├── README.md
├── active-response
    ├── add_to_cdb.sh
    ├── alert2chat.sh
    ├── bhr.sh
    ├── cif.sh
    ├── command_search.sh
    ├── cymru_lookup.sh
    ├── deb_lookup.sh
    ├── ldap_lookup.sh
    ├── makelists.sh
    ├── puppetdb_lookup.sh
    ├── rpm_lookup.sh
    ├── rule-all.sh
    ├── syscheck-all.sh
    ├── syscheck2chat.sh
    ├── time_lookup.sh
    ├── virus_total.py
    └── virustotal_lookup.sh
├── decoders
    ├── active_response.xml
    ├── kerberos_decoder.xml
    └── sudo.xml
├── munin
    ├── ossec_ar_stats
    ├── ossec_munin.png
    ├── ossec_stats
    ├── ossec_top_groups
    └── ossec_top_rules
├── nagios
    ├── check_ossec.py
    └── check_ossec.sh
└── rules
    ├── kerberos_rules.xml
    ├── organization_ar_rules.xml
    ├── organization_rules.xml
    ├── organization_syscheck_rules.xml
    └── overwrite_rules.xml


/README.md:
--------------------------------------------------------------------------------
  1 | # ossec-tools
  2 | Scripts and integrations for OSSEC. With the following code and configurations
  3 | we transformed our OSSEC deployment from an overwhelming mess of alerts to a
  4 | manageable and useful system where most of the alerts we actually care about.
  5 | 
  6 | It includes things like code to block hosts at our perimeter, create intelligence feeds from
  7 | the logs, and only e-mail alerts when a file has changed that is not managed by Puppet and is different from
  8 | what's reported by the package manager's checksums - meaning no alerts for files changed after package updates :)
  9 | 
 10 | ## Active Response
 11 | Custom AR scripts
 12 | 
 13 | * active-response/virustotal_lookup.sh/virus_total.py - Look up hash from syscheck alerts in VT database
 14 | * active-response/cymru_lookup.sh - Look up hash from sysheck alerts in Team Cymru Malware Hash Registery
 15 | * active-response/puppetdb_lookup.sh - Look up managed files in PuppetDB
 16 | * active-response/rpm_lookup.sh - Look up files that changed from RPM install (must be present on agents)
 17 | * active-response/deb_lookup.sh - Lookup file that changes from DEB install (must be present on agents)
 18 | * active-response/time_lookup.sh - Check if system clock is off or time zone differs for analyzed logs
 19 | * active-response/ldap_lookup.sh - Lookup employee usernames in LDAP database
 20 | * active-response/command_search.sh - Search for malicious commands across logs
 21 | * active-response/cif.sh - Create intelligence feed from alerts
 22 | * active-response/bhr.sh - Block hosts at perimeter using Black Hole Router by Justin Azoff
 23 | * active-response/add_to_cdb.sh - Add entries from alerts to CDB database (only collect system users at this time)
 24 | * active-response/rule-all.sh - Run many of the above scripts
 25 | * active-response/syscheck-all.sh - Run many of the syscheck scripts
 26 | 
 27 | Many of the scripts generate logs which are fed into OSSEC, decoded, and analyzed. 
 28 | The decoders and rules are in the respective sections below. Don't include anything you don't need.
 29 | For example, if you don't use puppet for configuration management or run Debian system don't include
 30 | the puppetdb_lookup or rpm_lookup configurations.
 31 | 
 32 | 1. Server: copy all the files above to `$OSSEC/active-response/bin/` directory.
 33 | 2. Server: edit `$OSSEC/etc/ossec.conf` with the AR and localfile configuration.
 34 | ```
 35 |   <command>
 36 |     <name>syscheck_all</name>
 37 |     <executable>syscheck-all.sh</executable>
 38 |     <expect>filename</expect>
 39 |   </command>
 40 | 
 41 |   <command>
 42 |     <name>ip_all</name>
 43 |     <executable>rule-all.sh</executable>
 44 |     <expect>srcip</expect>
 45 |   </command>
 46 | 
 47 |   <command>
 48 |     <name>rule_all</name>
 49 |     <executable>rule-all.sh</executable>
 50 |     <expect></expect>
 51 |   </command>
 52 | 
 53 |   <command>
 54 |     <name>rpm_lookup</name>
 55 |     <executable>rpm_lookup.sh</executable>
 56 |     <expect>filename</expect>
 57 |   </command>
 58 | 
 59 |   <command>
 60 |     <name>deb_lookup</name>
 61 |     <executable>deb_lookup.sh</executable>
 62 |     <expect>filename</expect>
 63 |   </command>
 64 | 
 65 |   <command>
 66 |     <name>restart-ossec</name>
 67 |     <executable>restart-ossec.sh</executable>
 68 |     <expect></expect>
 69 |   </command>
 70 | 
 71 |  <active-response>
 72 |     <command>syscheck_all</command>
 73 |     <rules_group>syscheck,,</rules_group>
 74 |     <level>5</level>
 75 |     <location>server</location>
 76 |   </active-response>
 77 | 
 78 |   <active-response>
 79 |     <command>rpm_lookup</command>
 80 |     <rules_group>syscheck,,</rules_group>
 81 |     <level>5</level>
 82 |     <location>local</location>
 83 |   </active-response>
 84 | 
 85 |   <active-response>
 86 |     <command>deb_lookup</command>
 87 |     <rules_group>syscheck,,</rules_group>
 88 |     <level>5</level>
 89 |     <location>local</location>
 90 |   </active-response>
 91 | 
 92 |   <active-response>
 93 |     <command>ip_all</command>
 94 |     <level>4</level>
 95 |     <location>server</location>
 96 |   </active-response>
 97 | 
 98 |   <active-response>
 99 |     <command>rule_all</command>
100 |     <level>4</level>
101 |     <location>server</location>
102 |   </active-response>
103 | 
104 |   <active-response>
105 |     <command>restart-ossec</command>
106 |     <location>local</location>
107 |     <rules_id>110003</rules_id>
108 |   </active-response>
109 | 
110 |   <localfile>
111 |     <log_format>syslog</log_format>
112 |     <location>/var/ossec/logs/puppetdb_lookup.log</location>
113 |   </localfile>
114 | 
115 |   <localfile>
116 |     <log_format>syslog</log_format>
117 |     <location>/var/ossec/logs/virustotal_lookup.log</location>
118 |   </localfile>
119 | 
120 |   <localfile>
121 |     <log_format>syslog</log_format>
122 |     <location>/var/ossec/logs/cymru_lookup.log</location>
123 |   </localfile>
124 | 
125 |   <localfile>
126 |     <log_format>syslog</log_format>
127 |     <location>/var/ossec/logs/rpm_lookup.log</location>
128 |   </localfile>
129 | 
130 |   <localfile>
131 |     <log_format>syslog</log_format>
132 |     <location>/var/ossec/logs/deb_lookup.log</location>
133 |   </localfile>
134 | 
135 |   <localfile>
136 |     <log_format>syslog</log_format>
137 |     <location>/var/ossec/logs/command_search.log</location>
138 |   </localfile>
139 | 
140 |   <localfile>
141 |     <log_format>syslog</log_format>
142 |     <location>/var/ossec/logs/time_lookup.log</location>
143 |   </localfile>
144 | ```
145 | 3. Agent: copy `rpm_lookup.sh` and `deb_lookup.sh` to `$OSSEC/active-response/bin/` and localfile config to `$OSSEC/etc/ossec.conf`.
146 | ```
147 |   <localfile>
148 |     <log_format>syslog</log_format>
149 |     <location>/var/ossec/logs/rpm_lookup.log</location>
150 |   </localfile>
151 | 
152 |   <localfile>
153 |     <log_format>syslog</log_format>
154 |     <location>/var/ossec/logs/deb_lookup.log</location>
155 |   </localfile>
156 | ```
157 | 
158 | 4. Server: Add `organization_ar_rules.xml` to `$OSSEC/rules/` and include the rules in `$OSSEC/etc/ossec.conf`.
159 | 5. Server: Add `active_response.xml` decoder to `$OSSEC/etc/` and include the decoder in `$OSSEC/etc/ossec.conf`.
160 | 6. Agent/Server: Before restarting create the log files so OSSEC begins reading them e.g. `touch $OSSEC/logs/{deb,rpm}_lookup.sh`
161 | 7. Restart the server and agent OSSEC software
162 | 
163 | ## Decoders
164 | Custom decoders
165 | 
166 | * decoders/kerberos.xml - Decoder for ksu and kadmind logs
167 | * decoders/active_response.xml - Decoder for logs generated from our active response scripts
168 | * decoders/sudo.xml - Improved sudo decoder 
169 | 
170 | ## Rules
171 | Custom rules
172 | 
173 | * rules/kerberos_rules.xml - Kerberos rules
174 | * rules/organization_ar_rules.xml - Active response rules for our AR scripts
175 | * rules/organization_syscheck_rules.xml - Examples of syscheck rules
176 | * rules/organization_rules.xml - Examples of standard log rules
177 | * rules/overwrite_rules.xml - Existing rules that contain modifications
178 | 
179 | ## Munin
180 | Plugins to graph OSSEC stats for Munin
181 | 
182 | * munin/ossec_ar_stats - Graph active response script usage
183 | * munin/ossec_stats - Graph alert counts by 3 major types of alerts: rules, syscheck, or rootcheck
184 | * munin/ossec_top_groups - Graph alert counts by top 10 rule categories
185 | * munin/ossec_top_rules - Graph alert counts by top 10 rule descriptions
186 | 
187 | Location
188 | ```
189 | $ ls /etc/munin/plugins/ossec_*
190 | /etc/munin/plugins/ossec_ar_stats /etc/munin/plugins/ossec_stats  /etc/munin/plugins/ossec_top_groups /etc/munin/plugins/ossec_top_rules
191 | ```
192 | 
193 | Configuration
194 | ```
195 | $ cat /etc/munin/plugin-conf.d/ossec_*
196 | [ossec_ar_stats]
197 | user root
198 | [ossec_stats]
199 | user root
200 | [ossec_top_groups]
201 | user root
202 | [ossec_top_rules]
203 | user root
204 | ```
205 | 
206 | ![Munin Graphs](https://raw.githubusercontent.com/ncsa/ossec-tools/master/munin/ossec_munin.png)
207 | 
208 | ## Nagios
209 | Plugins to check OSSEC services. There's two scripts but the python script `check_ossec.py` is newer and has more features.
210 | Examples of both are listed below.
211 | 
212 | * Check status of OSSEC services excluding active response service (execd)
213 |   * `./check_ossec.py -T status`
214 | * Check that all agents are connected except host1
215 |   * `./check_ossec.py -T connected --skip host1.blah.org`
216 | * Check that syscheck has been completed for all agents in the last 12 hours
217 |   * `./check_ossec.py -T syscheck -c 12 -w 6`
218 | * Check that rootkit checks have been completed for all agents in the last 3 hours
219 |   * `./check_ossec.py -T rootcheck -c 12 -w 6`
220 | * Check status of OSSEC services excluding active response i.e. execd
221 |   * `./check_ossec.sh -s execd`
222 | * Check status of OSSEC agent
223 |   * `./check_ossec.sh -a server1`
224 | * Check status of multiple OSSEC agents
225 |   * `./check_ossec.sh -a "server1,server2,station3"`
226 | * Report critical if more than 3 agents are offline and warning if at least 1 is offline.
227 |   * `./check_ossec.sh -c 3 -w 1`
228 | 


--------------------------------------------------------------------------------
/active-response/add_to_cdb.sh:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env bash
  2 | # Author: Jon Schipp
  3 | PRE="$(date +"%Y-%m-%dT%T.%6N%:z") $(hostname -s) $(basename $0):"
  4 | LOG="../logs/add_to_cdb.log"
  5 | AR_LOG="${PWD}/../logs/active-responses.log"
  6 | CDB="/var/ossec/lists/system_users.list"
  7 | ACTION=$1
  8 | USER=$2
  9 | IP=$3
 10 | ALERTID=$4
 11 | RULEID=$5
 12 | AGENT=$6
 13 | SERVICE=$7
 14 | FILENAME=$8
 15 | 
 16 | die(){
 17 |   [[ -d $(dirname $LOG) ]] && printf "$PRE $*\n" | tee -a $LOG
 18 |   exit 1
 19 | }
 20 | 
 21 | log(){
 22 |   [[ -d $(dirname $LOG) ]] && printf "$PRE $*\n" | tee -a $LOG
 23 |   exit 0
 24 | }
 25 | 
 26 | check_args(){
 27 |   local argc
 28 |   argc="$1"
 29 |   [[ $argc -ge 5 ]] || die "ERROR: Not enough arguments given"
 30 | }
 31 | 
 32 | get_alert(){
 33 |   local alert
 34 |   alert=$(awk -v ts=$ALERTID 'BEGIN { RS=""; ORS="\n" } $0 ~ ts { print }' ${PWD}/../logs/alerts/alerts.log)
 35 |   [[ "$alert" ]] || return 1
 36 |   printf "$alert\n"
 37 | }
 38 | 
 39 | is_system_uid(){
 40 |   local uid="$1"
 41 |   [[ "$uid" ]] || die "ERROR: ${uid:-uid} was not found"
 42 |   [[ $uid -le 500 && $uid -gt 0 ]] || return 1
 43 |   return 0
 44 | }
 45 | 
 46 | get_uid_from_alert(){
 47 |   local alert="$@"
 48 |   local uid_field
 49 |   local uid
 50 |   uid_field=$(printf "$alert\n" | grep -o 'UID=[0-9]\+')
 51 |   uid=${uid_field#*=}
 52 |   printf "$uid\n"
 53 | }
 54 | 
 55 | get_username_from_alert(){
 56 |   local alert="$@"
 57 |   local name_field
 58 |   local username
 59 |   name_field=$(printf "$alert\n" | grep -o 'name=[a-zA-Z0-9_]\+')
 60 |   name=${name_field#*=}
 61 |   printf "$name\n"
 62 | }
 63 | 
 64 | send_cdb(){
 65 |   local username="$1"
 66 |   if [[ -w "$CDB" ]]; then
 67 |     printf "${username}:system\n" >> $CDB
 68 |   fi
 69 | }
 70 | 
 71 | check_cdb(){
 72 |   local username="$1"
 73 |   if [[ -r "$CDB" ]]; then
 74 |     grep -q "${username}:system" $CDB || return 1
 75 |   fi
 76 |   exit 0
 77 | }
 78 | 
 79 | # Check for arguments
 80 | check_args $#
 81 | 
 82 | LOCAL=$(dirname $0);
 83 | cd $LOCAL
 84 | cd ../
 85 | PWD=$(pwd)
 86 | 
 87 | # Logging the call
 88 | [[ -f "$AR_LOG" ]] && printf "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8\n" >> $AR_LOG
 89 | 
 90 | # Only work on rule 5902 'new user'
 91 | [[ $RULEID -eq 5902 ]] || die "ERROR: ${RULEID:-ruleid} did not match"
 92 | 
 93 | # Getting full alert
 94 | ALERT=$(get_alert) || die "ERROR: get_alert: No alert found matching timestamp $ALERTID"
 95 | 
 96 | # Extract info from alert
 97 | USERID="$(get_uid_from_alert "$ALERT")"
 98 | is_system_uid "$USERID" || die "ERROR: UID $USERID is not in the system range"
 99 | USER="$(get_username_from_alert "$ALERT")"
100 | 
101 | # Check if we've looked up this user previously
102 | check_cdb "$USER" || send_cdb "$USER"
103 | 
104 | # Enable
105 | /var/ossec/bin/ossec-makelists -c /var/ossec/etc/ossec.conf
106 | 
107 | # Log
108 | log "OK: Added system user $USER to $CDB"
109 | 


--------------------------------------------------------------------------------
/active-response/alert2chat.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | # Author: Jon Schipp <jonschipp@gmail.com>
 3 | CHAT=/usr/local/bin/ircsay
 4 | CHANNEL="#ossec-alerts"
 5 | ACTION=$1
 6 | USER=$2
 7 | IP=$3
 8 | ALERTID=$4
 9 | RULEID=$5
10 | 
11 | # Check for chat program
12 | [[ -f $CHAT ]] || exit 1
13 | 
14 | # Skip rules to avoid flooding of alerts of less importance
15 |   # Syscheck
16 | [[ "$*" =~ syscheck ]] && exit
17 |   # Login & SSH attempts
18 | [[ $RULEID =~ ^(570[1-3]|5710)$ ]] && exit
19 |   # System
20 | [[ $RULEID =~ ^(2933|5113)$ ]] && exit
21 | 
22 | LOCAL=$(dirname $0);
23 | cd $LOCAL
24 | cd ../
25 | PWD=$(pwd)
26 | 
27 | # Logging the call
28 | printf "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8\n" >> ${PWD}/../logs/active-responses.log
29 | 
30 | # Getting full alert
31 | awk -v ts=$ALERTID 'BEGIN { RS=""; ORS="\n" } $0 ~ ts { print }' ${PWD}/../logs/alerts/alerts.log | $CHAT "$CHANNEL" -
32 | 


