20/02/2018 OSSEC Implementation Guide | Information Technology Services

OSSEC Implementation Guide

Current Policy (/node/48)
General Information
Installing OSSEC server
Installing OSSEC agent on the Linux based machine
Adding agents to the server
Installing agent on Windows based machine

General Information
OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, le
integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. OSSEC
runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows. This guide
will provide a basic information regarding installation and con guration of OSSEC within your
computing environment.

Note: In order to con gure OSSEC properly, a syslog server must be con gured and installed before 

Installing OSSEC server

1. Using web browser, or wget command and source address www.ossec.net/ les/ossec-hids-2.4.tar.gz
(http://www.ossec.net/ les/ossec-hids-2.4.tar.gz) download complete source code and cheksum
(http://www.ossec.net/ les/ossec-hids-2.4.1_checksum.txt (http://www.ossec.net/ les/ossec-hids-
2.4.1_checksum.txt)) that will check integrity of the OSSEC source.

2. Using command line, change to the directory where you saved the downloaded les and verify the
checksums by using this command.
        

http://its.sfsu.edu/guides/ossec-implementation 1/10
20/02/2018 OSSEC Implementation Guide | Information Technology Services

        # md5sum -c ossec-hids-1.4_checksum.txt

        ossec-hids-1.4.tar.gz: OK
        ossec-agent-win32-1.4.exe: OK

3. Because the OSSEC HIDS installer must compile the application from source code the rst time it
runs, a working build environment is required on your system.  For most operating systems of the Linux
or BSD persuasion, a C compiler and supporting les is already be installed. If not, you must install gcc
and development headers before proceeding.

   

4. Extract the .tar.gz le, change into the created directory, and then run the install script:

          # gunzip -c ossec-hids-1.3.tar.gz | tar -xf -

          # cd ossec-hids-1.3
          # ./install.sh

5. Choose installation language by typing en and hitting ENTER:

        ** For installation in English, choose [en].

   

6. Next you will see this on the monitor:

        (en/br/cn/de/es/fr/it/jp/pl/ru/sr/tr) [en]:

        OSSEC HIDS v1.4 Installation Script - http://www.ossec.net (http://www.ossec.net)
        You are about to start the installation process of the OSSEC HIDS.
        You must have a C compiler pre-installed in your system.
        If you have any questions or comments, please send an e-mail
        to dcid@ossec.net (mailto:dcid@ossec.net) (or daniel.cid@gmail.com (mailto:daniel.cid@gmail.com)).
        - System: Linux earth 2.6.20-16-generic
        - User: root
        - Host: earth
        -- Press ENTER to continue or Ctrl-C to abort. --

http://its.sfsu.edu/guides/ossec-implementation 2/10
20/02/2018 OSSEC Implementation Guide | Information Technology Services

 ## Note: System, user, and hosts elds depend on your own con guration.

7. After pressing ENTER the system will ask what installation would you like to have.

1- What kind of installation do you want (server, agent, local or help)?

        - Server installation chosen.
2- Setting up the installation environment.
        - Choose where to install the OSSEC HIDS [/var/ossec]: /var/ossec
        - Installation will be made at /var/ossec

8. Con gure alert noti cations (this is what you will see on the screen):

        - Con guring the OSSEC HIDS.

        - Do you want e-mail noti cation? (y/n) [y]: y
        - What’s your e-mail address? root@localhost (mailto:root@localhost)  ## use your sfsu email
        - We found your SMTP server as: 127.0.0.1     ## do not use local IP

        - Do you want to use it? (y/n) [y]: y

        --— Using SMTP server: 127.0.0.1  ## do not use local IP

9. Con gure active response. A tool that takes automated actions to prevent intrusion or reduce the
extent of an intrusion.

 Active response allows you to execute a speci c command based on the events received. For
example, you can block an IP address or disable access for a speci c user. More information at:
http://www.ossec.net/en/manual.html#active-response
(http://www.ossec.net/en/manual.html#active-response)
Do you want to enable active response? (y/n) [y]: y
Active response enabled.
By default, we can enable the host-deny and the rewall-drop responses. The rst one will add a
host to the /etc/hosts.deny and the second one will block the host on iptables (if linux) or on
ip lter (if Solaris, FreeBSD or NetBSD).

http://its.sfsu.edu/guides/ossec-implementation 3/10
20/02/2018 OSSEC Implementation Guide | Information Technology Services

They can be used to stop SSHD brute force scans, portscans and some other forms of attacks. You
can also add them to block on snort events, for example.
Do you want to enable the rewall-drop response? (y/n) [y]: y
Firewall-drop enabled (local) for levels >= 6
Default white list for the active response:
  - 192.168.65.2
Do you want to add more IPs to the white list? (y/n)? [n]: n

   

10. With a server installation, the OSSEC HIDS can receive alerts through an encrypted channel (port
1514) or through syslog (port 514).

        - Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: y
        - Remote syslog enabled.
        - Setting the con guration to analyze the following logs:
        -- /var/log/messages
        -- /var/log/auth.log
        -- /var/log/syslog
        -- /var/log/mail.info
        - If you want to monitor any other le, just change
        the ossec.conf and add a new local le entry.
        Any questions about the con guration can be answered
        by visiting us online at http://www.ossec.net (http://www.ossec.net) .
        --— Press ENTER to continue —--

11.After you press Enter, the OSSEC HIDS is compiled, installed, and con gured with the options you
speci ed. When the installation is complete, the installer script provides you with some nal
information.You can always change con guration of your OSSEC server in /etc/pf.conf le.

