I came across this article while surfing the Internet. [ Server Security: Indicators of Compromised Behavior with OSSEC ]
Indicator of Compromised Behavior Definition!
Attackers are always evolving and changing their tactics, and security products never detect 100% of malicious behavior.
However, there is an additional data point that can be monitored: your own users and servers, specifically how they interact with each other. Instead of looking for malicious behavior, you look at their normal behavior and try to find anomalies that may signal a compromise.
Over a period of time, the same person (or server) will start to display patterns that remain consistent and are measurable. This lets us move beyond focusing on malicious behavior and instead measure the patterns that are created, to better understand what users are doing.
Maybe someone tries to open a backdoor; catch it using OSSEC alerts!
I clearly understood the Indicators of Compromised Behavior with OSSEC article. At the end of the article, the comments contain a real shell-upload scenario and how you catch it using OSSEC alerts. So I am publishing this article for educational and informational purposes only. If you want to read the full article, you should visit here! Thanks,
This alert is actually a real OSSEC alert that found a backdoor:
OSSEC HIDS Notification.
2013 Jun 16 23:48:29
Received From: hetzner->/var/www/logs/error.log
Rule: 31421 fired (level 5) -> "PHP internal error (missing file or function)."
Portion of the log(s):
2013/06/16 23:48:27 [error] 2252#0: *9980497 FastCGI sent in stderr: "PHP message: PHP Fatal error:
Call to undefined function includ_once()
in /var/www/docs/wp-content/themes/bluetheme/footer.php on line 1" while reading upstream, client: 5.9.164.69, server: hetzner, request: "GET /wp-content/themes/bluetheme/images/favico
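The alert above fires on a generic PHP fatal error (rule 31421, level 5); what makes it interesting is the context: an undefined function that is one letter away from include_once, raised from line 1 of a theme file under wp-content. As an added example (not code from the original article or from OSSEC's rule set), here is a small Python scanner that applies that reading to raw nginx/php-fpm error-log records. It handles records that wrap across lines the way the alert does. The sample log, the client IP (a TEST-NET address), the request path, the WATCHED_BUILTINS and USER_CONTENT_PATHS lists, the 0.8 similarity threshold and the line-1 heuristic are all this example's own assumptions.

```python
"""Triage nginx/php-fpm error-log records for PHP fatal errors that look like
injected or broken code, following the reading of the OSSEC alert above.

Added example, not code from the original article or from OSSEC. The path list,
builtin-name similarity check and line-1 heuristic are this example's assumptions.
"""
import re
from difflib import SequenceMatcher

# Constructed sample modelled on the alert above. The first record wraps across
# lines the way the alert shows; the second is a routine 404 that must not fire.
# Client IP is a TEST-NET address, not the one from the alert.
SAMPLE_LOG = """\
2013/06/16 23:48:27 [error] 2252#0: *9980497 FastCGI sent in stderr: "PHP message: PHP Fatal error:
Call to undefined function includ_once()
in /var/www/docs/wp-content/themes/bluetheme/footer.php on line 1" while reading upstream, client: 203.0.113.5, server: hetzner, request: "GET /wp-content/themes/bluetheme/images/example.png HTTP/1.1"
2013/06/16 23:49:02 [error] 2252#0: *9980510 open() "/var/www/docs/robots.txt" failed (2: No such file or directory), client: 203.0.113.5, server: hetzner, request: "GET /robots.txt HTTP/1.1"
"""

# A new record starts wherever a line begins with an nginx timestamp.
RECORD_START = re.compile(r"(?m)^(?=\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} )")
HEADER = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"\d+#\d+: (?:\*\d+ )?(?P<msg>.*)$", re.S)
PHP_UNDEFINED = re.compile(
    r"PHP Fatal error:\s*Call to undefined function (?P<func>\w+)\(\)\s*"
    r"in (?P<file>\S+) on line (?P<line>\d+)", re.S)
CLIENT = re.compile(r"client: (?P<client>[0-9a-fA-F.:]+)")
REQUEST = re.compile(r'request: "(?P<request>[^"]*)"')

# Assumption: a near-miss of one of these builtins in a fatal error is a stronger
# signal than an arbitrary unknown name, because vendor code does not ship typos.
WATCHED_BUILTINS = ("include_once", "include", "require_once", "require",
                    "eval", "base64_decode", "gzinflate", "system", "exec")
# Assumption: vendor code lives outside these writable, user-managed paths.
USER_CONTENT_PATHS = ("/wp-content/themes/", "/wp-content/uploads/",
                      "/wp-content/plugins/")


def parse_records(text):
    """Split raw error-log text into records, tolerating multi-line messages."""
    records = []
    for chunk in RECORD_START.split(text):
        chunk = chunk.strip()
        m = HEADER.match(chunk) if chunk else None
        if m:
            records.append(m.groupdict())
    return records


def closest_builtin(func):
    """Return (builtin, similarity) for the watched builtin nearest to func."""
    best = max(WATCHED_BUILTINS, key=lambda b: SequenceMatcher(None, func, b).ratio())
    return best, SequenceMatcher(None, func, best).ratio()


def assess(record):
    """Score one record; return a finding dict, or None if it is not a PHP fatal."""
    m = PHP_UNDEFINED.search(record["msg"])
    if not m:
        return None
    func, path, line = m.group("func"), m.group("file"), int(m.group("line"))
    builtin, ratio = closest_builtin(func)
    # Any undefined-function fatal already matches what rule 31421 reports.
    reasons = ["PHP fatal error: call to undefined function"]
    if any(p in path for p in USER_CONTENT_PATHS):
        reasons.append("error raised inside a user-managed content path")
    if func != builtin and ratio >= 0.8:
        reasons.append("function name is a near-miss of builtin %s" % builtin)
    if line == 1:
        reasons.append("error on line 1, the top-of-file position seen in the alert")
    score = len(reasons)
    severity = "high" if score >= 3 else "medium" if score == 2 else "low"
    client = CLIENT.search(record["msg"])
    request = REQUEST.search(record["msg"])
    return {
        "timestamp": record["ts"], "func": func, "file": path, "line": line,
        "closest_builtin": builtin,
        "client": client.group("client") if client else None,
        "request": request.group("request") if request else None,
        "severity": severity, "reasons": reasons,
    }


def scan(text):
    """Return findings for every record in the log text that assess() flags."""
    return [f for f in (assess(r) for r in parse_records(text)) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("%s %s %s:%d func=%s client=%s" % (
            f["severity"].upper(), f["timestamp"], f["file"], f["line"],
            f["func"], f["client"]))
        for r in f["reasons"]:
            print("  -", r)
```

Run it on a real error.log by reading the file into scan(); the routine 404 in the sample produces no finding, while the wrapped PHP fatal comes back as a single high-severity finding with the file, line, nearest builtin and client attached, which is the context an analyst needs to decide whether footer.php was edited by someone who should not have been able to.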
Thanks for sharing, Jonas Lejon.