Guest Diary: Xavier Mertens - Playing with IP Reputation with Dshield & OSSEC

Published: 2015-06-02
Last Updated: 2015-06-02 13:00:20 UTC
by Alex Stanford (Version: 1)

[Guest Diary: Xavier Mertens] [Playing with IP Reputation with Dshield & OSSEC]

When investigating incidents or searching for malicious activity in your logs, IP reputation is a nice way to increase the reliability of generated alerts. It can help to prioritize incidents. Let's take an example with a Wordpress blog. It will, sooner or later, be targeted by a brute-force attack on the default /wp-admin page. In this case, IP reputation can be helpful: An attack performed from an IP address reported as actively scanning the Internet will not (or less) attract my attention. On the contrary, if the same kind of attack is coming from an unkown IP address, this could be more suspicious...

By using a reputation system, our monitoring tool can tag an IP address with a label like "reported as malicious" based on a repository. The real value of this repository depends directly of the value of collected information. I'm a big fan of dshield.org (https://www.dshield.org), a free service provided by the SANS Internet Storm Center. Such service is working thanks to the data submitted by many people across the Internet. For years, I'm also pushing my firewall logs to dshield.org from my OSSEC server. I wrote a tool to achieve this: ossec2dshield (https://github.com/xme/ossec2dshield). By contributing to the system, it's now time to get some benefits from my participation: I'm re-using the database to automatically check the reputation of the IP addresses attacking me. We come full circle!

To achieve this, let's use the API (https://isc.sans.edu/api/) provided on isc.sans.org and the OSSEC (http://www.ossec.net) feature called "Active-Response" which allows to trigger a script upon a set of conditions. In this example, we call the reputation script with our attacker address for any alert with a level >= 6.

(Check the Active-Response (http://ossec-docs.readthedocs.org/en/latest/manual/ar/) documentation for details)

The ISC API can be used to query information about an IP address. The returned results are:

$ wget -O - -q https://isc.sans.edu/api/ip/195.154.243.219?json

{"ip":{"abusecontact":"unknown","number":"195.154.243.219","country":" FR ","as":"12876 ","asname":" AS12876 ONLINE S.A.S.,FR","network":" 195.154.0.0\/16 ","comment":null}}

The most interesting fields are:

• count - the number of times the IP address has been reported as an attacker

• attacks - the number of targeted IP addresses

• mindate - the first report

• maxdata - the last report

The script "isc-ipreputation.py" can be used from the command line or from an OSSEC Active-Response configuration block. To reduce the requests against the API, a SQLite database is created and populated with a local copy of the data. Existing IP addresses will be checked again after a specified TTL (time-to-live), by default 5 days. Data are also dumped in a flat file or Syslog for further processing by another tool. Here is an example of entry:

$ tail -f /var/log/ipreputation.log

[2015-05-27 23:30:07,769] DEBUG No data found, fetching from ISC

[2015-05-27 23:30:07,770] DEBUG Using proxy: 192.168.254.8:3128

[2015-05-27 23:30:07,772] DEBUG Using user-agent: isc-ipreputation/1.0 (blog.rootshell.be)

[2015-05-27 23:30:09,760] DEBUG No data found, fetching from ISC

[2015-05-27 23:30:09,761] DEBUG Using proxy: 192.168.254.8:3128

[2015-05-27 23:30:09,762] DEBUG Using user-agent: isc-ipreputation/1.0 (blog.rootshell.be)

[2015-05-27 23:30:10,138] DEBUG Saving 178.119.0.173

[2015-05-27 23:30:10,145] INFO IP=178.119.0.173, AS=6848("TELENET-AS Telenet N.V.,BE"), Network=178.116.0.0/14, Country=BE, Count=148, AttackedIP=97, Trend=0, FirstSeen=2015-04-21, LastSeen=2015-05-27, Updated=2015-05-27 18:37:15

In this example, you can see that this IP address started to attack on the 21st of April. It was reported 148 times while attacking 97 different IP addresses (This IP is certainly part of a botnet).

The script can be configuration with a YAML configuration file (default to /etc/isc-ipreputation.conf) which is very easy to understand:

logging:

debug: yes
database:

path: '/data/ossec/logs/isc-ipreputation.db'
network:

exclude-ip: '192\.168\..*|172\.16\..*|10\..*|fe80:.*’

ttl-days: 5

http:

proxy: '192.168.254.8:3128'
user-agent: 'isc-ipreputation/1.0 (blog.rootshell.be)’

Finally, the SQLite database can use used to get interesting statistics. Example, to get the top-10 of suspicious IP addresses that attacked me (and their associated country):

