OSSEC decoder and rules for Kippo?


nbHd5
Jul 28, 2014, 7:23:17 PM
to ossec...@googlegroups.com

Hi All,

Does anyone have working Kippo decoder and rules for ossec? I've been banging my head against this for the last few days with little success.

target log entries:
2014-07-27 23:53:17-0400 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: #.#.#.#:61953 (#.#.#.#:2222) [session: 19]
2014-07-27 23:53:24-0400 [SSHService ssh-userauth on HoneyPotTransport,19,#.#.#.#] root trying auth none
2014-07-27 23:53:32-0400 [SSHService ssh-userauth on HoneyPotTransport,19,#.#.#.#] login attempt [root/root] failed
2013-05-05 13:34:24-0400 [SSHService ssh-userauth on HoneyPotTransport,29,#.#.#.#] login attempt [root/root] succeeded

In short, I want an informational notice that a connection was made, increased severity for a failed attempt and very high severity for a succeeded one. But first I need to get decoders returning complete variable values before I move on to writing rules.

The closest I've gotten is as far as Paul Herring's posted results:
https://groups.google.com/forum/#!msg/ossec-list/uiK5NVrO5wU/d4vefILS4eYJ

where only the new connection decoder returns complete variable values (srcip, srcport, dstip, dstport, extra_data):

<decoder name="kippo">
    <prematch>\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p\d\d\d\d \p</prematch>
</decoder>

<decoder name="kippo-new-connection">
    <parent>kippo</parent>
    <regex offset="after_parent">^kippo.core.honeypot.HoneyPotSSHFactory\p New connection: (\d+.\d+.\d+.\d+):(\d+) \((\d+.\d+.\d+.\d+):(\d+)\) \psession: (\d+)\p</regex>
    <order>srcip, srcport, dstip, dstport, extra_data</order>
</decoder>

returns:

2014-07-27 23:53:17-0400 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: #.#.#.#:61953 (#.#.#.#:2222) [session: 19]


**Phase 1: Completed pre-decoding.
       full event: '2014-07-27 23:53:17-0400 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: #.#.#.#:61953 (#.#.#.#:2222) [session: 19]'
       hostname: 'intelligence'
       program_name: '(null)'
       log: '2014-07-27 23:53:17-0400 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: #.#.#.#:61953 (#.#.#.#:2222) [session: 19]'

**Phase 2: Completed decoding.
       decoder: 'kippo'
       srcip: '113.161.0.114'
       srcport: '61953'
       dstip: '192.168.1.2'
       dstport: '2222'
       extra_data: '19'


Can anyone see why the next decoder returns no results?

<decoder name="kippo-login-fail">
    <parent>kippo</parent>
    <regex offset="after_parent">^SSHService ssh-userauth on HoneyPotTransport,\d+,(\d+.\d+.\d+.\d+)\p login attempt \p(\.*)\p failed</regex>
    <order>srcip,extra_data</order>
</decoder>

returns:

2014-07-27 23:53:28-0400 [SSHService ssh-userauth on HoneyPotTransport,19,#.#.#.#] login attempt [root/root] failed


**Phase 1: Completed pre-decoding.
       full event: '2014-07-27 23:53:28-0400 [SSHService ssh-userauth on HoneyPotTransport,19,#.#.#.#] login attempt [root/root] failed'
       hostname: 'intelligence'
       program_name: '(null)'
       log: '2014-07-27 23:53:28-0400 [SSHService ssh-userauth on HoneyPotTransport,19,#.#.#.#] login attempt [root/root] failed'

**Phase 2: Completed decoding.
       decoder: 'kippo'


no srcip or extra_data results

   <regex offset="after_parent">^SSHService (\.*)</regex>
   <order>extra_data</order>

didn't return anything either. From what I can see, this should have returned the extra_data variable with nearly the complete log entry. I can't see what in "SSHService ssh-userauth" the regex consistently fails to recognize.

Has anyone had success with this or seen decoder/rules that work. Any ideas what I'm missing?

nbHd5
Jul 28, 2014, 8:04:58 PM
to ossec...@googlegroups.com
Haha.. the "New Connection" notification rule is a success.

<group name="syslog,kippo,">
  <rule id="110000" level="0">
    <decoded_as>kippo</decoded_as>
    <description>Group for Kippo rules.</description>
  </rule>

  <rule id="110001" level="14">
    <if_sid>110000</if_sid>
    <match>New connection</match>
    <description>Kippo New Connection.</description>
    <group>connection_attempt,</group>
  </rule>
</group>

works like a charm though I may reduce the level value and am open to any fine tuning suggestions.


2014-07-27 23:53:24-0400 [SSHService ssh-userauth on HoneyPotTransport,19,#.#.#.#] root trying auth none
2014-07-27 23:53:32-0400 [SSHService ssh-userauth on HoneyPotTransport,19,#.#.#.#] login attempt [root/root] failed
2013-05-05 13:34:24-0400 [SSHService ssh-userauth on HoneyPotTransport,29,#.#.#.#] login attempt [root/root] succeeded

Drat.. no more reasons to procrastinate about getting regex for these working. At minimum, the first tells me that a connection tried to authenticate, since "new connection" could be any random port scanner going past. Solve the first and it should be easy enough to develop it for the second and third.

<regex offset="after_parent">^SSHService ssh-userauth on HoneyPotTransport,\d+,(\d+.\d+.\d+.\d+)\p (\.*)</regex>
<regex offset="after_parent">^SSHService ssh-userauth on HoneyPotTransport,\d+,(\d+.\d+.\d+.\d+)\p login attempt \p(\.*)\p failed</regex>
<regex offset="after_parent">^SSHService ssh-userauth on HoneyPotTransport,\d+,(\d+.\d+.\d+.\d+)\p login attempt \p(\.*)\p succeeded</regex>

<order>srcip,extra_data</order>

dan (ddp)
Jul 30, 2014, 8:10:26 AM
to ossec...@googlegroups.com
Sometimes I hate decoders. Try this pattern instead, it seems to work for me:

<decoder name="kippo-new-connection">
<parent>kippo</parent>
<prematch offset="after_parent">^kippo.core.honeypot.HoneyPotSSHFactory\p New connection: </prematch>
<regex offset="after_prematch">^(\d+.\d+.\d+.\d+):(\d+) \((\d+.\d+.\d+.\d+):(\d+)\) \psession: (\d+)\p</regex>
<order>srcip, srcport, dstip, dstport, extra_data</order>
<!--<regex offset="after_parent">^kippo.core.honeypot.HoneyPotSSHFactory\p New connection: (\d+.\d+.\d+.\d+)</regex>
<order>srcip</order>-->
</decoder>

<decoder name="kippo-login-fail">
<parent>kippo</parent>
<prematch offset="after_parent">^SSHService ssh-userauth on HoneyPotTransport,\d+,</prematch>
<regex offset="after_prematch">^(\d+.\d+.\d+.\d+)\p login attempt

Bran Runn
Jul 30, 2014, 9:15:33 AM
to ossec...@googlegroups.com

Remove me from this list

dan (ddp)
Jul 30, 2014, 10:55:39 AM
to ossec...@googlegroups.com
I think I like this a little better:
<decoder name="kippo-login-fail">
<parent>kippo</parent>
<prematch offset="after_parent">^SSHService ssh-userauth on HoneyPotTransport,\d+,</prematch>
<regex offset="after_prematch">^(\d+.\d+.\d+.\d+)\p login attempt \p(\.*)\p (\S+)</regex>
<order>srcip,extra_data,status</order>
</decoder>

nbHd5
Jul 30, 2014, 9:11:51 PM
to ossec...@googlegroups.com
I actually ended up writing two separate decoders. While I'd like to see more variables pulled from the log line, I have enough to get connect, fail and success rules.

In /var/ossec/etc/local_decoder.xml

<decoder name="kippo-connection">
    <prematch>\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p\d\d\d\d \pkippo.core.honeypot.HoneyPotSSHFactory\p </prematch>
</decoder>

<decoder name="kippo-new-connection">
    <parent>kippo-connection</parent>
    <regex offset="after_parent">^New connection: (\d+.\d+.\d+.\d+):(\d+) \((\d+.\d+.\d+.\d+):(\d+)\) \psession: (\d+)\p</regex>

    <order>srcip, srcport, dstip, dstport, extra_data</order>
</decoder>

<decoder name="kippo-connected">
    <prematch>\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p\d\d\d\d \pSSHService ssh-userauth on HoneyPotTransport</prematch>
</decoder>

<decoder name="kippo-connected-login">
    <parent>kippo-connected</parent>
    <regex offset="after_parent">,\d+,(\d+.\d+.\d+.\d+)\p login attempt (\.+) (\w+)</regex>
    <order>srcip, extra_data, status</order>
</decoder>

The first decoder matches the New Connection log line format with the child decoder matching the variables srcip, srcport, dstip, dstport and extra data.

The third decoder matches the connection attempt log line format with the child decoder matching srcip, extra data and status (was it failed or succeeded).

In /var/ossec/etc/ossec.conf, insert kippo_rules.xml before local_rules.xml in the rules block:

  <rules>
    ...
    ...
    <include>kippo_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>

In /var/ossec/rules/kippo_rules.xml

<group name="syslog,kippo,">
  <rule id="110010" level="0">
    <decoded_as>kippo-connection</decoded_as>
    <description>Kippo New Connection</description>
  </rule>

  <rule id="110011" level="5">
    <if_sid>110010</if_sid>

    <match>New connection</match>
    <description>Kippo New Connection.</description>
    <group>connection_attempt,</group>
  </rule>

  <rule id="110020" level="0">
    <decoded_as>kippo-connected</decoded_as>
    <description>Kippo Connected</description>
  </rule>

  <rule id="110021" level="5">
    <if_sid>110020</if_sid>
    <match>login attempt</match>
    <regex>failed$</regex>
    <description>Kippo Login Failed.</description>
    <group>authentication_failed,</group>
  </rule>

  <rule id="110022" level="5">
    <if_sid>110020</if_sid>
    <match>login attempt</match>
    <regex>succeeded$</regex>
    <description>Kippo Login Succeeded.</description>
    <group>authentication_success,</group>
  </rule>
</group>

Rule 110010 catches the event from the kippo-connection decoder. Rule 110011 matches "New connection" from the log line and causes the level 5 alert so that Security Onion displays it in Sguil without causing an active response from Ossec. Additional rules for the kippo-connection log line could also be added.

Rule 110020 catches the event from the kippo-connected decoder. Rules 110021 and 110022 match failed and succeeded login attempts respectively, currently both also at level 5 so Sguil displays them. Additional rules could also be added based on the connected log line format.

Really, I wasn't sure if decoded_as grouping had to be in the separate grouping rule but it worked this way; catch the event off the decoder then activate the alert off a related child rule.

Posted here because I couldn't find complete Kippo examples anywhere else.
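As an added example that is not part of the thread, and not OSSEC or Kippo code: a Python reference for what the decoders and rule chain above are meant to extract and alert on, run over constructed sample lines (invented IPs, same three formats as the target log entries). It goes one step past the posted rules by correlating events on the Kippo session id, which appears both in the "New connection" line and in the "HoneyPotTransport,N," field. Rule ids and the levels 6 and 7 are the ones nbHd5 settles on in the later rule update; the level for a successful login is an assumption, since that rule is cut off in the thread.

```python
"""Added example, not code from the thread, OSSEC or Kippo: a Python
reference for what the posted local_decoder.xml / kippo_rules.xml are meant
to extract and alert on, so expected field values can be checked before the
XML is debugged with ossec-logtest.  Sample lines are constructed (invented
IPs) to mirror the three formats in the thread."""
import re
from collections import defaultdict

# Twisted-style prefix Kippo writes: "YYYY-MM-DD HH:MM:SS-ZZZZ [system] message"
PREFIX = re.compile(r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{4}) '
                    r'\[(?P<system>[^\]]*)\] (?P<msg>.*)$')
# "New connection: SRC:PORT (DST:PORT) [session: N]"
NEW_CONN = re.compile(r'^New connection: (?P<srcip>\d+\.\d+\.\d+\.\d+):(?P<srcport>\d+) '
                      r'\((?P<dstip>\d+\.\d+\.\d+\.\d+):(?P<dstport>\d+)\) '
                      r'\[session: (?P<session>\d+)\]$')
# the system field of userauth lines carries the session id and client IP
USERAUTH = re.compile(r'^SSHService ssh-userauth on HoneyPotTransport,'
                      r'(?P<session>\d+),(?P<srcip>\d+\.\d+\.\d+\.\d+)$')
# credentials are kept whole as extra_data, exactly as the posted decoder does
LOGIN = re.compile(r'^login attempt (?P<extra_data>\[.*\]) (?P<status>failed|succeeded)$')


def decode(line):
    """OSSEC-style field dict for one Kippo line, or None when no decoder
    applies (the equivalent of ossec-logtest Phase 2 printing no decoder)."""
    m = PREFIX.match(line)
    if not m:
        return None
    system, msg = m.group('system'), m.group('msg')
    if system == 'kippo.core.honeypot.HoneyPotSSHFactory':
        n = NEW_CONN.match(msg)
        if n:
            return dict(n.groupdict(), decoder='kippo-new-connection')
        return {'decoder': 'kippo-connection'}            # parent match only
    u = USERAUTH.match(system)
    if not u:
        return None
    fields = u.groupdict()
    lg = LOGIN.match(msg)
    if lg:
        return dict(fields, decoder='kippo-connected-login', **lg.groupdict())
    return dict(fields, decoder='kippo-connected', msg=msg)  # e.g. "root trying auth none"


def rule_for(fields):
    """Walk the rule chain: the parent rule sits at level 0 and a child rule
    raises the level.  Ids and levels 6/7 are the thread's second rule set;
    level 12 for a successful login is an assumption (that rule is cut off).
    Returns (rule_id, level, description) or None."""
    if fields is None:
        return None
    d = fields['decoder']
    if d == 'kippo-connection':
        return (110101, 0, 'Kippo group new connection')
    if d == 'kippo-new-connection':
        return (110121, 6, 'Kippo New Connection.')
    if d == 'kippo-connected-login':
        if fields['status'] == 'failed':
            return (110122, 7, 'Kippo Login Failed.')
        return (110123, 12, 'Kippo Login Succeeded.')
    return (110102, 0, 'Kippo group connected')


def run(lines):
    """Decode, apply the rule chain, and correlate by Kippo session id (which
    the posted rules do not do).  Returns (alerts, sessions): alerts is
    [(rule_id, level, srcip)] for level > 0; sessions maps session id to
    {'srcip', 'attempts', 'succeeded'}."""
    alerts = []
    sessions = defaultdict(lambda: {'srcip': None, 'attempts': 0, 'succeeded': False})
    for line in lines:
        fields = decode(line)
        rule = rule_for(fields)
        if rule is None:
            continue
        rule_id, level, _ = rule
        if level > 0:
            alerts.append((rule_id, level, fields['srcip']))
        if 'session' in fields:
            s = sessions[fields['session']]
            s['srcip'] = fields['srcip']
            if 'status' in fields:
                s['attempts'] += 1
                s['succeeded'] = s['succeeded'] or fields['status'] == 'succeeded'
    return alerts, dict(sessions)


SAMPLE = [  # constructed, same formats as the thread's target log entries
    "2014-07-27 23:53:17-0400 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 198.51.100.7:61953 (192.0.2.10:2222) [session: 19]",
    "2014-07-27 23:53:24-0400 [SSHService ssh-userauth on HoneyPotTransport,19,198.51.100.7] root trying auth none",
    "2014-07-27 23:53:32-0400 [SSHService ssh-userauth on HoneyPotTransport,19,198.51.100.7] login attempt [root/root] failed",
    "2014-07-27 23:53:40-0400 [SSHService ssh-userauth on HoneyPotTransport,19,198.51.100.7] login attempt [root/123456] succeeded",
    "2014-07-27 23:55:01-0400 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 203.0.113.9:40001 (192.0.2.10:2222) [session: 20]",
    "Jul 27 23:55:02 intelligence sshd[1234]: not a kippo line",
]

if __name__ == '__main__':
    alerts, sessions = run(SAMPLE)
    for rule_id, level, srcip in alerts:
        print('rule %d level %2d srcip %s' % (rule_id, level, srcip))
    for sid, s in sorted(sessions.items()):
        print('session %s from %s: %d attempt(s), succeeded=%s'
              % (sid, s['srcip'], s['attempts'], s['succeeded']))
```

Run directly it prints the four alerts and a per-session summary. The field names it returns (srcip, srcport, dstip, dstport, extra_data, status) are the ones ossec-logtest should show in its Phase 2 output for the XML decoders above, so a mismatch points at the decoder regex rather than at the rules.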

dan (ddp)
Jul 31, 2014, 7:50:43 AM
to ossec...@googlegroups.com
Do you have any issues with me tidying these up and pushing them into OSSEC?

nbHd5
Jul 31, 2014, 8:48:50 PM
to ossec...@googlegroups.com
No issue at all. Please do. I look forward to seeing them refined further.

The one thing I couldn't do is pull apart [uname/passwd] into the respective OSSEC variables. Matching the square brackets with \p gave me a bit of grief and I couldn't figure out how to separate the username and password since "/" could be part of a username or a password; how would (\p+)/(\p+) know if that "/" was part of the username or the middle separator or if a square bracket was included in a username or password.

The OSSEC alert shows the full log line so one can read them out of Sguil/Squert but dumping a username and password list would have to be scripted against Kippo directly (or at least that's where my bash scripts for stats and users passwords lists pull it).

One note: anyone using these OSSEC rules with Security Onion. I had to increase the Active Response settings to level 8 so that I could have connections and attempts set to level 6 and level 7 else my Squert didn't seem to display them. If one is having issues getting them to display, try that.

Also, I couldn't figure out a way to exclude rules from active responses. If_SID would have meant a long list of every rule level 6'ish or up that justifies a response. It'd be nice if the developers could drop something like IF_SID_NOT or a "does not match" character like <if_sid>!1234</if_sid>.

But, by all means.. refine these and push them into the OSSEC build tree. I'm happy to contribute.
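A worked illustration of the [uname/passwd] problem raised above, added here and not code from the thread or from Kippo: the trailing " failed" / " succeeded" is fixed text, so anchoring on it recovers the whole bracketed token even when a value contains "]", and the user/password split is enumerated so that an ambiguous "/" is flagged rather than silently guessed. This is the list-building step the post says has to be scripted against the Kippo log directly. The sample lines and IP are constructed.

```python
"""Added example, not code from the thread or Kippo: what can and cannot be
recovered from Kippo's "login attempt [user/password] <status>" line.  The
pair is written with no escaping, so a "/" or "]" inside a value is
indistinguishable from the delimiters.  The trailing status word is fixed
text, so anchoring on it recovers the whole bracketed token; the user/password
split is then enumerated instead of guessed.  Sample lines are constructed."""
import re

# Anchor on the fixed suffix rather than the first "]": the greedy .* followed
# by "] <status>" at end of line backtracks to the LAST "] failed"/"] succeeded".
LOGIN_RE = re.compile(r'login attempt \[(?P<creds>.*)\] (?P<status>failed|succeeded)$')


def credential_token(line):
    """(creds, status) for a login-attempt line, or None for any other line."""
    m = LOGIN_RE.search(line)
    return (m.group('creds'), m.group('status')) if m else None


def split_candidates(creds):
    """All (user, password) pairs consistent with the token, one per '/'.
    Exactly one candidate means the split is unambiguous.  Zero would mean the
    line was not in the format shown in the thread, which always has a '/'."""
    return [(creds[:i], creds[i + 1:]) for i, c in enumerate(creds) if c == '/']


def credential_list(lines):
    """Build a user/password list from raw Kippo lines: split on the FIRST '/'
    (usernames containing '/' are far rarer than passwords containing it) and
    flag every entry where another split was possible, so the guess is visible."""
    out = []
    for line in lines:
        tok = credential_token(line)
        if tok is None:
            continue
        creds, status = tok
        cands = split_candidates(creds)
        user, password = cands[0] if cands else (creds, '')
        out.append({'user': user, 'password': password, 'status': status,
                    'ambiguous': len(cands) != 1, 'raw': creds})
    return out


SAMPLE = [  # constructed: unambiguous, '/' in the password, ']' in the username
    "2014-07-27 23:53:32-0400 [SSHService ssh-userauth on HoneyPotTransport,19,198.51.100.7] login attempt [root/root] failed",
    "2014-07-27 23:53:40-0400 [SSHService ssh-userauth on HoneyPotTransport,19,198.51.100.7] login attempt [admin/p@ss/w0rd] failed",
    "2014-07-27 23:53:48-0400 [SSHService ssh-userauth on HoneyPotTransport,19,198.51.100.7] login attempt [r]oot/x] succeeded",
    "2014-07-27 23:53:50-0400 [SSHService ssh-userauth on HoneyPotTransport,19,198.51.100.7] root trying auth none",
]

if __name__ == '__main__':
    for entry in credential_list(SAMPLE):
        print(entry)
```

The same idea carries over to the OSSEC side: matching the status word at the end of the line is what makes the whole bracketed token recoverable, which is why the decoders in this thread keep it in extra_data rather than trying to split it.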

dan (ddp)
Aug 1, 2014, 9:13:09 AM
to ossec...@googlegroups.com
On Thu, Jul 31, 2014 at 8:48 PM, nbHd5 <abbo...@gmail.com> wrote:
> No issue at all. Please do. I look forward to seeing them refined further.
>

That would rely on kippo users really.

> The one thing I couldn't do is pull apart [uname/passwd] into the respective
> OSSEC variables. Matching the square brackets with \p gave me a bit of grief
> and I couldn't figure out how to separate the username and password since
> "/" could be part of a username or a password; how would (\p+)/(\p+) know if
> that "/" was part of the username or the middle separator or if a square
> bracket was included in a username or password.
>

I can't think of a way to do it really. If only a better separator had
been used (no idea what that would be) it would be a lot easier.


nbHd5
Aug 21, 2014, 9:35:18 PM
to ossec...@googlegroups.com
My rule update, though I'm not sure how much it differs from the rule chain posted above:

in local_decoder.xml


<decoder name="kippo-connection">
    <prematch>\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p\d\d\d\d \pkippo.core.honeypot.HoneyPotSSHFactory\p </prematch>
</decoder>

<decoder name="kippo-new-connection">
    <parent>kippo-connection</parent>
    <regex offset="after_parent">^New connection: (\d+.\d+.\d+.\d+):(\d+) \((\d+.\d+.\d+.\d+):(\d+)\) \psession: (\d+)\p</regex>
    <order>srcip, srcport, dstip, dstport, extra_data</order>
</decoder>

<decoder name="kippo-connected">
    <prematch>\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p\d\d\d\d \pSSHService ssh-userauth on HoneyPotTransport</prematch>
</decoder>

<decoder name="kippo-connected-login">
    <parent>kippo-connected</parent>
    <regex offset="after_parent">,\d+,(\d+.\d+.\d+.\d+)\p login attempt (\.+) (\w+)</regex>
    <order>srcip, extra_data, status</order>
</decoder>



in /var/ossec/rules/kippo_rules.xml

<group name="syslog,kippo,">

  <!-- Kippo Log Types -->


  <rule id="110101" level="0">
    <decoded_as>kippo-connection</decoded_as>
    <description>Kippo group new connection</description>
  </rule>
  <rule id="110102" level="0">
    <decoded_as>kippo-connected</decoded_as>
    <description>Kippo group connected</description>
  </rule>

  <!-- Kippo Event Chains -->

  <rule id="110121" level="6">
    <if_sid>110101</if_sid>

    <match>New connection</match>
    <description>Kippo New Connection.</description>
    <group>connection_attempt,</group>
  </rule>

  <rule id="110122" level="7">
    <if_sid>110102</if_sid>

    <match>login attempt</match>
    <regex>failed$</regex>
    <description>Kippo Login Failed.</description>
    <group>authentication_failed,</group>
  </rule>
  <rule id="110123" level="7">
    <if_sid>110102</if_sid>