--------------------------------------------------------------------------------
/active-response/bhr.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | TOKEN="<put BHR token here>"
 3 | URL="https://bhr.org.tld/bhr/api/block"
 4 | CHAT=/usr/local/bin/ircsay
 5 | CHANNEL="#host-blocks"
 6 | IP=$3
 7 | RULEID=$5
 8 | MESSAGE='OSSEC Rule '$RULEID''
 9 | 
10 | TIMEOUT=900
11 | 
12 | # Requires IP
13 | [[ $IP ]] || exit
14 | 
15 | # Don't block your nets
16 | [[ $IP =~ ^10\.1\.[0-9]{1,3}\.[0-9]{1,3}$ ]] && exit
17 | 
18 | # Skip RFC 1918 addresses
19 | [[ $IP =~ ^10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] && exit
20 | [[ $IP =~ ^172\.16\.[0-9]{1,3}\.[0-9]{1,3}$ ]] && exit
21 | [[ $IP =~ ^192\.168\.[0-9]{1,3}\.[0-9]{1,3}$ ]] && exit
22 | 
23 | # Only block for these rules
24 | [[ $RULEID =~ ^(5703|5712|31153|100022)$ ]] || exit
25 | 
26 | # Logging the call
27 | printf "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8\n" >> ${PWD}/../logs/active-responses.log
28 | 
29 | curl -X POST -H "Authorization: Token ${TOKEN}" $URL \
30 |         --data-urlencode source="ossec" \
31 |         --data-urlencode duration="${TIMEOUT}" \
32 |         --data-urlencode why="${MESSAGE}" \
33 |         --data-urlencode cidr="${IP}/32" \
34 |         --data-urlencode autoscale="1"
35 | 
36 | [[ -f $CHAT ]] && printf "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8\n" | $CHAT "$CHANNEL" -
37 | 


--------------------------------------------------------------------------------
/active-response/cif.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # Generates intel feed entries for CIF
 3 | # Author: Jon Schipp
 4 | CHAT=/usr/local/bin/ircsay
 5 | CHANNEL="#feeds"
 6 | ACTION=$1
 7 | USER=$2
 8 | IP=$3
 9 | ALERTID=$4
10 | RULEID=$5
11 | DESCRIPTION=$(grep -h -A 10 '<rule id="'"$RULEID"'"' /var/ossec/rules/*.xml | awk -F '[<>]' '/description/ { printf("%s", $3) } END { printf("\n") }')
12 | FILE=/var/www/html/ossec.csv
13 | 
14 | # Logging the call
15 | echo "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8" >> ${PWD}/../logs/active-responses.log
16 | 
17 | [[ $IP ]] || exit
18 | 
19 | # RFC 1918
20 | [[ $IP =~ ^10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] && exit
21 | [[ $IP =~ ^172\.16\.[0-9]{1,3}\.[0-9]{1,3}$ ]] && exit
22 | [[ $IP =~ ^192\.168\.[0-9]{1,3}\.[0-9]{1,3}$ ]] && exit
23 | # Add other networks to skip
24 | 
25 | printf "${IP},OSSEC,${RULEID},${DESCRIPTION}\n" >> $FILE
26 | [[ -f $CHAT ]] && printf "${IP},OSSEC,${RULEID},${DESCRIPTION}\n" | $CHAT "$CHANNEL" -
27 | 


--------------------------------------------------------------------------------
/active-response/command_search.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | # Author: Jon Schipp
 3 | PRE="$(date +"%Y-%m-%dT%T.%6N%:z") $(hostname -s) $(basename $0):"
 4 | LOG="../logs/command_search.log"
 5 | AR_LOG="${PWD}/../logs/active-responses.log"
 6 | ACTION=$1
 7 | USER=$2
 8 | IP=$3
 9 | ALERTID=$4
10 | RULEID=$5
11 | AGENT=$6
12 | SERVICE=$7
13 | FILENAME=$8
14 | 
15 | die(){
16 |   echo "$PRE $*" | tee -a -- "$LOG"
17 |   exit 1
18 | }
19 | 
20 | log(){
21 |   echo "$PRE $*" >> "$LOG"
22 |   exit 0
23 | }
24 | 
25 | check_args(){
26 |   local argc
27 |   argc="$1"
28 |   [[ $argc -ge 5 ]] || die "ERROR: Not enough arguments given"
29 | }
30 | 
31 | get_alert(){
32 |   local alert
33 |   local alertid="$1"
34 |   alert=$(awk -v ts=${alertid}: 'BEGIN { RS=""; ORS="\n" } $0 ~ ts { print }' ${PWD}/../logs/alerts/alerts.log)
35 |   [[ "$alert" ]] || return 1
36 |   echo "$alert"
37 | }
38 | 
39 | get_msg(){
40 |   local alert="$@"
41 |   msg=$(echo "$alert" | grep '^[A-Z][a-z]\+ [0-9]\+ ')
42 |   echo "$msg"
43 | }
44 | 
45 | is_skip(){
46 |   local msg="$@"
47 |   # If we find pattern return 1 to skip logging
48 |   echo "$msg" | egrep -q '\]: Updated: Bad protocol version identification|Bad protocol version identification| [iI]nvalid user |mess id 0x' && return 1
49 |   return 0
50 | }
51 | 
52 | search_commands(){
53 |   local alert="$@"
54 |   local p='[^a-zA-Z0-9\.=]'
55 |   local na='[^a-zA-Z]' # No alpha
56 |   local nan='[^a-zA-Z0-9]' # No alpha & numeric
57 |   local recon="${p}id${p}|uname -a |uname${na}|${p}last${na}|${p}w${nan}|whoami|${p}who${na}|wtmp|btmp|shadow"
58 |   local shells="${p}sh -i|bash -i |${p}bash |${p}sh -c |${p}sh "
59 |   local escalation="${p}wget|${p}ftp |${p}curl|${p}fetch |${p}john${na}|${p}hashcat|crack|sniff|tcpdump|shark "
60 |   local exploitation="msfpayload|msfcli|metasploit|meterpreter"
61 |   local hiding="shred|HIST|history -"
62 |   local commands="${recon}|${shells}|${escalation}|${hiding}"
63 |   msg=$(get_msg "$alert")
64 |   echo "$msg" | egrep -q -- "$commands" || return 1
65 |   is_skip "$msg" || return 1 # Skip logs that we cannot match easily with patterns
66 |   match="$(echo "$msg" | egrep -o -- "$commands")"
67 |   echo "Matched $match in $msg"
68 | }
69 | 
70 | # Check for arguments
71 | check_args $#
72 | 
73 | LOCAL=$(dirname $0);
74 | cd $LOCAL
75 | cd ../
76 | PWD=$(pwd)
77 | 
78 | # Logging the call
79 | [[ -f "$AR_LOG" ]] && echo "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8" >> $AR_LOG
80 | 
81 | # Getting full alert
82 | ALERT=$(get_alert "$ALERTID") || exit
83 | # Skip alerts with multiple log lines
84 | [[ "$ALERT" =~ [Mm]ultiple ]] && exit
85 | # Get log messages if found command
86 | MSG=$(search_commands "$ALERT") || exit
87 | 
88 | # Log
89 | log "WARNING: $MSG"
90 | 


--------------------------------------------------------------------------------
/active-response/cymru_lookup.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | # Author: Jon Schipp
 3 | PRE="$(date +"%Y-%m-%dT%T.%6N%:z") $(hostname -s) $(basename $0):"
 4 | LOG="../logs/cymru_lookup.log"
 5 | AR_LOG="${PWD}/../logs/active-responses.log"
 6 | CDB="/var/ossec/lists/hashes.list"
 7 | ACTION=$1
 8 | USER=$2
 9 | IP=$3
10 | ALERTID=$4
11 | RULEID=$5
12 | AGENT=$6
13 | SERVICE=$7
14 | FILENAME=$8
15 | 
16 | die(){
17 |   printf "$PRE $*\n" | tee -a $LOG
18 |   exit 1
19 | }
20 | 
21 | log(){
22 |   printf "$PRE $*\n" | tee -a $LOG
23 |   exit 0
24 | }
25 | 
26 | send_cdb(){
27 |   local checksum
28 |   local file
29 |   checksum="$1"
30 |   file="$2"
31 |   if [[ -w "$CDB" ]]; then
32 |     printf "${checksum}:${file:-empty}\n" >> $CDB
33 |   fi
34 | }
35 | 
36 | check_cdb(){
37 |   local checksum
38 |   checksum="$1"
39 |   if [[ -r "$CDB" ]]; then
40 |     grep -q "$checksum" $CDB && die "Hash $checksum has been looked up previously"
41 |   fi
42 | }
43 | 
44 | LOCAL=$(dirname $0);
45 | cd $LOCAL
46 | cd ../
47 | PWD=$(pwd)
48 | 
49 | # Logging the call
50 | [[ -f "$AR_LOG" ]] && printf "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8\n" >> $AR_LOG
51 | 
52 | # Getting full alert
53 | ALERT=$(awk -v ts=${ALERTID}: 'BEGIN { RS=""; ORS="\n" } $0 ~ ts { print }' ${PWD}/../logs/alerts/alerts.log)
54 | 
55 | # Obtain hash
56 | SHA1=$(printf "$ALERT\n" | grep -o '[a-zA-Z0-9]\{40\}' | tail -n 1)
57 | [[ $SHA1 ]] || die "ERROR: No hash found (${ALERTID:-empty})"
58 | 
59 | # Check if we've looked up this hash previously
60 | check_cdb "$SHA1"
61 | 
62 | # Obtain other info for logging
63 | [[ "$FILENAME" ]] || FILENAME=$(printf "$ALERT\n" | awk -F "['']" '/^File|changed for:/ { print $2 }')
64 | [[ "$AGENT" ]]    || AGENT=$(printf "$ALERT\n" | awk -F "[()]" '/syscheck/ { print $2 }' | tail -n 1)
65 | 
66 | # Lookup
67 | result=$(timeout 1s dig +short ${SHA1}.malware.hash.cymru.com A)
68 | 
69 | # Alert or exit
70 | [[ "$result" =~ '127.0.0.' ]] && log "WARNING: Malicious hash found for ${FILENAME:-(empty)} ($SHA1) on ${AGENT:-(empty)}"
71 | send_cdb "$SHA1" "$FILENAME"
72 | die "OK: No match found for ${FILENAME:-(empty)} ($SHA1) on ${AGENT:-(empty)}"
73 | 


--------------------------------------------------------------------------------
/active-response/deb_lookup.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | # Author: Jon Schipp
 3 | PRE="$(date +"%Y-%m-%dT%T.%6N%:z") $(hostname -s) $(basename $0):"
 4 | LOG="../logs/deb_lookup.log"
 5 | AR_LOG="${PWD}/../logs/active-responses.log"
 6 | ALERTS_LOG="${PWD}/../logs/alerts/alerts.log"
 7 | ACTION=$1
 8 | USER=$2
 9 | IP=$3
10 | ALERTID=$4
11 | RULEID=$5
12 | AGENT=$6
13 | [[ "$7" =~ syscheck ]] && FILENAME=$8 || FILENAME=$7
14 | 
15 | die(){
16 |   printf "$PRE $*\n" | tee -a $LOG
17 |   exit 1
18 | }
19 | 
20 | log(){
21 |   printf "$PRE $*\n" | tee -a $LOG
22 |   exit 0
23 | }
24 | 
25 | get_hash(){
26 |   # Obtain hash from lines e.g. "2eb1a3e346933962bdfbb7b118404b68  /bin/ls"
27 |   local line="$@"
28 |   printf "${line% *}\n"
29 | }
30 | 
31 | deb_lookup() {
32 |   local file="$1"
33 |   results="$(dpkg -S "$file" 2>/dev/null)"
34 |   [[ "$results" ]] || die "WARNING: $file not installed by package"
35 |   pkg="${results%%:*}"
36 |   hashfile="/var/lib/dpkg/info/$pkg.md5sums"
37 |   [[ -s "$hashfile" ]] || die "ERROR: db $hashfile not available or empty"
38 |   match="$(grep -w "${file#/}" "$hashfile")"
39 |   db_hash=$(get_hash "$match")
40 |   line="$(md5sum "$file")"
41 |   fs_hash="$(get_hash "$line")"
42 |   [[ "$db_hash" = "$fs_hash" ]] || return 1
43 |   return 0
44 | }
45 | 
46 | LOCAL=$(dirname $0);
47 | cd $LOCAL
48 | cd ../
49 | PWD=$(pwd)
50 | 
51 | # Logging the call
52 | printf "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8\n" >> $AR_LOG
53 | # System must be Debian based
54 | [[ -f /etc/debian_version ]] || exit 0
55 | 
56 | # We need a filename
57 | [[ "$FILENAME" ]] || die "No file given"
58 | 
59 | deb_lookup "$FILENAME" || die "WARNING: ${FILENAME:-(empty)} differs from DEB database"
60 | log "OK: ${FILENAME:-(empty)} DEB verification passed"
61 | exit 0
62 | 


--------------------------------------------------------------------------------
/active-response/ldap_lookup.sh:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env bash
  2 | # Author: Jon Schipp
  3 | PRE="$(date +"%Y-%m-%dT%T.%6N%:z") $(hostname -s) $(basename $0):"
  4 | LOG="../logs/ldap_lookup.log"
  5 | AR_LOG="${PWD}/../logs/active-responses.log"
  6 | ALERTS_LOG="${PWD}/../logs/alerts/alerts.log"
  7 | CDB="/var/ossec/lists/system_users.list"
  8 | ACTION=$1
  9 | USER=$2
 10 | IP=$3
 11 | ALERTID=$4
 12 | RULEID=$5
 13 | AGENT=$6
 14 | LDAP_SERVER='ldaps://ldap.company.com/' # Replace
 15 | OU='dc=blah,dc=company,dc=com'          # Replace
 16 | 
 17 | die(){
 18 |   printf "$PRE $*\n" | tee -a $LOG
 19 |   exit 1
 20 | }
 21 | 
 22 | log(){
 23 |   printf "$PRE $*\n" | tee -a $LOG
 24 |   exit 0
 25 | }
 26 | 
 27 | check_args(){
 28 |   local argc
 29 |   argc="$1"
 30 |   [[ $argc -ge 5 ]] || die "ERROR: Not enough arguments given"
 31 | }
 32 | 
 33 | ldap_lookup(){
 34 |   local user="$1"
 35 |   local server="$2"
 36 |   local ou="$3"
 37 |   ldap_info=$(ldapsearch -xLLL -b "$ou" -H "$server" "uid=$user" | awk '/uid: / { print $2 }')
 38 |   [[ "$ldap_info" ]] || return 1
 39 |   return 0
 40 | }
 41 | 
 42 | get_alert(){
 43 |   local alertid="$1"
 44 |   local alert
 45 |   alert=$(awk -v ts=${alertid}: 'BEGIN { RS=""; ORS="\n" } $0 ~ ts { print }' ${PWD}/../logs/alerts/alerts.log)
 46 |   [[ "$alert" ]] || return 1
 47 |   printf "$alert\n"
 48 | }
 49 | 
 50 | get_user(){
 51 |   local alert="$@"
 52 |   local user
 53 |   [[ "$alert" ]] || return 1
 54 |   user=$(echo "$alert"  | awk '/^User: / { print $2 }')
 55 |   # Kerberos events and maybe others contain a realm/domain, trim domain
 56 |   user=${user%%@*}
 57 |   [[ "$user" ]]         || return 1
 58 |   [[ "$user" == root ]] && return 1
 59 |   printf "$user\n"
 60 | }
 61 | 
 62 | get_ip(){
 63 |   local alert="$@"
 64 |   local ip
 65 |   [[ "$alert" ]] || return 1
 66 |   ip=$(echo "$alert" | awk '/^Src IP: / { print $3 }')
 67 |   [[ "$ip" ]] || return 1
 68 |   printf "$ip\n"
 69 | }
 70 | 
 71 | get_hostname(){
 72 |   local alert="$@"
 73 |   local host
 74 |   host=$(printf "$alert\n" | awk '/^20[0-9][0-9] [A-Z][a-z][a-z] [0-9][0-9]/ { print $5 }')
 75 |   # above returns strings as host->ip, we just want the IP
 76 |   host="${host##*>}"
 77 |   printf "$host\n"
 78 | }
 79 | 
 80 | check_cdb(){
 81 |   local username="$1"
 82 |   if [[ -r "$CDB" ]]; then
 83 |     grep -q "${username}:" $CDB || return 1
 84 |   fi
 85 | }
 86 | 
 87 | LOCAL=$(dirname $0);
 88 | cd $LOCAL
 89 | cd ../
 90 | PWD=$(pwd)
 91 | 
 92 | # Logging the call
 93 | printf "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8\n" >> $AR_LOG
 94 | 
 95 | # Check for arguments
 96 | check_args $#
 97 | 
 98 | # Getting full alert
 99 | ALERT=$(get_alert "$ALERTID") || { printf "Log for $ALERTID not found\n" && exit 1; }
100 | # Getting user
101 | USER=$(get_user "$ALERT") || { printf "User not found in $ALERTID\n" && exit 1; }
102 | # Check if system user and exit if true
103 | check_cdb "$USER" && { printf "User $USER found in $CDB\n" && exit 1; }
104 | # Getting source IP
105 | [[ "$IP" == - ]] && IP=$(get_ip "$ALERT")
106 | # Get hostname/ip for logs
107 | [[ "$AGENT" == - ]] && HOST=$(get_hostname "$ALERT") || HOST="$AGENT"
108 | 
109 | MSG1="Employee lookup for attempted user"
110 | MSG2="Host ${HOST}, Src IP ${IP:-(empty)}, Orig. Alert $ALERTID"
111 | ldap_lookup "$USER" "$LDAP_SERVER" "$OU" || die "WARNING: $MSG1 ${USER}: $MSG2"
112 | log "OK: $MSG1 ${USER}: $MSG2"
113 | exit 0
114 | 


