OSSEC Rules for OpenVPN
We use OpenVPN and OSSEC together regularly. Unfortunately, OSSEC doesn't do any useful interpretation of OpenVPN events out of the box. Instead, you'll wade through a stream of rule 1002 (the generic catch-all) alerts in your email to see what's going on with OpenVPN.
We recently sat down and drafted a custom decoder and a few custom rules for one of our clients who graciously permitted us to share them with the public.
The decoder is simple: a parent decoder matches on the program_name “openvpn” and two child decoders match login and failure strings. The decoder pulls the srcip and user from the log messages for use in active response.
The rules are also relatively straightforward. Events are grouped into appropriate existing OSSEC groups. If there are ~5 authentication failures in 2 minutes, a level 10 alert is created, which will trigger active response and block the offending IP address.
openvpn_decoder.xml (the XML tags are restored around the extracted text; the two child decoder names are our assumption, the patterns and order are the original's):

  <decoder name="openvpn">
    <program_name>openvpn</program_name>
  </decoder>

  <decoder name="openvpn-success">   <!-- name assumed -->
    <parent>openvpn</parent>
    <prematch>TLS: Username/Password authentication succeeded for username</prematch>
    <regex>^(\d+.\d+.\d+.\d+):\d+ TLS: Username/Password authentication succeeded for username '(\S+)'</regex>
    <order>srcip,user</order>
  </decoder>

  <decoder name="openvpn-failure">   <!-- name assumed -->
    <parent>openvpn</parent>
    <prematch>AUTH_FAILED</prematch>
    <regex>^(\d+.\d+.\d+.\d+):\d+ SENT CONTROL [(\S+)]</regex>
    <order>srcip,user</order>
  </decoder>
openvpn_rules.xml (tags restored as above; rule ids 100500 and 100502 and the level 10 frequency rule are the original's, the other ids, the levels and same_source_ip are our assumptions, marked below):

  <group name="openvpn,">
    <rule id="100500" level="0">
      <decoded_as>openvpn</decoded_as>
      <description>OpenVPN messages grouped.</description>
    </rule>

    <rule id="100501" level="3">   <!-- id and level assumed -->
      <if_sid>100500</if_sid>
      <match>authentication succeeded</match>
      <description>OpenVPN authentication success.</description>
      <group>authentication_success,</group>
    </rule>

    <rule id="100502" level="5">   <!-- level assumed -->
      <if_sid>100500</if_sid>
      <match>AUTH_FAILED</match>
      <description>OpenVPN authentication failed.</description>
      <group>authentication_failed,</group>
    </rule>

    <rule id="100503" level="10" frequency="5" timeframe="120">   <!-- id assumed; ~5 failures in 2 minutes -->
      <if_matched_sid>100502</if_matched_sid>
      <same_source_ip />   <!-- assumed, so the active response has one offending address to block -->
      <description>Multiple OpenVPN authentication failures.</description>
      <group>authentication_failures,</group>
    </rule>

    <rule id="100504" level="0">   <!-- id assumed; level 0 silences the noise -->
      <if_sid>100500</if_sid>
      <match>error trying to bind as user|PLUGIN_AUTH_USER_PASS_VERIFY failed with status|Username/Password verification failed for peer|TLS Error|SIGUSR1[soft,tls-error] received, client-instance restarting</match>
      <description>OpenVPN message that is useless, redundant, or lacking context.</description>
    </rule>
  </group>
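To check the decoder patterns and the failure-burst logic against sample log lines before touching a live OSSEC server, here is an added Python emulation (not part of the original post or of OSSEC): it applies Python equivalents of the two child-decoder regexes and a per-source-IP frequency/timeframe window. The sample messages are constructed; counting per source IP (same_source_ip) and resetting the window once the composite rule fires are assumptions.

```python
import re
from collections import defaultdict, deque

# Python equivalents of the post's two decoder regexes (literal "\." where OSSEC's "." matches any char).
SUCCESS_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+):\d+ TLS: Username/Password "
                        r"authentication succeeded for username '(\S+)'")
FAILURE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+):\d+ SENT CONTROL \[(\S+)\]")
FREQUENCY, TIMEFRAME = 5, 120   # ~5 failures in 2 minutes -> level 10 (from the post)

def decode(message):
    """Mirror the decoders: (group, srcip, user) for an OpenVPN message body, else None."""
    if "authentication succeeded" in message:     # success decoder prematch
        m = SUCCESS_RE.match(message)
        if m:
            return ("authentication_success", m.group(1), m.group(2))
    if "AUTH_FAILED" in message:                  # failure decoder prematch
        m = FAILURE_RE.match(message)
        if m:
            return ("authentication_failed", m.group(1), m.group(2))
    return None                                   # falls to the level-0 noise rule

def correlate(events):
    """events: iterable of (unix_ts, message). Emulates the frequency/timeframe rule,
    counting failures per source IP (same_source_ip is our assumption, since the post
    says the response blocks the offending address). Returns (ts, group, srcip, user)."""
    failures, alerts = defaultdict(deque), []
    for ts, msg in events:
        decoded = decode(msg)
        if decoded is None:
            continue
        group, srcip, user = decoded
        if group == "authentication_failed":
            window = failures[srcip]
            window.append(ts)
            while ts - window[0] > TIMEFRAME:      # drop failures older than 2 minutes
                window.popleft()
            if len(window) >= FREQUENCY:           # composite rule fires: level 10
                window.clear()                     # one alert per burst (assumption)
                group = "authentication_failures"
        alerts.append((ts, group, srcip, user))
    return alerts

def demo():
    """Constructed sample: one success, one noise line, six AUTH_FAILED from one client."""
    base = 1_700_000_000
    events = [(base, "10.0.0.5:51234 TLS: Username/Password authentication succeeded "
                     "for username 'alice'"), (base + 5, "TLS Error: TLS handshake failed")]
    events += [(base + 10 + 15 * i, "10.0.0.9:40001 SENT CONTROL [bob]: 'AUTH_FAILED' (status=1)") for i in range(6)]
    return correlate(events)
```

Real OSSEC counts composite-rule occurrences slightly differently across versions, so treat the emulation as a sanity check of the patterns and thresholds, not as a bit-exact model of ossec-analysisd.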
For cleanliness, we deploy custom decoders in decoders.d and custom rulesets in rules.d as separate files. If your OSSEC installation isn't already configured this way, save yourself some frustration and modify your server ossec.conf to have these two lines first in your <rules> section:

  <decoder>etc/decoder.xml</decoder>
  <decoder_dir>etc/decoders.d</decoder_dir>

and this line last:

  <rule_dir>etc/rules.d</rule_dir>

Failure to include these in this order will cause issues with your installation.