Security with Host-based Intrusion Detection System (HIDS)

January 16, 2019 | Views: 2236



I’ve been thinking for some time about what topic could be interesting for you (the general Cybrary population) out there. After a few days I decided to introduce you to one of my favorite tools. I’ll say a few words about a Host-based Intrusion Detection System named OSSEC.

What is HIDS?

Maybe you are already familiar with NIDS (Network-based Intrusion Detection System), which is much more common in companies. A NIDS is a system for monitoring, analyzing and securing network systems. A HIDS, on the other hand, is focused not only on the network but also on the host itself. It’s widely used in on-premise solutions but also in cloud infrastructures.

What is OSSEC capable of?

Well, there is much to talk about, and the best source is of course the official information (https://www.ossec.net/about.html) and documentation.

So I will sum up the basic capabilities of OSSEC:

  • Runs on multiple platforms (Windows, Linux, Unix, Solaris, macOS, BSD)
  • It analyzes your system in real time and monitors many aspects of it
  • It monitors and analyzes logs, files, applications and services, the Windows registry, network traffic, authentication and more.
  • You get an alert when unusual behavior is happening in your system, even if OSSEC doesn’t understand it.
  • It is able to perform actions based on rules and correlations, e.g. blocking an IP in the firewall (similar to fail2ban)
  • Monitors changes in user accounts such as password changes, (de)activation, membership changes and more.
  • You can monitor any folders and files on your system for changes
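
The rule-and-correlation idea from the list above can be shown in a few dozen lines. The following is an added example and not OSSEC's own code: a sliding-window correlator that, like an OSSEC frequency rule, fires once when one source IP produces N matching sshd "Failed password" events within T seconds and names the active response that would follow. The rule id, level and description are copied from the brute-force alert quoted further down; the frequency (6) and timeframe (120 s) are assumed values, the year is assumed to be 2019 because syslog timestamps carry none, and the sample log is a constructed copy of the lines in that alert.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the sshd "Failed password" lines that appear in the OSSEC alert below.
FAILED_PW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Rule modelled on the shape of an OSSEC frequency rule. Id, level and description
# come from the alert on the page; frequency and timeframe are assumed values.
BRUTE_FORCE_RULE = {
    "id": 5712, "level": 10, "frequency": 6, "timeframe": 120,
    "description": "SSHD brute force trying to get access to the system.",
    "action": "firewall-drop",  # name of OSSEC's stock active-response script
}

def parse_syslog_ts(ts, year=2019):
    # syslog lines have no year; 2019 is assumed to match the quoted alert.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

class Correlator:
    """Per-source sliding window: N matching events within T seconds fire one alert."""

    def __init__(self, rule):
        self.rule = rule
        self.window = defaultdict(deque)   # src ip -> timestamps of recent matches

    def feed(self, line):
        m = FAILED_PW_RE.match(line)
        if not m:
            return None                    # not an event this rule cares about
        ts = parse_syslog_ts(m["ts"])
        q = self.window[m["src"]]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > self.rule["timeframe"]:
            q.popleft()                    # expire events outside the timeframe
        if len(q) < self.rule["frequency"]:
            return None
        q.clear()                          # a burst fires once, then counting restarts
        return {"rule_id": self.rule["id"], "level": self.rule["level"],
                "src": m["src"], "user": m["user"], "timestamp": ts,
                "description": self.rule["description"], "action": self.rule["action"]}

def run(lines, rule=BRUTE_FORCE_RULE):
    """Replay lines in time order (OSSEC mails list newest first) and collect alerts."""
    c = Correlator(rule)
    ordered = sorted(lines, key=lambda l: parse_syslog_ts(l[:15]))
    return [a for a in (c.feed(l) for l in ordered) if a]

# Constructed copy of the log portion of the level-10 alert quoted on this page.
SAMPLE_LOG = [
    "Jan  4 03:43:53 ns1 sshd[13801]: error: maximum authentication attempts exceeded for invalid user 1234 from 188.92.75.248 port 8665 ssh2 [preauth]",
    "Jan  4 03:43:53 ns1 sshd[13801]: Failed password for invalid user 1234 from 188.92.75.248 port 8665 ssh2",
    "Jan  4 03:43:35 ns1 sshd[13801]: Failed password for invalid user 1234 from 188.92.75.248 port 8665 ssh2",
    "Jan  4 03:43:33 ns1 sshd[13801]: Failed password for invalid user 1234 from 188.92.75.248 port 8665 ssh2",
    "Jan  4 03:43:23 ns1 sshd[13801]: Failed password for invalid user 1234 from 188.92.75.248 port 8665 ssh2",
    "Jan  4 03:43:19 ns1 sshd[13801]: Failed password for invalid user 1234 from 188.92.75.248 port 8665 ssh2",
    "Jan  4 03:43:16 ns1 sshd[13801]: Failed password for invalid user 1234 from 188.92.75.248 port 8665 ssh2",
    "Jan  4 03:42:39 ns1 sshd[13579]: Failed password for invalid user 1111 from 188.92.75.248 port 39728 ssh2",
]

if __name__ == "__main__":
    for a in run(SAMPLE_LOG):
        print(f"Rule {a['rule_id']} (level {a['level']}) from {a['src']} at "
              f"{a['timestamp']:%H:%M:%S} -> {a['action']}")
```

Replaying the quoted log, the sixth failure from 188.92.75.248 arrives 56 seconds after the first, so the rule fires exactly once (the "maximum authentication attempts exceeded" line is not a match and is ignored). Clearing the window after firing is what keeps a long brute-force run from producing one alert per extra attempt.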

Examples of messages and actions from a real system:

OSSEC Alert – ns1 – Level 7 – Listened ports status (netstat) changed (new port opened or closed):

OSSEC HIDS Notification.
2019 Jan 06 14:26:11

Received From: ns1->netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| \1)' | sort
Rule: 533 fired (level 7) -> "Listened ports status (netstat) changed (new port opened or closed)."
Portion of the log(s):

ossec: output: 'netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| \1)' | sort':
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:81              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN     
tcp        0      0 10.9.8.1:53             0.0.0.0:*               LISTEN     
tcp        0      0 144.76.72.212:53        0.0.0.0:*               LISTEN     
tcp        0      0 172.17.0.1:53           0.0.0.0:*               LISTEN     
tcp        0      0 172.18.0.1:53           0.0.0.0:*   
Previous output:
ossec: output: 'netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| \1)' | sort':
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN    

OSSEC Notification – ns1 – Alert level 2:

OSSEC HIDS Notification.
2019 Jan 05 17:26:01

Received From: ns1.zeroconf.eu->/var/log/proftpd/proftpd.log
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Src IP: 196.52.43.64
Portion of the log(s):

2019-01-05 17:26:00,208 ns1 proftpd[30698] ns1.zeroconf.eu (196.52.43.64[196.52.43.64]): mod_tls/2.6: unexpected OpenSSL error, disconnecting

OSSEC Notification – ns1 – Alert level 8:

OSSEC HIDS Notification.
2019 Jan 04 20:45:46

Received From: ns1->/var/log/auth.log
Rule: 5701 fired (level 8) -> "Possible attack on the ssh server (or version gathering)."
Src IP: 52.246.208.9
Portion of the log(s):

Jan  4 20:45:46 ns1 sshd[12855]: Bad protocol version identification '320257 320277320276321205320270321211320265320275 320262 320260320275320263320273320270320270/320260320274320265321200320270320272320265/320260320262321201321202321200320260320273320270320270 27 320273320265321202 320275320260320267320260320264 320262 321201320272321200321213' from 52.246.208.9 port 52395

OSSEC Notification – ns1 – Alert level 10:

OSSEC HIDS Notification.
2019 Jan 04 03:43:54

Received From: ns1->/var/log/auth.log
Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
Src IP: 188.92.75.248
User: 1234
Portion of the log(s):

Jan  4 03:43:53 ns1 sshd[13801]: error: maximum authentication attempts exceeded for invalid user 1234 from 188.92.75.248 port 8665 ssh2 [preauth]
Jan  4 03:43:53 ns1 sshd[13801]: Failed password for invalid user 1234 from 188.92.75.248 port 8665 ssh2
Jan  4 03:43:35 ns1 sshd[13801]: Failed password for invalid user 1234 from 188.92.75.248 port 8665 ssh2
Jan  4 03:43:33 ns1 sshd[13801]: Failed password for invalid user 1234 from 188.92.75.248 port 8665 ssh2
Jan  4 03:43:23 ns1 sshd[13801]: Failed password for invalid user 1234 from 188.92.75.248 port 8665 ssh2
Jan  4 03:43:19 ns1 sshd[13801]: Failed password for invalid user 1234 from 188.92.75.248 port 8665 ssh2
Jan  4 03:43:16 ns1 sshd[13801]: Failed password for invalid user 1234 from 188.92.75.248 port 8665 ssh2
Jan  4 03:42:39 ns1 sshd[13579]: Failed password for invalid user 1111 from 188.92.75.248 port 39728 ssh2

OSSEC Notification – ns1 – Alert level 7:

OSSEC HIDS Notification.
2019 Jan 02 10:50:03

Received From: ns1->/var/log/dpkg.log
Rule: 2902 fired (level 7) -> "New dpkg (Debian Package) installed."
Portion of the log(s):

2019-01-02 10:50:02 status installed python-apt-common:all 1.4.0~beta3

OSSEC Notification – ns1 – Alert level 2:

OSSEC HIDS Notification.
2018 Dec 22 16:18:58

Received From: ns1->/var/log/auth.log
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Dec 22 16:18:58 ns1 phpMyAdmin[30967]: user denied: root (mysql-denied) from 118.24.66.194
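
The notifications above all share one layout (date, "Received From: agent->location", the rule line, optional "Src IP:" and "User:", then the log portion). As an added example that is not part of the original post or of OSSEC, here is a parser for that layout plus a small triage helper that keeps only alerts at or above a chosen level. The sample text is a constructed copy of three of the notifications quoted on this page; the level threshold of 7 is an assumption.

```python
import re
from datetime import datetime

HEADER = "OSSEC HIDS Notification."
RULE_RE = re.compile(r'^Rule: (?P<id>\d+) fired \(level (?P<level>\d+)\) -> "(?P<desc>.*)"$')

def split_notifications(text):
    """Split a mail body or dump holding several notifications into one string each."""
    return [p.strip() for p in text.split(HEADER) if p.strip()]

def parse_notification(body):
    """Turn one notification (without its header line) into a dict of fields."""
    lines = body.strip().splitlines()
    alert = {"timestamp": datetime.strptime(lines[0].strip(), "%Y %b %d %H:%M:%S"),
             "agent": None, "location": None, "rule_id": None, "level": None,
             "description": None, "src_ip": None, "user": None, "log": []}
    in_log = False
    for line in lines[1:]:
        if in_log:
            if line.strip():
                alert["log"].append(line.rstrip())   # everything after the marker is log
            continue
        if line.startswith("Received From: "):
            agent, _, location = line[len("Received From: "):].partition("->")
            alert["agent"], alert["location"] = agent.strip(), location.strip()
        elif line.startswith("Rule: "):
            m = RULE_RE.match(line.strip())
            alert["rule_id"] = int(m["id"])
            alert["level"] = int(m["level"])
            alert["description"] = m["desc"]
        elif line.startswith("Src IP: "):
            alert["src_ip"] = line.split(": ", 1)[1].strip()
        elif line.startswith("User: "):
            alert["user"] = line.split(": ", 1)[1].strip()
        elif line.startswith("Portion of the log(s):"):
            in_log = True
    return alert

def triage(text, min_level=7):
    """Return alerts at or above min_level, highest level first."""
    alerts = [parse_notification(b) for b in split_notifications(text)]
    return sorted((a for a in alerts if a["level"] >= min_level),
                  key=lambda a: a["level"], reverse=True)

# Constructed copy of three notifications from this page.
SAMPLE = """
OSSEC HIDS Notification.
2019 Jan 05 17:26:01

Received From: ns1.zeroconf.eu->/var/log/proftpd/proftpd.log
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Src IP: 196.52.43.64
Portion of the log(s):

2019-01-05 17:26:00,208 ns1 proftpd[30698] ns1.zeroconf.eu (196.52.43.64[196.52.43.64]): mod_tls/2.6: unexpected OpenSSL error, disconnecting

OSSEC HIDS Notification.
2019 Jan 04 03:43:54

Received From: ns1->/var/log/auth.log
Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
Src IP: 188.92.75.248
User: 1234
Portion of the log(s):

Jan  4 03:43:53 ns1 sshd[13801]: Failed password for invalid user 1234 from 188.92.75.248 port 8665 ssh2
Jan  4 03:43:35 ns1 sshd[13801]: Failed password for invalid user 1234 from 188.92.75.248 port 8665 ssh2

OSSEC HIDS Notification.
2019 Jan 02 10:50:03

Received From: ns1->/var/log/dpkg.log
Rule: 2902 fired (level 7) -> "New dpkg (Debian Package) installed."
Portion of the log(s):

2019-01-02 10:50:02 status installed python-apt-common:all 1.4.0~beta3
"""

if __name__ == "__main__":
    for a in triage(SAMPLE, min_level=7):
        print(f"level {a['level']:2d} rule {a['rule_id']} on {a['agent']} "
              f"({a['location']}): {a['description']} src={a['src_ip']}")
```

Run as a script it lists the level-10 SSH brute force first and the level-7 package install second, while the level-2 proftpd noise is dropped; the level-2 "Unknown problem somewhere in the system" alerts are the catch-all the post mentions, so a threshold like this is how you keep them out of the pager without losing them from the record.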

Summary

As you can see, OSSEC is a very capable and reliable tool. It is possible to connect it to other systems like Grafana or Kibana. It can monitor and analyze many parts of your system: applications, services, security and also hardware (I was once notified about a failing hard drive on a server).

OSSEC is also great for use on workstations, where you can gather simple data from employees’ computers (not sensitive data) and have at least brief information about what is going on in your infrastructure.

Best of all is its small size and low resource usage. If you find it as impressive as I do, don’t hesitate and give it a try.
