Setup OSSIM With Linux and Windows OSSEC Agents


This is a very basic tutorial on how to install both Linux-based and Windows-based OSSEC agents and have those agents communicate with OSSIM.

This DOES NOT include active response.  I will discuss active response and walk you through the OSSEC configuration with active response in a later video.

Please be gentle… this is my first video tutorial.  If you have any suggestions on how I can improve my tutorials, please send them my way.  Any help would be much appreciated.  [Looking for a good tool for screen recording.]

The following notes supplement the video:

1. Connect to your OSSIM box and “Jailbreak this Appliance” to get a shell.

Jailbreak OSSIM

2. Add agents (/var/ossec/bin/manage_agents)

Add OSSEC Agents To OSSIM

3. Connect to your Linux (CentOS) box and add the necessary repositories (epel, remi, atomic)

wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm
wget -q -O - http://www.atomicorp.com/installers/atomic | sh

4. Install the OSSEC Agent

yum install ossec-hids-client

5. Configure OSSEC agent (/var/ossec/bin/ossec-configure)

Configure Linux OSSEC Agent

6. Add the server IP to the conf file (/var/ossec/etc/ossec.conf)

Add Server IP To OSSEC Conf File

7. Import the agent key.

[Extract the key from OSSIM]

Extract OSSEC Agent Keys

[Import the key into the agent]

Import Linux OSSEC Agent Key

8. Start OSSEC (/var/ossec/bin)

./ossec-control start
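Steps 6 and 7 are the two places where a typo silently breaks the agent: a wrong server IP means the agent never reaches OSSIM, and a key exported for a different agent entry or IP is rejected by the server. The helpers below are an added example, not code from the tutorial or from the OSSEC project: one sets and reads back the <server-ip> element in an agent's ossec.conf, and the other decodes the key string that manage_agents "Extract key" produces (it is the base64 encoding of one client.keys line, "id name ip secret") so you can confirm the agent ID, name and IP before importing it. The conf file, key and addresses used in the demo are constructed for this example; on a real agent the conf is /var/ossec/etc/ossec.conf.

```shell
#!/bin/sh
# Added example (not from the original tutorial): helpers for step 6 (set the
# OSSIM server IP in the agent's ossec.conf) and step 7 (inspect the key that
# manage_agents exported) before starting the agent. Paths and sample values
# in the demo section are constructed; the real conf is /var/ossec/etc/ossec.conf.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the <server-ip> currently configured in an agent ossec.conf ($1).
get_ossec_server_ip() {
    sed -n 's|.*<server-ip>\([^<]*\)</server-ip>.*|\1|p' "$1" | head -n 1
}

# Replace the <server-ip> in conf $1 with the OSSIM address $2. Refuses bad
# addresses and files without a <server-ip> element, so a typo is caught
# before ./ossec-control start instead of showing up as a "Disconnected" agent.
set_ossec_server_ip() {
    conf=$1; ip=$2
    is_ipv4 "$ip" || { echo "set_ossec_server_ip: invalid IPv4 address '$ip'" >&2; return 1; }
    grep -q '<server-ip>' "$conf" || { echo "set_ossec_server_ip: no <server-ip> element in $conf" >&2; return 1; }
    sed -i "s|<server-ip>[^<]*</server-ip>|<server-ip>$ip</server-ip>|" "$conf"
}

# The key manage_agents exports is the base64 of one client.keys line:
#   "<id> <name> <ip> <secret>"
# Decode it and print "id name ip" (never the secret) so you can confirm which
# agent entry you are about to import. Returns 1 for anything that does not
# decode to exactly four fields.
decode_agent_key() {
    line=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    set -- $line
    [ "$#" -eq 4 ] || return 1
    printf '%s %s %s\n' "$1" "$2" "$3"
}

# Return 0 if the exported key $1 was issued for this host's address ($2) or
# for "any". OSSEC's server checks the agent's source IP against the key, so
# a key registered under the wrong IP is rejected even though it imports fine.
check_agent_key() {
    fields=$(decode_agent_key "$1") || return 1
    key_ip=$(printf '%s\n' "$fields" | cut -d' ' -f3)
    [ "$key_ip" = "any" ] || [ "$key_ip" = "$2" ]
}

# --- demo with constructed input (not a real deployment) ---
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
<ossec_config>
  <client>
    <server-ip>192.168.2.1</server-ip>
  </client>
</ossec_config>
EOF
set_ossec_server_ip "$demo_conf" 192.168.1.10
echo "server-ip now: $(get_ossec_server_ip "$demo_conf")"

# Constructed key, encoded the same way manage_agents "Extract key" does.
demo_key=$(printf '%s' "001 centos-agent 192.168.1.50 0123456789abcdef0123456789abcdef" | base64 | tr -d '\n')
echo "key is for: $(decode_agent_key "$demo_key")"
if check_agent_key "$demo_key" 192.168.1.50; then
    echo "key matches this host, safe to import"
fi
rm -f "$demo_conf"
```

Run decode_agent_key on the string you copied out of manage_agents before pasting it into the agent: if the ID or name is not the one you just created, you have the wrong key, and if the IP is neither "any" nor the agent's address the server will drop the agent's messages after import.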

9. On your Windows box, install the agent (http://www.ossec.net)

Install OSSEC Windows Agent

10. Import the key for the Windows Agent

Import Windows OSSEC Agent Key

11. Start OSSEC

Start OSSEC Agent Windows

12. Check for connectivity

Check OSSEC Connectivity in OSSIM

Troubleshooting

Connectivity Issues

Connectivity issues are not uncommon.  If you are using CentOS, create the appropriate iptables rule(s) to allow traffic between the agent and OSSIM: OSSEC agents talk to the server on UDP port 1514.  The same applies to the Windows firewall.  If you need help with the rule, feel free to contact me, but then again… I don’t think you would be here…

Duplicated directory warning

This problem is not uncommon and is something that I have encountered a few times (If you watched the video, you will see that I was blessed with this issue while recording).  It is quite easy to overcome.  All you have to do is remove the agent from OSSIM, recreate the agent within OSSIM, and then import the new key on your Linux OSSEC agent.


What’s Next?

Like I said, this tutorial is extremely basic, and I wouldn’t recommend putting OSSEC or OSSIM into a production environment without properly testing the software and learning it thoroughly.  Both tools have great communities and there are some great books out there on Intrusion Detection Systems and NSM that you may want to explore first.

The next videos coming up will include configuring OSSEC with active response, and configuring Snort with OSSIM (I will also be using pfSense in that video).

1 Comment

  1. SACHIN DEV V says:

    Hey James, that was a good tutorial on OSSIM. I had installed OSSEC agents in the test environment (Windows XP and 7) from the web interface without jailbreaking. Is it possible to proceed further? My intention is to create a hierarchical, multiple-layer security setup by including (HIDS -> NIDS -> Log management). So I thought to deploy OSSEC agents for HIDS and Snort for NIDS. Please help!!