--------------------------------------------------------------------------------
/active-response/makelists.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # Generates CDB lists from intel files
 3 | # Author: Jon Schipp
 4 | 
 5 | LOCAL=$(dirname $0);
 6 | cd $LOCAL
 7 | cd ../
 8 | PWD=$(pwd)
 9 | 
10 | # Logging the call
11 | printf "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8\n" >> ${PWD}/../logs/active-responses.log
12 | 
13 | # Build CDB databases
14 | /var/ossec/bin/ossec-makelists -c /var/ossec/etc/ossec.conf
15 | 


--------------------------------------------------------------------------------
/active-response/puppetdb_lookup.sh:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env bash
  2 | # Author: Jon Schipp
  3 | PUPPETDB_SOCKET=http://puppet-master:8080
  4 | PRE="$(date +"%Y-%m-%dT%T.%6N%:z") $(hostname -s) $(basename $0):"
  5 | LOG="../logs/puppetdb_lookup.log"
  6 | AR_LOG="${PWD}/../logs/active-responses.log"
  7 | ACTION=$1
  8 | USER=$2
  9 | IP=$3
 10 | ALERTID=$4
 11 | RULEID=$5
 12 | AGENT="$6"
 13 | SERVICE=$7
 14 | FILENAME=$8
 15 | 
 16 | LOCAL=$(dirname $0);
 17 | cd $LOCAL
 18 | cd ../
 19 | PWD=$(pwd)
 20 | 
 21 | die(){
 22 |   [[ -d $(dirname $LOG) ]] && printf "$PRE $*\n" | tee -a $LOG
 23 |   exit 1
 24 | }
 25 | 
 26 | log(){
 27 |   [[ -d $(dirname $LOG) ]] && printf "$PRE $*\n" | tee -a $LOG
 28 |   exit 0
 29 | }
 30 | 
 31 | check_args(){
 32 |   local argc
 33 |   [[ $1 ]] || die "ERROR: ${FUNCNAME}: no argument given"
 34 |   argc="$1"
 35 |   [[ $argc -ge 5 ]] || return 1
 36 | }
 37 | 
 38 | get_alert(){
 39 |   local id
 40 |   [[ $1 ]] || return 1
 41 |   id="$1"
 42 |   awk -v ts=${id}: 'BEGIN { RS=""; ORS="\n" } $0 ~ ts { print }' ${PWD}/../logs/alerts/alerts.log || return 1
 43 | }
 44 | 
 45 | get_host(){
 46 |   awk -F "[()]" '/syscheck/ { print $2 }' | tail -n 1
 47 | }
 48 | 
 49 | get_file(){
 50 |   awk -F "['']" '/^File|^New file|changed for:/ { print $2 }'
 51 | }
 52 | 
 53 | get_dns(){
 54 |   local host
 55 |   local fqdn
 56 |   [[ $1 ]] || return 1
 57 |   host="$1"
 58 |   #Add domains to search below 
 59 |   for name in $host ${host}.domain1.com ${host}.domain2.com
 60 |   do
 61 |     is_fqdn="$(dig $name +short)"
 62 |     [[ "$is_fqdn" ]] && fqdn="$name $fqdn"
 63 |   done
 64 |   if [[ "$fqdn" ]]; then
 65 |     printf "${fqdn}\n"
 66 |   else
 67 |    return 1
 68 |   fi
 69 | }
 70 | 
 71 | query_api_for_file(){
 72 |  local file
 73 |  local name
 74 |  [[ $# -eq 2 ]] || die "ERROR: ${FUNCNAME}: Not enough arguments given"
 75 |  file="$1"
 76 |  name="$2"
 77 |  CURL="curl --connect-timeout 1 -X GET ${PUPPETDB_SOCKET}/v4/resources/File"
 78 |  JSON=$($CURL --data-urlencode 'query=["and",["=", "title", '\""$file"\"'],["=", "certname",'\""$name\""']]' 2>/dev/null)
 79 |  [[ "$JSON" ]] || die "ERROR: Something went wrong for API query, empty: ${dir}, $name"
 80 |  [[ "$JSON" =~ "$file" ]] ||
 81 |  return 1
 82 | }
 83 | 
 84 | query_api_for_dir(){
 85 |  local file
 86 |  local name
 87 |  [[ $# -eq 2 ]] || die "ERROR: ${FUNCNAME}: Not enough arguments given"
 88 |  file="$1"
 89 |  name="$2"
 90 |  dir=$(dirname $file)
 91 |  CURL="curl --connect-timeout 1 -X GET ${PUPPETDB_SOCKET}/v4/resources/File"
 92 |  JSON=$($CURL --data-urlencode 'query=["and",["=", "title", '\""$dir"\"'],["=", "certname",'\""$name\""']]' 2>/dev/null)
 93 |  [[ "$JSON" ]] || die "ERROR: Something went wrong for API query, empty: ${dir}, $name"
 94 |  [[ "$JSON" =~ "$dir" ]] &&
 95 |  [[ "$JSON" =~ directory ]] &&
 96 |  [[ "$JSON" =~ '"recurse" : true' ]] ||
 97 |  return 1
 98 | }
 99 | 
100 | check_status(){
101 |  local code
102 |  [[ $1 ]] || die "ERROR: ${FUNCNAME}: No argument"
103 |  code="$1"
104 |  [[ $code -eq 0 ]] && log "OK: File $FILE managed by Puppet for $HOST_NAME" && return 0
105 |  return 1
106 | }
107 | 
108 | lookup_file(){
109 |   local file
110 |   [[ $1 ]] || return 1
111 |   file="$1"
112 |   printf "File: ${file}\nHost: ${HOST_NAME}\n"
113 |   for name in $DNS_NAMES
114 |   do
115 |     query_api_for_file "$file" "$name"; check_status $? && return 0
116 |     query_api_for_dir  "$file" "$name"; check_status $? && return 0
117 |   done
118 |   return 1
119 | }
120 | 
121 | # Logging the call
122 | [[ -f "$AR_LOG" ]] && printf "$(date) $0 $1 $2 $3 $4 $5 $6 $7 ${8}\n" >> $AR_LOG
123 | 
124 | # Getting full alert if we're passed arguments (by OSSEC), otherwise assume manual use
125 | if check_args $#
126 | then
127 |   ALERT=$(get_alert $ALERTID) || die "ERROR: Retrieving alert failed"
128 |   # Verify we have alert
129 |   [[ "$ALERT" ]] || die "ERROR: Alert not found by timestamp"
130 | fi
131 | 
132 | # Get information we need if not in environment
133 | if ! [[ "$HOST_NAME" ]]; then
134 |   HOST_NAME=$(printf "${ALERT}\n" | get_host) || die "ERROR: Retrieving hostname failed"
135 | fi
136 | 
137 | if ! [[ "$FILENAME" ]]; then
138 |   FILENAME=$(printf "${ALERT}\n" | get_file) || die "ERROR: Retreiving file failed for $HOST_NAME"
139 | fi
140 | 
141 | # Check for valid DNS names so we don't send more requests to puppet then we have to
142 | DNS_NAMES=$(get_dns $HOST_NAME) || die "ERROR: No matching FQDN found for $HOST_NAME"
143 | 
144 | # Lookup file in PuppetDB
145 | lookup_file $FILENAME || die "WARNING: File ${FILENAME:-($ALERTID)} not found for $HOST_NAME"
146 | 


--------------------------------------------------------------------------------
/active-response/rpm_lookup.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | # Author: Jon Schipp
 3 | PRE="$(date +"%Y-%m-%dT%T.%6N%:z") $(hostname -s) $(basename $0):"
 4 | LOG="../logs/rpm_lookup.log"
 5 | AR_LOG="${PWD}/../logs/active-responses.log"
 6 | ALERTS_LOG="${PWD}/../logs/alerts/alerts.log"
 7 | ACTION=$1
 8 | USER=$2
 9 | IP=$3
10 | ALERTID=$4
11 | RULEID=$5
12 | AGENT=$6
13 | [[ "$7" =~ syscheck ]] && FILENAME=$8 || FILENAME=$7
14 | 
15 | die(){
16 |   printf "$PRE $*\n" | tee -a $LOG
17 |   exit 1
18 | }
19 | 
20 | log(){
21 |   printf "$PRE $*\n" | tee -a $LOG
22 |   exit 0
23 | }
24 | 
25 | file_type_lookup(){
26 |   local rpm_info
27 |   rpm_info="$1"
28 |   info=$(printf "$rpm_info" | awk '{ print $2 }')
29 |   TYPE="Regular file"                      # Default to regular file, make changes after
30 |   [[ "$info" == "$FILENAME" ]] && return 0 # True if $2 in rpm_info was empty (no file type info)
31 |   [[ "$info" =~ c ]]           && TYPE="Config file"
32 |   [[ "$info" =~ d ]]           && TYPE="Documentation file"
33 |   [[ "$info" =~ g ]]           && TYPE="GHost file"
34 |   [[ "$info" =~ l ]]           && TYPE="License file"
35 |   [[ "$info" =~ r ]]           && TYPE="Readme file"
36 | }
37 | 
38 | file_status_lookup(){
39 |   local rpm_flags
40 |   rpm_flags="$1"
41 |   [[ "$rpm_flags" =~ missing ]] && STATUS="File is missing"
42 |   [[ "$STATUS" ]]               || STATUS="Size change"
43 | }
44 | 
45 | rpm_lookup(){
46 |   local file
47 |   file="$1"
48 |   rpm_info=$(rpm -Vvf "$1" 2>/dev/null | fgrep -w "$1")
49 |   [[ "$rpm_info" ]] || die "No flags output found for $file"
50 |   file_type_lookup "$rpm_info"
51 |   rpm_flags="$(printf "$rpm_info" | cut -d " " -f1)"
52 |   [[ "$rpm_flags" ]] || die "No flags found for $file"
53 |   file_status_lookup "$rpm_flags"
54 |   [[ "$rpm_flags" =~ S|5|missing ]] || return 0
55 |   return 1
56 | }
57 | 
58 | LOCAL=$(dirname $0);
59 | cd $LOCAL
60 | cd ../
61 | PWD=$(pwd)
62 | 
63 | # Logging the call
64 | printf "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8\n" >> $AR_LOG
65 | # System must be Red Hat based
66 | [[ -f /etc/redhat-release ]] || exit 0
67 | 
68 | # We need a filename
69 | [[ "$FILENAME" ]] || die "No file given"
70 | 
71 | rpm_lookup "$FILENAME" || die "WARNING: ${FILENAME:-(empty)} ($TYPE) differs from RPM database ($STATUS)"
72 | log "OK: ${FILENAME:-(empty)} ($TYPE) RPM verification passed"
73 | exit 0
74 | 


--------------------------------------------------------------------------------
/active-response/rule-all.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | # Author: Jon Schipp
 3 | CHAT=/usr/local/bin/ircsay
 4 | PROG=OSSEC
 5 | SCRIPT=$0
 6 | CHANNEL="#ossec-alerts"
 7 | MAIL=user@org
 8 | ACTION=$1
 9 | USER=$2
10 | IP=$3
11 | ALERTID=$4
12 | RULEID=$5
13 | 
14 | [[ "$*" =~ syscheck ]] && exit
15 | 
16 | # This scripts calls others because only one can be executed by OSSEC
17 | 
18 | die(){
19 |   if [ -f ${COWSAY:-none} ]; then
20 |     $COWSAY -d "$*"
21 |   else
22 |     printf "$*\n"
23 |   fi
24 |   exit 0
25 | }
26 | 
27 | is_ip(){
28 |   [[ $IP ]] || return 1
29 |   [[ $IP == '-' ]] && return 1
30 |   return 0
31 | }
32 | 
33 | LOCAL=$(dirname $0);
34 | cd $LOCAL
35 | cd ../
36 | PWD=$(pwd)
37 | CHAT="$PWD/bin/alert2chat.sh"
38 | CIF="$PWD/bin/cif.sh"
39 | BHR="$PWD/bin/bhr.sh"
40 | CDB="$PWD/bin/add_to_cdb.sh"
41 | CMDS="$PWD/bin/command_search.sh"
42 | TS="$PWD/bin/time_lookup.sh"
43 | LDAP="$PWD/bin/ldap_lookup.sh"
44 | 
45 | printf "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8\n" >> ${PWD}/../logs/active-responses.log
46 | 
47 | # Chat
48 | [[ -x $CHAT ]] && $CHAT $1 $2 $3 $4 $5
49 | 
50 | # Collect system user accounts from 'new user' events, only work on rule 5902
51 | [[ -x $CDB ]] && [[ $RULEID -eq 5902 ]] && $CDB $1 $2 $3 $4 $5
52 | 
53 | # Search for suspicious commands
54 | [[ -x $CMDS ]] && $CMDS $1 $2 $3 $4 $5
55 | 
56 | # Check if system's clock is off
57 | [[ -x $TS ]] && $TS $1 $2 $3 $4 $5
58 | 
59 | # Lookup user's in LDAP
60 | [[ -x $LDAP ]] && $LDAP $1 $2 $3 $4 $5 $6
61 | 
62 | # CIF Feed
63 | is_ip && [[ -x $CIF ]] && $CIF $1 $2 $3 $4 $5
64 | 
65 | # BHR Block
66 | is_ip && [[ -x $BHR ]] && $BHR $1 $2 $3 $4 $5
67 | 


--------------------------------------------------------------------------------
/active-response/syscheck-all.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | # Author: Jon Schipp <jonschipp@gmail.com>
 3 | SCRIPT=$0
 4 | ACTION=$1
 5 | USER=$2
 6 | IP=$3
 7 | ALERTID=$4
 8 | RULEID=$5
 9 | AGENT=$6
10 | SERVICE=$7
11 | FILENAME=$8
12 | 
13 | # This scripts calls others because only one can be executed by OSSEC
14 | 
15 | # Match syscheck rules
16 | [[ "$*" =~ syscheck ]] || exit
17 | [[ $RULEID =~ ^(51[069]|55[0-5]|580|59[5-8])$ ]] || exit
18 | 
19 | die(){
20 |   if [ -f ${COWSAY:-none} ]; then
21 |     $COWSAY -d "$*"
22 |   else
23 |     printf "$*\n"
24 |   fi
25 |   exit 0
26 | }
27 | 
28 | LOCAL=$(dirname $0);
29 | cd $LOCAL
30 | cd ../
31 | PWD=$(pwd)
32 | PUPPET="$PWD/bin/puppetdb_lookup.sh"
33 | CHAT="$PWD/bin/syscheck2chat.sh"
34 | CYMRU="$PWD/bin/cymru_lookup.sh"
35 | VT="$PWD/bin/virustotal_lookup.sh"
36 | 
37 | printf "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8\n" >> ${PWD}/../logs/active-responses.log
38 | 
39 | # Puppet
40 | [[ -x $PUPPET ]] && $PUPPET $1 $2 $3 $4 $5 $6 $7 $8; found="$?"
41 | [[ $found ]] && [[ $found -eq 0 ]] && exit 0 # If we made it here, file is managed by puppet and we no longer care
42 | 
43 | # Chat
44 | [[ -x $CHAT ]] && $CHAT $1 $2 $3 $4 $5 $6 $7 $8
45 | 
46 | # Cymru Hash Lookup
47 | [[ -x $CYMRU ]] && $CYMRU $1 $2 $3 $4 $5 $6 $7 $8
48 | 
49 | # Virus Total Hash Lookup
50 | [[ -x $VT ]] && $VT $1 $2 $3 $4 $5 $6 $7 $8
51 | 


