OSSEC for host-based intrusion detection

By Jake Edge
April 21, 2010

A free software entrant into the host-based intrusion detection system (HIDS) arena, OSSEC, released version 2.4 earlier this month, with a number of upgrades and bug fixes. OSSEC may not be as well-known as other free software HIDS, like Samhain, AIDE, Osiris, or Open Source Tripwire, but they are all trying to do a similar job: detect changes to a running system that may have been caused by malicious activity. The techniques used by HIDS vary considerably, from simply hashing file contents and comparing them periodically to more sophisticated log file and behavioral analysis.

Conceptually, a HIDS should monitor everything about the system's state, such that it can detect changes in behavior that stem from some kind of host intrusion. Unlike network intrusion detection systems (NIDS), which look at the network traffic to try to detect intrusion attempts, HIDS will only see problems after the fact. It is, in some sense, a second line of defense that is generally deployed behind a NIDS, at least in those installations with high security needs.

Most HIDS implementations only bite off some portion of the job. The simplest look for changes to system files and binaries by using hashes of their contents. Taking that a step further, and storing the hashes of "important" files on a separate system or read-only media provides defense against an intrusion that targets the files which store the hashes. OSSEC takes that idea even further by moving most of the monitoring and analysis to separate, presumably strongly hardened systems.
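The hash-and-compare approach described above, as an added example (not OSSEC's own code): a baseline of file digests is built, serialized so it can be kept off the monitored host, and later diffed against a fresh scan. The tree, file contents and the "tampering" are all constructed inside a temporary directory.

```python
import hashlib
import json
import os
import tempfile

def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large binaries are cheap to scan."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map every regular file under root (by relative path) to its digest, size and mode."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            baseline[os.path.relpath(full, root)] = {
                "sha256": hash_file(full), "size": st.st_size, "mode": st.st_mode & 0o7777}
    return baseline

def compare(baseline, current):
    """Diff a stored baseline against a fresh scan: added, removed and modified paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: baseline a small tree, alter it, rescan and report."""
    root = tempfile.mkdtemp()
    write(os.path.join(root, "bin", "ls"), b"original binary")
    write(os.path.join(root, "etc", "passwd"), b"root:x:0:0:root:/root:/bin/sh\n")
    # In a real deployment the serialized baseline lives off-host or on read-only media,
    # so that whoever can alter the monitored files cannot also alter the record of them.
    stored = json.dumps(build_baseline(root), sort_keys=True)
    write(os.path.join(root, "bin", "ls"), b"replaced binary")   # same size, new contents
    write(os.path.join(root, "bin", "extra"), b"file that was not there before")
    os.remove(os.path.join(root, "etc", "passwd"))
    return compare(json.loads(stored), build_baseline(root))
```

Note that the replaced binary keeps its size, so a size-only check would miss it; only the digest comparison reports it.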

The basic architecture is intended to be client-server, with a "manager" running on a central server and "agents" running on each of the systems to be monitored. The agent is a small program that runs with low privileges and forwards information to the manager. There is also a "logcollector" process that runs as root on a client, and does just what its name would imply. Configuration information is mostly stored by the manager with some being locally cached. For obvious reasons, that configuration cache is monitored and changes to it will cause an alert.

OSSEC can be run in standalone mode, where the analysis and gathering are on the same host. The manager can also gather information from various devices, such as routers, firewalls, and other IDS systems without using an agent. There are agentless solutions for some devices, while others can use remote syslog to send their log information to the manager system. OSSEC is cross-platform, running on most major Unix systems as well as various flavors of Windows.

There are four main features to OSSEC, starting with file integrity monitoring. The second is log monitoring, where the rules are fairly extensive, covering a wide range of free and proprietary applications like apache, asterisk, Cisco IOS, McAfee anti-virus, MySQL, PostgreSQL, and so on. Much of what OSSEC does with log files is similar to what logwatch or syslog-ng can do, but the analysis can be done site-wide, and actions can be performed based on what OSSEC finds. New rules can be added for additional services or site-specific logging using an XML rule syntax.

As would be expected, system administrators can be alerted by email if some class of problem is detected. In addition, OSSEC has the ability to perform "active responses" based on certain kinds of attacks. OSSEC comes with a handful of pre-defined responses for things like adding an IP address to /etc/hosts.deny or to various firewalls' deny lists. Adding further active responses is done by creating one XML chunk that specifies what to run and another that describes when to run it.
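The site-wide log analysis and active response flow of the two paragraphs above, as an added example written here rather than taken from OSSEC: a single rule decodes sshd failures from a stream that mixes two hosts, a composite rule fires once a source reaches a threshold across the whole site, and the response is expressed as the /etc/hosts.deny lines that would be written. The log lines, rule names, levels and threshold are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines from two monitored hosts (not a real capture).
SAMPLE_LOG = """\
Apr 21 10:00:01 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 5000 ssh2
Apr 21 10:00:03 host1 sshd[2002]: Failed password for root from 203.0.113.7 port 5001 ssh2
Apr 21 10:00:09 host2 sshd[3001]: Failed password for alice from 198.51.100.4 port 6000 ssh2
Apr 21 10:00:11 host2 sshd[3002]: Failed password for root from 203.0.113.7 port 5002 ssh2
Apr 21 10:00:12 host2 sshd[3003]: Accepted publickey for alice from 198.51.100.4 port 6001 ssh2
"""

# Decoder for one event type; a real rule set carries many such patterns.
FAILED_LOGIN = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")

def analyze(log_text, threshold=3):
    """Run the rule set over a log stream gathered from all hosts.

    Returns (alerts, deny_list): one low-level alert per failed login, one
    high-level alert the moment a source reaches `threshold` failures site-wide
    (the third failure below comes from a different host than the first two),
    and the list of sources the active response would block.
    """
    failures = defaultdict(int)
    alerts, deny = [], []
    for line in log_text.splitlines():
        m = FAILED_LOGIN.search(line)
        if not m:
            continue
        user, src = m.groups()
        failures[src] += 1
        alerts.append({"rule": "sshd-auth-failure", "level": 5, "src": src, "user": user})
        if failures[src] == threshold:          # fires once, not on every further failure
            alerts.append({"rule": "sshd-bruteforce", "level": 10, "src": src})
            deny.append(src)
    return alerts, deny

def hosts_deny_lines(deny):
    """Lines an active response would append to /etc/hosts.deny for the blocked sources."""
    return [f"ALL: {src}" for src in deny]
```

The threshold is the knob the closing paragraph has in mind when it talks about tuning for false positives: set it too low and a user who mistypes a password a few times ends up in hosts.deny.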

The fourth main feature of OSSEC is rootkit detection that runs periodically on client systems. For Windows clients, there is an additional feature that checks the registry for changes, and alerts the administrator of any it finds.

OSSEC was originally written by Daniel Cid and released as free software in 2004. Since that time, the code has been acquired twice, most recently by Trend Micro, which offers commercial support for OSSEC. It is licensed under the GPLv3, and is available as a tarball (along with SHA1/MD5 hashes for verification) from the installation page.

As with any HIDS solution, it will require some tweaking for specific environments to reduce false positives to a manageable level. OSSEC has a number of useful features and looks to be a solution that is growing in popularity. It would seem to be a good candidate for one or more distributions to pick up and configure for their specific needs, which would make it easier for their users to start monitoring with OSSEC. For anyone considering HIDS for security at their site, OSSEC is worth a look.


New vulnerabilities

apache-mod_auth_shadow: restriction bypass

Package(s): apache-mod_auth_shadow    CVE #(s): CVE-2010-1151
Created: April 19, 2010    Updated: May 28, 2010
Description: From the Mandriva advisory:

A race condition was found in the way mod_auth_shadow used an external helper binary to validate user credentials (username / password pairs). A remote attacker could use this flaw to bypass intended access restrictions, resulting in the ability to view and potentially alter resources which should otherwise be protected by authentication.

Fedora FEDORA-2010-6290 mod_auth_shadow 2010-04-09
Fedora FEDORA-2010-6359 mod_auth_shadow 2010-04-10
Fedora FEDORA-2010-6323 mod_auth_shadow 2010-04-10
Mandriva MDVSA-2010:081 apache-mod_auth_shadow 2010-04-18


clamav: denial of service

Package(s): clamav    CVE #(s): CVE-2010-1311
Created: April 19, 2010    Updated: September 8, 2010
Description: From the Mandriva advisory:

The qtm_decompress function in libclamav/mspack.c in ClamAV before 0.96 allows remote attackers to cause a denial of service (memory corruption and application crash) via a crafted CAB archive that uses the Quantum (aka .Q) compression format. NOTE: some of these details are obtained from third party information.

Gentoo 201009-06 clamav 2010-09-07
Mandriva MDVSA-2010:082-1 clamav 2010-05-20
SuSE SUSE-SR:2010:010 krb5, clamav, systemtap, apache2, glib2, mediawiki, apache 2010-04-27
Pardus 2010-55 clamav 2010-04-20
Mandriva MDVSA-2010:082 clamav 2010-04-18


gource: predictable temporary filename

Package(s): gource    CVE #(s): (none assigned)
Created: April 20, 2010    Updated: April 21, 2010
Description: From the Red Hat bugzilla:

A Debian bug report notes that Gource creates its log file with a predictable name (/tmp/gource-$(UID).tmp), which a malicious user could use to overwrite arbitrary files via a symlink attack, with the privileges of the user running Gource.

Fedora FEDORA-2010-6766 gource 2010-04-16


irssi: multiple vulnerabilities

Package(s): irssi    CVE #(s): CVE-2010-1155 CVE-2010-1156
Created: April 16, 2010    Updated: June 21, 2010
Description: From the Ubuntu advisory:

It was discovered that irssi did not perform certificate host validation when using SSL connections. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. (CVE-2010-1155)

Aurelien Delaitre discovered that irssi could be made to dereference a NULL pointer when a user left the channel. A remote attacker could cause a denial of service via application crash. (CVE-2010-1156)

Fedora FEDORA-2010-6618 irssi 2010-04-15
Fedora FEDORA-2010-6612 irssi 2010-04-15
Fedora FEDORA-2010-6629 irssi 2010-04-15
SuSE SUSE-SR:2010:011 dovecot12, cacti, java-1_6_0-openjdk, irssi, tar, fuse, apache2, libmysqlclient-devel, cpio, moodle, libmikmod, libicecore, evolution-data-server, libpng/libpng-devel, libesmtp 2010-05-10
Slackware SSA:2010-116-01 irssi 2010-04-26
Ubuntu USN-929-2 irssi 2010-04-20
Mandriva MDVSA-2010:079 irssi 2010-04-17
Ubuntu USN-929-1 irssi 2010-04-16


java: information disclosure

Package(s): java-1.6.0-sun    CVE #(s): CVE-2010-0886 CVE-2010-0887
Created: April 20, 2010    Updated: July 21, 2010
Description: From the Oracle advisory:

This Security Alert addresses security issues CVE-2010-0886 and CVE-2010-0887, which are vulnerabilities in desktop Java running in web browsers only; these vulnerabilities are not present in Java running on servers or standalone Java desktop applications and do not impact any Oracle server based software. The desktop vulnerabilities are in the Java Deployment Toolkit and the new Java Plug-in that are included in various Oracle Java SE and Java for Business releases. They only affect Java when running in a 32-bit web browser. These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. For a successful exploit, a user running an affected release in their browser will need to visit a malicious web page that exploits this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.

Red Hat RHSA-2010:0356-02 java-1.6.0-sun 2010-04-19
Red Hat RHSA-2010:0549-01 java-1.6.0-ibm 2010-07-21
Gentoo 201006-18 sun-jre-bin 2010-06-04


libnids: denial of service

Package(s): libnids    CVE #(s): CVE-2010-0751
Created: April 20, 2010    Updated: April 21, 2010
Description: From the Pardus advisory:

The ip_evictor function in ip_fragment.c in libnids, as used in dsniff and possibly other products, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via crafted fragmented packets.

Pardus 2010-56 libnids 2010-04-20


memcached: denial of service

Package(s): memcached    CVE #(s): CVE-2010-1152
Created: April 20, 2010    Updated: June 14, 2010
Description: From the Pardus advisory:

memcached.c in memcached allows remote attackers to cause a denial of service (daemon hang or crash) via a long line that triggers excessive memory allocation.

SuSE SUSE-SR:2010:012 evolution-data-server, python/libpython2_6-1_0, mozilla-nss, memcached, texlive/te_ams, mono/bytefx-data-mysql, libpng-devel, apache2-mod_php5, ncpfs, pango, libcmpiutil 2010-05-25
SuSE SUSE-SR:2010:013 apache2-mod_php5/php5, bytefx-data-mysql/mono, flash-player, fuse, java-1_4_2-ibm, krb5, libcmpiutil/libvirt, libmozhelper-1_0-0/mozilla-xulrunner190, libopenssl-devel, libpng12-0, libpython2_6-1_0, libtheora, memcached, ncpfs, pango, puppet, python, seamonkey, te_ams, texlive 2010-06-14
Pardus 2010-52 memcached 2010-04-20


scsi-target-utils: format string vulnerability

Package(s): scsi-target-utils    CVE #(s): CVE-2010-0743
Created: April 20, 2010    Updated: January 23, 2012
Description: From the Red Hat advisory:

A format string flaw was found in scsi-target-utils' tgtd daemon. A remote attacker could trigger this flaw by sending a carefully-crafted Internet Storage Name Service (iSNS) request, causing the tgtd daemon to crash.

Gentoo 201201-06 iscsitarget 2012-01-23
SUSE SUSE-SR:2010:017 java-1_4_2-ibm, sudo, libpng, php5, tgt, iscsitarget, aria2, pcsc-lite, tomcat5, tomcat6, lvm2, libvirt, rpm, libtiff, dovecot12 2010-09-21
openSUSE openSUSE-SU-2010:0608-1 iscsitarget/tgt 2010-09-14
openSUSE openSUSE-SU-2010:0604-1 iscsitarget/tgt 2010-09-13
CentOS CESA-2010:0362 scsi-target-utils 2010-05-28
Mandriva MDVSA-2010:131 iscsitarget 2010-07-12
Debian DSA-2042-1 iscsitarget 2010-05-05
Red Hat RHSA-2010:0362-01 scsi-target-utils 2010-04-20


sudo: arbitrary command execution

Package(s): sudo    CVE #(s): CVE-2010-1163
Created: April 19, 2010    Updated: January 25, 2011
Description: From the Mandriva advisory:

The command matching functionality in sudo 1.6.8 through 1.7.2p5 does not properly handle when a file in the current working directory has the same name as a pseudo-command in the sudoers file and the PATH contains an entry for ., which allows local users to execute arbitrary commands via a Trojan horse executable, as demonstrated using sudoedit, a different vulnerability than CVE-2010-0426.

SUSE SUSE-SR:2011:002 ed, evince, hplip, libopensc2/opensc, libsmi, libwebkit, perl, python, sssd, sudo, wireshark 2011-01-25
openSUSE openSUSE-SU-2011:0050-1 sudo 2011-01-19
rPath rPSA-2010-0075-1 sudo 2010-10-27
Gentoo 201006-09 sudo 2010-06-01
CentOS CESA-2010:0361 sudo 2010-05-28
Mandriva MDVSA-2010:078-1 sudo 2010-04-28
Ubuntu USN-928-1 sudo 2010-04-15
Slackware SSA:2010-110-01 sudo 2010-04-21
Red Hat RHSA-2010:0361-01 sudo 2010-04-20
Mandriva MDVSA-2010:078 sudo 2010-04-17


Page editor: Jake Edge

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds