As part of the second edition of the OSSEC week, I'd like to give some information about my daily usage of OSSEC. This week is an initiative from Michael Starks of Immutable Security and aims to promote OSSEC to the security community. I'm fully supporting such great initiatives.
What about my OSSEC background? I had always heard good feedback about OSSEC, but I'm not a very old user. My friend, Wim Remes, presented OSSEC at an ISSA Belgium chapter meeting at the very beginning of 2010. This was a trigger for me and I started to investigate what OSSEC could bring me. Today, I'm using OSSEC for two main purposes:
- Server monitoring (surprised? 😉)
- Research
During my spare time, I'm maintaining a small infrastructure composed of a few servers spread over the world. Those servers are used, among other personal things, to host web sites like this blog, the EuroTrashSecurity podcast, the BruCON sites and some others. Due to their public visibility, those servers generate a volume of events per day that quickly became unmanageable using manual review or simple scripts. At the moment, my OSSEC server processes ~10 EPS ("Events Per Second"). Furthermore, there's nothing more annoying than processing logs. Worse, without a proper tool, you could miss important events (which must be flagged and investigated depending on their criticality). That's why OSSEC became a must-have for me. Which features are implemented in my infrastructure?
- Log collection and parsing (using OSSEC agents)
  - UNIX, Apache, ProFTPd, WordPress
- E-mail alerts for the most critical events
  - For events which need to be investigated
- File integrity checking
- Rootkit detection
- Active response
OSSEC can be managed via a Web User Interface, but I prefer to use the remote logging facility (via Syslog) and forward my events to a Splunk server.
I’m also using OSSEC for research purposes. Log management solutions, investigations and incident management are hot topics. OSSEC is a great tool to implement specific controls. Here is a summary of my contributions based on OSSEC:
- Importing Secunia advisories into a SIEM/OSSEC
  Services like Secunia or OSVDB are a great source of information. They can help you generate valuable alerts based on vulnerabilities.
- Detecting USB storage usage with OSSEC
  USB storage devices are a pain for system administrators (risk of data leakage, malware infections, etc.). It's possible to detect the insertion of USB devices in Windows computers using OSSEC.
- Detecting fraud with OSSEC
  How to correlate events received from multiple sources to detect suspicious activity, like a session opened on a web site from an IP address located in a foreign country. I also presented this solution during the BruCON lightning talks session (my slides are available here).
- Splitting OSSEC events in Splunk
  By default, events forwarded from OSSEC to Splunk all originate from the same source (the OSSEC server). It is possible to extract the original host name and split the events in the Splunk DB across multiple devices (OSSEC agents).
- PaloAlto firewall threat monitoring using OSSEC
  OSSEC is able to parse lots of log formats with its default configuration, but new decoders can be added to parse "unsupported" logs. This example shows how to report threat events generated by a PaloAlto firewall.
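To make the "Splitting OSSEC events" idea above concrete, here is an added example (my own illustration, not code from the original post or from the OSSEC or Splunk projects) that parses alerts in the form the OSSEC syslog forwarder emits them and regroups them by the agent that originally produced the event. The sample alert lines are constructed, and the field layout the regex expects ("Alert Level: N; Rule: NNNN - text; Location: (agent) ip->file; ...") is an assumption to check against your own forwarder output before relying on it.

```python
import re
from collections import defaultdict

# Constructed sample of alerts as received on a Syslog collector from the OSSEC
# server. Agent events carry "(agentname) ip->source" in Location; events
# generated on the OSSEC server itself carry only "hostname->source".
SAMPLE_ALERTS = [
    "Apr  9 11:02:17 ossec-srv ossec: Alert Level: 3; Rule: 5501 - Login session opened.; "
    "Location: (web01) 203.0.113.10->/var/log/auth.log; user: xavier;",
    "Apr  9 11:02:45 ossec-srv ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying "
    "to get access to the system.; Location: (web01) 203.0.113.10->/var/log/auth.log; "
    "srcip: 198.51.100.7;",
    "Apr  9 11:03:01 ossec-srv ossec: Alert Level: 7; Rule: 550 - Integrity checksum changed.; "
    "Location: (ftp02) 198.51.100.22->syscheck;",
    "Apr  9 11:03:30 ossec-srv ossec: Alert Level: 5; Rule: 31101 - Web server 400 error code.; "
    "Location: ossec-srv->/var/log/apache2/access.log; srcip: 192.0.2.44;",
    # Not an OSSEC alert at all: must be ignored, not mis-attributed to a host.
    "Apr  9 11:04:00 ossec-srv sshd[1234]: Accepted publickey for root from 192.0.2.9",
]

# Assumed field layout of the forwarded alert (verify against your own output).
ALERT_RE = re.compile(
    r"ossec: Alert Level: (?P<level>\d+); "
    r"Rule: (?P<rule>\d+) - (?P<description>.*?); "
    r"Location: (?P<location>[^;]*);"
)
AGENT_LOC_RE = re.compile(r"^\((?P<agent>[^)]+)\) (?P<ip>\S+)->(?P<source>.*)$")
LOCAL_LOC_RE = re.compile(r"^(?P<host>[^>]+?)->(?P<source>.*)$")
OPTIONAL_FIELDS = ("srcip", "dstip", "user")


def parse_alert(line):
    """Return a dict for one forwarded OSSEC alert, or None if the line is not one."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = {
        "level": int(m.group("level")),
        "rule": int(m.group("rule")),
        "description": m.group("description"),
    }
    location = m.group("location")
    am = AGENT_LOC_RE.match(location)
    if am:
        # Event came from an agent: the real origin is the agent, not the OSSEC server.
        alert["host"] = am.group("agent")
        alert["agent_ip"] = am.group("ip")
        alert["source"] = am.group("source")
    else:
        lm = LOCAL_LOC_RE.match(location)
        if lm:
            alert["host"] = lm.group("host")
            alert["source"] = lm.group("source")
        else:
            alert["host"] = "unknown"
            alert["source"] = location
    # Optional "key: value;" fields follow the Location field.
    rest = line[m.end():]
    for field in OPTIONAL_FIELDS:
        fm = re.search(rf"\b{field}: ([^;]+);", rest)
        if fm:
            alert[field] = fm.group(1)
    return alert


def split_by_host(lines):
    """Group parsed alerts by their originating host (agent name or server)."""
    by_host = defaultdict(list)
    for line in lines:
        alert = parse_alert(line)
        if alert is not None:
            by_host[alert["host"]].append(alert)
    return dict(by_host)


def highest_level_by_host(lines):
    """Highest alert level seen per host, handy for a quick triage view."""
    return {host: max(a["level"] for a in alerts)
            for host, alerts in split_by_host(lines).items()}


if __name__ == "__main__":
    for host, alerts in split_by_host(SAMPLE_ALERTS).items():
        print(f"{host}: {len(alerts)} alert(s), max level {max(a['level'] for a in alerts)}")
```

In Splunk the same extraction would be a field extraction on the Location field so that the `host` field is overridden with the agent name; the Python version shows what that extraction has to cope with (agent events, server-local events and non-OSSEC lines on the same collector).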
That’s my contribution to the OSSEC week for today. More to come!