OSSEC Rule Examples

Direct copy from the blog https://akmalhisyam.my/blog/ossec-creating-custom-rules for my reference – thanks Akmal!

When parsing log, OSSEC will look at level 0 first, and then highest level -> lowest levelOSSEC will not produce alert for rules with level 0It is best to put custom rules in local_rules.xml or other file to avoid being overwritten during upgradeossec-logtest is a very useful tool to test your rules & decoder

Example

Silencing certain rules

<rule id="100030" level="0">
  <if_sid>503,502</if_sid>
  <description>List of rules to be ignored.</description>
</rule>

OSSEC will not produce any alert when rule 502 and 503 is triggered


Ignore alert if rules triggered by certain IP

<rule id="100225" level="0">
  <if_sid>40101</if_sid>
  <srcip>127.0.0.1</srcip>
  <description>Ignore this</description>
</rule>

If rule 40101 triggered by 127.0.0.1, dont produce any alert


Ignore alert if contains certain strings

<rule id="100223" level="0">
  <if_sid>1002</if_sid>
  <match>terrorist|terror|femmefatale|heart-attack</match>
  <description>Ignore 1002 false positive</description>
</rule>

OSSEC is using OS_match/sregex syntax in <match>


Ignore alert if contains certain strings (using regex)

<rule id="100207" level="4">
  <if_sid>1002,1003</if_sid>
  <regex>^WordPress database error You have an error in your SQL syntax(\.*)functionName$</regex>
  <description>Unescaped SQL query, known issue</description>
</rule>

OSSEC is using OS_regex/regex syntax in <regex>


Trigger custom rule when certain field match certain value in cdb list

<rule id="100215" level="5">
  <if_sid>31101</if_sid>
  <list lookup="match_key" field="url">rules/badurl</list>
  <description>URL is in badurl</description>
</rule>

Trigger custom rule when certain rules is fired x time within n second from same srcip

<rule id="100216" level="10" frequency="4" timeframe="90">
  <if_matched_sid>100215</if_matched_sid>
  <same_source_ip />
  <description>Multiple badurl access </description>
  <description>from same source ip.</description>
  <group>web_scan,recon,</group>
</rule>

Overriding rules

<rule id="1003" level="13" overwrite="yes" maxsize="2000">
  <description>Non standard syslog message (size too large).</description>
</rule>

Original rule 1003 have 10245 as its maxsize. Using overwrite=”yes” will make OSSEC overwrite certain field in original rule


Custom rule group

<group name="app_error">
  <rule id="100207" level="4">
    <if_sid>1002,1003</if_sid>
    <regex>^WordPress database error You have an error in your SQL syntax(\.*)functionName$</regex>
    <description>Unescaped SQL query, known issue</description>
  </rule>

  <rule id="100218" level="0">
    <if_sid>1003</if_sid>
    <match>WUID | WTB</match>
    <description>ignorance is bliss</description>
  </rule>
</group>

RHEL Subscription Manager Useful Commands

The following was copied from <https://access.redhat.com/discussions/3312101?tour=8> and provides a method of cleaning all subscription manager configuration and re-subscribing – you’ll need an active account with Red Hat to complete this though they do offer free developer accounts (use your account name and not your email address as the username!)

sudo subscription-manager remove --all
sudo subscription-manager unregister
sudo subscription-manager clean

sudo subscription-manager register
sudo subscription-manager refresh
sudo subscription-manager attach --auto

Linux Ubuntu Kernel Management

To revert to the latest recommended kernel:

sudo apt-get install --install-recommends linux-generic-hwe-18.04

To maintain the kernel and cleanse the unused:

You should check partially removed kernels with

dpkg -l linux-image-\* | grep ^rc

and remove them with for example sudo apt-get purge linux-image-4.4.0-101-generic.

Purging will remove initramfs generation rules from /var/lib/initramfs-tools/.

