regex offset="after_prematch">Client "(\d+.\d+.\d+.\d+)"$</regex>

<order>srcip</order>

</decoder>

> Dekoderi se mogu grupirati pod jednim roditeljem

> Kreira se struktura stabla gdje se djeca dekoderi evaluiraju samo ako se dekoder roditelj aktivira

/OSSEC-HIDS/analiza_logova/decoding/primjer_3

<decoder name="sshd">

<program_name>^sshd</program_name>

</decoder>

<decoder name="sshd-success">

<parent>sshd</parent>

<prematch>^Accepted</prematch>

<regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port </regex>

<order>user, srcip</order>

</decoder>

<decoder name="ssh-failed">

<parent>sshd</parent>

<prematch>^Failed \S+ </prematch>

<regex offset="after_prematch">^for (\S+) from (\S+) port </regex>

<order>user, srcip</order>

</decoder>

> Prema podacima iz dekodera kreiraju se rule-ovi

/OSSEC-HIDS/analiza_logova/rules/primjer_1

**Phase 1: Completed pre-decoding.full event: 'Feb 14 12:19:04 localhost sshd[25474]: Accepted password for mario from 192.168.1.133

port 49765 ssh2'hostname: 'localhost'program_name: 'sshd'log: 'Accepted password for mario from 192.168.1.133 port 49765 ssh2'

**Phase 2: Completed decoding.decoder: 'sshd'dstuser: 'mario'srcip: '192.168.1.133'

**Phase 3: Completed filtering (rules).Rule id: '5715'Level: '3'Description: 'sshd: authentication success.'

<rule id="5715" level="3">

<decoded_as>sshd</decoded_as>

<match>^Accepted</match>

<description>sshd: authentication success.</description>

</rule>

> XML format datoteka

> /var/ossec/etc/rules/*

> /var/ossec/etc/rules/local_rules.xml

/OSSEC-HIDS/analiza_logova/rules/primjer_2

<!-- SSHD messages -->

<group name="syslog,sshd,">

<rule id="5700" level="0" noalert="1">

<decoded_as>sshd</decoded_as>

<description>SSHD messages grouped.</description>

</rule>

<rule id="5701" level="8">

<if_sid>5700</if_sid>

<match>Bad protocol version identification</match>

<description>Possible attack on the ssh server </description>

<description>(or version gathering).</description>

</rule>

<rule id="5702" level="5">

<if_sid>5700</if_sid>

<match>^reverse mapping</match>

<regex>failed - POSSIBLE BREAK</regex>

<description>Reverse lookup error (bad ISP or attack).</description>

</rule>

<rule id="5703" level="10" frequency="4" timeframe="360">

<if_matched_sid>5702</if_matched_sid>

<description>Possible breakin attempt </description>

<description>(high number of reverse lookup errors).</description>

</rule>

...

> Za pisanje rule-ova potrebno je:> rule id

> level (0 - 15)

> uzorak (regex, srcip, id, user...)

