Santi 'Log


Sep 2009

Detecting ASN.1 buffer overflow attack
Tue, 08 Sep 2009

Introduction

This is the first post on my recently opened blog. I hope the issues discussed here will be interesting to OSSIM users and perhaps to some other people too.

The first thing I will try to explain is how to test OSSIM by generating real attacks in real time, such as exploiting a buffer overflow against an unpatched host. For this purpose we will use the Microsoft ASN.1 library buffer overflow vulnerability (MS04-007, CVE-2003-0818), whose details can be found at http://www.phreedom.org/solar/exploits/msasn1-bitstring/ There we can even find an exploit called kill-bill that takes advantage of the mentioned vulnerability ;-)

Now let's see the steps needed to get an alarm in OSSIM and execute an action-response policy...

OSSIM configuration

1.- Detecting the intrusion with Snort rules. In this case it's done by the rule "NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt" (sid 3000, for port 139). I paste it here, copied from the /etc/snort/rules/netbios.rules file:

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:3000; rev:4;)

2.- The next step is to create a simple directive to feed the correlation engine. It can be done in /etc/ossim/server/generic.xml. plugin_id 1001 is OSSIM's Snort plugin, and plugin_sid must be the sid of the Snort rule that actually fires, so check the event that shows up in the console before writing the directive. The one I have created is:

<directive id="24" name="Buffer overflow attempt against DST_IP" priority="9">
   <rule type="detector" name="Buffer overflow rule matched" reliability="9"
   occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
   plugin_id="1001"
   plugin_sid="2383"/>
</directive>

This is the simplest form of a directive, but we can nest rule levels to detect more complex attacks (e.g. add rules matching port scans or session duration). Each nested level raises the reliability of the alarm: a reliability of "+3" adds to the value reached at the previous level, and "1:SRC_IP" / "1:DST_IP" mean "the source / destination IP of the event that matched level 1", so the open port must be found by the same scanner on the same host. Here is an example of a directive that detects a port scan followed by an open port found on the scanned host (I also use it in the video demo you will find below):

<directive id="25" name="TCP Portscan against DST_IP" priority="6">
   <rule type="detector" name="TCP Portscan" reliability="5"
   occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
   plugin_id="1122"
   plugin_sid="1">
      <rules>
         <rule type="detector" name="portscan: Open Port" reliability="+3"
         occurrence="1" from="1:SRC_IP" to="1:DST_IP" port_from="ANY" port_to="ANY"
         plugin_id="1122"
         plugin_sid="27"/>
      </rules>
   </rule>
</directive>

3.- The last thing is to configure an action (for example sending a mail) to execute when the alarm is generated. We can use the web framework to do it in an easy way.
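As an added example (not code from this post and not OSSIM's own engine), here is a minimal Python stand-in for the correlation engine that walks the two directives above over a constructed event stream, so you can see what the "1:SRC_IP" back-reference and the "+3" reliability do before loading the XML on a live server. The event layout, the single-backlog simplification, the port handling and the sample events are my assumptions, not something the post describes.

```python
"""Tiny stand-in for the OSSIM correlation engine, enough to trace how the two
directives above are evaluated.  Added example for this post, not OSSIM code.

Assumptions (not from the original post):
  * an event is a dict with plugin_id, plugin_sid, src, dst and dport;
  * plugin_id 1001 is OSSIM's Snort plugin, so plugin_sid is the Snort sid
    of the rule that fired;
  * occurrence and time_out are ignored (each level needs one event),
    port_from is ignored, and a single backlog per directive is kept where
    the real engine opens one backlog per first-level match;
  * the events in SAMPLE_EVENTS are constructed for the demo.
"""
import xml.etree.ElementTree as ET

# The two directives from generic.xml, wrapped in a root element so that
# they can be parsed together.
DIRECTIVES_XML = """<directives>
<directive id="24" name="Buffer overflow attempt against DST_IP" priority="9">
   <rule type="detector" name="Buffer overflow rule matched" reliability="9"
   occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
   plugin_id="1001" plugin_sid="2383"/>
</directive>
<directive id="25" name="TCP Portscan against DST_IP" priority="6">
   <rule type="detector" name="TCP Portscan" reliability="5"
   occurrence="1" from="ANY" to="ANY" port_from="ANY" port_to="ANY"
   plugin_id="1122" plugin_sid="1">
      <rules>
         <rule type="detector" name="portscan: Open Port" reliability="+3"
         occurrence="1" from="1:SRC_IP" to="1:DST_IP" port_from="ANY" port_to="ANY"
         plugin_id="1122" plugin_sid="27"/>
      </rules>
   </rule>
</directive>
</directives>"""

# Constructed events: a scan, an open-port hit from an unrelated host, the
# open-port hit from the scanner itself, and finally the Snort ASN.1 alert.
SAMPLE_EVENTS = [
    {"plugin_id": 1122, "plugin_sid": 1,    "src": "10.0.0.66", "dst": "10.0.0.5", "dport": 0},
    {"plugin_id": 1122, "plugin_sid": 27,   "src": "10.0.0.99", "dst": "10.0.0.5", "dport": 139},
    {"plugin_id": 1122, "plugin_sid": 27,   "src": "10.0.0.66", "dst": "10.0.0.5", "dport": 139},
    {"plugin_id": 1001, "plugin_sid": 2383, "src": "10.0.0.66", "dst": "10.0.0.5", "dport": 139},
]


def _resolve_addr(spec, matched):
    """ANY matches everything; 'N:SRC_IP' / 'N:DST_IP' refer back to the
    event matched at level N; anything else is a literal address."""
    if spec == "ANY":
        return None
    if ":" in spec:
        level, field = spec.split(":", 1)
        ref = matched[int(level) - 1]
        return ref["src"] if field == "SRC_IP" else ref["dst"]
    return spec


def _rule_matches(rule, event, matched):
    if rule.get("plugin_id") != str(event["plugin_id"]):
        return False
    if rule.get("plugin_sid") != str(event["plugin_sid"]):
        return False
    for attr, key in (("from", "src"), ("to", "dst")):
        want = _resolve_addr(rule.get(attr), matched)
        if want is not None and want != event[key]:
            return False
    port_spec = rule.get("port_to")
    return port_spec == "ANY" or str(event["dport"]) in port_spec.split(",")


def _new_reliability(current, spec):
    """'+N' adds to the reliability reached so far, a bare number sets it."""
    if spec.startswith("+"):
        return min(10, current + int(spec[1:]))
    return int(spec)


def run_directive(directive, events):
    """Walk one directive over an event stream; return one alarm dict per
    level reached, carrying the reliability at that level."""
    rule = directive.find("rule")
    matched, reliability, alarms = [], 0, []
    for ev in events:
        if rule is None or not _rule_matches(rule, ev, matched):
            continue
        matched.append(ev)
        reliability = _new_reliability(reliability, rule.get("reliability"))
        alarms.append({
            "directive": directive.get("name").replace("DST_IP", matched[0]["dst"]),
            "level": len(matched),
            "rule": rule.get("name"),
            "reliability": reliability,
            "src": ev["src"],
            "dst": ev["dst"],
        })
        nested = rule.find("rules")          # descend to the next level, if any
        rule = nested.find("rule") if nested is not None else None
    return alarms


def correlate(xml_text, events):
    """Map directive id -> alarms produced for that directive."""
    root = ET.fromstring(xml_text)
    return {d.get("id"): run_directive(d, events) for d in root.findall("directive")}


if __name__ == "__main__":
    for did, alarms in correlate(DIRECTIVES_XML, SAMPLE_EVENTS).items():
        for a in alarms:
            print(did, "level", a["level"], a["rule"], "reliability", a["reliability"],
                  a["src"], "->", a["dst"])
```

Running it shows directive 24 firing once with reliability 9 on the Snort event, and directive 25 reaching reliability 5 on the scan and 8 only when the open-port event comes from the same source against the same destination; the open-port hit from 10.0.0.99 is ignored because of the back-reference.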

Video demo

Well, in the end I have decided to upload a video demo, made as a proof of concept of everything discussed above. It lasts 10:33 and has no sound, but I think it is quite self-explanatory. Hope you will enjoy it.



posted at: 11:09 | path: /ossim/tests | permanent link to this entry | 8 comments |



Collecting events with rsyslog
Tue, 08 Sep 2009

This article tries to be a small how-to on OSSIM event collection using rsyslog. As an example, let's configure OSSIM to collect events from a Netscreen firewall.

OSSIM agent

  1. First of all we need to activate the plugin in /etc/ossim/agent/config.cfg by adding a new line to our plugins list. It could look like this:
    netscreen=/etc/ossim/agent/plugins/netscreen-firewall.cfg
  2. Then we set the "location" variable in the config file of the plugin we want to use. In our case this file is /etc/ossim/agent/plugins/netscreen-firewall.cfg (the other plugin config files live in that directory too). For example, let's set it this way:
    location=/var/log/netscreen-firewall.log
  3. Once the two previous steps are done, don't forget to restart the ossim-agent daemon so it loads the new configuration:
    /etc/init.d/ossim-agent restart

Rsyslog

Now it's time to go through the rsyslogd configuration.


  1. To enable reception of logs from remote machines we have to edit /etc/default/syslogd and set the SYSLOGD variable to "-r". This line should be enough:
    SYSLOGD="-r"
    Note that "-r" is a sysklogd-compatible switch: rsyslog honours it only in compatibility mode (-c0 to -c2). In native mode (-c3, next step) the UDP listener is enabled instead with the $ModLoad imudp and $UDPServerRun 514 directives in /etc/rsyslog.conf. Either way, the netstat check at the end of this how-to tells you whether a listener is really up.
  2. Then, to use the rsyslog v3 native interface (I am not sure if this is needed, but just in case), we need to set the RSYSLOGD_OPTIONS variable to "-c3" in /etc/default/rsyslog:
    RSYSLOGD_OPTIONS="-c3"
  3. Now let's edit the /etc/rsyslog.conf file. For our example I add these lines at the beginning of the logging rules; the comments explain what each one does.
    # Line 1: Discard logs with "action=Permit" string
    # This is just tuning, as this kind of logs are useless for our security system (as they are accepted by the firewall policy)
    :msg, contains, "action=Permit" ~

    # Line 2: If coming from "netscreen_hostname" (at /etc/hosts) send logs to /var/log/netscreen-firewall.log
    # The symbol "-" means that it wont sync every log (faster)
    :fromhost, isequal, "netscreen_hostname" -/var/log/netscreen-firewall.log

    # Line 3: Then discard all remaining logs from "netscreen_hostname" so they are not duplicated in the system log files.
    # Keep it AFTER Line 2: rules are evaluated top to bottom and "~" stops processing for that message.
    :fromhost, isequal, "netscreen_hostname" ~

    #... standard logging rules should go right here ...

    If you need more help with the filtering possibilities of rsyslog.conf, see: http://www.rsyslog.com/doc-rsyslog_conf_filter.html


  4. At last we just need to restart the rsyslog daemon (on Debian the init script is named rsyslog, the daemon rsyslogd):
    /etc/init.d/rsyslog restart

At this point rsyslogd should be listening on port 514/udp (the default); you can check it with netstat before configuring the device. Syslog over UDP carries no authentication, so anyone who can reach that port can inject events into the SIEM: restrict the senders with a firewall rule or rsyslog's $AllowedSender directive. Once we configure our device to send its logs to the OSSIM sensor, they should be collected and correlated.
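To check the ordering of those three filter lines without touching a live sensor, here is an added Python dry run of the filter chain (example code written for this post, not part of the original how-to and not rsyslog's or OSSIM's code). It assumes the legacy property-based syntax used above, a "*.*" catch-all standing in for the standard Debian rules, and constructed Netscreen and sshd messages; it also shows that swapping lines 2 and 3 silently drops every Netscreen event.

```python
"""Dry run of the rsyslog filter chain from this how-to, to see where each
message ends up.  Added example for this post, not rsyslog or OSSIM code.

Assumptions (not from the original post):
  * only the legacy property-based filter syntax used above is supported
    (:property, operator, "value" action), plus a '*.*' catch-all that
    stands in for the standard Debian logging rules;
  * a record is a dict with the rsyslog properties 'fromhost' and 'msg';
  * the Netscreen and sshd lines in SAMPLE_RECORDS are constructed.
"""
import re

# The three lines from the how-to, followed by the catch-all stand-in.
RSYSLOG_RULES = """\
:msg, contains, "action=Permit" ~
:fromhost, isequal, "netscreen_hostname" -/var/log/netscreen-firewall.log
:fromhost, isequal, "netscreen_hostname" ~
*.* /var/log/syslog
"""

# Same rules with lines 2 and 3 swapped: the discard now runs first.
RSYSLOG_RULES_WRONG_ORDER = """\
:msg, contains, "action=Permit" ~
:fromhost, isequal, "netscreen_hostname" ~
:fromhost, isequal, "netscreen_hostname" -/var/log/netscreen-firewall.log
*.* /var/log/syslog
"""

SAMPLE_RECORDS = [  # constructed for the demo
    {"fromhost": "netscreen_hostname",
     "msg": "NetScreen device_id=ns5gt [Root]system-notification-00257(traffic): "
            "policy_id=1 service=http proto=6 action=Permit src=10.0.0.7 dst=10.0.0.5 dst_port=80"},
    {"fromhost": "netscreen_hostname",
     "msg": "NetScreen device_id=ns5gt [Root]system-notification-00257(traffic): "
            "policy_id=2 service=tcp/port:139 proto=6 action=Deny src=10.0.0.66 dst=10.0.0.5 dst_port=139"},
    {"fromhost": "ossim",
     "msg": "sshd[1234]: Accepted publickey for admin from 10.0.0.7 port 51234 ssh2"},
]

FILTER_RE = re.compile(r'^:(\w[\w-]*),\s*(\w+),\s*"([^"]*)"\s*(\S+)$')


def parse_rules(text):
    """Return a list of (property, operator, value, action) tuples; the
    catch-all is encoded with property None."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FILTER_RE.match(line)
        if m:
            rules.append(m.groups())
        elif line.startswith("*.*"):
            rules.append((None, None, None, line.split(None, 1)[1]))
        else:
            raise ValueError("unsupported rule: " + line)
    return rules


def _matches(prop, op, value, record):
    if prop is None:
        return True
    field = record.get(prop, "")
    if op == "contains":
        return value in field
    if op == "isequal":
        return field == value
    if op == "startswith":
        return field.startswith(value)
    raise ValueError("unsupported operator: " + op)


def route(records, rules):
    """Return {destination: [msg, ...]}.  A '~' action discards the message
    and stops processing it; a file action writes and keeps going, so later
    rules still see the message (rsyslog evaluates rules top to bottom)."""
    out = {}
    for rec in records:
        for prop, op, value, action in rules:
            if not _matches(prop, op, value, rec):
                continue
            if action == "~":
                out.setdefault("~", []).append(rec["msg"])
                break
            # A leading '-' only disables fsync after each write.
            out.setdefault(action.lstrip("-"), []).append(rec["msg"])
    return out


if __name__ == "__main__":
    for label, text in (("correct order", RSYSLOG_RULES), ("wrong order", RSYSLOG_RULES_WRONG_ORDER)):
        print(label)
        for dest, msgs in route(SAMPLE_RECORDS, parse_rules(text)).items():
            print("   ", dest, len(msgs), "message(s)")
```

With the rules in the order given in the how-to, the Deny line lands in /var/log/netscreen-firewall.log, the Permit line is discarded and the sshd line still reaches /var/log/syslog; with lines 2 and 3 swapped the Netscreen file is never written. Remember that "fromhost" is the name rsyslog resolves from the sender's IP, so the /etc/hosts entry matters; "fromhost-ip" matches on the address itself.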


As you can see this how-to is quite simple, but I hope it can help you with your configurations, or help me remember them if needed.


Regards.

posted at: 10:55 | path: /ossim/configs | permanent link to this entry | 0 comments |






Santiago Gonzalez
(feel free to get in touch)
  • Mail
  • Linkedin
  • Forums





















Made with PyBlosxom