Guide: introducing HIDS OSSEC
OSSEC (Open Source Host-based Intrusion Detection System) is a host-based intrusion detection system. If your task is to check the integrity of files on your servers, log various actions on them, receive security events from your servers (and from other sources) together with notifications about those events, view various reports and much more, then HIDS OSSEC is an excellent solution for these tasks. OSSEC can work locally, in an agent + server scheme, and in hybrid mode (agent -> server -> server). We will look at the agent + server scheme and at working in hybrid mode.
Content
Installing OSSEC
Configuring the OSSEC configuration file
Adding agents
Configuring the configuration file for agents
Email alerts
Working with agents and receiving reports
Outputting data to other systems
OSSEC in hybrid mode
Install OSSEC
Installation on Ubuntu 14.04. Install the packages needed to build OSSEC:
apt-get install make gcc libssl-dev
Download OSSEC from the official site:
http://www.ossec.net/files/ossec-hids-2.8.2.tar.gz
tar -xvf ossec-hids-2.8.2.tar.gz
cd ossec-hids-2.8.2
Run the installation script ./install.sh, choose the language (en) and answer the questions:
1) What kind of installation do you want (server, agent, local, hybrid or help)?
Choose server.
2) Choose the installation path.
3) Do you want e-mail notification? (y/n) [y]:
Specify the SMTP server parameters for receiving email alerts.
4) Do you want to run the integrity check daemon? (y/n) [y]:
Enable the file integrity check daemon.
5) Do you want to run the rootkit detection engine? (y/n) [y]:
Enable rootkit detection.
6) Do you want to enable active response? (y/n) [n]:
Enable IPS mode. This mode is not covered in this example.
7) Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: y
We are waiting for the installation to complete.
By default, OSSEC is installed in /var/ossec/. Binaries are in /var/ossec/bin/, configuration files in /var/ossec/etc/, and logs in /var/ossec/logs/. For agents to talk to the server, port 1514/udp must be open.
Configuring the OSSEC configuration file
Open the config file:
nano /var/ossec/etc/ossec.conf
Global section. In this section we set up email alerts:
```xml
<global>
  <email_notification>yes</email_notification>  <!-- email notification enabled -->
  <email_to>ivanov@ossec.ru</email_to>           <!-- who receives the alerts -->
  <smtp_server>mail.ossec.ru</smtp_server>       <!-- your SMTP server -->
  <email_from>ossec@ossec.ru</email_from>        <!-- sender address -->
  <email_maxperhour>100</email_maxperhour>       <!-- maximum number of emails sent per hour -->
</global>
```
Syscheck section. This section contains the parameters for file integrity checking:
```xml
<syscheck>
  <frequency>18000</frequency>  <!-- how often the check runs, in seconds -->
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin,/boot,/opt,/lib,/lib64</directories>  <!-- directories to check -->
  <ignore>/etc/mtab</ignore>    <!-- files to ignore -->
</syscheck>
```
Let us look at additional file integrity parameters. If the scan should run at a specific time, use the scan_time or scan_day parameter, for example:
```xml
<scan_time>04:00</scan_time>  <!-- run the check at 4 a.m. -->
```
If constant monitoring of the integrity of some files is required, there is the realtime parameter:
```xml
<directories realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
```
Real-time monitoring cannot be enabled for an individual file; you must specify the directory that contains the file. You can also enable a check at OS startup:
```xml
<scan_on_start>yes</scan_on_start>
```
To be notified when new files appear in the monitored directories, use the alert_new_files parameter:
```xml
<alert_new_files>yes</alert_new_files>
```
The rootcheck section lists the files with rootkit signatures.
The localfile sections specify the log files that ossec will monitor.
Based on the decoders and rules in /var/ossec/etc/decoders.xml and /var/ossec/rules/, OSSEC processes the events from these log files. OSSEC ships with a fairly large number of rules by default; you can enable or disable them in the rules section. If these rules are not enough for you, or some of them are out of date, nothing stops you from changing them or writing your own.
The command and active-response sections contain the IPS mode configuration: here you configure the response to an event. /var/ossec/active-response/bin/ holds the default scripts that can be run when an event occurs. If these scripts are not enough, you can add your own.
Adding Agents
Install the OSSEC agent from the same distribution, selecting agent mode during installation:
apt-get install make gcc libssl-dev
3.1- What's the IP Address or hostname of the OSSEC HIDS server? Specify the IP address of our OSSEC server. Enable the integrity check and rootkit detection modules as before and wait for the installation to complete. Now the agent must be connected to our server. There are two ways to do this.
1st method
We go to the server and start the agent manager:
/var/ossec/bin/manage_agents
Choose (A)dd an agent. Enter the name of our agent, then its IP address, then the agent identifier (you can keep the ID that OSSEC suggests).
Confirm adding it? (Y/n): y
Confirm the addition of the agent. Next, select (E)xtract key for an agent and specify the ID of the new agent. Copy the base64 string and press Enter. Choose (Q)uit to leave the agent manager. Restart the server so that the agent is added:
/etc/init.d/ossec restart
Next, go to the agent host and open the agent manager there:
/var/ossec/bin/manage_agents
Select (I)mport key from the server to add the key we copied: paste the key, confirm adding the agent and exit. Then start the agent:
/etc/init.d/ossec start
You should receive an email saying that a new agent has connected. Go to the server to check that the agent is connected:
/var/ossec/bin/agent_control -l
The agent should appear in the list with status Active. In /var/ossec/logs/alerts/alerts.log we should also see the event:
New ossec agent connected.
Agent added successfully.
2nd method
We go to the server. We generate a certificate for our server:
# openssl genrsa -out /var/ossec/etc/sslmanager.key 2048
# openssl req -new -x509 -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365
We start the daemon that will wait for agents to register on port 1515:
/var/ossec/bin/ossec-authd -p 1515 >/dev/null 2>&1 &
Go to the machine with the agent:
Add the agent (192.168.1.113 is the IP address of the server):
/var/ossec/bin/agent-auth -m 192.168.1.113 -p 1515
Start the agent with /etc/init.d/ossec start. Go back to the server and check whether our agent has appeared:
/var/ossec/bin/agent_control -l
We should see a new agent; its name will match the hostname. For the agent to connect successfully, the OSSEC server must be restarted. This method is very convenient because it spares the OSSEC server administrator most of the key handling. For this mode to work, OSSEC must be built with the libssl-dev package on both the server and the agent.
Configuring the agents' configuration file
Setting up the configuration file for agents differs little from setting it up for the server: it has the same syscheck, rootcheck, localfile and other sections. It is more convenient, however, to keep a single configuration file for all agents on the server; the agents then pick up this file and any changes to it themselves.
To do this, create the file agent.conf on the server in /var/ossec/etc/shared/ - this will be our shared configuration file. In it you can define different configurations for our agents, selected in several ways:
- Agent name. You can configure several agents by listing their names:
```xml
<agent_config name="agent_name">
  <!-- integrity check settings -->
  <!-- rootkit check settings -->
  <!-- log file monitoring settings -->
</agent_config>
```
- Server profile. You can create configurations for groups of servers (for example web servers, databases, etc.):
```xml
<agent_config profile="our_profile">
  <!-- integrity check settings -->
  <!-- rootkit check settings -->
  <!-- log file monitoring settings -->
</agent_config>
```
- OS type. You can create configurations depending on the operating system:
```xml
<agent_config os="os_type">
  <!-- integrity check settings -->
  <!-- rootkit check settings -->
  <!-- log file monitoring settings -->
</agent_config>
```
To check the syntax in the config file for agents, you can use:
/var/ossec/bin/verify-agent-conf
As a result, only a few lines need to remain in /var/ossec/etc/ossec.conf on the agent:
```xml
<ossec_config>
  <client>
    <server-hostname>dns_name_of_our_server</server-hostname>  <!-- or <server-ip>server_ip</server-ip> -->
    <config-profile>our_profile, lowmemory</config-profile>
  </client>
</ossec_config>
```
The agent picks up the rest of the configuration from the server.
Email Alerts
We have already specified the email alert settings in the global section of the OSSEC server configuration file. Every event from the OSSEC rules has a criticality level; to receive email alerts only from a certain level upwards, configure it in the alerts section:
```xml
<alerts>
  <log_alert_level>1</log_alert_level>      <!-- minimum level written to alerts.log -->
  <email_alert_level>7</email_alert_level>  <!-- minimum level sent by email -->
</alerts>
```
We can also set up email alerts for events from specific message groups (groups are defined in the OSSEC rules):
```xml
<email_alerts>
  <email_to>web_admin@ossec.ru</email_to>
  <group>apache</group>
</email_alerts>
```
If we want to receive SMS messages, OSSEC has a special format for this:
```xml
<email_alerts>
  <email_to>admin@ossec.ru</email_to>
  <level>7</level>
  <format>sms</format>
</email_alerts>
```
Working with agents and receiving reports
Get a list of all agents:
/var/ossec/bin/agent_control -l
Get information about an agent; the interesting part here is the checksum of the configuration file, which can be compared with the configuration on the server:
/var/ossec/bin/agent_control -i agent_id
md5sum /var/ossec/etc/shared/agent.conf
If the checksums do not match, the agent has not picked up the config from the server.
Restart an agent (usually required to apply changes to the agents' config):
/var/ossec/bin/agent_control -R agent_id
Force an integrity check and rootkit search on all agents:
/var/ossec/bin/agent_control -r -a
The same, but for a specific agent only:
/var/ossec/bin/agent_control -r -u agent_id
Reset the file checksum database:
/var/ossec/bin/syscheck_update -h
-l List available agents.
-a Update (clear) syscheck database for all agents.
-u Update (clear) syscheck database for a specific agent.
-u local Update (clear) syscheck database locally.
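As an added example (not from the original article), a small POSIX shell script that automates the checksum comparison described above for many agents at once: it reads saved agent_control -i output for each agent and flags the agents whose reported checksum differs from md5sum of the shared agent.conf on the server, since an agent running a stale config is a monitoring gap. It assumes each agent's output was saved to agent-<id>.txt and that the reported checksum appears in that output as a 32-character hex MD5; the sample outputs below are constructed, not real agent output.

```shell
#!/bin/sh
# Find agents that have not picked up the current shared agent.conf.
# Assumption (not stated on the page): the checksum reported by
# "agent_control -i" appears as a 32-character hex MD5 in the saved output;
# any such token equal to the server-side md5sum counts as "in sync".

# server_conf_md5 FILE: MD5 of the shared agent.conf on the server
server_conf_md5() {
    md5sum "$1" | cut -d' ' -f1
}

# agent_conf_in_sync INFO_FILE CONF_FILE: 0 if the saved agent_control output
# carries the current checksum, 1 if it reports another one or none at all
agent_conf_in_sync() {
    current=$(server_conf_md5 "$2")
    for reported in $(grep -o '[0-9a-f]\{32\}' "$1"); do
        [ "$reported" = "$current" ] && return 0
    done
    return 1
}

# report_stale DIR CONF_FILE: list every agent whose DIR/agent-<id>.txt lacks
# the current checksum; the return value is the number of stale agents
report_stale() {
    stale=0
    for f in "$1"/agent-*.txt; do
        id=$(basename "$f" .txt | sed 's/^agent-//')
        if agent_conf_in_sync "$f" "$2"; then
            echo "agent $id: config up to date"
        else
            echo "agent $id: STALE config - restart it with agent_control -R $id"
            stale=$((stale + 1))
        fi
    done
    return "$stale"
}

# --- constructed sample data (stands in for the real files on the server) ---
WORK=$(mktemp -d)
cat > "$WORK/agent.conf" <<'EOF'
<agent_config os="Linux">
  <syscheck>
    <frequency>18000</frequency>
  </syscheck>
</agent_config>
EOF
CUR=$(server_conf_md5 "$WORK/agent.conf")
OLD=$(printf 'previous agent.conf' | md5sum | cut -d' ' -f1)   # hash of an older config
# On the server these would come from: /var/ossec/bin/agent_control -i 001 > agent-001.txt
printf '   Agent ID:   001\n   Status:     Active\n   Client version:      OSSEC HIDS v2.8.2 / %s\n' "$CUR" > "$WORK/agent-001.txt"
printf '   Agent ID:   002\n   Status:     Active\n   Client version:      OSSEC HIDS v2.8.2 / %s\n' "$OLD" > "$WORK/agent-002.txt"

report_stale "$WORK" "$WORK/agent.conf" || echo "$? agent(s) need attention"
```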
To get reports in the console, you can use this:
/var/ossec/bin/ossec-reportd
Examples:
Output all of today's alerts - cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -s
Output all alerts for a specific day - zcat /var/ossec/logs/alerts/2014/Dec/ossec-alerts-29.log.gz | /var/ossec/bin/ossec-reportd -s
Output all checksum-change alerts for the day - cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -s -f group syscheck
Output all failed login attempts for the day - cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -s -f rule 5503
Output all failed ssh login attempts for the day - cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -s -f rule 5716
Output all packages installed during the day - cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -s -f rule 2902
Output all packages removed during the day - cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -s -f rule 2903
Output ssh brute-force attempts for the day - cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -s -f rule 5712
Output data for a whole month - zcat /var/ossec/logs/alerts/2009/Jul/*.gz | /var/ossec/bin/ossec-reportd -s
Reports on file checksums for a specific agent or a specific file can be obtained with:
/var/ossec/bin/syscheck_control
Outputting data to other systems
Besides writing events to the alerts files and sending them as email alerts, OSSEC can be configured to output events to other systems or to a database.
Output to SIEM Prelude
To output events to the Prelude SIEM, install the libprelude-dev package and add Prelude support before installing the OSSEC server:
cd ossec-hids-2.8.2/src/
# make setprelude
cd ..
./install.sh
Now we send OSSEC events to Prelude Manager. Open /var/ossec/etc/ossec.conf and add the following line to the global section:
```xml
<prelude_output>yes</prelude_output>
```
Now register OSSEC with Prelude. Run in one terminal:
prelude-admin registration-server prelude-manager
The "p9dfqy34" password will be requested by "prelude-admin register"
in order to connect. Please remove the quotes before using it.
Generating 1024 bits Diffie-Hellman key for anonymous authentication ...
Waiting for peers install request on 0.0.0.0:5553 ...
Waiting for peers install request on :::5553 ...
In another terminal, register the OSSEC sensor:
# prelude-admin register OSSEC "idmef:w" 127.0.0.1 --uid ossec --gid ossec
Generating 2048 bits RSA private key ... This might take a very long time.
[Increasing system activity will speed-up the process].
Generation in progress ... X
Now run both daemons.
/etc/init.d/prelude-manager start
/etc/init.d/ossec restart
OSSEC events can now be observed in Prelude.
Outputting events to a database
To output events to a database, add database support before installing OSSEC:
cd ossec-hids-2.8.2/src/
# make setdb
cd ..
./install.sh
Then add the database connection parameters to the configuration file. Example:
```xml
<database_output>
  <hostname>192.168.2.32</hostname>
  <username>db_test</username>
  <password>db_pass1</password>
  <database>ossecdb</database>
  <type>mysql</type>
</database_output>
```
Supported databases: MySQL and PostgreSQL. The database schemas are in the official documentation.
Next, enable database output:
/var/ossec/bin/ossec-control enable database
/var/ossec/bin/ossec-control restart
Output to other systems via syslog
Add the following lines to the config file:
```xml
<syslog_output>
  <server>ip_address</server>
  <port>514</port>
  <format>default</format>
</syslog_output>
```
Enable the output:
/var/ossec/bin/ossec-control enable client-syslog
Events from OSSEC are often sent via syslog to Splunk, Logstash and various SIEMs.
OSSEC in hybrid mode
Hybrid mode is used to build an Agent -> Server -> Main server scheme, in other words to forward events to the main OSSEC server. In this mode both an OSSEC agent and an OSSEC server run on the same host.
To install OSSEC in hybrid mode, run the installation script, select the hybrid installation mode, answer all the questions and specify the IP address of the main server during installation.
All files of the agent are located in /var/ossec/ossec-agent/.
Starting, stopping and restarting the agent is done with:
/var/ossec/ossec-agent/bin/ossec-control start|stop|restart
To add this agent to the main server, you must also import the key created on the main server:
/var/ossec/ossec-agent/bin/manage_agents
Now this agent will read the file /var/ossec/logs/alerts/alerts.log and send these events to the main server.
While this mode was running, the agent stopped reading this log after some time. Installing this patch fixed the problem: github.com/ddpbsd/ossec-hids/tree/ossecalert
Now 135 agents are connected to my OSSEC server; there are both Windows and Linux servers (Ubuntu, Debian, CentOS).
References
- www.ossec.net
- OSSEC HIDS Host-Based Intrusion Detection Guide