> opis

/OSSEC-HIDS/analiza_logova/rules/primjer_3

<rule id="111" level="5">

<decoded_as>sshd</decoded_as>

<regex>^for (\S+) from (\S+) port </regex>

<description>Logging every decoded sshd message</description>

</rule>

> Grananje rule-ova

> Rule za neuspjele sshd veze

> Match je jednostavni uzorak koje se traži u logu

> Povećavavamo razinu levela na 7

/OSSEC-HIDS/analiza_logova/rules/primjer_4

<rule id="111" level="5">

<decoded_as>sshd</decoded_as>

<description>Logging every decoded sshd message</description>

</rule>

<rule id="122" level="7">

<if_sid>111</if_sid>

<match>^Failed password</match>

<description>Failed password attempt</description>

</rule>

> Dodatno grananje

/OSSEC-HIDS/analiza_logova/rules/primjer_5

<rule id="111" level="5">

<decoded_as>sshd</decoded_as>

<description>Logging every decoded sshd message</description>

</rule>

<rule id="122" level="7">

<if_sid>111</if_sid>

<match>^Failed password</match>

<description>Failed password attempt</description>

</rule>

<rule id="3133" level="13">

<if_sid>122</if_sid>

<hostname>^mainserver</hostname>

<srcip>!192.168.2.0/24</srcip>

<description>Higher severity! Failure on the main server</description>

</rule>

> Vremenski definirani rule-ovi

> Grupiranje rule-ova

/OSSEC-HIDS/analiza_logova/rules/primjer_6

<rule id="153" level="5">

<if_sid>111</if_sid>

<match>Accepted password </match>

<description>Successful login</description>

<group>login_ok</group>

</rule>

<rule id="154" level="10">

<if_sid>153</if_sid>

<time>4 pm - 8 am</time>

<description>Alert! Logins outside business hours!</description>

<group>login_ok,policy_violation</group>

</rule>

> autentikacija nakon radnog vremena

> authentication_success grupa

/OSSEC-HIDS/analiza_logova/rules/primjer_7

<rule id="100005" level="10">

<if_group>authentication_success</if_group>

<time>4 pm - 8 am</time>

<description>Login during non-business hours.</description>

</rule>

> Kompozitni rule-ovi:> if_matched_sid

> frekvencija i vremenski okvir

> same_source_ip.

/OSSEC-HIDS/analiza_logova/rules/primjer_8

<rule id="133" level="7">

<if_sid>111</if_sid>

<match>^Failed password</match>

<description>Failed password attempt</description>

</rule>

<rule id="1050" level="11" frequency="5" timeframe="120">

<if_matched_sid>133</if_matched_sid>

<same_source_ip />

<description>Multiple failed attempts from same IP!</description>

</rule>

> Promjene na postojećim rule-ovima> dodati u local_rules.xml

> overwrite="yes"

> moguće je promjeniti bilo koju vrijednost.

/OSSEC-HIDS/analiza_logova/rules/primjer_9

<rule id="5712" level="12" frequency="12" timeframe="60" overwrite="yes" >

<if_matched_sid>5710</if_matched_sid>

<description>sshd: brute force trying to get access to </description>

<description>the system.</description>

<same_source_ip />

<group>authentication_failures,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,</group>

</rule>

<rule id="5712" level="10" frequency="6" timeframe="120">

<if_matched_sid>5710</if_matched_sid>

<description>sshd: brute force trying to get access to </description>

<description>the system.</description>

<same_source_ip />

<group>authentication_failures,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,</group>

</rule>

/OSSEC-HIDS/analiza_logova/testiranje

/var/ossec/bin/ossec-logtest

**Phase 1: Completed pre-decoding.

full event: 'Feb 14 12:19:04 localhost sshd[25474]: Accepted password for mario from

192.168.1.133 port 49765 ssh2'

hostname: 'localhost'

program_name: 'sshd'

log: 'Accepted password for mario from 192.168.1.133 port 49765 ssh2'

**Phase 2: Completed decoding.

decoder: 'sshd'

dstuser: 'mario'

srcip: '192.168.1.133'

**Phase 3: Completed filtering (rules).

Rule id: '5715'

Level: '3'

Description: 'sshd: authentication success.'

> Napadač uvijek ostavlja trag ili promjeni dijelove sustava

> Provjera MD5/SHA1 kontrolnih zbrojeva ključnih datoteka

> Provjera promjena veličine, vlasnika i grupa kojima datoteke pripadaju te promjena ovlasti nad datotekama

> Frekvencija provjere

/OSSEC-HIDS/syscheck

> Rootcheck opcije:> da li je proces pokrenut

> da li postoji određena datoteka

> da li datoteka ima u sebi neki uzorak

> postojanje rootkit programa i trojanskih konja.

/OSSEC-HIDS/rootcheck

> Protumjera za aktivne prijetnje

/OSSEC-HIDS/reakcija_na_prijetnje

logcollector

agent

agentd

brute force

authentication failures

SQL injection attempts

web attacks

...

remoted

execd

ar-script.sh

analasisd

server

maild

> Slanje obavijesti putem sysloga

> Slanje obavijesti e-mailom > Jedan e-mail za jednu obavijest

> Jedan e-mail za više istovrsnih obavijesti

> E-mail sa dnevnim izvještajem

> Spremanje obavijesti u JSON formatu

> Spremanje obavijesti u bazu podataka

/OSSEC-HIDS/izlazni podaci i obavijesti

OSSEC Notification.

2017 Oct 23 13:57:20

Received From: (test.host.org) 161.53.2.204->/var/log/messages

Rule: 401101 fired (level 14) -> "possible DoS attack"

Portion of the log(s):

Oct 23 13:57:18 test mod_evasive[33664]: Blacklisting address 131.176.243.12: possible

DoS attack.

