Friday, August 7, 2015

How to monitor running processes with OSSEC

In this post I am going to explain what are the steps to use OSSEC agents to monitor system processes, and alert when an important one is not running. This method should work both for Windows and Unix like Operating Systems. In my lab I've deployed the agent on a Windows Server 2012.

1.-Accepting remote commands

First step is to configure the agent logcollector option to accept remote commands from the manager. That can be done editing "internal_options.conf" file (usually located at "C:\Program Files(x86)\ossec-agent\internal_options.conf") and setting the variable logcollector.remote_commands to 1.
# Logcollector - If it should accept remote commands from the manager
logcollector.remote_commands=1 
Once we have save this change, we just need to restart the agent for it to be applied.

2.- Specifying the command to list running processes

This is a configuration that can be done both at the agent or at the manager (using the shared directory). It only depends on how many agents you want this command to be used. In my case I decided to edit "/var/ossec/etc/shared/agent.conf" configuration file, and have these settings pushed to my windows agents.
<agent_config os="windows">
    <localfile>
        <log_format>full_command</log_format>
        <command>tasklist</command>
        <frequency>60</frequency>
    </localfile>
</agent_config> 
The command I used to list processes in Windows like Operating Systems is "tasklist". There are other options like using wmic, but this one looked good enough to me. For Unix systems you might want to use "ps".
On the other hand, notice that under log_format I choiced "full_command". This is because I want my OSSEC rules to be able to parse the whole command output, instead of parsing the output one line at a time.
At last, the frequency defines how often, in seconds, will this command be run. Feel free to adjust this setting to whatever makes more sense in your environment, keeping in mind the added load that can be generated in the system by running commands too often.

3.- Creating local rules

In this step we edit our "/var/ossec/rules/local_rules.xml" file to add rules that will trigger an alert if our critical process is not running. For the purpose of this example I will use "wordpad.exe" but, of course, it could be any other name.
<rule id="100050" level="7">
  <if_sid>530</if_sid>
  <match>^ossec: output: 'tasklist'</match>
  <description>Critical process not found.</description>
  <group>process_monitor,</group>
</rule>
<rule id="100051" level="0">
  <if_sid>100050</if_sid>
  <match>wordpad.exe</match>
  <description>Processes running as expected</description>
  <group>process_monitor,</group>
</rule>
The first rule (id "100050") will trigger a level "7" alert every time tasklist command is executed, unless (as defined in rule "100051") the output matches the string "wordpad.exe". If this is the case the alert level is set to "0", meaning that that no alert would be triggered.
Now we just need to save these changes and restart the manager for them to be applied. We can do that running "ossec-control restart" command.

4.- Testing our configuration

In order to test the configuration it is good to enable OSSEC "logall" option, so we can see the output of tasklist in archives.log everytime it is executed. See below an example (I cut some lines for brevity).
2015 Aug 07 18:38:03 (vpc-agent-windows) 10.0.0.124->tasklist ossec: output: 'tasklist':
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          4 K
System                           4 Services                   0        284 K
smss.exe                       328 Services                   0      1,060 K
csrss.exe                      484 Services                   0      3,584 K
...
...
...
notepad.exe                   1596 RDP-Tcp#37                 2     14,500 K
win32ui.exe                    828 RDP-Tcp#37                 2      6,088 K
ossec-agent.exe               3060 Services                   0      5,576 K
notepad.exe                   2276 RDP-Tcp#37                 2     12,076 K
wordpad.exe                    368 RDP-Tcp#37                 2     27,780 K
cmd.exe                        780 Services                   0      2,692 K
conhost.exe                   1304 Services                   0      3,044 K
tasklist.exe                  1692 Services                   0      5,668 K
And, once wordpad.exe process is stopped. An alert like this is triggered as expected. We can see it in "/var/ossec/logs/alerts/alerts.log" file.
** Alert 1438997816.32112781: mail  - local,syslog,process_monitor,
2015 Aug 07 18:36:56 (vpc-agent-windows) 10.0.0.124->tasklist
Rule: 100050 (level 7) -> 'Critical process not found.'
ossec: output: 'tasklist':
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          4 K
System                           4 Services                   0        284 K
smss.exe                       328 Services                   0      1,060 K
csrss.exe                      484 Services                   0      3,584 K
...
...
Of course, using email alert option and the above configuration, you can automatically be notified if one of your critical processes stopped running.
And that is all. I hope you enjoyed the tutorial and found it useful.