If it does not help, you can remove them manually from initramfs list:

sudo rm /var/lib/initramfs-tools/3.13.0-39-generic
sudo rm /var/lib/initramfs-tools/4.4.0-101-generic
sudo rm /var/lib/initramfs-tools/4.4.0-103-generic
sudo rm /var/lib/initramfs-tools/4.4.0-38-generic
sudo rm /var/lib/initramfs-tools/4.4.0-45-generic
sudo rm /var/lib/initramfs-tools/4.4.0-59-generic
sudo rm /var/lib/initramfs-tools/4.4.0-77-generic
sudo rm /var/lib/initramfs-tools/4.4.0-78-generic
sudo rm /var/lib/initramfs-tools/4.4.0-81-generic

Usually I run purge-old-kernels followed by sudo apt-get autoremove to have only 2 recent kernels.

You can reinstall installed kernels with their initramfses:

sudo apt-get install --reinstall \
$(dpkg -l linux-image-\* | grep ^ii | awk '{print $2}')

ref: https://askubuntu.com/questions/1001285/why-are-old-initrd-files-of-uninstalled-kernels-filling-up-boot-partition

VMWare Workstation 14 Ubuntu

I recently encountered a  minor issue attempting to create additional VMs in VMWare Workstation 14 on Ubuntu. The error I received suggested there wasn’t enough memory free to power on an additional VM but the host has 32GB of RAM and I’d allocated 20GB across all VMs.

Inspecting the /etc/vmware/config file revealed the value:

prefvmx.allVMMemoryLimit = "12954"

Which is a hard upper limit for all VMs, adjusting it to the following with VMWare closed and then start VMWare resolved the problem:

prefvmx.allVMMemoryLimit = "20480"

 

Ubuntu, Kernel 4.14+, VMWare Workstation 14

I was unable to compile the ubuntu kernel patches for VMWare Workstation 14.0 for a couple of reasons on Ubuntu 16.04 with an updated kernel v4.14:

 

1. Launching VMWare Workstation resulted in a GUI window complaining no GCC-7.2 was available, solved by the following commands (thanks to https://askubuntu.com/questions/859256/how-to-install-gcc-7-or-clang-4-0) :

sudo add-apt-repository ppa:jonathonf/gcc-7.1
sudo apt-get update
sudo apt-get install gcc-7 g++-7
 

2. The next failure was with further kernel compiling modules with the vmmonitor service failing. This needed a patch on the install scripts to support the latest kernel, resolved by the following commands (thanks to https://github.com/mkubecek/vmware-host-modules/commit/770c7ffe611520ac96490d235399554c64e87d9f for the patch and https://superuser.com/questions/1255099/vmware-workstation-not-enough-physical-memory-since-last-update/1255963 for guidance on applying it):


~$ sudo cd /tmp
~$  cp /usr/lib/vmware/modules/source/vmmon.tar .
~$  tar xf vmmon.tar
~$  rm vmmon.tar
~$  wget https://raw.gi 
thubusercontent.com/mkubecek/vmware-host-modules/fadedd9c8a4dd23f74da2b448572df95666dfe12/vmmon-only/linux/hostif.c
~$  mv -f hostif.c vmmon-only/linux/hostif.c
~$  tar cf vmmon.tar vmmon-only
~$  rm -fr vmmon-only
~$  mv -f vmmon.tar /usr/lib/vmware/modules/source/vmmon.tar
~$  vmware-modconfig --console --install-all

Ubuntu, LVM, Partitions

Ubuntu disk partition extension under LVM:

1/ extend the LVM volume (cheated with gparted but parted would work fine, this is the container partition for the “Volume Group”.

 

2/ Next launch LVM and use “lvdisplay” to print the current output, mine was a container group with a single logical volume named “root”

 

3/ Now I know the location and name of the LV I can issue the following command to expand it into the available free space created in step 1:

lvextend -l +100%FREE /dev/Container1/root

 

4/ Finally exit lvm and expand the file system to fill the LV:

sudo resize2fs /dev/Container1/root