> Wazuh> Dodavanje mogućnosti na OSSEC 1.x

> Projekt koji je razvio svoju granu OSSEC-a, Wazuh 2.0

> Nove mogućnosti

/OSSEC-HIDS/Wazuh

Wazuh modules manager.

Wazuh module for OpenSCAP.

Ruleset for OpenSCAP alerts.

Kibana dashboards for OpenSCAP.

Option at agent_control to restart all agents.

Dynamic fields to rules and decoders.

Dynamic fields to JSON in alerts/archives.

CDB list lookup with dynamic fields.

FTS for dynamic fields.

Logcollector option to set the frequency of file

checking.

GeoIP support in Alerts (by Scott R Shinn).

Internal option to output GeoIP data on JSON

alerts.

Matching pattern negation (by Daniel Cid).

Syscheck and Rootcheck events on SQLite

databases.

Data migration tool to SQLite databases.

Jenkins QA.

64-bit Windows registry keys support.

Complete FIM data output to JSON and alerts.

Username, date and inode attributes to FIM events

on Unix.

Username attribute to FIM events on Windows.

Report changes (FIM file diffs) to Windows agent.

File diffs to JSON output.

Elastic mapping updated for new FIM events.

Title and file fields extracted at Rootcheck

alerts.

Rule description formatting with dynamic field

referencing.

Multithreaded design for Authd server for fast

and reliable client dispatching, with key caching

and write scheduling.

Auth registration client for Windows (by Gael

Muller).

Auth password authentication for Windows client.

New local decoder file by default.

Show server certificate and key paths at Authd

help.

New option for Authd to verify agent's address.

Added support for new format at predecoder (by

Brad Lhotsky).

Agentless passlist encoding to Base64.

New Auditd-specific log format for Logcollector.

Option for Authd to auto-choose TLS/SSL method.

Compile option for Authd to make it compatible

with legacy OSs.

Added new templates layout to auto-compose

configuration file.

New wodle for SQLite database syncing (agent

information and fim/pm data).

Added XML settings options to exclude some rules

or decoders files.

Option for agent_control to broadcast AR on all

agents.

Extended FIM event information forwarded by

csyslogd (by Sivakumar Nellurandi).

Report Syscheck's new file events on real time.

/OSSEC-HIDS/Wazuh/Kibana

> Besplatan

> Aktivna zajednica

> Brza analiza koja ne troši puno resursa

> Lagana instalacija

> Lagana modifikacija (konfiguracije u xml formatu)

> Skalabilan (agent/server arhitektura)

> Radi na više platformi (Windows, Solaris, Linux, *BSD, ...)

> Napravljen kao siguran

> Dolazi sa stotinama dekodera i rule-ova (Unix Pam, sshd (OpenSSH), Solaris telnetd,

Samba, Su, Sudo, Proftpd, Pure-ftpd, vsftpd, Microsoft FTP server, Solaris ftpd, Imapd, Postfix, Sendmail, vpopmail, Microsoft Exchange, Apache, IIS5, IIS6, Horde IMP, Iptables, IPF. PF, Netscreen, Cisco PIX/ASA/FWSM, Snort, Cisco IOS, Nmap, Symantec AV, Arpwatch, Named, Squid, Windows event logs, ...)

/OSSEC-HIDS/Sažetak

> ossec.github.io

> ossec-docs.readthedocs.io

> groups.google.com/d/forum/ossec-list

> wazuh.com

> documentation.wazuh.com

> groups.google.com/d/forum/wazuh

> Andrew Hay, Daniel Cid, Rory Bray-OSSEC Host-Based IntrusionDetection Guide - Syngress (2008)

/OSSEC-HIDS/Resursi

Srce politikom otvorenog pristupa široj javnosti

osigurava dostupnost i korištenje svih rezultata rada

Srca, a prvenstveno obrazovnih i stručnih informacija

i sadržaja nastalih djelovanjem i radom Srca.

Ovo djelo je dano na korištenje pod licencom Creative

Commons Imenovanje-Nekomercijalno-Bez prerada

4.0 međunarodna.

www.srce.unizg.hr creativecommons.org/licenses/by-nc-nd/4.0/deed.hr www.srce.unizg.hr/otvoreni-pristup

Zahvaljujemo!