
Host Intrusion Detection with OSSEC

PCQ Bureau

With an increase in the number of attacks, system breaches, and software exploits within an enterprise, the integrity of systems is a concern. The problem is further compounded by tools that can delete the traces an attacker leaves behind. HIDS (host-based intrusion detection) is one popular technique used for intrusion detection. Here we look at the implementation of an open source HIDS called OSSEC-HIDS, which can detect rootkits and perform file integrity checking, log analysis, and registry monitoring.


On the feature front, this solution provides time-based alerts and active response components. It supports both standalone and server-agent models on Linux/Unix, but doesn't support standalone monitoring on a Windows machine, because its server cannot be installed on Windows. After detecting an attack, its active response component either automatically blocks the attacking machine or executes a specified script/program. Its log analysis supports Apache, IIS, Squid, Windows event logs, Snort etc., and it automatically analyzes the content of the log files. If an odd entry is detected, it immediately sends an alert.

Direct Hit!
Applies To: Network and security managers
USP: Monitoring machines with OSSEC
Primary Link: www.ossec.net
Google Keywords: HIDS, OSSEC

OSSEC Architecture

The architecture of this solution is a simple server-agent architecture, as shown in the figure below. It uses the ossec-syscheckd daemon to monitor files for changes at both the server and the agent end. ossec-syscheckd also keeps track of each monitored file's md5sum, date, file permissions etc. The ossec-logcollector daemon on the agent collects logs and passes them to ossec-agentd, which in turn passes the logs, as well as details of all events, through encrypted traffic to ossec-remoted running on the server. All events are then passed to ossec-analysisd, which decodes and analyzes the logs and all other events. All active responses are handled by ossec-execd and email alerts by ossec-maild, both running at the server end.

OSSEC-HIDS uses seven daemons to communicate between server and agent

Installation

To install the OSSEC server, download the ossec-hids-latest.tar.gz file from the URL mentioned in the Direct Hit box. It can only be installed on a Linux/Unix machine. Now untar and unzip the package using the following command:


tar -zxvf ossec-hids-latest.tar.gz

Now go to the location where you extracted the package and execute the installation script with the command:

# ./install.sh


The script will now ask what kind of installation you want; type 'server' and proceed. It will then ask if you want email notifications. Say 'yes' and provide the email address. Next, choose the components that you want to run: the integrity check daemon, rootkit detection, and active response. To run all of them, type 'Y'. Once the installation is done, start OSSEC-HIDS with the command below:

# /var/ossec/bin/ossec-control start


Once the OSSEC server is started, it will automatically start monitoring your server. To monitor other servers and hosts in the network, install agents on them. Installing agents on Windows is simple: just download the .exe from OSSEC's website and run it.

After installation, provide the authentication key to get the agent authenticated by the server. The authentication key is generated at the OSSEC server, but before generating a key you have to add the agent to it. To do this, go to /var/ossec/bin on the machine that has the OSSEC server installed and run the ./manage_agents command. To add an agent, type 'A' and press Enter. Provide the name of the agent, then its IP address and lastly an ID for it. The script will now ask you to confirm the information you provided; press 'Y' to confirm. Once the agent is added, generate the key for it by typing 'E' and pressing Enter. You will now see an agent menu listing all the agents you have added. Type in the ID of the agent for which you want to generate the key and the key will be generated. Copy and paste this key manually into the agent that you earlier installed on the machine you want to monitor. The agent will then be authenticated automatically by the OSSEC server.

Before an agent monitors the host, a specific key is generated on the server for authentication, which is then manually entered on the agent

Configuring Web User Interface

OSSEC's WUI does not come integrated with the core package. You have to download its WUI package from the 'http://www.ossec.net/files/ui/ossec-wui-0.2.tar.gz' link. Download it, untar it, and move the extracted files to your Web server directory, say /var/www/ossec-wui. Now go to the location where you have kept the extracted files and start the WUI setup script by running the following command:

./setup.sh

After this, you need to add the Web server user (usually apache or www) to the ossec group. Then configure permissions for the tmp directory; for this, run the commands written below:

# chmod 770 /tmp
# chgrp apache /tmp

Then restart Apache. Your WUI should now be accessible at http://<your server>/ossec-wui/.

Configuring rules for Windows monitoring

After installing an agent on Windows, you can also customize the rules for monitoring. These rules are configured on the OSSEC server; once the server is updated, it pushes the configured rules to the agent. By default, the Windows policy monitoring files are present in the /var/ossec/etc/shared directory. There you will find three files: win_applications_rcl.txt, win_audit_rcl.txt and win_malware_rcl.txt. In win_applications_rcl.txt you will find the default rules for detecting applications such as Yahoo, Skype, Limewire, AOL, and Kazaa. You can also add new application rules to this file. For example, you can create rules for detecting Google Talk (gtalk) and generate alerts. For this, open the file with vi and add the following lines:

Using OSSEC's Web interface you can view detailed statistics of events and alerts from anywhere



# Entry header required by the rcl format: [name] [condition] [reference]
# f: = file or directory path, r: = registry key, p:r: = process name regex
[Google Talk] [any] []
f:C:\Program Files\Google\Google Talk\googletalk.exe;
f:C:\Documents and Settings\All Users\Start Menu\Programs\Skype;
r:HKLM\SOFTWARE\Skype;
r:HKEY_CURRENT_USER\Software\Google\Google Talk;
p:r:googletalk.exe;
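
To show how entries in this rcl syntax are interpreted, here is an added Python example (not part of the original article or of OSSEC itself) that parses entries with a "[name] [condition] [reference]" header and evaluates them against a host snapshot; the sample rcl text, the HOST dictionary and the parse_rcl/evaluate functions are constructed for this illustration, and only the f:, r: and p:r: check forms shown on this page are supported.

```python
import re
# Constructed sample in the syntax of win_applications_rcl.txt: a "[name] [condition]
# [reference]" header, then f: (file), r: (registry) and p:r: (process regex) checks.
SAMPLE_RCL = r"""
# Google Talk
[Google Talk] [any] []
f:C:\Program Files\Google\Google Talk\googletalk.exe;
r:HKEY_CURRENT_USER\Software\Google\Google Talk;
p:r:googletalk.exe;
[Kazaa] [all] []
f:C:\Program Files\Kazaa\kazaa.exe;
r:HKLM\SOFTWARE\Kazaa;
"""

# Constructed host snapshot standing in for what the agent would collect.
HOST = {"files": {r"C:\Program Files\Google\Google Talk\googletalk.exe"},
        "registry": {r"HKLM\SOFTWARE\Kazaa"},
        "processes": ["explorer.exe", "GoogleTalk.exe"]}
HEADER = re.compile(r"^\[(.+?)\]\s*\[(any|all)\]\s*\[(.*?)\]$")

def parse_rcl(text):
    """Parse rcl text into (name, condition, [(kind, value), ...]) entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        m = HEADER.match(line)
        if m:
            entries.append((m.group(1), m.group(2), []))
            continue
        kind, value = line.rstrip(";").split(":", 1)
        if kind == "p" and value.startswith("r:"):  # p:r:<regex> process check
            value = value[2:]
        entries[-1][2].append((kind, value))
    return entries

def evaluate(entries, host):
    """Return names of entries whose checks match the host snapshot."""
    files = {f.lower() for f in host["files"]}
    keys = {k.lower() for k in host["registry"]}
    found = []
    for name, cond, checks in entries:
        hits = [value.lower() in files if kind == "f" else
                value.lower() in keys if kind == "r" else
                any(re.search(value, p, re.I) for p in host["processes"])
                for kind, value in checks]
        # 'any' alerts on a single matching check; 'all' needs every check to match
        if hits and (any(hits) if cond == "any" else all(hits)):
            found.append(name)
    return found
```

Running evaluate(parse_rcl(SAMPLE_RCL), HOST) reports only Google Talk: the Kazaa entry uses the 'all' condition and its executable is absent from the snapshot.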



To define rules for receiving an alert for any application mentioned in the win_applications_rcl.txt file, open local_rules.xml and add the following rule (the rule id and level were not preserved in the original text; local rule ids must lie in the 100000-119999 range, so the values below are placeholders):

<group name="local,syslog,">
  <rule id="100100" level="7">
    <if_sid>510</if_sid>
    <match>^Application Found</match>
    <options>alert_by_email</options>
    <description>Windows application monitor event.</description>
    <group>rootcheck,</group>
  </rule>
</group>

OSSEC also generates an entry in the /var/ossec/queue/rootcheck directory whenever it detects an application that it has been configured to detect. You can view details of all events through its WebUI. Moreover, on the WebUI you can also see detailed statistics for each server over a particular time period.


