
I have the OSSEC HIDS software version 2.8.3 running on a RHEL 6 server. We have been testing this in the lab with a DNS server to track queries that come into our RPZ and Malware zones. The DNS server has the OSSEC agent installed. In order for this to work we had to use a custom written decoder. Has anyone else had any experience with OSSEC and custom decoders besides those that are installed "out of the box"? I am mainly looking to get creative ideas on what other system administrators are doing with OSSEC that could also be useful in our production environment.

For instance, has anyone had success in writing/using a custom decoder to detect USB storage for Linux?

UPDATE: I have been working on a custom decoder and rule for detection of when a USB device is inserted into a server. Here is what the log line that I want to match on looks like:

Feb  3 10:23:08 testsys kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5575

My decoder rules in OSSEC:

<decoder name="usb-storage">
  <program_name>kernel</program_name>
</decoder>

<decoder name="usb-storage-attached">
  <parent>usb-storage</parent>
  <regex offset="after_parent">^USB \S+: New</regex>
  <order>extra_data</order>
</decoder>

My rules in OSSEC:

<group name="syslog,">
  <!-- USB Storage Detection Log Types -->
  <!-- level=0 for not generating alerts by default -->
  <rule id="310201" level="0">
    <decoded_as>usb-storage</decoded_as>
    <description>Looking for unknown USB attached storage</description>
  </rule>

  <!-- USB Storage Detection Event Chains -->
  <!-- Fire an alert (level=8) if the log line contains "New USB device found" -->
  <rule id="310202" level="8">
    <if_sid>310201</if_sid>
    <match>^New USB device found</match>
    <description>Attached USB Storage</description>
  </rule>
</group>
user53029

2 Answers

2

The iptables decoder is using kernel as program_name:

<decoder name="iptables">
   <program_name>^kernel</program_name>
</decoder>

We can use iptables as parent (instead of kernel). Also, the id field is used to facilitate the creation of rules. So, you need this decoder:

<decoder name="usb-storage-attached">
    <parent>iptables</parent>
    <regex offset="after_parent">^(usb) </regex>
    <order>id</order>
</decoder>

The rules could be:

<rule id="310201" level="0">
    <decoded_as>iptables</decoded_as>
    <id>usb</id>
    <description>USB messages grouped.</description>
</rule>

<rule id="310202" level="1">
    <if_sid>310201</if_sid>
    <match>New USB device found</match>
    <description>Attached USB Storage</description>
</rule>

Now you can use rule 310201 for everything related to USB, and rule 310202 is the rule you want:

Feb  3 10:23:08 testsys kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5575


**Phase 1: Completed pre-decoding.
       full event: 'Feb  3 10:23:08 testsys kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5575'
       hostname: 'testsys'
       program_name: 'kernel'
       log: 'usb 1-1.2: New USB device found, idVendor=0781, idProduct=5575'

**Phase 2: Completed decoding.
       decoder: 'iptables'
       id: 'usb'

**Phase 3: Completed filtering (rules).
       Rule id: '310202'
       Level: '1'
       Description: 'Attached USB Storage'
**Alert to be generated.

I just added to our ruleset repository: Decoder and Rules.

  • Yes, this is what I had to do. I thought it was my regex, but then after I did a logtest I saw that everything was hitting on the iptables kernel name. I had a similar setup that I placed in a local_decoder xml which I also use for DNS malware lookups, but the iptables in the straight decoder file was taking precedence. Once I moved all of my decoders into the built in decoder file it all came together. Thanks! – user53029 Feb 04 '16 at 14:12
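Added example (not code from the answer above or from the OSSEC project): a small Python model of the three ossec-logtest phases shown in the answer, so the decoder chain and the two rules can be exercised offline against a few sample lines. It assumes Python's `re` as a stand-in for OSSEC's own regex dialect (the syntax differs, so the patterns are translations of the answer's decoder, not copies), the sample log lines are constructed (only the first is the line from the question), and the `alert` flag mirrors OSSEC's default `log_alert_level` of 1.

```python
import re

# Constructed sample syslog lines for this example. The first is the line from the
# question; the others are made up to show events that must NOT reach rule 310202.
SAMPLE_LOGS = [
    "Feb  3 10:23:08 testsys kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5575",
    "Feb  3 10:23:08 testsys kernel: usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3",
    "Feb  3 10:24:11 testsys kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP DPT=22",
    "Feb  3 10:25:42 testsys sshd[2211]: Accepted publickey for bob from 10.0.0.5 port 51234 ssh2",
]

# Phase 1: pre-decoding. OSSEC splits a BSD-syslog line into timestamp, hostname,
# program_name (an optional [pid] is dropped) and the remaining 'log' field.
SYSLOG_HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^:\[\s]+)(?:\[\d+\])?: "
    r"(?P<log>.*)$"
)

def predecode(line):
    """Return the pre-decoded fields, or None if the line is not syslog-shaped."""
    m = SYSLOG_HEADER.match(line)
    return m.groupdict() if m else None

# Phase 2: decoding. The stock 'iptables' decoder claims every event whose
# program_name matches ^kernel. The child decoder from the answer then runs
# ^(usb) on the log field (offset="after_parent") and stores the capture in
# the 'id' field (<order>id</order>).
USB_CHILD = re.compile(r"^(usb) ")
# Extra enrichment for this example only; the answer's decoder does not extract these.
USB_IDS = re.compile(r"idVendor=(?P<vendor>[0-9a-f]{4}), idProduct=(?P<product>[0-9a-f]{4})")

def decode(event):
    if event is None or not event["program_name"].startswith("kernel"):
        return event  # parent decoder did not match, so no child decoder runs
    event["decoder"] = "iptables"
    m = USB_CHILD.match(event["log"])
    if m:
        event["id"] = m.group(1)
        ids = USB_IDS.search(event["log"])
        if ids:
            event["vendor"], event["product"] = ids.group("vendor"), ids.group("product")
    return event

# Phase 3: rules. 310201 groups every iptables-decoded event with id == usb at
# level 0; 310202 (if_sid 310201) fires at level 1 when the log contains the text.
# <match> is a substring test unless anchored with ^, which is why the answer's
# version drops the leading ^ the question used.
def filter_rules(event):
    if event is None or event.get("decoder") != "iptables" or event.get("id") != "usb":
        return None
    matched = {"rule_id": 310201, "level": 0, "description": "USB messages grouped."}
    if "New USB device found" in event["log"]:
        matched = {"rule_id": 310202, "level": 1, "description": "Attached USB Storage"}
    return matched

def analyze(line, log_alert_level=1):
    """Run the three phases; 'alert' mirrors OSSEC's default log_alert_level of 1."""
    event = decode(predecode(line))
    rule = filter_rules(event)
    if rule is None:
        return None
    return {**rule,
            "alert": rule["level"] >= log_alert_level,
            "vendor": event.get("vendor"),
            "product": event.get("product")}

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(analyze(line))
```

Running it gives one result per line: the question's line reaches 310202 at level 1 and alerts; the `New USB device strings` line stops at the level-0 grouping rule; the iptables-style line is claimed by the parent decoder but gets no `id`, so neither rule matches; the sshd line is never decoded as iptables at all. Two practitioner caveats follow from the `usb` prefix match: any USB device (keyboard, mouse, hub) fires 310202, not only storage, so if only mass storage matters the separate `USB Mass Storage device detected` message logged by the usb-storage driver is the better hook; and, as the comment above describes, a local decoder that also keys on `kernel` loses to the stock iptables decoder that was loaded first, which is why chaining off `iptables` as the parent works where a new `kernel` parent did not.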
0

You can give our OSSEC ruleset a try. It is updated periodically with new decoders and rules.

It can be found here:

https://github.com/wazuh/ossec-rules

And instructions are here (including a script to run the updates automatically):

http://documentation.wazuh.com/en/latest/ossec_ruleset.html

Regarding the USB storage detection, I've done it for Windows, with a configuration like this:

<localfile>
  <frequency>10</frequency>
  <log_format>full_command</log_format>
  <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
</localfile>

And rule like this:

<rule id="140125" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'reg QUERY</match>
  <check_diff />
  <description>New USB device connected</description>
</rule>

For Linux I think it would be even easier. Do you have an example of a log message? Most likely you only need to create the rule for it.

  • Feb 3 10:23:08 testsys kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5575 -- is what I am trying to match on. And I do have rules already created but they are not generating alerts. I will update my question to include what I have. – user53029 Feb 03 '16 at 16:26
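Added example (not code from the answer above or from the Wazuh ruleset): a Python model of what the `full_command` plus `<check_diff />` pairing in the answer does, run over two constructed snapshots of `reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR` output taken one poll apart. The device subkeys are invented for this example; the `Disk&Ven_…&Prod_…&Rev_…` naming is the layout Windows uses under USBSTOR.

```python
import re

# Constructed sample output of
#   reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
# at two successive polls. The first line is the queried key itself; each
# further line is one device-class subkey. Device names are invented.
SNAPSHOT_1 = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP
"""
SNAPSHOT_2 = SNAPSHOT_1 + (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00"
    + "\n"
)

# Only subkeys below USBSTOR carry a device; the parent key line does not match.
USBSTOR_KEY = re.compile(
    r"\\USBSTOR\\(?P<devtype>[^&]+)&Ven_(?P<vendor>[^&]+)&Prod_(?P<product>[^&]+)&Rev_(?P<rev>\S+)$"
)

def parse_usbstor(output):
    """Map each USBSTOR device-class subkey name to its vendor/product/revision."""
    devices = {}
    for raw in output.splitlines():
        line = raw.strip()
        m = USBSTOR_KEY.search(line)
        if m:
            devices[line.rsplit("\\", 1)[-1]] = m.groupdict()
    return devices

def check_diff(previous_output, current_output):
    """Mimic <check_diff/>: OSSEC fires on ANY change in the command output.
    On top of that, report which device subkeys appeared or disappeared so the
    alert can say what was plugged in rather than just that something changed."""
    before = parse_usbstor(previous_output)
    after = parse_usbstor(current_output)
    return {
        "changed": previous_output != current_output,
        "added": {k: after[k] for k in after.keys() - before.keys()},
        "removed": {k: before[k] for k in before.keys() - after.keys()},
    }

if __name__ == "__main__":
    # In a real deployment the previous snapshot is persisted between polls;
    # here both snapshots are in memory.
    print(check_diff(SNAPSHOT_1, SNAPSHOT_2))
```

Two caveats a practitioner would want: `<check_diff />` compares the whole command output, so it also fires on a removal or on a reordering of the lines, and the rule description "New USB device connected" is then slightly optimistic; and Windows keeps USBSTOR entries after the device is unplugged, so this query catches a storage device the first time it is seen on the host, not every insertion.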