
Security with Host-based Intrusion Detection System (HIDS)


By: Falko

January 16, 2019

I've been thinking for some time about what topic could be interesting for you (the general Cybrary population) out there. After a few days I decided to introduce you to one of my favorite tools. I'll tell you a few words about a Host-based Intrusion Detection System named OSSEC.

What is HIDS?

Maybe you are already familiar with NIDS (Network-based Intrusion Detection System), which is much more common to find in companies. A NIDS watches traffic on the network (typically from a mirror port or tap) and analyzes it for signs of attack. A HIDS, on the other hand, runs on the host itself: it sees what a network sensor cannot, such as log files, file and registry changes, running processes and local user activity, in addition to the host's own network traffic. HIDS is widely used on-premises but also in cloud infrastructures, where an agent on each instance is often the easiest way to get host-level visibility.

What is OSSEC capable of?

Well, there is much to talk about, and the best source is of course the official information (https://www.ossec.net/about.html) and documentation. Therefore I will just sum up the basic capabilities of OSSEC:
  • Runs on multiple platforms (Windows, Linux, Unix, Solaris, macOS, BSD)
  • It analyzes your system in real time and monitors many aspects of it
  • It monitors and analyzes logs, files, applications and services, the Windows registry, network traffic, authentication and more
  • You get an alert when unusual behavior happens on your system, even when OSSEC has no specific rule for it (the generic rule 1002, "Unknown problem somewhere in the system", matches error keywords such as "error", "denied" or "failed" in any monitored log)
  • It can perform actions (active response) based on rules and correlations, e.g. blocking an IP in the firewall (similar to fail2ban)
  • It monitors changes in user accounts such as password changes, (de)activation, group membership changes and more
  • You can monitor any folders and files on your system for changes (file integrity monitoring, called syscheck in OSSEC)

Examples of alert notifications from a real system:

OSSEC Alert - ns1 - Level 7 - Listened ports status (netstat) changed (new port opened or closed):

OSSEC HIDS Notification.
2019 Jan 06 14:26:11

Received From: ns1->netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| \1)' | sort
Rule: 533 fired (level 7) -> "Listened ports status (netstat) changed (new port opened or closed)."
Portion of the log(s):

ossec: output: 'netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| \1)' | sort':
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:81 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN
tcp 0 0 10.9.8.1:53 0.0.0.0:* LISTEN
tcp 0 0 144.76.72.212:53 0.0.0.0:* LISTEN
tcp 0 0 172.17.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 172.18.0.1:53 0.0.0.0:*
Previous output:
ossec: output: 'netstat -tan |grep LISTEN |egrep -v '(127.0.0.1| \1)' | sort':
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN

OSSEC Notification - ns1 - Alert level 2:

OSSEC HIDS Notification.
2019 Jan 05 17:26:01

Received From: ns1.zeroconf.eu->/var/log/proftpd/proftpd.log
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Src IP: 196.52.43.64
Portion of the log(s):

2019-01-05 17:26:00,208 ns1 proftpd[30698] ns1.zeroconf.eu (196.52.43.64[196.52.43.64]): mod_tls/2.6: unexpected OpenSSL error, disconnecting

OSSEC Notification - ns1 - Alert level 8:

OSSEC HIDS Notification.
2019 Jan 04 20:45:46

Received From: ns1->/var/log/auth.log
Rule: 5701 fired (level 8) -> "Possible attack on the ssh server (or version gathering)."
Src IP: 52.246.208.9
Portion of the log(s):

Jan 4 20:45:46 ns1 sshd[12855]: Bad protocol version identification '320257 320277320276321205320270321211320265320275 320262 320260320275320263320273320270320270/320260320274320265321200320270320272320265/320260320262321201321202321200320260320273320270320270 27 320273320265321202 320275320260320267320260320264 320262 321201320272321200321213' from 52.246.208.9 port 52395

OSSEC Notification - ns1 - Alert level 10:

OSSEC HIDS Notification.
2019 Jan 04 03:43:54

Received From: ns1->/var/log/auth.log
Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
Src IP: 188.92.75.248
User: 1234
Portion of the log(s):

Jan 4 03:43:53 ns1 sshd[13801]: error: maximum authentication attempts exceeded for invalid user 1234 from 188.92.75.248 port 8665 ssh2 [preauth]
Jan 4 03:43:53 ns1 sshd[13801]: Failed password for invalid user 1234 from 188.92.75.248 port 8665 ssh2
Jan 4 03:43:35 ns1 sshd[13801]: Failed password for invalid user 1234 from 188.92.75.248 port 8665 ssh2
Jan 4 03:43:33 ns1 sshd[13801]: Failed password for invalid user 1234 from 188.92.75.248 port 8665 ssh2
Jan 4 03:43:23 ns1 sshd[13801]: Failed password for invalid user 1234 from 188.92.75.248 port 8665 ssh2
Jan 4 03:43:19 ns1 sshd[13801]: Failed password for invalid user 1234 from 188.92.75.248 port 8665 ssh2
Jan 4 03:43:16 ns1 sshd[13801]: Failed password for invalid user 1234 from 188.92.75.248 port 8665 ssh2
Jan 4 03:42:39 ns1 sshd[13579]: Failed password for invalid user 1111 from 188.92.75.248 port 39728 ssh2

OSSEC Notification - ns1 - Alert level 7:

OSSEC HIDS Notification.
2019 Jan 02 10:50:03

Received From: ns1->/var/log/dpkg.log
Rule: 2902 fired (level 7) -> "New dpkg (Debian Package) installed."
Portion of the log(s):

2019-01-02 10:50:02 status installed python-apt-common:all 1.4.0~beta3

OSSEC Notification - ns1 - Alert level 2:

OSSEC HIDS Notification.
2018 Dec 22 16:18:58

Received From: ns1->/var/log/auth.log
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Dec 22 16:18:58 ns1 phpMyAdmin[30967]: user denied: root (mysql-denied) from 118.24.66.194
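The level 10 brute-force alert above (rule 5712) is not a single-line match. It fires when the lower-level rule for a failed login with a non-existent user has matched several times within a time window from the same source IP, and an active-response entry can then block that IP in the firewall. The following Python script is an added example, not OSSEC's own code, that implements this frequency-and-timeframe correlation over constructed auth.log lines modeled on the alert above (reordered chronologically and with two unrelated lines added). The thresholds (6 matches in 120 seconds, 60 seconds of suppression after an alert, blocking for 600 seconds at level 6 or higher) are the defaults as I remember them from OSSEC's sshd_rules.xml and sample ossec.conf; treat them as assumptions and check your own rule files. The class and function names are my own.

```python
"""Frequency/time-window correlation of the kind OSSEC's sshd rules do:
a low-level rule matches each "invalid user" failure, a higher rule fires when
it matched N times within T seconds from the same source IP, and an
active-response entry blocks that IP. Added example, not OSSEC code; the
defaults below are assumptions modeled on OSSEC's shipped rules."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$"
)
# Matches both "Failed password for invalid user ..." and
# "maximum authentication attempts exceeded for invalid user ...".
INVALID_USER_RE = re.compile(r"invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_syslog_time(ts, year):
    """Syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


class SshBruteForceDetector:
    def __init__(self, frequency=6, timeframe=120, ignore=60, year=2019):
        self.frequency = frequency                 # matches needed ...
        self.timeframe = timedelta(seconds=timeframe)  # ... within this window
        self.ignore = timedelta(seconds=ignore)    # suppress repeat alerts for this long
        self.year = year
        self.hits = defaultdict(deque)             # srcip -> timestamps of low-level matches
        self.last_alert = {}                       # srcip -> time of last brute-force alert
        self.alerts = []

    def feed(self, line):
        """Process one auth.log line; return the brute-force alert dict if it fires."""
        m = SYSLOG_RE.match(line)
        if not m:
            return None
        u = INVALID_USER_RE.search(m["msg"])
        if not u:
            return None                            # not an "invalid user" event
        now = parse_syslog_time(m["ts"], self.year)
        ip, user = u["ip"], u["user"]
        window = self.hits[ip]
        window.append(now)
        while window and now - window[0] > self.timeframe:
            window.popleft()                       # forget hits older than the timeframe
        if len(window) < self.frequency:
            return None
        last = self.last_alert.get(ip)
        if last is not None and now - last < self.ignore:
            return None                            # already alerted on this srcip recently
        self.last_alert[ip] = now
        alert = {
            "rule": 5712, "level": 10, "srcip": ip, "user": user,
            "time": now.isoformat(sep=" "), "hits_in_window": len(window),
            "description": "SSHD brute force trying to get access to the system.",
        }
        self.alerts.append(alert)
        return alert


def active_response(alert, min_level=6, timeout=600):
    """Mimic an <active-response> entry: block srcip for timeout seconds when level >= min_level."""
    if alert["level"] < min_level:
        return None
    return {"command": "firewall-drop", "srcip": alert["srcip"], "timeout": timeout}


# Constructed log lines modeled on the alert above (chronological order; the
# 10.9.8.20 and 203.0.113.7 lines are added noise that must not trigger anything).
SAMPLE_AUTH_LOG = """\
Jan  4 03:42:39 ns1 sshd[13579]: Failed password for invalid user 1111 from 188.92.75.248 port 39728 ssh2
Jan  4 03:42:50 ns1 sshd[13590]: Accepted publickey for deploy from 10.9.8.20 port 50122 ssh2
Jan  4 03:43:16 ns1 sshd[13801]: Failed password for invalid user 1234 from 188.92.75.248 port 8665 ssh2
Jan  4 03:43:19 ns1 sshd[13801]: Failed password for invalid user 1234 from 188.92.75.248 port 8665 ssh2
Jan  4 03:43:23 ns1 sshd[13801]: Failed password for invalid user 1234 from 188.92.75.248 port 8665 ssh2
Jan  4 03:43:30 ns1 sshd[13833]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Jan  4 03:43:33 ns1 sshd[13801]: Failed password for invalid user 1234 from 188.92.75.248 port 8665 ssh2
Jan  4 03:43:35 ns1 sshd[13801]: Failed password for invalid user 1234 from 188.92.75.248 port 8665 ssh2
Jan  4 03:43:53 ns1 sshd[13801]: Failed password for invalid user 1234 from 188.92.75.248 port 8665 ssh2
Jan  4 03:43:53 ns1 sshd[13801]: error: maximum authentication attempts exceeded for invalid user 1234 from 188.92.75.248 port 8665 ssh2 [preauth]
"""


def run_sample(log=SAMPLE_AUTH_LOG):
    """Feed the sample log through the detector and return the alerts it raised."""
    det = SshBruteForceDetector()
    for line in log.splitlines():
        det.feed(line)
    return det.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(f"** Alert {alert['time']}, Rule: {alert['rule']} (level {alert['level']}) "
              f"-> '{alert['description']}'")
        print("   Src IP:", alert["srcip"], "User:", alert["user"], "->", active_response(alert))
```

On the sample the sixth failure from 188.92.75.248 lands at 03:43:35, 56 seconds after the first, so one alert fires there; the two further failures at 03:43:53 fall inside the suppression window and do not produce a second email, which is the same behaviour that keeps a real OSSEC mailbox from filling up during a long brute-force run. The single failure from 203.0.113.7 never reaches the threshold.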

Summary

As you can see, OSSEC is a very capable and reliable tool. It is possible to connect it to other systems like Grafana or Kibana. It can monitor and analyze many parts of your system: applications, services, security and also hardware (I was once notified about a failing hard drive on a server). OSSEC is also great for use on workstations, where you can gather simple data from employees' computers (not sensitive data) and have at least brief information about what is going on in your infrastructure. Best of all is its small size and low resource usage. If you find it as impressive as I do, don't hesitate and give it a try.