Tuesday, September 23, 2014
OSSEC CON 2014 - Malware Detection with OSSEC
Happy to share my presentation from the OSSEC CON, which took place on September 16th in Cork, Ireland. Here you can find a brief explanation of different malware collection and analysis techniques, as well as a good example of how to use some IOCs to create a rootcheck signature.
And, for those interested, here is the video as well:
Updated OSSEC debian packages
Just published new versions ossec-hids_2.8-2 and ossec-hids-agent_2.8-2, for the different Debian distributions. Those can be found here: http://ossec.alienvault.com/repos/apt/debian/pool/main/o/
Here are the changelogs:
ossec-hids (2.8-2) stable; urgency=low
* Fixed Makefile to use ossec-hids-debian.init instead of ossec-hids.init (fixes LSB headers warning).
* Fixed CVE-2014-5284. Patch included.
* Included debconf and templates for initial package configuration (email_to, email_from and smtp).
ossec-hids-agent (2.8-2) stable; urgency=low
* Fixed Makefile to use ossec-hids-debian.init instead of ossec-hids.init (fixes LSB headers warning).
* Fixed CVE-2014-5284. Patch included.
* Included debconf and templates for initial package configuration (server_ip).
And the link to the GitHub repo: https://github.com/santiago-bassett/ossec-debian.git
I also took the opportunity to update the generate_ossec.sh script, which now accepts a few different arguments:
santiago@debian-package:~# ./generate_ossec.sh -h
USAGE: Command line arguments available:
-h | --help Displays this help.
-u | --update Updates chroot environments.
-b | --build Builds debian packages.
-s | --sync Synchronizes with the debian repository.
Friday, July 25, 2014
Files to create OSSEC HIDS Debian packages
Just published on GitHub the files I used to create the OSSEC-HIDS version 2.8 Debian packages, the ones included both on the ossec.net website and in the AlienVault repository.
You can find these packages at: http://www.ossec.net/?page_id=19
or directly at: http://ossec.alienvault.com/repos/apt/debian/pool/main/o/
There are two different packages that can be built with these files:
- ossec-hids: Package that includes both the server and the agent.
- ossec-hids-agent: Package that includes just the agent.
Each one of the subdirectories includes:
- Makefile
- Debian control files: changelog, compat, control, copyright, lintian-overrides, postinst, postrm, preinst, rules
Additionally, a script, generate_ossec.sh, is included to generate the Debian packages for the Jessie, Sid and Wheezy Debian distributions, for both the i386 and amd64 architectures. This script uses Pbuilder to build the packages and uploads them to an APT repository set up with Reprepro.
For more details on how to create Debian Packages and an APT repository you can check my post at:
Please don't hesitate to contribute (preferably via pull requests) to improve these packages.
Saturday, July 19, 2014
Scripts to inject sample data to AlienVault / OSSIM SIEM
I just published a few scripts I wrote to inject sample data into AlienVault or OSSIM (the open source version) Unified SIEM. They can be found on GitHub:
https://github.com/santiago-bassett/Alienvault-Demo_scripts
The scripts are ready to emulate syslog data coming from these sources: Aruba Wireless, Cisco ASA, Cisco PIX, ClamAV, Oracle Database, OSSEC HIDS, Sonicwall and SSH.
The scripts can also inject malicious network traffic into a dummy interface so it can be analyzed by Snort NIDS. Some of the injected traffic is related to botnets, C&C communications, Zeus, spambots or spyware. The pcap files can be found in this directory:
https://github.com/santiago-bassett/Alienvault-Demo_scripts/tree/master/pcaps
Wednesday, July 16, 2014
Setting up an APT repository with Reprepro and Apache
This post can be considered a continuation of my previous ones:
In the following steps we will set up a signed Debian repository using Reprepro and Apache2.
1.- Installing the tools
root@server:~# apt-get install apache2 dpkg-sig reprepro
2.- Configuring Apache2 with reprepro
root@server:~# mkdir -p /var/www/repos/apt/debian
Then we need to edit /etc/apache2/apache2.conf file, adding the following line:
ServerName localhost
Now we need to create /etc/apache2/conf-available/repos.conf with this content:
<Directory /var/www/repos/ >
# We want the user to be able to browse the directory manually
Options Indexes FollowSymLinks Multiviews
Order allow,deny
Allow from all
</Directory>
# This syntax supports several repositories, e.g. one for Debian, one for Ubuntu.
# Replace * with debian, if you intend to support one distribution only.
<Directory "/var/www/repos/apt/*/db/">
Order allow,deny
Deny from all
</Directory>
<Directory "/var/www/repos/apt/*/conf/">
Order allow,deny
Deny from all
</Directory>
<Directory "/var/www/repos/apt/*/incoming/">
Order allow,deny
Deny from all
</Directory>
At last, we need to enable the repos site configuration in Apache:
root@server:/etc/apache2/conf-available# a2enconf repos
root@server:/etc/apache2/conf-enabled# apache2ctl configtest
Syntax OK
root@server:/etc/apache2/conf-enabled# service apache2 restart
3.- Configuring Reprepro
root@server:~# mkdir -p /var/www/repos/apt/debian/conf
Now we create the file /var/www/repos/apt/debian/conf/distributions with the following content (reprepro expects each distribution stanza to be separated by a blank line):
Origin: Debian
Label: Sid apt repository
Codename: sid
Architectures: i386 amd64
Components: main
Description: Apt repository for Debian unstable - Sid
DebOverride: override.sid
DscOverride: override.sid
SignWith: 870B8E2D

Origin: Debian
Label: Jessie apt repository
Codename: jessie
Architectures: i386 amd64
Components: main
Description: Apt repository for Debian testing - Jessie
DebOverride: override.jessie
DscOverride: override.jessie
SignWith: 870B8E2D

Origin: Debian
Label: Wheezy apt repository
Codename: wheezy
Architectures: i386 amd64
Components: main
Description: Apt repository for Debian stable - Wheezy
DebOverride: override.wheezy
DscOverride: override.wheezy
SignWith: 870B8E2D
The SignWith value used above must be taken from gpg --list-keys. This is the key that will be used to sign our packages and the repository:
root@server:~# gpg --list-keys
pub 2048R/489CD644 2014-07-15
uid Your Name <your_email_address@domain.com>
sub 2048R/870B8E2D 2014-07-15
At last, we create the options file at /var/www/repos/apt/debian/conf/options:
verbose
basedir /var/www/repos/apt/debian
ask-passphrase
Note: We can also override fields of the packages' control files by creating override files. In our case, for example, we could create /var/www/repos/apt/debian/conf/override.jessie with this content (used for our package named hello):
hello Priority extra
hello Section admin
4.- Adding a package to the repository
root@server:/var/www/repos/apt/debian# reprepro includedeb jessie /opt/hello_0.1-1_i386.deb
This will add our package hello_0.1-1_i386.deb to the APT repository. The command above will ask for a passphrase, which is the same one used to sign the package. In case we want to remove the package from the repository, we can use the following command:
root@server:/var/www/repos/apt/debian# reprepro remove jessie hello
5.- Providing the public key to repository users
We need to export our public GPG key to a file and make it available on the web server so users can download it:
root@server:~# gpg --armor --output public.gpg.key --export "Your Name"
root@server:~# mkdir /var/www/repos/apt/conf
root@server:~# cp public.gpg.key /var/www/repos/apt/conf/
6.- Installing packages using the repository
wget -O - http://YOUR_REPO_SERVER/repos/apt/conf/public.gpg.key | apt-key add -
echo "deb http://YOUR_REPO_SERVER/repos/apt/debian jessie main" >> /etc/apt/sources.list
apt-get update && apt-get install YOUR_PACKAGE
7.- Useful commands
- List packages of a specific distribution: reprepro list DISTRIBUTION_CODENAME
- List packages matching a specific name: reprepro ls PACKAGE_NAME
- Remove a whole distribution: delete its stanza from /var/www/repos/apt/debian/conf/distributions, then run reprepro clearvanished
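As an added example that is not part of the original post, the following POSIX shell script checks the two files from steps 2 and 3 the way a repository owner would before publishing: every stanza in conf/distributions must carry SignWith with the expected key id (an unsigned Release cannot be verified by apt on the client), and the db/, conf/ and incoming/ directories must be denied in the Apache configuration. The file paths and the key id are assumptions passed in as arguments.

```shell
#!/bin/sh
# Added example, not from the original post: audit the two files that decide whether
# the repository is trustworthy. Paths and the expected key id are assumed arguments.

# check_distributions FILE KEYID -- exit 0 when every stanza of reprepro's
# conf/distributions has Codename, Architectures and Components and is signed with
# KEYID; otherwise print one line per problem and exit 1. Stanzas end at a blank
# line (reprepro's format); a further "Origin:" line also starts a new stanza.
check_distributions() {
    awk -v want="$2" '
        BEGIN { bad = 0; n = 0; seen = 0 }
        function flush() {
            if (!seen) return
            if (codename == "")    { print "stanza " n ": missing Codename"; bad = 1 }
            if (archs == "")       { print "stanza " n ": missing Architectures"; bad = 1 }
            if (comps == "")       { print "stanza " n ": missing Components"; bad = 1 }
            if (sign == "")        { print "stanza " n " (" codename "): no SignWith, Release would be unsigned"; bad = 1 }
            else if (sign != want) { print "stanza " n " (" codename "): SignWith " sign " is not " want; bad = 1 }
            codename = ""; archs = ""; comps = ""; sign = ""; seen = 0
        }
        /^[ \t]*$/ { flush(); next }
        /^Origin:/ && seen { flush() }
        !seen { seen = 1; n++ }
        /^Codename:/      { codename = $2 }
        /^Architectures:/ { archs = $2 }
        /^Components:/    { comps = $2 }
        /^SignWith:/      { sign = $2 }
        END { flush(); exit bad }
    ' "$1"
}

# check_apache_denies FILE -- exit 0 when the db/, conf/ and incoming/ <Directory>
# blocks are all present and each denies web access ("Deny from all" in Apache 2.2,
# "Require all denied" in 2.4); they hold the package database, the signing
# configuration and unpublished uploads. Otherwise report and exit 1.
check_apache_denies() {
    awk '
        BEGIN { bad = 0; covered = 0; dir = "" }
        /^[ \t]*<Directory/ { dir = $0; denied = 0; next }
        /Deny from all|Require all denied/ { denied = 1 }
        /^[ \t]*<\/Directory>/ && dir ~ /\/(db|conf|incoming)\// {
            covered++
            if (!denied) { print "web access not denied: " dir; bad = 1 }
            dir = ""
        }
        END { if (covered < 3) { print "expected 3 protected blocks, found " covered; bad = 1 }; exit bad }
    ' "$1"
}
```

Run it as check_distributions /var/www/repos/apt/debian/conf/distributions 870B8E2D and check_apache_denies /etc/apache2/conf-available/repos.conf; a non-zero exit means the repository should not be published yet.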