Preliminary study on Ossec

Source: Internet
Author: User


Concept:

OSSEC is an open-source, host-based intrusion detection system (HIDS) that performs log analysis, file integrity checking, Windows registry monitoring, rootkit detection and real-time alerting. It runs on a variety of operating systems, including Linux, OpenBSD, Mac OS X, Solaris and Windows.

Architecture:

OSSEC consists of several components: the server, the agents, the database and the logging subsystem, among others.

Put simply, OSSEC works in a client/server (C/S) model: agents monitor their hosts and send the collected information to the server, the server analyzes and preprocesses it, and the resulting alerts are sent to the administrator through the mail system.

The server holds all rules, decoders and the main configuration options, which it uses to process the information reported by the agents; this makes a large number of clients easy to manage from one place.

The agent is a small program that monitors the system and reports the collected information to the server, consuming only a small amount of CPU and memory.

Installation:

OS version: CentOS 6.5

OSSEC version: 2.8.3

Install the dependencies:

yum -y install mysql-devel

MySQL configuration:

mysql -uroot -p

mysql> CREATE DATABASE ossec;
Query OK, 1 row affected (0.02 sec)

mysql> GRANT ALL ON ossec.* TO 'ossec'@'localhost' IDENTIFIED BY 'ossec';
Query OK, 0 rows affected, 1 warning (0.01 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.02 sec)

(The user@host part of the GRANT is masked as "[e- Mail protected]" in the copy this page was taken from; 'ossec'@'localhost' is assumed here, which matches the ossec user, the password and the 127.0.0.1 host configured in ossec.conf further down.)

Installation:

tar -zxvf ossec-hids-2.8.3.tar.gz

cd ossec-hids-2.8.3/src

make setdb

Info: Compiled with MySQL support.

cd ..

./install.sh

This starts the interactive installer:

  ** Para instalação em português, escolha [br].
  ** 要使用中文进行安装, 请选择 [cn].
  ** Fur eine deutsche Installation wohlen Sie [de].
  ** Για εγκατάσταση στα Ελληνικά, επιλέξτε [el].
  ** For installation in English, choose [en].
  ** Para instalar en Español, eliga [es].
  ** Pour une installation en français, choisissez [fr]
  ** A Magyar nyelvű telepítéshez válassza [hu].
  ** Per l'installazione in Italiano, scegli [it].
  ** 日本語でインストールします．選択して下さい．[jp].
  ** Voor installatie in het Nederlands, kies [nl].
  ** Aby instalować w języku Polskim, wybierz [pl].
  ** Для инструкций по установке на русском, введите [ru].
  ** Za instalaciju na srpskom, izaberi [sr].
  ** Türkçe kurulum için seçin [tr].
  (en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: cn    # choose cn (Chinese)

 OSSEC HIDS v2.8.3 Installation Script - http://www.ossec.net

 You are about to start the installation of the OSSEC HIDS.
 Make sure a C compiler is installed correctly on your machine.
 If you have any questions or suggestions, please send an e-mail
 to [email protected] (or [email protected]).

  - System: Linux master 2.6.32-573.el6.x86_64
  - User: root
  - Host: master

  -- Press ENTER to continue or Ctrl-C to abort. --

1- What kind of installation do you want (server, agent, local or help)? server    # on the server side choose server; on the client side choose agent
  - Server installation chosen.

2- Setting up the installation environment.
 - Choose where to install the OSSEC HIDS [/var/ossec]: /usr/local/ossec
    - Installation will be made at /usr/local/ossec .

3- Configuring the OSSEC HIDS.
  3.1- Do you want e-mail notification? (y/n) [y]: y
   - What's your e-mail address? [email protected]
   - What's your SMTP server ip/host? test
  3.2- Do you want to run the integrity check daemon? (y/n) [y]: y
   - Running syscheck (integrity check daemon).
  3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y
   - Running rootcheck (rootkit detection).
  3.4- Active response allows you to execute a specific command based on the events received.
       For example, you can block an IP address or disable access for a specific user.
       More information at: http://www.ossec.net/en/manual.html#active-response
   - Do you want to enable active response? (y/n) [y]: y
     - Active response enabled.
   - By default, we can enable the host-deny and the firewall-drop responses.
     The first one will add a host to /etc/hosts.deny and the second one will
     block the host on iptables (if Linux) or on ipfilter (if Solaris, FreeBSD or NetBSD).
   - They can be used to stop SSHD brute force scans, portscans and some other
     forms of attacks. You can also add them to block on snort events, for example.
   - Do you want to enable the firewall-drop response? (y/n) [y]: y
     - firewall-drop enabled (local) for levels >= 6
   - Default white list for the active response:
      - 114.114.114.114
      - 218.85.152.99
      - 218.85.157.99
   - Do you want to add more IPs to the white list? (y/n)? [n]: y
   - IPs (space separated): 8.8.8.8
  3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: y
   - Remote syslog enabled.
  3.6- Setting the configuration to analyze the following logs:
    -- /var/log/messages
    -- /var/log/secure
    -- /var/log/maillog
   - If you want to monitor any other file, just change the ossec.conf
     and add a new localfile entry.
     Any questions about the configuration can be answered
     by visiting us online at http://www.ossec.net .

   --- Press ENTER to continue ---
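The installer summary above describes what the server will do with /var/log/secure: the log analysis engine counts repeated SSHD authentication failures from one source, raises an alert, and active response runs firewall-drop for alerts of level 6 or higher unless the source address is on the white list. The following Python script is an added illustration of that logic written for this page, not OSSEC code: it runs an OSSEC-style composite rule (a given number of failures within a time window from the same source IP) over constructed /var/log/secure lines and applies the white list from the session above (the three defaults plus the 8.8.8.8 added by hand). The sample log lines, the thresholds (6 failures in 120 seconds) and the alert level 10 are the example's own choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address

# Constructed /var/log/secure lines in the syslog format sshd writes on CentOS;
# sample data for this example, not taken from the page.
SAMPLE_SECURE_LOG = """\
Mar  3 09:55:00 master sshd[1990]: Failed password for root from 203.0.113.5 port 39990 ssh2
Mar  3 10:00:01 master sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar  3 10:00:05 master sshd[2002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Mar  3 10:00:09 master sshd[2003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar  3 10:00:12 master sshd[2004]: Failed password for invalid user test from 203.0.113.5 port 40004 ssh2
Mar  3 10:00:15 master sshd[2005]: Failed password for root from 203.0.113.5 port 40005 ssh2
Mar  3 10:00:18 master sshd[2006]: Failed password for root from 203.0.113.5 port 40006 ssh2
Mar  3 10:00:20 master sshd[2007]: Accepted publickey for deploy from 192.168.1.7 port 50000 ssh2
Mar  3 10:01:00 master sshd[2008]: Failed password for root from 8.8.8.8 port 40010 ssh2
Mar  3 10:01:05 master sshd[2009]: Failed password for root from 8.8.8.8 port 40011 ssh2
Mar  3 10:01:10 master sshd[2010]: Failed password for root from 8.8.8.8 port 40012 ssh2
Mar  3 10:01:15 master sshd[2011]: Failed password for root from 8.8.8.8 port 40013 ssh2
Mar  3 10:01:20 master sshd[2012]: Failed password for root from 8.8.8.8 port 40014 ssh2
Mar  3 10:01:25 master sshd[2013]: Failed password for root from 8.8.8.8 port 40015 ssh2
Mar  3 10:30:00 master sshd[2020]: Failed password for root from 198.51.100.9 port 40020 ssh2
Mar  3 10:40:00 master sshd[2021]: Failed password for root from 198.51.100.9 port 40021 ssh2
"""

# White list as it ended up in the installer session: the three defaults
# (the host's DNS servers) plus 8.8.8.8, which was added by hand.
WHITELIST = {ip_address(a) for a in
             ("114.114.114.114", "218.85.152.99", "218.85.157.99", "8.8.8.8")}

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_syslog_ts(stamp: str, year: int = 2024) -> datetime:
    """syslog timestamps carry no year; assume one so they can be compared."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def sshd_bruteforce_alerts(log_text, frequency=6, timeframe=120, level=10,
                           whitelist=WHITELIST, year=2024):
    """Composite rule: `frequency` failures from one IP within `timeframe` seconds.

    Returns one record per firing, with the active-response decision the
    server's setup implies: firewall-drop for level >= 6 unless white-listed.
    """
    recent = defaultdict(deque)   # source ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # not an sshd authentication failure
        ip, ts = m["ip"], parse_syslog_ts(m["ts"], year)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > timeframe:
            q.popleft()   # drop failures that fell out of the window
        if len(q) >= frequency:
            if level < 6:
                action = "log only"
            elif ip_address(ip) in whitelist:
                action = "none (white-listed)"
            else:
                action = "firewall-drop"
            alerts.append({"ip": ip, "level": level, "count": len(q), "action": action})
            q.clear()  # start a new window so one burst fires once
    return alerts

if __name__ == "__main__":
    for alert in sshd_bruteforce_alerts(SAMPLE_SECURE_LOG):
        print(alert)
```

On the sample data the rule fires twice: 203.0.113.5 gets firewall-drop (its 09:55 failure has already fallen out of the window, so the count is exactly six), 8.8.8.8 is matched but skipped because it is white-listed, and 198.51.100.9 never reaches the threshold. The white list matters in practice for exactly this reason: a DNS server or jump host that trips a rule would otherwise be dropped from the firewall.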

After the installation completes, continue with the configuration.

Add the ossec users and group:

useradd ossec

useradd ossecm -g ossec

useradd ossecr -g ossec

/usr/local/ossec/bin/ossec-control enable database

mysql -uossec -p ossec < src/os_dbd/mysql.schema    # create the tables; the schema file does not select a database, so name it on the command line

chmod u+w /usr/local/ossec/etc/ossec.conf

vim /usr/local/ossec/etc/ossec.conf

Add the following (inside the <ossec_config> element):

  <database_output>
    <hostname>127.0.0.1</hostname>
    <username>ossec</username>
    <password>ossec</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>

  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.168.1.0/24</allowed-ips>
  </remote>

  <remote>
    <connection>secure</connection>
    <allowed-ips>192.168.1.0/24</allowed-ips>
  </remote>

Add an agent:

/usr/local/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v2.8.3 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: a    # add an agent

- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: ossec-agent-7    # the agent's name
   * The IP Address of the new agent: 192.168.1.7
   * An ID for the new agent[001]:    # keep the default; just press ENTER
Agent information:
   ID:001
   Name:ossec-agent-7
   IP Address:192.168.1.7

Confirm adding it?(y/n): y
Agent added.

****************************************
* OSSEC HIDS v2.8.3 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: e    # extract the agent's key; it has to be imported when installing the agent side

Available agents:
   ID: 001, Name: ossec-agent-7, IP: 192.168.1.7
Provide the ID of the agent to extract the key (or '\q' to quit): 001

Agent key information for '001' is:
MDAxIG9zc2VjLWFnZW50LTcgMTkyLjE2OC4xLjcgMDNjNDc0ZDFmYWM0ZGZkMjgzOTQ5NjIwMTYzZGZkZmYxYjNkMTJhMTA3MjcwNWFiMDEwOTVhOWFmNGFhZmFlNw==

** Press ENTER to return to the main menu.

/usr/local/ossec/bin/ossec-control start

Agent installation and configuration:

tar -zxvf ossec-hids-2.8.3.tar.gz
cd ossec-hids-2.8.3
./install.sh

  (the same language selection banner as on the server side)
  (en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]: cn
which: no host in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)

 OSSEC HIDS v2.8.3 Installation Script - http://www.ossec.net

 You are about to start the installation of the OSSEC HIDS.
 Make sure a C compiler is installed correctly on your machine.
 If you have any questions or suggestions, please send an e-mail
 to [email protected] (or [email protected]).

  - System: Linux localhost.localdomain 3.10.0-327.el7.x86_64
  - User: root
  - Host: localhost.localdomain

  -- Press ENTER to continue or Ctrl-C to abort. --

1- What kind of installation do you want (server, agent, local or help)? agent
  - Agent (client) installation chosen.

2- Setting up the installation environment.
 - Choose where to install the OSSEC HIDS [/var/ossec]: /usr/local/ossec
    - Installation will be made at /usr/local/ossec .

3- Configuring the OSSEC HIDS.
  3.1- What's the IP Address or hostname of the OSSEC HIDS server?: 192.168.1.7
   - Adding Server IP 192.168.1.7
  3.2- Do you want to run the integrity check daemon? (y/n) [y]: y
   - Running syscheck (integrity check daemon).
  3.3- Do you want to run the rootkit detection engine? (y/n) [y]: y
   - Running rootcheck (rootkit detection).
  3.4- Do you want to enable active response? (y/n) [y]: y
  3.5- Setting the configuration to analyze the following logs:
    -- /var/log/messages
    -- /var/log/secure
    -- /var/log/maillog
   - If you want to monitor any other file, just change the ossec.conf
     and add a new localfile entry.
     Any questions about the configuration can be answered
     by visiting us online at http://www.ossec.net .

   --- Press ENTER to continue ---

Get the key from the server and import it on the client:

/usr/local/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v2.8.3 Agent manager.     *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: i

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit): MDAxIG9zc2VjLWFnZW50LTcgMTkyLjE2OC4xLjcgMDNjNDc0ZDFmYWM0ZGZkMjgzOTQ5NjIwMTYzZGZkZmYxYjNkMTJhMTA3MjcwNWFiMDEwOTVhOWFmNGFhZmFlNw==
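The key extracted on the server and pasted into the agent above is the base64 encoding of the agent's client.keys line, "<id> <name> <ip> <secret>". The Python below is an added example written for this page (it is not part of OSSEC or of the original post): it decodes the page's key, checks its four fields against the ID, name and IP that manage_agents listed on the server, and rebuilds the client.keys line; the whitespace stripping covers exactly the case manage_agents warns about, a key pasted with spaces or line breaks. The 64-hex-character secret length is taken from the page's own key, and the sample of a malformed key used in the comments is constructed.

```python
import base64
import binascii
import ipaddress
import re

# The agent key exactly as manage_agents printed it on the server above; it is
# base64 of the client.keys line "<id> <name> <ip> <secret>".
PAGE_AGENT_KEY = (
    "MDAxIG9zc2VjLWFnZW50LTcgMTkyLjE2OC4xLjcg"
    "MDNjNDc0ZDFmYWM0ZGZkMjgzOTQ5NjIwMTYzZGZkZmYxYjNkMTJhMTA3MjcwNWFiMDEwOTVhOWFmNGFhZmFlNw=="
)

# The page's key carries a 64-character lowercase hex secret; require that shape.
SECRET_RE = re.compile(r"^[0-9a-f]{64}$")

def decode_agent_key(key_b64: str) -> dict:
    """Decode and validate an OSSEC agent key before importing it on the agent.

    manage_agents warns not to include spaces or new lines; a key pasted from a
    terminal often picks some up, so they are stripped first. Anything else that
    is wrong (bad base64, wrong field count, malformed IP, odd secret) raises
    ValueError instead of ending up in client.keys.
    """
    compact = "".join(key_b64.split())
    try:
        raw = base64.b64decode(compact, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not a valid base64 agent key: {exc}") from exc
    fields = raw.split(" ")
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields (id name ip secret), got {len(fields)}")
    agent_id, name, ip, secret = fields
    if not agent_id.isdigit():
        raise ValueError(f"agent id must be numeric, got {agent_id!r}")
    if ip != "any":
        # manage_agents accepts a single address or a CIDR range for the agent
        ipaddress.ip_network(ip, strict=False)   # ValueError if malformed
    if not SECRET_RE.match(secret):
        raise ValueError("secret is not 64 lowercase hex characters")
    return {"id": agent_id, "name": name, "ip": ip, "secret": secret}

def matches_server_listing(key_b64: str, agent_id: str, name: str, ip: str) -> bool:
    """Cross-check a pasted key against the ID, name and IP the server listed."""
    k = decode_agent_key(key_b64)
    return (k["id"], k["name"], k["ip"]) == (agent_id, name, ip)

def client_keys_line(key_b64: str) -> str:
    """The line the agent stores in etc/client.keys after a successful import."""
    k = decode_agent_key(key_b64)
    return f"{k['id']} {k['name']} {k['ip']} {k['secret']}"

if __name__ == "__main__":
    print(decode_agent_key(PAGE_AGENT_KEY))
    print(matches_server_listing(PAGE_AGENT_KEY, "001", "ossec-agent-7", "192.168.1.7"))
    # A constructed bad key ("not a key" in base64) is rejected with ValueError:
    try:
        decode_agent_key("bm90IGEga2V5")
    except ValueError as err:
        print("rejected:", err)
```

Running the check before pasting catches the two mistakes that most often leave an agent stuck in "Waiting for server reply": a key that was copied with a line break in the middle, and a key that belongs to a different agent entry than the one the server listed.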

/usr/local/ossec/bin/ossec-control start

Reference:

http://ossec.github.io/docs/
