I’ve always wondered what a Distributed Denial of Service (DDoS) attack really looks like. Fortunately, there is now this pretty awesome video illustration of one:
I’ll be in Miami this weekend, April 5 – 7th, 2013, for WordCamp Miami. I’ll be giving a new, updated talk on Website Security on Saturday. You should come by and say hi if you’re around. If you’re not, no problem, you can see my slides here:
Here is the video recording of my talk on the presentation above. Unfortunately we had a few technical difficulties, so you’ll have to follow along with the slide deck I have above.
OSSEC is my preferred host-based intrusion detection system (HIDS). I have to admit I am a bit partial to it because my good friend Daniel Cid built it and sold it to Trend Micro / Third Brigade back in 2008. I have something many don’t have: the ability to pester Daniel until he explains and guides me through all my issues. In the process I have learned a number of things and made some very interesting observations about the product; this is where I will be sharing them.
Since my focus is on website security, my deployment and use of the product will follow suit. I won’t talk much about the configuration and monitoring of large-scale enterprises, but I will likely get into large n-tier implementations of web enterprises. This could include the use of load balancers, web servers and database servers, and possibly some storage devices. Pretty straightforward stuff.
Unfortunately, one of the observations I have made is that most implementations of OSSEC are piss poor: they are not monitoring anything of value. The other observation is simplicity. What I have learned about my dear friend is that he doesn’t believe in complexity; where possible he tries to simplify, and while I know he would rewrite OSSEC if he had the chance, simplicity is still at its core. I mention this because it’s very important to keep in mind when you work with the application.
So let’s start there.
The one caveat I need to make is that I don’t run the version of OSSEC provided here: http://www.ossec.net/?page_id=19. I actually run Daniel’s branch here: https://bitbucket.org/dcid/ossec-hids/get/tip.tar.gz. It includes almost all the changes in the latest 2.7 release, and its changes get pulled into the latest versions on the main site.
So naturally, as of late, I have found myself doing more than I probably need to on my servers and in the process causing more headaches than required. One of those issues has been the communication between my agents and the mother-ship (command and control) server in my OSSEC installs.
The first thing to understand is how to check the status of your agents, and the easiest way to do that is to run the following on the server install (my mothership):
# /var/ossec/bin/agent_control -lc
This lists your agents, and active ones show as Active. Inactive agents, unfortunately, are not listed as Inactive; they simply don’t show up.
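Because inactive agents just vanish from that list, a simple way to catch them is to compare the output against the agents you expect to be there. The script below is an added example, not from this post or from OSSEC itself; it assumes the one-agent-per-line "ID: 001, Name: web01, IP: ..., Active" format that agent_control prints, takes the expected names as a space-separated list, and uses a constructed sample of the command's output so it runs offline.

```shell
#!/bin/sh
# Added example: flag expected OSSEC agents missing from `agent_control -lc`.
# Assumed line format (verify against your build):
#   ID: 001, Name: web01, IP: 10.0.0.11, Active

# Constructed sample of `agent_control -lc` output (not real servers).
SAMPLE_LC_OUTPUT='OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: mothership (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: web01, IP: 10.0.0.11, Active
   ID: 003, Name: db01, IP: 10.0.0.31, Active'

# Read agent_control -lc style output on stdin, print one agent name per line.
active_agent_names() {
    awk -F'Name: ' '/ID: [0-9]+, Name: /{ split($2, n, ","); print n[1] }'
}

# $1: space-separated list of expected agent names
# $2: the text printed by `agent_control -lc`
# Prints each expected name that is absent; returns 1 if any is missing.
missing_agents() {
    expected="$1"; output="$2"; rc=0
    active=$(printf '%s\n' "$output" | active_agent_names)
    for name in $expected; do
        if ! printf '%s\n' "$active" | grep -qx "$name"; then
            echo "MISSING: $name (not listed by agent_control -lc)"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the constructed sample: web02 is reported as missing.
# On a real mothership you would pass "$(/var/ossec/bin/agent_control -lc)".
missing_agents "web01 web02 db01" "$SAMPLE_LC_OUTPUT" || echo "agents missing"
```

Run it from cron on the mothership and have it alert when the exit status is non-zero, which turns "it just doesn't show up" into a signal you can act on.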