November 2, 2007

With the increase in attacks, system breaches, and software exploits within the
enterprise, the integrity of systems is a concern. The problem is compounded by
tools that let an attacker delete the traces of an intrusion. HIDS (host-based
intrusion detection) is one popular technique for intrusion detection. Here we
look at the implementation of an open source HIDS called OSSEC-HIDS, which can
detect rootkits and perform file integrity checking, log analysis, and registry
monitoring.

On the feature front, this solution provides time-based alerts and active
response components. It supports both standalone and server-agent models on
Linux/Unix, but does not support standalone monitoring on a Windows machine,
because its server cannot be installed on Windows. After detecting an attack,
its active response component either automatically blocks the attacking machine
or executes a specified script or program. Its log analysis supports Apache,
IIS, Squid, Windows event logs, Snort, etc., and it automatically analyzes the
content of the log files. If an odd entry is detected, it immediately sends an
alert.

Direct Hit!
Applies To:
Network and security managers
USP: Monitoring machines with OSSEC
Primary Link:
Google Keywords: HIDS, OSSEC

OSSEC Architecture
The architecture of this solution is a simple server-agent architecture, as
shown in the figure below. The ossec-syscheckd daemon monitors files for changes
at both the server and the agent end; it also keeps track of each monitored
file's md5sum, date, file permissions, etc. The ossec-logcollector daemon on the
agent collects logs and passes them to ossec-agentd, which in turn passes the
logs as well as details of all events over encrypted traffic to ossec-remoted
running on the server. All events are then passed to ossec-analysisd, which
decodes and analyzes the logs and all other events. Active responses are
handled by ossec-execd and email alerts by ossec-maild, both running at the
server end.

OSSEC-HIDS uses seven daemons to
communicate between server and agent

To install the OSSEC server, download the ossec-hids-latest.tar.gz file from
the URL mentioned in the Direct Hit box. The server can only be installed on a
Linux/Unix machine. Extract the package with the following command:

tar -zxvf ossec-hids-latest.tar.gz

Now go to the directory where you extracted the package and execute the
installation script with the command:

# ./

The script will ask what kind of installation you want; type 'server' and
proceed. It will then ask whether you want email notifications; say 'yes' and
provide the email address. Next, choose the components you want to run: the
integrity check daemon, rootkit detection, and active response. To run all of
them, type 'Y' at each prompt. Once the installation is done, start OSSEC-HIDS
with the command below:

# /var/ossec/bin/ossec-control start

Once the OSSEC server has started, it automatically begins monitoring the
machine it is installed on. To monitor other servers and hosts on the network,
install agents on them. Installing an agent on Windows is simple: download the
.exe from OSSEC's website and run it.

After installation, provide the authentication key so that the server can
authenticate the agent. The authentication key is generated on the OSSEC server,
but before generating a key you have to add the agent to the server. To do this,
go to /var/ossec/bin on the machine that has the OSSEC server installed and run
./manage_agents. To add an agent, type 'A' and press Enter. Provide the name of
the agent, then its IP address, and lastly an ID for it. The script will ask
you to confirm the information you provided; press 'Y' to confirm. Once the
agent is added, type 'E' and press Enter to generate its key. You will now see
an agent menu listing all the agents you have added; type in the ID of the agent
for which you want the key and the key will be generated. Copy and paste this
key manually into the agent you installed earlier on the machine you want to
monitor. The agent will get automatically authenticated by the OSSEC

Before the agent monitors the host,
a specific key has to be generated on the server for authentication, which is
then manually entered on the agent

Configuring Web User Interface
OSSEC's WUI does not come integrated with the core package. You have to download
its WUI package using the ''
link. Download it, untar it, and move the extracted files to your Web server
directory, say /var/www/ossec-wui. Then go to the directory where you put the
extracted files and run the WUI setup script with the following command:


After this, you need to add the Web server user (usually apache or www) to the
ossec group. Then configure permissions for the tmp directory; the tmp
directory meant here is the one inside the WUI files you just moved, not the
system-wide /tmp. For this, run the commands written below:

# chmod 770 /tmp
# chgrp apache /tmp

and then restart Apache. Your WUI should now be accessible at http://<localhost>/ossec-wui/.

Configuring rules for Windows monitoring
After installing an agent on Windows, you can also customize the rules for
monitoring. These rules are configured on the OSSEC server; once the server is
updated, it pushes the configured rules to the agent. By default the Windows
policy monitoring files are in the /var/ossec/etc/shared directory, where you
will find three files: win_applications_rcl.txt, win_audit_rcl.txt and
win_malware_rcl.txt. In win_applications_rcl.txt you will find the default
rules for detecting applications such as Yahoo, Skype, Limewire, AOL, and
Kazaa. You can also add new application rules to this file; for example, you
can create a rule for detecting gtalk and generating alerts. For this, open the
file with vi and add the following lines (each file check is prefixed with f:
and each registry check with r:, as in the shipped entries):

[Chat/IM – gtalk] [any] []
f:C:\Program Files\Google\Google Talk\googletalk.exe;
f:C:\Documents and Settings\All Users\Start Menu\Programs\Skype;
r:HKEY_CURRENT_USER\Software\Google\Google Talk;

Using OSSEC's Web interface you
can view detailed statistics of events and alerts from anywhere
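To make the [any]/[all] semantics of such an rcl entry concrete, here is a small re-implementation of that evaluation logic (added for this article, not OSSEC's own code) run over a constructed rcl text and a constructed host inventory; the second entry, its paths and registry key are invented for illustration, and only f: and r: checks are modelled.

```python
import re

# Constructed sample in the win_applications_rcl.txt format: a header line
# "[name] [any|all] [reference]" followed by f: (file) and r: (registry) checks.
# The "P2P - example" entry is invented to show [all]; it is not a shipped rule.
SAMPLE_RCL = r"""
# comment lines and blank lines are ignored
[Chat/IM - gtalk] [any] []
f:C:\Program Files\Google\Google Talk\googletalk.exe;
r:HKEY_CURRENT_USER\Software\Google\Google Talk;

[P2P - example] [all] []
f:C:\Program Files\Example P2P\example.exe;
r:HKEY_LOCAL_MACHINE\Software\Example P2P;
"""

HEADER = re.compile(r"^\[(.+?)\]\s*\[(any|all)\]\s*\[(.*?)\]$")

def parse_rcl(text):
    """Return a list of (name, mode, checks); checks are (kind, target) tuples."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER.match(line)
        if m:
            current = (m.group(1), m.group(2), [])
            rules.append(current)
            continue
        if current is None or len(line) < 3 or line[1] != ":":
            raise ValueError("malformed rcl line: %r" % raw)
        kind, target = line[0], line[2:].rstrip(";")
        current[2].append((kind, target))
    return rules

def evaluate(rules, files, registry_keys):
    """Names of entries that fire: [any] needs one hit, [all] needs every check to hit."""
    files = {f.lower() for f in files}          # Windows paths compare case-insensitively
    keys = {k.lower() for k in registry_keys}
    fired = []
    for name, mode, checks in rules:
        results = []
        for kind, target in checks:
            lookup = files if kind == "f" else keys if kind == "r" else set()  # d:/p: not modelled
            results.append(target.lower() in lookup)
        if results and (any(results) if mode == "any" else all(results)):
            fired.append(name)
    return fired
```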

To receive an alert for any application listed in the win_applications_rcl.txt
file, open local_rules.xml and add the following rule inside the existing
<group> element of that file:

<rule id="514" level="2" overwrite="yes">
<match>^Application Found</match>
<description>Windows application monitor event.</description>
</rule>

OSSEC also creates an entry in the /var/ossec/queue/rootcheck directory
whenever it detects an application it has been configured to detect. You can
view details of all events through its WebUI, where you can also see detailed
statistics for each server over a particular time period.
