Wednesday, December 19, 2018

Configuring OSSEC Clients with OSSIM

Adding OSSEC Agents for Log Collection and File Integrity Monitoring:

In this tutorial I'll install OSSEC agents on Windows and Linux client machines so they can be monitored by the OSSIM SIEM. OSSEC is a host-based IDS: each agent forwards its logs, file integrity (syscheck) results and rootkit-check results to a server, which here is the OSSIM appliance. Configuring OSSEC clients with OSSIM has three parts: enabling the OSSEC plugin on the OSSIM server, generating a key for each agent on the server, and installing the agent with that key on each host. We start by enabling the plugin.

To enable the OSSEC plugin on the OSSIM server, follow the steps shown below:

1- Go to:

Configure Sensor  >  Configure Data Source Plugins  >  select "ossec-single-line" (if not already enabled)  >  select OK

[Screenshots: OSSEC 1, OSSEC 2, OSSEC 3]
2- Go back to the main screen, select "Apply All Changes" and select OK.

[Screenshot: OSSEC 4]

3- Select "YES" on the next confirmation screen.

[Screenshot: OSSEC 5]

4- Applying the changes may take some time, and the server restarts as shown below:

[Screenshot: OSSEC 6]

Generate OSSEC Client Keys:

Each agent authenticates to the server with a per-agent shared key, stored in /var/ossec/etc/client.keys on both sides. The key is created on the OSSIM server and then copied to the agent.

1- Select "Jailbreak System" and then "OK". This drops you to a root shell on the appliance.

[Screenshot: OSSEC 7]

2- Execute the following command to add an OSSEC agent:

# /var/ossec/bin/manage_agents

- Enter "A" to add a new OSSEC agent.
- Provide the required information: the agent name to show, its IP address, and the agent ID (leave the default if you do not want to change it).
- Press "y" to save the agent entry.

[Screenshot: OSSEC 8]

3- Now extract the agent's key by running the same command again:

# /var/ossec/bin/manage_agents

- Enter "E" to extract an agent's key.
- Enter the agent's ID; in my case it is 001, as shown below.
- Copy the extracted key (a single base64 string) and exit. Treat it as a secret: anyone holding it can submit events to OSSIM as that agent.

[Screenshot: OSSEC 9]

Restart the OSSEC server processes so that ossec-remoted loads the new entry from client.keys:

# /var/ossec/bin/ossec-control restart
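The string printed by the "E" option is the base64 encoding of the agent's client.keys line ("ID NAME IP KEY"), so it can be decoded and checked before it is pasted into an agent. The script below is an added example, not code from the tutorial or from OSSEC: it decodes a key and confirms that the name, IP and key format match the host you are about to configure. The sample key it builds is constructed for the example and is not a real OSSIM key; the 64-hex-character key length is what manage_agents generates on OSSEC 2.x.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or of OSSEC itself.
# "manage_agents -> E" prints base64 of one client.keys line:
#   "ID NAME IP KEY"   (KEY = 64 lowercase hex chars on OSSEC 2.x)
# Decoding it before pasting into the agent confirms you copied the right key
# for the right host. The key built in main() is constructed for this example.

# Decode the base64 string; prints nothing and fails if it is not valid base64.
ossec_key_decode() {
    printf '%s' "$1" | base64 -d 2>/dev/null
}

# ossec_key_check <base64-key> <expected-name> <expected-ip>
# Returns 0 when the key decodes to a well-formed line for that agent.
ossec_key_check() {
    want_name=$2
    want_ip=$3
    decoded=$(ossec_key_decode "$1")
    [ -n "$decoded" ] || { echo "FAIL: not a valid base64 key" >&2; return 1; }

    # split the line into its four fields (word splitting is intended here)
    set -- $decoded
    [ "$#" -eq 4 ] || { echo "FAIL: expected 4 fields, got $#" >&2; return 1; }
    id=$1; name=$2; ip=$3; secret=$4

    echo "$id" | grep -Eq '^[0-9]{3,}$' \
        || { echo "FAIL: bad agent ID '$id'" >&2; return 1; }
    [ "$name" = "$want_name" ] \
        || { echo "FAIL: key is for agent '$name', not '$want_name'" >&2; return 1; }
    # manage_agents also accepts "any" instead of a single address
    [ "$ip" = "$want_ip" ] || [ "$ip" = "any" ] \
        || { echo "FAIL: key is bound to IP '$ip', host is '$want_ip'" >&2; return 1; }
    echo "$secret" | grep -Eq '^[0-9a-f]{64}$' \
        || { echo "FAIL: secret is not 64 hex chars" >&2; return 1; }

    echo "OK: agent $id ($name, $ip)"
}

# Stand-alone run with a constructed key (not a real OSSIM key).
main() {
    line="001 web01 192.168.1.10 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    key=$(printf '%s' "$line" | base64 | tr -d '\n')
    ossec_key_check "$key" web01 192.168.1.10
}

main
```

A key that fails the IP check usually means the agent was added with the wrong address on the server; the agent will not be accepted by ossec-remoted until the entry matches the host it connects from. The menu steps above can also be scripted: manage_agents accepts -e <id> on the server and -i <key> on the agent in OSSEC 2.x (manage_agents -h lists the flags your version supports).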

Installing OSSEC Agent on Windows Host:

Download the latest stable release of the OSSEC agent for Windows from the following link:

http://www.ossec.net/?page_id=19

1- Execute the downloaded "ossec-agent-win32XXXX.exe" file.

[Screenshot: OSSEC 10]

2- Enter the IP address of the OSSIM server and the key generated and extracted in step 3 above, then click Save.

[Screenshot: OSSEC 11]

3- Start the OSSEC agent on the client host so it begins sending log and file integrity alerts to the OSSIM server. The agent talks to the server on UDP port 1514, so that port must be reachable from the host.

[Screenshot: OSSEC 12]

4- Restart the OSSEC server on the OSSIM appliance so it picks up the new agent:

# /var/ossec/bin/ossec-control restart

Installing OSSEC Agent on Linux/Unix Host:

The OSSEC agent has to be built from source on the Linux host. Many production Linux systems have the compilation tools removed, however.

What a basic build environment needs depends on the Linux distribution you deploy on, but at a minimum it requires a C compiler plus the basic kernel and libc header files. These can be installed with the appropriate package manager commands (run as root, or prefix them with sudo).

For Debian-based systems (e.g. Ubuntu):

# apt-get install build-essential

For Red Hat-based systems (e.g. CentOS):

# yum groupinstall "Development Tools" -y
# yum install kernel-devel -y

Change the working directory to a location suitable for building and installing software from:

# cd /usr/src

Download the latest version available. At the time of writing 2.7 was the latest release, so check the download page for the current one, and verify the tarball's checksum against the value the OSSEC project publishes before building it.

# wget http://www.ossec.net/files/ossec-hids-2.7.tar.gz

Extract the downloaded archive using tar:

# tar -xzvf ossec-hids-2.7.tar.gz

Change into the extracted directory and run the install script with bash:

# cd ossec-hids-2.7

# /bin/bash ./install.sh


On Ubuntu /bin/sh is dash, not bash. install.sh relies on bash behaviour, so when it is run under dash it breaks and installs the server component of OSSEC instead of the agent you asked for. Calling /bin/bash explicitly, as in the command above, prevents this.

- Pick your language for OSSEC; the default is English, which is what I selected.

[Screenshot: OSSEC Linux 2]

- Press the Enter key to begin the installation.

[Screenshot: OSSEC Linux 3]

- Select "Installation Type" as "agent".

[Screenshot: OSSEC Linux 4]

- Enter the path where the OSSEC agent should be installed; the default location is /var/ossec.

[Screenshot: OSSEC Linux 5]

- Enter the IP address or host name of the OSSIM server. Remember, if you use a hostname, DNS or the local hosts file must resolve it to the OSSIM server's IP.

[Screenshot: OSSEC Linux 6]

- In the next steps:

- Choose whether you want the file integrity check (syscheck) enabled or not.

- Choose whether you want rootkit detection enabled or not.

- Choose whether you want to run the active response engine. It lets the server trigger external commands on this host when particular alerts fire, so leave it disabled unless you have a use for it.

- OSSEC then displays the configured options:

[Screenshot: OSSEC Linux 9]

- The installation script now starts installing the OSSEC agent.

- If no dependency issues arise, setup finishes smoothly; press Enter to finish when asked, as shown below:

[Screenshot: OSSEC Linux 10]
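The prompts above can all be answered from a file: install.sh reads etc/preloaded-vars.conf from the unpacked source tree and uses its USER_* variables instead of asking, which is how you roll the agent out to more than a handful of hosts without retyping the answers. The script below is an added example, not part of the tutorial or of the OSSEC project. The server IP, install directory and tarball checksum are values the operator supplies (the checksum comes from the project's published checksum file for the release you downloaded); the variable names are the ones documented in the preloaded-vars.conf template shipped with OSSEC 2.x.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or of the OSSEC project.
# install.sh sources etc/preloaded-vars.conf and skips each prompt that has a
# USER_* answer set, so an agent can be built unattended. The server IP and the
# checksum are supplied by the operator (assumed values below).

# ossec_agent_preload <server-ip> [install-dir]
# Prints an agent-mode preloaded-vars.conf to stdout.
ossec_agent_preload() {
    server_ip=$1
    install_dir=${2:-/var/ossec}
    # Accept only a dotted quad: a typo here becomes a name the agent cannot
    # resolve, and the failure only shows up later as an agent that never connects.
    echo "$server_ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {
        echo "ossec_agent_preload: '$server_ip' is not an IPv4 address" >&2
        return 1
    }
    cat <<EOF
USER_LANGUAGE="en"
USER_NO_STOP="y"
USER_INSTALL_TYPE="agent"
USER_DIR="$install_dir"
USER_AGENT_SERVER_IP="$server_ip"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_ENABLE_ACTIVE_RESPONSE="n"
EOF
}

# ossec_agent_build <tarball> <expected-sha256> <server-ip>
# Verifies the download, unpacks it, drops in the answers file and runs the
# installer under bash (see the dash note above). The install itself needs root.
ossec_agent_build() {
    tarball=$1
    expected=$2
    server_ip=$3
    actual=$(sha256sum "$tarball" | awk '{print $1}')
    [ "$actual" = "$expected" ] || {
        echo "checksum mismatch for $tarball: got $actual" >&2
        return 1
    }
    tar -xzf "$tarball"
    # top-level directory inside the tarball, e.g. ossec-hids-2.7
    srcdir=$(tar -tzf "$tarball" | head -n 1 | cut -d/ -f1)
    ossec_agent_preload "$server_ip" > "$srcdir/etc/preloaded-vars.conf" || return 1
    (cd "$srcdir" && /bin/bash ./install.sh)
}

# Typical use (assumed values; the checksum is the one the OSSEC project
# publishes for the release you downloaded):
#   ossec_agent_build ossec-hids-2.7.tar.gz <sha256-from-project> 192.168.1.5
```

Active response is left off in the generated file deliberately: on an agent it lets the manager run commands on the host, which you should enable only once you have decided which responses you want. Everything the file does not answer is still prompted for, so a variable you leave out does not silently pick a default.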

Configuring Client:

- First, generate the agent's key on the OSSIM server using the steps shown above.

- Now on the client, as root, run the following command to import the generated OSSEC key used for communication with the OSSIM server:

# /var/ossec/bin/manage_agents

[Screenshot: OSSEC Linux 11]

- Enter "I" to import a key from the server.
- Paste the key extracted from the server previously:

[Screenshot: OSSEC Linux 12]

- Confirm when asked that the key is correct.

- Quit the OSSEC agent management tool by entering "Q".

- Restart the OSSEC agent on the client host with the following command:

# /var/ossec/bin/ossec-control restart

- After configuring agents, restart the OSSEC server on the OSSIM appliance as well, since ossec-remoted only reads client.keys when it starts. Use the same procedure as above (Jailbreak System into the OSSIM console and run ossec-control restart), or use the OSSIM web interface:

Go to:

Environment  >  Detection  >  OSSEC Control

Click "Restart" as shown in the figure below.

[Screenshot: OSSEC Linux 13]
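Before restarting the agent it is worth checking what the import step left on disk: the key line in client.keys, the server address in ossec.conf, and the permissions on the key file, since a world-readable client.keys hands the shared secret to every local user. The script below is an added example, not from the tutorial or from OSSEC. It takes the file paths as parameters (defaulting to the /var/ossec locations) so it can also run against copies of the files, and its stand-alone run uses constructed sample files rather than real OSSIM data.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or of OSSEC. It checks the
# agent-side artefacts the import step leaves behind before you restart the
# agent: the imported key line, the server address in ossec.conf, and the
# permissions on client.keys. Paths are parameters so the check can also be
# run against copies of the files, as main() does with constructed samples.

# ossec_agent_verify [client.keys] [ossec.conf]
# Returns 0 when every check passes; prints one FAIL line per problem.
ossec_agent_verify() {
    keys=${1:-/var/ossec/etc/client.keys}
    conf=${2:-/var/ossec/etc/ossec.conf}
    rc=0

    [ -s "$keys" ] || { echo "FAIL: $keys missing or empty: key not imported"; return 1; }

    # an agent holds exactly one key line; several usually mean a stale import
    n=$(grep -c . "$keys")
    [ "$n" -eq 1 ] || { echo "FAIL: $keys has $n entries, expected 1"; rc=1; }

    # "ID NAME IP KEY" as written by the I option (KEY = 64 hex chars on OSSEC 2.x)
    grep -Eq '^[0-9]{3,} [^ ]+ [^ ]+ [0-9a-fA-F]{64}$' "$keys" \
        || { echo "FAIL: malformed key line in $keys"; rc=1; }

    # the agent must know where to send: <server-ip> or <server-hostname>
    grep -Eq '<server-(ip|hostname)>[^<]+</server-(ip|hostname)>' "$conf" \
        || { echo "FAIL: no <server-ip>/<server-hostname> in $conf"; rc=1; }

    # the shared secret must not be world-readable (GNU stat; BSD uses stat -f %Lp)
    mode=$(stat -c '%a' "$keys" 2>/dev/null)
    case "$mode" in
        *[4567]) echo "FAIL: $keys is world-readable (mode $mode)"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $keys and $conf look consistent"
    return "$rc"
}

# Stand-alone run against constructed sample files (not real OSSIM data).
main() {
    tmp=$(mktemp -d)
    printf '001 web01 192.168.1.10 %s\n' \
        0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef \
        > "$tmp/client.keys"
    chmod 640 "$tmp/client.keys"
    printf '<ossec_config>\n  <client>\n    <server-ip>192.168.1.5</server-ip>\n  </client>\n</ossec_config>\n' \
        > "$tmp/ossec.conf"
    ossec_agent_verify "$tmp/client.keys" "$tmp/ossec.conf"
    rm -rf "$tmp"
}

main
```

If the checks pass but the agent still does not show up on the server, the usual remaining causes are UDP 1514 being blocked between the host and OSSIM, or the server-side entry having a different IP than the one the agent actually connects from.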

About Muhammad Attique


4 comments

  1. Thank you for the help; you gave me great help.

  2. Hi. I'm having difficulty with how to view the collection of logs from AlienVault OSSIM using Jailbreak System (command line).

  3. Hi, is there any configuration for PRADS for OSSIM v5.3?
