OSSEC Comprehensive Guide & Cheat Sheet


Introduction to OSSEC

OSSEC (Open Source Security Event Correlator) is a powerful, open-source, host-based intrusion detection system (HIDS). It provides log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting, and active response across multiple platforms (Linux, Windows, macOS, Solaris, BSD).


Architecture & Components

OSSEC uses a client-server (manager-agent) architecture:

  • Manager (Server): Central component that receives, stores, and analyzes data from agents and other sources. It generates alerts and manages responses.

  • Agents: Installed on monitored endpoints. They collect logs, monitor files, and send data to the manager.

  • Agentless Monitoring: For devices that cannot run an agent (e.g., routers, switches), OSSEC can collect logs via SSH, WMI, or syslog.

  • Decoders: Parse and normalize log messages.

  • Rules: Define what constitutes suspicious or malicious activity.

  • Active Responses: Automated actions triggered by specific events (e.g., block IP, disable account).


Key Features

  • Log Analysis: Real-time analysis of logs from various sources (syslog, Windows Event Logs, application logs).

  • File Integrity Monitoring (FIM): Detects unauthorized changes to critical files.

  • Rootkit Detection: Scans for rootkits and suspicious binaries.

  • Registry Monitoring: Monitors Windows registry changes.

  • Real-Time Alerting: Immediate notification of security events.

  • Active Response: Automated mitigation actions.

  • Centralized Management: Unified policy enforcement and alerting.


Installation & Deployment

Supported Platforms

  • Linux/Unix: Most distributions supported.

  • Windows: All major versions.

  • macOS, Solaris, BSD: Supported.

Deployment Scenarios

  • Single Host: Manager and agent on the same machine.

  • Distributed: Central manager with multiple agents across the network.

  • Agentless: For devices that cannot run an agent.

Installation Steps (Linux Example)

  1. Download OSSEC:

    wget https://github.com/ossec/ossec-hids/archive/master.tar.gz
    tar -zxvf master.tar.gz
    cd ossec-hids-*

  2. Run Installer:

    sudo ./install.sh

    • Choose "server" or "agent" as appropriate.

  3. Configure Firewall: Allow agent-to-manager traffic on the default port (1514/UDP).

  4. Start OSSEC:

    sudo /var/ossec/bin/ossec-control start

  5. Agent Registration: On the manager, add agents and provide keys for secure communication.

For Windows, use the provided installer and follow the GUI prompts.

Large-Scale/Automated Deployment

  • Use configuration management tools (Ansible, Puppet, Chef).

  • For agentless, configure SSH/WMI access.


Configuration Essentials

ossec.conf Overview

The main configuration file is /var/ossec/etc/ossec.conf. It is XML-based and controls all aspects of OSSEC.

Key Sections:

  • <global>: General settings.

  • <rules>: Rule files to load.

  • <decoders>: Decoder files to load.

  • <active-response>: Automated response actions.

  • <syscheck>: File integrity monitoring.

  • <rootcheck>: Rootkit detection.

  • <alerts>: Alerting configuration.

Example ossec.conf Snippet

<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>admin@example.com</email_to>
    <!-- smtp_server and email_from are required once email_notification is yes -->
    <smtp_server>localhost</smtp_server>
    <email_from>ossec@example.com</email_from>
  </global>
  <rules>
    <include>rules/local_rules.xml</include>
  </rules>
  <!-- Define the response command once; <expect>srcip</expect> means it only
       runs for alerts that carry a decoded source IP, and timeout_allowed lets
       an <active-response> block give it a <timeout>. -->
  <command>
    <name>firewalldrop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewalldrop</command>
    <location>local</location>
    <level>10</level>
  </active-response>
  <syscheck>
    <frequency>3600</frequency>
    <directories check_all="yes">/etc,/usr/bin</directories>
  </syscheck>
</ossec_config>

Rules

  • Location: /var/ossec/etc/rules/

  • Format: XML

  • Purpose: Define what log patterns trigger alerts.

  • Customization: Add custom rules for your environment. Always back up custom rules before upgrades.

Example Rule

<!-- Rules live inside a <group>; frequency and timeframe are attributes of <rule>,
     and a composite rule counts matches of another rule via <if_matched_sid>.
     5716 is OSSEC's built-in "SSHD authentication failed" rule. -->
<group name="local,syslog,sshd,">
  <rule id="100001" level="10" frequency="5" timeframe="60">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Multiple failed SSH login attempts</description>
    <group>authentication_failures,</group>
  </rule>
</group>

Decoders

  • Location: /var/ossec/etc/decoders/

  • Purpose: Parse and extract fields from log messages.

  • Customization: Write custom decoders for unique log formats. Back up before upgrades.

Example Decoder

<!-- Declared as a child of the built-in "sshd" decoder, so it runs after the stock
     program_name match instead of being shadowed by it. -->
<decoder name="custom-ssh">
  <parent>sshd</parent>
  <regex>Failed password for (\w+) from (\d+\.\d+\.\d+\.\d+)</regex>
  <order>user, srcip</order>
</decoder>
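To see how the decoder and the composite rule above work together, here is an added Python model (not OSSEC's own code) that runs the decoder regex over constructed sshd log lines and applies the frequency/timeframe/same_source_ip logic. The syslog-header parsing and the reset of a source's counter after an alert are assumptions of the model; OSSEC's rule documentation also notes that the real trigger count is two more than the frequency value, whereas this model counts literally.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Decoder regex from the example above (OSSEC's \w, \d and \. mean the same in Python);
# SYSLOG_RE splits the syslog header so the parent "sshd" program-name check can run.
DECODER_RE = re.compile(r"Failed password for (\w+) from (\d+\.\d+\.\d+\.\d+)")
SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (\w+)(?:\[\d+\])?: (.*)$")
RULE_ID, LEVEL, FREQUENCY, TIMEFRAME = 100001, 10, 5, 60  # from the example rule

def decode(line, year=2024):
    """Emulate the decoder: user/srcip for a matching sshd line, else None."""
    m = SYSLOG_RE.match(line)
    if not m or m.group(2) != "sshd":          # program name must be sshd
        return None
    fields = DECODER_RE.search(m.group(3))
    if not fields:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"timestamp": ts, "user": fields.group(1), "srcip": fields.group(2)}

def correlate(lines):
    """Simplified composite rule: alert when one srcip yields FREQUENCY decoded
    events inside TIMEFRAME seconds, then reset that source's window (assumption)."""
    window, alerts = defaultdict(deque), []
    for line in lines:                          # lines assumed in time order
        ev = decode(line)
        if ev is None:
            continue
        q = window[ev["srcip"]]                 # one window per source: <same_source_ip />
        q.append(ev["timestamp"])
        while (ev["timestamp"] - q[0]).total_seconds() > TIMEFRAME:
            q.popleft()                         # drop events older than the timeframe
        if len(q) >= FREQUENCY:
            alerts.append({"rule": RULE_ID, "level": LEVEL, "srcip": ev["srcip"],
                           "user": ev["user"], "at": ev["timestamp"]})
            q.clear()
    return alerts

# Constructed sample auth log: five failures from 203.0.113.4 within 60 s plus noise.
SAMPLE_LOG = """\
Nov 14 22:13:01 web01 sshd[1201]: Failed password for root from 203.0.113.4 port 4444 ssh2
Nov 14 22:13:05 web01 sshd[1202]: Failed password for root from 203.0.113.4 port 4445 ssh2
Nov 14 22:13:09 web01 sshd[1203]: Accepted password for alice from 198.51.100.7 port 5012 ssh2
Nov 14 22:13:12 web01 sshd[1204]: Failed password for admin from 203.0.113.4 port 4446 ssh2
Nov 14 22:13:20 web01 sshd[1205]: Failed password for bob from 198.51.100.7 port 5013 ssh2
Nov 14 22:13:30 web01 sshd[1206]: Failed password for root from 203.0.113.4 port 4447 ssh2
Nov 14 22:13:44 web01 sshd[1207]: Failed password for root from 203.0.113.4 port 4448 ssh2
""".splitlines()
```

Running `correlate(SAMPLE_LOG)` yields a single level-10 alert for 203.0.113.4 at 22:13:44; the "Accepted password" line never decodes, and 198.51.100.7 stays below the threshold.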

Active Responses

  • Purpose: Automate mitigation (e.g., block IP, disable user).

  • Configuration: Each response in its own <active-response> block in ossec.conf.

  • Key Options:

    • command: The script or action to run.

    • location: Where to execute (local, server, agent).

    • level: Minimum alert level to trigger.

    • timeout: How long the response lasts.

Example Active Response

<!-- "firewalldrop" must match the <name> of a <command> block defined in ossec.conf -->
<active-response>
  <command>firewalldrop</command>
  <location>local</location>
  <level>10</level>
  <timeout>600</timeout>
</active-response>

Monitoring & Log Analysis

  • Log Sources: Internal logs, Windows Event Logs, syslog, application logs.

  • Logcollector: Collects events from sources.

  • Analysisd: Decodes, filters, and classifies events in real time.

  • Supported Formats: syslog, snort, squid, IIS, MySQL, PostgreSQL, Apache, and more.

  • Capabilities: Detects attacks, misuse, policy violations, and system errors.


Alerting & Response

  • Real-Time Alerts: Immediate notification via email, syslog, or custom scripts.

  • Alert Levels: 0 (ignore) to 15 (critical).

  • Active Response: Automated actions (e.g., block IP, restart service).

  • Centralized Policy Enforcement: Uniform security policies across all monitored devices.


Integration with Other Tools & SIEM

  • SIEM Integration: OSSEC can send logs/alerts to SIEMs like ELK Stack (Elasticsearch, Logstash, Kibana), Graylog, and Splunk for advanced analysis and visualization.

  • Other Security Tools: Integrates with Snort, Suricata, Zeek for network security monitoring.

  • Log Management: Centralized log collection and advanced search via Graylog or Elastic Stack.

  • Community Support: Strong community for plugins, integrations, and troubleshooting.


Maintenance, Troubleshooting & Best Practices

Troubleshooting

  • Identify Problems: Check logs in /var/ossec/logs/ for errors.

  • Systematic Approach: Isolate the issue (agent, manager, network).

  • Diagnostic Tools: Use OSSEC's built-in tools and system utilities.

  • Common Issues: Agent connectivity, rule misconfiguration, permission errors.
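Rule misconfiguration is easiest to catch before restarting the manager. The following is an added Python lint (not an OSSEC tool) for a local rules group that checks the points this guide's rule example depends on: user rule ids in OSSEC's 100000-119999 range, a 0-15 level, a description, frequency/timeframe given as attributes, and an if_matched_* parent for any frequency rule. It lints one <group> element at a time because ElementTree accepts a single root; the sample rule files are constructed for the example.

```python
import xml.etree.ElementTree as ET

LOCAL_ID_RANGE = (100000, 119999)  # id range OSSEC reserves for user-defined rules
MATCH_PARENTS = ("if_matched_sid", "if_matched_group", "if_matched_regex")

def lint_rules(xml_text):
    """Return a list of problems found in one <group> of rules; [] means clean."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems, seen = [], set()
    for rule in root.iter("rule"):
        rid = rule.get("id", "?")
        if not (rid.isdigit() and LOCAL_ID_RANGE[0] <= int(rid) <= LOCAL_ID_RANGE[1]):
            problems.append(f"rule {rid}: id must be an integer in {LOCAL_ID_RANGE}")
        if rid in seen:
            problems.append(f"rule {rid}: duplicate id")
        seen.add(rid)
        level = rule.get("level", "")
        if not (level.isdigit() and int(level) <= 15):
            problems.append(f"rule {rid}: level must be 0-15")
        if rule.find("description") is None:
            problems.append(f"rule {rid}: missing <description>")
        if rule.find("frequency") is not None or rule.find("timeframe") is not None:
            problems.append(f"rule {rid}: frequency/timeframe are <rule> attributes, not elements")
        if "frequency" in rule.attrib:          # composite rule: needs timeframe + parent match
            if "timeframe" not in rule.attrib:
                problems.append(f"rule {rid}: frequency requires a timeframe attribute")
            if all(rule.find(p) is None for p in MATCH_PARENTS):
                problems.append(f"rule {rid}: composite rule needs one of {MATCH_PARENTS}")
    return problems

# Constructed samples: the corrected SSH rule from this guide, and one with common
# mistakes (id outside the local range, frequency as child elements, no description).
GOOD_RULES = """<group name="local,syslog,sshd,">
  <rule id="100001" level="10" frequency="5" timeframe="60">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Multiple failed SSH login attempts</description>
  </rule>
</group>"""
BAD_RULES = """<group name="local,syslog,">
  <rule id="5716" level="10">
    <frequency>5</frequency>
    <timeframe>60</timeframe>
  </rule>
</group>"""
```

`lint_rules(GOOD_RULES)` returns an empty list, while `lint_rules(BAD_RULES)` reports the out-of-range id, the missing description, and the frequency/timeframe child elements.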

Maintenance

  • Preventive: Regularly update OSSEC, review rules/decoders, and back up configurations.

  • Corrective: Address alerts and incidents promptly, verify system integrity.

  • Routine: Clean up old logs, rotate log files, and monitor system performance.

Best Practices

  • Backup: Always back up custom rules, decoders, and configuration files before upgrades.

  • Least Privilege: Run OSSEC with minimal required permissions.

  • Regular Updates: Keep OSSEC and all dependencies up to date.

  • Training: Ensure staff are trained on OSSEC operation and incident response.

  • Feedback Loops: Review and refine rules based on incident feedback.


Community & Resources

  • Official Website: ossec.github.io

  • GitHub: github.com/ossec/ossec-hids

  • Forums: OSSEC Google Group, Stack Overflow, Reddit

  • Documentation: OSSEC Documentation

  • Related Projects: Wazuh (OSSEC fork with extended features)

  • Blogs & Case Studies: Search for real-world use cases and example configurations on GitHub, company blogs, and security forums.


Quick Reference Cheat Sheet

Common Commands

  Command                                     Description
  sudo /var/ossec/bin/ossec-control start     Start OSSEC
  sudo /var/ossec/bin/ossec-control stop      Stop OSSEC
  sudo /var/ossec/bin/ossec-control restart   Restart OSSEC
  sudo /var/ossec/bin/manage_agents           Manage agent keys (add/remove/list)
  sudo /var/ossec/bin/agent_control -l        List connected agents
  sudo /var/ossec/bin/ossec-logtest           Test log messages against rules/decoders

Key File Locations

  File/Directory                 Purpose
  /var/ossec/etc/ossec.conf      Main configuration file
  /var/ossec/etc/rules/          Rule files
  /var/ossec/etc/decoders/       Decoder files
  /var/ossec/logs/               Log files
  /var/ossec/active-response/    Active response scripts

Alert Levels

  Level   Description
  0       Ignore
  1-3     Low (informational)
  4-7     Medium (suspicious)
  8-15    High (attack/critical)

Useful Links

  • OSSEC Documentation

  • Wazuh Documentation

  • OSSEC GitHub