Santi 'Log


Alarms by type
Tue, 06 Oct 2009

I want to share a new graph I have made for the OSSIM "Executive Panel". It shows the most frequently generated alarm types as a radar chart. I hope you will find it useful.



To create it just edit a graph, go to "Category -> Config Import" and paste the following string. It is a base64-encoded PHP serialized array (a plugin_config_exchange structure) carrying the graph options, including the SQL the framework will run against the ossim database, so decode and read any such import string before pasting it, whatever its source:

plugin_custom_sql:: YTo0OntzOjY6InBsdWdpbiI7czoyMjoicGx1Z2luX2NvbmZpZ19leGNoYW5nZSI7czoxMToicGx1Z2luX29wdHMiO2E6Mjc6e3M6ODoiZ3JhcGhfZGIiO3M6NToib3NzaW0iO3M6OToiZ3JhcGhfc3FsIjtzOjI0NDoic2VsZWN0IENPTkNBVChTVUJTVFJJTkcoUkVQTEFDRShwbHVnaW5fc2lkLm5hbWUsImRpcmVjdGl2ZV9ldmVudDogIiwiIiksMSwxNyksIi4uLiIpLCBjb3VudCgqKSBhcyBudW0gZnJvbSBhbGFybSwgcGx1Z2luX3NpZCAKd2hlcmUgYWxhcm0ucGx1Z2luX2lkID0gcGx1Z2luX3NpZC5wbHVnaW5faWQgYW5kIAphbGFybS5wbHVnaW5fc2lkID0gcGx1Z2luX3NpZC5zaWQKZ3JvdXAgYnkgYWxhcm0ucGx1Z2luX3NpZCBsaW1pdCA4OyI7czoxMToiZ3JhcGhfdGl0bGUiO3M6MDoiIjtzOjEwOiJncmFwaF90eXBlIjtzOjU6InJhZGFyIjtzOjE4OiJncmFwaF9sZWdlbmRfZmllbGQiO3M6Mzoicm93IjtzOjE2OiJncmFwaF9wbG90c2hhZG93IjtzOjE6IjEiO3M6MTU6ImdyYXBoX3BpZV90aGVtZSI7czo1OiJ3YXRlciI7czoxNzoiZ3JhcGhfcGllXzNkYW5nbGUiO3M6MjoiNDUiO3M6MTc6ImdyYXBoX3BpZV9leHBsb2RlIjtzOjM6ImFsbCI7czoyMToiZ3JhcGhfcGllX2V4cGxvZGVfcG9zIjtzOjE6IjEiO3M6MjI6ImdyYXBoX3BpZV9hbnRpYWxpYXNpbmciO3M6MToiMSI7czoxNjoiZ3JhcGhfcGllX2NlbnRlciI7czo0OiIwLjIzIjtzOjE4OiJncmFwaF9wb2ludF9sZWdlbmQiO3M6MDoiIjtzOjE3OiJncmFwaF9zaG93X3ZhbHVlcyI7czoxOiIwIjtzOjExOiJncmFwaF9jb2xvciI7czo3OiIjMDAwMDgwIjtzOjE0OiJncmFwaF9ncmFkaWVudCI7czoxOiIwIjtzOjEwOiJncmFwaF9saW5rIjtzOjA6IiI7czoxNjoiZ3JhcGhfcmFkYXJfZmlsbCI7czoxOiIxIjtzOjExOiJncmFwaF95X21pbiI7czoxOiIwIjtzOjExOiJncmFwaF95X21heCI7czoxOiIwIjtzOjExOiJncmFwaF94X21pbiI7czoxOiIwIjtzOjExOiJncmFwaF94X21heCI7czoxOiIwIjtzOjExOiJncmFwaF95X3RvcCI7czoxOiIwIjtzOjExOiJncmFwaF95X2JvdCI7czoxOiIwIjtzOjExOiJncmFwaF94X3RvcCI7czoxOiIwIjtzOjExOiJncmFwaF94X2JvdCI7czoxOiIwIjtzOjE1OiJleHBvcnRlZF9wbHVnaW4iO3M6MTc6InBsdWdpbl9jdXN0b21fc3FsIjt9czoxMToid2luZG93X29wdHMiO2E6Mzp7czoyOiJpZCI7czozOiIxeDMiO3M6NToidGl0bGUiO3M6MTQ6IkFsYXJtcyBieSBUeXBlIjtzOjQ6ImhlbHAiO3M6MDoiIjt9czoxMToibWV0cmljX29wdHMiO2E6NDp7czoxNDoiZW5hYmxlX21ldHJpY3MiO3M6MToiMCI7czoxMDoibWV0cmljX3NxbCI7czowOiIiO3M6MTM6Imxvd190aHJlc2hvbGQiO2k6MDtzOjE0OiJoaWdoX3RocmVzaG9sZCI7aTowO319

And, on the other hand, if you are curious about the SQL query, here it is. Two things differ from the query embedded in the import string above: the GROUP BY includes alarm.plugin_id, because sid numbers are only unique within a plugin and grouping on alarm.plugin_sid alone merges alarms from different plugins into one slice; and ORDER BY num DESC is what makes LIMIT 8 return the eight most frequent types rather than an arbitrary eight rows. Edit the graph's SQL after importing if you want this version:

    select CONCAT(SUBSTRING(REPLACE(plugin_sid.name, 'directive_event: ', ''), 1, 17), '...'),
           count(*) as num
    from alarm
    join plugin_sid on alarm.plugin_id = plugin_sid.plugin_id
                   and alarm.plugin_sid = plugin_sid.sid
    group by alarm.plugin_id, alarm.plugin_sid
    order by num desc
    limit 8;

posted at: 14:59 | path: /ossim/configs | 0 comments



Detecting ASN.1 buffer overflow attack
Tue, 08 Sep 2009

Introduction

This is the first post on my recently opened blog. I hope the issues discussed here will be of interest to OSSIM users and perhaps to some other people as well.

The first thing I will try to explain is how to test OSSIM by generating real attacks, such as exploiting a buffer overflow against an unpatched host. For this purpose we will use the Microsoft ASN.1 library (msasn1.dll) bit-string heap overflow, MS04-007 / CVE-2003-0818, whose details can be found at http://www.phreedom.org/solar/exploits/msasn1-bitstring/ The same page includes an exploit called kill-bill that takes advantage of the vulnerability ;-)

Now let's see the steps needed to get an alarm in OSSIM and execute an action-response policy...

OSSIM configuration

1.- Detecting the intrusion with Snort rules. In this case it's done by the rule "NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt" (sid 3000). I paste it here, copied from the /etc/snort/rules/netbios.rules file:

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:3000; rev:4;)

2.- The next step is to create a simple directive to feed the correlation engine. It can be done in /etc/ossim/server/generic.xml. The one I have created is:

<directive id="24" name="Buffer overflow attempt against DST_IP" priority="9">
   <rule type="detector" name="Buffer overflow rule matched" reliability="9"
   occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
   plugin_id="1001"
   plugin_sid="2383"/>
</directive>

This is the simplest form of a directive: a single detector rule that fires on one event. Note that plugin_sid must be the sid of the Snort rule that actually fires on your sensor (plugin_id 1001 is Snort): the rule pasted above carries sid:3000, whereas this directive references 2383, so check which of the ASN.1 rules triggers in your deployment and adjust the directive accordingly. If we want, we can nest rule levels to detect more complex attacks (e.g. add rules matching port scans or session duration). Here is an example of a directive that detects a port scan followed by an open port being found (I also use it in the video demo you will find below):

<directive id="25" name="TCP Portscan against DST_IP" priority="6">
   <rule type="detector" name="TCP Portscan" reliability="5"
   occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
   plugin_id="1122"
   plugin_sid="1">
      <rules>
         <rule type="detector" name="portscan: Open Port" reliability="+3"
         occurrence="1" from="1:SRC_IP" to="1:DST_IP" port_from="ANY" port_to="ANY"
         plugin_id="1122"
         plugin_sid="27"/>
      </rules>
   </rule>
</directive>

3.- The last step is to configure an action (for example, sending an e-mail) to execute when the alarm is generated. This can be done easily from the web framework.
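To make the directive semantics concrete, here is an added example (my own Python, not OSSIM's ossim-server code) that parses the two directives above and walks a constructed event stream through them. The events and addresses are constructed for the example, and the matching is a simplified model: one event per level (occurrence 1), a "+N" reliability added to the parent level's, and SRC_IP/DST_IP in the directive name replaced from the level-1 event. The real engine's time windows, occurrence counts above one and the risk calculation are not reproduced.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# The two directives from this post, verbatim; the matching logic below them
# is an added simplified model, not OSSIM's ossim-server correlation engine.
DIRECTIVES_XML = """<directives>
<directive id="24" name="Buffer overflow attempt against DST_IP" priority="9">
   <rule type="detector" name="Buffer overflow rule matched" reliability="9"
   occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
   plugin_id="1001" plugin_sid="2383"/>
</directive>
<directive id="25" name="TCP Portscan against DST_IP" priority="6">
   <rule type="detector" name="TCP Portscan" reliability="5"
   occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
   plugin_id="1122" plugin_sid="1">
      <rules>
         <rule type="detector" name="portscan: Open Port" reliability="+3"
         occurrence="1" from="1:SRC_IP" to="1:DST_IP" port_from="ANY" port_to="ANY"
         plugin_id="1122" plugin_sid="27"/>
      </rules>
   </rule>
</directive>
</directives>"""


@dataclass
class Event:
    plugin_id: int
    plugin_sid: int
    src_ip: str
    dst_ip: str


def _resolve(spec, matched):
    """"ANY" matches everything (None); "N:SRC_IP" / "N:DST_IP" bind to the
    address of the event that satisfied level N, so a child rule only fires
    for the same attacker/victim pair as its parent level."""
    if spec == "ANY":
        return None
    level, field = spec.split(":")
    event = matched[int(level) - 1]
    return event.src_ip if field == "SRC_IP" else event.dst_ip


def _matches(rule, event, matched):
    wanted = (int(rule.get("plugin_id")), int(rule.get("plugin_sid")))
    if wanted != (event.plugin_id, event.plugin_sid):
        return False
    src = _resolve(rule.get("from"), matched)
    dst = _resolve(rule.get("to"), matched)
    return src in (None, event.src_ip) and dst in (None, event.dst_ip)


def run_directive(directive, events):
    """Walk the rule chain over an ordered event stream. Each level consumes
    the first later event matching it (occurrence="1" as in both directives).
    Returns (levels_matched, reliability, alarm_name), or None if level 1
    never fired. A reliability written as "+N" is added to the level above."""
    rule = directive.find("rule")
    matched, reliability, start = [], 0, 0
    while rule is not None:
        hit = next((i for i in range(start, len(events))
                    if _matches(rule, events[i], matched)), None)
        if hit is None:
            break
        matched.append(events[hit])
        start = hit + 1
        rel = rule.get("reliability")
        reliability = reliability + int(rel) if rel.startswith("+") else int(rel)
        nested = rule.find("rules")
        rule = nested.find("rule") if nested is not None else None
    if not matched:
        return None
    name = (directive.get("name")
            .replace("DST_IP", matched[0].dst_ip)
            .replace("SRC_IP", matched[0].src_ip))
    return len(matched), reliability, name


# Constructed events (plugin_id, plugin_sid, src, dst); addresses are examples.
SAMPLE_EVENTS = [
    Event(1122, 1, "10.0.0.5", "10.0.0.20"),     # TCP portscan, attacker -> victim
    Event(1122, 27, "10.0.0.9", "10.0.0.20"),    # open port, but from another source: must not bind
    Event(1122, 27, "10.0.0.5", "10.0.0.20"),    # open port from the same source: completes level 2
    Event(1001, 2383, "10.0.0.5", "10.0.0.20"),  # Snort sid referenced by directive 24
]


def demo(events=SAMPLE_EVENTS):
    """Evaluate every directive against the stream, keyed by directive id."""
    root = ET.fromstring(DIRECTIVES_XML)
    return {d.get("id"): run_directive(d, events) for d in root.findall("directive")}


if __name__ == "__main__":
    for directive_id, result in demo().items():
        print(directive_id, result)
```

The second sample event is the interesting one: an "open port" event from a different source never binds to the portscan level, because from="1:SRC_IP" ties level 2 to the address that matched level 1. That is what keeps a busy network from turning every open-port event into a correlated alarm.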

Video demo

Well, in the end I have decided to upload a video demo made as a proof of concept of everything discussed above. It lasts 10:33 and has no sound, but I think it's quite self-explanatory. I hope you will enjoy it.



posted at: 11:09 | path: /ossim/tests | 8 comments



Collecting events with rsyslog
Tue, 08 Sep 2009

This article is a small how-to on OSSIM event collection using rsyslog. As an example, let's configure OSSIM to collect events from a Netscreen firewall.

OSSIM agent

  1. First of all we need to activate the plugin in /etc/ossim/agent/config.cfg by adding a new line to our plugins list. The line could look like this:
    netscreen=/etc/ossim/agent/plugins/netscreen-firewall.cfg
  2. Then we set the "location" variable in the config file of the plugin we want to use. In our case this file is /etc/ossim/agent/plugins/netscreen-firewall.cfg (the other plugin config files live there too). For example, let's set it this way:
    location=/var/log/netscreen-firewall.log
  3. Once the two previous steps are done, don't forget to restart the ossim-agent daemon so it loads the new configuration:
    /etc/init.d/ossim-agent restart

Rsyslog

Then it's time to go through the rsyslogd configuration.


  1. Enable reception of messages from remote hosts. Note that the -r switch in /etc/default/syslogd belongs to the old sysklogd daemon that rsyslog replaces; rsyslog reads /etc/default/rsyslog instead and, in native mode (next step), does not honour the sysklogd switches at all. The rsyslog way is to load the UDP input module and bind it to port 514 near the top of /etc/rsyslog.conf:
    $ModLoad imudp
    $UDPServerRun 514
    Syslog over UDP is unauthenticated and the source address can be spoofed, so restrict the accepted senders to the network your devices sit on (the prefix below is an example):
    $AllowedSender UDP, 192.0.2.0/24
  2. Run rsyslogd in native v3 mode, so the directives above are interpreted as written rather than through the sysklogd compatibility layer, by setting RSYSLOGD_OPTIONS in /etc/default/rsyslog:
    RSYSLOGD_OPTIONS="-c3"
  3. Now let's edit the filter rules in /etc/rsyslog.conf. For our example I add these lines before the standard logging rules. The comments explain what each line does; rsyslog evaluates them top to bottom, so the order matters.
    # Line 1: discard logs containing the string "action=Permit".
    # This is just tuning: traffic accepted by the firewall policy is of little use to the SIEM.
    # Note that this selector is not restricted to the firewall: a message from any host containing "action=Permit" is dropped.
    :msg, contains, "action=Permit" ~

    # Line 2: if the sender resolves to "netscreen_hostname" (put it in /etc/hosts), append the message to /var/log/netscreen-firewall.log.
    # The leading "-" means rsyslog will not sync the file after every write (faster).
    :fromhost, isequal, "netscreen_hostname" -/var/log/netscreen-firewall.log

    # Line 3: then discard everything else coming from "netscreen_hostname", so it is not also written to the system log files.
    :fromhost, isequal, "netscreen_hostname" ~

    #... standard logging rules should go right here ...

    If you need more help with the rsyslog.conf filter possibilities you can find it at: http://www.rsyslog.com/doc-rsyslog_conf_filter.html


  4. At last we just need to restart the rsyslog daemon:
    /etc/init.d/rsyslog restart

At this point rsyslogd should be listening on UDP port 514 (the default); you can check it with netstat -lnu, which should show a line bound to port 514. Once the device is configured to send its syslog to the OSSIM sensor, its events should appear in /var/log/netscreen-firewall.log (tail -f it while generating some traffic), be parsed by the agent plugin and reach the server for correlation.
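To check the ordering logic of those three filter lines without touching a live rsyslogd, here is an added example (my own Python, not rsyslog code or the post's configuration) that models how rsyslogd walks the property-based filters over a few constructed log records. The host names, message texts and record fields are constructed for the example; the rsyslog behaviour it models is that selectors are evaluated top to bottom, a file action appends and lets evaluation continue, and the discard action "~" stops it.

```python
# Added example (not rsyslog code): a small model of the three property-based
# filter lines from this post, run over constructed log records, to show why
# their order matters and which messages the first line really discards.
RULES = [
    # (property, comparison, value, action): "~" discards the message,
    # "-/path" appends it to a file without syncing after every write.
    ("msg", "contains", "action=Permit", "~"),
    ("fromhost", "isequal", "netscreen_hostname", "-/var/log/netscreen-firewall.log"),
    ("fromhost", "isequal", "netscreen_hostname", "~"),
]


def route(record, rules=RULES):
    """Walk the rules top to bottom as rsyslogd does. A matching file action
    records the destination and evaluation continues; a matching discard
    stops it. A record that survives every rule reaches the standard logging
    rules, represented here by the destination "system-log"."""
    destinations = []
    for prop, comparison, value, action in rules:
        field = record[prop]
        hit = value in field if comparison == "contains" else field == value
        if not hit:
            continue
        if action == "~":
            return destinations
        destinations.append(action.lstrip("-"))
    destinations.append("system-log")
    return destinations


# Constructed records. "fromhost" is the name rsyslog resolved for the sender,
# which is why the Netscreen needs an /etc/hosts entry for this filter to work.
SAMPLE_RECORDS = {
    "netscreen-permit": {"fromhost": "netscreen_hostname",
                         "msg": "fw: src=192.0.2.10 dst=198.51.100.5 proto=tcp action=Permit"},
    "netscreen-deny":   {"fromhost": "netscreen_hostname",
                         "msg": "fw: src=192.0.2.10 dst=198.51.100.5 proto=tcp action=Deny"},
    # Another host whose application happens to log "action=Permit": line 1
    # discards it too, since that selector does not look at the sender.
    "webserver-permit": {"fromhost": "www1", "msg": "app: action=Permit user=alice"},
    "webserver-ssh":    {"fromhost": "www1",
                         "msg": "sshd[1234]: Failed password for root from 203.0.113.9"},
}


def demo():
    """Route every sample record; returns the destinations per record name."""
    return {name: route(record) for name, record in SAMPLE_RECORDS.items()}


if __name__ == "__main__":
    for name, destinations in demo().items():
        print(f"{name:17s} -> {destinations or 'discarded'}")
```

The "webserver-permit" record is the one to notice: because line 1 only looks at the message text, it silently drops matching messages from every host, not just the firewall. If that is not what you want, put the Netscreen-specific discard after the fromhost test instead.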


As you can see this how-to is quite simple, but I hope it helps you with your configurations, or helps me remember it when needed.


Regards.

posted at: 10:55 | path: /ossim/configs | 0 comments



OSCON '09 submittal - Maybe next year
Sat, 07 Mar 2009

Introduction

I want to announce that I have submitted a proposal for an OSSIM workshop at the Open Source Convention this year in San Jose, California. The event will take place on 20-24 July. As the proposal is still under review I am not completely sure about our presence there; nevertheless I am glad to share with you the submittal I have made.

OSCON website: http://en.oreilly.com/oscon2009/

On the other hand, if anybody knows of an interesting infosec event anywhere where OSSIM would fit, please drop me a line at santiago@ossim.com and we can look into giving a talk there.

OSSIM workshop proposal for OSCON '09

OSSIM stands for Open Source Security Information Management. It is a security system built from more than 15 well-known open source tools. Its goal, based on data correlation, is to provide a centralized console with all the information needed for attack and anomaly detection, forensic analysis, policy definition and risk assessment. It also has a high-level visualization interface as well as reporting and incident management tools.

The main idea is a 3-hour technical tutorial explaining the system architecture and functionality and showing it working in real time with different use cases. To achieve this goal, I propose the following outline:

1.- Brief introduction of the tutorial (10 minutes).

2.- OSSIM explanation:

  • System architecture (10 min)
  • Components and their functionalities (10 min)
  • Data collection, correlation engine and policies definition (10 min)

3.- Use cases: in order to test OSSIM features we will launch some common attacks in a virtual scenario using VMware. This way we will see real-time detection based on the correlation engine, and perform low-level forensic analysis to understand as much as possible about the attack method used and its behaviour.

  • Brute force attacks against Unix and Microsoft environments (10 min)
  • Buffer overflow exploits using metasploit and shellcode analysis (15 min)
  • Detecting network scans based on the anomaly preprocessor (10 min)
  • Worm propagation attempt (15 min)
  • Denial of Service attack (10 min)
  • Security policies violation (10 min)
  • Network behavior real time visualization (15 min)

4.- OSSIM deployment in real networks (15 min)

5.- Honeypots data collection and correlation (20 min)

6.- Questions and others (20 min)

Tools we are going to use:

  • VMware Server
  • OSSIM (virtual machine)
  • Backtrack 3 Linux distribution (virtual machine)
  • Windows XP Pro (virtual machine)
  • Nepenthes (virtual machine)

Example: if you want to see a video of an attack detected with OSSIM, you can find it on my blog at http://www.alienvault.com/blog/santiago/ossim/tests/index. At the conference we will explain similar use cases in depth, so attendees will understand how to take advantage of this security system.

More info about OSSIM at: http://www.ossim.net

Confirmation

When I get an answer from the OSCON people I will update this post to confirm whether the workshop will really take place. And, by the way, if there is OSSIM presence at some other event, please feel free to post a comment to let us know.

In the end we won't be at OSCON '09

I am sorry to say that we won't be at OSCON, as they are at full capacity this year. Quoting them: "The response to our Call for Proposals was overwhelming, and we received far more than we can possibly accommodate in the program."

Nevertheless we have planned some other conferences in the coming months, so there will be new entries on the blog announcing them :-)

posted at: 16:50 | path: /ossim/events | 0 comments
Tags: ossim, conference, oscon



Santiago Gonzalez
(feel free to get in touch)