Introduction

In OSSEC, rules are classified into levels from the lowest (00) up to the maximum level 16. Some levels are not used at present; the levels that are used are explained below.
00 - Ignored
01 - None
05 - Error generated by user
06 - Low relevance attack
08 - First time seen
12 - High importance event
15 - Severe attack (no chance of false positives)

Rule groups assign a rule to one or more named groups. They are used for active response and for correlation.

Checking Rules

You can find the OSSEC rule files in ‘var/ossec/rules’. The XML files in this directory contain the rules.

In a rule XML file the parent element carries the group name (‘group name’), e.g. <group name="web,accesslog,">. Inside it you define the rules as below.

As an example, to catch all 400 error codes:

<rule id="31101" level="5">
  <if_sid>31100</if_sid>
  <id>^4</id>
  <description>Web server 400 error code.</description>
</rule>

Then skip resource files whose names end with .jpg, .css and .js:

<rule id="31102" level="0">
  <if_sid>31101</if_sid>
  <url>.jpg$|.css$|.js$</url>
  <compiled_rule>is_simple_http_request</compiled_rule>
  <description>Ignored extensions on 400 error codes.</description>
</rule>

‘is_simple_http_request’ [1] is a compiled rule function already built into OSSEC. If you build OSSEC from source you can customize these functions or add new ones to improve your rules.
Testing the Rules

Initial Test Case

To test the above rules you can add a custom log record as below.

Here we need the current time from the terminal in the following format.
23/Aug/2016:10:09:28 +0530

  • Set up a sample Apache log line as below

now=$(date +"%d/%b/%Y:%T %z")
echo "192.168.100.78 - - [$now] \"GET /ossim/services HTTP/1.1\" 200 2295 \"-\" \"Mozilla Firefox/47.0\""

Building the log record to append to the log file

httpStatus=400

logRecord="192.168.100.78 - - [$(date +"%d/%b/%Y:%T %z")] \"GET /ossim/services HTTP/1.1\" $httpStatus 2295 \"-\" \"Mozilla Firefox/47.0\""

  • Then append it to the log file to test our use case with the custom rules

echo '{string}' >> file.txt

Our apache log is in /var/log/apache2/access.log

logRecord="192.168.100.78 - - [$(date +"%d/%b/%Y:%T %z")] \"GET /ossim/services HTTP/1.1\" $httpStatus 2295 \"-\" \"Mozilla Firefox/47.0\""

# double quotes, not single quotes, so that $logRecord is expanded
echo "$logRecord" >> access.log

Or you can try this line for testing:

echo "192.168.100.78 - - [$(date +"%d/%b/%Y:%T %z")] \"GET /ossim/foo/ HTTP/1.1\" $httpStatus 3360 \"-\" \"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36\"" >> access.log
Second use case

Customize rule id="31104", which is in ‘var/ossec/rules/web_rules.xml’, as below for testing:

<rule id="31104" level="6">
  <if_sid>31100</if_sid>
  <url>foo</url>
  <description>Common web attack.</description>
  <group>attack</group>
</rule>

Then restart the OSSEC server that is included in OSSIM (AlienVault).

Then append a log record that triggers the rule, as below:

echo "192.168.100.78 - frank [$(date +"%d/%b/%Y:%T %z")] \"GET /ossim/go/foo HTTP/1.1\" $httpStatus 3360 \"-\" \"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36\"" >> ../../log/apache2/access.log

Here is the trigger in OSSIM UI.

[Image: the triggered alert as shown in the OSSIM UI]

[1] https://github.com/Madhuka/ossec-hids/blob/master/src/analysisd/compiled_rules/generic_samples.c#L106


We use the Singleton design pattern in our applications whenever it is needed. As we know, the singleton pattern allows only one instance to be created, which can be accessed throughout the whole application. But in some cases the singleton behavior can be broken.

There are mainly three mechanisms that can break the singleton property of a singleton class in Java. In this post we discuss how each of them breaks it and how to prevent that.

Here is sample Singleton class and SingletonTest class.

Singleton.java

package demo1;

public final class Singleton {

    private static volatile Singleton instance = null;

    private Singleton() {
    }

    public static Singleton getInstance() {
        if (instance == null) {
            synchronized (Singleton.class) {
                if (instance == null) {
                    instance = new Singleton();
                }
            }
        }
        return instance;
    }
}

SingletonTest.java


package demo1;

public class SingletonTest {
    public static void main(String[] args) {
        Singleton object1 = Singleton.getInstance();
        Singleton object2 = Singleton.getInstance();
        System.out.println("Hashcode of Object 1 - " + object1.hashCode());
        System.out.println("Hashcode of Object 2 - " + object2.hashCode());
    }
}

Here is the output; you can see the same hashcode for object1 and object2.

Hashcode of Object 1 - 1836019240
Hashcode of Object 2 - 1836019240

Now we will break this pattern. First, we will use java reflection.

Reflection

Java Reflection is an API used to examine or modify the behavior of methods, classes and interfaces at runtime. Using the Reflection API we can create multiple objects of the singleton class. Consider the following example.

ReflectionSingleton.java

package demo1;

import java.lang.reflect.Constructor;

public class ReflectionSingleton {
    public static void main(String[] args)  {

        Singleton objOne = Singleton.getInstance();
        Singleton objTwo = null;
        try {
            Constructor constructor = Singleton.class.getDeclaredConstructor();
            constructor.setAccessible(true);
            objTwo = (Singleton) constructor.newInstance();
        } catch (Exception ex) {
            System.out.println(ex);
        }

        System.out.println("Hashcode of Object 1 - "+objOne.hashCode());
        System.out.println("Hashcode of Object 2 - "+objTwo.hashCode());

    }
}

This example shows how reflection can break the singleton pattern. You will get two different hashcodes as below, so the singleton guarantee is broken.

Hashcode of Object 1 - 1836019240
Hashcode of Object 2 - 325040804

Prevent Singleton pattern from Reflection

There are many ways to protect a Singleton from the Reflection API, but one of the best solutions is to throw a runtime exception in the constructor if the instance already exists. With this, a second instance cannot be created.

    private Singleton() {
        if( instance != null ) {
           throw new InstantiationError( "Creating of this object is not allowed." );
        }
    }

Deserialization

With serialization we can save an object as a byte stream to a file or send it over a network. If you serialize the Singleton instance and then deserialize it, a new instance is created, so deserialization breaks the Singleton pattern.

The code below illustrates how the Singleton pattern breaks with deserialization.

First make the Singleton class implement the Serializable interface.

DeserializationSingleton.java

package demo1;

import java.io.*;

public class DeserializationSingleton {

    public static void main(String[] args) throws Exception {

        Singleton instanceOne = Singleton.getInstance();
        ObjectOutput out = new ObjectOutputStream(new FileOutputStream("file.text"));
        out.writeObject(instanceOne);
        out.close();

        ObjectInput in = new ObjectInputStream(new FileInputStream("file.text"));
        Singleton instanceTwo = (Singleton) in.readObject();
        in.close();

        System.out.println("hashCode of instance 1 is - " + instanceOne.hashCode());
        System.out.println("hashCode of instance 2 is - " + instanceTwo.hashCode());
    }

}

The output is below; you can see two different hashcodes.

hashCode of instance 1 is - 2125039532
hashCode of instance 2 is - 381259350

Prevent Singleton Pattern from Deserialization

To overcome this issue, we need to add a readResolve() method to the Singleton class that returns the existing Singleton instance. Update Singleton.java with the method below.

    protected Object readResolve() {
        return instance;
    }

Now run the above DeserializationSingleton class and see the output.

hashCode of instance 1 is - 2125039532
hashCode of instance 2 is - 2125039532

Cloning

Using the "clone" method we can create a copy of an object. If we apply clone to a singleton, we get two instances: the original and the cloned object. This breaks the Singleton principle, as shown in the code below.

Implement the "Cloneable" interface and override the clone method in the above Singleton class.

Singleton.java


    @Override
    protected Object clone() throws CloneNotSupportedException  {
        return super.clone();
    }

Then test cloning to break the singleton:
CloningSingleton.java

package demo1;

public class CloningSingleton {
    public static void main(String[] args) throws CloneNotSupportedException {
        Singleton instanceOne = Singleton.getInstance();
        // clone() is protected, so this must live in the same package as Singleton
        Singleton instanceTwo = (Singleton) instanceOne.clone();
        System.out.println("hashCode of instance 1 - " + instanceOne.hashCode());
        System.out.println("hashCode of instance 2 - " + instanceTwo.hashCode());
    }
}

Here is the output:

hashCode of instance 1 - 1836019240
hashCode of instance 2 - 325040804

As the output shows, the two instances have different hashcodes, so they are not the same object.


Prevent Singleton Pattern from Cloning

The code above breaks the Singleton principle, i.e. two instances are created. To overcome this we override the clone() method and throw CloneNotSupportedException from it. If anyone tries to clone the Singleton object, an exception is thrown, as in the code below.

    @Override
    protected Object clone() throws CloneNotSupportedException  {
        throw new CloneNotSupportedException();
    }

Now when we run the CloningSingleton class, it throws CloneNotSupportedException while trying to clone the Singleton object.
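Putting the three defenses from this post together, here is an added example (not the post's own Singleton.java; the class name HardenedSingleton is assumed) whose main() shows each attempt being stopped. It also shows the caveat that the constructor guard only works once getInstance() has run, which is why readResolve() here calls getInstance() instead of returning the bare field.

```java
import java.io.*;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
// Added example, not the post's Singleton.java: all three defenses in one class.
public final class HardenedSingleton implements Serializable, Cloneable {
    private static volatile HardenedSingleton instance = null;

    private HardenedSingleton() {
        // Reflection guard: only effective once instance is non-null, so
        // getInstance() must have run before any reflective construction.
        if (instance != null) {
            throw new InstantiationError("Creating of this object is not allowed.");
        }
    }

    public static HardenedSingleton getInstance() {
        if (instance == null) {
            synchronized (HardenedSingleton.class) {
                if (instance == null) {
                    instance = new HardenedSingleton();
                }
            }
        }
        return instance;
    }

    // Deserialization guard: the freshly read copy is discarded; getInstance()
    // also covers a JVM where nothing has created the instance yet.
    protected Object readResolve() {
        return getInstance();
    }

    // Cloning guard.
    @Override
    protected Object clone() throws CloneNotSupportedException {
        throw new CloneNotSupportedException();
    }

    public static void main(String[] args) throws Exception {
        HardenedSingleton one = getInstance();
        try {
            Constructor<HardenedSingleton> c = HardenedSingleton.class.getDeclaredConstructor();
            c.setAccessible(true);
            c.newInstance(); // constructor throws; newInstance wraps it
        } catch (InvocationTargetException e) {
            System.out.println("reflection blocked: " + e.getCause());
        }
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(one); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            System.out.println("deserialized is same instance: " + (in.readObject() == one));
        }
        try { one.clone(); } catch (CloneNotSupportedException e) { System.out.println("clone blocked"); }
    }
}
```

Running it prints that reflection was blocked, that the deserialized object is the same instance, and that the clone was blocked.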

