February 2, 2017
Intro to OSSEC
Intro to OSSEC HIDS

OSSEC is an open-source host-based intrusion detection system (HIDS) that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. Tied together with a front end such as Snorby, Sguil, ELSA or AlienVault, it becomes a very powerful tool for knowing when, where and how an intrusion or unauthorized change took place on a sensitive host. Set up centrally and tuned, systems like these make forensic analysis much more manageable. In this tutorial we are going to learn the basics of how this is done using Security Onion.

For this lab you will need:

- Security Onion VM (configured in a previous tutorial)
- Windows 7-10 VM (this demonstration uses Windows 7)
- PuTTY (or at least PSFTP)

Main takeaways:

- What an HIDS does
- How this type of HIDS functions
- How to transfer files using SFTP
- How logging is performed across machines
- Intro to config files and what they do
- Intro to iptables

Adding an agent

The first thing we need to do is add an agent to monitor. OSSEC can also run in an "agentless" mode, where the manager checks hosts over SSH, but we are going the more common agent route for simplicity. On the Windows VM, download the agent installer, which can be found here: https://ossec.github.io/downloads.html. You can uncheck the IIS log option unless you are running a web server on the Windows machine. This agent is essentially our HIDS sensor: it monitors for file changes and for manipulation of Windows registry entries. Once OSSEC is fully set up, the agent hashes the monitored files and registry entries and sends those hashes to the manager you chose, which keeps them as a baseline; at every scan the agent recomputes the hashes and the manager raises an alert for anything that has changed. The scan interval (the OSSEC default is every 79200 seconds, about 22 hours) can be configured as needed. Now that the agent is installed and running you should have an OSSEC Agent Manager window which asks for the server IP and the authentication key.
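Before continuing with the key, here is the integrity check described in the last paragraph written out as an added example, not OSSEC's own code: a minimal syscheck-style baseline and comparison in POSIX shell. The function names, the hash algorithm (SHA-256 here; OSSEC 2.x uses MD5 and SHA-1) and the baseline-in-a-file layout are this example's assumptions; OSSEC keeps the baseline on the manager and covers registry keys as well as files.

```shell
#!/bin/sh
# Added example, not OSSEC's own code: a minimal stand-in for the syscheck
# integrity check. fim_baseline records a hash for every regular file under a
# directory; fim_compare rescans and reports what was added, removed or
# modified since the baseline.
# Assumes sha256sum (GNU coreutils) or shasum (BSD/macOS) is on PATH.

hash_file() {
    # print "<sha256>  <path>" for one file
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# fim_baseline DIR OUTFILE : write one "<hash>  <path>" line per regular file under DIR
fim_baseline() {
    dir=$1
    out=$2
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        hash_file "$f"
    done > "$out"
}

# fim_compare BASELINE DIR : rescan DIR and print "ADDED|MODIFIED|REMOVED<tab>path"
# for every difference, sorted; prints nothing when nothing changed.
fim_compare() {
    base=$1
    dir=$2
    cur=$(mktemp)
    fim_baseline "$dir" "$cur"
    # the path starts after the hash and the two-space separator, so paths
    # containing spaces survive; mode= marks which file is which for awk
    awk '
        { h = $1; p = substr($0, length($1) + 3) }
        mode == "old" { old[p] = h; next }
        { new[p] = h }
        END {
            for (p in old) if (!(p in new)) print "REMOVED\t" p
            for (p in new) {
                if (!(p in old))           print "ADDED\t" p
                else if (old[p] != new[p]) print "MODIFIED\t" p
            }
        }' mode=old "$base" mode=new "$cur" | LC_ALL=C sort
    rm -f "$cur"
}

# Typical use (the rescan interval is the equivalent of OSSEC's <frequency>):
#   fim_baseline /etc /var/lib/fim/etc.baseline
#   ...later, from cron...
#   fim_compare /var/lib/fim/etc.baseline /etc
```

The baseline file is the weak point of a local scheme like this: an attacker who can modify the monitored files can usually rewrite the baseline too, which is why OSSEC keeps the baseline on the manager rather than on the monitored host.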
Enter the IP of our Security Onion box here, then move over to the SO box to extract the key for this host.

Extracting host keys

On the SO box, start a terminal and open the OSSEC agent management console with the following command:

sudo /var/ossec/bin/manage_agents

If you try to extract a key for the Windows machine first, manage_agents has nothing to extract, because no agent exists yet. We need to add it as an agent first: choose the add option, fill in the name, IP address and ID for the Windows machine, and you are done. The next step is to extract our key: choose the extract option and provide the ID from the previous step, and you get the key for that host. Treat this key as a secret; it is what authenticates the agent to the manager. Now that we have the key we can move back to the Windows host to finish the process. Of course, we don't want to type the key out, so to avoid errors copy and paste it into a file on the SO box. Once that is done we will transfer it using SFTP.

File transfer using SFTP

On the Windows machine, locate PSFTP and connect to the Security Onion VM using the "open" command. After logging in, run ls to make sure you are in the directory where you saved the key file. Then we want to change the local directory, the one on the Windows machine that the file will be saved to. The command:
lcd C:\Users\<YOURUSERNAMEHERE>\Desktop

lets us do that easily. With a local directory set on the Windows machine, grab the file with the "get" command. I named my file key, so "get key" was the command I used. Open that file with Notepad and copy and paste the key into the Agent Manager we set up at the beginning. Once that is complete, hit Save, then Manage at the top, and start OSSEC. Delete the copy of the key from the desktop afterwards; anyone who obtains it can impersonate this agent to the manager.

Config files

I want to take a moment to highlight something very important here: config files. If you are new to Linux, you must understand that a lot of the work and tuning is done through these. They can be difficult to read or infuriating to configure correctly, but don't give up! And of course, before you edit anything in a config file, create backups! These files are comparable to the registry on a Windows system: a mistake can break a protocol, a service or the system itself, so this is the one takeaway that will save you the most headaches. Open the Agent Manager on the Windows machine and select View at the top. Hit "View Config" and it opens ossec.conf, which is where you choose which files and registry keys are monitored on this host, the frequency at which integrity checking runs, and many other settings you may need to change.

Now we just have to move back to the Security Onion box and modify one thing: iptables. This is essentially the host firewall on most Linux machines. I won't go too in-depth here because someone could write an entire tutorial on it alone; we are just going to add this rule:

# Allows the agent to reach the manager on port 1514
sudo iptables -A INPUT -p udp --dport 1514 -s <host IP here> -j ACCEPT

We also need to allow the server to talk back to our hosts:

sudo iptables -A OUTPUT -j ACCEPT

Finally:

sudo iptables -A INPUT -j DROP

Be careful with that last rule: it is appended to the end of the INPUT chain and drops every inbound packet not accepted by an earlier rule, including SSH and the return traffic of connections the box itself opened, so make sure rules accepting ESTABLISHED,RELATED traffic and SSH (tcp/22) sit before it, or you will lock yourself out. After that, we'll run this command
sudo /var/ossec/bin/list_agents -c

which should list all of our connected agents... nothing there? Uh oh. Don't worry, this is common and normal: we haven't yet restarted the OSSEC services on our machines, and the manager only reads newly added agents from its key file when it starts. iptables rules take effect as soon as they are added, so there is nothing to restart there, but they won't survive a reboot. To make them persistent, save them to a file (for example sudo iptables-save > /etc/iptables.rules) and restore that file at boot with iptables-restore from rc.local, or install the iptables-persistent package, which does the same job. Anyway, restart the service on the Security Onion box with this command:

sudo /var/ossec/bin/ossec-control restart

and restart the agent through the Agent Manager on the Windows 7 box. Afterward, hit View > View Logs on the Windows machine and scroll down to the bottom. You should now see a line like this:

2017/01/27 12:34:55 ossec-agent(4102): INFO: Connected to the server (<Server IP here>:1514).

Re-run the list_agents command from earlier and it should say that your host is now active! You should be able to view logs coming in through ELSA on the Security Onion machine under the "Host logs" tab. I hope this was informative and that you enjoyed following along.
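For the ossec.conf editing mentioned in the config files section, here is an added example of a trimmed Windows-agent configuration; it is not the file shipped with the agent. The manager address 192.168.56.10, the two-hour frequency and the monitored paths are assumptions for this lab, and the agent must be restarted from the Agent Manager for changes to take effect.

```xml
<!-- Added example, not the stock agent config. Addresses, paths and the
     frequency are assumptions for this lab. -->
<ossec_config>
  <client>
    <!-- the Agent Manager writes the server IP you entered here -->
    <server-ip>192.168.56.10</server-ip>
  </client>

  <syscheck>
    <!-- seconds between full scans; the default 79200 (22 hours) leaves a long
         window before a change is noticed, so tighten it on sensitive hosts -->
    <frequency>7200</frequency>

    <!-- check_all compares size, permissions, owner and hashes; realtime raises
         an event as soon as a file under the directory changes -->
    <directories check_all="yes" realtime="yes">%WINDIR%/System32/drivers/etc</directories>
    <directories check_all="yes">C:\inetpub\wwwroot</directories>

    <!-- files that change constantly would only generate noise -->
    <ignore>C:\Windows\Temp</ignore>
    <ignore type="sregex">.log$</ignore>

    <!-- registry autostart locations are a classic persistence target -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
  </syscheck>
</ossec_config>
```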
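The iptables rules above work, but appending a catch-all DROP to a chain with nothing in front of it is how you lose your SSH session. As an added example that is not part of the original tutorial, the following POSIX shell function generates a complete rule set for the manager in a safe order; it prints the rules instead of applying them so they can be reviewed first. It assumes OSSEC's default port udp/1514, SSH on tcp/22 from an administrative network, and the iptables -C (check) option for idempotent appends.

```shell
#!/bin/sh
# Added example, not from the original tutorial or the OSSEC project: emit an
# iptables rule set for the OSSEC manager that admits agent traffic on udp/1514
# from listed agent IPs and drops all other inbound traffic, without locking
# out the administrator. Review the output, then apply it:
#   ossec_manager_rules 192.168.56.0/24 192.168.56.101 192.168.56.102 | sudo sh
# Assumes OSSEC's default port udp/1514 and SSH on tcp/22 from ADMIN_NET.

# emit one idempotent rule: append only if an identical rule is not already present
rule() {
    echo "iptables -C $1 2>/dev/null || iptables -A $1"
}

# accept only digits, dots and an optional /prefix so that no shell text can be
# smuggled into the generated script through a hostile agent list
valid_addr() {
    case $1 in
        ''|*[!0-9./]*) return 1 ;;
        *) return 0 ;;
    esac
}

# ossec_manager_rules ADMIN_NET AGENT_IP... : print the rules in the order
# they must be appended
ossec_manager_rules() {
    admin_net=$1
    shift
    valid_addr "$admin_net" || { echo "bad admin network: $admin_net" >&2; return 1; }
    for ip in "$@"; do
        valid_addr "$ip" || { echo "bad agent address: $ip" >&2; return 1; }
    done
    rule "INPUT -i lo -j ACCEPT"
    # replies to connections the manager opened, and packets of flows already accepted
    rule "INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # keep administrative SSH reachable; without this the final DROP cuts you off
    rule "INPUT -p tcp --dport 22 -s $admin_net -j ACCEPT"
    for ip in "$@"; do
        rule "INPUT -p udp --dport 1514 -s $ip -j ACCEPT"
    done
    # the catch-all must be last: -A appends, so anything added after it is never reached
    rule "INPUT -j DROP"
}
```

If you already appended the tutorial's catch-all, delete it first with sudo iptables -D INPUT -j DROP so the generated rules do not land behind it; once the set is right, sudo iptables-save > /etc/iptables.rules captures it for restoring at boot.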