Archive for the tag 'Intrusion'

SBDavid
Oct 21st, 2009

OSSEC Open Source Host-based Intrusion Detection System

OSSEC Open Source Host-based Intrusion Detection System.

OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows. A list with all supported platforms is available http://www.ossec.net/main/supported-systems

Download http://www.ossec.net/files/ossec-hids-latest.tar.gz

If you have one system to monitor, you can install the OSSEC HIDS locally on that box and do everything from there.

However, if you are administering a few systems, you can select one to be your OSSEC server and the others to be OSSEC agents, forwarding events to the server for analysis. One of the greatest benefits of the OSSEC HIDS is its scalability, allowing you to monitor multiple systems from a central point.

# wget http://www.ossec.net/files/ossec-hids-latest.tar.gz

The best option is to select one of your machines to be the OSSEC server and perform the “server” installation on it. Then, choose the “agent” installation for the others.

Your IDS and rootkit rules will be just in one box, making it much easier to administer and configure.

Please make sure that you understand the type of installation you are choosing (manager, agent, local, etc) and are also aware of the order (always install the manager first).

Extract the compressed package and run the “./install.sh” script (It will guide you through the installation).

# tar -zxvf ossec-hids-*.tar.gz (or gunzip -d; tar -xvf)
# cd ossec-hids-*
# ./install.sh

Remember to open the port 1514 (UDP) if there is a firewall between the server and the agents (if you didn’t choose the local installation).

Start the OSSEC HIDS.

# /var/ossec/bin/ossec-control start