Detecting outdated (web) applications with OSSEC

For the last few days I started working (again) on the system auditing module for OSSEC and one thing that can make it more useful is to detect outdated applications (specially web apps).

Things like WordPress, Joomla, Wikis and others that can be easily used to compromise a server if not upgraded.

To get started, I added a few rules for WordPress, Joomla and osCommerce, so if you try the latest snapshot it will alert you if it finds any of them not updated:

* Alert 1316458742.1014: mail – ossec,rootcheck,
2011 Sep 19 15:59:02 testdev->rootcheck
Rule: 519 (level 7) -> ‘System Audit: Vulnerable web application found.’
System Audit: Web vulnerability – Outdated WordPress installation. File: /var/www/

But I really think we can expand it a lot more. What web applications and tools we should check? What other things we can look in the server that are important to be alerted on? I would love more ideas to expand it more.

Example of the system auditing rule:

[Web vulnerability - Outdated WordPress installation] [any] []
d:$web_dirs -> ^version.php$ -> r:^\.wp_version && >:$wp_version = ’3.2.1′;

[Web vulnerability - Outdated Joomla (v1.0) installation] [any] []
d:$web_dirs -> ^version.php$ -> r:var \.RELEASE && r:’1.0′;

I am thinking on things like PHPmyadmin, timthumb, uploadify and other tools that are easy to forget to update and had serious security vulnerabilities in the recent past.

This entry was posted in log analysis, v27, webattacks and tagged , . Bookmark the permalink.

9 Responses to Detecting outdated (web) applications with OSSEC

  1. Great!!!

    Nice job dcid.



  2. The applications you quote are among the most useful for us. PHPMyAdmin in particular is often overlooked. We developed simple internal tests to detect such issues, but having OSSEC do this would be wonderful.
    Keep us the good work !

  3. Pingback: The Immutable Friday Fav Five for September 23, 2011 | Immutable Security

  4. How do we pull the latest rule snapshot from ?

    Thank you.

  5. Great application Dan! I hadn’t thought about using OSSEC like this, but this certainly makes sense as a great application. How do the rules know what the latest versions are? Are the version numbers hard-coded in the alerts, or is there someway to fetch the latest version from the respective sites?

  6. Kim says:

    I’m thinking C-Panel and just about anything that commonly plugs into C-panel.

  7. Pingback: OSSEC Host-based Intrusion Detection System | MG IT Solutions

  8. What about using a combination of both known broken checks (nikto) combined with either a vulnerability check, nessus has some stuff but may be better to use a scripted burp or zap check.

    Great idea!

  9. Is there a way for each agent that detects outdated web applications that in addition to the email alert the ossec server sends out, the agent could pipe the information to a file that can be included in the client’s logwatch report?

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>