OSSEC 2.7.1 has been released and posted on our download page. You can check the release notes to find out what has been updated in this release. Note that there has been no update to the OSSEC virtual appliance; we will bring that system in line with 2.7.1 before the end of the year.
OSSEC CON 2013 is in the books, as they say, and the team is happy to report that the event was a great success. We had twice as many attendees at this year's conference as we had the previous year. Many of the folks who attended last year brought their colleagues to learn more about OSSEC from our team of experts – Scott, Michael and Santiago.
Here's a brief summary of the presentations and where we are going with OSSEC in the months ahead. We've also included download links to slides for each presentation.
Keynote I – OSSEC Active Response and Self Healing – Scott Shin
Scott Shin is Co-Founder and CTO of AtomiCorp, maker of the Atomic Secured Linux™ distribution, which includes OSSEC as one of its many security tools. Scott has been active on the OSSEC project for over 7 years. He has made many contributions to the project, most notably RPMs for many Linux flavors, lots of rules and additional code features.
As most of you know, OSSEC provides Active Response, which lets admins configure OSSEC to run scripts that take action in response to specific events. Scott showed us how to write basic active response rules that trigger response scripts. He went on to discuss how his company uses active response to make system changes in the OS to prevent malicious applications from running.
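As an added example (this is not from the write-up or from AtomiCorp's rules), here is the smallest useful active response configuration for ossec.conf. It uses firewall-drop.sh, which ships in /var/ossec/active-response/bin, and fires it on the built-in sshd brute-force rule 5712. The white-listed management address, the choice of rule and the 10-minute timeout are assumptions for this illustration.

```xml
<ossec_config>
  <global>
    <!-- Assumed management host. White-listed addresses are never
         acted on, so a noisy scan from the jump box cannot lock us out. -->
    <white_list>192.0.2.10</white_list>
  </global>

  <!-- 1. Declare the command. The executable is looked up in
       /var/ossec/active-response/bin and is invoked as
       <action> <user> <srcip> <alert_id> <rule_id>,
       where action is "add" on trigger and "delete" when the timeout expires. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- 2. Bind the command to a trigger. rules_id picks a specific rule;
       use <level> instead to react to any alert at or above a severity.
       location may be local, server, defined-agent or all. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5712</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Every invocation, add and delete alike, is written to /var/ossec/logs/active-responses.log, which is the first place to look when a block did not happen or did not lift. Because the script runs as root on the host that raised the alert, keep the trigger narrow (a specific rule id rather than a low level) and always set a timeout; a permanent drop on a rule that can be tripped by spoofed source addresses is a denial of service you configured yourself.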
3rd Party Integration – OSSIM and OSSEC – Santiago Gonzalez
Santiago Gonzalez is the Director of Professional Services at AlienVault, producer of OSSIM, the open source security management system that uses OSSEC for host intrusion detection. AlienVault has been involved with the OSSEC Project almost since the beginning, having integrated it into OSSIM very early on. Santiago is the newest member of the OSSEC core team. The conference was treated to the news that two days before OSSEC CON, Santiago became a father when his wife gave birth to their first child, a baby girl. Congratulations Santi!
OSSIM integrates several open source security tools that provide threat detection, behavior monitoring and vulnerability assessment. With OSSIM you can both deploy OSSEC agents and monitor OSSEC security events. OSSIM has a sophisticated security event correlation engine that lets you create event rules composed of specific OSSEC security event types.
OSSIM features a rich browser-based console GUI that includes dashboards for status monitoring, viewing events, controlling OSSEC agents, configuring OSSEC, editing rules, viewing logs and producing PDF and HTML formatted reports.
Keynote II – Making the Most of OSSEC – Michael Starks
Michael Starks is another long-time veteran of the OSSEC Project. He is a senior security analyst in the financial world and was our keynote speaker at last year's conference. Michael shared some of his tried and true OSSEC best practices with us. Here are just a few examples:
Make all rule changes in local_rules.xml. If you edit the built-in rules, your changes will be lost when you upgrade!
Make all decoder changes/additions in local_decoder.xml. If you edit the built-in decoders.xml, your changes will be lost when you upgrade! If correcting a built-in decoder, you will need to first comment it out in decoders.xml.
Frequency in a composite rule doesn't mean what you think it does:
<rule id="100002" level="10" frequency="3" timeframe="160">
This rule matches on the fifth event, not the third: the engine fires at frequency + 2.
The team is actually discussing the configuration issue highlighted in this third tip. Some of us see it as a bug, so we may "fix" it in a future release. At any rate, you can get all of Michael's tips in his presentation slides.
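Putting the first and third tips together, here is a complete local_rules.xml entry as an added example (it is not from Michael's slides). It builds on the built-in rule 5716, "SSHD authentication failed"; the rule id 100002, level, frequency and timeframe are the ones from the tip, and local rule ids must stay in the 100000-119999 range reserved for user rules.

```xml
<group name="local,syslog,sshd,">
  <!-- Added example. Composite rule: counts matches of built-in rule 5716
       from the same source address within 160 seconds. With frequency="3"
       the alert fires on the FIFTH match (frequency + 2), not the third,
       so size the value for the count you actually want. -->
  <rule id="100002" level="10" frequency="3" timeframe="160">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>sshd: repeated authentication failures from one source (fires on the 5th in 160 s)</description>
  </rule>
</group>
```

local_rules.xml is loaded through the `<include>local_rules.xml</include>` line in the `<rules>` block of ossec.conf; keep it last so it can reference and override the built-ins. To check the count, run /var/ossec/bin/ossec-logtest and paste five constructed sshd lines of the form `sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 4242 ssh2` (same source address) into one session: rule 100002 should appear only after the fifth line. Since the team may change this behaviour in a later release, repeat that replay after every upgrade before trusting thresholds that were tuned against the +2 offset.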
We had planned to divide the attendees into separate breakout discussion sessions to talk about new deployment, intelligence and structural features for OSSEC 3.0. However, since everyone was interested in asking questions about and discussing all of these areas, we brought up each of these topics before the whole conference.
Generally speaking, there were many questions about how people were using and deploying OSSEC. The experts in attendance gave us a lot of good information. Talk of new features for OSSEC 3.0 was driven largely by the OSSEC development team. It was useful for us to put those ideas out there to get feedback from the rest of the conference participants.
Although the specific roadmap is still a work in progress, here is a summary of some important items that we are going to get working right away.
- yum repository for OSSEC RPM distribution
- apt-get repository for OSSEC DEB distribution
- Create a rules repository independent of the rules that come with OSSEC.
- Fix agent-authd to work properly on Windows
- Pass MD5 values for changed files in alerts.
- Add a generic active response handler that can be configured to send MD5s to file services like VirusTotal.
These are just a start. We have many more fixes to make and features to add that we are getting from our user and developer community. Stay tuned for more information about upcoming OSSEC releases, including 2.7.1 which is just around the corner.
Thanks to our loyal community of users and developers for making OSSEC and OSSEC CON 2013 a great success.
It's official: OSSEC CON 2013 is scheduled for Thursday, July 25th at Trend Micro Cupertino. This is a free one-day event, open to all who are interested, where you will hear from noted security experts about OSSEC applications and deployments, and confer with your colleagues in the community to learn how to get the most out of OSSEC.
For more information and to register for the event please visit the conference announcement page.
See you all there!
To make life easier for folks to get up and running with OSSEC, we have produced a VMware virtual appliance that includes OSSEC 2.7 and a new version of the OSSEC Web UI. The appliance runs on CentOS 6.4 and is bundled with the latest version of XAMPP to power the UI. When you boot up the system you'll find an OSSEC 2.7 tarball and OSSEC 2.7 Windows agent on the desktop which you can deploy to your target systems. To copy either of these packages to your host system, just drag them from the VM desktop onto your host desktop.
The appliance network interface is configured in bridged mode, which means it will get its own IP address from your local DHCP server and look like a separate host on your network. The iptables firewall has been turned off. You can also log in to the appliance via ssh from an external host, if necessary.
To run the appliance you'll need VMware Fusion 4.x, VMware Workstation 8.x or VMware Player 4.x. The login account user name is user and the password is _0ssec_. The root password is also _0ssec_. Because these credentials are published here and the firewall is off, change both passwords and re-enable iptables (or at least restrict ssh to your own hosts) before leaving the appliance on a shared network.
You can get the OSSEC virtual appliance from our Downloads page. Enjoy!
JB and I were invited to present at the Cornerstones of Trust Conference in Foster City, CA on June 18th. The theme of the conference was Securing Ubiquity – Protecting the Enterprise of Things. We spoke in the Hands On - Cyber Security in the Connected World track about OSSEC features and how it integrates with virtually any SIEM through syslog. OSSEC integrates nicely with Splunk using the Splunk for OSSEC application.
Presenting with us was Jimmy Sanders, Security Architect at Samsung USA and Santiago Gonzalez, Director of Professional Services at AlienVault – the maker of OSSIM.
Jimmy gave a brief introduction to open source security tools, including commonly available systems such as OSSEC, AIDE (Advanced Intrusion Detection Environment) and Tripwire.
Next JB and I discussed OSSEC, its basic features and how it integrates with systems like Splunk and OSSIM.
The session concluded with an introduction by Santiago to the OSSIM system and how it is used with OSSEC. OSSIM is a great system that incorporates many other security tools to monitor and act upon security events in your networks. OSSIM has a long history with OSSEC integration going back to the early days when OSSEC was first created. OSSEC forms the backbone of OSSIM's HIDS capabilities.
If you are interested in more details about our Cornerstones of Trust presentation, you can download our PowerPoint slides. Both Jimmy and Santiago will be attending the upcoming OSSEC CON on July 25th at Trend Micro in Cupertino, so please consider attending so you can meet them and many others from the OSSEC Community.
We are putting the finishing touches on the 2.7.1 release. The Beta-1 version is available on our downloads page. There is a new version of the OSSEC WebUI, 0.8 Beta-1, that has numerous bug fixes and a new install script that sets up all the permissions so that you should get a Web UI running right out of the box.
Please note, we strongly recommend that you use OSSEC Web UI with XAMPP, a nice package that includes all the LAMP components you need – Apache, MySQL and PHP. Vic wrote blogs on how to set up XAMPP on Linux and Mac OS systems, so it is very easy to get OSSEC Web UI working.
We've also redesigned the downloads section to make it easier to see and get right to the packages you want.
The OSSEC Project is going to have its second symposium this summer at Trend Micro in Cupertino. We are calling this OSSEC CON 2013 and it will be held on July 25th, so mark your calendars. We will have Scott Shin and Michael Starks giving the keynotes and Santiago Gonzalez from AlienVault talking about OSSEC management with OSSIM. We are also in the planning stages for OSSEC 3.0, whose features we will be planning at the conference.
Look for an official schedule in the next few days.
It has been over a year since the release of OSSEC 2.6 in July 2011. In that time many developers have contributed patches and many users have tested several pre-release builds. A sincere THANKS to all of you. The key enhancements in v2.7 are:
- Add hybrid mode – allows the same host to be both a server and an agent, useful for multi-tier OSSEC deployment.
- Add manage_agents -f option for bulk generation of client keys from an input file.
- During Agent installation, allow the OSSEC server to be specified using hostname instead of IP.
- Add prelinking support – reduce confusion when a file change is the result of prelinking.
- Add fine-grained configuration control – allows you to turn ON/OFF individual rootcheck tasks for more efficiency and flexibility. The default is all ON.
- Log monitoring/analysis
  - Add GeoIP lookup support – allows geographical city names to be associated with IP addresses in OSSEC alerts, for more intelligent correlation.
- Alert options and syslog output
  - Add syscheck MD5/SHA1 sum to alerts for easier integration with third-party file signature checking.
  - Support JSON and Splunk formats in syslog output.
- Rules and other notable changes/fixes
  - Windows 2000 logs support has been deprecated (but will probably still work fine). Vista and Windows Server 2008 logs are now officially supported.
  - Windows registry syscheck alert level has been reduced from 7 to 5 to reduce unnecessary noise from alerts which do not indicate a compromise.
  - Updated decoders include: PIX, auditd, apache, pam, php.
  - Many updated rules, such as new checks for exploitation attempts against vulnerable web apps.
  - Updated rootcheck rules.
  - ossec-client.sh now allows for 'reload', in addition to 'restart'.
  - Many bug fixes…
  - LICENSE text updated by adding an exception clause for OpenSSL, while OSSEC remains under GPLv2.
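The per-task rootcheck switches and the new syslog output formats are both ossec.conf settings, so one fragment can exercise both. It is an added example, not text from the release; the collector address, the level threshold and the decision to disable the port and interface checks are assumptions made for the illustration.

```xml
<ossec_config>
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <!-- 2.7 per-task switches; every task defaults to yes, so only the
         "no" lines change anything. Here the port and interface checks are
         switched off for a host where promiscuous-mode false positives are
         expected (an assumption for this example); the file, trojan and
         hidden-process checks stay on. -->
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>no</check_ports>
    <check_if>no</check_if>
  </rootcheck>

  <!-- Forward alerts to a SIEM over syslog (UDP). -->
  <syslog_output>
    <server>10.0.0.5</server>   <!-- assumed collector address -->
    <port>514</port>
    <level>7</level>            <!-- only alerts at level 7 and above leave the box -->
    <format>json</format>       <!-- "splunk" gives key=value; omit for the classic text form -->
  </syslog_output>
</ossec_config>
```

syslog_output does nothing until the forwarder is enabled: run `/var/ossec/bin/ossec-control enable client-syslog` once, then restart OSSEC. The transport is plain UDP syslog, so alerts (which include hostnames, usernames and the matched log line) cross the wire in clear; keep the collector on a management segment or carry the hop in a tunnel. The JSON form is the one to feed a parser; Splunk users can instead use the Splunk for OSSEC application mentioned in the Cornerstones of Trust write-up above.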
Download OSSEC 2.7 package from here.
November 19, 2012