[[ossec]]
Trace:
Show page
AdminRecent ChangesSitemap

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
ossec [2014/06/03 23:23]
a 		ossec [2014/07/24 20:55] (current)
a [Installation]
Line 1: Line 1:
 {{http://www.ossec.net/wp-content/uploads/2012/06/ossec-hids.png|}} ====== OSSEC Tips & Tricks ====== {{http://www.ossec.net/wp-content/uploads/2012/06/ossec-hids.png|}} ====== OSSEC Tips & Tricks ======
 **[[http://www.ossec.net/|OSSEC]]** is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. **[[http://www.ossec.net/|OSSEC]]** is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
 +
 +===== Installation =====
 +
 +==== Database support ====
 +
 +Enable database support:
 +
 +<code>
 +cd src
 +make setdb
 +Error: PostgreSQL client libraries not installed.
 +
 +Info: Compiled with MySQL support.
 +</code>
 +
 +then ran ./install.sh
 +===== GNU/Debian (Ubuntu)=====
 +See: [[http://www.ossec.net/?page_id=19|OSSEC Download]]
 +
 +<code>
 +    # wget -O - http://ossec.alienvault.com/repos/apt/conf/ossec-key.gpg.key | apt-key add -
 +    # echo "deb http://ossec.alienvault.com/repos/apt/debian wheezy main" >> /etc/apt/sources.list  
 +      (change wheezy for your Debian distribution)
 +    # apt-get update
 +    # apt-get install ossec-hids  (or ossec-hids-agent)
 +</code>
 +
 +**change "wheezy" to "jessie" to use with Ubuntu LTS 12.04 (14.04)**
 +
 +
 +===== Ansible deploy =====
 +
 +FIXME
 +
 +===== Windows (Agent) =====
 +
 +FIXME
 +
 +===== Configuration =====
 +
 +==== Add new agent ====
 +
 +=== Server side ===
 +<note important>Make sure you have port **1514/udp** (default) open for agents</note>
 +
 +   # ./manage_agents 
 +
 +'''(A)dd new Agent''' and copy agent key from '''(E)xtract key for an agent'''
 +
 +<code>
 +****************************************
 +* OSSEC HIDS v2.7.1 Agent manager.     *
 +* The following options are available: *
 +****************************************
 +   (A)dd an agent (A).
 +   (E)xtract key for an agent (E).
 +   (L)ist already added agents (L).
 +   (R)emove an agent (R).
 +   (Q)uit.
 +Choose your action: A,E,L,R or Q: 
 +</code>
 +
 +=== Agent side ===
 +
 +   ./manage_agents 
 +
 +paste agent key into '''(I)mport key from the server'''
 +<code>
 +****************************************
 +* OSSEC HIDS v2.8 Agent manager.     *
 +* The following options are available: *
 +****************************************
 +   (I)mport key from the server (I).
 +   (Q)uit.
 +Choose your action: I or Q: 
 +</code>
 +
 +
 +
 +
 +==== Local/master configuration (Debian) ====
 +
 +<code |/var/ossec/etc/ossec.conf>
 +<ossec_config>
 +  <global>
 +    <email_notification>yes</email_notification>
 +    <email_to>root@xxxx</email_to>
 +    <smtp_server>YOUR-SMTP-SERVER</smtp_server>
 +    <email_from>MAILFROM-EMAIL</email_from>
 +
 +    # List of IP addresses that should never be blocked by the 
 +    # active response (one per element). This option is only valid in server and local installs.
 +    <white_list>127.0.0.1</white_list>
 +    
 +    # If set, “X-IDS-OSSEC: ” will be added to the email headers with the specified value.
