<rule id="31110" level="6">
<if_sid>31100</if_sid>
<url>?-d|?-s|?-a|?-b|?-w</url>
<description>PHP CGI-bin vulnerability attempt.</description>
<group>attack,</group>
</rule>

 
It looks for the possibly dangerous options (-d,-s,-a,-b and -w) and alerts if it sees those. This is the alert it generates when detected:

** Alert 1336547515.182029: - web,accesslog,attack,
2012 May 09 03:11:55 (honeypot3) any->/var/log/httpd/access.log
Rule: 31110 (level 6) -> 'PHP CGI-bin vulnerability attempt.'
Src IP: 93.233.72.66
93.233.72.66 - - [09/May/2012:07:11:55 +0000] "GET /index.php?-s HTTP/1.1" 200 39479 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0"

This rule is also in my repository and you can download the latest from here.

To enable on PostgreSQL (and be compatible with OSSEC):

# Adding the timestamp, hostname and database.
log_line_prefix = '[%m] %h:%d '

# Recommended settings:
log_connections = on
log_disconnections = on
log_duration = on

# Maybe a good idea to reduce the default log level to info:
client_min_messages = info
log_min_messages = info

# To enable query logging (all for everything or mod for inserts, updates, etc)
log_statement = 'all'

On MySQL:

To enable the generic Query log on MySQL (the error log in on by default), you need to start MySQL with –log:

/bin/sh /usr/bin/mysqld_safe --log

The best option is to modify /etc/init.d/mysqld (if using Centos) and inside the –log in there.

Nothing new, but I was searching for this information online and couldn’t find much info.

So every time you visit a site, a request is made to their servers to query the site rank:

192.168.1.X.44210 > 107.22.173.51.80:
GET /data/ABCD?cli=10&ver=alxg-1.1.0&dat=ns&url=http%3A//sucuri.net/ HTTP/1.1
Host: data.alexa.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.91…
Accept: */*

If you are using it, you expect those requests to be made (wich is supposed to be anonymous), so not a problem.

However, I just noticed one big issue is that they also do that for all your HTTPS traffic. So if you are visiting a https site (which would be encrypted in the wire), you are also leaking the sites you are visiting via their rank requests. So if I go to gmail.com (https), a HTTP request is made at the same time:

192.168.1.X.47733 > 23.21.107.170.80:
GET /data/ABCD?cli=10&ver=alxg-1.1.0&dat=ns&url=https%3A//gmail.com HTTP/1.1
Host: data.alexa.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.91…
Accept: */*

I actually thought their plugin (extension) would not work for HTTPS or would at least have a setting to disable it. This is specially bad because now you are leaking all your encrypted traffic browsing for anyone that is watching the wire.

*I know, I know, if you are using that toolbar you probably don’t care about privacy, but it is something to keep in mind. A simple fix is to just remove it and move on.

So I wrote this small (non technical) paper on my thoughts on passwords and how I define a good password: http://dcid.me/texts/good-passwords.

Comments are welcome.

Anyway, I pushed some of my old papers/texts here: http://dcid.me/texts/, including a few that I thought had disappeared (specially log analysis for intrusion detection).

Now back to work.

With OSSEC, you can do it using the command monitoring output.

First, download the latest version from here and install it.

You will see a new tool in the /var/ossec/bin directory:

# /var/ossec/bin/util.sh
/var/ossec/bin/util.sh: addfile <filename> [<format>]
/var/ossec/bin/util.sh: addsite <domain>
/var/ossec/bin/util.sh: adddns <domain>

Example: /var/ossec/bin/util.sh adddns ossec.net
Example: /var/ossec/bin/util.sh addsite dcid.me

So, you can just run the command “util.sh adddns” and it will add the domain specified to be monitored:

# /var/ossec/bin/util.sh adddns ossec.net

In this case, we added the domain ossec.net. In the backend, it will add those new entries:

<ossec_config>
   <localfile>
     <log_format>full_command</log_format>
     <command>host -W 5 -t NS ossec.net; host -W 5 -t A ossec.net | sort</command>
   </localfile>
   </ossec_config>

   <group name="local,dnschanges,">
   <rule id="150013" level="10">
     <if_sid>530</if_sid>
     <check_diff />
     <match>^ossec: output: ’host -W 5 -t NS ossec.net</match>
     <description>DNS Changed for ossec.net</description>
   </rule>
   </group>

So you get a nice alert when your IP address changes.

