Experimenting with OSSEC

Here we turn to a well-known tool called OSSEC, a host intrusion detection system (HIDS) used by many in the field. The purpose is to educate users on what OSSEC or OSSIM is and how to get set up the easy way, as it can be a complicated process to get going if you do not know where to start. It can be used as a first line of real-time defense, an IDS and SIEM that monitors your critical network infrastructure. While there are many different installation methods, we will concentrate on the easiest way: installing the management server on VirtualBox.

One thing to note is that this can be installed on your Linux production server to serve as your intrusion detection and log incident system. Many have employed it because it is easy to use once up and running, and it is also very powerful, making it a top-of-the-line tool to have inside your network.

First, go to https://www.ossec.net and take a look around, as it can be a lot to take in if you have never seen this system before.

Next go over to Documentation and you will soon see that there are two basic parts to OSSEC and OSSIM. First there is the server, which should preferably be installed on a Linux distribution like Ubuntu. Second are the agent installs; these can be done on either Windows or Mac so that the server can log and monitor system details.

For the security folks wondering whether it can be installed on Kali, the answer is yes! Watch the video here. Once again, during the installation process you have the option to run as a server or an agent. If you are using your Kali machine as a server in a demo, choose server when prompted after running the ./install.sh script.

After taking it all in, we are ready to do our server install by going to the OSSEC Downloads here and running the install.sh script from the Linux terminal. Here we are given several options, including username and password, and whether the install will be a server, agent, or even hybrid; look at the docs for more information!

There we can see it installs under /var/ossec, and /var/ossec/bin is where you will find your startup scripts. Follow the instructions to fire up your server by typing /var/ossec/bin/ossec-control start.

This will now fire up your OSSEC server. For more information on installing the WUI (web GUI) on your server, go to https://github.com/ossec/ossec-wui and download the WUI. You will need to place this in the /var/ folder as well; follow the video for the Kali install as a guide.

Last step: to make this experiment complete we need to add an agent to the server we just installed. We go back to the OSSEC downloads page and this time select the Windows agent (it is the same process for Linux as above; make sure you select agent during install). Pedaling back, we must go into our server, into the /var/ossec/bin folder, and run the manage_agents script. When we do, we are prompted for a selection, and one of the options is to add an agent, so we select A. We then extract the generated key and copy it for our Windows agent. Once this is complete, we jump back over to our Windows machine and run the installation exe file. When that finishes, we are left with adding the IP address of our OSSEC server and pasting in the key generated during the add-agent process.
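Before pasting the key into the Windows agent it is worth knowing what you are copying. The block below is an added example, not code from the post or from the OSSEC project: it assumes the key string that manage_agents exports is the base64 encoding of one client.keys line of the form `<id> <name> <ip> <hexkey>` (with a 64-character hex key), and it uses a constructed sample line rather than a real key. It round-trips the sample through that encoding and validates the decoded fields, which is a quick way to catch a truncated or mangled key before the agent fails to connect.

```shell
#!/bin/sh
# Added example (not part of the original post). Assumption: the key string
# produced by manage_agents' "extract" option is base64 of one client.keys
# line: "<id> <name> <ip> <hexkey>". Everything below is a constructed sample.

# Constructed sample client.keys line; this is NOT a real agent key.
SAMPLE_KEY_LINE="001 win-agent 192.168.56.20 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

# Encode a client.keys line the way the export is assumed to look (base64, one line).
encode_agent_key() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode an exported key string back into the client.keys line.
decode_agent_key() {
    printf '%s' "$1" | base64 -d
}

# Validate a decoded line: exactly 4 fields, numeric id, dotted-quad or "any"
# ip, and a 64-character hex key. Prints "ok" or a reason; returns 0 on success.
validate_agent_key_line() {
    set -- $1
    if [ "$#" -ne 4 ]; then
        echo "bad: expected 4 fields, got $#"
        return 1
    fi
    id=$1; name=$2; ip=$3; key=$4
    case "$id" in
        ''|*[!0-9]*) echo "bad: id '$id' is not numeric"; return 1 ;;
    esac
    case "$ip" in
        any) ;;
        ''|*[!0-9.]*) echo "bad: ip '$ip' is not dotted-quad or 'any'"; return 1 ;;
    esac
    case "$key" in
        ''|*[!0-9a-fA-F]*) echo "bad: key is not hex"; return 1 ;;
    esac
    if [ "${#key}" -ne 64 ]; then
        echo "bad: key length ${#key}, expected 64"
        return 1
    fi
    echo "ok"
    return 0
}

# Demo: export the sample line, decode it again, and validate the result.
exported=$(encode_agent_key "$SAMPLE_KEY_LINE")
echo "exported key: $exported"
decoded=$(decode_agent_key "$exported")
echo "decoded line: $decoded"
validate_agent_key_line "$decoded"
```

Run it as a plain `sh` script; it only needs coreutils `base64`. To inspect a real exported key, replace the demo section with `decode_agent_key "<pasted key>"` and pass the output to `validate_agent_key_line`; a key that decodes to anything other than the four expected fields was probably copied incompletely.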

Voila, we are done. Now comes the fun part: watching and poking around the software. Make sure you watch the steps for adding a user to Apache and adding www-data to the proper group; watch this video for reference, https://www.youtube.com/watch?v=7P5LyU69ceM, to get the GUI working on the server manager. Next, install agents and play, and look out for our next blog about connecting OSSEC and OSSIM by AlienVault, which is the same thing and able to communicate with one another. Enjoy! Remember: hack the Planet!