--------------------------------------------------------------------------------
/active-response/syscheck2chat.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | # Author: Jon Schipp
 3 | 
 4 | CHAT=/usr/local/bin/ircsay
 5 | CHANNEL="#ossec-syscheck"
 6 | ACTION=$1
 7 | USER=$2
 8 | IP=$3
 9 | ALERTID=$4
10 | RULEID=$5
11 | 
12 | # Check for chat program
13 | [[ -f $CHAT ]] || exit 1
14 | 
15 | # Match syscheck rules
16 | [[ "$*" =~ syscheck ]] || exit
17 | [[ $RULEID =~ ^(51[069]|55[0-5]|580|59[5-8])$ ]] || exit
18 | 
19 | LOCAL=$(dirname $0);
20 | cd $LOCAL
21 | cd ../
22 | PWD=$(pwd)
23 | 
24 | # Logging the call
25 | printf "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8\n" >> ${PWD}/../logs/active-responses.log
26 | 
27 | # Getting full alert
28 | awk -v ts=$ALERTID 'BEGIN { RS=""; ORS="\n" } $0 ~ ts { print }' ${PWD}/../logs/alerts/alerts.log | $CHAT "$CHANNEL" -
29 | 


--------------------------------------------------------------------------------
/active-response/time_lookup.sh:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env bash
  2 | # Author: Jon Schipp
  3 | PRE="$(date +"%Y-%m-%dT%T.%6N%:z") $(hostname -s) $(basename $0):"
  4 | LOG="../logs/time_lookup.log"
  5 | AR_LOG="${PWD}/../logs/active-responses.log"
  6 | ACTION=$1
  7 | USER=$2
  8 | IP=$3
  9 | ALERTID=$4
 10 | RULEID=$5
 11 | AGENT=$6
 12 | SERVICE=$7
 13 | FILENAME=$8
 14 | MAX_TIME=300 # 5 min in seconds
 15 | 
 16 | die(){
 17 |   printf "$PRE $*\n" | tee -a -- "$LOG"
 18 |   exit 1
 19 | }
 20 | 
 21 | log(){
 22 |   printf "$PRE $*\n" >> "$LOG"
 23 |   exit 0
 24 | }
 25 | 
 26 | check_args(){
 27 |   local argc
 28 |   argc="$1"
 29 |   [[ $argc -ge 5 ]] || die "ERROR: Not enough arguments given"
 30 | }
 31 | 
 32 | get_alert(){
 33 |   local alert
 34 |   local alertid="$1"
 35 |   alert=$(awk -v ts=${alertid}: 'BEGIN { RS=""; ORS="\n" } $0 ~ ts { print }' ${PWD}/../logs/alerts/alerts.log)
 36 |   [[ "$alert" ]] || return 1
 37 |   printf "$alert\n"
 38 | }
 39 | 
 40 | convert_timestamp(){
 41 |   local ts="$@"
 42 |   ts=$(date --date="$ts" +%s)
 43 |   [[ "$ts" ]] || return 1
 44 |   if [[ ${#ts} -eq 10 ]]; then
 45 |     printf "$ts\n"
 46 |   else
 47 |     return 1
 48 |   fi
 49 | }
 50 | 
 51 | get_timestamp(){
 52 |   local alert="$@"
 53 | 
 54 |   # Attempt to get timestamp from log by format
 55 |   ts=$(printf "$alert\n" | grep -o '^20[1-9]\{2\}-[0-9]\{2\}-[0-9]\{2\}T[0-9]\{2\}:[0-9]\{2\}:[0-9]\{2\}\.[0-9]\{6\}')
 56 |   if [[ "$ts" ]]; then
 57 |     epoch=$(convert_timestamp "$ts")
 58 |     if [[ "$epoch" ]]; then
 59 |       printf "$epoch"
 60 |       return 0
 61 |     fi
 62 |   fi
 63 | 
 64 |   ts=$(printf "$alert\n" | grep -o '^[A-Z][a-z]\+ [0-9]\{2\} [0-9]\{2\}:[0-9]\{2\}:[0-9]\{2\}')
 65 |   if [[ "$ts" ]]; then
 66 |     epoch=$(convert_timestamp "$ts")
 67 |     if [[ "$epoch" ]]; then
 68 |       printf "$epoch"
 69 |       return 0
 70 |     fi
 71 |   fi
 72 |   # Add more patterns to extract your logs timestamp if they differ
 73 | 
 74 |   # If we made it here none of the timestamps matched
 75 |   return 1
 76 | }
 77 | 
 78 | get_utc_timestamp(){
 79 |   local alert="$@"
 80 |   local ossec_ts
 81 |   local year
 82 |   local datetime
 83 |   local ossec_ts
 84 |   local ossec_epoch
 85 |   # Attempt to get OSSEC alert timestamp (UTC)
 86 |   ossec_ts=$(printf "$alert\n" | grep -o '^20[1-9]\{2\} [A-Z][a-z]\+ [0-9]\{2\} [0-9]\{2\}:[0-9]\{2\}:[0-9]\{2\}')
 87 |   if [[ "$ossec_ts" ]]; then
 88 |     # date: invalid date `2016 Feb 25 00:00:17'
 89 |     # Format so year is at end
 90 |     year="${ossec_ts%% *}"
 91 |     datetime="${ossec_ts#* }"
 92 |     ossec_ts="${datetime} ${year}"
 93 |     ossec_epoch=$(convert_timestamp "$ossec_ts") || return 1
 94 |   fi
 95 |   printf "$ossec_epoch\n"
 96 | }
 97 | 
 98 | get_hostname(){
 99 |   local alert="$@"
100 |   local host
101 |   host=$(printf "$alert\n" | awk '/^2016 [A-Z][a-z][a-z] [0-9][0-9]/ { print $5 }')
102 |   printf "$host\n"
103 | }
104 | 
105 | check_existing_entry(){
106 |   local host="$1"
107 |   fgrep -q "$host" $LOG && return 1
108 |   return 0
109 | }
110 | 
111 | is_utc(){
112 |   local ossec_ts="$1"
113 |   local log_ts="$2"
114 |   local tz=0
115 |   utc=$((log_ts-3600*5))
116 |   dst1=$((log_ts-3600*6))
117 |   dst2=$((log_ts-3600*7))
118 |   for ts in $utc $dst1 $dst2; do
119 |     result=$((ossec_ts-ts))
120 |      [[ $result -eq 18000 ]] && tz=1
121 |      [[ $result -eq 21600 ]] && tz=1
122 |      [[ $result -eq 25200 ]] && tz=1
123 |   done
124 |   return $tz
125 | }
126 | 
127 | check_timestamp(){
128 |   local log_ts="$1"
129 |   local host="$2"
130 |   local current=$(date +"%s")
131 |   seconds="$((current-log_ts))"
132 |   [[ $seconds -lt 0 ]]   && die "WARNING: system clock is ahead by $seconds seconds for $host on ${ALERTID}, ${current}-${log_ts}"
133 |   [[ $seconds -lt $MAX_TIME ]] || die "WARNING: system clock is behind by $seconds seconds for $host on ${ALERTID}, ${current}-${log_ts}"
134 | }
135 | 
136 | # Check for arguments
137 | check_args $#
138 | 
139 | LOCAL=$(dirname $0);
140 | cd $LOCAL
141 | cd ../
142 | PWD=$(pwd)
143 | 
144 | # Logging the call
145 | [[ -f "$AR_LOG" ]] && printf "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8\n" >> $AR_LOG
146 | 
147 | # Getting full alert
148 | ALERT=$(get_alert "$ALERTID") || exit
149 | # Skip if alert has multiple logs
150 | [[ "$ALERT" =~ [Mm]ultiple ]] && exit
151 | # Get timestamp
152 | TS=$(get_timestamp "$ALERT") || die "ERROR: get_timestamp: No timestamp found for $ALERTID"
153 | # Get hostname for logs
154 | HOST=$(get_hostname "$ALERT")
155 | # Don't run on ossec logs
156 | [[ $HOST =~ ossec ]] && exit
157 | 
158 | # Skip writing warning logs if there's an entry for this host already
159 | # This will cut down on alerts
160 | check_existing_entry "$HOST" || exit 1
161 | 
162 | UTC_EPOCH=$(get_utc_timestamp "$ALERT") || die "ERROR: get_utc_timestamp: utc epoch not found in alert"
163 | is_utc "$UTC_EPOCH" "$TS" || die "WARNING: System clock for $HOST is not localtime on ${ALERTID}, Alert_UTC:${UTC_EPOCH} Log_Local:${TS}"
164 | check_timestamp "$TS" "$HOST"
165 | 


--------------------------------------------------------------------------------
/active-response/virus_total.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | import json
 3 | import urllib
 4 | import urllib2
 5 | import sys
 6 | 
 7 | apikey = '<insert_key_here>'
 8 | 
 9 | def usage():
10 |   print '''Submit hash to virtus-total
11 | (Place your VirusTotal apikey in this script)
12 | Usage: %s <hash>''' % sys.argv[0]
13 |   exit(1)
14 | 
15 | def collect(data):
16 |   retrieve             = data[0]
17 |   sha1                 = retrieve['sha1']
18 |   filenames            = retrieve['filenames']
19 |   first_seen           = retrieve['first-seen']
20 |   last_seen            = retrieve['last-seen']
21 |   last_scan_permalink  = retrieve['last-scan-permalink']
22 |   last_scan_report     = retrieve['last-scan-report']
23 |   return sha1, filenames, first_seen, last_seen, last_scan_permalink, last_scan_report
24 | 
25 | def msg(sha1, filenames, first_seen, last_seen, last_scan_permalink):
26 |   print '''===Suspected Malware Item===
27 |   SHA1: %s
28 |   Filenames: %s
29 |   First Seen: %s
30 |   Last Seen: %s
31 |   Link: %s''' % (sha1, filenames, first_seen, last_seen, last_scan_permalink)
32 | 
33 | def is_malware(last_scan_report):
34 |   for av, scan in last_scan_report.iteritems():
35 |     if scan[0] is not None:
36 |       return True
37 |   return False
38 | 
39 | def in_database(data, mhash):
40 |   result = data[0]['result']
41 |   if result == 0: 
42 |     return False
43 |   return True
44 | 
45 | def arguments():
46 |   if len(sys.argv) < 2:
47 |     usage()
48 |   if '-h' in sys.argv[1]:
49 |     usage()
50 |   if not apikey:
51 |     print "Set apikey in %s to value of your Virus Total key" % sys.argv[0]
52 |     exit(1)
53 | 
54 |   mhash = sys.argv[1]
55 |   return mhash
56 | 
57 | def query_api(mhash, apikey):
58 |   url = "http://api.vtapi.net/vtapi/get_file_infos.json"
59 |   parameters = {"resources": mhash, "apikey": apikey}
60 |   encoded = urllib.urlencode(parameters)
61 |   req = urllib2.Request(url, encoded)
62 |   response = urllib2.urlopen(req)
63 |   response_string = response.read()
64 |   data = json.loads(response_string)
65 |   return data
66 | 
67 | mhash = arguments()
68 | data = query_api(mhash, apikey)
69 | 
70 | if not in_database(data, mhash):
71 |   print 'No entry for %s in database' % mhash
72 |   exit(1)
73 | 
74 | # Positive match found
75 | sha1, filenames, first_seen, last_seen, last_scan_permalink, last_scan_report = collect(data)
76 | if is_malware(last_scan_report):
77 |   msg(sha1, filenames, first_seen, last_seen, last_scan_permalink)
78 |   exit(0)
79 | else:
80 |   print 'Entry %s is not malicious' % mhash
81 |   exit(1)
82 | 


--------------------------------------------------------------------------------
/active-response/virustotal_lookup.sh:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env bash
  2 | # Author: Jon Schipp
  3 | PRE="$(date +"%Y-%m-%dT%T.%6N%:z") $(hostname -s) $(basename $0):"
  4 | LOG="../logs/virustotal_lookup.log"
  5 | AR_LOG="${PWD}/../logs/active-responses.log"
  6 | CDB="/var/ossec/lists/hashes.list"
  7 | ACTION=$1
  8 | USER=$2
  9 | IP=$3
 10 | ALERTID=$4
 11 | RULEID=$5
 12 | AGENT=$6
 13 | SERVICE=$7
 14 | FILENAME=$8
 15 | 
 16 | die(){
 17 |   [[ -d $(dirname $LOG) ]] && printf "$PRE $*\n" | tee -a $LOG
 18 |   exit 1
 19 | }
 20 | 
 21 | log(){
 22 |   [[ -d $(dirname $LOG) ]] && printf "$PRE $*\n" | tee -a $LOG
 23 |   exit 0
 24 | }
 25 | 
 26 | check_args(){
 27 |   local argc
 28 |   argc="$1"
 29 |   [[ $argc -ge 5 ]] || die "ERROR: Not enough arguments given"
 30 | }
 31 | 
 32 | 
 33 | get_alert(){
 34 |   local alert
 35 |   alert=$(awk -v ts=${ALERTID}: 'BEGIN { RS=""; ORS="\n" } $0 ~ ts { print }' ${PWD}/../logs/alerts/alerts.log)
 36 |   [[ "$alert" ]] || return 1
 37 |   printf "$alert\n"
 38 | }
 39 | 
 40 | is_hash(){
 41 |   local sha1
 42 |   sha1="$1"
 43 |   [[ $sha1 ]] || die "ERROR: ${FUNCNAME}: Hash variable empty"
 44 |   [[ $sha1 =~ ^\ +$ ]] && die "ERROR: ${FUNCNAME}: Hash variable is only whitespace"
 45 |   len="${#sha1}"; [[ $len -eq 40 ]] || die "ERROR: ${FUNCNAME}: The Hash variable does not contain a SHA1 hash"
 46 | }
 47 | 
 48 | get_hash_from_alert(){
 49 |   local alert
 50 |   local sha1
 51 |   alert="$@"
 52 |   [[ "$FILENAME" ]] || FILENAME=$(printf "$alert\n" | awk -F "['']" '/^File|changed for:/ { print $2 }')
 53 |   sha1=$(printf "$alert\n" | grep -o '[a-zA-Z0-9]\{40\}' | tail -n 1)
 54 |   printf "$sha1\n"
 55 | }
 56 | 
 57 | get_hash_from_filename(){
 58 |   local alert
 59 |   local sha1
 60 |   alert="$@"
 61 |   [[ "$FILENAME" ]] || FILENAME=$(printf "$alert\n" | awk -F "['']" '/^File|changed for:/ { print $2 }')
 62 |   [[ -r "$FILENAME" ]]  || die "ERROR: ${FUNCNAME}: File not available on system"
 63 |   sha1=$(sha1sum $file | grep -o '[a-zA-Z0-9]\{40\}')
 64 |   printf "$sha1\n"
 65 | }
 66 | 
 67 | virus_lookup(){
 68 |    local sha1
 69 |    local results
 70 |    sha1="$1"
 71 |    results=$($PWD/bin/virus_total.py $sha1)
 72 |    status_code=$?
 73 |    printf "$results\n"
 74 |    return $status_code
 75 | }
 76 | 
 77 | is_executable(){
 78 |   local file
 79 |   file="$1"
 80 |   file -L "$file" 2>/dev/null | egrep -i -q 'script|exec|ELF|object|stripped|linked' || return 1
 81 |   return 0
 82 | }
 83 | 
 84 | send_cdb(){
 85 |   local checksum
 86 |   local file
 87 |   checksum="$1"
 88 |   file="$2"
 89 |   if [[ -w "$CDB" ]]; then
 90 |     printf "${checksum}:${file:-empty}\n" >> $CDB
 91 |   fi
 92 | }
 93 | 
 94 | check_cdb(){
 95 |   local checksum
 96 |   checksum="$1"
 97 |   if [[ -r "$CDB" ]]; then
 98 |     grep -q "$checksum" $CDB && exit 0
 99 |   fi
100 | }
101 | 
102 | # Check for arguments
103 | check_args $#
104 | 
105 | LOCAL=$(dirname $0);
106 | cd $LOCAL
107 | cd ../
108 | PWD=$(pwd)
109 | 
110 | # Logging the call
111 | [[ -f "$AR_LOG" ]] && printf "$(date) $0 $1 $2 $3 $4 $5 $6 $7 $8\n" >> $AR_LOG
112 | 
113 | # Getting full alert
114 | ALERT=$(get_alert) || die "ERROR: get_alert: No alert found matching timestamp $ALERTID"
115 | 
116 | # Obtain hash
117 | [[ $RULEID -eq 554 ]] && HASH=$(get_hash_from_filename "$ALERT") || HASH=$(get_hash_from_alert "$ALERT")
118 | # Grab host for logging
119 | [[ "$AGENT" ]] || AGENT=$(printf "$ALERT\n" | awk -F "[()]" '/syscheck/ { print $2 }' | tail -n 1)
120 | 
121 | # Only perform lookups for executable files
122 | is_executable "$FILENAME" || die "OK: ${FILENAME:-(empty)} is not an executable file"
123 | 
124 | # Verify we do indeed have a hash
125 | is_hash "$HASH"
126 | 
127 | # Check if we've looked up this hash previously
128 | check_cdb "$HASH"
129 | 
130 | # Lookup
131 | RESULTS=$(virus_lookup $HASH) || { send_cdb "$HASH" "$FILENAME" && die "OK: No malware found for ${FILENAME:-(empty)} ${HASH:-(empty)} on ${AGENT:-(empty)}"; }
132 | 
133 | # Log
134 | log "Malicious hash found for ${FILENAME:-(empty)} ($HASH) on ${AGENT:-(empty)}"
135 | 