 +    <email_idsname>OSSEC</email_idsname>
 +  </global>
 +
 +  <rules>
 +    <include>rules_config.xml</include>
 +    <include>pam_rules.xml</include>
 +    <include>sshd_rules.xml</include>
 +    <include>telnetd_rules.xml</include>
 +    <include>syslog_rules.xml</include>
 +    <include>arpwatch_rules.xml</include>
 +    <include>symantec-av_rules.xml</include>
 +    <include>symantec-ws_rules.xml</include>
 +    <include>pix_rules.xml</include>
 +    <include>named_rules.xml</include>
 +    <include>smbd_rules.xml</include>
 +    <include>vsftpd_rules.xml</include>
 +    <include>pure-ftpd_rules.xml</include>
 +    <include>proftpd_rules.xml</include>
 +    <include>ms_ftpd_rules.xml</include>
 +    <include>ftpd_rules.xml</include>
 +    <include>hordeimp_rules.xml</include>
 +    <include>roundcube_rules.xml</include>
 +    <include>wordpress_rules.xml</include>
 +    <include>cimserver_rules.xml</include>
 +    <include>vpopmail_rules.xml</include>
 +    <include>vmpop3d_rules.xml</include>
 +    <include>courier_rules.xml</include>
 +    <include>web_rules.xml</include>
 +    <include>web_appsec_rules.xml</include>
 +    <include>apache_rules.xml</include>
 +    <include>nginx_rules.xml</include>
 +    <include>php_rules.xml</include>
 +    <include>mysql_rules.xml</include>
 +    <include>postgresql_rules.xml</include>
 +    <include>ids_rules.xml</include>
 +    <include>squid_rules.xml</include>
 +    <include>firewall_rules.xml</include>
 +    <include>cisco-ios_rules.xml</include>
 +    <include>netscreenfw_rules.xml</include>
 +    <include>sonicwall_rules.xml</include>
 +    <include>postfix_rules.xml</include>
 +    <include>sendmail_rules.xml</include>
 +    <include>imapd_rules.xml</include>
 +    <include>mailscanner_rules.xml</include>
 +    <include>dovecot_rules.xml</include>
 +    <include>ms-exchange_rules.xml</include>
 +    <include>racoon_rules.xml</include>
 +    <include>vpn_concentrator_rules.xml</include>
 +    <include>spamd_rules.xml</include>
 +    <include>msauth_rules.xml</include>
 +    <include>mcafee_av_rules.xml</include>
 +    <include>trend-osce_rules.xml</include>
 +    <include>ms-se_rules.xml</include>
 +    <!-- <include>policy_rules.xml</include> -->
 +    <include>zeus_rules.xml</include>
 +    <include>solaris_bsm_rules.xml</include>
 +    <include>vmware_rules.xml</include>
 +    <include>ms_dhcp_rules.xml</include>
 +    <include>asterisk_rules.xml</include>
 +    <include>ossec_rules.xml</include>
 +    <include>attack_rules.xml</include>
 +    <include>openbsd_rules.xml</include>
 +    <include>clam_av_rules.xml</include>
 +    <include>bro-ids_rules.xml</include>
 +    <include>dropbear_rules.xml</include>
 +    <include>local_rules.xml</include>
 +  </rules>  
 +
 +  <syscheck>
 +    <!-- Frequency that syscheck is executed - default to every 22 hours -->
 +    <frequency>79200</frequency>
 +    
 +    <!-- Directories to check  (perform all possible verifications) -->
 +    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
 +    <directories check_all="yes">/bin,/sbin</directories>
 +
 +    <!-- Files/directories to ignore -->
 +    <ignore>/etc/mtab</ignore>
 +    <ignore>/etc/mnttab</ignore>
 +    <ignore>/etc/hosts.deny</ignore>
 +    <ignore>/etc/mail/statistics</ignore>
 +    <ignore>/etc/random-seed</ignore>
 +    <ignore>/etc/adjtime</ignore>
 +    <ignore>/etc/httpd/logs</ignore>
 +    <ignore>/etc/utmpx</ignore>
 +    <ignore>/etc/wtmpx</ignore>
 +    <ignore>/etc/cups/certs</ignore>
 +    <ignore>/etc/dumpdates</ignore>
 +    <ignore>/etc/svc/volatile</ignore>
 +
 +    <!-- Windows files to ignore -->
 +    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
 +    <ignore>C:\WINDOWS/Debug</ignore>
 +    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
 +    <ignore>C:\WINDOWS/iis6.log</ignore>
 +    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
 +    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
 +    <ignore>C:\WINDOWS/Prefetch</ignore>
 +    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
 +    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
 +    <ignore>C:\WINDOWS/Temp</ignore>
 +    <ignore>C:\WINDOWS/system32/config</ignore>
 +    <ignore>C:\WINDOWS/system32/spool</ignore>
 +    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
 +  </syscheck>
 +
 +  <rootcheck>
 +    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
 +    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
 +    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
 +    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
 +    <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
 +    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
 +  </rootcheck>
 +  
 +  #<syslog_output>
 +  #  <server>10.0.0.1</server>
 +  #  <port>514</port>
 +  #
 +  #   Format of alert output. The default format is “default”, or full syslog output.
 +  #   CEF is the ArcSight Common Event Format.
 +  #   json can be used with a variety of tools.
 +  #   The splunk option is for sending data to a Splunk server.
