OSSEC and OpenLDAP logs


Doug Burks

Nov 10, 2010, 3:12:02 PM
to ossec-list
Has anybody used OSSEC to monitor OpenLDAP logs? Specifically, I'd
like to monitor for auth failures (err=49 in the sanitized log sample
below). As you can see, one LDAP connection (conn=999999) creates
multiple log entries. Further complicating the matter is the fact
that there are two instances of the err=49 error in this LDAP
connection.

Here's what I'd like to do.
1. Write a decoder that would:
-process all of these lines together
-pull out the source IP address from the "ACCEPT from
IP=10.10.248.27:33957" entry
-pull out the username from the "BIND
dn="uid=username,ou=Department,ou=Business
Unit,ou=People,dc=example,dc=com"" entry
2. Write an "Invalid credentials" rule that would look for
"err=49".

Would this be possible? Would it require the multi-line log reader
support added in OSSEC v2.5? If so, I haven't found any documentation
on this feature.

Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 fd=64 ACCEPT from IP=10.10.248.27:33957 (IP=10.10.241.77:389)
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=0 STARTTLS
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=0 RESULT oid= err=0 text=
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 fd=64 TLS established tls_ssf=256 ssf=256
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=1 BIND dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" method=128
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=1 BIND dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" mech=SIMPLE ssf=0
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=1 RESULT tag=97 err=0 text=
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=2 SRCH base="ou=People,dc=example,dc=com" scope=2 deref=0 filter="(uid=username)"
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=2 ENTRY dn="uid=username,ou=Department,ou=Business Unit,ou=people,dc=example,dc=com"
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=3 BIND anonymous mech=implicit ssf=0
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=3 BIND dn="uid=username,ou=Department,ou=Business Unit,ou=People,dc=example,dc=com" method=128
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=3 RESULT tag=97 err=49 text=
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=4 BIND dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" method=128
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=4 BIND dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" mech=SIMPLE ssf=0
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=4 RESULT tag=97 err=0 text=
Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=5 BIND anonymous mech=implicit ssf=0
Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=5 BIND dn="uid=username,ou=Department,ou=Business Unit,ou=People,dc=example,dc=com" method=128
Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=5 RESULT tag=97 err=49 text=
Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=6 BIND dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" method=128
Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=6 BIND dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" mech=SIMPLE ssf=0
Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=6 RESULT tag=97 err=0 text=
Jan 11 09:27:01 hostname slapd2.4[20872]: conn=999999 op=7 UNBIND
Jan 11 09:27:01 hostname slapd2.4[20872]: conn=999999 fd=64 closed

Thanks,
Doug Burks

dan (ddp)

Nov 10, 2010, 3:55:00 PM
to ossec...@googlegroups.com

Gross.

I was going to look into OpenLDAP at some point, now I think I see why
it wasn't done before.

Out of curiosity, can connection logs from different conn's be mixed
together? For example:
Jan 11 09:27:34 blah slapd: conn=99997 blahblah
Jan 11 09:27:35 blah slapd: conn=99998 blahblah
Jan 11 09:27:36 blah slapd: conn=99999 blahblah
Jan 11 09:27:36 blah slapd: conn=99997 More blahblah

Unfortunately I haven't seen much about the multi-line log option.
Here's the source in logcollector that should be handling it:
http://bitbucket.org/dcid/ossec-hids/src/tip/src/logcollector/read_multiline.c

I'm going to try and get an idea of how to use it tonight, and ask
about it on IRC tomorrow. I'm just not sure how it'll handle multiple
connection logs getting mixed together.
It's almost like we need a log format where we can specify an
identifier that groups logs together (conn=ID)...

Chris Decker

Nov 11, 2010, 9:15:07 PM
to ossec...@googlegroups.com
I'm interested in such a decoder as well, so any effort expended to help Doug would also help me and countless others I'm sure.

dan (ddp)

Nov 12, 2010, 2:29:31 PM
to ossec...@googlegroups.com
What happens on the list stays on the list. ;)

Doug Burks

Nov 17, 2010, 3:54:11 PM
to ossec-list
Any ideas on this one?

Thanks,
Doug Burks

On Nov 12, 2:29 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
> What happens on the list stays on the list. ;)
>
>
>
> On Thu, Nov 11, 2010 at 9:15 PM, Chris Decker <deckmo...@gmail.com> wrote:
> > I'm interested in such a decoder as well, so any effort expended to help
> > Doug would also help me and countless others I'm sure.
>
> > On Wed, Nov 10, 2010 at 3:55 PM, dan (ddp) <ddp...@gmail.com> wrote:
>
> >>http://bitbucket.org/dcid/ossec-hids/src/tip/src/logcollector/read_mu...

dan (ddp)

Nov 17, 2010, 4:43:45 PM
to ossec...@googlegroups.com
I haven't had a chance to ask dcid about the multi line log support.
I'm not convinced it would work the way we're hoping, because I'm
guessing the logs from multiple ldap sessions (conn=\d+) could be
mixed together (unlike multi-line logs from snort, which keep multiple
log entries separate from each other).

The "best" idea I've come up with so far is to write support into
logcollector for these logs and make sure slapd is writing its logs to
a file specific to those logs. I'm not a programmer, but I'm looking
at the snort_full code right now to see if that can spark some
inspiration for how to do this.

Jeremy Rossi

Nov 20, 2010, 8:58:40 AM
to ossec...@googlegroups.com, ossec-list

This is not a solution to your log monitoring question, but you might be able to get close to what you want with a little scripting: http://www.mail-archive.com/ossec...@googlegroups.com/msg07466.html


Michael Starks

Nov 20, 2010, 7:05:03 PM
to ossec...@googlegroups.com
On 11/10/2010 02:12 PM, Doug Burks wrote:
> Has anybody used OSSEC to monitor OpenLDAP logs? Specifically, I'd
> like to monitor for auth failures (err=49 in the sanitized log sample
> below). As you can see, one LDAP connection (conn=999999) creates
> multiple log entries. Further complicating the matter is the fact
> that there are two instances of the err=49 error in this LDAP
> connection.

Would configuring OpenLDAP to use syslog be the path of least resistance
here?

--
Michael Starks
[I] Immutable Security
http://www.immutablesecurity.com

Doug Burks

Nov 24, 2010, 9:31:46 AM
to ossec-list
We *do* have OpenLDAP configured to use syslog. This multi-line mess
is as good as it gets :)

Thanks,
Doug Burks


loyd.darby

Nov 24, 2010, 10:59:35 AM
to ossec...@googlegroups.com
Problem is that there is nothing to interpret the ldap log entries.
If the thing you want to watch isn't syslog or in the decoder (see
below) it won't generate any SIDs, and therefore no alerts.
To add a new application, you have to build the decoder to extract the
data, or modify (clone) an existing one.
As far as picking entries out of syslog, look at syslog_rules.xml. If
an event occurs that doesn't match the searches, it is invisible to OSSEC.
It doesn't have any string filters for LDAP so it won't "see" any of the
entries unless they happen to match the badword list.
I don't run LDAP any more, but if I were going to tackle this, I don't
think I would log ldap to syslog directly because it is so chatty.
I would preprocess the actual LDAP logs, eliminate things not security
related, reformat/concatenate the relevant lines with regex and use
logger to add them to syslog.
Then a simpler rule set in local_rules.xml could be defined to generate
alerts.

To get a list of predefined application decoders
# cat /var/ossec/etc/decoder.xml|grep decoder\ name|sort

--
R. Loyd Darby, OSSIM-OCSE
Project Manager DOC/NOAA/NMFS
Infrastructure coordinator
Southeast Fisheries Science Center
305-361-4297
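The preprocess-then-logger approach Loyd describes, applied to the exact problem in Doug's first post, as an added example written for this thread (it is not OSSEC code and not something any poster shipped): group slapd syslog lines by conn=ID, remember the peer address from the ACCEPT line and the DN from the BIND line, and when a BIND RESULT carries err=49 emit one flat line that carries conn, op, source IP and user together. Because state is keyed by conn, the interleaved-connection case dan asked about is handled, and the two err=49 results inside one connection produce two separate alerts. The sample log is constructed from the sanitised lines in the original post, with conn=999998 lines added to force interleaving; the function names, the `openldap-authfail` tag and the `ldap_authfail.py` filename are my own choices.

```python
"""Correlate OpenLDAP (slapd) syslog lines by conn=ID and flatten each failed
BIND (err=49) into one line. Example written for this thread, not OSSEC code."""
import re
import sys
from collections import defaultdict

# Constructed sample modelled on the sanitised log in the original post; the
# conn=999998 lines are added so that two connections interleave in one file.
SAMPLE_LOG = """\
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 fd=64 ACCEPT from IP=10.10.248.27:33957 (IP=10.10.241.77:389)
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=1 BIND dn="cn=Host,ou=Personal Accounts,dc=example,dc=com" method=128
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=1 RESULT tag=97 err=0 text=
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999998 fd=65 ACCEPT from IP=10.10.248.99:40001 (IP=10.10.241.77:389)
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=3 BIND anonymous mech=implicit ssf=0
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=3 BIND dn="uid=username,ou=Department,ou=Business Unit,ou=People,dc=example,dc=com" method=128
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999998 op=0 BIND dn="uid=other,ou=People,dc=example,dc=com" method=128
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=3 RESULT tag=97 err=49 text=
Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999998 op=0 RESULT tag=97 err=0 text=
Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=5 BIND anonymous mech=implicit ssf=0
Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=5 BIND dn="uid=username,ou=Department,ou=Business Unit,ou=People,dc=example,dc=com" method=128
Jan 11 09:26:59 hostname slapd2.4[20872]: conn=999999 op=5 RESULT tag=97 err=49 text=
Jan 11 09:27:01 hostname slapd2.4[20872]: conn=999999 fd=64 closed
Jan 11 09:27:02 hostname slapd2.4[20872]: conn=999998 fd=65 closed
"""

# Syslog prefix plus the conn=ID that every slapd connection line carries.
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ slapd\S*\[\d+\]: "
                     r"conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT_RE = re.compile(r"^fd=\d+ ACCEPT from IP=(?P<ip>\S+):(?P<port>\d+) ")
# Only the BIND line carrying dn="..."; the 'BIND anonymous mech=implicit' line
# slapd logs just before a simple bind has no dn= and is deliberately skipped.
BIND_RE = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=')
# tag=97 is the BindResponse tag, so a 'SEARCH RESULT tag=101' line never matches.
BIND_RESULT_RE = re.compile(r"^op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)")
CLOSED_RE = re.compile(r"^fd=\d+ closed$")
LDAP_INVALID_CREDENTIALS = 49  # LDAP resultCode invalidCredentials (RFC 4511)


def first_rdn(dn):
    """Return (attr, value) of the leftmost RDN, e.g. ('uid', 'username');
    backslash-escaped commas inside the value are kept."""
    m = re.match(r"^\s*([A-Za-z][\w.-]*)=((?:\\.|[^,\\])*)", dn)
    return (m.group(1).lower(), m.group(2)) if m else (None, dn)


def correlate(lines):
    """Return one dict per failed BIND. State is keyed by conn=ID, so lines from
    interleaved connections stay apart; per connection we keep the peer address
    from ACCEPT and the DN of the last BIND seen on each op number."""
    state = defaultdict(lambda: {"src_ip": None, "src_port": None, "bind_dn": {}})
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a slapd connection line
        conn, rest = m.group("conn"), m.group("rest")
        st = state[conn]
        a = ACCEPT_RE.match(rest)
        if a:
            st["src_ip"] = a.group("ip").strip("[]")  # slapd brackets IPv6 literals
            st["src_port"] = int(a.group("port"))
            continue
        b = BIND_RE.match(rest)
        if b:
            st["bind_dn"][b.group("op")] = b.group("dn")
            continue
        r = BIND_RESULT_RE.match(rest)
        if r and int(r.group("err")) == LDAP_INVALID_CREDENTIALS:
            dn = st["bind_dn"].get(r.group("op"), "")
            alerts.append({
                "ts": m.group("ts"), "conn": conn, "op": r.group("op"),
                # ACCEPT can be missing if the log was rotated mid-connection.
                "src_ip": st["src_ip"] or "unknown", "src_port": st["src_port"],
                "dn": dn, "user": first_rdn(dn)[1], "err": LDAP_INVALID_CREDENTIALS})
            continue
        if CLOSED_RE.match(rest):
            state.pop(conn, None)  # free state once slapd closes the descriptor
    return alerts


def to_syslog_line(alert):
    """Flatten one failure into a single line a one-line OSSEC <match> can hit."""
    return ('openldap-authfail conn={conn} op={op} src={src_ip} user={user} '
            'dn="{dn}" err={err}').format(**alert)


def main(lines, out=sys.stdout):
    for alert in correlate(lines):
        out.write(to_syslog_line(alert) + "\n")


if __name__ == "__main__":
    # python3 ldap_authfail.py --demo   (or pipe slapd syslog output into stdin)
    main(SAMPLE_LOG.splitlines() if "--demo" in sys.argv else sys.stdin)
```

Run on the sample it prints two `openldap-authfail` lines, both for conn=999999, src=10.10.248.27 and user=username (op=3 and op=5), and nothing for conn=999998, whose bind succeeded. In production it would sit in a pipeline such as `tail -F /var/log/slapd.log | python3 ldap_authfail.py | logger -t openldap-authfail -p auth.warning`, after which a single-line rule in local_rules.xml matching `openldap-authfail` is enough, and the source IP and user are already on the line for OSSEC's decoder to pick up. The per-op DN lookup matters: the `RESULT tag=97 err=49` line must be paired with the BIND of the same op, not simply the most recent BIND on the connection, because the `cn=Host` service bind and the user bind alternate within one session.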

dan (ddp)

Nov 24, 2010, 11:17:54 AM
to ossec...@googlegroups.com
Does anyone have a useful and working guide to setting up ldap for
user auth? Pretty much everything I've found while trying to get this
thing running doesn't work.

dan (ddp)

Nov 24, 2010, 2:49:41 PM
to ossec...@googlegroups.com
Heh, of course shortly after I sent that I think I found one that
makes more sense. :P

Daniel Cid

Nov 25, 2010, 11:52:26 AM
to ossec...@googlegroups.com
I added a testing decoder/rules for it in the latest snapshot:
http://www.ossec.net/files/snapshots/ossec-hids-101125.tar.gz

Diff here: http://bitbucket.org/dcid/ossec-hids/changeset/0db70d4431e2

It should fire alerts like this now:

** Alert 1290703467.17021198: - syslog,access_control,
2010 Nov 25 12:44:27 hostname->/var/log/messages
Rule: 2509 (level 5) -> 'OpenLDAP authentication failed.'


Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 op=3 RESULT tag=97 err=49 text=

Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 fd=64 ACCEPT from IP=10.10.248.27:33957 (IP=10.10.241.77:389)


Basically I extracted the conn=(\d+) and set that as the id, so we can
correlate connections. After that, I used if_match_sid to get
the ACCEPT events... What we need now is to fix the decoder to extract
the IP, user, etc and put it all together. At least
a start :)

Thanks,

--
Daniel B.Cid
dcid ( at ) ossec.net
