download issue 24 here - Help Net Security
download issue 24 here - Help Net Security
download issue 24 here - Help Net Security
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Remoted (running on the server) receives the<br />
logs from Agentd (running on the client). Remoted<br />
is running on chroot (user = ossecr)<br />
and Agentd too (user = ossec). Remoted is<br />
responsible for all communications with the<br />
agents.<br />
Monitord is responsible for monitoring the<br />
agents and takes care of the centralized logfiles.<br />
The daily logs are compressed and<br />
signed by this process, too. We have one<br />
process doing analysis, one sending events<br />
and another receiving them. But, we also<br />
need a worker to collect the events, and this<br />
task is performed by the logcollector. This<br />
daemon is running as root, which is required<br />
because it obviously needs access to the logfiles<br />
it will monitor.<br />
The last two daemons are maild and execd.<br />
Maild, running on chroot (user = ossecm)<br />
sends mails on specific alerts if e-mail notification<br />
is enabled (weʼll see later that this is<br />
easily configurable). The final process, which<br />
coincidentally converts the HIDS into a HIPS,<br />
is execd - the process responsible for starting<br />
active responses.<br />
This sums up all the functionality offered by<br />
OSSEC: we collect logs (logcollector), send<br />
them to the server (agentd and remoted), decode<br />
and analyze them (analysisd) and we<br />
act upon the generated alerts (maild and<br />
execd) if so required.<br />
Analysis: when gibberish becomes<br />
language<br />
<br />
(pam_unix)$<br />
<br />
A log event can contain a lot of information,<br />
but we donʼt need all of it. We are interested<br />
in the parts that we can use to create actionable<br />
alerts. OSSEC does the analysis in three<br />
phases: pre-decoding, decoding and analysis.<br />
In the first phase - pre-decoding - the information<br />
provided by the event source is parsed<br />
and known fields are extracted. The time, the<br />
system name and the application name are of<br />
particular interest <strong>here</strong>, but the log message<br />
is left untouched and passes on to the next<br />
phase, decoding. Here, the log message is<br />
inspected in depth and information is further<br />
extracted. Usually we want to gather information<br />
like source IP, username, destination IP,<br />
etc.<br />
With a basic understanding of regular expressions<br />
you can create your own decoders.<br />
Letʼs take a look at the default PAM decoder.<br />
The first two decoder rules are:<br />
<br />
<br />
^pam_unix|^\(pam_unix\)<br />
<br />
The first one tells OSSEC to treat any log<br />
message for which the program name is<br />
(pam_unix) as a PAM message, applying<br />
subsequent decoder rules to it. The second<br />
rule is to catch those PAM messages that, for<br />
one reason or the other, get logged with an-<br />
other program name. Those messages that<br />
contain either the string pam_unix or (pam_unix)<br />
are still regarded as PAM messages.<br />
Now, we need to extract information we can<br />
work with from those messages.<br />
<br />
pam<br />
^session \w+ <br />
^for user (\S+)<br />
user<br />
<br />
www.insecuremag.com 59