Showing posts with label ossec. Show all posts

Friday, August 7, 2015

How to monitor running processes with OSSEC

In this post I am going to explain the steps to use OSSEC agents to monitor system processes and alert when an important one is not running. This method should work both for Windows and Unix-like operating systems. In my lab I've deployed the agent on a Windows Server 2012.

1.-Accepting remote commands

The first step is to configure the agent logcollector option to accept remote commands from the manager. That can be done by editing the "internal_options.conf" file (usually located at "C:\Program Files(x86)\ossec-agent\internal_options.conf") and setting the variable logcollector.remote_commands to 1.
# Logcollector - If it should accept remote commands from the manager
logcollector.remote_commands=1
Once we have saved this change, we just need to restart the agent for it to be applied.

2.- Specifying the command to list running processes

This configuration can be done either at the agent or at the manager (using the shared directory). It only depends on how many agents you want this command to run on. In my case I decided to edit the "/var/ossec/etc/shared/agent.conf" configuration file and have these settings pushed to my Windows agents.
<agent_config os="windows">
    <localfile>
        <log_format>full_command</log_format>
        <command>tasklist</command>
        <frequency>60</frequency>
    </localfile>
</agent_config>
The command I used to list processes on Windows is "tasklist". There are other options, like using wmic, but this one looked good enough to me. For Unix systems you might want to use "ps".
On the other hand, notice that under log_format I chose "full_command". This is because I want my OSSEC rules to be able to parse the whole command output, instead of parsing the output one line at a time.
Finally, the frequency defines how often, in seconds, this command will be run. Feel free to adjust this setting to whatever makes more sense in your environment, keeping in mind the added load that running commands too often can generate on the system.

3.- Creating local rules

In this step we edit our "/var/ossec/rules/local_rules.xml" file to add rules that will trigger an alert if our critical process is not running. For the purpose of this example I will use "wordpad.exe" but, of course, it could be any other name.
<rule id="100050" level="7">
  <if_sid>530</if_sid>
  <match>^ossec: output: 'tasklist'</match>
  <description>Critical process not found.</description>
  <group>process_monitor,</group>
</rule>
<rule id="100051" level="0">
  <if_sid>100050</if_sid>
  <match>wordpad.exe</match>
  <description>Processes running as expected</description>
  <group>process_monitor,</group>
</rule>
The first rule (id "100050") will trigger a level "7" alert every time the tasklist command is executed, unless (as defined in rule "100051") the output matches the string "wordpad.exe". If this is the case the alert level is set to "0", meaning that no alert is triggered.
Now we just need to save these changes and restart the manager for them to be applied. We can do that running "ossec-control restart" command.

4.- Testing our configuration

In order to test the configuration it is good to enable the OSSEC "logall" option, so we can see the output of tasklist in archives.log every time it is executed. See below an example (I cut some lines for brevity).
2015 Aug 07 18:38:03 (vpc-agent-windows) 10.0.0.124->tasklist ossec: output: 'tasklist':
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          4 K
System                           4 Services                   0        284 K
smss.exe                       328 Services                   0      1,060 K
csrss.exe                      484 Services                   0      3,584 K
...
...
...
notepad.exe                   1596 RDP-Tcp#37                 2     14,500 K
win32ui.exe                    828 RDP-Tcp#37                 2      6,088 K
ossec-agent.exe               3060 Services                   0      5,576 K
notepad.exe                   2276 RDP-Tcp#37                 2     12,076 K
wordpad.exe                    368 RDP-Tcp#37                 2     27,780 K
cmd.exe                        780 Services                   0      2,692 K
conhost.exe                   1304 Services                   0      3,044 K
tasklist.exe                  1692 Services                   0      5,668 K
And once the wordpad.exe process is stopped, an alert like this is triggered as expected. We can see it in the "/var/ossec/logs/alerts/alerts.log" file.
** Alert 1438997816.32112781: mail  - local,syslog,process_monitor,
2015 Aug 07 18:36:56 (vpc-agent-windows) 10.0.0.124->tasklist
Rule: 100050 (level 7) -> 'Critical process not found.'
ossec: output: 'tasklist':
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          4 K
System                           4 Services                   0        284 K
smss.exe                       328 Services                   0      1,060 K
csrss.exe                      484 Services                   0      3,584 K
...
...
Of course, using the email alert option together with the above configuration, you can automatically be notified if one of your critical processes stops running.
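As an added example (not part of the original post), here is a small Python check that parses the tasklist output OSSEC ships as a full_command event, reports which critical processes are missing by exact image name, and emulates the substring semantics of rules 100050/100051 so the difference between the two checks is visible. The sample event is constructed in the layout shown above.

```python
"""Check a tasklist full_command event for missing critical processes (added example)."""
import re

# Constructed sample event in the layout the post shows; not a real capture.
HEADER = """ossec: output: 'tasklist':
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          4 K
System                           4 Services                   0        284 K
ossec-agent.exe               3060 Services                   0      5,576 K
notepad.exe                   2276 RDP-Tcp#37                 2     12,076 K
"""
WORDPAD = "wordpad.exe                    368 RDP-Tcp#37                 2     27,780 K\n"
LOOKALIKE = "mywordpad.exe                 1200 RDP-Tcp#37                 2     12,000 K\n"
TAIL = "tasklist.exe                  1692 Services                   0      5,668 K\n"

EVENT_OK = HEADER + WORDPAD + TAIL            # wordpad.exe is running
EVENT_STOPPED = HEADER + TAIL                 # wordpad.exe has been stopped
EVENT_LOOKALIKE = HEADER + LOOKALIKE + TAIL   # only a similarly named image is running

# One tasklist row: image name, PID, session name, session number, memory in K.
ROW = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<session>\S+)\s+"
                 r"(?P<sessnum>\d+)\s+(?P<mem>[\d,]+) K\s*$")


def parse_tasklist(event):
    """Return one dict per process row; the prefix, header and ruler lines do not match ROW."""
    rows = []
    for line in event.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"image": m["image"], "pid": int(m["pid"]),
                         "session": m["session"],
                         "mem_kb": int(m["mem"].replace(",", ""))})
    return rows


def missing_processes(event, critical=("wordpad.exe", "ossec-agent.exe")):
    """Exact, case-insensitive comparison of image names against the critical list."""
    running = {row["image"].lower() for row in parse_tasklist(event)}
    return sorted(p for p in critical if p.lower() not in running)


def rule_level(event, needle="wordpad.exe"):
    """Emulate rules 100050/100051: every tasklist event is level 7 unless the
    OSSEC <match> string occurs anywhere in the output (a plain substring test)."""
    if not event.startswith("ossec: output: 'tasklist'"):
        return None
    return 0 if needle in event else 7
```

Because `<match>` is a substring test over the whole output, an image name that merely contains "wordpad.exe" keeps rule 100051 at level 0, while the exact comparison in missing_processes still reports the process as missing.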
And that is all. I hope you enjoyed the tutorial and found it useful.

Tuesday, September 23, 2014

OSSEC CON 2014 - Malware Detection with OSSEC

Happy to share my presentation from the OSSEC CON, which took place on September 16th in Cork, Ireland. Here you can find a brief explanation of different malware collection and analysis techniques, as well as a good example of how to use some IOCs to create a rootcheck signature.



And, for those interested, here is the video as well:


Updated OSSEC debian packages

Just published new versions ossec-hids_2.8-2 and ossec-hids-agent_2.8-2, for the different Debian distributions. Those can be found here: http://ossec.alienvault.com/repos/apt/debian/pool/main/o/

Here are the changelogs:
ossec-hids (2.8-2) stable; urgency=low
  * Fixed Makefile to use ossec-hids-debian.init instead of ossec-hids.init (fixes LSB headers warning).
  * Fixed CVE-2014-5284. Patch included.
  * Included debconf and templates for initial package configuration (email_to, email_from and smtp).
ossec-hids-agent (2.8-2) stable; urgency=low
  * Fixed Makefile to use ossec-hids-debian.init instead of ossec-hids.init (fixes LSB headers warning).
  * Fixed CVE-2014-5284. Patch included.
  * Included debconf and templates for initial package configuration (server_ip).
And the link to the github repo: https://github.com/santiago-bassett/ossec-debian.git

I also took the opportunity to update generate_ossec.sh script, which now accepts a few different arguments:
santiago@debian-package:~# ./generate_ossec.sh -h
USAGE: Command line arguments available:
-h | --help Displays this help.
-u | --update Updates chroot environments.
-b | --build Builds debian packages.
-s | --sync Synchronizes with the debian repository.

Friday, July 25, 2014

Files to create OSSEC HIDS Debian packages

Just published, on Github, the files I used to create the OSSEC-HIDS version 2.8 Debian packages, the ones included both on the ossec.net website and in the AlienVault repository.
You can find these packages at: http://www.ossec.net/?page_id=19
There are two different packages that can be built with these files:
  • ossec-hids: Package that includes both the server and the agent.
  • ossec-hids-agent: Package that includes just the agent.
Each one of the subdirectories includes:
  • Makefile
  • Debian control files: changelog, compat, control, copyright, lintian-overrides, postinst, postrm, preinst, rules
Additionally, a script, generate_ossec.sh, is included to generate the Debian packages for the Jessie, Sid and Wheezy Debian distributions, both for i386 and amd64 architectures. This script uses Pbuilder to build the packages, and uploads them to an APT repository set up with Reprepro.
For more details on how to create Debian Packages and an APT repository you can check my post at:
Please don't hesitate to contribute (preferably via pull requests) to improve these packages.

Sunday, September 16, 2012

OSSIM hands-on 6: Reading a log file with OSSEC agent

In this guided exercise we are going to configure an OSSEC agent, installed on a Windows system, to read logs from a file. This can be useful when we want to grab data from an application that logs directly to a file.

For this purpose we have created a sample file in "C:\Users/Administrator/Desktop/test.txt" with the following first log line: "ourapplication: This is a test line".

1.- Configuring agent to read a file

a) Edit C:\Program Files (x86)\ossec-agent\ossec.conf
b) Add the following settings
<localfile>
<location>Path to the file</location> (be careful with slashes, format "C:\directory/file")
<log_format>syslog</log_format>
</localfile>
c) Restart ossec-agent service

2.- Test that the log line is sent to the server

a) Write the log line in the file and save
b) Check the file archives.log on the OSSEC server (the logall option needs to be set to "yes" in ossec.conf first)

3.- Create a new decoder at OSSEC server to parse the incoming log lines

a) At the server edit /var/ossec/etc/local_decoder.xml (same as decoder.xml but this one is not overwritten when updating the system)
b) Create a new decoder to parse first part of the log message
<decoder name="ourapplication">
<prematch>^ourapplication: </prematch>
</decoder>
c) Restart ossec
d) Run /var/ossec/bin/ossec-logtest and paste the log line
e) Check if it recognizes the decoder

4.- Create a new rule at ossec server to parse lines pre-parsed by the decoder

a) At the server edit /var/ossec/rules/local_rules.xml
<group name="ourapplication">
<rule id="99990" level="0">
<decoded_as>ourapplication</decoded_as>
<description>ourapplication is enabled</description>
</rule>
<rule id="99991" level="1">
<if_sid>99990</if_sid>
<match>Brian</match>
<description>Brian string found</description>
</rule>
</group>
b) Restart ossec
c) Run /var/ossec/bin/ossec-logtest and paste the log line (in our case "ourapplication: Brian says hello")
d) Check if it recognizes the rule
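Before restarting the server or the agent, it helps to lint the XML fragments you just edited. The following added example (not from the original post) checks well-formedness, and for rule fragments also checks ids, levels, descriptions and that every if_sid resolves; it uses the rules from this exercise and a constructed <localfile> block with a mismatched closing tag.

```python
"""Lint OSSEC rule, decoder and localfile fragments before restarting (added example)."""
import xml.etree.ElementTree as ET

# Rule fragment from the exercise, and a constructed <localfile> block with a
# mismatched closing tag (the kind of typo that stops the agent at startup).
RULES = """<group name="ourapplication">
<rule id="99990" level="0">
<decoded_as>ourapplication</decoded_as>
<description>ourapplication is enabled</description>
</rule>
<rule id="99991" level="1">
<if_sid>99990</if_sid>
<match>Brian</match>
<description>Brian string found</description>
</rule>
</group>"""
BAD_LOCALFILE = """<localfile>
<location>C:\\Users/Administrator/Desktop/test.txt</location>
<log_format>syslog</syslog>
</localfile>"""


def parse_fragment(fragment):
    """OSSEC files may hold several top-level elements, so wrap them in one root."""
    return ET.fromstring("<lint>" + fragment + "</lint>")


def lint_xml(fragment):
    """Well-formedness only: returns [] or a single message from the XML parser."""
    try:
        parse_fragment(fragment)
    except ET.ParseError as exc:
        return ["malformed XML: %s" % exc]
    return []


def lint_rules(fragment, known_sids=()):
    """Check ids, levels, descriptions and that every if_sid resolves to a rule in
    this fragment or in known_sids (ids of rules shipped with OSSEC, e.g. 530)."""
    problems = lint_xml(fragment)
    if problems:
        return problems
    rules = list(parse_fragment(fragment).iter("rule"))
    ids = [r.get("id") for r in rules]
    resolvable = set(ids) | {str(s) for s in known_sids}
    for rule in rules:
        rid = rule.get("id")
        if rid is None or rule.get("level") is None:
            problems.append("rule without id or level")
            continue
        if ids.count(rid) > 1:
            problems.append("duplicate rule id %s" % rid)
        if rule.find("description") is None:
            problems.append("rule %s has no description" % rid)
        for ref in rule.findall("if_sid"):
            for sid in (ref.text or "").split(","):
                if sid.strip() not in resolvable:
                    problems.append("rule %s: if_sid %s not found" % (rid, sid.strip()))
    return problems
```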

5.- Check that ossim-agent reads the alert.log file and the event is processed by OSSIM

a) Check /var/ossec/logs/alerts/alert.log
b) Check /var/log/ossim/agent.log
c) Check /var/log/ossim/server.log
d) Add 99991=7999 to the translation table of ossec.cfg (this is because that value is used for the plugin_id)
e) Insert new plugin_sid with value 99991 for ossec plugin:
INSERT IGNORE INTO plugin_sid(plugin_id, sid, category_id, class_id, reliability, priority, name) VALUES(7999, 99991, NULL, NULL, 1, 2, "ossec: our application_brian_rulematch");
f) Restart ossim-server
g) Generate new logs and look in the GUI for the results



6.- Optionally we can also enable file integrity checking

a) At the windows system edit ossec.conf file (C:\Program Files (x86)\ossec-agent\ossec.conf)
b) Under syscheck options change frequency to 30 seconds (how often the integrity check is going to run)
c) Include the log file we are monitoring
<directories check_all="yes">C:\Users/Administrator/Desktop/test.txt</directories>
d) Save and restart ossec-agent service
e) Check ossec-agent logs C:\Program Files (x86)\ossec-agent\ossec.log
f) Modify the file, delete it, create a new one with the same name
g) Check if new ossec alerts have been generated at ossec server
h) Check if there are new events related with this in the SIEM interface

OSSIM hands-on 5: Installing OSSEC agent in a Windows server

Welcome to another OSSIM hands-on practical exercise. In this case we are going to collect Windows events using OSSEC HIDS agent.

1.- Download OSSEC agent into the windows system:

a) Open a browser and connect to the IP of OSSIM server (10.0.0.30)
b) Go to Configuration -> Collection -> Downloads
c) Download OSSEC agent for Windows

2.- Run the downloaded executable and install the agent following the wizard

a) For the server use the OSSIM server IP address

3.- Create a new OSSEC key for the agent

a) At GUI go to Analysis -> Detection -> HIDS
b) Go to agents (top right corner)
c) Add a new agent
d) Copy the key and use it at the agent

4.- Restart agent at the Windows server

a) A new Windows service can be found named ossim-agent
b) Restart the service

5.- Check that the agent is working

a) Logout and Login in the Windows system
b) See in the GUI that the events have been collected and processed


6.- Troubleshooting

a) Check ossec agent logs at C:\Program Files (x86)\ossec-agent\ossec.log
b) Check ossec configuration file at C:\Program Files (x86)\ossec-agent\ossec.conf

Saturday, September 15, 2012

OSSIM hands-on 2: Configuring distributed profiles

This is the second hands-on exercise designed to help OSSIM users be able to distribute Server and Sensor profiles.

We will be using the current published release version (4.0.2) with IP 10.0.0.30 acting as the server, and IP 10.0.0.31 acting as a sensor.

Configuring server (10.0.0.30)

1.- Edit /etc/ossim/ossim_setup.conf and set these variables
server_ip= 10.0.0.30
framework_ip=10.0.0.30
hostname=server
vpn_infraestructure=yes
vpn_net=192.168.1 (defines vpn network range for server-sensor communications)

2.- Add new hostname to /etc/hosts and /etc/hostname

3.- Run ossim-reconfig and check server network socket
server:~# ossim-reconfig -c -v -d
server:~# netstat -nap | grep -i ossim-server
tcp        0      0 0.0.0.0:40001           0.0.0.0:*               LISTEN      16678/ossim-server

4.- Generate VPN configuration files for the new sensor
server:~# ossim-reconfig --add_vpnnode=10.0.0.31 (sensor IP)
server:~# scp /etc/openvpn/nodes/10.0.0.31.tar.gz root@10.0.0.31:/etc/openvpn/

Configuring sensor (10.0.0.31)

1.- Edit /etc/network/interfaces to use static IP 10.0.0.31
sensor:~# cat /etc/network/interfaces
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 10.0.0.31
netmask 255.255.255.0
gateway 10.0.0.200
sensor:~# /etc/init.d/networking restart

2.- Edit /etc/ossim/ossim_setup.conf (at the sensor)
admin_ip=10.0.0.31
admin_gateway=10.0.0.200
hostname=sensor
sensor:~# ossim-reconfig -c -v -d

3.- Add new hostname to /etc/hosts and /etc/hostname

4.- Uncompress VPN tar file and restart Openvpn
sensor:~# cd /etc/openvpn
sensor:~# tar -xvzf 10.0.0.31.tar.gz
sensor:~# /etc/init.d/openvpn restart

5.- Configure sensor settings at /etc/ossim/ossim_setup.conf
profile=Sensor
server_ip=192.168.1.1 (vpn server IP)
framework_ip=192.168.1.1 (framework server IP)
detectors=ossec, ssh (enabling ssh and ossec plugins)
sensor:~# ossim-reconfig -c -v -d

Check Sensor and Server communications

1.- Check log files
sensor:~# tail -f /var/log/ossim/agent.log
server:~# tail -f /var/log/ossim/server.log

2.- Insert sensor and check results
Go to Configuration -> Alienvault Components and insert the sensor with IP 192.168.1.10 (sensor IP in the VPN). After that, try to log into the sensor through SSH to generate some new events. Then check the results in the GUI under Analysis -> SIEM.


OSSIM hands-on 1: Setting up OSSEC and SSH plugins

This is the first of a series of hands-on practical exercises on how to configure OSSIM components. In this case we will just enable both OSSEC and SSH plugins and test that those work as expected.

Enabling plugins

These steps work for an all-in-one profile system. For distributed deployments with several sensors, we would need to edit the sensors' configuration and set the profile variable to "sensor".

1.- Check configuration variables at /etc/ossim/ossim_setup.conf
  • Global variables
    • admin_gateway=10.0.0.200 (set it to your system gateway)
    • admin_ip=10.0.0.30 (set it to your system ip)
    • admin_netmask=255.255.255.0 (use your network mask)
    • profile=Database, Server, Framework, Sensor
    • framework_ip=127.0.0.1
    • server_ip=127.0.0.1
  • Under sensor settings
    • detectors=ossec, ssh
2.- After saving changes, apply those running ossim-reconfig
  # ossim-reconfig -c -v -d

3.- Check with lsof that ossim-agent process is reading the log files
  # lsof +d /var/log/ | grep auth.log
  # lsof +d /var/ossec/logs/alerts/ | grep alerts.log

Both auth.log and alerts.log are the files where SSH and OSSEC write their logs. The plugins configuration files (located in /etc/ossim/agents/plugins) point to those locations.

Checking that plugins work

First of all, try to log into the system with a non-existent user.

#Eagle:~ santiago$ ssh test@10.0.0.30
test@10.0.0.30's password:
Permission denied, please try again.
test@10.0.0.30's password:
Permission denied, please try again.
test@10.0.0.30's password:
Permission denied (publickey,password).

#tail -f /var/log/auth.log
siem:/var/ossec/logs/alerts# tail -f /var/log/auth.log
Sep 14 23:53:25 siem sshd[8162]: pam_unix(sshd:auth): check pass; user unknown
Sep 14 23:53:25 siem sshd[8162]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.200
Sep 14 23:53:27 siem sshd[8162]: Failed password for invalid user test from 10.0.0.200 port 63952 ssh2
Sep 14 23:53:28 siem sshd[8162]: pam_unix(sshd:auth): check pass; user unknown
Sep 14 23:53:31 siem sshd[8162]: Failed password for invalid user test from 10.0.0.200 port 63952 ssh2
Sep 14 23:53:32 siem sshd[8162]: pam_unix(sshd:auth): check pass; user unknown
Sep 14 23:53:35 siem sshd[8162]: Failed password for invalid user test from 10.0.0.200 port 63952 ssh2
Sep 14 23:53:35 siem sshd[8162]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.200
Sep 14 23:54:01 siem CRON[8263]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep 14 23:54:03 siem CRON[8263]: pam_unix(cron:session): session closed for user root
#tail -f /var/ossec/logs/alerts/alerts.log
** Alert 1347692016.425295: - syslog,sshd,invalid_login,authentication_failed,
2012 Sep 14 23:53:36 siem->/var/log/auth.log
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Src IP: 10.0.0.200
User: (none)
Sep 14 23:53:35 siem sshd[8162]: Failed password for invalid user test from 10.0.0.200 port 63952 ssh2
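The alerts.log records shown here and in the process-monitoring post share one layout: a "** Alert" header with the timestamp, an optional "mail" flag and the group list, then the time and location, the rule line, optional "Src IP:" and "User:" lines, and finally the log that matched. The following added example (not code from the post or from OSSIM) parses that layout so records can be filtered by level before they reach the SIEM; the two sample records are constructed from the excerpts on this page.

```python
"""Parse OSSEC alerts.log records, the '** Alert' blocks ossim-agent reads (added example)."""
import re

# Constructed sample: two records in the layout shown on the page, not a real capture.
SAMPLE_ALERTS = """\
** Alert 1347692016.425295: - syslog,sshd,invalid_login,authentication_failed,
2012 Sep 14 23:53:36 siem->/var/log/auth.log
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Src IP: 10.0.0.200
User: (none)
Sep 14 23:53:35 siem sshd[8162]: Failed password for invalid user test from 10.0.0.200 port 63952 ssh2

** Alert 1438997816.32112781: mail  - local,syslog,process_monitor,
2015 Aug 07 18:36:56 (vpc-agent-windows) 10.0.0.124->tasklist
Rule: 100050 (level 7) -> 'Critical process not found.'
ossec: output: 'tasklist':
Image Name                     PID Session Name        Session#    Mem Usage
"""

HEAD = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+):(?P<flags>[^-]*)- (?P<groups>.*)$")
LOC = re.compile(r"^(?P<time>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<location>.+)$")
RULE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def parse_alerts(text):
    """Split alerts.log into records (blank lines separate them) and parse each one."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3:
            continue
        h, l, r = HEAD.match(lines[0]), LOC.match(lines[1]), RULE.match(lines[2])
        if not (h and l and r):
            continue  # skip anything that is not a complete record
        alert = {
            "timestamp": float(h["ts"]),
            "mail": "mail" in h["flags"],          # the "mail" flag marks alerts that are e-mailed
            "groups": [g for g in h["groups"].split(",") if g],
            "time": l["time"], "location": l["location"],
            "rule_id": int(r["id"]), "level": int(r["level"]), "description": r["desc"],
            "src_ip": None, "user": None, "log": [],
        }
        for line in lines[3:]:                    # optional fields, then the matched log
            if line.startswith("Src IP: "):
                alert["src_ip"] = line[len("Src IP: "):]
            elif line.startswith("User: "):
                alert["user"] = line[len("User: "):]
            else:
                alert["log"].append(line)
        alerts.append(alert)
    return alerts


def alerts_at_or_above(text, level):
    """Records whose rule level is at least `level`, e.g. 7 for the process-monitor alert."""
    return [a for a in parse_alerts(text) if a["level"] >= level]
```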

Visualizing events in OSSIM GUI

1.- Log into https://your_system_ip (if it is your first login, create the Admin user)

2.- In case the sensor is not configured, add it at Configuration -> Alienvault Components

3.- Browse to Analysis -> SIEM and search for your username (in our case "test")



The new SSH and OSSEC events have been collected and processed by the SIEM as expected. 

Troubleshooting

If the events don't appear in the interface, try looking at OSSIM components logs:

# tail -f /var/log/ossim/agent.log
# tail -f /var/log/ossim/server.log

Also check your policies and the default server behavior (at Configuration -> Alienvault Components -> Servers).

Finally, the OSSIM software version used for this hands-on exercise is 4.0.2, both for the ossim-agent and ossim-server packages.
