SBM Labs

Cyber Security Collaboration Project

OSSEC. Use Cases.
15 Apr 2011

In this article we will review several OSSEC use cases and create custom decoders and rules.

1. Unauthorized attempts to use privileged access.

Let's try to create a custom OSSEC correlation rule in order to monitor failed "sudo" attempts in Linux.

First of all we need to create a custom decoder.

Edit the file /var/ossec/etc/local_decoder.xml.
# vi /var/ossec/etc/local_decoder.xml

Add the lines below to the file /var/ossec/etc/local_decoder.xml.
<decoder name="sudo">
<prematch>sudo</prematch>
</decoder>

Then we need to create custom rules.

Edit the file /var/ossec/rules/local_rules.xml.
# vi /var/ossec/rules/local_rules.xml

Add the lines below to the file /var/ossec/rules/local_rules.xml.

<group name="Incidents">

<rule id="100001" level="0" noalert="1">
<decoded_as>sudo</decoded_as>
<description>sudo messages grouped</description>
</rule>

<rule id="100002" level="7">
<if_sid>100001</if_sid>
<match>command not allowed</match>
<description>sudo command not allowed</description>
</rule>

</group>

And finally restart OSSEC.
# cd /var/ossec/bin
# ./ossec-control restart

Level "7" in rule "100002" means that the event has some security relevance and an e-mail notification will be sent. For more details see the configuration file /var/ossec/etc/ossec.conf. In case of false positive alarms we can add some more rules. For example:

<rule id="100003" level="0">
<if_sid>100002</if_sid>
<match>COMMAND=[command name]</match>
<description>sudo command not allowed - False Positive</description>
</rule>

Level "0" in rule "100003" means that no action is required.

2. Brute-force attack detection.

Let's create a custom OSSEC correlation rule in order to monitor failed logon attempts to an Oracle database.

Create a custom decoder.
<decoder name="Oracle">
<prematch>Oracle Audit[\d+]:</prematch>
<regex offset="after_prematch">USERID:[\d+] "(\w+)"</regex>
<order>user</order>
</decoder>

Create custom rules.
<rule id="100004" level="0" noalert="1">
<decoded_as>Oracle</decoded_as>
<description>Oracle messages grouped</description>
</rule>

<rule id="100005" level="5">
<if_sid>100004</if_sid>
<match>RETURNCODE:[4] "1017"</match>
<description>failed logon attempt to Oracle database</description>
<group>invalid_login,authentication_failed,</group>
</rule>

Level "5" means that the event has no security relevance. In this case we are interested in detecting multiple failed logon attempts by the same user.

<rule id="100006" level="10" frequency="3" timeframe="180">
<if_matched_sid>100005</if_matched_sid>
<same_user />
<description>multiple failed logon attempts to Oracle database by the same user</description>
<group>authentication_failures,</group>
</rule>

Level "10" means that event may indicate an attack and e-mail notification will be sent.
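As an added illustration (not part of the original article or of OSSEC itself), the Python script below models how the Oracle decoder and rules 100004 to 100006 behave over a few constructed audit lines: it extracts the user after the prematch, treats RETURNCODE 1017 as a level-5 event, and raises level 10 once the same user fails three times within 180 seconds. The counting is a simplified approximation of OSSEC's own; ossec-logtest against the real rules remains the authoritative check.

```python
import re
from collections import defaultdict, deque

# Python equivalents of the page's OSSEC syntax (brackets escaped for Python's re module).
PREMATCH = re.compile(r"Oracle Audit\[\d+\]:")       # <prematch>Oracle Audit[\d+]:</prematch>
USER_RE = re.compile(r'USERID:\[\d+\] "(\w+)"')       # <regex offset="after_prematch">...</regex>
FAILED_LOGON = 'RETURNCODE:[4] "1017"'                # rule 100005 <match>
FREQUENCY, TIMEFRAME = 3, 180                         # rule 100006 frequency="3" timeframe="180"

def decode(line):
    """Emulate the 'Oracle' decoder: prematch first, then pull the user from what follows it."""
    m = PREMATCH.search(line)
    if not m:
        return None                                   # not decoded as Oracle -> rule 100004 never fires
    rest = line[m.end():]
    u = USER_RE.search(rest)
    return {"user": u.group(1) if u else None, "log": rest}

def process(hits, ts, line):
    """Simplified model of rules 100004-100006 (returns level 0, 5 or 10); OSSEC's counting differs in detail."""
    ev = decode(line)
    if ev is None or FAILED_LOGON not in ev["log"]:
        return 0
    if ev["user"] is None:
        return 5                                      # <same_user /> cannot correlate without a user
    q = hits[ev["user"]]                              # user -> timestamps of rule 100005 matches
    q.append(ts)
    while ts - q[0] > TIMEFRAME:                      # discard failures older than the timeframe
        q.popleft()
    if len(q) >= FREQUENCY:
        q.clear()                                     # fire the level-10 alert and start a new window
        return 10
    return 5

def audit_line(pid, user, rc):
    """Constructed Oracle audit syslog line in the shape the page's decoder expects."""
    return (f'Apr 15 09:00:00 dbhost Oracle Audit[{pid}]: LENGTH : "180" ACTION :[7] "CONNECT" '
            f'USERID:[{len(user)}] "{user}" RETURNCODE:[{len(rc)}] "{rc}"')

SAMPLE = [  # constructed (seconds offset, log line) pairs
    (0, audit_line(4242, "scott", "1017")), (30, audit_line(4243, "scott", "1017")),
    (60, audit_line(4244, "alice", "1017")), (90, audit_line(4245, "scott", "0")),
    (120, audit_line(4246, "scott", "1017")),         # 3rd scott failure within 180 s -> level 10
    (150, "Apr 15 09:02:30 dbhost sshd[99]: Accepted publickey for ops from 10.0.0.5"),
    (400, audit_line(4247, "alice", "1017")),         # alice's first failure has aged out -> level 5
]

def run(logs):
    hits = defaultdict(deque)
    return [process(hits, ts, line) for ts, line in logs]
```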

Restart OSSEC.
# /var/ossec/bin/ossec-control restart

You can use the "ossec-logtest" utility for testing OSSEC rules. It is located in the folder /var/ossec/bin. I also recommend reading the book "OSSEC Host-Based Intrusion Detection Guide". There are a lot of examples of OSSEC usage and configuration in it.
