Guest Diary: Xavier Mertens - Playing with IP Reputation with Dshield & OSSEC
Last Updated: 2015-06-02 13:00:20 UTC
by Alex Stanford (Version: 1)
[Guest Diary: Xavier Mertens] [Playing with IP Reputation with Dshield & OSSEC]
When investigating incidents or searching for malicious activity in your logs, IP reputation is a nice way to increase the reliability of generated alerts. It can help to prioritize incidents. Let's take an example with a Wordpress blog. It will, sooner or later, be targeted by a brute-force attack on the default /wp-admin page. In this case, IP reputation can be helpful: An attack performed from an IP address reported as actively scanning the Internet will not (or less) attract my attention. On the contrary, if the same kind of attack is coming from an unkown IP address, this could be more suspicious...
By using a reputation system, our monitoring tool can tag an IP address with a label like "reported as malicious" based on a repository. The real value of this repository depends directly of the value of collected information. I'm a big fan of dshield.org (https://www.dshield.org), a free service provided by the SANS Internet Storm Center. Such service is working thanks to the data submitted by many people across the Internet. For years, I'm also pushing my firewall logs to dshield.org from my OSSEC server. I wrote a tool to achieve this: ossec2dshield (https://github.com/xme/ossec2dshield). By contributing to the system, it's now time to get some benefits from my participation: I'm re-using the database to automatically check the reputation of the IP addresses attacking me. We come full circle!
To achieve this, let's use the API (https://isc.sans.edu/api/) provided on isc.sans.org and the OSSEC (http://www.ossec.net) feature called "Active-Response" which allows to trigger a script upon a set of conditions. In this example, we call the reputation script with our attacker address for any alert with a level >= 6.
The ISC API can be used to query information about an IP address. The returned results are:
The script can be configuration with a YAML configuration file (default to /etc/isc-ipreputation.conf) which is very easy to understand:
user-agent: 'isc-ipreputation/1.0 (blog.rootshell.be)’
The script is available on my github repository (https://github.com/xme/toolbox/blob/master/isc-ipreputation.py).