Post archive for the category 'Seguridad'

Using OSSEC & SEC for Malware Detection

Friday, 12. March 2010 19:07

Hi all, this is my first English post, so please excuse any mistakes :) I will try to show how we can use OSSEC and SEC to detect malware on our servers.
We need a working installation of OSSEC (local or server mode), mhc, this small Perl script and SEC. After installing (copying) mhc and the Perl script (into /usr/local/bin, for example), open a new file with your favorite text editor:

#
# New syscheck event - Store agent name
#
type=Single
pattern= (\S+)->syscheck
ptype=regexp
desc=$0
action=create OSSEC_SYSCHECK; assign %agent $1

#
# Integrity checking - Store filename
#
type=Single
ptype=regexp
context=OSSEC_SYSCHECK
desc=$0
pattern=Integrity checksum changed for: '(\S+)'
action=assign %file $1;

#
# Integrity checking - New event for SingleWithScript (I can't use %vars with script directive)
#
type=Single
ptype=regexp
context=OSSEC_SYSCHECK
pattern=New md5sum is : '(\S+)'
desc=OSSEC: Filename: %file - md5sum: $1
action=event OSSEC: Filename: %file - md5sum: $1

#
# Integrity checking - Check against Virustotal.com
#
type=SingleWithScript
desc=$0
ptype=regexp
context=OSSEC_SYSCHECK
pattern=^OSSEC: Filename: (\S+) - md5sum: (\S+)
script=/usr/local/bin/sec-virustotal $2 $1
action=none
action2=eval %a \
({	use Sys::Syslog; \
	openlog('sec-virustotal','','user'); \
	syslog('info', "%agent: File %file ($1) is tagged as VIRUS by virustotal.com"); \
	closelog; \
	1;  \
};); delete OSSEC_SYSCHECK

Save this file in the /etc/sec directory (I used ossec.sec as the filename). Then we must define a new OSSEC rule:


<rule id="100001" level="12">
	<!-- id and level are placeholders: pick an unused id (user rules start at 100000) and the level you want -->
	<program_name>sec-virustotal</program_name>
	<match>VIRUS</match>
	<description>Virus Found!!</description>
</rule>

Be sure to use an unused id for your new rule. You can add a group directive if you want to correlate it with another event. Before starting SEC, we can change the sec-virustotal script so that it scans only files with the extensions we care about. Keep in mind that SEC runs action2 only when the script exits with a non-zero status, so the script must exit 0 for every file it skips and for every file mhc reports as clean:

#!/usr/bin/perl
# sec-virustotal: called by SEC as "sec-virustotal <md5> <filename>".
# Exits 0 when the file is skipped and passes mhc's exit status through
# otherwise; SEC runs action2 on any non-zero exit.

use strict;
use warnings;

my $virus_script = '/usr/local/bin/mhc';
my @extensions = qw/exe dll/; # Use * for all extensions

if ($#ARGV != 1) {
    print "usage: $0 md5hash filename\n";
    exit 100;   # note: to SEC any non-zero exit counts as a hit
}

my $hash     = $ARGV[0];
my $filename = $ARGV[1];
my @tmp = split(/\./, $filename);   # extension = text after the last dot
my $ext = lc($tmp[$#tmp]);

foreach (@extensions) {
    if ($ext eq $_ || $_ eq '*') { # Extension found, scanning...
        qx/$virus_script --hash $hash --no-cache/;   # output is not needed, only the exit status
        exit ($? >> 8);
    }
}
exit 0;   # extension not in the list: nothing to scan

We can change the @extensions variable to scan '.scr' files too, for example. Now that we have our new rule, restart OSSEC and launch SEC. The -quoting option makes SEC quote match variables before substituting them into external commands, which matters here because the filename in the script= line comes straight from the syscheck alert:

 # /var/ossec/bin/ossec-control restart
 # /usr/bin/perl -w /usr/bin/sec -conf=/etc/sec/ossec.sec -quoting -input=/var/ossec/logs/alerts/alerts.log -detach

I leave launching SEC at startup to the reader, but on Debian you can edit /etc/default/sec:

#Defaults for sec
RUN_DAEMON="yes"
DAEMON_ARGS="-conf=/etc/sec/ossec.sec -input=/var/ossec/logs/alerts/alerts.log -pid=/var/run/sec.pid -detach -quoting"
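To see the whole chain work without a running OSSEC, SEC or mhc, here is an offline walk-through of the pipeline above. It is an added example, not code from the original post nor from SEC, OSSEC or mhc: it applies the same regexes as the SEC rules to a constructed alerts.log excerpt to correlate each multi-line syscheck alert into (agent, file, md5), applies the extension filter of sec-virustotal, and replaces the mhc/VirusTotal call with a constructed list of "known bad" hashes. Two assumptions are made explicit in the comments: mhc exits non-zero when a hash is flagged (which is what action2 relies on), and the extension is taken from the last path component only, whereas the post splits the whole path on dots.

```perl
#!/usr/bin/perl
# Offline walk-through of the pipeline above (added example, not code from
# the original post, SEC, OSSEC or mhc): correlate a syscheck alert into
# (agent, file, md5) the way the SEC rules do, apply the sec-virustotal
# extension filter, and stand in for mhc with a constructed hash list.
use strict;
use warnings;

# Constructed alerts.log excerpt in the format OSSEC writes for rule 550
# (local mode: "<host>->syscheck"). Only three lines per alert matter to
# the SEC rules; the rest is kept so the parser is exercised realistically.
my $alerts = <<'END';
** Alert 1268416000.0: - ossec,syscheck,
2010 Mar 12 19:00:00 webserver->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/srv/www/uploads/invoice.exe'
Old md5sum was: '00000000000000000000000000000000'
New md5sum is : 'd41d8cd98f00b204e9800998ecf8427e'
** Alert 1268416001.0: - ossec,syscheck,
2010 Mar 12 19:00:01 webserver->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
Old md5sum was: '11111111111111111111111111111111'
New md5sum is : '22222222222222222222222222222222'
** Alert 1268416002.0: - ossec,syscheck,
2010 Mar 12 19:00:02 fileserver->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/home/bob/Downloads/game.SCR'
Old md5sum was: '33333333333333333333333333333333'
New md5sum is : '44444444444444444444444444444444'
END

# Constructed stand-in for the mhc/VirusTotal lookup: hashes treated as
# malicious. Assumption, as in the SEC rule above: mhc exits non-zero when
# the hash is flagged, so non-zero here means "VIRUS".
my %bad = ('d41d8cd98f00b204e9800998ecf8427e' => 1);

my @extensions = qw/exe dll scr/;    # same filter idea as sec-virustotal

# Step 1: the three Single rules. Remember the agent (create context),
# then the filename, then emit one event per "New md5sum" line.
sub correlate {
    my ($text) = @_;
    my (@events, $agent, $file);
    for my $line (split /\n/, $text) {
        if ($line =~ / (\S+)->syscheck/) { $agent = $1; next; }
        if ($line =~ /Integrity checksum changed for: '(\S+)'/) { $file = $1; next; }
        if ($line =~ /New md5sum is : '(\S+)'/ && defined $agent && defined $file) {
            push @events, { agent => $agent, file => $file, md5 => $1 };
            ($agent, $file) = (undef, undef);   # delete OSSEC_SYSCHECK
        }
    }
    return @events;
}

# Step 2: what sec-virustotal decides for (md5, filename). The extension is
# taken from the last path component only (the post splits the whole path
# on dots). Returns the exit status SEC would see: 0 = skipped or clean.
sub check_file {
    my ($md5, $filename) = @_;
    my ($ext) = $filename =~ /\.([^.\/]+)$/;
    $ext = defined $ext ? lc $ext : '';
    return 0 unless grep { $_ eq '*' || $_ eq $ext } @extensions;
    return $bad{$md5} ? 1 : 0;
}

# Step 3: SingleWithScript. Exit 0 -> action=none; non-zero -> action2, the
# syslog line (ident sec-virustotal) that the OSSEC rule matches on "VIRUS".
sub run {
    my ($text) = @_;
    my @lines;
    for my $ev (correlate($text)) {
        next if check_file($ev->{md5}, $ev->{file}) == 0;
        push @lines, "sec-virustotal: $ev->{agent}: File $ev->{file} is tagged as VIRUS by virustotal.com";
    }
    return @lines;
}

print "$_\n" for run($alerts);
```

Run it with plain perl and only invoice.exe is reported: /etc/passwd has no extension and is skipped before any hash lookup, and game.SCR passes the (lowercased) extension filter but its hash is not in the constructed list, so its exit status is 0 and, like action=none in the SEC rule, nothing is written. In a real deployment the %bad lookup is where the qx/mhc --hash .../ call and its $? >> 8 go.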

I hope you find this useful.

Topic: Malware, OSSEC, Perl | Comments (0) | Author: Iñaki

The OSSEC talk

Monday, 1. March 2010 1:17

A week ago I gave a talk about OSSEC. Here it is:

http://bit.ly/9EkuvX

And the slides:

- http://bit.ly/b3OLTD (odp)
- http://bit.ly/bJKhKw (ppt)
- http://bit.ly/cSLoZW (pdf)

See you

Topic: OSSEC, Seguridad | Comments (0) | Author: Iñaki

Web meeting about OSSEC

Saturday, 30. January 2010 14:09

For everyone interested in getting to know OSSEC HIDS, I have organized a talk on Friday 12 February at 16:20 Spanish time. You just need to sign up:



Topic: OSSEC, Seguridad | Comments (1) | Author: Iñaki