Implementation of Systems for Intrusion Detection and Log Management

Masaryk University, Faculty of Informatics
Implementation of Systems for Intrusion Detection and Log Management
Master's Thesis
Severin Simko
Brno, Spring 2018

This is where a copy of the official signed thesis assignment and a copy of the Statement of an Author is located in the printed version of the document.

Declaration

Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source.

Severin Simko

Advisor: doc. RNDr. Tomáš Pitner, Ph.D.

Acknowledgements

I would like to thank my family for their continuous support.

Abstract

Increasing IT threats require advanced and sophisticated IT security solutions that can keep organizations and companies safe. Log Management and Intrusion Detection Systems are among these solutions. The aim of this master's thesis was to examine the Log Management system Graylog and the Host-based Intrusion Detection System OSSEC. Both systems were analyzed, deployed and integrated into the IT infrastructure of the company AXENTA a.s. Based on the Graylog throughput testing performed in this project, we determined whether Graylog meets the requirements of the AXENTA a.s. business purposes. This thesis describes both technologies, presents the deployment details and integration of both systems, and finally interprets the testing results.

Keywords

Graylog, OSSEC, log management, intrusion detection, security, log, log analysis

Contents

1 Introduction 1
2 Overview and Description of Technologies 3
2.1 OSSEC 3
2.1.1 What are IDS systems 3
2.1.2 Understanding of OSSEC and its Key Features 4
2.1.3 Client-Server Architecture 8
2.1.4 OSSEC Alternatives 10
2.2 Graylog 11
2.2.1 Log Management 11
2.2.2 Technology Description and Key Features 12
2.2.3 Lifecycle of a Log 12
2.2.4 Graylog Components 15
2.2.5 Graylog Alternatives 17
3 Deployment 21
3.1 Introduction to the Project 21
3.1.1 Project Environment 22
3.2 OSSEC 24
3.2.1 Server Configuration 24
3.2.2 Alerting, Notifications, and Reporting 26
3.3 Graylog 29
3.3.1 Architectures Deployed 29
3.3.2 Server Configuration 32
3.4 OSSEC and Graylog Integration 46
4 Testing and Results 49
4.1 Graylog Throughput Testing 49
4.1.1 Graylog Buffering 50
4.1.2 Testing Explanation 53
4.1.3 Results and Findings 55
4.2 Summary of OSSEC 59
5 Conclusion 63
Bibliography 65

List of Figures

2.1 Example File Integrity Configuration 5
2.2 Archived Logs Example 6
2.3 The client and server OSSEC services 9
2.4 Example Lifecycle of a Log in Graylog 14
2.5 High-level overview of Graylog components 16
3.1 AXENTA a.s. Log Management Architecture 22
3.2 OSSEC syslog-ng folder monitoring 25
3.3 OSSEC syslog-ng rules 26
3.4 The configuration of OSSEC Alerts 27
3.5 High-level OSSEC Processing 28
3.6 Graylog Cluster Architecture 32
3.7 Not parsed logs from pfSense firewall 35
3.8 Number Of Logs Received shown on Histogram 38
3.9 List of Devices sending logs as a Quick Values Analysis 38
3.10 Source IP Addresses shown using the Geo-Location Plugin 40
3.11 Multi-tenancy REST-API command for revoking Roles 44
3.12 Graylog Cluster Architecture 47
4.1 Graylog Internal Processing - Buffering 51
4.2 Testing throughput script 55
4.3 Graylog Throughput Testing Results 57
4.4 Graylog Server Monitoring Showing the Processes and CPU Usage 59

1 Introduction

Every organization and company, regardless of its size, needs secure IT. Intrusion Detection and Log Management belong to the most important parts of IT security. Organizations use log analysis, which is a part of log management, to become aware of security events that can potentially affect the entire organization, and it allows them to perform in-depth log analysis. Intrusion Detection Systems are used to detect anomalies and unusual behavior by analyzing network traffic and logs and by monitoring remote servers. Graylog is an open-source log management system, and OSSEC is an open-source Host-based Intrusion Detection System that provides multiple features, such as File Integrity Checking, Log Analysis or Rootkit Detection. Both systems are described in chapter . That chapter provides a high-level overview of both systems and explains their features and configuration.

The main goal of this project was the analysis, successful deployment and testing of these systems in the AXENTA a.s. infrastructure. AXENTA a.s. is a Czech IT company that deals with IT security and provides advanced and sophisticated Log Management and IT security solutions. Based on the analysis and deployment, it was necessary to determine whether or not these systems are useful for the purposes of AXENTA a.s., and if so, for which use cases. The main part of this thesis focuses on providing details of the deployment process in this infrastructure and summarizing the experiences and problems that were encountered during deployment. The details about the deployment and integration of both systems are summarized in chapter 3. One part of this project deals with the Graylog throughput testing that was performed on two different servers and in a total of five different use cases. The testing consists of 40 separate tests to get the most accurate throughput results. The findings and results are summarized in chapter 4.

2 Overview and Description of Technologies

This chapter explains both technologies used in the project in detail; it describes their use, features and functionality, and should provide the technical background required for a general understanding of both technologies and of the whole project. As mentioned above, the two main technologies used in the project were the open-source HIDS¹ security tool called OSSEC and the open-source Log Management system called Graylog.

¹ Host-based intrusion detection system

2.1 OSSEC

OSSEC is an open source Host-based Intrusion Detection System (HIDS) that performs log analysis, file integrity checking, rootkit detection and real-time alerting. OSSEC provides a centralized, multi-platform architecture that allows managing the security of computers from one central place.

2.1.1 What are IDS systems

Host-based Intrusion Detection Systems (HIDS), together with Network-based Intrusion Detection Systems (NIDS), are subgroups of Intrusion Detection Systems (IDS). An IDS is a network security system that monitors network traffic to detect suspicious and potentially malicious activities. Such activities may indicate a system or network attack from someone who is trying to compromise the data or the whole system. IDS are used to monitor the entire network, a portion of a network, or an individual system.[1] IDS use sophisticated detection methods and raise alerts when such activities are taking place.

Although both NIDS and HIDS are used for the security management of networks and computers, they work differently and are used for different purposes. A NIDS is installed at a strategic point in the network infrastructure and provides broader traffic examination than a HIDS. The NIDS listens to all packets going through this strategic point and monitors the whole network segment. That is why this network-based approach is not a perfect way to monitor a particular host: there can be an alternative path to the host, and in that case the intrusion will not be detected. On the other hand, a HIDS runs as a service or an agent installed on a certain network endpoint and monitors unusual activity only for this endpoint. A HIDS monitors settings on the server such as critical system or configuration files, or file checksums, and so protects file or registry integrity. A HIDS is often an after-the-fact tool because it monitors log files to find anomalies, whereas a NIDS is much more real-time because it monitors the packets going through the network right now. Both systems have to be fine-tuned to eliminate false positive alerts.[2]

2.1.2 Understanding of OSSEC and its Key Features

OSSEC can check the integrity of system files, detect rootkits, and has a powerful log analysis engine capable of analyzing almost every type of log created on a system. Log analysis can be done for services such as Apache, Bind and LDAP, and also for 3rd-party logs from devices such as Cisco. Apart from this, OSSEC contains an active response module that can respond to detected attacks or threats.

File Integrity Monitoring: Also called syscheck, this is a periodic validation of the integrity of operating system or application files by comparing the current file state with a known, stored value. It is a very important part of intrusion detection, and it often uses cryptographic functions to calculate checksums for detecting changes or modifications. OSSEC uses MD5/SHA1 checksums for monitoring crucial configuration files in a system. OSSEC supports two modes of validation: validation in a user-defined period, by default set to every 6 hours, or near-real-time. The near-real-time mode is supported on Windows and modern Linux distributions, such as Ubuntu or CentOS. The OSSEC agent scans the system in a given period and sends the checksums to the central server, where the known values are stored.
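To make the syscheck idea concrete, the following added example (not OSSEC's own code) models the agent/server split described above: the agent hashes the monitored files, and the server keeps the baseline and reports added, deleted and modified files. The file names and the temporary directory are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Added example, not OSSEC's own code: a minimal model of the syscheck idea.
# MD5 and SHA1 are included because the thesis says OSSEC records them;
# SHA-256 is added as a collision-resistant check an auditor should prefer.

def file_checksums(path):
    """Return (md5, sha1, sha256) hex digests of one file, streamed in chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            for h in (md5, sha1, sha256):
                h.update(chunk)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()

def scan(paths):
    """Agent side: checksums of every monitored path that currently exists."""
    return {p: file_checksums(p) for p in paths if os.path.isfile(p)}

def diff_baseline(baseline, current):
    """Server side: compare a fresh scan with the stored known-good values."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }

def demo():
    """Constructed scenario in a temp dir: baseline three config files, then
    append to one, delete one and create a new one before the next scan."""
    d = tempfile.mkdtemp()
    names = ["sshd_config", "passwd", "hosts"]
    for n in names:
        with open(os.path.join(d, n), "w") as f:
            f.write(f"original {n}\n")
    monitored = [os.path.join(d, n) for n in names + ["rc.local"]]
    baseline = scan(monitored)          # stored on the server at baseline time
    with open(os.path.join(d, "sshd_config"), "a") as f:
        f.write("# tampered line\n")
    os.remove(os.path.join(d, "hosts"))
    with open(os.path.join(d, "rc.local"), "w") as f:
        f.write("newly created\n")
    report = diff_baseline(baseline, scan(monitored))
    return {k: [os.path.basename(p) for p in v] for k, v in report.items()}

if __name__ == "__main__":
    print(demo())
```

The unchanged `passwd` file produces no finding, which is the expected quiet result of a periodic scan when nothing was touched.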
