Intrusion

The running theme for this page is FOSS. I am a broke college student and my tooling definitely reflects that. Regardless, these are all amazing (enterprise-ready) tools.

OSSEC (Open Source Security)

OSSEC is a free and open source endpoint security monitoring tool. It is the building block for a lot of open source security solutions, such as Wazuh. There are few good reasons not to use OSSEC for endpoint management; it's one of the best FOSS HIDS. OSSEC has great support for the following features:

  • Real-time alerts

  • Multi-platform agents

  • Log monitoring

  • Rootkit detection

  • Active response

  • File integrity checks

  • Centralized management

OSSEC Rule Creation

Good resources for learning how to create OSSEC rules:

  • Custom rules are stored in: /var/ossec/rules/local_rules.xml

<!-- Modified rule examples from https://knoats.com/link/86#bkmrk-custom-local-rules -->
<!-- Rules in local_rules.xml live inside a <group> element -->
<group name="local,syslog,">

<!-- This example will ignore NXDOMAIN alerts -->
<rule id="100002" level="0"> <!-- Define the rule ID we are creating; level 0 means never alert -->
	<if_sid>1002</if_sid> <!-- Specify the parent rule ID we are overriding -->
	<program_name>systemd-resolved</program_name> <!-- Optional cross check with the log's program name -->
	<match>Server returned error NXDOMAIN</match> <!-- Match error text -->
	<description>Useless systemd-resolved log message</description> <!-- local description -->
</rule>

<!-- Ignore failed SSH logins for user redTeam. -->
<rule id="100003" level="0"> <!-- level 0 so the matched event is dropped instead of alerted -->
	<if_sid>5711</if_sid>
	<user>redTeam</user>
	<description>Rule for disabling SSH failed-login alerts for the redTeam user.</description> <!-- a rule takes a single <description> -->
</rule>

</group>

  • Custom decoders are stored in: /var/ossec/etc/local_decoder.xml

<!-- Decoder example from https://staging.ossec.net/docs/manual/rules-decoders/create-custom.html -->

<!-- Parent decoder: matched first, on the syslog program name -->
<decoder name="ossec-exampled">
  <program_name>^ossec-exampled</program_name>
</decoder>

<!-- Custom child decoder to extract fields from authentication messages -->
<decoder name="ossec-exampled-auth">
  <parent>ossec-exampled</parent> <!-- Only tried once the ossec-exampled parent has matched -->
  <prematch offset="after_parent"> authentication </prematch>
  <regex offset="after_parent">^(\S+) authentication for user (\S+) from (\S+) via (\S+)$</regex> <!-- Using after_parent here because after_prematch would eliminate the possibility of matching the status (successful) -->
  <order>status, srcuser, srcip, protocol</order> <!-- The order of the (\S+) groups in the regex. This allows the fields to be used in rules. -->
</decoder>
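To see how the decoder and rule fragments above fit together at run time, here is an added toy model of the OSSEC pipeline. It is not OSSEC's code and not from the page: it uses Python's re in place of OSSEC's own regex dialect, a constructed syslog line format, constructed decoders and rules shaped like the fragments above (the stock rule 1002 is replaced by a stand-in that just matches "error"), and constructed log lines. It shows a child decoder labelling its regex groups through <order>, and a level-0 child rule (if_sid) silencing its parent only when program_name, match or user also agree.

```python
"""Toy OSSEC decoder -> rule pipeline (added example, not OSSEC code; Python re stands in
for OSSEC's regex dialect). Shows a child decoder labelling regex groups via <order>, and a
child rule (if_sid) with level 0 silencing its parent, narrowed by program_name/match/user."""
import re
import xml.etree.ElementTree as ET

# Constructed decoders and rules, shaped like the local_decoder.xml / local_rules.xml above.
DECODERS_XML = r"""<decoders>
  <decoder name="ossec-exampled"><program_name>^ossec-exampled</program_name></decoder>
  <decoder name="ossec-exampled-auth"><parent>ossec-exampled</parent>
    <prematch offset="after_parent">authentication</prematch>
    <regex offset="after_parent">^(\S+) authentication for user (\S+) from (\S+) via (\S+)$</regex>
    <order>status, srcuser, srcip, protocol</order></decoder>
</decoders>"""
RULES_XML = """<group name="local,">
  <rule id="1002" level="2"><match>error</match><description>Generic error (stand-in)</description></rule>
  <rule id="100002" level="0"><if_sid>1002</if_sid><program_name>systemd-resolved</program_name>
    <match>Server returned error NXDOMAIN</match><description>Useless resolver message</description></rule>
  <rule id="100100" level="5"><match>failed authentication</match><description>Failed auth</description></rule>
  <rule id="100101" level="0"><if_sid>100100</if_sid><user>redTeam</user>
    <description>Silence the red team's test account</description></rule>
</group>"""
# Constructed syslog lines: "Mon DD HH:MM:SS host program[pid]: message".
SAMPLE_LOGS = [
    "Jun  1 12:00:01 host1 systemd-resolved[512]: Server returned error NXDOMAIN for example.invalid",
    "Jun  1 12:00:02 host1 kernel: I/O error on device sdb",
    "Jun  1 12:00:03 host1 ossec-exampled[77]: failed authentication for user alice from 10.0.0.5 via ssh",
    "Jun  1 12:00:04 host1 ossec-exampled[77]: failed authentication for user redTeam from 10.0.0.9 via ssh",
]
SYSLOG_RE = re.compile(r"^[A-Z][a-z]{2} +\d+ [\d:]{8} \S+ ([^\[:]+)(?:\[\d+\])?: (.*)$")

def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    return {"program_name": m.group(1), "msg": m.group(2)}

def load_decoders(xml_text):
    decs = []
    for d in ET.fromstring(xml_text).findall("decoder"):
        dec = {k: d.findtext(k) for k in ("parent", "program_name", "prematch", "regex")}
        dec["name"] = d.get("name")
        dec["order"] = [f.strip() for f in (d.findtext("order") or "").split(",") if f.strip()]
        decs.append(dec)
    return decs

def decode(event, decoders):
    """Parent is chosen by program_name; then the first child whose prematch and regex both hit
    the message body wins (offset="after_parent" means the text after the syslog header)."""
    parent = next((d for d in decoders if d["parent"] is None and d["program_name"]
                   and re.search(d["program_name"], event["program_name"])), None)
    if parent is None:
        return None, {}
    for d in decoders:
        if d["parent"] != parent["name"] or (d["prematch"] and d["prematch"] not in event["msg"]):
            continue
        m = re.match(d["regex"], event["msg"])
        if m:
            return d["name"], dict(zip(d["order"], m.groups()))  # <order> names the groups
    return parent["name"], {}

def load_rules(xml_text):
    rules = []
    for r in ET.fromstring(xml_text).findall("rule"):
        rule = {k: r.findtext(k) for k in ("program_name", "match", "user", "description")}
        rule.update(id=int(r.get("id")), level=int(r.get("level")),
                    if_sid=int(r.findtext("if_sid")) if r.findtext("if_sid") else None)
        rules.append(rule)
    return rules

def rule_applies(rule, event, fields):
    """program_name: exact syslog program; match: substring of the message; user: decoded user."""
    return ((not rule["program_name"] or rule["program_name"] == event["program_name"])
            and (not rule["match"] or rule["match"] in event["msg"])
            and (not rule["user"] or rule["user"] in (fields.get("srcuser"), fields.get("dstuser"))))

def evaluate(event, fields, rules):
    """First matching top-level rule, then descend through matching if_sid children; the deepest
    match sets the level, which is how a local level-0 rule silences its parent."""
    current = next((r for r in rules if r["if_sid"] is None and rule_applies(r, event, fields)), None)
    while current:  # assumes the if_sid links form a tree, as OSSEC requires
        child = next((r for r in rules if r["if_sid"] == current["id"] and rule_applies(r, event, fields)), None)
        if child is None:
            break
        current = child
    return current

def process(line, decoders, rules):
    event = parse_syslog(line)
    name, fields = decode(event, decoders)
    rule = evaluate(event, fields, rules)
    return {"decoder": name, "fields": fields, "rule_id": rule["id"] if rule else None,
            "level": rule["level"] if rule else None, "alert": bool(rule and rule["level"] > 0)}

DECODERS, RULES = load_decoders(DECODERS_XML), load_rules(RULES_XML)

def run_samples():
    return [process(line, DECODERS, RULES) for line in SAMPLE_LOGS]

if __name__ == "__main__":
    for res in run_samples():
        print(res["rule_id"], "level", res["level"], "alert" if res["alert"] else "ignored", res["fields"])
```

Run it and the NXDOMAIN line lands on 100002 at level 0 (dropped), the kernel error stays on the parent at level 2, alice's failed login alerts at level 5 with the four decoded fields, and redTeam's identical login is silenced by 100101. On a live install the equivalent check is to paste a real log line into /var/ossec/bin/ossec-logtest (wazuh-logtest on Wazuh), which prints the decoder, the extracted fields and the winning rule.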

Wazuh

Wazuh is a free and open source Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) platform that builds on the OSSEC host-based intrusion detection system for endpoint security. Or for short, it's a FOSS SIEM/XDR using the OSSEC HIDS.

Download and install the Wazuh manager (all-in-one install):

curl -sO https://packages.wazuh.com/4.3/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

Download and install the Debian agent (replace <IP OF MGMT> with the manager's address):

curl -so wazuh-agent-4.3.4.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.3.4-1_amd64.deb && sudo WAZUH_MANAGER='<IP OF MGMT>' dpkg -i ./wazuh-agent-4.3.4.deb

sudo systemctl daemon-reload 
sudo systemctl enable wazuh-agent 
sudo systemctl start wazuh-agent

Wazuh Docs Quick-guide

ClamAV Wazuh Integration

  • Use clamd and clamdscan rather than clamscan, since the two produce different log formats. Using clamd lets Wazuh digest the logs more easily because its decoder looks for the clamd daemon.

  • Malware trigger sample string located at eicar (actual string not listed to prevent my AV from triggering)

  • Get Wazuh to integrate with ClamAV by setting LogSyslog true in /etc/clamav/clamd.conf. Wazuh already reads from syslog, so no further work is required.

  • If you don't want to use syslog for whatever reason, you can instead point the agent at ClamAV's log file (default: /var/log/clamav/freshclam.log) by adding the following to the OSSEC config file (/var/ossec/etc/ossec.conf):

<localfile>  
	<log_format>syslog</log_format>  
	<location>/var/log/clamav/freshclam.log</location> <!-- location of new log file -->
</localfile>
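The two integration paths above (clamd logging to syslog, or the agent tailing a ClamAV log through a <localfile> block) are easy to half-configure, so here is an added check script that reads both config files and reports which path is actually in place. It is not Wazuh or ClamAV code and not from the page; the clamd.conf and ossec.conf excerpts are constructed. One caveat it encodes: freshclam.log only records signature updates, so clamd's own detections are found in the file named by LogFile in clamd.conf, and the check looks for that path among the collected <localfile> locations.

```python
"""Report which ClamAV -> OSSEC/Wazuh log path is configured (added example, not project code).
Paths: clamd to syslog (LogSyslog true), or the agent tailing clamd's LogFile via <localfile>.
The sample configs below are constructed."""
import re
import xml.etree.ElementTree as ET

CLAMD_CONF_WEAK = """# constructed clamd.conf excerpt
LogFile /var/log/clamav/clamav.log
LogSyslog false
"""
CLAMD_CONF_FIXED = CLAMD_CONF_WEAK.replace("LogSyslog false", "LogSyslog true")
# Constructed ossec.conf: Wazuh's file may contain several top-level <ossec_config> blocks.
OSSEC_CONF = """<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/clamav/freshclam.log</location>
  </localfile>
</ossec_config>
<ossec_config>
  <syscheck><disabled>no</disabled></syscheck>
</ossec_config>
"""

def clamd_option(clamd_conf, key):
    """clamd.conf is one 'Key value' per line; '#' starts a comment. Returns the last value set."""
    value = None
    for line in clamd_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(rf"{key}\s+(\S+)$", line, re.IGNORECASE)
        if m:
            value = m.group(1)
    return value

def clamd_logs_to_syslog(clamd_conf):
    """Off by default; clamd accepts yes/no, true/false and 1/0 for boolean options."""
    return (clamd_option(clamd_conf, "LogSyslog") or "no").lower() in ("yes", "true", "1")

def ossec_localfile_paths(ossec_conf):
    """Every <localfile><location> in ossec.conf. Several top-level <ossec_config> blocks are not
    well-formed XML on their own, so wrap the text in a throwaway root before parsing."""
    root = ET.fromstring("<root>" + ossec_conf + "</root>")
    return [lf.findtext("location") or "" for lf in root.iter("localfile")]

def integration_status(clamd_conf, ossec_conf):
    """'syslog' if clamd logs to syslog; 'localfile' if the agent tails clamd's LogFile;
    'freshclam-only' if only the signature-update log is collected; otherwise 'none'."""
    if clamd_logs_to_syslog(clamd_conf):
        return "syslog"
    paths = ossec_localfile_paths(ossec_conf)
    if clamd_option(clamd_conf, "LogFile") in paths:
        return "localfile"
    if any(p.endswith("freshclam.log") for p in paths):
        return "freshclam-only"
    return "none"

def localfile_block(path):
    """The <localfile> snippet to add to ossec.conf for a ClamAV log written in syslog format."""
    return f"<localfile>\n\t<log_format>syslog</log_format>\n\t<location>{path}</location>\n</localfile>"

if __name__ == "__main__":
    print("weak clamd.conf :", integration_status(CLAMD_CONF_WEAK, OSSEC_CONF))
    print("fixed clamd.conf:", integration_status(CLAMD_CONF_FIXED, OSSEC_CONF))
```

With the constructed files the weak clamd.conf reports "freshclam-only" (the agent collects updater messages but no detections), flipping LogSyslog to true reports "syslog", and appending localfile_block() for clamd's LogFile path reports "localfile".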

Suricata

Suricata is a free and open source threat detection engine that combines network-based IPS and IDS, developed by the Open Information Security Foundation (OISF). pfSense has support for Suricata through a plugin.

Snort

Snort is a free and open source network-based intrusion prevention system. This tool is amazing at sniffing packets and digesting logs. The tool is maintained by Cisco Talos, and the Snort engine pairs well with the ELK stack.
