
As far as I know, OSSEC is an open-source HIDS. It's a "Detection System". I read in journals that it collects logs, flags any anomaly found in a system (e.g. a Debian server) and takes some action on it.

Some of OSSEC's rules offer a way to prevent the anomaly from carrying out its action, like preventing brute force by blocking an IP for 600 seconds if authentication failed 2 times.

Are there any rules, or some active-response command, that would stop some virus or anomaly from spreading, infecting and crashing our system? Is there any demonstration of those conditions? Where could I find it?

What I have tried is blocking an IP for brute force attacks (FTP, SSH), but what if the hacker is somehow able to prevent the OSSEC rules from blocking the IP, and starts to spread some unwanted files/documents, i.e. a virus? Is there any footage or demonstration of that?

My question: how can OSSEC handle a virus that is already spreading? OSSEC just detects the anomaly and takes some action. Is it possible?

gagantous
  • Are they claiming to be a HIPS (Host Intrusion Prevention System)? Most antivirus products that prevent contamination have a network-level hook installed on the host which simply isolates the host from the rest of the network. – Krishna Pandey Nov 01 '17 at 05:15
  • @KrishnaPandey no, they claimed to be HIDS only... – gagantous Nov 01 '17 at 05:22
  • Any suggestions for HIPS apps? First time I've heard "HIPS"; I only knew NIPS. – gagantous Nov 01 '17 at 05:23
  • @KrishnaPandey I read this article, OSSEC is indeed a HIPS... https://www.ibm.com/developerworks/community/blogs/6e6f6d1b-95c3-46df-8a26-b7efd8ee4b57/entry/ossec_the_open_source_intrusion_prevention_system49?lang=en – gagantous Nov 01 '17 at 07:10
  • @gagantous It's about a product fitting some definition. Many products flirt with it, having some prevention capabilities as an add-on, but not providing complete endpoint security. You need to find out the capabilities of OSSEC by reading the documentation. If the feature is supported, you can use it. – Krishna Pandey Nov 02 '17 at 05:59
  • By "spreads to the deepest systems" do you mean a rootkit? – forest Apr 03 '18 at 19:39
  • @forest Yes, I mean like that. – gagantous Apr 03 '18 at 21:44
  • OSSEC cannot protect from that in any way. A rootkit is able to modify the memory of any HIDS at will and hook any interface they use for monitoring the system. – forest Apr 03 '18 at 21:46
  • @forest I have edited my question, please check it out :). Is the answer still "no"? – gagantous Apr 03 '18 at 21:50
  • If a (kernel) rootkit is on the system, aka "spread to the deepest levels", then no, no HIDS can protect from that. – forest Apr 03 '18 at 21:58
  • So do you know what kind of app handles that kind of condition? @forest – gagantous Apr 03 '18 at 21:59
  • No program can solve that issue. If the kernel is owned, you are owned. – forest Apr 03 '18 at 22:05
  • @forest If so, is there at least one thing we could do before the virus spreads into our deepest system? Like when some strange files/documents are found on the server, OSSEC would block that file, or quarantine that file, and so on? Maybe like that? Or am I wrong? – gagantous Apr 03 '18 at 22:13
  • It sounds like you want _mandatory access controls_, not a HIDS. – forest Apr 03 '18 at 22:19
  • @forest I am interested in OSSEC because it has some features, like "active-response" and "rootkit detection", where if some anomaly/strange behaviour triggers some OSSEC rules, it will "immediately" take some action. – gagantous Apr 03 '18 at 22:27
  • It's been a while since I used OSSEC, I remember that the agents are operating as monitors that collect evidence (i.e. Windows logs) and transmit them to the server which aggregates the evidence. What you are trying to achieve here is to enforce a policy change on an agent - effectively the agent will receive a command from the server (i.e. delete file C:\X.virus) and run the command locally. Is that right? – jonna_983 Apr 05 '18 at 13:30
  • OSSEC is among the best, but as said, if it's a kernel-deep issue you're just done. Gotta wipe and start clean, else rightfully remain concerned. – Preston Bennett Apr 11 '18 at 04:20

2 Answers

Yes, basically you've answered your own question. Active response allows you to run any command. Since it accepts executables, start with shell scripts, chmod them, and the script will run when the corresponding trigger comes. Then you can enhance it further with Python scripting to do things not possible in bash. You'll need some programming, but because active-response allows any executable to handle the triggers, the possibilities are endless.

Start here:

  1. http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.active-response.html
  2. https://github.com/ossec/ossec-docs/blob/master/docs/syntax/example_ossec_config.active-response.trst
gagantous
  • Do you know some rule examples with active-response configuration that can handle that situation? I mean like a tutorial about that on the internet. – gagantous Apr 05 '18 at 22:11
  • The links I've shared should definitely get you started on this. – Sangram Kesari Ray Apr 05 '18 at 22:39
  • I am not quite sure how this (awesome by the way) feature will help in this situation at all. If the system is infected and the kernel is probably owned no script will ever be able to do anything. Once the virus is that deep inside the system ossec should not be relied on to secure everything again. – Nico Apr 10 '18 at 12:23
  • @SangramKesariRay But I couldn't find any active-response that deletes malicious files; it's just things like blocking or shutting down the server, and I am not quite familiar with the Python language. – gagantous Apr 11 '18 at 12:02
  • Any bash script should work. Try in a VM: trigger an alert which runs a bash script that creates a log file. Start small, create just an empty file. Since we know which directory we're looking at, we can then parse those /var/log files to find the file name to delete. If found, we can delete it. All these tasks will be easier in Python, but can be done in Bash with grep and utilities like `rm -fr`. First try to create a file; next, deleting a file will come easily. Hope this helps! – Sangram Kesari Ray Apr 11 '18 at 18:28
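As an added example (not OSSEC's own code and not the answerer's), here is the "start small" script the answer describes: an active-response executable that writes an audit line for every trigger and quarantines, rather than deletes, the file named in the alert, so an analyst can still inspect it. It assumes the positional-argument convention OSSEC's stock active-response scripts use (action, user, srcip, alert id, rule id, agent, filename), that the script is wired in through a `<command>`/`<active-response>` pair in ossec.conf as the linked docs describe, and the paths, rule id 100999 and sample arguments are constructed.

```shell
#!/bin/sh
# Added example, not OSSEC's own code: a minimal active-response script that
# logs every trigger and quarantines a flagged file instead of deleting it.
# OSSEC's execd invokes active-response executables with positional arguments
# (the convention its stock scripts such as host-deny.sh follow, assumed here):
#   $1 action (add|delete) $2 user $3 srcip $4 alert id $5 rule id $6 agent $7 filename
# Paths below are assumptions; override them via the environment when testing.
LOG_FILE="${AR_LOG_FILE:-/var/ossec/logs/active-responses.log}"
QUARANTINE_DIR="${AR_QUARANTINE_DIR:-/var/ossec/quarantine}"

# Append one audit line per invocation so every automated action is traceable.
log_alert() {
    printf '%s %s rule=%s alert=%s user=%s srcip=%s file=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$5" "$4" "$2" "$3" "$7" >> "$LOG_FILE"
}

# Move a regular file into the quarantine directory and strip its permissions,
# so it can neither run nor be read until an analyst reviews it. Prints the
# new path; returns 1 without touching anything if $1 is not a regular file.
quarantine_file() {
    src="$1"; dest_dir="$2"
    [ -f "$src" ] || return 1
    mkdir -p "$dest_dir" && chmod 700 "$dest_dir" || return 1
    dest="$dest_dir/$(basename "$src").$(date +%s).quarantined"
    mv -- "$src" "$dest" && chmod 000 "$dest" || return 1
    printf '%s\n' "$dest"
}

main() {
    action="$1"; filename="$7"
    log_alert "$@"
    case "$action" in
        add)    # alert fired: quarantine the file named in the alert, if any
            if [ -n "$filename" ]; then
                quarantine_file "$filename" "$QUARANTINE_DIR" >/dev/null \
                    || echo "no regular file at $filename, nothing quarantined" >&2
            fi ;;
        delete) # timeout expired: nothing to undo, the file stays quarantined
            ;;
        *)
            echo "unknown action: $action" >&2; return 1 ;;
    esac
}

# Only act when execd (or a manual test run) supplies arguments.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Install it as an executable under /var/ossec/active-response/bin/ and reference its file name in the `<executable>` element of a `<command>` block; the log it writes is what you would check first in the VM test the comment above suggests.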

Suppose the exploit was from someone skilled; there might have been some skilled workarounds involving your IDS. Even then you may still not find what you are looking for, so I would suggest a fresh restart. Otherwise, I, for one, wouldn't feel entirely sure all implementations were gone, given that it's a deep virus.

I believe that finding the source of the exploit or catching an intruder in the act becomes unworthy of your time and attention at a certain point. However, that's just my personal experience and a voice speaking to how difficult it is, in general, for perpetrators to be caught.

You might also start to use VMs with offsite backups. That way, you are further compartmentalized from the root system and functions while retaining the ability to recover from a hit with a few clicks.

On to the next. See @forest's comments.

Preston Bennett