If you’re familiar with SIEM tools or OSSEC, then you know syscheck. Syscheck is the integrity checking daemon within OSSEC. Its purpose is simple: identify and report on changes to system files. Once the baseline is set, syscheck performs change detection by comparing all the checksums on each scan. If it’s not a 1 for 1 ...
There is an agent in the system with IP 192.168.80.22. An email is to be sent to the server admins whenever this agent disconnects from and reconnects to the SIEM server. Below is the sample event. Here are the event ID and data source ID of interest when the agent starts to communicate with the SIEM server. Event Name: AlienVault HIDS - HIDS agent started. Event Type Id: ...
We need an extra user data field on our security event. We need to know the time the event occurred and the host server IP. We can achieve this by editing the particular event in ‘/etc/ossim/agent/plugins/ossec-single-line.cfg’. We are interested in the Web group and ID 0030. We added the lines below as needed:
userdata3={normalize_date($date)}
userdata4={resolv($hostname)}
After editing it will be as below: [0030 - Web - group - ...
Prerequisite: test the new OSSEC log with ‘ossec-logtest’. Here is the custom created rule. This rule mainly looks for URLs containing words such as ‘payment’:
<rule id="31181" level="6">
  <if_sid>31100</if_sid>
  <url>payment|paid|pay|pays|bar</url>
  <description>Customer payment attempt.</description>
  <group>attack,</group>
</rule>
1. Update the OSSIM plugins. The OSSIM plugin needs to be updated to map the OSSEC rule to the OSSIM agent plugin etc/ossim/agent/plugins/ossec-single-l
Here I am using a well-known decoder in OSSEC; if you need a new OSSEC decoder, you can write a new decoder as well [1]. Add a new file to the rules directory in OSSEC. Creating a new OSSEC rule set:
$ vi var/ossec/rules/custom_access_rules.xml
Here I am interested in monitoring a web user behaviour model, so I only need the 200 HTTP status code and I ...
Introduction: In OSSEC, rules are classified in multiple levels from the lowest (00) to the maximum level 16. Some levels are not used right now; the level details are explained below.
00 - Ignored
01 - None
05 - Error generated by user
06 - Low relevance attack
08 - First time seen
12 - High importance event
15 - Severe attack (There ...
A brute-force attack consists of an attacker trying many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found. Alternatively, the attacker can attempt to guess the key, which is typically derived from the password using a key derivation function. This is known as an ...
Unfortunately Windows does not support fdisk anymore, but there is another good command line tool to solve this problem. DiskPart in Windows is useful for formatting unallocated space on a USB pen drive.
1. Enter ‘diskpart’ in cmd; DiskPart will then start.
2. List the storage in the PC with list disk.
3. Select the disk to fix by (in my case it is ...
The Linux kernel in Ubuntu provides a packet filtering system called netfilter, and the traditional interface for manipulating netfilter is the iptables suite of commands. The Uncomplicated Firewall (ufw) is a frontend for iptables and is particularly well-suited for host-based firewalls. Allowing a port from any source:
$ sudo ufw allow 122/tcp
Listing the apps and app info:
$ sudo ufw app list
$ ufw ...
Count the lines in which the word has been matched:
$ grep -c 'word' /path/to/file
Pass the -n option to precede each line of output with its line number in the text file:
$ grep -n 'root' /etc/passwd
Ignore word case:
$ grep -i 'word' /path/to/file
Use grep recursively under each directory:
$ grep -r 'word' /path/to/file
Use grep to search 2 different ...
Each application has its own log record format, e.g.:
web.madhuka.lk 123.231.120.128 - - [27/Dec/2015:03:44:16 +0530] "POST /lksearch.php HTTP/1.1" 200 35765 "http://madhuka.lk/" "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
Here we add a new OSSEC decoder called “custom-apache-access-log”:
# /var/ossec/etc/decoder.xml
<decoder name="custom-apache-access-log">
  <program_name>custom-apache-access-log</program_name>
</decoder>
Then test it: # /var/ossec/bin/oss
The access log moves to the sensor / data source; then I map it to an event ID, taking the rules in OSSIM into account. Data sources can be found in “ossim -> configuration -> threat_intelligence -> data_source”; search for the source as below. Pick “AlienVault HIDS-accesslog”, which reads the access log. Browse the data source from the UI. Events are mapped to OSSEC event ...
It provides SSH authentication to the host you want to access. For Cisco devices (PIX, routers, etc.), you need to provide an additional parameter for the enable password. The same applies if you want to add support for “su”; it must be the additional parameter. 1. Log into AlienVault USM. 2. Navigate to environment -> detection -> hids -> ...
1. Download the OSSIM image file.
2. Make a bootable pen drive with the OSSIM ISO file.
3. Boot from the drive. Make sure you have an internet connection.
4. Select OSSIM server to install.
5. Just follow the wizard.
6. Add the network details correctly, with a unique new IP for the OSSIM server.
7. After the install is completed, go through the web interface to set up the configuration of the OSSIM
Finding the logs on my server. I generally use lsof to list what my server has open:
lsof | grep log
I check which logs are being read by OSSEC:
cat /var/ossec/etc/ossec.conf | grep "<location>/"
Add the new access log to OSSEC:
/var/ossec/bin/util.sh addfile /var/log/httpd/nic.access_log
or just update “/var/ossec/etc/ossec.conf”. Then add some log lines or run your server to get some log: echo "123.231.120.128 ...
The OSSEC client and server are connected using UDP port 1514. We need to test message passing over UDP. To see whether OSSEC network connections exist, use the command below:
# netstat -putan | grep ossec
There must be results on both the server and the client. Here it is on the server. Here it is on the client (agent). To check if ossec-server is receiving data on ...
Linux comes with a host-based firewall called Netfilter. iptables is the program for the Linux firewall and it handles filtering for IPv4; ip6tables handles IPv6. This post lists the simplest iptables solutions a new Linux user needs to secure his or her Linux operating system from intruders. Displaying the status of your firewall:
iptables -L -n -v
-L : List rules
-v ...
For this you will need two machines, one for the OSSEC server and the other for the OSSEC client. The post contains mainly two components: the OSSEC server and the OSSEC agent (client). 1. Install the server (the steps are explained in the previous article), and in the same way install the OSSEC agent on the other machine. 2. On the server, add the new agent by
# /var/ossec/bin/manage_agents
(Enter your client IP ...
The goal of a correlation analysis is to see whether two measurement variables co-vary, and to quantify the strength of the relationship between the variables. Correlation is important to make sense of all the information in the system. Correlation comes to the rescue: it increases the evidence for an event and its business impact, and helps show whether the event is a false positive. ...
Following the event in OSSIM: on the server, if there is a flow like the above, we will need a trigger (alert) in our OSSIM. The user makes a ‘QUIT’ event with the following ‘DATA’ event:
<directive id="500002" name="Exceeding the email count" priority="4">
  <rule type="detector" name="Exceeding the mail count" from="ANY" to="ANY" port_from="ANY" port_to="ANY" reliability="1" occurrence="1" plugin_id="9002" plugin_sid="4">
    <rules>
      <rule type="detector" name="Test" from="ANY" to="ANY" port_from="ANY" port_to="ANY" reliab