17 comments:

  1. hi, thanks a lot for very nice article.
    But can you plz tell that how we can check immediately the output i.e. the list of running process

    ReplyDelete
    Replies
    1. with "logall" option enabled you should be able to see it in archives.log

      Delete
  2. hello, all is working fine but my mail is flooding with the list of running process ossec send me every 1-3 minutes a mail with tasklist
    OSSEC HIDS Notification.
    2015 Dec 01 23:07:48

    Received From: (Win7eng) xxx.xxx.xxx.xxx->tasklist
    Rule: 100050 fired (level 7) -> "Critical process not found."
    Portion of the log(s):

    ossec: output: 'tasklist':
    Image Name PID Session Name Session# Mem Usage
    ========================= ======== ================ =========== ============
    System Idle Process 0 Services 0 24 K
    System 4 Services 0 1,232 K
    smss.exe 264 Services 0 872 K
    csrss.exe 352 Services 0 3,740 K
    wininit.exe 412 Services 0 3,252 K
    services.exe 508 Services 0 7,180 K
    lsass.exe 516 Services 0 8,084 K
    lsm.exe 524 Services 0 3,328 K
    svchost.exe 624 Services 0 7,544 K
    vmacthlp.exe 688 Services 0 3,288 K
    svchost.exe 732 Services 0 6,200 K
    svchost.exe 824 Services 0 14,436 K
    svchost.exe 856 Services 0 8,216 K
    svchost.exe 880 Services 0 28,680



    --END OF NOTIFICATION

    ReplyDelete
  3. Check email_alert_level option in your ossec.conf file. I would actually suggest to disable email alerts completely and enable them on the rules you want/need.

    ReplyDelete
  4. I need some custom local rules and some active response scripts. If it is possibile to configure seperate log files for differnt client server?

    Need some rules which will automatically block IP if some malicious activity is happen in the server.

    ReplyDelete
    Replies
    1. Not sure I understood the question. If you mean to run different active responses on different servers, you can use "agent_id" option as specified in the documentation.

      Delete
    2. Thanks for the reply. I want to know how to configure ossec rules. There are 60 or more rules in the location /var/ossec/rules. How we can configure active response for the rule we want. Please help me.

      Delete
    3. I think this might be what you are looking for. Check further down in the document, they have some scripts that do just that.

      https://www.sans.org/reading-room/whitepapers/detection/practical-ossec-33699

      Delete
  5. Can we add some customized rule in the location /var/ossec/rules as test_rules.xml and mentioned test_rules.xml in the config file and it didn't work. Can you please check the possibilities of the above. If it is possible to add a file like that.

    ReplyDelete
    Replies
    1. Yes, that is possible and should work. Did you also create new decoders? If you have further questions please join our mailing lists at wazuh@googlegroups.com or ossec-list@googlegroups.com

      Delete
  6. 1)Is it possible to configure separate log files to each client server.
    2) How can we configure different ossec rules for clients.
    3)Could please provide us with the configuration of client server in ossec.conf

    ReplyDelete
    Replies
    1. Answering the questions above.
      1) No, although you might be able to script it.
      2) Best way of doing this is using the shared/agent.conf file
      3) Sorry, it was posted a long time ago and I don't have it. In any case, all relevant configuration settings are described in the post. Everything else was out-of-the-box

      Delete
  7. Thanks Santiago for your valuable answers. I still have some doubts regarding ossec. While trying to configuring syscheck i mentioned as follows.

    ----------------------------------
    /var/www/vhosts/*/httpdocs
    ------------------------------------

    After restarting ossec i got the following error.

    ----------------------------
    2016/02/08 20:30:49 ossec-config(1121): ERROR: Glob error. Invalid pattern: '/var/www/vhosts/*/httpdocs'.
    Started ossec-syscheckd...
    Started ossec-monitord...
    Completed.
    --------------------------------------

    and one more doubt after configuring agent in client server. How can we check the what are the things we configured. I mean ENTER for the integrity check daemon,ENTER for rootkit detection. So what we typed yes or no for the options. How can we review the agent configuration??

    ReplyDelete
    Replies
    1. As mentioned in the error message, the glob format is not supported for Syscheck. You can actually use some regular expression functionality to achieve similar results. See examples here:

      http://ossec-docs.readthedocs.org/en/latest/manual/syscheck/#configuration-examples

      Delete
  8. This is great! Thanks Santiago!

    ReplyDelete
  9. Thanks Santiago!! I need to configure ossec config for getting email alerts for multiple levels.

    ---------------------


    other_admin@example.com
    12



    -------------------

    I need email alerts for the levels 10,11,12,13,14,15

    Is it possible i am waiting for your response.

    ReplyDelete
  10. Do you have any tips for integrating Ossec with Suricata or Snort,

    ReplyDelete