Best ways to test OSSEC in an environment


Tahir Hafiz

May 24, 2016, 5:50:42 AM
to ossec-list
Dear All,

Is there a test suite available which can be used to test a fully functioning OSSEC server/client installation?
I am looking to test the rule sets systematically, I know I can modify a system file and it will alert etc, but I am looking for a more automated test suite and methods across the rule sets.

Thank you,
Tahir

dan (ddp)

May 24, 2016, 8:55:58 AM
to ossec...@googlegroups.com
In the source tarball, there is contrib/ossec-testing. The
run-tests.py file uses the information in tests/*.ini to check rules.
It'll require some setup, and plenty of log samples. There aren't a
lot of tests in there currently, but I try to keep it updated when I
see interesting log samples.
It's not perfect, but it can help find some issues.

> Thank you,
> Tahir
>

Tahir Hafiz

May 24, 2016, 11:33:03 AM
to ossec-list
Hi Dan,

Is there any documentation as to how to set-up and run the tests?
Where can I find said documentation?

Cheers,
Tahir

dan (ddp)

May 24, 2016, 11:47:12 AM
to ossec...@googlegroups.com
On Tue, May 24, 2016 at 11:33 AM, Tahir Hafiz <tahir...@gmail.com> wrote:
> Hi Dan,
>
> Is there any documentation as to how to set-up and run the tests?
> Where can I find said documentation?
>

https://ossec.github.io/docs/development/build/test-rules.html?highlight=runtests

Tahir Hafiz

May 24, 2016, 12:44:26 PM
to ossec-list
Thanks, I found the link earlier on.

I have read through the document but I am not sure how to do the tests (using Ubuntu 14.04 LTS).
I have downloaded the OSSEC version that we are using (2.8.2):
wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.2.tar.gz

I have unpacked the tarball, moved the ossec-testing directory that was in the tarball to /var/ossec/contrib, and then changed my working directory to that directory.
I have started the tests by executing as root:
python runtests.py

I looked in /var/ossec/alerts/alerts.log, but I did not see the alerts going off there.

Also, in my ossec-testing/tests directory I can only see two test files:
named.ini
sshd.ini

Should there not be more? As in as many as the number of rules files.
I am just not sure how to run the runtests.py and have more .ini test files and have the alerts showing in /var/ossec/logs/alerts/alerts.log.

dan (ddp)

May 24, 2016, 1:15:42 PM
to ossec...@googlegroups.com
On Tue, May 24, 2016 at 12:44 PM, Tahir Hafiz <tahir...@gmail.com> wrote:
> Thanks I found the link earlier on.
>
> I have read through the document but I am not sure how to do the tests
> (using Ubuntu 14.04 LTS).
> I have downloaded the OSSEC version that we are using (2.8.2):
> wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.2.tar.gz
>
> I have unpacked the tarball, moved the ossec-testing directory that was in
> the tarball to /var/ossec/contrib, and then changed my working directory to
> that directory.
> I have started the tests by executing as root:
> python runtests.py
>
> I looked in /var/ossec/alerts/alerts.log, but I did not see the alerts going
> off there.
>

It does not create alerts. It uses ossec-logtest to see if the log
messages produce the expected result.
If you do not see ossec-logtest output, everything is working as expected.

> Also, in my ossec-testing/tests directory I can only see two test files:
> named.ini
> sshd.ini
>
> Should there not be more? As in as many as the number of rules files.
> I am just not sure how to run the runtests.py and have more .ini test files
> and have the alerts showing in /var/ossec/logs/alerts/alerts.log.
>

Should there be more? Of course. But these tests aren't free. They take
time and effort.

Looks like there's 25 in the current development source, but they're
underpopulated. I'm guessing I just hadn't done much with them back when
2.8.2 was finalized. It's a semi-new feature that I only recently began
to properly appreciate.

If you want more tests, I can think of 3 options:
1. Do the work yourself. (and consider contributing back if you do)
2. Provide me with log samples.
3. Provide me with time.
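To make the mechanism Dan describes concrete, here is an added sketch (not OSSEC's own runtests.py) of how a tests/*.ini file can be parsed and each sample log line pushed through ossec-logtest. It assumes the `log N pass|fail = <line>` key layout with `rule`, `alert` and `decoder` keys per section, and that ossec-logtest's `-U rule:alert:decoder` unit-test mode exits 0 only when the line produces exactly that result; the sample .ini content is constructed, and `runner` is injectable so the verdict logic can be exercised without an OSSEC install.

```python
"""Sketch of the contrib/ossec-testing approach: parse test .ini files and
feed each sample log line to ossec-logtest in unit-test mode (assumed
`-U rule:alert:decoder` flag, exiting 0 only on exactly that result)."""
import configparser
import glob
import subprocess
# Constructed sample in the assumed tests/sshd.ini key layout (not from OSSEC).
SAMPLE_INI = """
[sshd: failed password]
log 1 pass = Apr 27 10:42:34 host sshd[18046]: Failed password for invalid user root from 192.0.2.7 port 53520 ssh2
log 2 fail = Apr 27 10:42:35 host sshd[18046]: Accepted password for alice from 192.0.2.8 port 53521 ssh2
rule = 5716
alert = 5
decoder = sshd
"""

def parse_tests(text):
    """Return (section, log_line, should_pass, 'rule:alert:decoder') tuples."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    cases = []
    for section in cfg.sections():
        expected = ":".join(cfg.get(section, k) for k in ("rule", "alert", "decoder"))
        for key, value in cfg.items(section):
            parts = key.split()  # e.g. ["log", "1", "pass"]
            if len(parts) == 3 and parts[0] == "log":
                cases.append((section, value, parts[2] == "pass", expected))
    return cases

def run_logtest(log_line, expected, binary="/var/ossec/bin/ossec-logtest"):
    """Pipe one line into ossec-logtest -U; True when it produced `expected`."""
    proc = subprocess.run([binary, "-U", expected], input=log_line + "\n",
                          capture_output=True, text=True)
    return proc.returncode == 0

def run_suite(text, runner=run_logtest):
    """Check every case and return (passed, failed); `runner` is injectable."""
    passed = failed = 0
    for section, log_line, should_pass, expected in parse_tests(text):
        if runner(log_line, expected) == should_pass:
            passed += 1
        else:
            failed += 1
            print(f"FAIL [{section}] want {expected} pass={should_pass}: {log_line}")
    return passed, failed

if __name__ == "__main__":  # like runtests.py, run from contrib/ossec-testing
    for ini in sorted(glob.glob("tests/*.ini")):
        with open(ini) as fh:
            print(ini, run_suite(fh.read()))
```

A `fail` entry documents a line that must not match the rule, which is how a regression in a decoder or an over-broad rule shows up even though no alert is ever written to alerts.log.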

Tahir Hafiz

May 25, 2016, 4:59:09 AM
to ossec-list
Thanks, but I think this is not quite what I am after, as this seems more like a log parser tool.
I think what I am looking for is an "automated intruder" tool, like a script that can be run which will cause alerts to happen at the various OSSEC alert levels from 0 to 16.

I will see if a Google search or two can find me an automated intruder tool.

Cheers,
Tahir

dan (ddp)

May 25, 2016, 7:48:01 AM
to ossec...@googlegroups.com
On Wed, May 25, 2016 at 4:59 AM, Tahir Hafiz <tahir...@gmail.com> wrote:
> Thanks but I think this is not quite what I am after as this seems more like
> a log parser tool.
> I think what I am looking for is an "automated intruder" tool, like a script
> that can be run which will cause alerts to happen at the various OSSEC alert
> levels from 0 to 16.
>
> I will see if a google search or two can find me an automated intruder tool.
>

Like nessus, nmap, or nexpose?

Tahir Hafiz

May 25, 2016, 9:03:38 AM
to ossec-list

Not really. I am just looking for a script that I can run on a box (could be the OSSEC server box itself, could be a box where the OSSEC agents are installed), and the script runs and triggers alerts at various levels; this is just to demo that OSSEC basically works for the high-level alerts.
What I will do is code a Python script (I am not a coder but can do a few basic things) that does that, and let you guys know when it's done; if you want to incorporate it into the OSSEC code repo itself, you are more than welcome to it.

Every tool I have found is completely over-specced and over-laboured for the basic task I need to do (Pytbull comes close I think), such as:
https://www.reddit.com/r/sysadmin/comments/xi13l/what_are_good_ids_testing_tools/
Tahir Hafiz

May 31, 2016, 11:43:15 AM
to ossec-list
Scratch that, Pytbull was good enough and easy to set up for a bit of basic testing.