Has anyone used any custom decoders with OSSEC

Tags: ids, ossec

I have the OSSEC HIDS software version 2.8.3 running on a RHEL 6 server. We have been testing this in the lab with a DNS server to track queries that come into our RPZ and Malware zones. The DNS server has the OSSEC agent installed. In order for this to work we had to use a custom-written decoder. Has anyone else had any experience with OSSEC and custom decoders besides those that are installed "out of the box"? I am mainly looking to get creative ideas on what other system administrators are doing with OSSEC that could also be useful in our production environment.

For instance, has anyone had success in writing/using a custom decoder to detect USB storage for Linux?

UPDATE: I have been working on a custom decoder and rule for detection of when a USB device is inserted into a server. Here is what the line of the log looks like that I want to match on:

Feb  3 10:23:08 testsys kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5575

My decoder rules in OSSEC:

<decoder name="usb-storage">
<program_name>kernel</program_name>
</decoder>

<decoder name="usb-storage-attached">
<parent>usb-storage</parent>
<regex offset="after_parent">^USB \S+: New</regex>
<order>extra_data</order>
</decoder>

My rules in OSSEC:

<group name="syslog,">
<!-- USB Storage Detection Log Types -->
<!-- level=0 for not generating alerts by default -->
<rule id="310201" level="0">
<decoded_as>usb-storage</decoded_as>
<description>Looking for unknown USB attached storage</description>
</rule>

<!-- USB Storage Detection Event Chains -->
<!-- Fire an alert (level=8) if the log line contains "New USB device found" -->
<rule id="310202" level="8">
<if_sid>310201</if_sid>
<match>^New USB device found</match>
<description>Attached USB Storage</description>
</rule>
</group>

Best Answer

The iptables decoder is already using kernel as its program_name:

<decoder name="iptables">
   <program_name>^kernel</program_name>
</decoder>

We can use iptables as the parent (instead of kernel). Also, the id field is used to facilitate the creation of rules. So, you need this decoder:

<decoder name="usb-storage-attached">
    <parent>iptables</parent>
    <regex offset="after_parent">^(usb) </regex>
    <order>id</order>
</decoder>

The rules could be:

<rule id="310201" level="0">
    <decoded_as>iptables</decoded_as>
    <id>usb</id>
    <description>USB messages grouped.</description>
</rule>

<rule id="310202" level="1">
    <if_sid>310201</if_sid>
    <match>New USB device found</match>
    <description>Attached USB Storage</description>
</rule>

Now, you can use rule 310201 for everything related to USB. And rule 310202 is the rule that you want:

Feb  3 10:23:08 testsys kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5575


**Phase 1: Completed pre-decoding.
       full event: 'Feb  3 10:23:08 testsys kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5575'
       hostname: 'testsys'
       program_name: 'kernel'
       log: 'usb 1-1.2: New USB device found, idVendor=0781, idProduct=5575'

**Phase 2: Completed decoding.
       decoder: 'iptables'
       id: 'usb'

**Phase 3: Completed filtering (rules).
       Rule id: '310202'
       Level: '1'
       Description: 'Attached USB Storage'
**Alert to be generated.

I just added to our ruleset repository: Decoder and Rules.
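As an added illustration (not part of this answer and not OSSEC's own code), the script below emulates how the answer's decoder chain and rules resolve against the question's log line: a syslog pre-decode, a parent decoder keyed on program_name, a child decoder whose regex is applied to the text after the parent match and fills the id field, then rules 310201 and 310202 in sequence. The function names, the two extra control lines and the use of Python's regex engine in place of OSSEC's are assumptions for the demonstration.

```python
import re

# Constructed syslog lines: the one from the question plus two controls
# (a kernel USB message that should only hit the grouping rule, and a
# non-kernel message that should not decode at all).
LINES = [
    "Feb  3 10:23:08 testsys kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5575",
    "Feb  3 10:25:41 testsys kernel: usb 1-1.2: USB disconnect, device number 4",
    "Feb  3 10:26:02 testsys sshd[2231]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2",
]

SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<log>.*)$")

def predecode(line):
    """Phase 1: split the syslog header into hostname, program_name and log."""
    m = SYSLOG.match(line)
    return m.groupdict() if m else None

# The answer's decoders, translated to Python regex. The parent matches on
# program_name; the child regex runs against the remaining log text (OSSEC's
# offset="after_parent") and its capture fills the 'id' field in <order>.
PARENT = ("iptables", re.compile(r"^kernel"))
CHILD = ("usb-storage-attached", re.compile(r"^(usb) "), ["id"])

def decode(event):
    """Phase 2: (parent decoder name, decoded fields) or None if no match."""
    name, prog_re = PARENT
    if not prog_re.match(event["prog"]):
        return None
    _, rx, order = CHILD
    m = rx.match(event["log"])
    fields = dict(zip(order, m.groups())) if m else {}
    return name, fields

def rules(decoder, fields, log):
    """Phase 3: rule 310201 groups by id=usb (level 0, no alert);
    310202 chains on it with an unanchored <match> and fires at level 1."""
    if decoder != "iptables" or fields.get("id") != "usb":
        return None
    fired = ("310201", 0)
    if "New USB device found" in log:
        fired = ("310202", 1)
    return fired

def analyse(line):
    """Run all three phases; returns (rule id, level) or None."""
    event = predecode(line)
    decoded = decode(event) if event else None
    return rules(decoded[0], decoded[1], event["log"]) if decoded else None
```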
