Intrusion


Last updated 2 years ago

The running theme for this page is FOSS. I am a broke college student and my tooling definitely reflects that. Regardless, these are all amazing (enterprise ready) tools.

OSSEC (Open Source Security)

OSSEC is a free and open-source endpoint security monitoring system, and the building block for a number of open-source security products, Wazuh included. There are few good reasons not to use OSSEC for endpoint monitoring; it is one of the best FOSS HIDS around. OSSEC has solid support for:

  • Real-time alerts
  • Multi-platform agents
  • Log monitoring
  • Rootkit detection
  • Active response
  • File integrity checks
  • Centralized management

OSSEC Rule Creation

Good resources for learning how to create OSSEC rules:

  • https://www.knoats.com/books/security/page/ossec-rules
  • https://staging.ossec.net/docs/manual/rules-decoders/create-custom.html
  • https://staging.ossec.net/docs/programs/ossec-logtest.html (pipe a raw log line into /var/ossec/bin/ossec-logtest to see which decoder and rule fire)

  • Custom rules are stored in: /var/ossec/rules/local_rules.xml (IDs 100000-119999 are reserved for local rules)

<!-- Modified rule examples from https://knoats.com/link/86#bkmrk-custom-local-rules -->

<!-- Silence NXDOMAIN noise from systemd-resolved. Level 0 means the event is matched but never alerted on. -->
<rule id="100002" level="0"> <!-- ID of the rule we are creating -->
	<if_sid>1002</if_sid> <!-- parent rule we are refining: this rule only runs once 1002 has matched -->
	<program_name>systemd-resolved</program_name> <!-- optional check against the decoded program name -->
	<match>Server returned error NXDOMAIN</match> <!-- text that must appear in the log line -->
	<description>Useless systemd-resolved log message</description> <!-- local description -->
</rule>

<!-- Tag failed SSH logins for user redTeam as a level 5 alert. Set level="0" instead to ignore them entirely. -->
<rule id="100003" level="5">
	<if_sid>5711</if_sid> <!-- parent sshd rule -->
	<user>redTeam</user> <!-- tests the user field the sshd decoder extracted -->
	<description>Failed SSH logins for the red team user redTeam</description>
</rule>
  • Custom decoders are stored in: /var/ossec/etc/local_decoder.xml

<!-- Decoder example from https://staging.ossec.net/docs/manual/rules-decoders/create-custom.html -->

<!-- Custom child decoder that pulls fields out of authentication messages. It assumes a parent decoder named "ossec-exampled" already exists (the docs page above defines it). -->
<decoder name="ossec-exampled-auth">
  <parent>ossec-exampled</parent> <!-- only evaluated once the parent decoder has matched -->
  <prematch offset="after_parent"> authentication </prematch>
  <regex offset="after_parent">^(\S+) authentication for user (\S+) from (\S+) via (\S+)$</regex> <!-- after_parent rather than after_prematch: after_prematch would start after " authentication " and lose the leading status word (Accepted/Failed) -->
  <order>status, srcuser, srcip, protocol</order> <!-- names for the (\S+) groups, in order. Rules can then test them with elements such as <user> and <srcip>. -->
</decoder>

Wazuh

Wazuh is a free and open-source Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) platform that builds on the OSSEC host-based intrusion detection engine for endpoint security. Or, for short: a FOSS SIEM/XDR on top of a HIDS. Check the Wazuh docs for hardware requirements, required ports and the reference architecture before deploying.

Download and install the manager (the -a flag runs the all-in-one install: manager, indexer and dashboard on one host):

curl -sO https://packages.wazuh.com/4.3/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

Download and install the Debian agent, pointing it at the manager. Replace <IP OF MGMT> with the manager's IP or hostname; the agent version is pinned to 4.3.4 here, so match it to the manager version you installed:

curl -so wazuh-agent-4.3.4.deb https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.3.4-1_amd64.deb && sudo WAZUH_MANAGER='<IP OF MGMT>' dpkg -i ./wazuh-agent-4.3.4.deb

Enable and start the agent service:

sudo systemctl daemon-reload
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
Wazuh Docs Quick-guide

  • Manage rules: Management > Administration > Rules
  • Manage decoders: Management > Administration > Decoders
  • Dark mode (dashboard advanced settings) URI: /app/management/opensearch-dashboards/settings

ClamAV Wazuh Integration

  • Malware trigger sample string: use the EICAR test file (eicar). The actual string is not listed here to prevent my AV from triggering on this page.

  • Use clamd and clamdscan rather than clamscan, since the two log differently. With clamd, Wazuh digests the logs far more easily because its decoder looks for the clamd daemon's messages.

  • Get Wazuh to pick up ClamAV by setting LogSyslog yes in /etc/clamav/clamd.conf and restarting clamd. Wazuh already reads syslog, so no further work is required.

  • If you don't want to use syslog for whatever reason, have the agent tail a ClamAV log file directly by adding a localfile block to the OSSEC config file (/var/ossec/etc/ossec.conf). Note that the path below is freshclam's log, which only carries signature-update messages; clamd's own detections go to the file named by LogFile in clamd.conf (typically /var/log/clamav/clamav.log on Debian-based systems), so add a second localfile block with that path if you want FOUND events to reach Wazuh:

<localfile>
	<log_format>syslog</log_format>
	<location>/var/log/clamav/freshclam.log</location> <!-- log file to tail -->
</localfile>
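To see how the decoder order fields and the if_sid rule chain from the OSSEC section play out, and what a clamd FOUND line looks like once it reaches the log pipeline, here is an added example that is not OSSEC or Wazuh code but a simplified stand-in for their engines. It runs a handful of constructed syslog lines through the page's two local rules and the ossec-exampled-auth decoder. The sample lines, the sshd and clamd decoders, the base rules 1002/5711/52502 and their levels, the exampled program name and rule 100010 are assumptions made for the demo; only rules 100002 and 100003 and the regex/order of ossec-exampled-auth are taken from the page.

```python
"""Added example (not OSSEC or Wazuh code): a small decoder + rule engine that
walks constructed syslog lines the way the configs on this page would."""
import re
from typing import Optional

# RFC 3164-style prefix: "Jun  1 10:00:01 host prog[pid]: message"
SYSLOG = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) (?P<program>[^\[: ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# (name, program_name, regex over the message body, order = field names for the groups)
DECODERS = [
    # the page's custom decoder; the <parent> check is approximated by program_name (assumed: "exampled")
    ("ossec-exampled-auth", "exampled",
     r"^(\S+) authentication for user (\S+) from (\S+) via (\S+)$",
     ["status", "srcuser", "srcip", "protocol"]),
    # simplified sshd decoder (assumption; the real one has many more branches)
    ("sshd-failed", "sshd",
     r"^Failed password for (?:invalid user )?(\S+) from (\S+) port \d+ (\S+)$",
     ["srcuser", "srcip", "protocol"]),
    # clamd detection line as emitted with LogSyslog yes; field names are assumed
    ("clamd-found", "clamd", r"^(\S+): (\S+) FOUND$", ["path", "signature"]),
]

# (id, level, if_sid, program_name, match substring, user, description)
RULES = [
    # stand-in for OSSEC's generic catch-all rule 1002 (matches "error" etc.)
    (1002, 2, None, None, "error", None, "Unknown problem somewhere in the system"),
    # stand-in for the sshd parent rule the page chains 100003 from (level assumed)
    (5711, 5, None, "sshd", "Failed password", None, "sshd authentication failed"),
    # stand-in for a clamd parent rule; id and level are assumed
    (52502, 8, None, "clamd", "FOUND", None, "ClamAV: malware detected"),
    # assumed rule so the page's decoder has something to feed
    (100010, 5, None, "exampled", "Failed authentication", None, "exampled: failed authentication"),
    # the two rules from the page's local_rules.xml
    (100002, 0, 1002, "systemd-resolved", "Server returned error NXDOMAIN", None,
     "Useless systemd-resolved log message"),
    (100003, 5, 5711, None, None, "redTeam", "Failed SSH logins for the red team user redTeam"),
]


def decode(line: str) -> Optional[dict]:
    """Split the syslog prefix, then let the first matching decoder name the fields."""
    m = SYSLOG.match(line)
    if not m:
        return None
    event = {"program": m["program"], "msg": m["msg"], "decoder": None}
    for name, program, regex, order in DECODERS:
        r = re.match(regex, m["msg"])
        if program == m["program"] and r:
            event["decoder"] = name
            event.update(zip(order, r.groups()))  # <order>: group i -> field name i
            break
    return event


def _matches(rule, event) -> bool:
    _, _, _, program, match, user, _ = rule
    return ((program is None or program == event["program"])
            and (match is None or match in event["msg"])
            and (user is None or user == event.get("srcuser")))


def evaluate(line: str) -> Optional[dict]:
    """Return the final rule hit for a line, or None when nothing matched or
    the winning rule is level 0 (OSSEC's way of silencing an event)."""
    event = decode(line)
    if event is None:
        return None
    hit = next((r for r in RULES if r[2] is None and _matches(r, event)), None)
    while hit:  # descend through if_sid children; the deepest match wins
        child = next((r for r in RULES if r[2] == hit[0] and _matches(r, event)), None)
        if child is None:
            break
        hit = child
    if hit is None or hit[1] == 0:
        return None
    return {"rule": hit[0], "level": hit[1], "description": hit[6], **event}


# constructed sample lines, not captured from a real host
SAMPLE = [
    "Jun  1 10:00:01 host1 systemd-resolved[512]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.",
    "Jun  1 10:00:02 host1 sshd[2001]: Failed password for redTeam from 10.0.0.5 port 51234 ssh2",
    "Jun  1 10:00:03 host1 sshd[2002]: Failed password for invalid user alice from 10.0.0.6 port 51235 ssh2",
    "Jun  1 10:00:04 host1 clamd[700]: /tmp/eicar.com: Win.Test.EICAR_HDB-1 FOUND",
    "Jun  1 10:00:05 host1 exampled[900]: Failed authentication for user bob from 10.0.0.9 via ssh",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(evaluate(line))
```

Running it, the NXDOMAIN line comes back as None (rule 100002 at level 0 silences it), the redTeam login lands on 100003 while alice stays on the sshd parent rule, and the clamd line carries the decoded path and signature. On a real box, feed the same lines to /var/ossec/bin/ossec-logtest to compare what the actual engine does.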

Suricata

Suricata is a free and open-source threat detection engine that combines a network-based IDS and IPS. It is developed by the Open Information Security Foundation (OISF), and pfSense supports Suricata through a plugin.

Snort

Snort is a free and open-source network-based intrusion prevention system. It is amazing at sniffing packets and digesting logs. The tool is maintained by Cisco Talos, and the Snort engine pairs well with the ELK stack.

  • Imma go pig wild. o")~

Make Snort rules: http://www.cyb3rs3c.net/