--------------------------------------------------------------------------------
/decoders/active_response.xml:
--------------------------------------------------------------------------------
 1 | <!--
 2 |       - rpm_lookup decoder
 3 |  - Will extract the status and filename (as id)
 4 |  - Examples:
 5 |  - 2016-01-26T13:18:55.940806-06:00 ossec-sec rpm_lookup.sh: OK: /usr/bin/floppy (Regular file) RPM verification passed
 6 |  -->
 7 | <decoder name="rpm_lookup">
 8 |   <program_name>^rpm_lookup.sh$</program_name>
 9 | </decoder>
10 | 
11 | <decoder name="rpm_lookup_info">
12 |   <parent>rpm_lookup</parent>
13 |   <regex>^(\S+): (\S+)</regex>
14 |   <order>status, id</order>
15 | </decoder>
16 | 
17 | <!--
18 |       - deb_lookup decoder
19 |  - Will extract the status and filename (as id)
20 |  - Examples:
21 |  - 2016-01-26T13:18:55.940806-06:00 ossec-sec deb_lookup.sh: OK: /usr/bin/floppy DEB verification passed
22 |  -->
23 | <decoder name="deb_lookup">
24 |   <program_name>^deb_lookup.sh$</program_name>
25 | </decoder>
26 | 
27 | <decoder name="deb_lookup_info">
28 |   <parent>deb_lookup</parent>
29 |   <regex>^(\S+): (\S+)</regex>
30 |   <order>status, id</order>
31 | </decoder>
32 | 
33 | <!--
34 |       - puppetdb_lookup decoder
35 |  - Will extract the status and filename (as id)
36 |  - Examples:
37 |  - 2016-01-26T13:33:20.774122-06:00 ossec-sec puppetdb_lookup.sh: WARNING: File /usr/bin/javac not found for host1.blah.org
38 |  -->
39 | <decoder name="puppetdb_lookup">
40 |   <program_name>^puppetdb_lookup.sh$</program_name>
41 | </decoder>
42 | 
43 | <decoder name="puppetdb_lookup_info">
44 |   <parent>puppetdb_lookup</parent>
45 |   <regex>^(\S+): File (\S+)</regex>
46 |   <order>status, id</order>
47 | </decoder>
48 | 
49 | <!--
50 |       - cymru_lookup decoder
51 |  - Will extract the status and filename (as id)
52 |  - Examples:
53 |  - 2016-01-28T15:17:57.091010-06:00 ossec-sec cymru_lookup.sh: OK: No match found for /usr/bin/gpg2 (4db4cd6a6c007694409c8dfc3cca8017edb8be05) on (host1.blah.org)
54 |  - 2016-01-28T15:17:57.091010-06:00 ossec-sec cymru_lookup.sh: WARNING: Malicious hash found for /usr/bin/gpg2 (4db4cd6a6c007694409c8dfc3cca8017edb8be05) on (host1.blah.org)
55 |  -->
56 | <decoder name="cymru_lookup">
57 |   <program_name>^cymru_lookup.sh$</program_name>
58 | </decoder>
59 | 
60 | <decoder name="cymru_lookup_ok_info">
61 |   <parent>cymru_lookup</parent>
62 |   <regex>^(\S+): No match found for \S+ \((\S+)\)</regex>
63 |   <order>status, id</order>
64 | </decoder>
65 | 
66 | <decoder name="cymru_lookup_warning_info">
67 |   <parent>cymru_lookup</parent>
68 |   <regex>^(\S+): Malicious hash found for \S+ \((\S+)\)</regex>
69 |   <order>status, id</order>
70 | </decoder>
71 | 
72 | <!--
73 |       - ldap_lookup decoder
74 |  - Will extract the status, user, dstip (log source), and srcip (e.g. ssh scan source)
75 |  - Examples:
76 |  - 2016-03-17T10:59:03.331649-05:00 ossec-sec ldap_lookup.sh: OK: employee lookup for attempted user jschipp: Host 10.2.2.1, Src IP 10.13.32.34, Orig. Alert 1458229125.2049519
77 |  - 2016-03-17T10:59:03.331649-05:00 ossec-sec ldap_lookup.sh: WARNING: employee lookup for attempted user carltonbanks: Host 10.1.1.1, Src IP 23.234.54.32, Orig. Alert 1458229125.2049519
78 |  -->
79 | <decoder name="ldap_lookup">
80 |   <program_name>^ldap_lookup.sh$</program_name>
81 | </decoder>
82 | 
83 | <decoder name="ldap_lookup_info">
84 |   <parent>ldap_lookup</parent>
85 |   <regex>^(\S+): NCSA employee lookup for attempted user (\w+): Host (\d+.\d+.\d+.\d+), Src IP (\d+.\d+.\d+.\d+), </regex>
86 |   <order>status, user, dstip, srcip</order>
87 | </decoder>
88 | 


--------------------------------------------------------------------------------
/decoders/kerberos_decoder.xml:
--------------------------------------------------------------------------------
 1 | <!--
 2 |     - ksu decoder
 3 |  - Will extract the username and command
 4 |  - Examples:
 5 | 
 6 | 2016-02-01T10:34:58.431957-06:00 ossec-sec ksu[11061]: 'ksu root' authentication failed for vladg on /dev/pts/1
 7 | 2016-02-01T10:37:39.372873-06:00 ossec-sec ksu[14243]: 'ksu root' authenticated vladg@ORG.COM for vladg on /dev/pts/1
 8 | 2016-02-01T10:36:33.682170-06:00 ossec-sec ksu[13199]: Account root: authorization for vladg@ORG.COM successful
 9 | 2016-02-01T10:37:39.377808-06:00 ossec-sec ksu[14243]: Account root: authorization for vladg@ORG.COM for execution of /bin/ls successful
10 | 
11 | -->
12 | <decoder name="kerberos_ksu">
13 |   <program_name>^ksu</program_name>
14 | </decoder>
15 | 
16 | <decoder name="ksu_authn_fail">
17 |   <parent>kerberos_ksu</parent>
18 |   <prematch>^'ksu \S+' authentication failed</prematch>
19 |   <regex>^'ksu (\S+)' authentication failed for (\S+) on \S+$</regex>
20 |   <order>dstuser, id</order>
21 | </decoder>
22 | 
23 | <decoder name="ksu_authn_success">
24 |   <parent>kerberos_ksu</parent>
25 |   <prematch>^'ksu \S+' authenticated </prematch>
26 |   <regex>^'ksu (\S+)' authenticated (\S+) for (\S+) on \S+$</regex>
27 |   <order>dstuser, id, extra_data</order>
28 | </decoder>
29 | 
30 | <decoder name="ksu_authz_success">
31 |   <parent>kerberos_ksu</parent>
32 |   <prematch>^Account \S+: authorization for \S+ successful</prematch>
33 |   <regex>^Account (\S+): authorization for (\S+) successful$</regex>
34 |   <order>dstuser, id</order>
35 | </decoder>
36 | 
37 | <decoder name="ksu_authz_success_command">
38 |   <parent>kerberos_ksu</parent>
39 |   <prematch>^Account \S+: authorization for \S+ for execution of \S+ successful</prematch>
40 |   <regex>^Account (\S+): authorization for (\S+) for execution of (\S+) successful$</regex>
41 |   <order>dstuser, id, extra_data</order>
42 | </decoder>
43 | 
44 | <!--
45 |     - kadmin decoder
46 |  - Will extract the dstuser, status, id (srcuser), and srcip
47 |  - Examples:
48 | Oct  6 08:35:48 brick kadmind[1508]: Request: kadm5_create_principal, arik@ORG.COM, success, client=vdvadmin@ORG.COM, service=kadmin/admin@ORG.COM, addr=141.142.2.28
49 | Oct  6 08:35:49 brick kadmind[1508]: Request: kadm5_get_principal, arik@ORG.COM, success, client=vdvadmin@ORG.COM, service=kadmin/admin@ORG.COM, addr=141.142.2.28
50 | May 18 13:36:02 brick kadmind[3072]: Request: kadm5_get_principal, root@ORG.COM, Principal does not exist, client=jbarlow/admin@ORG.COM, service=kadmin/admin@ORG.COM, addr=141.142.2.19
51 | Oct  6 08:35:49 brick kadmind[1508]: Request: kadm5_modify_principal, arik@ORG.COM, success, client=vdvadmin@ORG.COM, service=kadmin/admin@ORG.COM, addr=141.142.2.28
52 | -->
53 | 
54 | <decoder name="kerberos_kadmin">
55 |   <program_name>^kadmind</program_name>
56 | </decoder>
57 | 
58 | <decoder name="kadmin_create_principal">
59 |   <parent>kerberos_kadmin</parent>
60 |   <prematch>^Request: kadm5_create_principal,</prematch>
61 |   <regex>^Request: kadm5_create_principal, (\S+), (\S+), client=(\S+), service=\S+, addr=(\S+)$</regex>
62 |   <order>dstuser, status, id, srcip</order>
63 | </decoder>
64 | 
65 | <decoder name="kadmin_get_principal">
66 |   <parent>kerberos_kadmin</parent>
67 |   <prematch>^Request: kadm5_get_principal,</prematch>
68 |   <regex>^Request: kadm5_get_principal, (\S+), (\S+), client=(\S+), service=\S+, addr=(\S+)$|</regex>
69 |   <regex>^Request: kadm5_get_principal, (\S+), (Principal does not exist), client=(\S+), service=\S+, addr=(\S+)$</regex>
70 |   <order>dstuser, status, id, srcip</order>
71 | </decoder>
72 | 
73 | <decoder name="kadmin_modify_principal">
74 |   <parent>kerberos_kadmin</parent>
75 |   <prematch>^Request: kadm5_modify_principal,</prematch>
76 |   <regex>^Request: kadm5_modify_principal, (\S+), (\S+), client=(\S+), service=\S+, addr=(\S+)$|</regex>
77 |   <regex>^Request: kadm5_modify_principal, (\S+), (Principal does not exist), client=(\S+), service=\S+, addr=(\S+)$</regex>
78 |   <order>dstuser, status, id, srcip</order>
79 | </decoder>
80 | 


--------------------------------------------------------------------------------
/decoders/sudo.xml:
--------------------------------------------------------------------------------
 1 | <!-- We made some changes to the default decoder.xml file -->
 2 | 
 3 | <!--
 4 |    - Allowed fields:
 5 |    - location - where the log came from (only on FTS)
 6 |    - srcuser  - extracts the source username
 7 |    - dstuser  - extracts the destination (target) username
 8 |    - user     - an alias to dstuser (only one of the two can be used)
 9 |    - srcip    - source ip
10 |    - dstip    - dst ip
11 |    - srcport  - source port
12 |    - dstport  - destination port
13 |    - protocol - protocol
14 |    - id       - event id
15 |    - url      - url of the event
16 |    - action   - event action (deny, drop, accept, etc)
17 |    - status   - event status (success, failure, etc)
18 |    - extra_data     - Any extra data
19 |   -->
20 | 
21 | <!-- Sudo decoder.
22 |   -  Will extract the username
23 |   -  Examples:
24 |   -  Apr 27 15:22:23 niban sudo:     dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/tail /var/log/snort/alert.fast
25 |   -  Apr 27 15:25:08 niban sudo:     dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/tail /var/log/snort/alert.fast
26 |   -  Apr 14 10:59:01 enigma sudo:     dcid : TTY=ttyp3 ; PWD=/home/dcid/ossec-hids.0.1a/src/analysisd ; USER=root ; COMMAND=/bin/cp -pr ../../bin/addagent ../../bin/osaudit-logaudi
27 | t ../../bin/ossec-execd ../../bin/ossec-logcollector ../../bin/ossec-maild ../../bin/ossec-remoted /var/ossec/bin
28 |   -  Apr 19 14:52:02 enigma sudo:     dcid : TTY=ttyp3 ; PWD=/var/www/alex ; USER=root ; COMMAND=/sbin/chown dcid.dcid .
29 |   # Additios to default sudo decoder
30 |   -  2016-02-08T10:35:35.266214-06:00 ossec-sec sudo:  jschipp : TTY=pts/0 ; PWD=/var/ossec/bin ; USER=jschipp ; COMMAND=/bin/bash -c echo balls
31 |   -  2016-02-08T10:36:10.588567-06:00 ossec-sec sudo:  jschipp : TTY=pts/0 ; PWD=/var/ossec/bin ; USER=root ; COMMAND=/bin/bash -c echo balls
32 |   -->
33 | <decoder name="sudo">
34 |   <program_name>^sudo</program_name>
35 |   <regex>^\s+(\S+)\s:\sTTY=\S+\s;\sPWD=(\S+)\s;\sUSER=(\S+)\s;\sCOMMAND=(\.+)$</regex>
36 |   <order>id,url,dstuser,status</order>
37 |   <fts>name,user,location</fts>
38 |   <ftscomment>First time user executed the sudo command</ftscomment>
39 | </decoder>
40 | 


--------------------------------------------------------------------------------
/munin/ossec_ar_stats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | FILE=/var/ossec/logs/active-responses.log
 3 | DIR=/var/ossec/active-response/bin
 4 | config(){
 5 | cat <<EOF
 6 | graph_title OSSEC Active Response Stats
 7 | graph_category process
 8 | graph_vlabel Response Counters
 9 | graph_info Stats
10 | graph_period minute
11 | EOF
12 | }
13 | 
14 | [[ -d $DIR ]] || exit
15 | 
16 | strip(){
17 |  local msg
18 |  msg="$@"
19 |  msg=$(basename $msg)
20 |  msg=${msg%%.*}
21 |  msg=${msg/-/_}
22 |  msg=${msg// }
23 |  s="$msg"
24 | }
25 | 
26 | if [[ "$1" == "config" ]]; then
27 |   config
28 |   for s in $DIR/*; do
29 |     strip $s
30 |     printf "${s}.label ${s}\n"
31 |     printf "${s}.min 0\n"
32 |     printf "${s}.type GAUGE\n"
33 |     printf "${s}.info Count ${Q}\n"
34 |   done
35 | else
36 |     date="$(date +"%a %b %e")"
37 |     for s in $DIR/*; do
38 |       ar="$s"
39 |       strip $s
40 |       count=$(grep "$date" $FILE | grep -c "$ar")
41 |       printf "${s}.value ${count}\n"
42 |     done
43 | fi
44 | 


--------------------------------------------------------------------------------
/munin/ossec_munin.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ncsa/ossec-tools/03279edb0cf6e3853a299321dbf6cf7acf1e8721/munin/ossec_munin.png