$ sqlite3 isc-ipreputation.db

SQLite version 3.8.2 2013-12-06 14:53:30

Enter ".help" for instructions

Enter SQL statements terminated with a ";"

sqlite> select ip, count, attacks,country from ip order by count desc limit 10;

61.240.144.66|4507455|32533|CN

218.77.79.43|2947146|63295|CN

61.240.144.65|2408418|24185|CN

61.240.144.64|1947038|22054|CN

61.240.144.67|1759210|25421|CN

184.105.139.67|1678608|63055|US

61.160.224.130|1553361|62140|CN

61.183.128.6|1385025|13829|CN

61.160.224.129|1312580|15202|CN

61.160.224.128|1209176|61006|CN

sqlite>

It is also very easy to generate dynamic lists of IP addresses (or CDB (http://ossec-docs.readthedocs.org/en/latest/manual/rules-decoders/rule-lists.html) as called by OSSEC). The following command will generate a CDB list with my top-10 of malicious IP addresses:

$ sqlite3 isc-ipreputation.db \

"select ip from ip order by count desc limit 10;"| \

while read IP;

echo "$IP:Suspicious”;

done >/data/ossec/lists/bad-ips

$ cat /data/ossec/lists/bad-ips

61.240.144.66:Suspicious

218.77.79.43:Suspicious

61.240.144.65:Suspicious

61.240.144.64:Suspicious

61.240.144.67:Suspicious

184.105.139.67:Suspicious

61.160.224.130:Suspicious

61.183.128.6:Suspicious

61.160.224.129:Suspicious

61.160.224.128:Suspicious

$ ossec-makelists

* File lists/bad-ips.cdb needs to be updated

Based on this list, you can add more granularity to your alerts by correlating the attacks with the CDB list. Note that dshield.org proposes a recommended block list (http://feeds.dshield.org/block.txt) ready to be used. A few months ago, Richard Porter (http://www.twitter.com/packetalien) explained how (https://isc.sans.edu/forums/diary/Subscribing+to+the+DShield+Top+20+on+a+Palo+Alto+Networks+Firewall/19365) to integrate one of them in a Palo Alto Networks firewall. This is a great resource but I think that both are complementary.

The script is available on my github repository (https://github.com/xme/toolbox/blob/master/isc-ipreputation.py).

"If the enemy leaves a door open, you must rush in." - Sun Tzu

PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x42D006FD51AD7F2

Keywords: DShield IP Reputation OSSEC

0 comment(s)

ISC StormCast for Tuesday, June 2nd 2015 http://isc.sans.edu/podcastdetail.html?id=4509

Comments

cwqwqwq

eweew<a href="https://www.seocheckin.com/edu-sites-list/">mashood</a>

WQwqwqwq[url=https://www.seocheckin.com/edu-sites-list/]mashood[/url]

dwqqqwqwq mashood

[https://isc.sans.edu/diary.html](https://isc.sans.edu/diary.html)

[https://isc.sans.edu/diary.html | https://isc.sans.edu/diary.html]

What's this all about ..?

password reveal .

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission

https://thehomestore.com.pk/

Internet Storm Center

Guest Diary: Xavier Mertens - Playing with IP Reputation with Dshield & OSSEC

Comments

www

Nov 17th 2022
6 months ago

EEW

Nov 17th 2022
6 months ago

qwq

Nov 17th 2022
6 months ago

mashood

Nov 17th 2022
6 months ago

isc.sans.edu

Nov 23rd 2022
6 months ago

isc.sans.edu

Nov 23rd 2022
6 months ago

isc.sans.edu

Dec 3rd 2022
5 months ago

isc.sans.edu

Dec 3rd 2022
5 months ago

isc.sans.edu

Dec 26th 2022
5 months ago

isc.sans.edu

Dec 26th 2022
5 months ago

Guest Diary: Xavier Mertens - Playing with IP Reputation with Dshield & OSSEC

Comments

www

Nov 17th 20226 months ago

EEW

Nov 17th 20226 months ago

qwq

Nov 17th 20226 months ago

mashood

Nov 17th 20226 months ago

isc.sans.edu

Nov 23rd 20226 months ago

isc.sans.edu

Nov 23rd 20226 months ago

isc.sans.edu

Dec 3rd 20225 months ago

isc.sans.edu

Dec 3rd 20225 months ago

isc.sans.edu

Dec 26th 20225 months ago

isc.sans.edu

Dec 26th 20225 months ago

Nov 17th 2022
6 months ago

Nov 17th 2022
6 months ago

Nov 17th 2022
6 months ago

Nov 17th 2022
6 months ago

Nov 23rd 2022
6 months ago

Nov 23rd 2022
6 months ago

Dec 3rd 2022
5 months ago

Dec 3rd 2022
5 months ago

Dec 26th 2022
5 months ago

Dec 26th 2022
5 months ago