Things like WordPress, Joomla, Wikis and others that can be easily used to compromise a server if not upgraded.

To get started, I added a few rules for WordPress, Joomla and osCommerce, so if you try the latest snapshot it will alert you if it finds any of them not updated:

* Alert 1316458742.1014: mail – ossec,rootcheck,
2011 Sep 19 15:59:02 testdev->rootcheck
Rule: 519 (level 7) -> ‘System Audit: Vulnerable web application found.’
System Audit: Web vulnerability – Outdated WordPress installation. File: /var/www/mysite.com/wp-includes/version.php.

But I really think we can expand it a lot more. What web applications and tools we should check? What other things we can look in the server that are important to be alerted on? I would love more ideas to expand it more.

Example of the system auditing rule:

[Web vulnerability - Outdated WordPress installation] [any] []
d:$web_dirs -> ^version.php$ -> r:^\.wp_version && >:$wp_version = ’3.2.1′;

[Web vulnerability - Outdated Joomla (v1.0) installation] [any] []
d:$web_dirs -> ^version.php$ -> r:var \.RELEASE && r:’1.0′;

I am thinking on things like PHPmyadmin, timthumb, uploadify and other tools that are easy to forget to update and had serious security vulnerabilities in the recent past.

We are very happy to announce the availability of OSSEC version 2.6.

This has been a long release cycle, but it is here now with some good new features and very stable (thanks to our beta users). Our manual for the new version is also live at http://www.ossec.net/doc/.

..

Thanks!

How to test the BETA?

Download it from here:

• Unix/Solaris/Linux/Mac: http://www.ossec.net/files/snapshots/ossec-hids-110607.tar.gz
• Windows: http://www.ossec.net/files/snapshots/ossec-agent-win32-110607.exe

And install on as many systems as you can. Make sure that the upgrade/install process is working without errors and that everything that was working before still it. If everything works (or you see any error), post in the comments section in here, send to the mailing list or privately to us (dcid@ossec.net).

Testing the new features

In addition to making sure everything still works, you can try some of the new features (full list here):

• Added IPv6 support
• Lots of new rules (OpenBSD, Clamav, BRO-ids, active response logs, etc, etc)
• Added os-authd – Automatically creating and setting up the agent keys
• Added CEF support to client syslog
• Improved reporting for file changes
• Added option to Block repeated offenders with OSSEC

Plus a bunch of bug fixes… Let us know how it goes.

On the latest OSSEC snapshot you can use the “filename” option to filter and correlate values. For example, if I run the default reporting for the month of May I will see at the bottom a list of file changes:

# zcat /var/ossec/logs/alerts/2011/May/*.gz | /var/ossec/bin/ossec-reportd
..
Top entries for ‘Filenames’:
————————————————
/etc/ossec-init.conf |3 |
/var/www/x/index.php |1 |
/var/www/x/js.js |1 |

And you can also use the related options to see on which agents the files were changed. So for a basic integrity monitoring report, I would filter for the group syscheck and list where each file was changed:

# zcat /var/ossec/logs/alerts/2011/May/*.gz | /var/ossec/bin/ossec-reportd -f group syscheck -r location filename
..
Top entries for ‘Filenames’:
————————————————
/etc/ossec-init.conf |3 |
/var/www/x/index.php |1 |
/var/www/x/js.js |1 |

Related entries for ‘Location’:
————————————————
web1->syscheck |1 |
    filename: ‘/etc/ossec-init.conf’
    filename: ‘/var/www/x/js.js’
    filename: ‘/var/www/x/index.php’
db1->syscheck
    filename: ‘/etc/ossec-init.conf’
obsd-fw->syscheck
    filename: ‘/etc/ossec-init.conf’

So the report is simple. It shows which files were changed and how many times (for example, ossec-init changed 3 times, on 3 agents). I am even thinking on making these reports enabled by default and reducing the severity of the normal syscheck alerts so they don’t get sent by email. Comments?