--------------------------------------------------------------------------------
/munin/ossec_stats:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | FILE=/var/ossec/logs/alerts/alerts.log
 3 | config(){
 4 | cat <<EOF
 5 | graph_title OSSEC Stats
 6 | graph_category process
 7 | graph_vlabel Alert Counters
 8 | graph_info Stats
 9 | graph_period minute
10 | EOF
11 | }
12 | 
13 | if [[ "$1" == "config" ]]; then
14 |   config
15 |   for s in all syscheck rootcheck
16 |   do
17 |     printf "${s}.label ${s}\n"
18 |     printf "${s}.min 0\n"
19 |     printf "${s}.type GAUGE\n"
20 |     printf "${s}.info Count ${Q}\n"
21 |   done
22 | else
23 |   if [[ -f $FILE ]] && [[ -r $FILE ]]; then
24 |     syscheck=$(grep -c '\*\* Alert.*syscheck' /var/ossec/logs/alerts/alerts.log)
25 |     rootcheck=$(grep -c '\*\* Alert.*rootcheck' /var/ossec/logs/alerts/alerts.log)
26 |     all=$(grep -c '\*\* Alert' /var/ossec/logs/alerts/alerts.log)
27 | 
28 |     printf "all.value ${all}\n"
29 |     printf "syscheck.value ${syscheck}\n"
30 |     printf "rootcheck.value ${rootcheck}\n"
31 |   else
32 |     printf "File not found!\n"
33 |     exit 1
34 |   fi
35 | fi
36 | 


--------------------------------------------------------------------------------
/munin/ossec_top_groups:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | FILE=/var/ossec/logs/alerts/alerts.log
 3 | OPTION="$1"
 4 | 
 5 | config(){
 6 | cat <<EOF
 7 | graph_title OSSEC Top Groups
 8 | graph_category process
 9 | graph_vlabel Groups by Name
10 | graph_info Count
11 | graph_period minute
12 | EOF
13 | }
14 | 
15 | top_10(){
16 |   grep '\*\* Alert' /var/ossec/logs/alerts/alerts.log | cut -d '-' -f 2 | sed -e 's/,/\n/g' -e 's/\s//' | grep . | sort | uniq -c | sort -nr | head
17 | }
18 | 
19 | values(){
20 |   top="$(top_10)"
21 |   IFS=$'\n'
22 |   for i in $top;
23 |   do
24 |     line=$(echo $i | xargs)
25 |     count="${line%% *}"
26 |     group="${line#* }"
27 |     if [[ "$OPTION" == "config" ]]; then
28 |       printf "${group}\n"
29 |     else
30 |       printf "${group}.value ${count}\n"
31 |     fi
32 |   done
33 | }
34 | 
35 | [[ -r $FILE ]] || { printf "File not found!\n"; exit 1; }
36 | 
37 | if [[ "$OPTION" == "config" ]]; then
38 |   config
39 |   messages="$(values)"
40 |   IFS=$'\n'
41 |   for s in $messages
42 |   do
43 |     printf "${s}.label ${s}\n"
44 |     printf "${s}.min 0\n"
45 |     printf "${s}.type GAUGE\n"
46 |     printf "${s}.info Count ${Q}\n"
47 |   done
48 | else
49 |   values
50 | fi
51 | 


--------------------------------------------------------------------------------
/munin/ossec_top_rules:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | FILE=/var/ossec/logs/alerts/alerts.log
 3 | OPTION="$1"
 4 | 
 5 | config(){
 6 | cat <<EOF
 7 | graph_title OSSEC Top Rules
 8 | graph_category process
 9 | graph_vlabel Alerts Name
10 | graph_info Count
11 | graph_period minute
12 | EOF
13 | }
14 | 
15 | top_10(){
16 |   fgrep Rule: /var/ossec/logs/alerts/alerts.log | cut -d " " -f 6- | sort | uniq -c | sort -nr | head
17 | }
18 | 
19 | strip(){
20 |  local msg
21 |  msg="$@"
22 |  msg=${msg// }
23 |  msg=${msg//-}
24 |  msg=${msg//(}
25 |  name=${msg//)}
26 | }
27 | 
28 | values(){
29 |   top="$(top_10)"
30 |   IFS=$'\n'
31 |   for i in $top;
32 |   do
33 |     line=$(echo $i | xargs)
34 |     count="${line%% *}"
35 |     rule="${line#* }"
36 |     msg=${rule%%.}
37 |     if [[ "$OPTION" == "config" ]]; then
38 |       printf "${msg}\n"
39 |     else
40 |       strip $msg
41 |       printf "${name}.value ${count}\n"
42 |    fi
43 |   done
44 | }
45 | 
46 | if [[ "$OPTION" == "config" ]]; then
47 |   config
48 |   messages="$(values)"
49 |   IFS=$'\n'
50 |   for s in $messages
51 |   do
52 |     strip $s
53 |     printf "${name}.label ${s}\n"
54 |     printf "${name}.min 0\n"
55 |     printf "${name}.type GAUGE\n"
56 |     printf "${name}.info Count ${Q}\n"
57 |   done
58 | else
59 |   if [[ -f $FILE ]] && [[ -r $FILE ]]; then
60 |     values
61 |   else
62 |     printf "File not found!\n"
63 |     exit 1
64 |   fi
65 | fi
66 | 


--------------------------------------------------------------------------------
/nagios/check_ossec.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | # Author: Jon Schipp
  3 | 
  4 | 
  5 | # 1.) Check status of OSSEC services excluding active response i.e. execd
  6 | # $ ./check_ossec.py -T status
  7 | 
  8 | # 2.) Check that all agents are connected except host1
  9 | # $ ./check_ossec.py -T connected --skip host1.blah.org
 10 | 
 11 | # 3.) Check that syscheck has been completed for all agents in the last 12 hours
 12 | # $ ./check_ossec.py -T syscheck -c 12 -w 6
 13 | 
 14 | # 4.) Check that rootkit checks have been completed for all agents in the last 3 hours
 15 | # $ ./check_ossec.py -T rootcheck -c 12 -w 6
 16 | 
 17 | import sys
 18 | import argparse
 19 | import os
 20 | import subprocess
 21 | import datetime
 22 | import time
 23 | 
 24 | # Nagios exit codes
 25 | NAGIOS_OK       = 0
 26 | NAGIOS_WARNING  = 1
 27 | NAGIOS_CRITICAL = 2
 28 | NAGIOS_UNKNOWN  = 3
 29 | 
 30 | STATUS_MSG = {
 31 |   0:  'OK',
 32 |   1:  'WARNING',
 33 |   2:  'CRITICAL',
 34 |   3:  'UNKNOWN',
 35 | }
 36 | 
 37 | status_checks=['connected', 'syscheck', 'rootcheck', 'status']
 38 | 
 39 | def arguments():
 40 |   global path
 41 |   # Defaults
 42 |   crit = 1
 43 |   warn = 1
 44 |   path = '/var/ossec'
 45 | 
 46 |   parser = argparse.ArgumentParser(description='Check OSSEC Configuration')
 47 |   parser.add_argument("-s", "--skip",     type=str, help="Items to skip from check")
 48 |   parser.add_argument("-a", "--agents",   type=str, help="Check status of agents (def: all) (sep:,) e.g. www1,www2")
 49 |   parser.add_argument("-T", "--type",     type=str, help="Type of check", choices=status_checks)
 50 |   parser.add_argument("-p", "--path",     type=str, help="Path of OSSEC directory (def: /var/ossec)")
 51 |   parser.add_argument("-c", "--critical", type=int, help="Critical value in count for checks")
 52 |   parser.add_argument("-w", "--warning",  type=int, help="Warning value in count for checks")
 53 |   args = parser.parse_args()
 54 | 
 55 |   option = args.type
 56 |   if args.critical:
 57 |     crit = args.critical
 58 |   if args.warning:
 59 |     warn = args.warning
 60 | 
 61 |   if args.skip:
 62 |     skip = args.skip.split(",")
 63 |   else:
 64 |     skip = "None"
 65 |   if args.agents:
 66 |     agents = args.agents.split(",")
 67 |   else:
 68 |     agents = False
 69 |   if args.path: 
 70 |     path = args.path
 71 | 
 72 |   return option, agents, skip, crit, warn
 73 | 
 74 | def threshold(inactive_agents, crit, warn):
 75 |   if inactive_agents >= crit:
 76 |     return NAGIOS_CRITICAL
 77 |   if inactive_agents >= warn:
 78 |     return NAGIOS_WARNING
 79 |   return NAGIOS_OK
 80 | 
 81 | def is_ossec(path):
 82 |  if os.path.isdir(path):
 83 |    files = [ 
 84 |      'etc/ossec.conf', 
 85 |      'etc/shared/agent.conf', 
 86 |      'bin/syscheck_control',
 87 |      'bin/rootcheck_control',
 88 |      'bin/agent_control'
 89 |     ]
 90 |    for f in files:
 91 |      fp = path + '/' + f
 92 |      if not os.path.isfile(fp):
 93 |        print "Error: Installation missing file %s" % fp
 94 |        return False
 95 |  return True
 96 | 
 97 | def get_output_dict(cmd, arg):
 98 |   c=0
 99 |   data={}
100 |   command = path + '/' + cmd
101 |   result = subprocess.Popen([command,arg],stdout=subprocess.PIPE,stderr=subprocess.PIPE)
102 |   set_result = set(result.stdout)
103 |   for i in set_result:
104 |     data[c]= [i.split(',')]
105 |     c += 1
106 |   return data
107 | 
108 | def get_output_set(cmd, arg):
109 |   command = path + '/' + cmd
110 |   result = subprocess.Popen([command,arg],stdout=subprocess.PIPE,stderr=subprocess.PIPE)
111 |   data = set(result.stdout)
112 |   return data
113 | 
114 | def is_server():
115 |   filename = '/etc/ossec-init.conf'
116 |   try:
117 |     with open(filename, 'r') as f:
118 |       contents = f.readlines()
119 |       install_type = contents[3].strip().split('=')[1]
120 |     if install_type == '"server"':
121 |       return True
122 |     else:
123 |       print "ERROR: Unable to detect OSSEC server: %s" % install_type
124 |       return False
125 |     
126 |   except IOError:
127 |     print "ERROR: Cannot open file %s. Is OSSEC installed?" % filename
128 |     exit(NAGIOS_UNKNOWN)
129 | 
130 | def open_queue(filename, service):
131 |   try:
132 |     with open(filename, 'r') as f:
133 |       for i in f.readlines():
134 |         if service == 'syscheck':
135 |           if 'Starting syscheck scan.' in i:
136 |             syscheck_start_ts = i[1:11]
137 |             return syscheck_start_ts
138 |         if service == 'rootcheck':
139 |           if 'Starting rootcheck scan.' in i:
140 |             rootcheck_start_ts = i[1:11]
141 |             return rootcheck_start_ts
142 |       else:
143 |             return False
144 |   except IOError:
145 |     print "ERROR: Cannot read queue file %s" % filename
146 |     exit(NAGIOS_UNKNOWN)
147 | 
148 | def older_than(ts, name, crit_ts, warn_ts):
149 |   if not ts:
150 |       print "%s: %s: LastCheckTime: Unknown" % (STATUS_MSG[NAGIOS_UNKNOWN], name)
151 |       return NAGIOS_UNKNOWN
152 |   service_timestamp = datetime.datetime.fromtimestamp(float(ts))
153 |   if service_timestamp < crit_ts:
154 |       print "%s: %s: LastCheckTime: %s" % (STATUS_MSG[NAGIOS_CRITICAL], name, service_timestamp)
155 |       return NAGIOS_CRITICAL
156 |   elif service_timestamp < warn_ts:
157 |           print "%s: %s: LastCheckTime: %s" % (STATUS_MSG[NAGIOS_WARNING], name, service_timestamp)
158 |           return NAGIOS_WARNING
159 |   else:
160 |           return NAGIOS_OK
161 | 
162 | def check_connected(agents, skip, crit, warn):
163 |   data = get_output_dict('bin/agent_control', '-l')
164 |   c=0
165 |   inactive_agents = 0
166 |   active = [ 'Active', 'Active/Local' ]
167 |   notactive = {}
168 | 
169 |   for i in data:
170 |     line =  data[c][0]
171 |     c += 1
172 |     # Check for lines with fields we need
173 |     # Extract agent name and status message
174 |     if len(line) == 4:
175 |       name=line[1][6:].lstrip()
176 |       status=line[3].lstrip().rstrip()
177 | 
178 |       # If --agents is specified only check for specified agents
179 |       if agents:
180 |         if name not in agents:
181 |           continue
182 |       else:
183 |         # If --agents is not specified check all except in skip
184 |         if name in skip:
185 |           continue
186 | 
187 |       if status not in active:
188 |         notactive[name] = status
189 |         inactive_agents += 1
190 | 
191 |   # Check if inactive agents were fonud 
192 |   if notactive:
193 |     exit_code = threshold(inactive_agents, crit, warn)
194 |     print "%s: %d agents not connected" % (STATUS_MSG[exit_code], len(notactive))
195 |     for k,v in notactive.items():
196 |       print "Name: %s, Status: %s" % (k,v)
197 |     return exit_code
198 |   else:
199 |     print "%s: All agents connected" % STATUS_MSG[NAGIOS_OK]
200 |     return NAGIOS_OK
201 |       
202 | def check_service(service, agents, skip, crit, warn):
203 |   dir = os.path.join(path,'queue/rootcheck')
204 |   crit_ts = datetime.datetime.now() - datetime.timedelta(hours=crit)
205 |   warn_ts = datetime.datetime.now() - datetime.timedelta(hours=warn)
206 |   status_list = []
207 |   for queue in os.listdir(dir):
208 |      name = queue.strip('()').split()[0].rstrip(')')
209 |      if agents:
210 |        if name not in agents:
211 |          continue
212 |      else:
213 |        if name == 'rootcheck':
214 |          continue
215 |        if name in skip:
216 |          continue
217 |      f = os.path.join(dir, queue)
218 |      if os.path.isfile(f):
219 |        ts = open_queue(f, service)
220 |        status = older_than(ts, name, crit_ts, warn_ts)
221 |      status_list.append(status)
222 |      exit_code = max(status_list)
223 |   if exit_code == NAGIOS_OK:
224 |     print "%s: Agent %s runtimes are up to date" % (STATUS_MSG[NAGIOS_OK],service)
225 |   return exit_code
226 | 
227 | def check_status(agents, skip):
228 |   data = get_output_set('bin/ossec-control', 'status')
229 |   not_running=[]
230 |   for i in data:
231 |     # If --skip is used skip these
232 |     if i in skip:
233 |       continue
234 |     # Add names of services not running to list
235 |     if 'not running' in i:
236 |       not_running.append(i)
237 |       continue
238 |   # Test for entries in list. Entries mean something wasn't running
239 |   if not_running:
240 |     print "%s: Some services running" % STATUS_MSG[NAGIOS_CRITICAL]
241 |     for i in not_running:
242 |       print i.rstrip()
243 |     return NAGIOS_CRITICAL
244 |   else:
245 |     print "%s: All services running" % STATUS_MSG[NAGIOS_OK]
246 |     return NAGIOS_OK
247 | 
248 | def main():
249 |   option, agents, skip, crit, warn = arguments()
250 | 
251 |   if not is_ossec(path):
252 |     exit(NAGIOS_UNKNOWN)
253 |   if not is_server():
254 |     exit(NAGIOS_UNKNOWN)
255 | 
256 |   if option == "connected":
257 |     exit(check_connected(agents, skip, crit, warn))
258 |   elif option == "syscheck":
259 |     exit(check_service(option, agents, skip, crit, warn))
260 |   elif option == "rootcheck":
261 |     exit(check_service(option, agents, skip, crit, warn))
262 |   elif option == "status":
263 |     exit(check_status(agents, skip))
264 |   else:
265 |     print "Invalid type option"
266 |     exit(NAGIOS_UNKNOWN)
267 | 
268 | if __name__ == "__main__":
269 |   main()
270 | 


