Connecting to OSSEC rule from OSSIM

Madhuka
Prerequisite: test the new OSSEC log with ‘ossec-logtest’. Here is the custom-created rule. This rule mainly looks for URLs containing the word ‘payment’:
<rule id="31181" level="6">
  <if_sid>31100</if_sid>
  <url>payment|paid|pay|pays|bar</url>
  <description>Customer payment attempt.</description>
  <group>attack,</group>
</rule>
1. Update the OSSIM plugins. The OSSIM plugin needs to be updated to map the OSSEC rule to the OSSIM agent plugin: etc/ossim/agent/plugins/ossec-single-l

Creating New Rule set for OSSEC Server

Madhuka
Here I am using a well-known decoder in OSSEC; if you need a new OSSEC decoder you can write one as well [1]. Add a new file to the rules directory in OSSEC. Creating a new OSSEC rule set: $ vi var/ossec/rules/custom_access_rules.xml Here I am interested in monitoring a web user behaviour model, so I only need the 200 HTTP status code and I ...

OSSEC Rule Testing

Madhuka
Introduction: in OSSEC, rules are classified into multiple levels from the lowest (00) to the maximum level 16, but some levels are not used right now; the levels are explained below. 00 - Ignored; 01 - None; 05 - Error generated by user; 06 - Low relevance attack; 08 - First time seen; 12 - High importance event; 15 - Severe attack (There ...

Sending Brute force attack

Madhuka
A brute-force attack consists of an attacker trying many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found. Alternatively, the attacker can attempt to guess the key which is typically created from the password using a key derivation function. This is known as an ...

DiskPart in Windows (Fdisk in Windows 8)

Madhuka
Unfortunately Windows does not support Fdisk anymore, but there is another good command-line tool to solve this problem. DiskPart in Windows is useful for formatting unallocated space on a USB pen drive. 1. Enter ‘diskpart’ in cmd; DiskPart will then start. 2. List the storage in the PC with ‘list disk’. 3. Select the disk to fix with (in my case it is ...

Uncomplicated Firewall

Madhuka
The Linux kernel in Ubuntu provides a packet filtering system called netfilter, and the traditional interface for manipulating netfilter is the iptables suite of commands. The Uncomplicated Firewall (ufw) is a frontend for iptables and is particularly well-suited for host-based firewalls. Allowing a port from any source: $ sudo ufw allow 122/tcp Listing the apps and app info: $ sudo ufw app list $ ufw ...

Grep quotes in Linux

Madhuka
Count the lines in which a word is matched: $ grep -c 'word' /path/to/file Pass the -n option to precede each line of output with its line number in the text file: $ grep -n 'root' /etc/passwd Ignore word case: $ grep -i 'word' /path/to/file Use grep recursively under each directory: $ grep -r 'word' /path/to/file Use grep to search for 2 different ...

OSSEC Decoder

Madhuka
Each application has its own log record format, e.g.: web.madhuka.lk 123.231.120.128 - - [27/Dec/2015:03:44:16 +0530] "POST /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0" Here we add a new OSSEC decoder called “custom-apache-access-log”:
# /var/ossec/etc/decoder.xml
<decoder name="custom-apache-access-log">
  <program_name>custom-apache-access-log</program_name>
</decoder>
Then test it: # /var/ossec/bin/oss

How access logs work with OSSIM

Madhuka
The access log moves to the sensor / data source, then I map it to an event id, taking the rules in OSSIM into account. Data sources can be found under “ossim -> configuration -> threat_intelligence -> data_source”; search for the source as below. Pick “AlienVault HIDS-accesslog”, which reads the access log. Browse the data source from the UI. Events are mapped to OSSEC event ...

HIDS Agentless in AlienVault USM

Madhuka
It provides SSH authentication to the host you want to access. For Cisco devices (PIX, routers, etc.), you need to provide an additional parameter for the enable password. The same applies if you want to add support for “su”: it must be the additional parameter. 1. Log into AlienVault USM. 2. Navigate to environment -> detection -> hids -> ...

