Week of OSSEC Day 4: Using Groups

Groups are one of the features that make OSSEC truly useful, yet one I suspect not many people are taking full advantage of. A group is a label attached to a rule, and groups let us normalize events into categories that make sense to us. Think of them as collections of like concepts. Streets in common areas are referred to as "neighborhoods," and streets in common areas with high crime rates are referred to as "bad neighborhoods." We then use these concepts in our daily lives. For example, I might warn someone not to get an apartment in a certain neighborhood because it is a "bad neighborhood." That warning is the OSSEC equivalent of an e-mail alert.

OSSEC makes use of several default groups. Some of them are:

  • authentication_failed
  • web_scan
  • system_error

Each of these, like a neighborhood, collects individual events of the same kind, and just like the neighborhood example, you can make up your own groups within OSSEC.

Let's say you have a collection of servers that are within the scope of PCI. They need to be monitored more closely than the less critical systems, so you decide that any new account on one of them should produce a special kind of alert. Your rule might look like this (custom rules live in rules/local_rules.xml inside a <group> element, and their ids should fall in the 100000 to 119999 range reserved for local rules; watch that the id doesn't conflict with rules you already have):

<rule id="100022" level="12">
<if_group>adduser</if_group>
<hostname>pci-server</hostname>
<group>pci_rule,</group>
<description>User added to PCI system</description>
</rule>

This rule fires a level 12 alert with the description above for any user added to the system "pci-server." It doesn't matter whether it was an OS or an application user, as long as the rule that matched the original event carries the group "adduser." Note that <hostname> is a pattern match against the hostname of the event, so "pci-server" will also match longer names that contain it, such as pci-server-02. In addition, we added our own group, "pci_rule."

We certainly don't need this additional group for the rule to work, but it can come in handy in other ways. Let's say that these systems are so important that we also want a page sent to the on-call pager, so that someone can be assured of getting the alert. We simply add this to etc/ossec.conf, inside <ossec_config> (e-mail must already be enabled with <email_notification>yes</email_notification> in the <global> section, or no granular alert will be sent):

<email_alerts>
<email_to>pager@example.com</email_to>
<group>pci_rule</group>
<format>sms</format>
<do_not_delay />
</email_alerts>

Now, in addition to the e-mail sent to the global address, an SMS-formatted e-mail is also sent to pager@example.com, without the usual delay. When other rules for these systems are created, all that needs to be done is to assign them the "pci_rule" group and a page will be sent along with the main e-mail.
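To see how the rule and the <email_alerts> fragment above work together, here is a small Python model of the two mechanisms. It is an added example, not OSSEC's own code, and it simplifies the real engine: rules are scanned in file order, <match> and <hostname> are treated as Python regular expressions (OSSEC has its own pattern syntax), an alert's groups are taken to be the enclosing <group name="..."> list plus the matched rule's own <group>, and the global <alerts> thresholds are ignored. Rule 100020 is a constructed stand-in for the stock adduser rule, soc@example.com stands in for the global recipient, and the log lines are constructed. Confirm the details against the alert output of your own OSSEC version before relying on them.

```python
"""Model of OSSEC group chaining and granular e-mail routing (added example,
not OSSEC's own code). Rules are scanned in file order, <match>/<hostname> are
Python regexes, alert groups = enclosing <group name> plus the rule's own
<group>, and the global <alerts> thresholds are ignored. All data is constructed."""
import re
import xml.etree.ElementTree as ET

# Rule 100020 stands in for a stock "adduser" rule; 100022 is the PCI rule.
LOCAL_RULES = """
<group name="local,syslog,">
  <rule id="100020" level="8">
    <match>new user</match>
    <description>New user added to the system</description>
    <group>adduser,</group>
  </rule>
  <rule id="100022" level="12">
    <if_group>adduser</if_group>
    <hostname>pci-server</hostname>
    <group>pci_rule,</group>
    <description>User added to PCI system</description>
  </rule>
</group>
"""
# The pager entry from the post plus a level-only entry for the main recipient.
OSSEC_CONF = """
<ossec_config>
  <email_alerts>
    <email_to>pager@example.com</email_to>
    <group>pci_rule</group>
    <format>sms</format>
    <do_not_delay />
  </email_alerts>
  <email_alerts>
    <email_to>soc@example.com</email_to>
    <level>7</level>
  </email_alerts>
</ossec_config>
"""
# Constructed (agent name, log line) events.
SAMPLE_EVENTS = [
    ("pci-server", "useradd[2231]: new user: name=bob, UID=1003, GID=1003, home=/home/bob"),
    ("web-01", "useradd[9917]: new user: name=deploy, UID=1010, GID=1010, home=/home/deploy"),
    ("pci-server", "sshd[441]: Accepted publickey for alice from 10.0.0.5 port 55122 ssh2"),
]

def split_groups(text):
    """OSSEC group lists are comma separated, usually with a trailing comma."""
    return {g.strip() for g in (text or "").split(",") if g.strip()}

def load_rules(xml_text):
    """Rules in file order; each inherits the groups of its enclosing <group name>."""
    root = ET.fromstring("<root>" + xml_text + "</root>")  # rule files hold many <group>s
    rules = []
    for block in root.findall("group"):
        inherited = split_groups(block.get("name"))
        for r in block.findall("rule"):
            rules.append({"id": int(r.get("id")), "level": int(r.get("level")),
                          "if_group": (r.findtext("if_group") or "").strip() or None,
                          "match": r.findtext("match"), "hostname": r.findtext("hostname"),
                          "groups": inherited | split_groups(r.findtext("group")),
                          "description": r.findtext("description")})
    return rules

def evaluate(rules, hostname, log_line):
    """Return the alert for one event or None. An <if_group> rule is considered only
    after a rule carrying that group matched; the last match sets level and groups."""
    matched = None
    for rule in rules:
        if rule["if_group"] and (matched is None or rule["if_group"] not in matched["groups"]):
            continue
        if rule["match"] and not re.search(rule["match"], log_line):
            continue
        if rule["hostname"] and not re.search(rule["hostname"], hostname):
            continue
        matched = rule
    if matched is None:
        return None
    return {"rule_id": matched["id"], "level": matched["level"],
            "description": matched["description"], "groups": set(matched["groups"])}

def load_email_alerts(conf_text):
    """Every <email_alerts> entry in an ossec.conf fragment."""
    return [{"email_to": e.findtext("email_to"),
             "group": (e.findtext("group") or "").strip() or None,
             "level": int(e.findtext("level") or 0),
             "format": e.findtext("format") or "full",
             "do_not_delay": e.find("do_not_delay") is not None}
            for e in ET.fromstring(conf_text).findall("email_alerts")]

def route(alert, entries):
    """(recipient, format, immediate) for each entry whose group and level the alert satisfies."""
    return [(e["email_to"], e["format"], e["do_not_delay"]) for e in entries
            if (e["group"] is None or e["group"] in alert["groups"])
            and alert["level"] >= e["level"]]

def run(events=SAMPLE_EVENTS):
    """Evaluate each event and decide who is notified: (host, alert, hits) per event."""
    rules, entries = load_rules(LOCAL_RULES), load_email_alerts(OSSEC_CONF)
    results = []
    for host, line in events:
        alert = evaluate(rules, host, line)
        results.append((host, alert, route(alert, entries) if alert else []))
    return results
```

Running run() shows the first event escalating from 100020 to 100022 and reaching both the pager and the main recipient, the same line from web-01 stopping at 100020 and reaching only the main recipient, and the sshd line matching nothing. Because <hostname> is a pattern match, a host named pci-server-02 is also escalated; anchor the pattern if that is not what you want.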

Groups tap into the power of OSSEC to normalize data in the way that makes the most sense to you. Think of the various ways in which groups would make your alerts more meaningful, then try them out, but remember to always test the rules (for example by feeding sample log lines through /var/ossec/bin/ossec-logtest) to make sure they have the intended effect.

Posted in Intrusion Detection, Log Analysis
