Getting started with OSSEC (Intrusion Detection System)

29/12/2020
OSSEC markets itself as the world’s most widely used host-based Intrusion Detection System (HIDS). An Intrusion Detection System (commonly called an IDS) is software that monitors a network or a host for anomalies, incidents or any other event we decide should be reported. Like a firewall, an IDS is driven by rules: it can be configured to send an alert when a rule matches, to apply a security measure, or to respond to the threat automatically (OSSEC calls this Active Response) in whatever way suits your network or device.

An IDS can warn us about DDoS attempts, brute-force logins, exploits, data leaks and more; it monitors the system in real time and interacts with us and with the host in the way we configure. OSSEC works from the host side: it analyses log files, checks file integrity (syscheck), looks for rootkits and can block offending IP addresses through Active Response.

At LinuxHint we previously dedicated two tutorials to Snort, a network-based IDS that is one of the leading intrusion detection systems on the market and one of the longest-established. The articles were Installing and Using Snort Intrusion Detection System to Protect Servers and Networks and Configure Snort IDS and Create Rules.

This time I’ll show how to set up OSSEC. OSSEC has two roles. The server (also called the manager) is the core of the software: it holds the rules, the event entries and the policies. Agents are installed on the devices to be monitored and deliver their logs and incident reports to the server. In this tutorial we will only install the server side and use it to monitor the host it runs on; the server package already performs the agent’s functions (log analysis, file integrity checking, rootkit detection) for the device it is installed on.

OSSEC Installation:

First of all run:

apt install libmariadb2

For Debian and Ubuntu packages you can download OSSEC Server at https://updates.atomicorp.com/channels/ossec/debian/pool/main/o/ossec-hids-server/

For this tutorial I will download the current version by typing in the console:

wget https://updates.atomicorp.com/channels/ossec/debian/pool/main/o/ossec-hids-server/ossec-hids-server_3.3.0.6515stretch_amd64.deb

Then run:

dpkg -i ossec-hids-server_3.3.0.6515stretch_amd64.deb

If dpkg stops because of unmet dependencies, run apt -f install to pull them in and finish configuring the package.

Start OSSEC by executing:

/var/ossec/bin/ossec-control start

and confirm that its daemons (ossec-analysisd, ossec-syscheckd, ossec-logcollector and the others) are running with /var/ossec/bin/ossec-control status.

By default our installation does not enable mail notification. To enable it, open the configuration file:

nano /var/ossec/etc/ossec.conf
 
Inside the <global> section, change
<email_notification>no</email_notification>
 
to
<email_notification>yes</email_notification>
 
and, in the same <global> section, add the recipient, the SMTP relay and the sender address:
<email_to>YOURADDRESS</email_to>
<smtp_server>SMTP SERVER</smtp_server>
<email_from>ossecm@localhost</email_from>

OSSEC’s mailer (ossec-maild) speaks plain SMTP and does not do SMTP authentication, so point smtp_server at a local MTA or at a relay that accepts mail from this host’s address.

Press Ctrl+X and then Y to save and exit, then restart OSSEC so the new configuration is loaded:

/var/ossec/bin/ossec-control restart

Note: if you want to install OSSEC’s agent on a different device, type:

wget https://updates.atomicorp.com/channels/ossec/debian/pool/main/o/ossec-hids-agent/ossec-hids-agent_3.3.0.6515stretch_amd64.deb

dpkg -i ossec-hids-agent_3.3.0.6515stretch_amd64.deb

An agent also has to be registered on the server with /var/ossec/bin/manage_agents, the key that tool generates has to be imported on the agent with the same tool, and the agent’s ossec.conf needs the server’s address in <client><server-ip>…</server-ip></client>. Until the key is imported the server will not accept the agent’s messages.

Again let’s check the configuration file for OSSEC:

nano /var/ossec/etc/ossec.conf

Scroll down to reach the <syscheck> section.

Here you can define the directories checked by OSSEC’s file integrity monitoring and the scan interval (<frequency>, in seconds). We can also define directories and files to be ignored with <ignore> entries, which is worth doing for files that change constantly, such as /etc/mtab, so they do not drown real changes in noise.

To set OSSEC to report changes in real time instead of waiting for the next scheduled scan, edit the lines

<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>

to

<directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>

realtime="yes" relies on inotify, so it only works on Linux builds with inotify support. report_changes="yes" makes OSSEC keep a copy of each monitored file under /var/ossec/queue/diff so that the alert can show what changed; it is only meaningful for text files, and you should not enable it on directories holding secrets such as private keys, since that copies them into the OSSEC queue.

To add a new directory for OSSEC to check, add a line of the same form:

<directories report_changes="yes" realtime="yes" check_all="yes">/DIR1,/DIR2</directories>
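To make clear what the syscheck section actually does, here is an added illustration in Python of the same idea: baseline a directory tree by hashing its files, rescan it later, and report what was added, modified or deleted while honouring an ignore list. This is example code written for this article, not OSSEC’s own implementation; the sample tree, its contents and the ignore pattern are constructed here so the script runs offline in a temporary directory.

```python
"""File integrity check in the spirit of OSSEC's syscheck (illustration only,
not OSSEC code): hash a tree, rescan it and report the differences."""
import fnmatch
import hashlib
import os
import tempfile


def scan(root, ignore=()):
    """Walk `root` and return {relative_path: sha256} for every regular file
    whose relative path does not match one of the `ignore` glob patterns."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if any(fnmatch.fnmatch(rel, pat) for pat in ignore):
                continue  # same role as an <ignore> entry in the syscheck section
            if not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            baseline[rel] = h.hexdigest()
    return baseline


def diff(old, new):
    """Compare two scans and return added, deleted and modified paths, sorted."""
    added = sorted(p for p in new if p not in old)
    deleted = sorted(p for p in old if p not in new)
    modified = sorted(p for p in new if p in old and new[p] != old[p])
    return {"added": added, "deleted": deleted, "modified": modified}


def write(root, rel, text):
    """Helper for the constructed sample tree."""
    with open(os.path.join(root, rel), "w") as fh:
        fh.write(text)


def demo():
    """Build a throw-away tree, baseline it, tamper with it and rescan.
    All file names and contents below are constructed for the example."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        write(root, "etc/passwd", "root:x:0:0::/root:/bin/sh\n")
        write(root, "etc/mtab", "proc /proc proc rw 0 0\n")
        write(root, "bin/ls", "#!/bin/sh\nexec /usr/bin/ls\n")

        ignore = ("etc/mtab",)  # constructed ignore list: a noisy file
        before = scan(root, ignore)

        # Simulated tampering between two scans.
        write(root, "bin/ls", "#!/bin/sh\nexec /tmp/.hidden/ls\n")      # modified
        write(root, "etc/mtab", "changed\n")                             # ignored
        write(root, "etc/sudoers.d-backdoor", "ALL ALL=(ALL) NOPASSWD: ALL\n")  # added
        os.remove(os.path.join(root, "etc/passwd"))                       # deleted

        return diff(before, scan(root, ignore))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

The ignored file changes between the two scans but never appears in the report, which is exactly why noisy paths belong in <ignore> rather than in the monitored list; OSSEC additionally records owner, permissions and size, which this sketch leaves out.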

Close nano by pressing Ctrl+X and Y and type:

nano /var/ossec/rules/ossec_rules.xml

This file contains OSSEC’s core rules. Every rule carries a level from 0 to 15, and the level determines the system’s response: by default every alert of level 1 or higher is written to /var/ossec/logs/alerts/alerts.log (<log_alert_level>), but email is only sent for level 7 and above (<email_alert_level> in the <alerts> section of ossec.conf). So if a rule has a level lower than 7 and you want to be mailed when OSSEC identifies that event, either raise the rule’s level to 7 or higher or lower email_alert_level for everything. For example, if you want to be informed when a host gets unblocked by OSSEC’s Active Response, the rule involved is:

<rule id="602" level="3">
<if_sid>600</if_sid>
<action>firewall-drop.sh</action>
<status>delete</status>
<description>Host Unblocked by firewall-drop.sh Active Response</description>
<group>active_response,</group>
</rule>

To:

<rule id="602" level="7">
<if_sid>600</if_sid>
<action>firewall-drop.sh</action>
<status>delete</status>
<description>Host Unblocked by firewall-drop.sh Active Response</description>
<group>active_response,</group>
</rule>

Editing ossec_rules.xml directly is fragile, because that file is replaced when OSSEC is upgraded. The safer alternative is to leave it alone and add a rule with the same id and overwrite="yes" to /var/ossec/rules/local_rules.xml, which is loaded after the core rules and is kept across upgrades:

<rule id="602" level="7" overwrite="yes">
<if_sid>600</if_sid>
<action>firewall-drop.sh</action>
<status>delete</status>
<description>Host Unblocked by firewall-drop.sh Active Response</description>
<group>active_response,</group>
</rule>

Restart OSSEC afterwards (/var/ossec/bin/ossec-control restart) and check that the new level is applied by feeding a matching log line to /var/ossec/bin/ossec-logtest, which prints the rule id and level that a line would trigger.
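To show how the override interacts with the email threshold, here is an added example in Python, written for this article rather than taken from OSSEC, that loads rule fragments in the order OSSEC would (core rules first, local rules last), applies overwrite="yes", and lists which rule ids would be mailed at a given email_alert_level. The two XML fragments are constructed excerpts shaped like ossec_rules.xml and local_rules.xml and mirror rule 602 above; treating a repeated id without overwrite="yes" as an error is this script’s assumption about OSSEC’s duplicate-rule handling, not a verified reproduction of its exact behaviour.

```python
"""Resolve OSSEC-style rule levels across files (illustration only, not OSSEC's
parser): later files override earlier ones only when overwrite="yes"."""
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of /var/ossec/rules/ossec_rules.xml
CORE_RULES = """
<group name="syslog,active_response,">
  <rule id="600" level="0">
    <decoded_as>ar_log</decoded_as>
    <description>Active response messages grouped.</description>
  </rule>
  <rule id="601" level="3">
    <if_sid>600</if_sid>
    <action>firewall-drop.sh</action>
    <status>add</status>
    <description>Host Blocked by firewall-drop.sh Active Response</description>
  </rule>
  <rule id="602" level="3">
    <if_sid>600</if_sid>
    <action>firewall-drop.sh</action>
    <status>delete</status>
    <description>Host Unblocked by firewall-drop.sh Active Response</description>
  </rule>
</group>
"""

# Constructed excerpt in the shape of /var/ossec/rules/local_rules.xml
LOCAL_RULES = """
<group name="local,">
  <rule id="602" level="7" overwrite="yes">
    <if_sid>600</if_sid>
    <action>firewall-drop.sh</action>
    <status>delete</status>
    <description>Host Unblocked by firewall-drop.sh Active Response</description>
  </rule>
</group>
"""


def parse_rules(xml_text):
    """Yield the <rule> elements of one rules file in file order. A rules file
    may contain several top-level <group> elements, so wrap it in a synthetic
    root before parsing."""
    root = ET.fromstring("<root>" + xml_text + "</root>")
    return root.iter("rule")


def load_rules(*files):
    """Merge rule files in load order into {id: {"level": int, "description": str}}.
    Assumption for this example: a later definition of an id that lacks
    overwrite="yes" is rejected as a duplicate rule id."""
    rules = {}
    for text in files:
        for rule in parse_rules(text):
            rid = int(rule.get("id"))
            if rid in rules and rule.get("overwrite") != "yes":
                raise ValueError(f'duplicate rule id {rid} without overwrite="yes"')
            rules[rid] = {
                "level": int(rule.get("level")),
                "description": rule.findtext("description", "").strip(),
            }
    return rules


def mailed(rules, email_alert_level=7):
    """Ids whose alerts would be emailed under the given <email_alert_level>."""
    return sorted(rid for rid, r in rules.items() if r["level"] >= email_alert_level)


if __name__ == "__main__":
    before = load_rules(CORE_RULES)
    after = load_rules(CORE_RULES, LOCAL_RULES)
    print("mailed with core rules only:", mailed(before))        # []
    print("mailed after local override:", mailed(after))          # [602]
```

With only the core rules nothing in this excerpt reaches level 7, so an unblock would be logged but never mailed; once the local override is loaded, rule 602 crosses the threshold while rule 601 stays at level 3, which is the selective effect the overwrite attribute is meant to give without touching ossec_rules.xml.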

Now we have OSSEC installed and monitoring the local host; in a later tutorial we will learn more about OSSEC rules and configuration.

I hope you found this tutorial useful to get started with OSSEC, keep following LinuxHint.com for more tips and updates on Linux.