 +  #   Allowed default, cef, splunk, json
 +  #  <format>default</format>
 +  #</syslog_output>
 +
 +  <active-response>
 +    <disabled>yes</disabled>
 +  </active-response>
 +
 +
 +  <alerts>
 +    <log_alert_level>1</log_alert_level>
 +    <email_alert_level>7</email_alert_level>
 +  </alerts>
 +  
 +  <!-- Files to monitor (localfiles) -->
 +  <localfile>
 +    <log_format>syslog</log_format>
 +    <location>/var/log/auth.log</location>
 +  </localfile>
 +
 +  <localfile>
 +    <log_format>syslog</log_format>
 +    <location>/var/log/syslog</location>
 +  </localfile>
 +
 +  <localfile>
 +    <log_format>syslog</log_format>
 +    <location>/var/log/dpkg.log</location>
 +  </localfile>
 +
 +  <localfile>
 +    <log_format>apache</log_format>
 +    <location>/var/log/apache2/error.log</location>
 +  </localfile>
 +
 +  <localfile>
 +    <log_format>apache</log_format>
 +    <location>/var/log/apache2/access.log</location>
 +  </localfile>
 +
 +  <localfile>
 +    <log_format>command</log_format>
 +    <command>df -h</command>
 +  </localfile>
 +
 +  <localfile>
 +    <log_format>full_command</log_format>
 +    <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
 +  </localfile>
 +
 +  <localfile>
 +    <log_format>full_command</log_format>
 +    <command>last -n 5</command>
 +  </localfile>
 +</ossec_config>
 +</code>
 +
 +
 +==== Agent configuration (Debian) ====
 +<code |/var/ossec/etc/ossec.conf>
 +<ossec_config>
 +  <client>
 +    <server-ip>SERVER-IP</server-ip>
 +  </client>
 +
 +  <syscheck>
 +    <!-- Frequency that syscheck is executed - default to every 22 hours -->
 +    <frequency>79200</frequency>
 +    
 +    <!-- Directories to check  (perform all possible verifications) -->
 +    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
 +    <directories check_all="yes">/bin,/sbin</directories>
 +
 +    <!-- Files/directories to ignore -->
 +    <ignore>/etc/mtab</ignore>
 +    <ignore>/etc/mnttab</ignore>
 +    <ignore>/etc/hosts.deny</ignore>
 +    <ignore>/etc/mail/statistics</ignore>
 +    <ignore>/etc/random-seed</ignore>
 +    <ignore>/etc/adjtime</ignore>
 +    <ignore>/etc/httpd/logs</ignore>
 +    <ignore>/etc/utmpx</ignore>
 +    <ignore>/etc/wtmpx</ignore>
 +    <ignore>/etc/cups/certs</ignore>
 +    <ignore>/etc/dumpdates</ignore>
 +    <ignore>/etc/svc/volatile</ignore>
 +
 +    <!-- Windows files to ignore -->
 +    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
 +    <ignore>C:\WINDOWS/Debug</ignore>
 +    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
 +    <ignore>C:\WINDOWS/iis6.log</ignore>
 +    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
 +    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
 +    <ignore>C:\WINDOWS/Prefetch</ignore>
 +    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
 +    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
 +    <ignore>C:\WINDOWS/Temp</ignore>
 +    <ignore>C:\WINDOWS/system32/config</ignore>
 +    <ignore>C:\WINDOWS/system32/spool</ignore>
 +    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
 +  </syscheck>
 +
 +  <rootcheck>
 +    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
 +    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
 +    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
 +    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
 +    <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
 +    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
 +  </rootcheck>
 +  <!-- Files to monitor (localfiles) -->
 +
 +  <localfile>
 +    <log_format>syslog</log_format>
 +    <location>/var/log/messages</location>
 +  </localfile>
 +
 +  <localfile>
 +    <log_format>syslog</log_format>
 +    <location>/var/log/auth.log</location>
 +  </localfile>
 +
 +  <localfile>
 +    <log_format>syslog</log_format>
 +    <location>/var/log/syslog</location>
 +  </localfile>
 +
 +  <localfile>
 +    <log_format>syslog</log_format>
 +    <location>/var/log/mail.info</location>
 +  </localfile>
 +
 +  <localfile>
 +    <log_format>syslog</log_format>
 +    <location>/var/log/dpkg.log</location>
 +  </localfile>
 +
 +  <localfile>
 +    <log_format>command</log_format>
 +    <command>df -h</command>
 +  </localfile>
 +
 +  <localfile>
 +    <log_format>full_command</log_format>
 +    <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
 +  </localfile>
 +
 +  <localfile>
 +    <log_format>full_command</log_format>
 +    <command>last -n 5</command>
 +  </localfile>
 +</ossec_config>
 +</code>
 +
 +
 +
 +
  
  
ossec.1401830580.txt.gz · Last modified: 2014/06/03 23:23 by a
Show pageOld revisions
Media ManagerBack to top
CC Attribution-Share Alike 4.0 International
Driven by DokuWiki Recent changes RSS feed Valid CSS Valid XHTML 1.0 ipv6 ready