## Note: in order to start your server use this: # /opt/ossec/bin/ossec-control start

    
Installing agent on the Linux based machine:
http://its.sfsu.edu/guides/ossec-implementation 4/10
20/02/2018 OSSEC Implementation Guide | Information Technology Services

1. Follow steps 1 through 6 from the server installation

2. When the system will ask you about installation type choose: agent

 What kind of installation do you want (server, agent, local or help)? agent

 - Agent(client) installation chosen.

  Setting up the installation environment.

       ( Choose where to install the OSSEC HIDS [/var/ossec]: /opt/ossec)

 - Installation will be made at /opt/ossec .

 Con guring the OSSEC HIDS.

 - What’s the IP Address of the OSSEC HIDS server?: 192.168.65.20

 - Adding Server IP 192.168.65.20

  Do you want to run the integrity check daemon? (y/n) [y]: y

 - Running syscheck (integrity check daemon).

  Do you want to run the rootkit detection engine? (y/n) [y]: y

 Running rootcheck (rootkit detection).

3. Enable active response.

       - - Do you want to enable active response? (y/n) [y]: y

        -- Setting the con guration to analyze the following logs:
        -- /var/log/messages
        -- /var/log/authlog
        -- /var/log/secure
        -- /var/log/xferlog
        -- /var/log/maillog
        - If you want to monitor any other le, just change
        the ossec.conf and add a new local le entry.
http://its.sfsu.edu/guides/ossec-implementation 5/10
20/02/2018 OSSEC Implementation Guide | Information Technology Services

        Any questions about the con guration can be answered

        by visiting us online at http://www.ossec.net (http://www.ossec.net) .
        --— Press ENTER to continue —--

4. After you press Enter, the OSSEC HIDS is compiled, installed, and con gured with the options you
speci ed.

[root@ossec (mailto:root@ossec) ~]# /var/ossec/bin/ossec-control start

Adding agents to the server:

 

The communication between the server and the agents is secure (encrypted and authenticated).
Because of that, for every “agent” that you want to install, you need to create an “authentication key” for
it on the server. When the key is generated on the server, you need export it from there an import (or
push) to the agent.

1.  Add the agent to the server ( run the “manage_agents” command, provide the IP Address of the agent
and choose a name for it or username ).

(server)# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v0.8 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your actions: A,E,R or Q: a
http://its.sfsu.edu/guides/ossec-implementation 6/10
20/02/2018 OSSEC Implementation Guide | Information Technology Services

- Adding a new agent (use ‘q’ to return to main menu).

Please provide the following:
* A name for the new agent: linux1
* The IP Address for the new agent: 192.168.2.32

* An ID for the new agent[001]:

Agent information:
ID:001
Name:linux1
IP Address:192.168.2.32

Con rm adding it?(y/n): y

Added.

2. After agent is added, extract the authentication key from your server. In the “manage_agents”, choose
the “E” option and provide the ID of the agent. The key to be used by the agent will be printed. Then,
copy and paste it in the agent side.

(server)# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v0.8 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your actions: A,E,R or Q: e

Available agents:
ID: 001, Name: linux1, IP: 192.168.2.32
ID: 002, Name: obsd1, IP: 192.168.2.10
Provide the ID of the agent you want to extract the key: 001

Agent key information for ‘001′ is:

CDAxIGxpbnX4MSAxOTIuMTY4LjAuMzIgOWM5MENlYzNXXXYYYZZZZZ==

http://its.sfsu.edu/guides/ossec-implementation 7/10
20/02/2018 OSSEC Implementation Guide | Information Technology Services

** Press ENTER to continue

3. After a key is generated, copy it and paste it on the agent side. Run the same “manage_agents”
command in the agent.

(agent)# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v0.8 Agent manager. *
* The following options are available: *
****************************************
(I)mport key for the server (I).
(Q)uit.
Choose your actions: I or Q: i

* Provide the Key generated from the server.

* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here: CDAxIGxpbnX4MSAxOTIuMTY4LjAuMzIgOWM5MENlYzNXXXYYYZZZZZ==

Agent information:
ID:001
Name:linux1
IP Address:192.168.2.32

Con rm adding it?(y/n): y

Added.
** Press ENTER to continue.

****************************************
* OSSEC HIDS v0.8 Agent manager. *
* The following options are available: *
****************************************

http://its.sfsu.edu/guides/ossec-implementation 8/10
20/02/2018 OSSEC Implementation Guide | Information Technology Services

(I)mport key for the server (I).

(Q)uit.
Choose your actions: I or Q: q

manage_agents: Exiting ..

   

2. After that the agent installation is complete, you can start the OSSEC HIDS service by

running the following command:

      # /opt/ossec/bin/ossec-control start  

Installing agent on the Windows based machine:

 

1. Go to link below and download the OSSEC installer for Widows:

http://www.ossec.net/ les/ossec-agent-win32-2.4.1.exe (http://www.ossec.net/ les/ossec-agent-

win32-2.4.1.exe)

2. Launch installer:

          

         

http://its.sfsu.edu/guides/ossec-implementation 9/10
20/02/2018 OSSEC Implementation Guide | Information Technology Services

3. Accept the license.

  

4. Select components. ( in this case use agent)

5. After choosing folder location, in the Host Name eld, type the IP address or hostname of your
OSSEC HIDS server and then click Open. If this is your rst time connecting to the server from this
Windows host, you are asked to accept the server SSH identity. Launch the SSH client on your Windows
host and connect to the OSSEC HIDS server. You must use SSH to connect to the OSSEC HIDS server,
Extract the key for this agent, and then paste the key in the Authentication key eld.Accept the server
identity, log in to the server, and then execute the manage_agents utility.

6. Connect to the ossec server.

7. Run manage_agents command and option E

8. In this case, the host name is mercury, which has ID 002. Enter 002, select the key information, and
copy it to the clipboard.

9. Paste the key and click OK

http://its.sfsu.edu/guides/ossec-implementation 10/10