Install OSSIM

Madhuka
1. Download the OSSIM image file. 2. Make a bootable pen drive with the OSSIM ISO file. 3. Boot from the drive; make sure you have an internet connection. 4. Select OSSIM server to install. 5. Just follow the wizard. 6. Add the network details correctly, with a unique new IP for the OSSIM server. 7. After the install is completed, go through the web interface to set up the configuration of the OSSIM

OSSEC configure to new log file

Madhuka
Finding the logs on my server: I generally use lsof to list what my server has open. lsof | grep log I check which logs are being read by OSSEC: cat /var/ossec/etc/ossec.conf | grep "<location>/" Add the new access log to OSSEC: /var/ossec/bin/util.sh addfile /var/log/httpd/nic.access_log OR just update “/var/ossec/etc/ossec.conf”. Then add some log lines, or run your server to get some logs: echo "123.231.120.128 ...

Testing Log forwarding in OSSEC

Madhuka
The OSSEC client and server are connected using UDP port 1514, so we need to test message passing over UDP. To see whether OSSEC network connections exist, use the command below: # netstat -putan | grep ossec There must be results on both server and client. Here it is on the server: Here it is on the client (agent): To check if ossec-server is receiving data on ...

Host-based firewall in Linux

Madhuka
Linux comes with a host-based firewall called Netfilter. 'iptables' is the program for the Linux firewall and it handles filtering for IPv4 (ip6tables handles IPv6). This post lists the simplest iptables solutions a new Linux user needs to secure his or her Linux operating system from intruders. Displaying the status of your firewall: iptables -L -n -v (-L: list rules; -v ...

Adding OSSEC client to OSSEC Server

Madhuka
For this you will need two machines, one for the OSSEC server and the other for the OSSEC client. The post mainly covers two components: the OSSEC server and the OSSEC agent (client). 1. Install the server (the steps are explained in the previous article), and install the OSSEC agent on the other machine in the same way. 2. On the server, add a new agent with # /var/ossec/bin/manage_agents (enter your client IP ...

Creating Correlation Rules and Alarms in AlienVault

Madhuka
The goal of a correlation analysis is to see whether two measurement variables co-vary, and to quantify the strength of the relationship between the variables. Correlation is important for making sense of all the information in the system. Correlation comes to the rescue by increasing the evidence for an event, its business impact, and whether the event is a false positive. ...

Advanced Tutorial on OSSIM Directives

Madhuka
Following events in OSSIM: if the above flow occurs on the server, we will need a trigger (alert) in our OSSIM. The user makes a ‘QUIT’ event together with the following ‘DATA’ event:
<directive id="500002" name="Exceeding the email count" priority="4">
  <rule type="detector" name="Exceeding the mail count" from="ANY" to="ANY" port_from="ANY" port_to="ANY" reliability="1" occurrence="1" plugin_id="9002" plugin_sid="4">
    <rules>
      <rule type="detector" name="Test" from="ANY" to="ANY" port_from="ANY" port_to="ANY" reliab

OSSIM Correlation

Madhuka
Correlation is a process performed by the correlation engine in OSSIM. The correlation engine reads all the directives on startup in order to match individual rules or events. OSSIM’s directives are defined using XML 1.0. Rules are built as a logical tree consisting of 'if' and 'or' statements, joined to provide a reliable means of identifying attacks or network misbehaviour. A ...

Making OSSIM Alarm from Event

Madhuka
In this post we are going to generate an alarm from OSSIM when a custom event (an attack or other event of interest) occurs in our system. I will be using the custom plugin that we built. 1. Go to the “Data source” configuration -> threat_intelligence -> data_source 2. Then pick our custom data source (hello) which we created. (How to create an OSSIM custom data source) 3. ...

Reading a custom log file from OSSIM

Madhuka
Let's write an OSSIM plugin to read the hello log (my custom log file for this post). For this post I will call my plugin ‘hello’, and it reads a log file called ‘hello.log’. Creating the plugin configuration file – hello.cfg: the CFG file contains sections called 'DEFAULT', 'config', 'translation' and 'rules'. Plugins can be found in the location below. We have ...