OSSEC-HIDS
[Open Source Security - Host Intrusion Detection System]
Introduction:
OSSEC is a platform to monitor and control your systems. It combines all the aspects of HIDS (host-based intrusion detection), log monitoring, and Security Incident Management (SIM)/Security Information and Event Management (SIEM) in a simple, powerful, open source solution.
The following operating systems are supported by the OSSEC agent:
• GNU/Linux (all distributions, including RHEL, Ubuntu, Slackware, Debian, etc.)
• Windows XP, 2003, Vista, 2008, 2012
• VMware ESX 3.0, 3.5 (including CIS checks)
• FreeBSD (all current versions)
• OpenBSD (all current versions)
• NetBSD (all current versions)
• Solaris 2.7, 2.8, 2.9 and 10
• AIX 5.2 and 5.3
Key Benefits:
Compliance Requirements:
OSSEC helps customers meet specific compliance requirements such as PCI and HIPAA. It lets customers detect and alert on unauthorized file system modifications and malicious behaviour embedded in the log files of commercial products as well as custom applications. For PCI, it covers the sections on file integrity monitoring (PCI 11.5, 10.5), log inspection and monitoring (section 10), and policy enforcement/checking.
Multi-platform:
OSSEC lets customers implement a comprehensive host-based intrusion detection system with fine-grained application/server-specific policies across multiple platforms such as Linux, Solaris, Windows, and Mac OS X.
Real-time and Configurable Alerts:
OSSEC lets customers configure the incidents they want to be alerted on, and lets them raise the priority of critical incidents above the regular noise on any system. Integration with SMTP, SMS, and syslog keeps customers on top of alerts by sending them to e-mail enabled devices. Active response options to block an attack immediately are also available.
Integration with current infrastructure:
OSSEC integrates with customers' existing investments such as SIM/SEM (Security Incident Management/Security Events Management) products for centralized reporting and correlation of events.
Example: in the current deployment, alerts are routed to Splunk as shown in the architecture below.
Key Features
File Integrity Checking:
There is one thing common to any attack on your networks and computers: they change your systems in some way. The goal of file integrity checking (or FIM, file integrity monitoring) is to detect these changes and alert you when they happen. Whether it is an attack, misuse by an employee or even a typo by an admin, any file, directory or registry change will be alerted to you.
Log Monitoring:
Your operating system wants to speak to you, but do you know how to listen? Every operating system, application, and device on your network generates logs (events) to let you know what is happening. OSSEC collects, analyzes and correlates these logs to let you know if something suspicious is happening (attack, misuse, errors, etc.). Do you want to know when an application is installed on your client box? Or when someone changes a rule in your firewall? By monitoring your logs, OSSEC will notify you.
Rootkit Detection:
Criminal hackers want to hide their actions, but using rootkit detection you can be notified when the system is modified in a way common to rootkits.
Active Response:
Active response allows OSSEC to take immediate action when specified alerts are triggered. This may prevent an incident from spreading before an administrator can take action.
OSSEC Architecture:
Manager (server)
The manager is the central piece of the OSSEC deployment. It stores the file integrity checking databases, the logs, events, and system auditing entries. All the rules, decoders, and major configuration options are stored centrally in the manager, making it easy to administer even a large number of agents.
Agent
The agent is a small program, or collection of programs, installed on the systems to be monitored. The agent collects information and forwards it to the manager for analysis and correlation. Some information is collected in real time, other information periodically. It has a very small memory and CPU footprint by default, so it does not affect the system's usage. Agent security: it runs as a low-privilege user (generally created during the installation) and inside a chroot jail isolated from the system. Most of the agent configuration can be pushed from the manager.
Agentless
For systems on which an agent cannot be installed, the agentless support may allow integrity checks to be performed. Agentless scans can be used to monitor firewalls, routers, and even Unix systems.
Functions of each module:
Work-flow:
Internal Architecture:
File/directory structure:

Description               | Location
--------------------------|----------------------------------
Installation directory    | /var/ossec
Main configuration file   | /var/ossec/etc/ossec.conf
Decoders                  | /var/ossec/etc/decoder.xml
Binaries                  | /var/ossec/bin
Rules                     | /var/ossec/rules/*.xml
Alerts                    | /var/ossec/logs/alerts/alerts.log

Agent components          | Function
--------------------------|----------------------------------
Syscheckd                 | File integrity checking
Rootcheckd                | Malware and rootkit detection
Agentd                    | Forwards data to the server
Logcollectord             | Reads logs (syslog, WMI, flat files)

Server components         | Function
--------------------------|----------------------------------
Remoted                   | Receives data
Analysisd                 | Processes data
Monitord                  | Monitors agents
Installation Procedure of OSSEC-HIDS:
On Ubuntu you will need the build-essential package in order to compile and install OSSEC. To install the package, run the following command:
# apt-get install build-essential
If database support is needed, mysql-dev or postgresql-dev should be installed. Run the following command to install these packages:
# apt-get install mysql-dev postgresql-dev
Installation of server package:
Installation of OSSEC HIDS is very simple; the install.sh shell script automates most of it. A few questions must be answered before the installation proceeds, one of the most important being the type of installation. It is important to choose the correct installation type: server, agent, local, or hybrid.
1. Download the latest version and verify its checksum (server package):
# wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.1.tar.gz
2. Extract the compressed package and run the install.sh file:
# tar -zxvf ossec-hids-*.tar.gz   (or: gunzip -d ossec-hids-*.tar.gz; tar -xvf ossec-hids-*.tar)
# cd ossec-hids-*
# ./install.sh
Note: in this setup the downloaded files are usually kept in /home/InfoSec/.
Step-by-step configuration of the server:
1. What kind of installation do you want? Server
2. Where do you want to install the OSSEC HIDS? /var/ossec
3. Email notification (yes/no)? Yes
4. Do you want to run the integrity check daemon (yes/no)? Yes
5. Rootkit detection engine (yes/no)? Yes
6. Active response (yes/no)?
Installing the GUI:
2. Extract to the desktop:
# cd /home/infosec/
# tar xvf v0.8.tar.gz
3. Move the extracted directory (ossec-wui-0.8) to the web root:
# mv /home/infosec/ossec-wui-0.8 /var/www/html/
4. Navigate to the ossec-wui-0.8 directory and run setup.sh
Then check the apache2 server status with the command below:
# service apache2 {status|restart|start}
Configuration check; if there is any problem, troubleshoot as below:
# cd /var/www/html/ossec-wui-0.8
# chmod 770 tmp/
# chgrp www-data tmp/
# apachectl restart
# service apache2 start
# usermod -a -G ossec www-data
# apachectl restart
To forward alerts to the desired destination over syslog (the Splunk routing mentioned above), run:
# cd /var/ossec/bin/
# /var/ossec/bin/ossec-control enable client-syslog
Then try to access the web GUI via a browser.
The file etc/ossec.conf has 6 sections:
• global (global)
• rules (rules)
• syscheck (syscheck/rootcheck)
• alerts (alerts)
• active-response (command/active-response)
• collector (localfile)
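The six sections listed above, as an added example that is not part of the original page or of OSSEC's own distribution: a small POSIX sh script that writes a constructed minimal ossec.conf containing every section type (mail server, addresses, paths and the firewall-drop command are placeholder values, not a real deployment), and an audit function that reports which of the six sections an existing ossec.conf is missing, which is a useful sanity check after editing the file on a manager.

```shell
#!/bin/sh
# Added example, not from the original page or from OSSEC itself.
# Writes a constructed minimal ossec.conf with all six section types,
# then audits any ossec.conf for those sections.

# Constructed sample config; every value here is a placeholder.
write_sample_conf() {
  cat > "$1" <<'EOF'
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>soc@example.com</email_to>
    <smtp_server>smtp.example.com</smtp_server>
    <email_from>ossec@example.com</email_from>
  </global>
  <rules>
    <include>rules_config.xml</include>
    <include>syslog_rules.xml</include>
    <include>sshd_rules.xml</include>
  </rules>
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
</ossec_config>
EOF
}

# Print the names of required sections absent from the given file, one per
# line; prints nothing when all six are present.
missing_sections() {
  for s in global rules syscheck alerts active-response localfile; do
    grep -q "<$s>" "$1" || echo "$s"
  done
}

# Usage (stand-alone run):
#   tmp=$(mktemp); write_sample_conf "$tmp"; missing_sections "$tmp"; rm -f "$tmp"
```

The sample pairs a command definition with an active-response block so that level-10 alerts trigger firewall-drop with a 600-second timeout; the audit only checks for the presence of the opening tags, so run it before restarting the manager rather than as a substitute for reading the file.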
Agent installation on Windows:
2. Install as a normal package.
3. Run as administrator.
4. You will see the page as below.
5. Provide the server IP: xxxx
6. Copy the key from the OSSEC-HIDS server, save, and restart.
Adding an agent on the OSSEC-HIDS server and extracting the key:
Go to the directory below and run manage_agents:
# /var/ossec/bin/manage_agents
Choose A to add an agent, as below.
Choose E to extract the key, and paste the key into the associated agent.
* If communication has not been established, check the logs on the agent side, located at:
C:\Program Files (x86)\ossec-agent\ossec
If successfully connected, you will see logs as below.
Note: you must allow port 1514 through the firewall if the server and agent are on different networks.
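The key that manage_agents prints with option E is the agent's client.keys line ("<id> <name> <ip> <secret>") encoded in base64. Before pasting it into an agent it is worth decoding it and confirming the name and IP really belong to that host, so a key never ends up on the wrong machine. The following is an added example, not part of the original page or of OSSEC's manage_agents; the sample key line is constructed, and the hex secret in it is dummy data.

```shell
#!/bin/sh
# Added example, not from the original page or from OSSEC.
# Decodes a key string as produced by manage_agents (option E) and checks
# that it belongs to the expected agent before it is pasted into that agent.

# Print "id name ip" from an extracted key; the secret is never printed.
agent_key_fields() {
  printf '%s' "$1" | base64 -d | awk '{ print $1, $2, $3 }'
}

# Return 0 when the key's name and ip match the expected agent, 1 otherwise.
check_agent_key() {
  key=$1; want_name=$2; want_ip=$3
  set -- $(agent_key_fields "$key")
  [ "$2" = "$want_name" ] && [ "$3" = "$want_ip" ]
}

# Constructed sample: a fake client.keys line encoded the way manage_agents
# does it. The secret is placeholder hex, not a real key.
SAMPLE_LINE='001 win-host-01 192.0.2.25 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
SAMPLE_KEY=$(printf '%s' "$SAMPLE_LINE" | base64 | tr -d '\n')

# Usage (stand-alone run):
#   agent_key_fields "$SAMPLE_KEY"
#   check_agent_key "$SAMPLE_KEY" win-host-01 192.0.2.25 && echo "key matches"
```

If the check fails, the key was extracted for a different agent entry; re-run manage_agents and pick the correct ID rather than editing the decoded string by hand.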
You can check alerts in the location below:
# cd /var/ossec/logs/alerts/
# nano alerts.log
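Reading alerts.log in an editor works for a handful of entries, but on a busy manager a quick summary is more useful. The following is an added example, not from the original page or from OSSEC: a POSIX sh/awk helper that counts alerts at or above a given level and lists the most frequent source addresses, run over a constructed sample of the alerts.log record format (hostnames and addresses are documentation values, not from a real system).

```shell
#!/bin/sh
# Added example, not from the original page or from OSSEC.
# Triage helpers for /var/ossec/logs/alerts/alerts.log. Each alert is a
# multi-line record starting with "** Alert"; the "Rule:" line carries the
# rule id and level, and "Src IP:" the offending address when one is known.

# Constructed sample in the alerts.log format (not from a real system).
write_sample_alerts() {
  cat > "$1" <<'EOF'
** Alert 1426859400.12345: - syslog,sshd,authentication_failed,
2015 Mar 20 14:30:00 (web-01) 192.0.2.20->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 198.51.100.7
User: root
Mar 20 14:30:00 web-01 sshd[2211]: Failed password for root from 198.51.100.7 port 41022 ssh2

** Alert 1426859460.12401: mail  - syslog,sshd,authentication_failures,
2015 Mar 20 14:31:00 (web-01) 192.0.2.20->/var/log/auth.log
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 198.51.100.7
User: root
Mar 20 14:31:00 web-01 sshd[2219]: Failed password for root from 198.51.100.7 port 41030 ssh2

** Alert 1426859520.12550: - ossec,syscheck,
2015 Mar 20 14:32:00 (web-01) 192.0.2.20->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is : '0cc175b9c0f1b6a831c399e269772661'
EOF
}

# Count alerts in file $2 whose level is at least $1.
count_alerts_min_level() {
  awk -v min="$1" '
    /^Rule: / {
      if (match($0, /\(level [0-9]+\)/)) {
        lvl = substr($0, RSTART + 7, RLENGTH - 8) + 0
        if (lvl >= min) n++
      }
    }
    END { print n + 0 }' "$2"
}

# Print "count ip" for each source address in file $1, most frequent first.
top_src_ips() {
  awk '/^Src IP: / { c[$3]++ } END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# Usage (stand-alone run):
#   f=$(mktemp); write_sample_alerts "$f"
#   count_alerts_min_level 7 "$f"; top_src_ips "$f"; rm -f "$f"
```

The level threshold mirrors the email_alert_level idea in ossec.conf: level 7 and above is where the sample's brute-force and integrity alerts sit, while the single failed login at level 5 is the kind of noise you filter out first.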
Conclusion:
OSSEC reports on:
• Common web attack detections
• XSS attempts
• SQL injections
• Windows authentication failure attempts
• MySQL failed authentication attempt detections
• PostgreSQL failed authentication attempt detections
• SonicWALL failed authentication attempt detections
• RDP failed attempt detections
• SSH service failed authentication attempts
• Login authentication failure detections