--------------------------------------------------------------------------------
/nagios/check_ossec.sh:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env bash
  2 | 
  3 | # Author: Jon Schipp
  4 | # Date: 11-07-2013
  5 | ########
  6 | # Examples:
  7 | 
  8 | # 1.) Check status of OSSEC services excluding active response i.e. execd
  9 | # $ ./check_ossec.sh -s execd
 10 | 
 11 | # 2.) Check status of OSSEC agent
 12 | # $ ./check_ossec.sh -a server1
 13 | 
 14 | # 3.) Check status of multiple OSSEC agents
 15 | # $ ./check_ossec.sh -a "server1,server2,station3"
 16 | 
 17 | # 4.) Report critical if more than 3 agents are offline and warning if at least 1 is offline.
 18 | # $ ./check_ossec.sh -c 3 -w 1
 19 | 
 20 | # Nagios Exit Codes
 21 | OK=0
 22 | WARNING=1
 23 | CRITICAL=2
 24 | UNKNOWN=3
 25 | 
 26 | # Default Location of the binaries
 27 | # Set these to the proper location if your installation differs
 28 | CONF=/var/ossec/etc/ossec.conf
 29 | AGENT_CONF=/var/ossec/etc/shared/agent.conf
 30 | AGENT_CONTROL=/var/ossec/bin/agent_control
 31 | OSSEC_CONTROL=/var/ossec/bin/ossec-control
 32 | SYSCHECK_CONTROL=/var/ossec/bin/syscheck-control
 33 | ROOTKIT_CONTROL=/var/ossec/bin/rootkit-control
 34 | 
 35 | if [ ! -f $AGENT_CONTROL ] && [ ! -f $OSSEC_CONTROL ];
 36 | then
 37 |   echo "ERROR: OSSEC binaries not found. If you installed OSSEC in a location other than the default update the AGENT_CONTROL and OSSEC_CONTROL variables in $0."
 38 |   exit 1
 39 | fi
 40 | 
 41 | usage()
 42 | {
 43 | cat <<EOF
 44 | 
 45 | Check for status of OSSEC agents and server.
 46 | This script should be run on the OSSEC server.
 47 | 
 48 |      Options:
 49 |         -a <name>       Check status of agent or list of comma separated agents, "agent1,agent2".
 50 |         -c <int>        Critical threshold for number of inactive agents
 51 |         -l              List all agents
 52 |         -s <service>    Check status of OSSEC server processes. Use ``-s all'' to check all.
 53 |                         To exclude a service e.g execd pass as argument i.e. ``-s execd''
 54 |         -w              Warning threshold for number of inactive agents
 55 |         -S              Syscheck last scan check
 56 |         -R              Rootkit last scan check
 57 | 
 58 | Usage: $0 -a "server1,server2,station3"
 59 | EOF
 60 | }
 61 | 
 62 | argcheck() {
 63 | # if less than n argument
 64 | if [ $ARGC -lt $1 ]; then
 65 |         echo "Missing arguments! Use \`\`-h'' for help."
 66 |         exit 1
 67 | fi
 68 | }
 69 | 
 70 | # Initialize variables
 71 | CRIT=0
 72 | WARN=0
 73 | CHECK_AGENT=0
 74 | CHECK_THRESHOLD=0
 75 | CHECK_SYSCHECK=0
 76 | CHECK_ROOTCHECK=0
 77 | LIST_AGENTS=0
 78 | SERVER_CHECK=0
 79 | EXCLUDE=all
 80 | ACTIVE=0
 81 | INACTIVE=0
 82 | NEVER=0
 83 | TOTAL=0
 84 | DISCONNECTED=0
 85 | CONNECTED=0
 86 | NEVERCONNECTED=0
 87 | UNKNOWN=0
 88 | ARGC=$#
 89 | 
 90 | argcheck 1
 91 | 
 92 | while getopts "ha:c:ls:v:w:SR" OPTION
 93 | do
 94 |   case $OPTION in
 95 |     h)
 96 |       usage;;
 97 |     a)
 98 |       CHECK_AGENT=1
 99 |       AGENT="$OPTARG"
100 |       ;;
101 |     c)
102 |       CHECK_THRESHOLD=1
103 |       CRIT="$OPTARG"
104 |       ;;
105 |     l)
106 |       LIST_AGENTS=1
107 |       ;;
108 |     s)
109 |       SERVER_CHECK=1
110 |       EXCLUDE="$OPTARG"
111 |       ;;
112 |     v)
113 |       CHECK_THRESHOLD=1
114 |       VOL="$OPTARG"
115 |       ;;
116 |     w) 
117 |       WARN="$OPTARG";;
118 |     S) 
119 |       CHECK_SYSCHECK=1;;
120 |     R) 
121 |       CHECK_ROOTCHECK=1;;
122 |     \?)
123 |       exit 1;;
124 |   esac
125 | done
126 | 
127 | if [ $LIST_AGENTS -eq 1 ]; then
128 |   $AGENT_CONTROL -l
129 |   exit 0
130 | fi
131 | 
132 | if [ $SERVER_CHECK -eq 1 ]; then
133 |   
134 |   $OSSEC_CONTROL status | grep -v $EXCLUDE | grep "not running"
135 | 
136 |   if [ $? -eq 0 ]; then
137 |     echo "An OSSEC service is not running!"
138 |     exit $CRITICAL
139 |   else
140 |     echo "All OSSEC services running"
141 |     exit $OK
142 |   fi
143 | fi
144 | 
145 | if [ $CHECK_AGENT -eq 1 ]; then
146 | 
147 |   for host in $(echo $AGENT | sed 's/,/ /g'); 
148 |   do
149 |     RESULT=$($AGENT_CONTROL -l | grep ${host},)
150 |     case $RESULT in
151 |     *Disconnected)
152 |       echo "Agent $host is not connected!"
153 |       DISCONNECTED=$((DISCONNECTED+1))
154 |       ;; 
155 |     *Active)
156 |       echo "Agent $host is connected"
157 |       CONNECTED=$((CONNECTED+1))
158 |       ;;
159 |     *Never*) 
160 |       echo "Agent $host has never connected to the server: $RESULT"
161 |       NEVERCONNECTED=$((NEVERCONNECTED+1))
162 |       ;;
163 |     *)
164 |       echo "Unknown status or agent: $host"
165 |       UNKNOWN=$((UNKNOWN+1))
166 |       ;;
167 |     esac
168 |   done
169 |   
170 |   if [ $DISCONNECTED -gt 0 ] || [ $NEVERCONNECTED -gt 0 ] || [ $UNKNOWN -gt 0 ]; then
171 |     echo "-> $DISCONNECTED disconnected agent(s), $NEVERCONNECTED never connected agent(s), and $UNKNOWN agent(s) with unknown status (possible agent name typo?)."
172 |     exit $CRITICAL
173 |   else 
174 |     echo "All requested ($CONNECTED) agents are connected to the server!"
175 |     exit $OK
176 |   fi
177 | fi
178 | 
179 | 
180 | if [ $CHECK_THRESHOLD -eq 1 ]; then
181 |   
182 |   ACTIVE=$($AGENT_CONTROL -l | grep Active | wc -l)
183 |   INACTIVE=$($AGENT_CONTROL -l | grep Disconnected | wc -l)
184 |   NEVER=$($AGENT_CONTROL -l | grep Never | wc -l)
185 |   TOTAL=$($AGENT_CONTROL -l | wc -l)
186 | 
187 |   if [ $INACTIVE -gt $CRIT ]; then
188 |     echo "$INACTIVE of $TOTAL agents inactive! Active: $ACTIVE"
189 |     exit $CRITICAL
190 |   elif [ $INACTIVE -gt $WARN ]; then
191 |     echo "$INACTIVE of $TOTAL agents inactive! Active: $ACTIVE"
192 |     exit $WARNING
193 |   else
194 |     echo "Active: $ACTIVE - Inactive: $INACTIVE - Never connected:$NEVER - Total: $TOTAL"
195 |     exit $OK
196 |   fi
197 | fi
198 | 
199 | [[ '' ]]
200 | 
201 | if [ $CHECK_SYSCHECK -eq 1 ]; then
202 | 
203 | 
204 | fi
205 | 
206 | if [ $CHECK_ROOTCHECK -eq 1 ]; then
207 | fi
208 | 


--------------------------------------------------------------------------------
/rules/kerberos_rules.xml:
--------------------------------------------------------------------------------
  1 | <!-- Rules for Kerberos -->
  2 | 
  3 | <group name="syslog,kerberos,">
  4 |   <rule id="15000" level="0">
  5 |     <decoded_as>kerberos_ksu</decoded_as>
  6 |     <description>Kerberos messages grouped.</description>
  7 |   </rule>
  8 | 
  9 |   <!-- Auth success -->
 10 |   
 11 |   <rule id="15001" level="3">
 12 |     <if_sid>15000</if_sid>
 13 |     <decoded_as>kerberos_ksu</decoded_as>
 14 |     <regex>authenticated</regex>
 15 |     <description>ksu authentication succeeded.</description>
 16 |     <group>authentication_success,</group>
 17 |   </rule>
 18 | 
 19 |   <rule id="15002" level="5">
 20 |     <if_sid>15001</if_sid>
 21 |     <user>root</user>
 22 |     <description>ksu root authentication succeeded.</description>
 23 |     <group>authentication_success,</group>
 24 |   </rule>
 25 |   
 26 |   <!-- Auth failed -->
 27 | 
 28 |   <rule id="15003" level="3">
 29 |     <if_sid>15000</if_sid>
 30 |     <decoded_as>kerberos_ksu</decoded_as>
 31 |     <regex>authentication failed</regex>
 32 |     <description>ksu authentication failed.</description>
 33 |     <group>authentication_failed,</group>
 34 |   </rule>
 35 | 
 36 |   <rule id="15004" level="10">
 37 |     <if_sid>15003</if_sid>
 38 |     <user>root</user>
 39 |     <description>ksu authentication to root failed.</description>
 40 |     <group>authentication_failed,</group>
 41 |   </rule>
 42 | 
 43 |   <!-- AuthZ succeeded -->
 44 | 
 45 |   <rule id="15005" level="3">
 46 |     <if_sid>15000</if_sid>
 47 |     <decoded_as>kerberos_ksu</decoded_as>
 48 |     <regex>authorization for \S+ successful</regex>
 49 |     <description>ksu authorization succeeded.</description>
 50 |     <group>authentication_success,</group>
 51 |   </rule>
 52 |   
 53 |   <rule id="15006" level="3">
 54 |     <if_sid>15000</if_sid>
 55 |     <decoded_as>kerberos_ksu</decoded_as>
 56 |     <regex>authorization for \S+ for execution of \S+ successful</regex>
 57 |     <description>ksu authorization succeeded to run command.</description>
 58 |     <group>authentication_success,</group>
 59 |   </rule>
 60 | 
 61 |   <rule id="15007" level="5">
 62 |     <if_sid>15005, 15006</if_sid>
 63 |     <user>root</user>
 64 |     <description>ksu authorization to root succeeded.</description>
 65 |     <group>authentication_success,</group>
 66 |   </rule>
 67 | 
 68 |   <rule id="15008" level="5">
 69 |     <if_sid>15007</if_sid>
 70 |     <if_fts></if_fts>
 71 |     <options>alert_by_email</options>
 72 |     <description>First time (ksu) is executed by user.</description>
 73 |   </rule>
 74 | 
 75 | <!-- Rules for Kadmin -->
 76 | 
 77 |   <rule id="15100" level="0">
 78 |     <decoded_as>kerberos_kadmin</decoded_as>
 79 |     <description>Kerberos messages grouped.</description>
 80 |   </rule>
 81 | 
 82 |   <!-- Principal successes -->
 83 | 
 84 |   <rule id="15101" level="11">
 85 |     <if_sid>15100</if_sid>
 86 |     <match>create_principal</match>
 87 |     <status>success</status>
 88 |     <description>Kerberus principal created</description>
 89 |     <group>adduser,account_changed</group>
 90 |   </rule>
 91 | 
 92 |   <rule id="15102" level="5">
 93 |     <if_sid>15100</if_sid>
 94 |     <match>get_principal</match>
 95 |     <status>success</status>
 96 |     <description>Kerberus principal successfully requested</description>
 97 |     <group>authentication_success,</group>
 98 |   </rule>
 99 | 
100 |   <rule id="15103" level="11">
101 |     <if_sid>15100</if_sid>
102 |     <match>modify_principal</match>
103 |     <status>success</status>
104 |     <description>Kerberus principal successfully modified</description>
105 |     <group>adduser,account_changed</group>
106 |   </rule>
107 | 
108 |   <!-- Principal failures -->
109 | 
110 |   <rule id="15104" level="11">
111 |     <if_sid>15100</if_sid>
112 |     <match>get_principal</match>
113 |     <status>Principal does not exist</status>
114 |     <description>Invalid Kerberus principal requested</description>
115 |     <group>invalid_login</group>
116 |   </rule>
117 | 
118 | </group>
119 | 


--------------------------------------------------------------------------------
/rules/organization_ar_rules.xml:
--------------------------------------------------------------------------------
  1 | <!-- organization Active Response custom rules -->
  2 | 
  3 | <group name="org,org_ar,">
  4 | 
  5 |   <rule id="120001" level="14">
  6 |     <program_name>virustotal_lookup.sh</program_name>
  7 |     <match>Malicious hash found</match>
  8 |     <description>Malware hash found in Virus Total</description>
  9 |   </rule>
 10 | 
 11 |   <rule id="120002" level="14">
 12 |     <program_name>cymru_lookup.sh</program_name>
 13 |     <match>WARNING</match>
 14 |     <description>Malware hash found in Team Cymru Malware Hash Registry</description>
 15 |   </rule>
 16 | 
 17 | 
 18 |    <rule id="120003" level="0">
 19 |      <decoded_as>rpm_lookup</decoded_as>
 20 |      <description>Custom RPM Lookup Alert</description>
 21 |      <group>rpm_lookup</group>
 22 |    </rule>
 23 | 
 24 |    <rule id="120004" level="11">
 25 |      <if_sid>120003</if_sid>
 26 |      <program_name>rpm_lookup.sh</program_name>
 27 |      <match>WARNING</match>
 28 |      <description>File has been modified, entry in RPM database differs</description>
 29 |      <options>no_email_alert</options>
 30 |      <group>rpm_lookup</group>
 31 |    </rule>
 32 | 
 33 |    <rule id="120005" level="0">
 34 |      <decoded_as>puppetdb_lookup</decoded_as>
 35 |      <description>Custom PuppetDB Lookup Alert</description>
 36 |      <group>puppetdb_lookup</group>
 37 |    </rule>
 38 | 
 39 |    <rule id="120006" level="11">
 40 |      <if_sid>120005</if_sid>
 41 |      <program_name>puppetdb_lookup.sh</program_name>
 42 |      <match>WARNING</match>
 43 |      <description>Modified file not managed by Puppet</description>
 44 |      <options>no_email_alert</options>
 45 |      <group>puppetdb_lookup</group>
 46 |    </rule>
 47 | 
 48 |   <rule id="120007" level="12" timeframe="1">
 49 |     <if_matched_sid>120006</if_matched_sid>
 50 |     <if_sid>120004</if_sid>
 51 |     <same_id />
 52 |     <description>File has been modified and is not in PuppetDB or RPM database</description>
 53 |   </rule>
 54 | 
 55 |    <rule id="120008" level="0">
 56 |      <decoded_as>cymru_lookup</decoded_as>
 57 |      <description>Custom Cymru Lookup Alert</description>
 58 |      <group>cymru_lookup</group>
 59 |    </rule>
 60 | 
 61 |   <rule id="120009" level="12">
 62 |     <if_sid>120008</if_sid>
 63 |     <list field="id" lookup="address_match_key" >lists/mal.list</list>
 64 |     <description>Malware hash match found from intelligence data</description>
 65 |   </rule>
 66 | 
 67 |    <rule id="120010" level="0">
 68 |      <decoded_as>deb_lookup</decoded_as>
 69 |      <description>Custom DEB Lookup Alert</description>
 70 |      <group>deb_lookup</group>
 71 |    </rule>
 72 | 
 73 |    <rule id="120011" level="11">
 74 |      <if_sid>120010</if_sid>
 75 |      <program_name>deb_lookup.sh</program_name>
 76 |      <match>WARNING</match>
 77 |      <description>File has been modified, entry in DEB database differs</description>
 78 |      <options>no_email_alert</options>
 79 |      <group>deb_lookup</group>
 80 |    </rule>
 81 | 
 82 |    <rule id="120012" level="11">
 83 |      <if_sid>5902</if_sid>
 84 |      <match>UID=\d\d\d,</match>
 85 |      <description>System account created</description>
 86 |    </rule>
 87 | 
 88 |   <rule id="120013" level="12">
 89 |     <program_name>command_search.sh</program_name>
 90 |     <match>WARNING</match>
 91 |     <description>Possible suspicious command identified</description>
 92 |   </rule>
 93 | 
 94 |   <rule id="120014" level="11">
 95 |     <program_name>time_lookup.sh</program_name>
 96 |     <match>WARNING</match>
 97 |     <description>System clock is off</description>
 98 |   </rule>
 99 | 
100 |   <!-- Ignore messags from ossec server -->
101 |   <rule id="120015" level="0">
102 |     <if_sid>120014</if_sid>
103 |     <match>ossec-sec</match>
104 |     <description>Ignore clock messages from OSSEC server</description>
105 |   </rule>
106 | 
107 |   <rule id="120020" level="0">
108 |     <decoded_as>ldap_lookup</decoded_as>
109 |     <description>Custom LDAP Lookup Alert</description>
110 |     <group>ldap_lookup</group>
111 |   </rule>
112 | 
113 |   <rule id="120021" level="0">
114 |     <if_sid>120020</if_sid>
115 |     <program_name>ldap_lookup.sh</program_name>
116 |     <match>OK</match>
117 |     <description>Attempted user is an employee</description>
118 |     <group>ldap_lookup</group>
119 |   </rule>
120 | 
121 |   <rule id="120022" level="5">
122 |     <if_sid>120020</if_sid>
123 |     <program_name>ldap_lookup.sh</program_name>
124 |     <match>WARNING</match>
125 |     <description>Attempted user is not an employee</description>
126 |     <group>ldap_lookup</group>
127 |   </rule>
128 | 
129 | </group>
130 | 


