Sunday, November 24, 2019

OSSEC-HIDS


[Open Source Security - Host Intrusion Detection System]

Introduction:

OSSEC is a platform to monitor and control your systems. It brings together host-based intrusion detection (HIDS), log monitoring, and Security Incident Management (SIM)/Security Information and Event Management (SIEM) in a simple, powerful, open source solution.


The following operating systems are supported by the OSSEC agent:

• GNU/Linux (all distributions, including RHEL, Ubuntu, Slackware, Debian, etc)
• Windows XP, 2003, Vista, 2008, 2012
• VMware ESX 3.0, 3.5 (including CIS checks)
• FreeBSD (all current versions)
• OpenBSD (all current versions)
• NetBSD (all current versions)
• Solaris 2.7, 2.8, 2.9 and 10
• AIX 5.2 and 5.3

Key Benefits:


Compliance Requirements

OSSEC helps customers meet specific compliance requirements such as PCI and HIPAA. It lets customers detect and alert on unauthorized file system modifications and on malicious behaviour recorded in the log files of commercial products as well as custom applications. For PCI, it covers the sections on file integrity monitoring (PCI 11.5, 10.5), log inspection and monitoring (section 10), and policy enforcement/checking.

Multi-platform:

OSSEC lets customers implement a comprehensive host-based intrusion detection system with fine-grained, application/server-specific policies across multiple platforms such as Linux, Solaris, Windows, and Mac OS X.

Real-time and Configurable Alerts:

OSSEC lets customers configure the incidents they want to be alerted on, and lets them raise the priority of critical incidents above the regular noise on any system. Integration with SMTP, SMS, and syslog allows customers to stay on top of alerts by sending them to e-mail enabled devices. Active response options to block an attack immediately are also available.

Integration with current infrastructure:

OSSEC will integrate with current investments from customers such as SIM/SEM (Security Incident Management/Security Events Management) products for centralized reporting and correlation of events.

Example: in this deployment alerts are currently routed to Splunk, as in the architecture shown below.

Key Features

File Integrity checking :

There is one thing common to every attack on your networks and computers: it changes your systems in some way. The goal of file integrity checking (or FIM, file integrity monitoring) is to detect these changes and alert you when they happen. Whether it is an attack, misuse by an employee, or even a typo by an admin, any file, directory or registry change will be alerted to you.

Log Monitoring

Your operating system wants to speak to you, but do you know how to listen? Every operating system, application, and device on your network generates logs (events) to let you know what is happening. OSSEC collects, analyzes and correlates these logs to let you know if something suspicious is happening (attack, misuse, errors, etc.). Do you want to know when an application is installed on a client box? Or when someone changes a rule in your firewall? By monitoring your logs, OSSEC will notify you.

Rootkit detection :

Criminal hackers want to hide their actions, but with rootkit detection you can be notified when the system is modified in a way common to rootkits.

Active response :

Active response allows OSSEC to take immediate action when specified alerts are triggered. This may prevent an incident from spreading before an administrator can take action.

OSSEC Architecture :

Manager (server)

The manager is the central piece of the OSSEC deployment. It stores the file integrity checking databases, the logs, events, and system auditing entries. All the rules, decoders, and major configuration options are stored centrally in the manager, making it easy to administer even a large number of agents.

Agent

The agent is a small program, or collection of programs, installed on the systems to be monitored. The agent collects information and forwards it to the manager for analysis and correlation. Some information is collected in real time, the rest periodically. It has a very small memory and CPU footprint by default, so it does not affect the system's usage. Agent security: it runs as a low-privilege user (generally created during the installation) and inside a chroot jail isolated from the system. Most of the agent configuration can be pushed from the manager.

Agentless

For systems on which an agent cannot be installed, agentless support may allow integrity checks to be performed. Agentless scans can be used to monitor firewalls, routers, and even Unix systems.

Functions of each module:

Work-flow :

Internal Architecture :

File directory structure as below:

Description               Location of file
Installed at              /var/ossec
Main configuration file   /var/ossec/etc/ossec.conf
Decoders stored at        /var/ossec/etc/decoder.xml
Binaries at               /var/ossec/bin
Rules stored at           /var/ossec/rules/*.xml
Alerts                    /var/ossec/logs/alerts.log

Agent components
Syscheckd        File integrity
Rootcheckd       Malware and rootkit detection
Agentd           Forwards data to the server
Logcollectord    Reads logs (syslog, WMI, flat files)

Server components
Remoted          Receives data
Analysisd        Processes data
Monitord         Monitors agents


Installation Procedure of OSSEC-HIDS:

On Ubuntu you need the build-essential package in order to compile and install OSSEC. To install it, run:

# apt-get install build-essential

If database support is needed, mysql-dev or postgresql-dev should be installed as well:

# apt-get install mysql-dev postgresql-dev

Installation of server package :

Installing OSSEC HIDS is very simple, with the install.sh shell script automating most of it. A few questions must be answered before the installation proceeds, one of the most important being which type of installation is desired. It is important to choose the correct installation type: server, agent, local, or hybrid.

1. Download the latest version and verify its checksum

# wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.1.tar.gz           (server package)
# wget -U ossec http://www.ossec.net/files/ossec-hids-2.8.1-checksum.txt     (hash values to verify the download against)

2. Extract the compressed package and then run install.sh

# tar -zxvf ossec-hids-*.tar.gz      (or: gunzip -d ossec-hids-*.tar.gz; tar -xvf ossec-hids-*.tar)
# cd ossec-hids-*
# ./install.sh

Note: in this setup the downloaded and extracted files are usually kept under /home/InfoSec/.


Step-by-step configuration of the server:

1. What kind of installation do you want? : Server
2. Where to install the OSSEC HIDS? : /var/ossec
3. E-mail notification (Yes/No) : Yes
4. Do you want to run the integrity check daemon? (Yes/No) : Yes
5. Rootkit detection engine (Yes/No) : Yes
6. Active response (Yes/No) :


Installing the GUI :

1. Download the package from https://github.com/ossec/ossec-wui/archive/v0.8.tar.gz
2. Extract it under the home directory:

# cd /home/infosec/
# tar xvf v0.8.tar.gz

3. Move the extracted directory (ossec-wui-0.8) to the web root:

# mv /home/infosec/ossec-wui-0.8 /var/www/html/

4. Navigate to the ossec-wui-0.8 directory and run setup.sh
5. Check the apache2 server status (or restart/start it) with:

# service apache2 status      (or: service apache2 restart / service apache2 start)

If the web interface does not work, troubleshoot as below:

# cd /var/www/html/ossec-wui-0.8
# chmod 770 tmp/
# chgrp www-data tmp/
# apachectl restart
# service apache2 start
# usermod -a -G ossec www-data
# apachectl restart

To forward the alert logs to the desired syslog destination, run:

# cd /var/ossec/bin/
# /var/ossec/bin/ossec-control enable client-syslog


Try to access Web-GUI via browser:


The etc/ossec.conf file has 6 sections:
• global (global);
• rules (rules);
• syscheck (syscheck/rootcheck);
• alerts (alerts);
• active-response (command/active-response);
• collector (localfile).
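As an added example (not from the original post), a minimal ossec.conf that exercises each of the six sections above on the server. E-mail addresses, the SMTP host and the Splunk host are placeholders; firewall-drop.sh is the active-response script shipped with OSSEC, and the syslog_output block only takes effect after the client-syslog step from the GUI section above.

```xml
<ossec_config>
  <!-- global: e-mail notification (addresses and SMTP host are placeholders) -->
  <global>
    <email_notification>yes</email_notification>
    <email_to>soc-alerts@example.com</email_to>
    <smtp_server>smtp.example.com</smtp_server>
    <email_from>ossec@example.com</email_from>
  </global>
  <!-- rules: rule files the manager loads from /var/ossec/rules -->
  <rules>
    <include>rules_config.xml</include>
    <include>sshd_rules.xml</include>
  </rules>
  <!-- syscheck/rootcheck: integrity scan every 7200 s, real-time on the listed dirs -->
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
  </rootcheck>
  <!-- alerts: level 1+ is written to alerts.log, level 7+ is also e-mailed -->
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
  <!-- command/active-response: block the source IP of level 10+ alerts for 600 s -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>
  <!-- collector (localfile): log files read on this host -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <!-- forward alerts to the SIEM (placeholder host); needs "ossec-control enable client-syslog" -->
  <syslog_output>
    <server>SPLUNK_HOST_PLACEHOLDER</server>
    <port>514</port>
  </syslog_output>
</ossec_config>
```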

Agent installation on Windows:

1. Download the agent package from https://updates.atomicorp.com/channels/atomic/windows/ossec-agent-win32-3.1.0 5696.exe
2. Install it as a normal package.
3. Run it as administrator.
4. You will see the page shown below.
5. Provide the server IP : xxxx
6. Paste the key copied from the OSSEC-HIDS server, save, and restart the agent.
Adding an agent on the OSSEC-HIDS server and extracting its key:

1. Run the agent manager: /var/ossec/bin/manage_agents
2. Choose A to add the agent.
3. Choose E to extract its key and paste the key into the associated agent.

* If communication is not established, check the logs on the agent side, located at:

C:\Program Files (x86)\ossec-agent\ossec

If the agent connects successfully you will see logs like the ones below:

Note: port 1514 must be allowed through the firewall if the server and agent are on different networks.

Alerts can be checked in the following location:

# cd /var/ossec/logs/alerts/
# nano alerts.log


Conclusion:

OSSEC reports on:

· Common web attack detections
· XSS attempts
· SQL injections
· Windows authentication failures
· MySQL failed authentication attempts
· PostgreSQL failed authentication attempts
· SonicWALL failed authentication attempts
· RDP failed login attempts
· SSH failed authentication attempts
· Failed login authentication detections
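As an added example, not part of the original post: a local_rules.xml fragment (loaded from /var/ossec/rules/) that tunes two of the detections listed above. The rule ids 100100, 100101 and 100200 are assumptions chosen from the range reserved for local rules; 5716 (sshd authentication failed), 550 (integrity checksum changed) and 553 (file deleted) are OSSEC's built-in rules.

```xml
<group name="local,syslog,sshd,">
  <!-- Built-in rule 5716 fires on any sshd authentication failure;
       raise the level when the targeted account is root. -->
  <rule id="100100" level="8">
    <if_sid>5716</if_sid>
    <user>root</user>
    <description>SSH authentication failure for the root account.</description>
  </rule>

  <!-- Six such failures from one source IP within 120 s reach level 10,
       the level at which an active response can block the source. -->
  <rule id="100101" level="10" frequency="6" timeframe="120">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>Repeated SSH authentication failures for root from the same source IP.</description>
  </rule>
</group>

<group name="local,syscheck,">
  <!-- Integrity alerts for files under /var/log are expected noise on this
       host (assumption); level 0 suppresses them without touching other paths. -->
  <rule id="100200" level="0">
    <if_sid>550,553</if_sid>
    <match>/var/log/</match>
    <description>Ignore expected file changes under /var/log.</description>
  </rule>
</group>
```

Rules are reloaded with a restart of the manager (/var/ossec/bin/ossec-control restart), and the suppression rule should be kept narrow so that a change to a file outside /var/log still alerts.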
