Simple Menu Driven Installation

OSSEC HIDS v2.4 Installation Script - http://www.ossec.net
You are about to start the installation process of the OSSEC HIDS. You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail to [email protected] (or [email protected]).
- System: Linux myserver.mysite.com 2.6.18-164.15.1.el5
- User: root
- Host: myserver.mysite.com
- Log Analysis
- Integrity Checking
- Rootkit Detection
- Policy Monitoring
- Alerting
- Active Responses
- LIDS
- Scalable
- Easy to Install
- Free
- Multiplatform
- Secure by default
- Loaded with rules & decoders
Alerts
- Correlates events
- Takes action
[Diagram: a host and several VMs, each running an OSSEC agent, reporting to the OSSEC Server]
<group name="MyCustomApp,">
  <rule id="111100" level="0">
    <category>web-log</category>
    <description>Access log messages grouped.</description>
  </rule>

  <rule id="111108" level="0">
    <if_sid>111100</if_sid>
    <id>^2|^3</id>
    <compiled_rule>is_simple_xyz_request</compiled_rule>
    <description>Ignored URLs (simple queries).</description>
  </rule>

  <rule id="111101" level="5">
    <if_sid>111100</if_sid>
    <id>^4</id>
    <description>Custom server 4014 error code.</description>
  </rule>

  <rule id="111102" level="0">
    <if_sid>111101</if_sid>
    <url>.jpg$|.gif$|favicon.ico$|.png$|rs.txt$|.cs$|.js$</url>
    <compiled_rule>is_simple_cutsom_request</compiled_rule>
    <description>Ignored extensions on 4000 error codes.</description>
  </rule>
</group>
Logs
File Changes
Registry Modifications
Stand-alone Client
- Acts as client & server
- Not very useful; testing scenarios only
Client-Server Install
- More secure
- Centralized management
- Greater taste
Syscheck
- File Integrity Checking
- Registry Integrity Checking
Out of the Box Active Responses
• disable-account.sh
• firewall-drop.sh
• host-deny.sh
• ipfw_mac.sh
Secure Architecture
- Encryption key exchange at installation
- Integrity checks performed at server
- Multiple processes
- Each process at lowest permissions
Install.sh Questions
• For installation in English, choose [en] (en/br/cn/de/el/es/fr/it/jp/nl/pl/ru/sr/tr) [en]: en
• What kind of installation do you want (server, agent, local or help)? server
• Choose where to install the OSSEC HIDS [/var/ossec]: /var/ossec
• Do you want e-mail notification? (y/n) [y]: y
  – What's your e-mail address? [email protected]
  – We found your SMTP server as: mailserver.myfirm.com.
  – Do you want to use it? (y/n) [y]: y
• Do you want to run the integrity check daemon? (y/n) [y]: y
• Do you want to run the rootkit detection engine? (y/n) [y]: y
• Do you want to enable active response? (y/n) [y]: y
• Do you want to enable the firewall-drop response? (y/n) [y]: y
Installation Locations
● Default installation in /var/ossec
● Main configuration file is /var/ossec/etc/ossec.conf
● Decoders are stored at /var/ossec/etc/decoders.xml
● Binaries stored at /var/ossec/bin/
● Rules stored at /var/ossec/rules/*.xml
chroot
Chroot definition (from Wikipedia):
A program that is "chrooted" is re-rooted to another directory and cannot access or name files outside that directory.
OSSEC Processes
ossec-analysisd – runs as user ossec (performs analysis)
ossec-remoted – runs as user ossecr (runs on server and collects logs from agents)
ossec-maild – runs as user ossecm (sends email alerts)
ossec-execd – runs as root (executes active responses)
ossec-logcollector – runs as root, but only reads the logs, no analysis (collects logs)
ossec-syscheckd – runs as root (file integrity monitoring)
ossec-monitord – runs as user ossec (monitors agents status)
ossec-agentd – runs as user ossec (runs on agents and forwards logs to ossec-remoted)
Add the clients as Agents (on the server)

Add the Agent
{server}# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v0.8 Agent manager.       *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your actions: A,E,R or Q: a

Provide the name and IP
- Adding a new agent (use 'q' to return to main menu).
  Please provide the following:
   * A name for the new agent: linux1
   * The IP Address for the new agent: 192.168.2.32
   * An ID for the new agent[001]:
Agent information:
   ID:001
   Name:linux1
   IP Address:192.168.2.32

Confirm adding it?(y/n): y
Extract the Encryption Key

****************************************
* OSSEC HIDS v0.8 Agent manager.       *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.

Pick the client ID and copy the key
Available agents:
   ID: 001, Name: linux1, IP: 192.168.2.32
   ID: 002, Name: obsd1, IP: 192.168.2.10
Provide the ID of the agent you want to extract the key: 001

Agent key information for '001' is:
CDAxIGxpbnX4MSAxOTIuMTY4LjAuMzIgOWM5MENlYzNXXXYYYZZZZZ==
Client Side Setup
(linux1)# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v0.8 Agent manager.       *
* The following options are available: *
****************************************
   (I)mport key for the server (I).
   (Q)uit.
Choose your actions: I or Q: I

* Provide the Key generated from the server.
* The best approach is to cut and paste it.
Paste it here: CDAxIGxpbnX4MSAxOTIuMTY4LjAuMzIgOWM5MENlYzNXXXYYYZZZZZ==
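Before restarting the agent it is worth checking that the blob you pasted is the key for the agent you are sitting on. The string manage_agents prints is the client.keys line (ID, name, IP, shared key) in base64, so it can be decoded locally; base64 is an encoding, not encryption, which is also why the blob must travel over a channel you trust. The helper below is an added example, not code from the slides or from OSSEC; the agent ID, name, IP and 64-hex-character key it builds are constructed placeholders, and the slide's own key string is not reused because it is redacted.

```python
import base64
import binascii
import re

# Layout of the string manage_agents prints (option E) and accepts (option I):
# the client.keys line "<id> <name> <ip> <key>" encoded in base64.
KEY_LINE_FIELDS = 4


def make_agent_key(agent_id, name, ip, key):
    """Build the blob the server side hands out for one agent."""
    line = f"{agent_id} {name} {ip} {key}"
    return base64.b64encode(line.encode("ascii")).decode("ascii")


def parse_agent_key(blob):
    """Decode a pasted blob into its four fields, rejecting anything malformed."""
    try:
        raw = base64.b64decode(blob.strip(), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("not a base64 agent key") from exc
    parts = raw.split(" ")
    if len(parts) != KEY_LINE_FIELDS:
        raise ValueError(f"expected {KEY_LINE_FIELDS} fields, got {len(parts)}")
    agent_id, name, ip, key = parts
    if not re.fullmatch(r"\d{3,}", agent_id):
        raise ValueError(f"bad agent id {agent_id!r}")
    if not re.fullmatch(r"[0-9a-fA-F]{32,}", key):
        raise ValueError("shared key is not a hex string")
    return {"id": agent_id, "name": name, "ip": ip, "key": key}


def key_matches_agent(blob, agent_id, name, ip):
    """The check to run on the agent before importing: does the blob describe
    this host? A mismatch means the wrong key was copied, and the server will
    not accept this host's messages after the restart."""
    try:
        info = parse_agent_key(blob)
    except ValueError:
        return False
    return (info["id"], info["name"], info["ip"]) == (agent_id, name, ip)


if __name__ == "__main__":
    # Constructed sample: the key is a placeholder, not a real OSSEC key.
    sample = make_agent_key("001", "linux1", "192.168.2.32", "9c90cec3" * 8)
    print(sample)
    print(parse_agent_key(sample))
    print(key_matches_agent(sample, "001", "linux1", "192.168.2.32"))
    print(key_matches_agent(sample, "002", "linux1", "192.168.2.32"))
```

Run it on the agent with the pasted blob and the ID, name and IP you entered on the server; a False means go back to option E on the server before restarting anything.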
Restart OSSEC on client and server
(server)# /var/ossec/bin/ossec-control restart
(client)# /var/ossec/bin/ossec-control restart
What can the Windows Agent do?
• Monitors the Windows event log in real time.
• Monitors IIS logs (Web, FTP, SMTP) and any other logs present on your system (including Symantec Anti-Virus, MySQL, Apache, etc) at near real time.
• Periodically checks the Windows Registry for changes.
• Periodically checks your Windows folders for changes.
• Periodically does policy verifications to make sure your system is configured properly.
OSSEC Alert Levels
00 - Ignored
01 - None
02 - System low priority notification
03 - Successful/Authorized events
04 - System low priority error
05 - User generated error
06 - Low relevance attack
07 - "Bad word" matching
08 - First time seen
09 - Error from invalid source
10 - Multiple user generated errors
11 - Integrity checking warning
12 - High importance event
13 - Unusual error (high importance)
14 - High importance security event
15 - Severe attack
/var/ossec/rules
apache_rules.xml       arpwatch_rules.xml        asterisk_rules.xml      attack_rules.xml
backup-rules.24026     cimserver_rules.xml       cisco-ios_rules.xml     courier_rules.xml
dovecot_rules.xml      firewall_rules.xml        ftpd_rules.xml          hordeimp_rules.xml
ids_rules.xml          imapd_rules.xml           local_rules.xml         mailscanner_rules.xml
mcafee_av_rules.xml    ms_dhcp_rules.xml         ms-exchange_rules.xml   ms_ftpd_rules.xml
ms-se_rules.xml        msauth_rules.xml          mysql_rules.xml         named_rules.xml
netscreenfw_rules.xml  nginx_rules.xml           ossec_rules.xml         pam_rules.xml
php_rules.xml          pix_rules.xml             policy_rules.xml        postfix_rules.xml
postgresql_rules.xml   proftpd_rules.xml         pure-ftpd_rules.xml     racoon_rules.xml
roundcube_rules.xml    rules_config.xml          sendmail_rules.xml      smbd_rules.xml
solaris_bsm_rules.xml  sonicwall_rules.xml       spamd_rules.xml         squid_rules.xml
sshd_rules.xml         symantec-av_rules.xml     symantec-ws_rules.xml   syslog_rules.xml
telnetd_rules.xml      translatedzeus_rules.xml  trend-osce_rules.xml    vmpop3d_rules.xml
vmware_rules.xml       vpn_concentrator_rules.xml vpopmail_rules.xml     vsftpd_rules.xml
web_rules.xml          wordpress_rules.xml
OSSEC RULES
00000–00999 Reserved for internal OSSEC HIDS rules
01000–01999 General syslog rules
02100–02299 Network File System (NFS) rules
02300–02499 xinetd rules
02500–02699 Access control rules
02700–02729 mail/procmail rules
02800–02829 smartd rules
02830–02859 crond rules
02860–02899 Mount/Automount rules
03100–03299 Sendmail mail server rules
03300–03499 Postfix mail server rules
03500–03599 spamd filter rules
03600–03699 imapd mail server rules
03700–03799 Mail scanner rules
03800–03899 Microsoft Exchange mail server rules
03900–03999 Courier mail rules (imapd/pop3d/pop3-ssl)
04100–04299 Generic firewall rules
04300–04499 Cisco PIX/FWSM/ASA firewall rules
04500–04699 Juniper Netscreen firewall rules
04700–04799 Cisco IOS rules
04800–04899 SonicWall firewall rules
05100–05299 Linux, UNIX, BSD kernel rules
05300–05399 Switch user (su) rules
05400–05499 Super user do (sudo) rules
05500–05599 Unix pluggable authentication mod (PAM) rules
05600–05699 telnetd rules
05700–05899 sshd rules
05900–05999 Add user or user deletion rules
07100–07199 Tripwire rules
07300–07399 Symantec Antivirus rules
07400–07499 Symantec Web Security rules
09100–09199 Point-to-point tunneling protocol (PPTP) rules
09200–09299 Squid syslog rules
09300–09399 Horde IMP rules
09900–09999 vpopmail rules
10100–10199 FTS rules
11100–11199 ftpd rules
11200–11299 ProFTPD rules
11300–11399 Pure-FTPD rules
11400–11499 vs-FTPD rules
11500–11599 MS-FTP rules
12100–12299 named (BIND DNS) rules
13100–13299 Samba (smbd) rules
14100–14199 Racoon SSL rules
14200–14299 Cisco VPN Concentrator rules
17100–17399 Policy rules
18100–18499 Windows system rules
20100–20299 IDS rules
20300–20499 IDS (Snort specific) rules
30100–30999 Apache HTTP server error log rules
31100–31199 Web access log rules
31200–31299 Zeus web server rules
35000–35999 Squid rules
40100–40499 Attack pattern rules
40500–40599 Privilege escalation rules
40600–40999 Scan pattern rules
50100–50299 MySQL database rules
50500–50799 PostgreSQL database rules
100000–119999 User-defined rules
Custom Rules
/var/ossec/rules/local_rules.xml

[Diagram: Event -> PreDecoding -> Decoding -> Rules -> Alerts -> e-mails / Active Responses / Logs]
Predecoding Fields
- Time
- Date
- Hostname
- Program Name
- Log message

Jun 13 13:13:03 cle-linx01 sshd[1205]: Accepted password for admin from 10.1.1.1 port 1618 ssh2
Decoding Fields
- Username
- IP Address
- Port
- Version

Jun 13 13:13:03 cle-linx01 sshd[1205]: Accepted password for admin from 10.1.1.1 port 1618 ssh2

decoder
<decoder name="sshd">
  <program_name>^sshd</program_name>
</decoder>

<decoder name="sshd-success">
  <parent>sshd</parent>
  <prematch>^Accepted</prematch>
  <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port </regex>
  <order>user, srcip</order>
  <fts>name, user, location</fts>
</decoder>

<decoder name="ssh-denied">
  <parent>sshd</parent>
  <prematch>^User \S+ from </prematch>
  <regex offset="after_parent">^User (\S+) from (\S+) </regex>
  <order>user, srcip</order>
</decoder>
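To see what the pre-decoding and decoding stages actually produce for the sample line, the script below re-implements the three decoders above in Python: the syslog envelope is split into the predecoding fields, the parent decoder is chosen by program_name, and the first child whose prematch hits fills the fields named in its order list from the regex groups (after_prematch starts the regex where the prematch stopped, after_parent at the start of the message). This is an added example, not OSSEC code or code from the slides; it keeps the decoder regexes verbatim because these three use only constructs the Python re module shares, and it does not model fts. The first sample line is the one on the slide; the others are constructed in OpenSSH's log format.

```python
import re

# Pre-decoding: the syslog envelope every event shares.
# "Jun 13 13:13:03 cle-linx01 sshd[1205]: <message>"
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\s\[:]+)(?:\[\d+\])?: "
    r"(?P<log>.*)$"
)


def predecode(line):
    """Split a syslog line into timestamp, hostname, program_name and log."""
    m = SYSLOG_HEADER.match(line)
    return m.groupdict() if m else None


# Decoders transcribed from the three <decoder> blocks on the slide.
DECODERS = [
    {"name": "sshd", "program_name": re.compile(r"^sshd")},
    {"name": "sshd-success", "parent": "sshd",
     "prematch": re.compile(r"^Accepted"),
     "offset": "after_prematch",
     "regex": re.compile(r"^ \S+ for (\S+) from (\S+) port "),
     "order": ["user", "srcip"]},
    {"name": "ssh-denied", "parent": "sshd",
     "prematch": re.compile(r"^User \S+ from "),
     "offset": "after_parent",
     "regex": re.compile(r"^User (\S+) from (\S+) "),
     "order": ["user", "srcip"]},
]


def decode(event):
    """Pick the parent decoder by program_name, then the first child whose
    prematch hits, and fill the fields listed in <order> from the groups."""
    log = event["log"]
    parent = next((d for d in DECODERS if "program_name" in d
                   and d["program_name"].match(event["program_name"])), None)
    if parent is None:
        return {"decoder": None}
    for child in DECODERS:
        if child.get("parent") != parent["name"]:
            continue
        pm = child["prematch"].match(log)
        if not pm:
            continue
        # after_prematch: continue where the prematch stopped.
        # after_parent: the parent consumed nothing, so start at the message.
        haystack = log[pm.end():] if child["offset"] == "after_prematch" else log
        rm = child["regex"].match(haystack)
        if not rm:
            continue
        return {"decoder": child["name"], **dict(zip(child["order"], rm.groups()))}
    return {"decoder": parent["name"]}


def analyse(lines):
    """Pre-decode and decode raw lines; lines that are not syslog are skipped."""
    out = []
    for line in lines:
        pre = predecode(line)
        if pre is not None:
            out.append({**pre, **decode(pre)})
    return out


# Constructed sample input: line 1 is the slide's line, the rest are made up.
SAMPLE_LOG = [
    "Jun 13 13:13:03 cle-linx01 sshd[1205]: Accepted password for admin from 10.1.1.1 port 1618 ssh2",
    "Jun 13 13:14:10 cle-linx01 sshd[1240]: User nobody from 10.1.1.9 not allowed because not listed in AllowUsers",
    "Jun 13 13:15:00 cle-linx01 sshd[1301]: Connection closed by 10.1.1.1",
    "Jun 13 13:15:30 cle-linx01 crond[1400]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for ev in analyse(SAMPLE_LOG):
        print(ev["program_name"], ev["decoder"], ev.get("user"), ev.get("srcip"))
```

The third and fourth lines show the two ways an event leaves decoding without fields: an sshd message no child decoder claims still carries the sshd decoder name, while a program with no decoder at all carries none, which is what a later rule with no decoded_as condition will see.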
Atomic Rule Example
<group name="web,accesslog,">
  <rule id="31100" level="0">
    <category>web-log</category>
    <description>Access log messages grouped.</description>
  </rule>
</group>
Composite Rule Example
<rule id="31153" level="10" frequency="8" timeframe="120">
  <if_matched_sid>31104</if_matched_sid>
  <same_source_ip />
  <description>Multiple common web attacks from same source ip.</description>
  <group>attack,</group>
</rule>
ossec.conf log file entries
<!-- Files to monitor (localfiles) -->
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/messages</location>
</localfile>
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/secure</location>
</localfile>
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/maillog</location>
</localfile>
<localfile>
  <log_format>apache</log_format>
  <location>/var/log/httpd/error_log</location>
</localfile>
....
Rewriting A Rule to Silence It
Edit /var/ossec/rules/local_rules.xml

<rule id="100030" level="0">
  <if_sid>31106</if_sid>
  <description>List of rules to be ignored.</description>
</rule>

<rule id="110002" level="0">
  <if_group>authentication_failures,</if_group>
  <description>Changes ignored.</description>
  <if_sid>18152</if_sid>
</rule>

<rule id="110003" level="0">
  <if_group>system_error,</if_group>
  <description>Changes ignored.</description>
  <if_sid>31122</if_sid>
</rule>
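The two mechanisms just shown, a level-0 child rule in local_rules.xml silencing its parent and the composite rule 31153 from the earlier slide counting 31104 hits per source IP over a timeframe, interact: a silenced event raises no alert and also never feeds the composite counter. The simulation below is an added example, not OSSEC code or code from the slides. It transcribes 31100 and 31153 from the slides; the URL pattern for 31104 and the scanner-silencing rule 100030 (matching on srcip, an assumption for illustration) are constructed, as are the access-log events. It treats frequency literally (the eighth qualifying event within the timeframe fires); the real engine's counting is documented in the OSSEC rule syntax reference and should be checked before tuning a threshold.

```python
import re
from collections import defaultdict, deque

# 31100 and 31153 come from the slides. 31104's description is OSSEC's
# ("Common web attack."); its URL pattern here is a constructed stand-in.
# 100030 is a constructed local_rules.xml-style override for an internal scanner.
RULES = [
    {"id": 31100, "level": 0, "description": "Access log messages grouped."},
    {"id": 31104, "level": 6, "if_sid": 31100,
     "url": re.compile(r"\.\./|/etc/passwd|<script|%27"),
     "description": "Common web attack."},
    {"id": 100030, "level": 0, "if_sid": 31104, "srcip": "10.0.0.5",
     "description": "Ignored: internal vulnerability scanner."},
    {"id": 31153, "level": 10, "if_matched_sid": 31104,
     "frequency": 8, "timeframe": 120, "same_source_ip": True,
     "description": "Multiple common web attacks from same source ip."},
]


class RuleEngine:
    def __init__(self, rules):
        self.atomic = [r for r in rules if "if_matched_sid" not in r]
        self.composite = [r for r in rules if "if_matched_sid" in r]
        self.windows = defaultdict(deque)   # (composite id, srcip) -> hit timestamps

    @staticmethod
    def _conditions_hold(rule, event):
        if "url" in rule and not rule["url"].search(event["url"]):
            return False
        if "srcip" in rule and rule["srcip"] != event["srcip"]:
            return False
        return True

    def _match_atomic(self, event):
        """Descend the if_sid tree; the deepest matching rule is the verdict,
        which is why a level-0 child replaces its parent's level."""
        matched, parent_id = None, None
        while True:
            child = next((r for r in self.atomic if r.get("if_sid") == parent_id
                          and self._conditions_hold(r, event)), None)
            if child is None:
                return matched
            matched, parent_id = child, child["id"]

    def process(self, event):
        """Alerts raised by one event as (ts, srcip, rule id, level)."""
        rule = self._match_atomic(event)
        if rule is None or rule["level"] == 0:
            return []                       # level 0: no alert, nothing counted
        alerts = [(event["ts"], event["srcip"], rule["id"], rule["level"])]
        for comp in self.composite:
            if comp["if_matched_sid"] != rule["id"]:
                continue
            key = (comp["id"], event["srcip"] if comp.get("same_source_ip") else "*")
            window = self.windows[key]
            window.append(event["ts"])
            while window and event["ts"] - window[0] > comp["timeframe"]:
                window.popleft()            # forget hits older than the timeframe
            if len(window) >= comp["frequency"]:
                alerts.append((event["ts"], event["srcip"], comp["id"], comp["level"]))
                window.clear()              # one burst yields one composite alert
        return alerts


ATTACK = "/index.php?page=../../etc/passwd"


def build_sample_events():
    """Constructed access-log events as (epoch seconds, srcip, url)."""
    events = [(1000 + i * 10, "203.0.113.7", ATTACK) for i in range(10)]     # burst, 90 s
    events += [(1000 + i * 200, "192.0.2.50", ATTACK) for i in range(8)]     # slow, 8 hits in 23 min
    events += [(1003 + i * 10, "10.0.0.5", ATTACK) for i in range(10)]       # silenced scanner
    events += [(1001 + i * 10, "198.51.100.9", "/img/logo.png") for i in range(5)]  # benign
    return sorted(events)


def run_sample():
    engine = RuleEngine(RULES)
    alerts = []
    for ts, srcip, url in build_sample_events():
        alerts.extend(engine.process({"ts": ts, "srcip": srcip, "url": url}))
    return alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only the burst source produces a 31153: the slow source never has eight hits inside any 120-second window, and the scanner's hits are swallowed by 100030 before the composite ever sees them, which is the behaviour to keep in mind when a silencing rule is written too broadly.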
Coding Daily Reports
Add these lines to ossec.conf

Receive summary of all the authentication success:
<ossec_config>
  <reports>
    <category>authentication_success</category>
    <user type="relation">srcip</user>
    <title>Daily report: Successful logins</title>
    <email_to>[email protected]</email_to>
  </reports>
</ossec_config>

Receive summary of all File integrity monitoring (syscheck) alerts:
<ossec_config>
  <reports>
    <category>syscheck</category>
    <title>Daily report: File changes</title>
    <email_to>[email protected]</email_to>
  </reports>
</ossec_config>
Authentication Daily Report
Report 'Daily report: Successful logins' completed.
------------------------------------------------
->Processed alerts: 4388
->Post-filtering alerts: 2
->First alert: 2010 Aug 6 13:25:04
->Last alert: 2010 Aug 6 13:25:04

Top entries for 'Source ip':
------------------------------------------------
10.xx.xx.xx |1 |

Top entries for 'Username':
------------------------------------------------
administrator |1 |

Top entries for 'Level':
------------------------------------------------
Severity 3 |2 |

Top entries for 'Group':
------------------------------------------------
authentication_success |2 |
syslog |2 |
pam |1 |
sshd |1 |

Top entries for 'Location':
------------------------------------------------
(dmz-server) 192.168.x.x->/var/log/secure |2 |

Top entries for 'Rule':
------------------------------------------------
5501 - Login session opened. |1 |
5715 - SSHD authentication success. |1 |

Related entries for 'Username':
------------------------------------------------
administrator |1 |
   srcip: '10.xx.xx.xx'
Forensic Analysis of Log Files
# cat /var/log/secure | /var/ossec/bin/ossec-logtest -a

2010/08/18 08:37:32 ossec-testrule: INFO: Started (pid: 25489).
** Alert 1282135052.1: mail - syslog,fts,authentication_success
2010 Aug 18 08:37:32 MYSVR01->stdin
Rule: 10100 (level 4) -> 'First time user logged in.'
Src IP: 192.168.14.147
User: root
Aug 16 08:31:30 MYSVR01 sshd[28191]: Accepted password for root from 192.168.14.147 port 56321

** Alert 1282135052.2: - syslog,sshd,authentication_success,
2010 Aug 18 08:37:32 MYSVR01->stdin
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 192.168.0.5
User: root
Aug 16 16:24:37 MYSVR01 sshd[7089]: Accepted password for root from 192.168.0.5 port 35614 ssh2

** Alert 1282135052.3: mail - syslog,errors,
2010 Aug 18 08:37:32 MYSVR01->stdin
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Src IP: (none)
User: (none)
Aug 17 09:32:20 MYSVR01 sshd[3176]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Forensic Analysis Summary (1)
# cat /var/log/secure | /var/ossec/bin/ossec-logtest -a | /var/ossec/bin/ossec-reportd

2010/08/18 08:42:53 ossec-reportd: INFO: Started (pid: 32590).
2010/08/18 08:42:53 ossec-testrule: INFO: Started (pid: 32589).
2010/08/18 08:42:58 ossec-reportd: INFO: Report completed. Creating output...

Report completed. ==
------------------------------------------------
->Processed alerts: 7
->Post-filtering alerts: 7
->First alert: 2010 Aug 18 08:42:53
->Last alert: 2010 Aug 18 08:42:53

Top entries for 'Source ip':
------------------------------------------------
192.168.14.147 |2 |
192.168.16.52 |1 |
192.168.0.5 |1 |

Top entries for 'Username':
------------------------------------------------
Forensic Analysis Summary (2)
Top entries for 'Level':
------------------------------------------------
Severity 3 |5 |
Severity 2 |1 |
Severity 4 |1 |

Top entries for 'Group':
------------------------------------------------
syslog |7 |
authentication_success |5 |
sshd |3 |
pam |2 |
errors |1 |
fts |1 |

Top entries for 'Location':
------------------------------------------------
MYSVR01->stdin |7 |
Forensic Analysis Summary (3)
Top entries for 'Rule':
------------------------------------------------
5715 - SSHD authentication success. |3 |
1002 - Unknown problem somewhere in the syst.. |1 |
10100 - First time user logged in. |1 |
5501 - Login session opened. |1 |
5502 - Login session closed. |1 |

Log dump:
------------------------------------------------
2010 Aug 18 08:42:53 MYSVR01->stdin
Rule: 10100 (level 4) -> 'First time user logged in.'
Aug 16 08:31:30 MYSVR01 sshd[28191]: Accepted password for root from 192.168.14.147 port 56321
Brute Force Attack Report
# cat /var/log/secure | /var/ossec/bin/ossec-logtest -a | /var/ossec/bin/ossec-reportd -f group authentication_failures

Report completed. ==
------------------------------------------------
->Processed alerts: 362
->Post-filtering alerts: 21

Top entries for 'Source ip':
------------------------------------------------
87.123.106.142 |2 |
8.20.19.170 |2 |
134.255.9.163 |1 |
17.15.13.13 |1 |
14.25.62.36 |1 |
73.45.18.20 |1 |
20.12.99.59 |1 |
102.63.145.50 |1 |
222.2.25.202 |1 |

Top entries for 'Username':
------------------------------------------------
root |22 |

Top entries for 'Level':
------------------------------------------------
Severity 10 |21 |

Top entries for 'Group':
------------------------------------------------
authentication_failures |21 |
sshd |21 |
syslog |21 |

Top entries for 'Location':
------------------------------------------------
enigma->stdin |21 |

Top entries for 'Rule':
------------------------------------------------
5720 - Multiple SSHD authentication failures. |19 |
5712 - SSHD brute force trying to get access.. |1 |
Lessons Learned
• It's simple. Use it.
• Lots of noise on upgrades.
• Windows 2008 R2 whines...and whines...and whines.
• Agentless monitoring allows you to monitor many appliances (routers, switches, firewalls, etc.)
Image Credits
• http://mrg.bz/wrcjRr Log File
• http://www.sxc.hu/photo/1094329 Tired guy
• http://mrg.bz/rpccdD wine and beer glasses
• http://upload.wikimedia.org/wikipedia/commons/3/3e/Tux‐G2.png Tux
• http://mrg.bz/OQ3I7U Lock
• http://mrg.bz/lUCAfo Hulk
• http://mrg.bz/nXxLey Kid at Computer
• http://www.sxc.hu/photo/569804 Direction sign
• http://www.sxc.hu/photo/1255864 Wormhole
• http://www.sxc.hu/photo/1267612 Fire
The following images were used under fair use provisions of US copyright and trademark law:
Logos: Windows, Tux, FreeBSD, VMWare, MAC OSx, OSSEC and AIX; OSSEC WebUI screenshots