Intro to OSSEC

February 2, 2017 | Views: 9257


Intro to OSSEC HIDS

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection and real-time alerting and active response. When tied together with something like Snorby, Sguil, ELSA or Alienvault, this can be a very powerful tool for knowing when, where and how an intrusion or unauthorized event takes place on a sensitive host. With systems like these set up in a centralized manner after some tuning, it can make forensic analysis much more manageable. For this tutorial, we’re going to learn the basics of how this might be done using SecurityOnion.

For this lab you will need:

SecurityOnion VM (configured in a previous tutorial)

Windows 7-10 VM (This demonstration uses 7)

Putty (or at least PSFTP)

Main takeaways:

– What an HIDS does

– How this type of HIDS functions

– How to transfer files using SFTP

– How logging is performed across machines

– Intro to config files and what they do

– Intro to iptables

Adding an agent

The first thing we need to do is add an agent to monitor. OSSEC can be run in an “agentless” setup, but we’re going to go the more common route for simplicity. On our Windows VM we need to download the agent client, which can be found at https://ossec.github.io/downloads.html. You can uncheck IIS unless you are running a web server on your Windows machine. This is essentially our HIDS agent, which will monitor for file changes or manipulation of Windows registry entries.


How this works: once OSSEC is fully set up, the agent sends the current hash values of Windows files or registry entries to your chosen server and periodically checks whether they have changed. The timing of this check can of course be configured as needed. Now that the agent is installed and running, you should have a manager window available which asks for the server IP and authentication key. We’re going to use the IP of our SecurityOnion box here and then move over to extract the key for this host.

[Screenshot: extracting host keys]

On our SO box, start a terminal and open up the agent management console for OSSEC with the following command:

sudo /var/ossec/bin/manage_agents

If we attempt to extract a key for our Windows machine first, as I’ve done above, you’ll see this result. First, we need to add it as an agent. Fill out the ID, name and IP address for the Windows machine and you should be finished. The next step is to extract our key: provide the ID from the previous step and you should get the key for that host. Now that we have our key we can move back to the Windows host to finish the process. Of course, we don’t want to type out this key, so to avoid errors go ahead and copy/paste it to a file. Once that’s finished we’ll transfer it using SFTP.
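A mis-pasted key is the usual reason an agent never shows up as active, so here is a small added check, written for this write-up and not part of OSSEC or the original tutorial. It decodes the string that manage_agents prints (the base64 of one `ID NAME IP KEY` line from client.keys) and confirms that the ID, name and IP inside it match the host you just added. The sample key, the agent name `win7-lab` and the addresses are constructed for the example.

```python
import base64
import binascii
import re

# Constructed sample: manage_agents "extract key" prints the base64 of one
# client.keys line, "ID NAME IP KEY". This key is made up for the example and
# does not belong to any real host.
SAMPLE_KEY_LINE = "001 win7-lab 192.168.56.101 " + "ab12" * 16
SAMPLE_KEY = base64.b64encode(SAMPLE_KEY_LINE.encode("ascii")).decode("ascii")

KEY_HEX_RE = re.compile(r"^[0-9a-f]{64}$")
# OSSEC accepts a plain IPv4 address, a CIDR range, or the word "any".
ADDR_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?$|^any$")


def decode_agent_key(key_b64: str) -> dict:
    """Decode a pasted agent key into its id, name, ip and key fields.

    Raises ValueError with a readable reason when the key was damaged in
    transit (truncated, badly line-wrapped, or not a key at all).
    """
    # Tolerate line wraps and stray spaces introduced by copy/paste.
    compact = "".join(key_b64.split())
    try:
        raw = base64.b64decode(compact, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not a valid base64 OSSEC key: {exc}") from exc
    parts = raw.split()
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields (id name ip key), got {len(parts)}")
    agent_id, name, address, secret = parts
    if not agent_id.isdigit():
        raise ValueError(f"agent id {agent_id!r} is not numeric")
    if not ADDR_RE.match(address):
        raise ValueError(f"agent address {address!r} is not an IPv4 address, CIDR range or 'any'")
    if not KEY_HEX_RE.match(secret):
        raise ValueError("key material is not 64 lowercase hex characters")
    return {"id": agent_id, "name": name, "ip": address, "key": secret}


def key_mismatches(key_b64: str, expected_id: str, expected_name: str, expected_ip: str) -> list:
    """Return the fields that disagree with the host we meant to enrol (empty list = good)."""
    fields = decode_agent_key(key_b64)
    expected = {"id": expected_id, "name": expected_name, "ip": expected_ip}
    return [f"{k}: key says {fields[k]!r}, expected {v!r}"
            for k, v in expected.items() if fields[k] != v]


def key_is_intact(key_b64: str) -> bool:
    """True if the pasted text decodes as a structurally valid agent key."""
    try:
        decode_agent_key(key_b64)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(decode_agent_key(SAMPLE_KEY))
    print("mismatches:", key_mismatches(SAMPLE_KEY, "001", "win7-lab", "192.168.56.101"))
    print("truncated key intact?", key_is_intact(SAMPLE_KEY[:-5]))
```

Run it against the key you copied out of manage_agents before pasting it into the Windows agent manager; a non-empty mismatch list means you extracted the key for the wrong agent ID, and `key_is_intact` returning False means the copy lost characters somewhere.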

File transfer using SFTP

On your Windows machine locate PSFTP and connect to your SecurityOnion VM using the “open” command. After logging in you can run ls to make sure you’re in the right directory.

After that we want to change to the directory we’re going to save that file to on our local machine. The command:

lcd C:\users\<YOURUSERNAMEHERE>\desktop

Allows us to accomplish the above easily. Now that we have a directory set on our Windows machine we can go ahead and grab the file with the “get” command. I named my file key so “get key” was the command I used to grab the file. Below is the result. We can open that file with Notepad and copy/paste our key into the agent we set up at the beginning.

[Screenshot: file transfer using SFTP]

Once that’s complete, all you have to do is hit save, then manage at the top and start OSSEC.

Config files

I want to take a moment to highlight something very important here, and that is config files. If you’re new to Linux then you must understand that a lot of work and tuning is done through these. Sometimes they can be difficult to read or infuriating to configure correctly, but don’t give up! And of course, before you begin to edit anything in a config file, create backups! These files are comparable to the registry on a Windows system and could break the functionality of protocols and services, or the very system itself, so this is the most important takeaway and will save you a lot of headaches. Open the agent manager on your Windows machine and select View at the top. Hit “View Config” and it will open “ossec.conf”, which is where you can edit which files you want monitored on this host, the frequency at which integrity checking happens and many other things you may need to change. This is what it looks like:

[Screenshot: config files]
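To see what the syscheck section of ossec.conf actually asks the agent to do, here is an added Python helper (not part of OSSEC or the tutorial) that reads a config excerpt and reports the check frequency, monitored paths, ignored paths and registry keys, with a few review warnings. The excerpt below is constructed to look like a Windows agent config; the paths, registry key and server address are illustrative, not taken from a real install.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of a Windows agent ossec.conf. Paths and the
# registry key are illustrative, not copied from any real installation.
SAMPLE_OSSEC_CONF = r"""<ossec_config>
  <client>
    <server-ip>192.168.56.10</server-ip>
  </client>
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">%WINDIR%/win.ini,%WINDIR%/system.ini</directories>
    <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
    <directories>C:\inetpub\wwwroot</directories>
    <ignore>%WINDIR%/System32/LogFiles</ignore>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
  </syscheck>
</ossec_config>
<ossec_config>
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>
"""


def parse_ossec_conf(conf_text: str) -> ET.Element:
    """ossec.conf may hold several top-level <ossec_config> blocks, which is
    not well-formed XML on its own, so wrap the file in a synthetic root."""
    return ET.fromstring("<root>" + conf_text + "</root>")


def summarize_syscheck(conf_text: str) -> dict:
    """Collect what the file integrity checker is configured to watch."""
    root = parse_ossec_conf(conf_text)
    summary = {
        "frequency_seconds": None,
        "directories": [],
        "directories_without_check_all": [],
        "ignored": [],
        "registry": [],
        "warnings": [],
    }
    for syscheck in root.iter("syscheck"):
        freq = syscheck.findtext("frequency")
        if freq is not None:
            summary["frequency_seconds"] = int(freq.strip())
        for node in syscheck.findall("directories"):
            # One <directories> element may list several comma-separated paths.
            for path in (p.strip() for p in (node.text or "").split(",")):
                if not path:
                    continue
                summary["directories"].append(path)
                if node.get("check_all") != "yes":
                    summary["directories_without_check_all"].append(path)
        summary["ignored"] += [n.text.strip() for n in syscheck.findall("ignore") if n.text]
        summary["registry"] += [n.text.strip() for n in syscheck.findall("windows_registry") if n.text]

    # Review hints: these are things worth a second look, not hard errors.
    if summary["frequency_seconds"] is None:
        summary["warnings"].append("no <frequency> set; OSSEC will use its built-in default")
    elif summary["frequency_seconds"] > 24 * 3600:
        summary["warnings"].append("integrity check runs less than once a day")
    if not summary["directories"]:
        summary["warnings"].append("syscheck monitors no directories on this agent")
    for path in summary["directories_without_check_all"]:
        summary["warnings"].append(f"{path}: no check_all attribute, relies on OSSEC's default checks")
    return summary


if __name__ == "__main__":
    result = summarize_syscheck(SAMPLE_OSSEC_CONF)
    hours = result["frequency_seconds"] / 3600 if result["frequency_seconds"] else None
    print(f"check every {result['frequency_seconds']} s (~{hours} h)")
    for key in ("directories", "ignored", "registry", "warnings"):
        print(key + ":")
        for item in result[key]:
            print("  ", item)
```

Point it at the real ossec.conf after you have backed it up and before you change anything, and run it again after the edit; the two summaries side by side tell you exactly what your change added or dropped from the watch list.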

Now we just have to move back to the SecurityOnion box and modify one thing: iptables.

This is essentially the host firewall on most Linux machines. I won’t go too in-depth here because someone could write an entire tutorial on this alone, but we’re just going to add this rule:

# Allows the host to communicate with the server through port 1514

sudo iptables -A INPUT -p udp --dport 1514 -s <host IP here> -j ACCEPT

We also need to allow the server to talk back to our hosts:

sudo iptables -A OUTPUT -j ACCEPT

Finally:

sudo iptables -A INPUT -j DROP

After that, we’ll run this command

sudo /var/ossec/bin/list_agents -c

Which should list all of our agents… nothing there? Uh oh. But don’t worry, this is common and normal since we haven’t yet restarted the service on our machines. iptables rules come into effect as soon as they are added, so we don’t need to restart that, but they won’t survive a reboot. For them to persist, we need to save the rules to a file and restore them from rc.local, which is a script run at boot. Anyway, restart the service on the SecurityOnion box with this command:

sudo /var/ossec/bin/ossec-control restart

and restart the agent through the agent manager on the W7 box. Afterward, hit View > View Logs on the Windows machine and scroll down to the bottom. You should now see a line like this:

2017/01/27 12:34:55 ossec-agent(4102): INFO: Connected to the server (<Server IP here:1514>)

Re-run the command from earlier to list agents and it should say that your host is now active! You should be able to view logs coming in through ELSA on the security onion machine by viewing the “Host logs” tab. I hope this was informative and that you enjoyed following along.
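Rather than scrolling to the bottom of the agent log by eye, the following added Python snippet (not from OSSEC or the tutorial) parses log lines in the format shown above and reports whether the last connection event was a success. Only the 4102 line follows the format the tutorial shows; the preceding 4101 “Waiting for server reply” lines, the timestamps and the addresses in the sample are constructed for the example.

```python
import re

# Constructed agent log excerpt. The 4102 "Connected to the server" line has
# the shape shown in the tutorial; the 4101 lines are made-up illustrations of
# what precedes it on a host whose UDP 1514 traffic is still being blocked.
SAMPLE_AGENT_LOG = """\
2017/01/27 12:33:40 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '192.168.56.10'.
2017/01/27 12:34:10 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '192.168.56.10'.
2017/01/27 12:34:55 ossec-agent(4102): INFO: Connected to the server (192.168.56.10:1514).
"""

LOG_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<prog>[\w-]+)\((?P<code>\d+)\): (?P<level>\w+): (?P<msg>.*)$"
)
SERVER_RE = re.compile(r"\(([^)]+)\)")


def parse_agent_log(lines):
    """Yield one dict per well-formed ossec.log line; skip anything else."""
    for line in lines:
        m = LOG_LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def agent_connection_status(lines) -> dict:
    """Summarise what the agent log says about the link to the manager.

    The most recent 4101/4102 event wins: a 4102 after the 4101 warnings means
    the firewall rule and the key are working; a 4101 as the final word means
    the agent is still not getting an answer on UDP 1514.
    """
    status = {"connected": False, "server": None, "last_seen": None,
              "waiting_count": 0, "errors": []}
    for entry in parse_agent_log(lines):
        if entry["prog"] != "ossec-agent":
            continue
        if entry["code"] == "4102":
            status["connected"] = True
            status["last_seen"] = entry["ts"]
            found = SERVER_RE.search(entry["msg"])
            status["server"] = found.group(1) if found else None
        elif entry["code"] == "4101":
            status["connected"] = False
            status["waiting_count"] += 1
        elif entry["level"] == "ERROR":
            # Keep any other error text so it can be shown to the operator.
            status["errors"].append(entry["msg"])
    return status


if __name__ == "__main__":
    result = agent_connection_status(SAMPLE_AGENT_LOG.splitlines())
    if result["connected"]:
        print(f"agent connected to {result['server']} at {result['last_seen']} "
              f"after {result['waiting_count']} retries")
    else:
        print(f"agent NOT connected ({result['waiting_count']} waiting messages)")
    for err in result["errors"]:
        print("error:", err)
```

On a real host, feed it the agent’s ossec.log instead of the sample: a growing `waiting_count` with `connected` still False points back at the iptables rule or the key, which are the two things this tutorial changed.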

9 Comments
  1. Very interesting read, thanks

  2. I’ll give it a go. Thank you!

  3. This is extremely interesting, seeing as I’ve always had trouble with things like this.
