This DOES NOT include active response. I will discuss active response and walk you through the OSSEC configuration with active response in a later video.
Please be gentle… this is my first video tutorial. If you have any suggestions on how I can improve my tutorials, please send them my way. Any help would be much appreciated. [Looking for a good tool for screen recording.]
The following information is to be supplemented with the video:
1. Connect to your OSSIM box and “Jailbreak this Appliance” to get a shell.
2. Add agents (/var/ossec/bin/manage_agents)
3. Connect to your Linux (CentOS) box and add the necessary repositories (epel, remi, atomic)
rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm
wget -q -O - http://www.atomicorp.com/installers/atomic | sh
4. Install the OSSEC Agent
yum install ossec-hids-client
5. Configure OSSEC agent (/var/ossec/bin/ossec-configure)
6. Add the server IP to the conf file (/var/ossec/etc/ossec.conf)
7. Import the agent key.
[Extract the key from OSSIM]
[Import the key into the agent]
8. Start OSSEC (/var/ossec/bin)
9. On your Windows box, install the agent (http://www.ossec.net)
10. Import the key for the Windows Agent
11. Start OSSEC
12. Check for connectivity
Connectivity issues are not uncommon. If you are using CentOS, create the appropriate iptables rule(s) to allow traffic between the agent and OSSIM. OSSEC uses UDP port 1514. The same applies to Windows. If you need help with the rule, feel free to contact me, but then again… I don’t think you would be here…
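The connectivity check in step 12 and the firewall note above, as an added POSIX-sh helper for the CentOS agent; this is not code from the tutorial or from the OSSEC project. It assumes the OSSEC 2.x agent log phrases quoted in its comments (verify them against your own /var/ossec/logs/ossec.log), it writes the constructed sample log lines it tests against itself, and it only prints the iptables rules rather than applying them. The "Duplicated counter" pattern is my assumption of the agent-side symptom of a key that no longer matches the server's copy; it may not be the exact message the author saw.

```shell
#!/bin/sh
# Added example (not from the original tutorial): helper for step 12,
# "Check for connectivity", on the CentOS OSSEC agent.
#
# Assumptions (verify against your own /var/ossec/logs/ossec.log):
#   - the OSSEC 2.x agent logs "Connected to the server (...)" once the
#     handshake succeeds and "Waiting for server reply (not started)"
#     while the server cannot be reached;
#   - "Duplicated counter" shows up when the agent key no longer matches
#     what the server holds (the remove / re-add / re-import fix applies).

# Print the agent's most recent connection state as a single word.
agent_state() {
    log="${1:-/var/ossec/logs/ossec.log}"
    [ -r "$log" ] || { echo "NO_LOG"; return 1; }
    # Only the newest matching line matters: earlier WAITING lines are
    # normal while the agent is still starting up.
    last=$(grep -E 'Connected to the server|Duplicated counter|Waiting for server reply' "$log" | tail -n 1)
    case "$last" in
        *"Connected to the server"*)  echo "CONNECTED" ;;
        *"Duplicated counter"*)       echo "DUPLICATE_COUNTER" ;;
        *"Waiting for server reply"*) echo "WAITING" ;;
        *)                            echo "UNKNOWN" ;;
    esac
}

# Print (do not run) the iptables rule for one side of the UDP 1514 path.
# "server": accept agent datagrams to port 1514 on the OSSIM box.
# "agent":  accept the server's replies, which come from source port 1514.
firewall_rule() {
    side="$1"; peer="$2"
    case "$side" in
        server) echo "iptables -I INPUT -p udp -s $peer --dport 1514 -j ACCEPT" ;;
        agent)  echo "iptables -I INPUT -p udp -s $peer --sport 1514 -j ACCEPT" ;;
        *)      echo "usage: firewall_rule server|agent <peer-ip>" >&2; return 1 ;;
    esac
}

# Write a constructed sample log for the named scenario and print its path.
# The lines below are made up for this example; 192.0.2.10 is a placeholder
# server address.
make_sample_log() {
    scenario="$1"
    f="${TMPDIR:-/tmp}/ossec-sample-$scenario.log"
    case "$scenario" in
        connected)
            cat > "$f" <<'EOF'
2013/05/01 10:00:01 ossec-agentd: WARN: Waiting for server reply (not started). Tried: '192.0.2.10'.
2013/05/01 10:00:35 ossec-agentd: INFO: Connected to the server (192.0.2.10:1514).
EOF
            ;;
        duplicate)
            cat > "$f" <<'EOF'
2013/05/01 10:05:00 ossec-agentd: INFO: Connected to the server (192.0.2.10:1514).
2013/05/01 10:05:02 ossec-agentd: ERROR: Duplicated counter for 'centos-agent'.
EOF
            ;;
        waiting)
            cat > "$f" <<'EOF'
2013/05/01 10:10:00 ossec-agentd: WARN: Waiting for server reply (not started). Tried: '192.0.2.10'.
EOF
            ;;
    esac
    echo "$f"
}

# Stand-alone run: "sh check-agent.sh --demo" reports the live agent log
# (if present), the three constructed cases, and the agent-side rule.
if [ "${1:-}" = "--demo" ]; then
    agent_state || true
    for s in connected duplicate waiting; do
        printf '%s: %s\n' "$s" "$(agent_state "$(make_sample_log "$s")")"
    done
    firewall_rule agent 192.0.2.10
fi
```

If the state stays WAITING after the agent has been up for a minute, apply the printed rule on the side that is blocking, restart the agent, and re-run the check; DUPLICATE_COUNTER points at the key problem handled in the next section.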
Duplicated directory warning
This problem is not uncommon and is something that I have encountered a few times (If you watched the video, you will see that I was blessed with this issue while recording). It is quite easy to overcome. All you have to do is remove the agent from OSSIM, recreate the agent within OSSIM, and then import the new key on your Linux OSSEC agent.
Like I said, this tutorial is extremely basic, and I wouldn’t recommend putting OSSEC or OSSIM into a production environment without properly testing the software and learning it thoroughly. Both tools have great communities and there are some great books out there on Intrusion Detection Systems and NSM that you may want to explore first.