Remote log injection

I love a good, clever hack. In the past, I've espoused the virtues of OSSEC, and I use it in more interesting and creative ways on almost a daily basis. Recently, OSSEC author Daniel Cid posted a great paper on remote log injection entitled "Attacking Log Analysis Tools." I just finished reading the paper and found it very interesting and a little disturbing. I've tinkered with one of the vulnerable tools he mentions, DenyHosts, and thought it was actually a fairly handy tool. After reading Daniel's paper, though, I'll have no choice but to make sure that it isn't running on any of my systems until after a patch is released.

Nice paper, Daniel.

Well Said

Let me begin by saying that I've be a big fan of Richard Bejtlich's TaoSecurity blog for quite a while. If you've never visited his site, go there now. Truly excellent information from a man who clearly knows what he's talking about.

I started this morning as I do every morning: by reading about 2 dozen security related RSS feeds. After glancing at the latest crop of exploits and vulnerabilities, I saw that there was a new post on TaoSecurity. Bejtlich does a fantastic job of responding to a number of posts made on the DailyDave list. In short, he responds to a number of assertions that traditional IDS (particularly Snort) is of no value.

<rant>
My feeling is that if you think it is of no value, it is probably because you aren't using it correctly, aren't using it in the proper manner, and/or aren't using it in the correct location. It reminds me of when I was a kid and used to try to help my dad when he was working on the car or the lawnmower or whatever. I remeber him telling me that "a lot of it boils down to using the right tool for the right job." Can you just throw a Snort sensor any ol' place on your network and expect it to do everything? Of course not. You place them strategically, significantly modifying the rules policy based on where you're placing them and what you intend the primary purpose of the sensor to be. Should you use Snort or Bro or SHADOW exclusively? Again, of course not. The key here is an integrated approach, using a number of different tools that cover a lot of different potential attack vectors and have all of the logs and alerts sent back to a central aggregation point for detailed analysis. Event correlation using something like OSSEC (see my previous post) can go an awfully long way toward providing accurate detection of anomolies.
</rant>

Thanks, Richard, for a great, thought-provoking post on your blog.

Link

OSSEC Host-based Intrusion Detection

I've used a lot of different file integrity monitoring programs (Samhain, Osiris, and Tripwire just to name a few), and I've messed with a number of different programs for log parsing and event correlation. Then I found OSSEC, which takes all of these things to an entirely new level. Now instead of having to manage multiple different softare packages, I can do it in one. But that's not the coolest thing. OSSEC will allow you to monitor syslog and Windows event logs as well as Apache, IIS, Snort, and numerous other logs from a single location, and it has a very robust set of rules to do event correlation. If you are so inclined, you can even take advantage of the Active Response option and have OSSEC disable accounts, drop in firewall rules, etc., etc. Plus it does file integrity monitoring on top of it all.

The server must be installed on a Linux or UNIX box, but the agent installs on just about anything, including the ubiquitous Windows platform. The agents can be configured to encrypt all of their communication with the server, or for systems that you can't install the agent (networking gear, for example), you can configure syslog on these devices to forward their syslog entries to the OSSEC server. OSSEC then seemlessly integrates all of these and creates a single, cohesive alerts file as well as breaking down alerts into daily files for easy review. Overall, very impressive. My only complaint is the reporting. The alerts file is fairly straight forward, but it is a flat text file. OSSEC comes with a few contrib scripts that will generate some text reports for you, but again, just flat text files. Ideally, I'd like to see a way to generate HTML reports (both summary and detailed reports) that are much better for sending to management and/or those who are less technically inclined. I suspect I'll probably end up writing such a tool myself as I have been unable to find one.

At any rate, OSSEC is very powerful and very cool. It does a lot of stuff very effectively, very thoroughly, and relatively easily. Check it out.

Link

SnortSam, where have you been all my life?

I have been using Snort for years and years. A couple years ago I started messing with Snort_inline. Great concept, works beautifully. The downside is that Snort only works in inline mode when used in conjunction with iptables. Recently I was tinkering with a Linux box in VMware's Virtual Server and I was trying to get Snort_inline to work, alas to no avail. (Side note: if you haven't played with Virtual Server, you don't know what you're missing. Go get it now and download some of the Virtual Appliances. You won't be disappointed.) So I decided to take a look at SnortSam, a tool that I've had on my list of things to mess with for ages, but I just never got around to it. One word: wow. The possibilities for things you can do with Snort and SnortSam are nearly endless. It took a few minutes to get configured correctly and there were a couple of failed attempts on my part before I finally got it configured the way I wanted. All told about 20 minutes. It affords the opportunity to leverage just about any existing infrastructure and quickly create a full-blown IPS network. SnortSam is now on my short list of invaluable tools.