hids on SWiK

OSSEC v1.5 now has builtin Asterisk rules

Fri, 02 May 2008 01:17:38 -0700

A new OSSEC version has been released. Along with a number of updates, OSSEC now includes the Asterisk rules that were first published in my hakin9 article and then here. The rest of the updates are described in the Changelog.

Grab it now.

OSSEC v1.5 now has builtin Asterisk rules

Fri, 02 May 2008 01:17:37 -0700

Using OSSEC to detect attacks on an Asterisk box

Wed, 02 Apr 2008 21:55:49 -0700

This post is an echo on the previous post which describes how to configure snort to detect SIP attacks. This time we look at detecting attacks at the PBX's end rather than by monitoring network traffic. OSSEC allows us to do just this - it is a host intrusion detection system that can do matching on log files and actively react to attack.

By default OSSEC does not have support for Asterisk. To add this functionality place a new xml file called asterisk.xml in the OSSEC rules directory (typically at /var/ossec/rules/). This file contains rules for the following violations:

User/Extension enumeration
Password cracking attacks

The actual rules file can be downloaded here.

This rules file needs to be referenced from the main configuration usually found in /var/ossec/etc/ossec.conf. This can be done by adding the following line to this file:

<include>asterisk.xml</include>

Then we need to add a decoder entry so that OSSEC can extract the offending IP address. This is done by including the below section to the decoder definition file usually found at /var/ossec/etc/decoder.conf:


<decoder name="asterisk">
<program_name>^asterisk</program_name>
</decoder>

<decoder name="asterisk-denied">
<parent>asterisk</parent>
<prematch>Registration from </prematch>
<regex offset="after_prematch">failed for '(\d+.\d+.\d+.\d+)'</regex>
<order>srcip</order>
</decoder>

Do not forget to restart OSSEC. Typically done by executing the following command:

/etc/init.d/ossec restart

Finally - it is important to make sure that Asterisk is configured to log to syslog and restarted. The next commands to execute are:

echo "syslog.local0 => notice,warning,error" >> /etc/asterisk/logger.conf

/etc/init.d/asterisk restart

Note: Check out Laureano's post on how to just reload the logger configuration.

That's it. Note that this has been tested on a Trixbox VM and your Asterisk configuration might require some modifications since it appears that Asterisk log files are not so standard.

Oh, and to test these rules you can obviously use SIPVicious tool suite ;-)

Using OSSEC to detect attacks on an Asterisk box

Wed, 02 Apr 2008 21:55:45 -0700

User/Extension enumeration
Password cracking attacks

<include>asterisk.xml</include>


<decoder name="asterisk">
<program_name>^asterisk</program_name>
</decoder>

<decoder name="asterisk-denied">
<parent>asterisk</parent>
<prematch>Registration from </prematch>
<regex offset="after_prematch">failed for '(\d+.\d+.\d+.\d+)'</regex>
<order>srcip</order>
</decoder>

Do not forget to restart OSSEC. Typically done by executing the following command:

/etc/init.d/ossec restart

Finally - it is important to make sure that Asterisk is configured to log to syslog and restarted. The next commands to execute are:

echo "syslog.local0 => notice,warning,error" >> /etc/asterisk/logger.conf

/etc/init.d/asterisk restart

Using OSSEC to detect attacks on an Asterisk box

Sat, 15 Mar 2008 03:51:17 -0700

User/Extension enumeration
Password cracking attacks

<include>asterisk.xml</include>


<decoder name="asterisk">
<program_name>^asterisk</program_name>
</decoder>

<decoder name="asterisk-denied">
<parent>asterisk</parent>
<prematch>Registration from </prematch>
<regex offset="after_prematch">failed for '(\d+.\d+.\d+.\d+)'</regex>
<order>srcip</order>
</decoder>

Do not forget to restart OSSEC. Typically done by executing the following command:

/etc/init.d/ossec restart

Finally - it is important to make sure that Asterisk is configured to log to syslog and restarted. The next commands to execute are:

echo "syslog.local0 => notice,warning,error" >> /etc/asterisk/logger.conf

/etc/init.d/asterisk restart

Using OSSEC to detect attacks on an Asterisk box

Sat, 15 Mar 2008 03:51:16 -0700

User/Extension enumeration
Password cracking attacks

<include>asterisk.xml</include>


<decoder name="asterisk">
<program_name>^asterisk</program_name>
</decoder>

<decoder name="asterisk-denied">
<parent>asterisk</parent>
<prematch>Registration from </prematch>
<regex offset="after_prematch">failed for '(\d+.\d+.\d+.\d+)'</regex>
<order>srcip</order>
</decoder>

Do not forget to restart OSSEC. Typically done by executing the following command:

/etc/init.d/ossec restart

Finally - it is important to make sure that Asterisk is configured to log to syslog and restarted. The next commands to execute are:

echo "syslog.local0 => notice,warning,error" >> /etc/asterisk/logger.conf

/etc/init.d/asterisk restart

OSSEC

Thu, 20 Dec 2007 19:58:53 -0800

Open Source Host-based Intrusion Detection System. Performs log analysis, interity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response.`

Downloads

Wed, 22 Aug 2007 05:15:28 -0700

OSSIM (Open Source Security Information Management)

Mon, 30 Apr 2007 12:36:34 -0700

Its goal is to provide a comprehensive compilation of tools which, when working together, grant a network/security administrator with detailed view over each and every aspect of his networks/hosts/physical access devices/server/etc...

OSSIM (Open Source Security Information Management)

Tue, 13 Mar 2007 02:34:17 -0700

OSSEC HIDS - Open Source Security

Sat, 03 Feb 2007 03:06:28 -0800

OSSEC HIDS - Open Source Security

Sat, 03 Feb 2007 02:30:18 -0800

OSSEC HIDS - Open Source Security

Tue, 26 Dec 2006 20:27:53 -0800

SourceForge.net: aide

Thu, 14 Sep 2006 03:14:11 -0700

OSSEC HIDS - Open Source Security

Tue, 08 Aug 2006 13:04:00 -0700

Tiger - The UNIX Security audit and intrusion detection tool

Mon, 10 Jul 2006 06:51:09 -0700

Snort - SWiK

Tue, 20 Jun 2006 15:13:31 -0700