Enabling plugins
These steps apply to an all-in-one profile system. For distributed deployments with several sensors, the same file has to be edited on each sensor, with the profile variable set to "Sensor".
1.- Check the configuration variables in /etc/ossim/ossim_setup.conf
- Global variables
- admin_gateway=10.0.0.200 (set it to your system gateway)
- admin_ip=10.0.0.30 (set it to your system IP)
- admin_netmask=255.255.255.0 (use your network mask)
- profile=Database, Server, Framework, Sensor
- framework_ip=127.0.0.1
- server_ip=127.0.0.1
- Under the sensor settings
- detectors=ossec, ssh
2.- Apply the new configuration by running ossim-reconfig:
# ossim-reconfig -c -v -d
3.- Check with lsof that the ossim-agent process has the log files open
# lsof +d /var/log/ | grep auth.log
# lsof +d /var/ossec/logs/alerts/ | grep alerts.log
auth.log and alerts.log are the files where SSH (through syslog/PAM) and OSSEC write their logs, respectively. The plugin configuration files (located in /etc/ossim/agents/plugins) point to those locations, so if ossim-agent does not have them open, the plugins are not enabled or the paths are wrong.
Checking that plugins work
First of all, try to log into the system as a non-existent user:
Eagle:~ santiago$ ssh test@10.0.0.30
test@10.0.0.30's password:
Permission denied, please try again.
test@10.0.0.30's password:
Permission denied, please try again.
test@10.0.0.30's password:
Permission denied (publickey,password).
The failed attempts show up in auth.log on the OSSIM system:
siem:/var/ossec/logs/alerts# tail -f /var/log/auth.log
Sep 14 23:53:25 siem sshd[8162]: pam_unix(sshd:auth): check pass; user unknown
Sep 14 23:53:25 siem sshd[8162]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.200
Sep 14 23:53:27 siem sshd[8162]: Failed password for invalid user test from 10.0.0.200 port 63952 ssh2
Sep 14 23:53:28 siem sshd[8162]: pam_unix(sshd:auth): check pass; user unknown
Sep 14 23:53:31 siem sshd[8162]: Failed password for invalid user test from 10.0.0.200 port 63952 ssh2
Sep 14 23:53:32 siem sshd[8162]: pam_unix(sshd:auth): check pass; user unknown
Sep 14 23:53:35 siem sshd[8162]: Failed password for invalid user test from 10.0.0.200 port 63952 ssh2
Sep 14 23:53:35 siem sshd[8162]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.200
Sep 14 23:54:01 siem CRON[8263]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep 14 23:54:03 siem CRON[8263]: pam_unix(cron:session): session closed for user root
OSSEC matches the "invalid user" lines and writes an alert to alerts.log, which is the file the ossec plugin reads:
# tail -f /var/ossec/logs/alerts/alerts.log
** Alert 1347692016.425295: - syslog,sshd,invalid_login,authentication_failed,
2012 Sep 14 23:53:36 siem->/var/log/auth.log
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Src IP: 10.0.0.200
User: (none)
Sep 14 23:53:35 siem sshd[8162]: Failed password for invalid user test from 10.0.0.200 port 63952 ssh2
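The two outputs above are exactly what the ssh and ossec plugins have to parse. As an added example that is not part of the original post or of the OSSIM code, the following Python script normalizes sshd lines from a constructed auth.log sample (modelled on the lines above, plus one failure for an existing user and one successful login to show the difference) into events, counts failures per source IP while distinguishing attempts against non-existent users (the condition OSSEC rule 5710 fired on above), and parses an alerts.log entry of the shape shown above into its fields. The regular expressions, the event field names and the brute-force threshold are assumptions made for this example, not the plugin's own definitions from /etc/ossim/agents/plugins.

```python
import re
from collections import Counter

# Constructed sample modelled on the auth.log output above (not captured from a
# live system): three failures for a non-existent user, one failure for an
# existing user, one success, plus unrelated PAM/CRON noise.
AUTH_LOG = """\
Sep 14 23:53:25 siem sshd[8162]: pam_unix(sshd:auth): check pass; user unknown
Sep 14 23:53:25 siem sshd[8162]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.200
Sep 14 23:53:27 siem sshd[8162]: Failed password for invalid user test from 10.0.0.200 port 63952 ssh2
Sep 14 23:53:31 siem sshd[8162]: Failed password for invalid user test from 10.0.0.200 port 63952 ssh2
Sep 14 23:53:35 siem sshd[8162]: Failed password for invalid user test from 10.0.0.200 port 63952 ssh2
Sep 14 23:54:01 siem CRON[8263]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep 14 23:55:10 siem sshd[8301]: Failed password for santiago from 10.0.0.201 port 50022 ssh2
Sep 14 23:55:40 siem sshd[8310]: Accepted password for santiago from 10.0.0.201 port 50023 ssh2
"""

# Constructed alert block in the layout of /var/ossec/logs/alerts/alerts.log.
ALERTS_LOG = """\
** Alert 1347692016.425295: - syslog,sshd,invalid_login,authentication_failed,
2012 Sep 14 23:53:36 siem->/var/log/auth.log
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Src IP: 10.0.0.200
User: (none)
Sep 14 23:53:35 siem sshd[8162]: Failed password for invalid user test from 10.0.0.200 port 63952 ssh2
"""

# Patterns in the spirit of the ossim-agent ssh plugin (assumed, not copied from ssh.cfg).
SSHD_PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
FAILED_RE = re.compile(SSHD_PREFIX + r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
                       r"from (?P<src>[\d.]+) port (?P<port>\d+) ssh2$")
ACCEPTED_RE = re.compile(SSHD_PREFIX + r"Accepted (?P<method>\w+) for (?P<user>\S+) "
                         r"from (?P<src>[\d.]+) port (?P<port>\d+) ssh2$")


def parse_auth_log(text):
    """Normalize sshd lines into event dicts; lines matching neither pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "host": m["host"], "src": m["src"], "port": int(m["port"]),
                           "user": m["user"], "invalid_user": m["invalid"] is not None,
                           "outcome": "failed"})
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "host": m["host"], "src": m["src"], "port": int(m["port"]),
                           "user": m["user"], "invalid_user": False, "outcome": "accepted",
                           "method": m["method"]})
    return events


def failed_logins_by_source(events, invalid_only=False):
    """Count failed logins per source IP; invalid_only=True keeps only attempts against
    non-existent users, which is what OSSEC rule 5710 matches."""
    counts = Counter(e["src"] for e in events
                     if e["outcome"] == "failed" and (e["invalid_user"] or not invalid_only))
    return dict(counts)


def flag_bruteforce(events, threshold=3):
    """Source IPs with at least `threshold` failures (threshold is an assumed value)."""
    return sorted(src for src, n in failed_logins_by_source(events).items() if n >= threshold)


ALERT_HEADER_RE = re.compile(r"^\*\* Alert (?P<id>[\d.]+): - (?P<groups>[\w,]+)$")
ALERT_ORIGIN_RE = re.compile(r"^(?P<ts>\d{4} \w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>.+?)->(?P<location>\S+)$")
ALERT_RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def parse_ossec_alert(block):
    """Parse one alerts.log entry into header fields plus the raw log line that triggered it."""
    lines = block.strip().splitlines()
    header = ALERT_HEADER_RE.match(lines[0])
    origin = ALERT_ORIGIN_RE.match(lines[1])
    rule = ALERT_RULE_RE.match(lines[2])
    if not (header and origin and rule):
        raise ValueError("not an OSSEC alert block")
    alert = {"id": header["id"], "groups": [g for g in header["groups"].split(",") if g],
             "ts": origin["ts"], "host": origin["host"], "location": origin["location"],
             "rule": int(rule["rule"]), "level": int(rule["level"]), "description": rule["desc"],
             "src_ip": None, "user": None, "log": None}
    for line in lines[3:]:
        if line.startswith("Src IP: "):
            alert["src_ip"] = line[len("Src IP: "):]
        elif line.startswith("User: "):
            alert["user"] = line[len("User: "):]
        else:
            alert["log"] = line  # the original event OSSEC matched
    return alert


if __name__ == "__main__":
    evs = parse_auth_log(AUTH_LOG)
    print(failed_logins_by_source(evs), flag_bruteforce(evs))
    print(parse_ossec_alert(ALERTS_LOG)["description"])
```

Running the script against the sample reports 10.0.0.200 as the only source over the threshold; the failure from 10.0.0.201 is for an existing user and is not counted when invalid_only is set, which mirrors the distinction OSSEC draws between rule 5710 and plain authentication failures.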
Visualizing events in OSSIM GUI
1.- Log into https://your_system_ip (if it is your first login, create the Admin user)
2.- In case the sensor is not configured, add it at Configuration -> Alienvault Components
3.- Browse to Analysis -> SIEM and search for your username (in our case "test")
The new SSH and OSSEC events have been collected and processed by the SIEM as expected.
Troubleshooting
If the events don't appear in the interface, look at the OSSIM component logs:
# tail -f /var/log/ossim/agent.log
# tail -f /var/log/ossim/server.log
Also check your policies and the default server behaviour (at Configuration -> Alienvault Components -> Servers).
Finally, note that the OSSIM software version used for this hands-on exercise is 4.0.2, for both the ossim-agent and ossim-server packages.
References
http://alienvault.com
http://communities.alienvault.com