Unlike OSSEC, Samhain HIDS is not being able to detect any false login, its not being able to detect rootkits or do any kernel level checks.

I have configured Kernel, SUID, Login and logout but it seems it doesn't take any effect.

The things that it can detect only if I add users and it performs file integrity check.

I would really appreciate if anyone could help or provide me with any suggestions.
Its intalled and configured properly according to BOOK (Host Integrity Monitoring Using Osiris and Samhain) yet it is not detecting a thing.
I dont know where i'm making mistake.

I even have installed rootkit and it doesn't even detect any file modification cause by it.

I seriously need help..

I could be wrong but AFAIK the rootkit component of OSSEC HIDS hasn't been significantly updated in a while...


Define "false login"?
How did you test it?


How did you test this?
What Samhain release?
Installed from source or as a distribution or third party package?
What distribution do you use (maybe fill in your Control Panel details)?
What kernel do you run?


Attach your full configuration file?


That is not a suggestion I would make unless you test inside an isolated and expendable virtualization guest.
What rootkit BTW?

I am performing this in a virtual environment. I am doing it in VMware to be safe and secure.
I have installed latest version of samhain-3.0.1 in Ubuntu 10.04 Desktop edition (server edition) both, kernel version 2.6.32.33.
I did I have done gpg check too and its totally fine.
To install I performed
I didn't do because i am just testing and if reboot it will scan everything and will take more than an hour to start up.

I do not have problem with tuning configuration files for file integrity check. I have done minor changes and left rest to default setting.

I changed few things, it is exactly same to books configuration
These are just how I configured.

Now, I need to create a baseline

I just checked with above command and it detects few alerts, that's fine, I'm not much worried about minor ones for now.

Now lets test for real threats
I am doing these changes directly in the ubuntu desktop.

In my case false login is like this (This is for internal threat test.):
I am direclty trying to login to root but providing wrong password.
I have installed openssh-server then i'm trying to login via ssh client from different computer.
I have been doing brute-force attack using hydra. Unlike OSSEC which detects and log each and every detail.


After installing and modifing I need to scan for possible threats

# samhain -t check -p warn --foreground

I don't know why i get these warning, I shouldn't be getting isn't it. I don't know why, I changed these before creating a baseline.

For some reason for the first time, I just performed everything and it really detected most of those things I mentioned.
It detected kbeast but I'm not sure if it detected it as rootkit and I didn't find any false login.

I have attached configuration and log files.

Attached Files

	samhain_log.txt (61.2 KB, 9 views)
	samhainrc.txt (15.8 KB, 18 views)

Sorry for the late reply. Priorities and such.


Good.


Thanks.


You should not assume everybody knows or has that book. Anyway. The [Kernel] section is missing values the documentation (samhain-3.0.1/docs/MANUAL-2_3.html/MANUAL-2_3/checking-for-kernel-module-rootkits.html) talks about. Without these the LKM check can't detect changes.


If you run Ubuntu then root is not allowed to log in so which password you use should not matter.


The configuration file has generic "SetFilecheckTime" of one hour but the [Utmp] section is missing a specific "LoginCheckInterval" for scheduling the login/logout check.
* IMHO OSSEC HIDS shouldn't be compared with Samhain. If you would then in some aspects it may perform better and worse in others.
** Also I've noticed you use "SyslogFacility=LOG_LOCAL2". Did you define this facility in your syslog configuration, initialize the log file and restart syslog?


Maybe the checks weren't enabled when you compiled Samhain. Check your build directory, the configure.log / configure.status files.


Doubtful. At least your (current) log and configuration file don't support that. Samhain detected Kbeast only by the files added to the /usr/_h4x_ path.

Finally, I have corrected my mistakes and I am quite happy with your suggestion never the less this link really helped me a lot http://www.linuxquestions.org/questi...amhain-895613/.

I Understood and now I have compiled various optional modules required.

Later I installed Kbeast, I got these results I just want you to confirm if these are the possible changes done in kernel due to the rootkit installtion

I defined [Utmp] so that I can monitor login events
I don't know for some reason it worked once but then it wasn't working. But I'm sure I'll get it working.

Finally, I would like to know which checksum does samhain support by default.

Ah, yes, one of the more elaborate threads of 2011. Was fun doing that.


Yes, it would be very uncommon for any process to modify system calls. Looks good. Except the log line ctime and mtime values look wacky. Best run that by Rainer Wichmann, the Samhain developer via http://la-samhna.de/contact.html or http://la-samhna.de/forum/cgi-bin/wolfbbs_index.cgi.


See samhain-3.0.1/docs/MANUAL-2_3.html/MANUAL-2_3/hash-function.html and samhain-3.0.1/docs/MANUAL-2_3.html/MANUAL-2_3/file-signatures.html: TIGER but SHA-1 or MD5 can be used.

I think now I am able to do what I really wanted to do.
Thanks for the help.