
OSSEC HIDS

By klard | June 29, 2006

I installed OSSEC HIDS recently on a group of servers. There are a handful of BSD boxes and a single Windows 2003 Server box.
This set of tools obviously adds a ton of value to the security profile of the network. OSSEC reads through the snort logs and tries to correlate events between the snort logs, system logs, firewall logs, etc., which is a ton of value to an overworked network admin who is supporting several different networks. However, the agent on the Windows server seems to crash constantly. I really don’t think the agent has run for more than an hour at a time. This creates a serious problem, as I either need to uninstall the agent or figure out what the problem is, or some combination.

I have to update this because, well, one of the developers actually posted here and was very generous with his time, and the post deserves to be updated. The problem with the Windows 2003 server was very simple to resolve: the agent could not find the IIS log file and crashed. Had I taken the proper time to review the log files I would have noticed this at the outset. It was simply a matter of updating the ossec.conf file and telling it exactly where the log file was located.

Secondly, I am getting a report that one of the boxes has a kernel rootkit installed... not good. Here I am supposed to be a security professional, and I might have a rootkit installed on a FreeBSD box. So off I go to take a look at this. First I try every way I can think of to discover the hidden processes that OSSEC is warning me about; I install lsof and chkrootkit on the box and find nothing, knowing of course that if it is a kernel level rootkit these tools will be practically useless, as the rootkit will hide its processes from these tools as well. I am now running tcpdump on a spanned port with this machine and will try to do a full analysis of the trace from it to see if there is any abnormal traffic coming from the box. In the meantime I will continue to try to determine if there is actually a rootkit on the box or if OSSEC is giving me a heart attack for nothing.

The point, of course, is that this tool was supposed to add security and value to my network, and at least for the time being, it has instead added to my workload.

Update: I have been monitoring the box that reports having a rootkit periodically, and as far as I can tell the only traffic leaving the box is traffic I would expect to see. I do not see any traffic going to any strange ports like IRC that would indicate a backchannel control of some kind. I think it would behoove me to block outbound traffic from this box except over the ports I expect, and also to continue monitoring it for abnormalities.
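For reference, this is the shape of the ossec.conf fix described above, added here as an illustration rather than copied from the post or from the OSSEC project; the W3SVC1 directory and the daily ex%y%m%d.log naming are assumptions (the IIS 6 defaults) and must match what the site's Logging properties on the Windows 2003 box actually show:

```xml
<ossec_config>
  <!-- Agent-side ossec.conf on the Windows 2003 host.
       The path below is an assumption (stock IIS 6 W3C log directory);
       confirm it in the IIS site's Logging properties before relying on it. -->
  <localfile>
    <!-- IIS rolls a new file each day; strftime tokens in <location>
         let the agent follow the current day's file instead of a name
         that stops existing at midnight. -->
    <location>C:\WINDOWS\System32\LogFiles\W3SVC1\ex%y%m%d.log</location>
    <log_format>iis</log_format>
  </localfile>

  <!-- Windows event logs are read by channel name, not by file path. -->
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>
```

After restarting the agent, its own ossec.log is the place to confirm the file opened cleanly, since that is where the original failure to find the IIS log was recorded.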

Topics: Security

2 Responses to “OSSEC HIDS”

  1. daniel Says:
    July 10th, 2006 at 9:08 pm

    Hi Klard,

    Someone pointed out to me this blog entry. I am one of the ossec
    developers and I would like to offer some help to fix these problems
    with ossec. What kind of message are you getting regarding kernel
    level rootkits? Ossec tries to detect anomalies using system call
    comparisons and since I am not a freebsd user, we may have some
    problem in there. Same applies to your windows box; I have been
    using ossec on my windows systems (2000 and XP) for weeks without
    any problem, maybe we have something with 2003 that I am not aware
    of.

    Thanks!

    Daniel
    dcid @ ( at ) ossec.net

  2. klard Says:
    July 11th, 2006 at 8:58 am

    I am impressed that you would care enough to write me and will gladly forward information regarding the problems I am having with both FreeBSD and Windows 2003.
