Using OSSEC HIDS to spot rogue software


ian diddams

May 16, 2017, 12:36:36 PM
to ossec-list
Apologies in advance if this is a FAQ - I've googled a bit but can't see anything obvious returned.

I've been asked to find out if OSSEC HIDS (which we use already for other monitoring) can be used on Linux variations (CentOS mainly) to spot "rogue software".  Now there's an ambiguous description to start with, and I'm trying to ascertain exactly what "rogue software" really means from those that asked me to investigate this!

In its widest description I suppose it could be something like taking a baseline of running processes, and reflecting that against future process lists, and alerting for anything running that isn't in the baseline.  Does OSSEC HIDS provide any such or similar facility?

cheers

ian

Pedro Sanchez

May 17, 2017, 4:40:44 AM
to ossec...@googlegroups.com
Hi,

OSSEC has the capability to detect running processes as well as look for existing registry keys or folders present on the system; you could use that to detect the rogue software.

Example of getting running processes in Windows and triggering an alert when needed (using localfiles / logcollector / remote_commands): http://santi-bassett.blogspot.com.es/2015/08/how-to-monitor-running-processes-with-ossec.html
Detecting present folder / executable (we have different ways, in this case, using Rootcheck): https://github.com/wazuh/wazuh-ruleset/blob/master/rootchecks/win_applications_rcl.txt#L59

Regards,
Pedro Sanchez.



--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
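The localfile / logcollector approach Pedro links to for Windows works the same way on Linux: OSSEC runs a command on a schedule and treats each line of its output as a log event, so a custom rule can alert on it. The script below is an added example, not code from this thread or from the OSSEC/Wazuh projects, that does the baseline comparison Ian describes in his first message. It assumes it is wired in with a `<localfile>` entry whose `<log_format>` is `command` and whose `<command>` points at the script with the baseline file as its argument; the script path, baseline path and the "rogue process:" prefix are assumptions for the example, and the process names in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the thread, not OSSEC/Wazuh code): compare the names of
# running Linux processes against an allowlist and print one line per process
# that is not in the baseline. Intended to be run by OSSEC's logcollector via
#   <localfile><log_format>command</log_format>
#             <command>/usr/local/bin/check_procs.sh /etc/ossec_proc_baseline</command>
#   </localfile>
# (paths are assumptions). Each printed line becomes one event on the manager,
# so a custom rule can match the "rogue process:" prefix and raise an alert.

# Unique command names of all running processes, one per line.
running_process_names() {
    ps -eo comm= | sort -u
}

# unexpected_processes BASELINE_FILE PROCS_FILE
# Print "rogue process: NAME" for every name in PROCS_FILE that is absent from
# BASELINE_FILE. The baseline holds one name per line; blank lines and lines
# starting with '#' are ignored. Prints nothing when everything is allowed.
unexpected_processes() {
    baseline_tmp=$(mktemp) || return 1
    grep -v '^[[:space:]]*#' "$1" | sed '/^[[:space:]]*$/d' | sort -u > "$baseline_tmp"
    # comm -13 keeps only lines unique to the second input (the live list)
    sort -u "$2" | comm -13 "$baseline_tmp" - | sed 's/^/rogue process: /'
    rm -f "$baseline_tmp"
}

# Offline demonstration with a constructed baseline and a constructed process
# list, so the behaviour can be seen without touching a live host.
demo() {
    b=$(mktemp); p=$(mktemp)
    cat > "$b" <<'EOF'
# constructed baseline of expected processes on a CentOS web host
systemd
sshd
httpd
crond
ossec-agentd
EOF
    printf 'crond\nhttpd\nnc\nossec-agentd\nrogue-daemon\nsshd\nsystemd\n' > "$p"
    unexpected_processes "$b" "$p"
    rm -f "$b" "$p"
}

# With a baseline file as the only argument, check the live process list
# (the mode OSSEC would run it in); otherwise run the offline demo.
if [ $# -eq 1 ]; then
    live=$(mktemp)
    running_process_names > "$live"
    unexpected_processes "$1" "$live"
    rm -f "$live"
else
    demo
fi
```

Because the command output is empty when everything is in the baseline, a rule that matches the "rogue process:" prefix only fires when something new appears; running the demo prints two lines, one for `nc` and one for `rogue-daemon`. Keep the baseline file root-owned and readable only by the agent user, otherwise anything that can edit it can allowlist itself.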

ian diddams

May 17, 2017, 7:45:15 PM
to ossec-list
Thanks Pedro - just to check, as per my OP, does it do this for Linux systems also, aside from Windows?

ian

Pedro Sanchez

May 18, 2017, 3:48:04 PM
to ossec...@googlegroups.com
Yes, it does. 
Rootcheck works for Linux as well; we have different rootcheck policies: https://github.com/wazuh/wazuh-ruleset/tree/master/rootchecks

Cheers,
Pedro.


dan (ddp)

May 19, 2017, 9:07:47 PM
to ossec...@googlegroups.com
On Thu, May 18, 2017 at 3:47 PM, Pedro Sanchez <pe...@wazuh.com> wrote:
> Yes, it does.
> Rootcheck works for Linux as well, we have different rootcheck policies:
> https://github.com/wazuh/wazuh-ruleset/tree/master/rootchecks
>

OSSEC has rootcheck as well.

ian diddams

May 31, 2017, 6:23:20 AM
to ossec-list
Hi All,

Many thanks for the info so far.

Some further googling has given me some extra info too.

* It seems that the basic rootcheck configuration already exists via the existing OSSEC client install.
* I found this link:
  https://www.hivelocity.net/kb/how-to-install-rootcheck-on-the-server/
  This suggests that a binary (amongst others), "rootcheck", needs installing.

Is the second part, i.e. the rootcheck install, actually needed, or is this some further step that isn't needed in order for OSSEC to be doing its stuff?

And is there some "safe" test that can be performed to check that OSSEC rootcheck is doing what it is supposed to do?  I'd rather not deliberately install a well dodgy rootkit just to test that OSSEC does what it says it does. Or is this just a leap of faith?

cheers

ian

Pedro Sanchez

May 31, 2017, 1:28:17 PM
to ossec...@googlegroups.com
Hi,

The URL you sent here contains files dated 2010. I am not sure what "rootcheck 2.4" is, but I think it is OSSEC version 2.4.1; currently the stable version is 2.9.

Rootcheck is included on the standard OSSEC Agent installation, you don't need to install it as a "separate component".

You can check if rootcheck is running by checking the ossec.log file; you will find "Rootcheck scan started" and "ended".
At the manager you could check the Rootcheck database:

/var/ossec/bin/rootcheck_control -i 001


Best regards,
Pedro. 
