Tikejhya: Ashish Nepal

Knowledgebase

Category: OSSEC

Integrating IDS [ossec] with custom log and skype alerting system


Logging is essential for every application, and the more of your logs you digest, the closer you get to an "error-free application" …

well, the statement above might not hold in every scenario 😀

First, let's spell out what we are trying to achieve:

1) Configure ossec to monitor the application log.

1.1) configure ossec to monitor the custom log [ossec client configuration]

<localfile>
  <log_format>syslog</log_format>
  <location>/my/custom/logs/*/dddd-mm-yy*</location>
</localfile>

The <location> accepts shell wildcards and strftime date formats (for example %Y-%m-%d), so a file whose name changes every day can still be followed.

1.2) configure ossec to fire a trigger when an exception is caught [i.e. when you see an error or any other keyword you choose].

<var name="PANIC_WORDS">error|bad</var>

<group name="syslogs,bidsys,">
  <rule id="110000" level="2">
    <decoded_as>mylog</decoded_as>
    <description>my log alert</description>
  </rule>

  <rule id="110002" level="7">
    <if_sid>110000</if_sid>
    <match>$PANIC_WORDS</match>
    <description>Bad log.</description>
  </rule>
</group>

 

Note: rules can be chained: 110002 uses <if_sid> so that it only fires on lines that already matched 110000, and further levels can be nested the same way. In <match>, "|" separates alternatives, so a trailing "|" would leave an empty alternative.

1.3) create the decoder that the rules in 1.2 depend on, so that your logs are parsed correctly. The name in <decoded_as> must be the decoder's name. A child decoder only fills the fields listed in <order> from capture groups (...) in its <regex>; extend the child's regex to capture the source IP from your own log format.

<decoder name="mylog">
  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d</prematch>
</decoder>

<decoder name="php-app-alert">
  <parent>mylog</parent>
  <regex>^</regex>
  <order>srcip</order>
</decoder>

1.4) test with ossec-logtest: run /var/ossec/bin/ossec-logtest, paste a sample line from the log, and check that it reports the decoder and that rule 110002 fires for a line containing one of the panic words (and only 110000 for a clean line).
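To see the decoder and rule chain of steps 1.2 and 1.3 work before touching a live server, here is an added example that is not OSSEC's code and not from the original post: an offline simulation of the chain in Python. OSSEC matches with its own OS_Regex/OS_Match engines, which the script approximates with Python's re module and a substring test; the log lines are constructed for the demo.

```python
"""Offline simulation of the mylog decoder and rules 110000/110002.

Added example, not OSSEC's own matching engine: the prematch is modelled with
Python's re module and <match> as a substring test with "|" meaning OR.
The sample log lines below are constructed for the demo.
"""
import re

# Decoder "mylog" prematch: the line must start with a YYYY-MM-DD HH:MM:SS stamp.
MYLOG_PREMATCH = re.compile(r"^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d")

# <var name="PANIC_WORDS">error|bad</var>, used by rule 110002 via <match>.
PANIC_WORDS = ("error", "bad")

RULES = {
    110000: {"level": 2, "description": "my log alert"},
    110002: {"level": 7, "description": "Bad log.", "if_sid": 110000},
}


def decode(line):
    """Return the decoder name that claims the line, or None when prematch fails."""
    return "mylog" if MYLOG_PREMATCH.match(line) else None


def evaluate(line):
    """Return (rule_id, level) for the most specific rule that fires, or None.

    110000 fires on anything decoded as mylog; 110002 refines it through
    <if_sid> when one of the panic words appears anywhere in the line.
    """
    if decode(line) != "mylog":
        return None  # not our log, so <decoded_as>mylog</decoded_as> never matches
    fired = (110000, RULES[110000]["level"])
    if any(word in line for word in PANIC_WORDS):
        fired = (110002, RULES[110002]["level"])
    return fired


def run(lines, alert_level=7):
    """Keep only hits at or above alert_level, as an email_alert_level of 7 would.

    Returns a list of (line, rule_id, level).
    """
    hits = []
    for line in lines:
        result = evaluate(line)
        if result and result[1] >= alert_level:
            hits.append((line, result[0], result[1]))
    return hits


# Constructed sample lines; the last one is ordinary syslog and must be ignored.
SAMPLE = [
    "2012-01-10 09:55:55 bidsys: request served in 12ms",
    "2012-01-10 09:55:56 bidsys: error: upstream timed out for 10.0.0.5",
    "2012-01-10 09:55:57 bidsys: bad request from 10.0.0.7",
    "Jan 10 09:55:58 host sshd[123]: error: unrelated syslog line",
]

if __name__ == "__main__":
    for line, rule_id, level in run(SAMPLE):
        print(f"rule {rule_id} (level {level}): {line}")
```

The clean line only reaches rule 110000 (level 2), the two lines with panic words reach 110002 (level 7), and the sshd line never passes the prematch, which is exactly what ossec-logtest should print for the same input.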

2) Bind that with Active Response

2.1) create a command for the active response.

2.2) create the trigger for the active response, i.e. the active-response block that binds that command to rule 110002. Both go into ossec.conf on the OSSEC server:

<command>
  <name>skypeMe</name>
  <executable>skype.sh</executable>
  <timeout_allowed>no</timeout_allowed>
  <expect />
</command>

<active-response>
  <command>skypeMe</command>
  <location>server</location>
  <rules_id>110002</rules_id>
</active-response>

 

The script named in <executable> must live in /var/ossec/active-response/bin/ and be executable. <location> is one of local, server, defined-agent or all; the Skype bridge lives on the OSSEC server here. A notification has nothing to undo, so no timeout is needed.

2.3) write the script that is to be executed. OSSEC calls it with the action, user, source IP, alert ID and rule ID as arguments:

#!/bin/sh
# /var/ossec/active-response/bin/skype.sh
# OSSEC runs active-response scripts as:
#   <script> <action> <user> <srcip> <alert-id> <rule-id> [agent] [filename]

SKYPEUSER="tikejhya"
ACTION=$1
USER=$2
IP=$3
ALERTID=$4
RULEID=$5

# Only act on "add"; "delete" is the timeout call and a notification has nothing to undo.
[ "$ACTION" = "add" ] || exit 0

LOCAL=`dirname "$0"`
cd "$LOCAL/.." || exit 1
MSGFILE=/var/ossec/active-response/logs/next_message.log

# Records in alerts.log start with a header such as
#   ** Alert 1326204955.15632: - syslogs,bidsys,
# so look up this alert's own header and take the lines after it, dropping
# the header itself. The -A 10 window is a heuristic: a longer alert is cut
# off and a short one may pull in lines of the next alert.
grep -A 10 "^\*\* Alert $ALERTID:" /var/ossec/logs/alerts/alerts.log \
  | grep -v '^\*\* Alert ' > "$MSGFILE"

# Send the body as one quoted argument so it is not word-split or glob-expanded.
/home/skype/sendim.sh "$SKYPEUSER" "Rule $RULEID: $(cat "$MSGFILE")"

2.4) Skype messaging is now fired whenever rule 110002 triggers. ^^
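The script in 2.3 relies on a fixed grep -A 10 window to cut the alert out of alerts.log, which truncates a long alert and can swallow lines of the next one. As an added example that is neither OSSEC's code nor part of the original post, the Python below splits alerts.log on its "** Alert <id>:" headers instead, so each alert's body is recovered exactly; the alerts.log excerpt is constructed, and the alert IDs and host name in it are made up.

```python
"""Extract one alert's body from alerts.log by alert ID.

Added example, not OSSEC's code. alerts.log records begin with a line
"** Alert <seconds>.<counter>: ..." and are separated by a blank line, so
splitting on the headers gives exact record boundaries. grep_window()
reproduces the -A 10 heuristic of the shell script for comparison.
"""
import re

HEADER = re.compile(r"^\*\* Alert (\d+\.\d+): ")


def parse_alerts(text):
    """Map alert ID -> list of body lines (header and blank lines dropped)."""
    alerts, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            alerts[current] = []
        elif current is not None and line.strip():
            alerts[current].append(line)
    return alerts


def alert_body(text, alert_id):
    """Body of one alert as a single string, or None when the ID is unknown."""
    body = parse_alerts(text).get(alert_id)
    return "\n".join(body) if body is not None else None


def build_message(text, alert_id, rule_id):
    """Message a notification script could send: rule ID plus the exact body."""
    body = alert_body(text, alert_id)
    if body is None:
        return None
    return f"OSSEC rule {rule_id}\n{body}"


def grep_window(text, alert_id, after=10):
    """Emulate: grep -A 10 "^\\*\\* Alert <id>:" | grep -v '^\\*\\* Alert '."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(f"** Alert {alert_id}:"):
            window = lines[i + 1:i + 1 + after]
            return [l for l in window if not l.startswith("** Alert ")]
    return None


# Constructed alerts.log excerpt: an 11-line alert followed by a 4-line one.
SAMPLE_ALERTS = """\
** Alert 1326204955.15632: - syslogs,bidsys,
2012 Jan 10 09:55:55 server2->/my/custom/logs/bidsys/2012-01-10.log
Rule: 110002 (level 7) -> 'Bad log.'
Src IP: 10.0.0.5
2012-01-10 09:55:55 bidsys: error: upstream timed out for 10.0.0.5
2012-01-10 09:55:55 bidsys: error: retry 1 failed
2012-01-10 09:55:55 bidsys: error: retry 2 failed
2012-01-10 09:55:55 bidsys: error: retry 3 failed
2012-01-10 09:55:55 bidsys: error: retry 4 failed
2012-01-10 09:55:55 bidsys: error: retry 5 failed
2012-01-10 09:55:55 bidsys: error: retry 6 failed
2012-01-10 09:55:55 bidsys: error: giving up

** Alert 1326204956.15701: - syslogs,bidsys,
2012 Jan 10 09:55:56 server2->/my/custom/logs/bidsys/2012-01-10.log
Rule: 110002 (level 7) -> 'Bad log.'
Src IP: 10.0.0.7
2012-01-10 09:55:56 bidsys: bad request from 10.0.0.7
"""

if __name__ == "__main__":
    print(build_message(SAMPLE_ALERTS, "1326204955.15632", "110002"))
    print("grep -A 10 kept", len(grep_window(SAMPLE_ALERTS, "1326204955.15632")),
          "of", len(parse_alerts(SAMPLE_ALERTS)["1326204955.15632"]), "body lines")
```

On the first alert the -A 10 window silently drops the final "giving up" line, while parse_alerts() returns all eleven; the same parser works whether the alert has one log line or a frequency-rule burst of many.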

3) Skype on linux

For this please visit my old post on integrating Zabbix with Skype. [http://www.ashishnepal.com/installing-skype-on-linux-centos-5-6-and-sending-message-from-zabbix/]

OSSEC IPtables rules


#ossec server: agents send their events to UDP port 1514
-A INPUT -i eth0 -p udp -m udp --dport 1514 -j ACCEPT
#ossec agent without a conntrack rule: the server's replies come from UDP port 1514
-A INPUT -i eth0 -s <ossec-server-ip> -p udp -m udp --sport 1514 -j ACCEPT

OSSEC agent-to-server traffic uses UDP on port 1514, so enable it on the firewall. On the server only the --dport 1514 rule is needed. Accepting every packet with --sport 1514 is dangerous, because any remote host can pick 1514 as its source port and reach any UDP service on the box; if an agent really needs such a rule (no ESTABLISHED/RELATED conntrack rule), restrict it to the server's address, written as the placeholder <ossec-server-ip> above.

OSSEC – howto email

If you configured OSSEC to send emails only for alerts of severity level 7 and higher (<email_alert_level> in the <alerts> section of ossec.conf), you will get those alerts by email.
Besides that, you will also get an email for every alert whose rule carries the alert_by_email option (<options>alert_by_email</options>), regardless of the rule's level.

Add the following statement to the <global> section of your ossec.conf, next to the <email_notification> line:

<email_maxperhour>1</email_maxperhour>

This means that the global e-mail notification system will send out at most one e-mail per hour: it collects all alerts that would generate an e-mail until the end of the hour, compiles them into one e-mail and then sends it.

Host-based intrusion detection system (HIDS)

E.g. OSSEC

"OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis,
file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response." (www.ossec.net)

A HIDS such as OSSEC is an intrusion detection system that monitors and analyses the internals of a computing system.

Nevertheless, in some cases it also looks at the network packets on the host's own network interface, just as a network-based intrusion detection system (NIDS) does.

It monitors the dynamic behaviour and state of the machine (computer system): for example that /etc/passwd was modified, or that some process suddenly and inexplicably started modifying the system password database.

It can be thought of as a monitoring agent that enforces the system's security policy.

What OSSEC has to say about itself:

OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS).
It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking,
Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response.
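The "/etc/passwd was modified" case above is what OSSEC's file integrity checking (syscheck) catches. As an added example that is not OSSEC's implementation and not from the original page, the Python below shows the technique in its simplest form: take a baseline of hashes, modes and sizes, then diff a later snapshot against it. The watched tree is a temporary directory filled with constructed files, and the "backdoor" account, hostname and ld.so.preload entry in it are made up for the demo.

```python
"""Baseline-and-compare file integrity check, the core of what a HIDS does.

Added example, not OSSEC's syscheck: OSSEC keeps its baseline in a database
and reports changes as alerts; this keeps it in memory and returns the diff.
"""
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, streamed so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map relative path -> (digest, permission bits, size) for regular files under root."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # symlinks and specials are skipped in this demo
            st = os.stat(path)
            snap[os.path.relpath(path, root)] = (file_digest(path), st.st_mode & 0o7777, st.st_size)
    return snap


def compare(old, new):
    """Sorted lists of added, removed and modified paths between two snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Build a constructed /etc, baseline it, tamper with it and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(os.path.join(etc, "hostname"), "w") as f:
            f.write("server2\n")
        before = baseline(root)

        # Tampering: a second uid-0 account appended, one file removed, one added.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(etc, "hostname"))
        with open(os.path.join(etc, "ld.so.preload"), "w") as f:
            f.write("/tmp/evil.so\n")
        return compare(before, baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

Size and mode are kept next to the digest because a permission change (for example /etc/shadow becoming world-readable) leaves the content hash untouched; a real deployment would also record owner and mtime and store the baseline somewhere the monitored host cannot rewrite.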

How to Install OSSEC WUI

OSSEC WUI installation:

wget http://www.ossec.net/files/ui/ossec-wui-0.3.tar.gz

Note: download the latest release from
http://www.ossec.net/wiki/OSSECWUI#Download