--------------------------------------------------------------------------------
/rules/organization_rules.xml:
--------------------------------------------------------------------------------
  1 | <!-- organization custom rules --> 
  2 | 
  3 | <var name="SECOPS_NETS">1.1.1.|1.2.2.</var>
  4 | <var name="SECOPS_USERS">team1|team2</var>
  5 | <var name="SECOPS_ALL_USERS">$SECOPS_USERS|blah1|blah2</var>
  6 | <var name="SECOPS_ADMIN_USERS">blah3|blah4jh</var>
  7 | <var name="NAGIOS_USERS">nagios|nrpe</var>
  8 | <var name="PROGRAM_USERS">$NAGIOS_USERS|git|qualys|cabackup|zimbra|postgres|gitwriter</var>
  9 | <var name="BAD_SMTP">owencampbell@lawyer.com|DAS@sydenham.lewisham.sch.uk|upgradeteam@admin.in.th|techservice@discuz.org|manager.verificationdepartment@googlemail.com|webaccount@zbavitu.net|info@adimin.com|systemadmniteam@gmail.com|account-supporteam-verification@live.com|tech.dpart@info.lt|hlpdesk7@yahoo.co.uk|webservices@gala.net|admin@coyspu.com.ar|notice@mail2webmaster.com|merijnkatrien@zonnet.nl|notice@mail2webmaster.com|update-check@live.nl|helpweb13@yahoo.com.hk|accountverification@8u8.com|desk.loginupdate@yahoo.com.hk|email.upgrades@gmail.com|helpdeskict1@yahoo.com.hk|edu-accountupdate2008@live.com|webmailteam001@gmail.com|customerhelp_desk@email.com|upgrade.suppteam2008@sanook.com|supp.team2008@ymail.com|s.eamilupgrade@ymail.com|customer.careservice@live.com|abuse-itservice@live.com|upgreatunit@yahoo.com.hk|ldorow@utica.edu|suppteam@mail2webmaster.com|computer.desk@live.com|tech.service18@live.com|customercareunite111@mail2consultant.com|verification_01@live.com</var>
 10 | 
 11 | <!-- Note that <hostname> matches agent name, not hostname field in log line -->
 12 | 
 13 | <group name="organization">
 14 | 
 15 |   <rule id="10002" level="0">
 16 |     <if_sid>5402,5403,5501,5502,5715</if_sid>
 17 |     <match>$NAGIOS_USERS</match>
 18 |     <description>Ignore nagios/nrpe log</description>
 19 |   </rule>
 20 | 
 21 |   <rule id="10003" level="0">
 22 |     <program_name>ossec</program_name>
 23 |     <hostname>ossec-sec</hostname>
 24 |     <description>Ignore matching on ossec logs that are fed back in</description>
 25 |   </rule>
 26 | 
 27 |   <rule id="10006" level="0">
 28 |     <if_sid>4721</if_sid>
 29 |     <match>$SECOPS_NETS</match>
 30 |     <description>Supress router changes from organization nets</description>
 31 |   </rule>
 32 | 
 33 |   <rule id="100016" level="11">
 34 |     <if_sid>5400</if_sid>
 35 |     <hostname>blah1|blah2|blah3|blah4</hostname>
 36 |     <description>sudo use on bastions</description>
 37 |   </rule>
 38 | 
 39 |   <rule id="100020" level="8" timeframe="120" frequency="2">
 40 |     <if_matched_sid>5715</if_matched_sid>
 41 |     <same_source_ip />
 42 |     <same_location />
 43 |     <description>Multiple SSH logins from same source IP</description>
 44 |     <group>authentication_success,</group>
 45 |   </rule>
 46 | 
 47 |   <rule id="100021" level="0">
 48 |     <if_sid>100020</if_sid>
 49 |     <match>$SECOPS_NETS</match>
 50 |     <description>Ignore multiple SSH logins from same source SECOPS networks</description>
 51 |     <group>authentication_success,</group>
 52 |   </rule>
 53 | 
 54 |   <rule id="100022" level="10" timeframe="300" frequency="8">
 55 |     <if_matched_sid>5710</if_matched_sid>
 56 |     <same_source_ip />
 57 |     <description>Multiple attempt to login using a non-existent user</description>
 58 |   </rule>
 59 | 
 60 |   <rule id="100023" level="10">
 61 |     <match>WARN: Syscheck disabled.|WARN: Rootcheck disabled.</match>
 62 |     <description>OSSEC service disabled</description>
 63 |   </rule>
 64 | 
 65 |   <rule id="100024" level="0">
 66 |     <if_sid>100020</if_sid>
 67 |     <user>garvey</user>
 68 |     <match>gssapi-with-mic</match>
 69 |     <regex>130.126.3.77</regex>
 70 |     <description>Ignore multiple SSH logins from garvey by same source IP</description>
 71 |   </rule>
 72 | 
 73 |   <rule id="100026" level="12">
 74 |     <if_group>authentication_success</if_group>
 75 |     <list field="srcip" lookup="address_match_key" >lists/ip.list</list>
 76 |     <description>Successful authentication from bad IP</description>
 77 |   </rule>
 78 | 
 79 |   <rule id="100027" level="13">
 80 |     <if_group>authentication_success</if_group>
 81 |     <list field="srcip" lookup="match_key" >lists/bhr.list</list>
 82 |     <description>Successful authentication from previously BHR'd IP</description>
 83 |   </rule>
 84 | 
 85 |    <rule id="100028" level="12">
 86 |     <if_group>web_scan|recon|sqlinjection|attack</if_group>
 87 |     <list field="url" lookup="match_key" >lists/url.list</list>
 88 |     <description>URL Intel list match</description>
 89 |   </rule>
 90 | 
 91 |   <rule id="100031" level="12" timeframe="120">
 92 |     <if_sid>5712</if_sid>
 93 |     <if_matched_sid>5715</if_matched_sid>
 94 |     <same_location />
 95 |     <same_source_ip />
 96 |     <same_user />
 97 |     <list field="srcip" lookup="not_address_match_key" >lists/networks.list</list>
 98 |     <description>Success after multiple failed SSH authentications from outside</description>
 99 |   </rule>
100 | 
101 |   <rule id="100032" level="10" timeframe="120">
102 |     <if_group>authentication_success</if_group>
103 |     <if_matched_group>authentication_failed,authenticaton_failures</if_matched_group>
104 |     <same_source_ip />
105 |     <same_user />
106 |     <description>Success after failed authentication</description>
107 |   </rule>
108 | 
109 |   <rule id="100033" level="0" timeframe="120">
110 |     <if_matched_group>system_shutdown</if_matched_group>
111 |     <if_sid>503,504</if_sid>
112 |     <same_location />
113 |     <description>Ignore agent started after system shutdown</description>
114 |   </rule>
115 | 
116 |   <rule id="100034" level="8">
117 |     <url>/contact/|/administrator/|/admin/|/session.php</url>
118 |     <match>JDatabaseDriverMysqli</match>
119 |     <description>Possible Joomla! exploitation attempt</description>
120 |   </rule>
121 | 
122 |   <rule id="100035" level="8">
123 |     <if_sid>5715</if_sid>
124 |     <user>root</user>
125 |     <list field="srcip" lookup="not_address_match_key" >lists/networks.list</list>
126 |     <description>Non-organization root login</description>
127 |   </rule>
128 | 
129 |   <rule id="100036" level="11">
130 |     <if_sid>100035</if_sid>
131 |     <match>password</match>
132 |     <description>Non-organization root login with password</description>
133 |   </rule>
134 | 
135 |   <!-- id is kerberus principal found in log -->
136 |   <rule id="100038" level="11">
137 |     <if_sid>15001,15003</if_sid>
138 |     <list field="id" lookup="not_match_key" >lists/ksu.list</list>
139 |     <description>Authentication attempted from unvetted ksu user</description>
140 |   </rule>
141 | 
142 |   <!-- id is the user executing sudo -->
143 |   <rule id="100039" level="12">
144 |     <if_sid>5400</if_sid>
145 |     <list field="id" lookup="match_key" >lists/system_users.list</list>
146 |     <description>System account executed sudo</description>
147 |   </rule>
148 | 
149 |   <rule id="100040" level="12">
150 |     <if_sid>5400</if_sid>
151 |     <list field="status" lookup="match_key" >lists/commands.list</list>
152 |     <description>Suspicious command executed</description>
153 |   </rule>
154 | 
155 |   <rule id="100042" level="11">
156 |     <match>$BAD_SMTP</match>
157 |     <description>Illegal E-mail-mail list from 2006 by Aashish</description>
158 |   </rule>
159 | 
160 |   <rule id="100043" level="11">
161 |     <match>OOM for frozen_buffer</match>
162 |     <description>Kernel went into write mode</description>
163 |   </rule>
164 | 
165 |   <rule id="100044" level="11">
166 |     <match>kernel: Program Xnest tried to access /dev/mem|kernel: Program Xnest tried</match>
167 |     <description>Possible Phalanx exploit</description>
168 |   </rule>
169 | 
170 |   <rule id="100045" level="11">
171 |     <if_sid>5749</if_sid>
172 |     <match>Disconnecting: Bad packet length</match>
173 |     <description>Possible Phalanx exploit</description>
174 |   </rule>
175 | 
176 |   <!-- user is any decoded user/dstuser field - it won't always be available -->
177 |   <rule id="100046" level="11" frequency="0">
178 |     <if_matched_group>authentication_failed|authenticaton_failures|authentication_success|add_user|account_changed|invalid_login</if_matched_group>
179 |     <list field="user" lookup="match_key">lists/watched_users.list</list>
180 |     <description>Watched user alert triggered</description>
181 |   </rule>
182 | 
183 |   <!-- id is the user executing sudo -->
184 |   <rule id="100047" level="11">
185 |     <if_sid>5400</if_sid>
186 |     <if_matched_group>syslog,sudo</if_matched_group>
187 |     <list field="id" lookup="not_match_key">lists/sudo.list</list>
188 |     <description>Authentication attempted from unvetted sudo user</description>
189 |   </rule>
190 | 
191 |   <rule id="100048" level="12" frequency="0">
192 |     <if_matched_group>authentication_failed|authenticaton_failures|authentication_success|connection_attempt|virus|attacks|invalid_login|syslog</if_matched_group>
193 |     <list field="srcip" lookup="address_match_key" >lists/watched_ips.list</list>
194 |     <description>Activity from watched IP list detected</description>
195 |   </rule>
196 | 
197 | </group> <!-- SYSLOG,LOCAL -->
198 | 


--------------------------------------------------------------------------------
/rules/organization_syscheck_rules.xml:
--------------------------------------------------------------------------------
 1 | <!-- organization custom rules -->
 2 | 
 3 | <!-- Note that <hostname> matches agent name, not hostname field in log line -->
 4 | 
 5 | <group name="organization,organization_syscheck">
 6 | 
 7 |   <rule id="110000" level="4">
 8 |     <if_sid>550</if_sid>
 9 |     <match>/var/ossec/lists/</match>
10 |     <description>a CDB list has been modified</description>
11 |     <options>no_log</options>
12 |   </rule>
13 | 
14 |   <rule id="110001" level="11">
15 |     <if_sid>550</if_sid>
16 |     <match>/etc/krb5.keytab</match>
17 |     <description>Priority file alert, Kerberos keytab file modified</description>
18 |   </rule>
19 | 
20 |   <rule id="110002" level="12">
21 |     <if_sid>550</if_sid>
22 |     <match>/etc/khupd2.p2</match>
23 |     <description>Phalanx rootkitt</description>
24 |   </rule>
25 | 
26 |   <rule id="110003" level="1">
27 |     <if_group>syscheck</if_group>
28 |     <match>/var/ossec/etc/shared/agent.conf</match>
29 |     <description>agent.conf was modified</description>
30 |   </rule>
31 | 
32 | </group> <!-- SYSLOG,LOCAL -->
33 | 


--------------------------------------------------------------------------------
/rules/overwrite_rules.xml:
--------------------------------------------------------------------------------
 1 | <!-- organization overwrite rules --> 
 2 | 
 3 | <var name="NEW_BAD_WORDS">core_dumped|error|attack|bad |illegal |fatal|Segmentation Fault|Corrupted</var>
 4 | 
 5 | <!-- Keep original intact and set level to 0 to ignore -->
 6 | 
 7 | <group name="overwrite">
 8 | 
 9 |   <rule id="502" level="3" overwrite="yes">
10 |     <if_sid>500</if_sid>
11 |     <match>Ossec started</match>
12 |     <description>Ossec server started.</description>
13 |   </rule>
14 | 
15 |   <rule id="554" level="10" overwrite="yes">
16 |     <category>ossec</category>
17 |     <decoded_as>syscheck_new_entry</decoded_as>
18 |     <description>File added to the system.</description>
19 |     <group>syscheck,</group>
20 |   </rule>
21 | 
22 |   <rule id="591" level="0" overwrite="yes">
23 |     <if_sid>500</if_sid>
24 |     <match>^ossec: File rotated </match>
25 |     <description>Log file rotated.</description>
26 |   </rule>
27 | 
28 |   <rule id="1002" level="2" overwrite="yes">
29 |     <match>$NEW_BAD_WORDS</match>
30 |     <options>alert_by_email</options>
31 |     <description>Unknown problem somewhere in the system.</description>
32 |   </rule>
33 | 
34 |   <rule id="1003" level="2" maxsize="1025" overwrite="yes">
35 |     <description>Non standard syslog message (size too large).</description>
36 |   </rule>
37 | 
38 |   <rule id="5703" level="10" frequency="4" timeframe="360" overwrite="yes">
39 |     <if_matched_sid>5702</if_matched_sid>
40 |     <description>Possible breakin attempt </description>
41 |     <description>(high number of reverse lookup errors).</description>
42 |     <options>no_email_alert</options>
43 |   </rule>
44 | 
45 |   <rule id="5710" level="5" overwrite="yes">
46 |     <if_sid>5700</if_sid>
47 |     <match>illegal user|invalid user</match>
48 |     <description>Attempt to login using a non-existent user</description>
49 |     <group>invalid_login,authentication_failed,</group>
50 |     <options>no_log</options>
51 |   </rule>
52 | 
53 |   <rule id="5741" level="4" overwrite="yes">
54 |     <if_sid>5700</if_sid>
55 |     <match>Connection refused$</match>
56 |     <description>ssh connection refused</description>
57 |     <options>no_log</options>
58 |   </rule>
59 | 
60 |   <rule id="5109" level="0" overwrite="yes">
61 |     <if_sid>5100</if_sid>
62 |     <match>I/O error: dev |end_request: I/O error, dev</match>
63 |     <description>Kernel Input/Output error</description>
64 |   </rule>
65 | 
66 |   <rule id="10100" level="4" overwrite="yes">
67 |     <if_group>authentication_success</if_group>
68 |     <if_fts></if_fts>
69 |     <group>authentication_success</group>
70 |     <description>First time user logged in.</description>
71 |   </rule> 
72 | 
73 |   <rule id="5104" level="11" overwrite="yes">
74 |     <if_sid>5100</if_sid>
75 |     <regex>Promiscuous mode enabled|</regex>
76 |     <regex>device \S+ entered promiscuous mode</regex>
77 |     <description>Interface entered in promiscuous(sniffing) mode.</description>
78 |     <group>promisc,</group>
79 |   </rule>
80 | 
81 |   <rule id="40501" level="15" timeframe="300" frequency="2" overwrite="yes">
82 |     <if_group>adduser</if_group>
83 |     <if_matched_group>attacks</if_matched_group>
84 |     <same_location />
85 |     <description>Attacks followed by the addition </description>
86 |     <description>of an user.</description>
87 |   </rule>
88 | 
89 | </group> <!-- SYSLOG,LOCAL -->
90 | 


--------------------------------------------------------------------------------