General Information
OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file
integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. OSSEC
runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows. This guide
provides basic information on installing and configuring OSSEC within your computing environment.
Note: In order to configure OSSEC properly, a syslog server must be configured and installed before
2. Using the command line, change to the directory where you saved the downloaded files and verify the
checksums with this command.
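The checksum step above is where a tampered download would be caught, so it is worth doing with a function that fails loudly on a mismatch. The following is an added example, not a command from the SFSU guide or the OSSEC project: it assumes sha256sum (GNU coreutils) or shasum is on the PATH, and that the expected digest is taken from the OSSEC download page rather than from the same directory as the tarball. The file it checks is constructed in a temporary directory and stands in for the real .tar.gz.

```shell
# Added example (not from the SFSU guide or OSSEC): verify a downloaded tarball
# against a known-good SHA-256 before extracting it.

# Print the SHA-256 hex digest of a file; works on GNU and BSD userlands.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch or if FILE is missing. The comparison is
# case-insensitive so a digest copied in uppercase from a web page still matches.
verify_checksum() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "verify_checksum: $file not found" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Demonstration on a constructed file (stands in for ossec-hids-<version>.tar.gz).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
demo_file="$demo_dir/ossec-sample.tar.gz"
printf 'constructed sample, not a real tarball\n' > "$demo_file"
good_sum=$(sha256_of "$demo_file")     # what the download page would publish
bad_sum=$(printf '%064d' 0)            # 64 zeros: a digest that cannot match

verify_checksum "$demo_file" "$good_sum"
if verify_checksum "$demo_file" "$bad_sum" 2>/dev/null; then
    echo "unexpected: tampered digest was accepted" >&2
fi
```

Run it with the real expected digest in place of `good_sum`; a non-zero exit from `verify_checksum` is the signal to stop and not extract the archive.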
http://its.sfsu.edu/guides/ossec-implementation 1/10
20/02/2018 OSSEC Implementation Guide | Information Technology Services
3. Because the OSSEC HIDS installer must compile the application from source code the first time it
runs, a working build environment is required on your system. On most Linux or BSD systems, a C
compiler and its supporting files are already installed. If not, install gcc and the development headers
before proceeding.
4. Extract the .tar.gz file, change into the created directory, and then run the install script:
Note: The system, user, and host fields depend on your own configuration.
7. After pressing ENTER, the system asks which kind of installation you would like.
8. Configure alert notifications (this is what you will see on the screen):
9. Configure active response, a tool that takes automated actions to prevent an intrusion or reduce its
extent.
Active response allows you to execute a specific command based on the events received. For
example, you can block an IP address or disable access for a specific user. More information at:
http://www.ossec.net/en/manual.html#active-response
Do you want to enable active response? (y/n) [y]: y
Active response enabled.
By default, we can enable the host-deny and the firewall-drop responses. The first one will add a
host to the /etc/hosts.deny and the second one will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
They can be used to stop SSHD brute force scans, portscans and some other forms of attacks. You
can also add them to block on snort events, for example.
Do you want to enable the firewall-drop response? (y/n) [y]: y
Firewall-drop enabled (local) for levels >= 6
Default white list for the active response:
- 192.168.65.2
Do you want to add more IPs to the white list? (y/n)? [n]: n
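Once firewall-drop is enabled, the thing to watch is what it has actually blocked, and in particular that nothing on the white list ever gets blocked. The following is an added example, not part of the SFSU guide or of OSSEC: it reads lines in the layout of OSSEC's active-responses.log ("<date> <script> <add|delete> <user> <source IP> <alert id> <rule id>"), which is an assumption you should confirm against your own /var/ossec/logs/active-responses.log before running it there. The four log lines are constructed; the last one deliberately shows the white-listed address from the installer output being blocked, which is the misconfiguration the check is meant to surface.

```shell
# Added example (not from the SFSU guide or OSSEC): summarise firewall-drop
# activity from active-responses.log and flag white-listed hosts that were blocked.

WHITELIST="192.168.65.2"   # the installer's default white list shown in the guide

# Constructed sample lines in the assumed layout of active-responses.log.
SAMPLE_LOG=$(cat <<'EOF'
Tue Feb 20 10:15:30 PST 2018 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.5 1519150530.1234 5712
Tue Feb 20 10:16:02 PST 2018 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.7 1519150562.1299 5712
Tue Feb 20 10:25:31 PST 2018 /var/ossec/active-response/bin/firewall-drop.sh delete - 203.0.113.5 1519150530.1234 5712
Tue Feb 20 10:40:11 PST 2018 /var/ossec/active-response/bin/firewall-drop.sh add - 192.168.65.2 1519152011.2010 5712
EOF
)

# blocked_now LOGTEXT -> IPs whose "add" count exceeds their "delete" count,
# i.e. hosts that are still blocked according to the log. Fields: $8 is the
# action and $10 is the source IP (six fields of date precede the script path).
blocked_now() {
    printf '%s\n' "$1" | awk '
        $8 == "add"    { n[$10]++ }
        $8 == "delete" { n[$10]-- }
        END { for (ip in n) if (n[ip] > 0) print ip }' | sort
}

# whitelist_hits LOGTEXT -> white-listed IPs that were nevertheless blocked.
# Any output here means the white list in ossec.conf is not doing its job.
whitelist_hits() {
    printf '%s\n' "$1" | awk -v wl="$WHITELIST" '
        BEGIN { split(wl, a, " "); for (i in a) w[a[i]] = 1 }
        $8 == "add" && ($10 in w) { print $10 }' | sort -u
}

# block_count LOGTEXT -> total number of "add" actions (how busy the response is).
block_count() {
    printf '%s\n' "$1" | awk '$8 == "add" { c++ } END { print c + 0 }'
}

echo "blocks issued: $(block_count "$SAMPLE_LOG")"
echo "still blocked:"
blocked_now "$SAMPLE_LOG"
hits=$(whitelist_hits "$SAMPLE_LOG")
[ -z "$hits" ] || echo "WARNING: white-listed hosts were blocked: $hits"
```

To use it on a live server, replace `SAMPLE_LOG` with `$(cat /var/ossec/logs/active-responses.log)` and set `WHITELIST` to the addresses in your own `<white_list>` entries.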
10. With a server installation, the OSSEC HIDS can receive alerts through an encrypted channel (port
1514) or through syslog (port 514).
- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: y
- Remote syslog enabled.
- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/auth.log
-- /var/log/syslog
-- /var/log/mail.info
- If you want to monitor any other file, just change
the ossec.conf and add a new local file entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net.
--- Press ENTER to continue ---
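The installer's closing note says extra logs are monitored by adding a localfile entry to ossec.conf. The following is an added example, not from the SFSU guide or the OSSEC project, showing how to generate that entry safely: it refuses unknown log formats, warns if the log file does not exist yet, and checks that the same location is not already present in the configuration. The list of accepted `log_format` values and the default path `/var/ossec/etc/ossec.conf` are taken from the OSSEC manual's localfile documentation and are assumptions of this example; the ossec.conf it tests against is constructed in a temporary file.

```shell
# Added example (not from the SFSU guide or OSSEC): build a <localfile> entry
# for ossec.conf with basic validation before it is appended to the live file.

OSSEC_CONF=${OSSEC_CONF:-/var/ossec/etc/ossec.conf}   # assumed default path
KNOWN_FORMATS="syslog snort-full snort-fast squid iis eventlog mysql_log postgresql_log nmapg apache command full_command djb-multilog multi-line"

# known_format NAME -> 0 if NAME is a log_format OSSEC accepts
known_format() {
    for f in $KNOWN_FORMATS; do
        [ "$f" = "$1" ] && return 0
    done
    return 1
}

# localfile_entry PATH FORMAT -> prints the XML block on stdout.
# Fails if FORMAT is unknown; only warns if PATH does not exist yet, because
# OSSEC re-checks locations when it starts.
localfile_entry() {
    path=$1; format=$2
    known_format "$format" || { echo "unknown log_format: $format" >&2; return 1; }
    [ -e "$path" ] || echo "warning: $path does not exist yet" >&2
    printf '  <localfile>\n    <log_format>%s</log_format>\n    <location>%s</location>\n  </localfile>\n' \
        "$format" "$path"
}

# already_monitored PATH CONF -> 0 if CONF already has a <location> for PATH,
# so the same file is not added twice.
already_monitored() {
    grep -q "<location>$1</location>" "$2" 2>/dev/null
}

# add_localfile PATH FORMAT CONF -> appends the entry to CONF unless it is
# already there or the format is invalid. Prints what it decided.
add_localfile() {
    if already_monitored "$1" "$3"; then
        echo "skip: $1 is already monitored in $3"
        return 0
    fi
    entry=$(localfile_entry "$1" "$2") || return 1
    printf '%s\n' "$entry" >> "$3"
    echo "added: $1 ($2) to $3"
}

# Demonstration against a constructed ossec.conf, not the live file.
demo_conf=$(mktemp)
trap 'rm -f "$demo_conf"' EXIT
cat > "$demo_conf" <<'EOF'
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
</ossec_config>
EOF

add_localfile /var/log/auth.log syslog "$demo_conf"          # already present
add_localfile /var/log/nginx/access.log apache "$demo_conf"  # new entry
```

Note that `add_localfile` appends after `</ossec_config>` in this demonstration; on a real server insert the printed block inside the `<ossec_config>` element and restart OSSEC so it picks up the new location.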
11. After you press Enter, the OSSEC HIDS is compiled, installed, and configured with the options you
specified. When the installation is complete, the installer script provides you with some final
information. You can always change the configuration of your OSSEC server in the /etc/pf.conf file.
Installing an agent on a Linux-based machine:
2. When the installer asks for the installation type, choose: agent
What kind of installation do you want (server, agent, local or help)? agent
Do you want to run the rootkit detection engine? (y/n) [y]: y
4. After you press Enter, the OSSEC HIDS is compiled, installed, and configured with the options you
specified.
The communication between the server and the agents is secure (encrypted and authenticated).
Because of that, for every agent you want to install, you need to create an authentication key for
it on the server. Once the key is generated on the server, export it from there and import (or
push) it to the agent.
1. Add the agent to the server (run the manage_agents command, provide the IP address of the agent
and choose a name, or username, for it).
(server)# /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v0.8 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your actions: A,E,R or Q: a
2. After the agent is added, extract its authentication key from the server. In manage_agents, choose
the "E" option and provide the ID of the agent. The key to be used by the agent is printed; copy it
and paste it on the agent side.
(server)# /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v0.8 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your actions: A,E,R or Q: e
Available agents:
ID: 001, Name: linux1, IP: 192.168.2.32
ID: 002, Name: obsd1, IP: 192.168.2.10
Provide the ID of the agent you want to extract the key: 001
3. After the key is generated, copy it and paste it on the agent side. Run the same manage_agents
command on the agent.
(agent)# /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v0.8 Agent manager. *
* The following options are available: *
****************************************
(I)mport key for the server (I).
(Q)uit.
Choose your actions: I or Q: i
Agent information:
ID:001
Name:linux1
IP Address:192.168.2.32
Added.
** Press ENTER to continue.
****************************************
* OSSEC HIDS v0.8 Agent manager. *
* The following options are available: *
****************************************
manage_agents: Exiting ..
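The import step above shows manage_agents echoing back "ID:001 Name:linux1 IP Address:192.168.2.32" from the pasted key, which is the moment to confirm the key really belongs to this host and not to another agent whose key was copied by mistake. The following is an added example, not from the SFSU guide or the OSSEC project: it decodes an exported key and compares the identity inside it with the expected ID, name and IP before you paste it. It assumes that the string manage_agents prints on "E" is the agent's client.keys line ("ID NAME IP SECRET") encoded with base64, and it builds its sample key from the guide's agent 001 with a constructed placeholder secret, so it runs offline without touching a real server.

```shell
# Added example (not from the SFSU guide or OSSEC): check which agent an
# exported key belongs to before importing it with manage_agents.

# decode_agent_key KEY -> prints "ID NAME IP" embedded in KEY, or fails.
# Assumption: KEY is base64 of "ID NAME IP SECRET" (the client.keys line).
decode_agent_key() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) \
        || { echo "not valid base64" >&2; return 1; }
    set -- $decoded
    [ $# -eq 4 ] || { echo "unexpected key layout ($# fields)" >&2; return 1; }
    printf '%s %s %s\n' "$1" "$2" "$3"
}

# check_agent_key KEY ID NAME IP -> 0 only if the key's embedded identity
# matches the agent you are about to configure; the secret itself is never printed.
check_agent_key() {
    got=$(decode_agent_key "$1") || return 1
    want="$2 $3 $4"
    if [ "$got" = "$want" ]; then
        echo "key matches agent: $want"
        return 0
    fi
    echo "key is for '$got', expected '$want'; do not import it" >&2
    return 1
}

# Constructed sample: what the server's manage_agents "E" option would print
# for agent 001 from the guide, with a placeholder (not real) secret.
PLACEHOLDER_SECRET=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
SAMPLE_KEY=$(printf '%s' "001 linux1 192.168.2.32 $PLACEHOLDER_SECRET" | base64 | tr -d '\n')

check_agent_key "$SAMPLE_KEY" 001 linux1 192.168.2.32
```

On the agent, run `check_agent_key "<pasted key>" <id> <name> <ip>` with the values from the server's "Available agents" listing; only proceed to the "I" option in manage_agents when it reports a match.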
2. After the agent installation is complete, you can start the OSSEC HIDS service by
2. Launch the installer:
5. After choosing the folder location, in the Host Name field, type the IP address or hostname of your
OSSEC HIDS server and then click Open. If this is your first time connecting to the server from this
Windows host, you are asked to accept the server SSH identity. Launch the SSH client on your Windows
host and connect to the OSSEC HIDS server. You must use SSH to connect to the OSSEC HIDS server.
Extract the key for this agent, and then paste the key in the Authentication key field. Accept the server
identity, log in to the server, and then execute the manage_agents utility.
8. In this case, the host name is mercury, which has ID 002. Enter 002, select the key information, and
copy it to the clipboard.