SuSE Security (HIDS) - OSSEC & Analogi makes an awesome combination

If you have searched high and low for a good HIDS analysis software, well OSSEC combined with Analogi Visual Data Analysis may fit the bill on a budget.

OSSEC is an Open Source Host-based Intrusion Detection System (HIDS) that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows. OSSEC is powerful and professional, but by itself it does not have a really great way of presenting all the information it collects. Combined with the Analogi Visual Analysis Web Front-End it may fit the bill on a budget: in this case it is totally free except for some time dedicated to setting up, learning and fine tuning.

There are other good software vendors that utilize OSSEC along with other methods, such as AlienVault and OSSIM, but many of these require much time to configure and can get costly. OSSIM, which itself is also free, contains:

  • Tripwire - monitors Linux systems to detect and report any unauthorized changes to files and directories.
  • Arpwatch - used for MAC anomaly detection.
  • Passive OS Fingerprinting(p0f) - used for passive OS detection and OS change analysis.
  • Passive Asset Detection System(Pads) - used for service anomaly detection.
  • Nessus - used for vulnerability assessment and for cross correlation (IDS vs Security Scanner).
  • Snort - the IDS, also used for cross correlation with nessus.
  • Spade - the statistical packet anomaly detection engine. Used to gain knowledge about attacks without signatures.
  • Tcptrack - used for session data information which can prove useful for attack correlation.
  • Ntop - which builds an impressive network information database from which we can identify aberrant behavior/anomaly detection.
  • Nagios - fed from the host asset database, it monitors host and service availability information.
  • Osiris - a great HIDS.
  • OCS-NG - cross-platform inventory solution.
  • OSSEC - integrity, rootkit, registry detection, and more.

I have found that standalone OSSEC combined with the Analogi interface makes a perfect low budget HIDS. Analogi organizes all alerts in a visually clear and informative fashion, and if you want to add Snort, you will have combined a great HIDS with a Network Intrusion Detection System (NIDS).

Using OSSEC and Analogi on SuSE is really easy. You can opt to install everything (the OSSEC Master, the Analogi Web Front End and the databases) on the same machine, or you can split it out over a few servers for utilization and redundancy; the choice is yours. For this example, assume we are going to install everything on the same machine. This single machine will be the OSSEC Master Server to which all Agents will forward alerts. On this machine you will need to install and configure Apache, PHP, MySQL, OSSEC and Analogi. Apache and PHP are the keys to running the Front End Data Analysis (Analogi), and MySQL will house all of the alerts from all your OSSEC agents.

To get started, begin by installing SuSE with the basic LAMP stack. Once you have that installed, you can pull down the OSSEC source from http://www.ossec.net.


 # wget http://www.ossec.net/files/ossec-hids-2.8.1.tar.gz
 # tar -xvf ossec-hids-2.8.1.tar.gz
 # cd ossec-hids-2.8.1/src
 # make setdb
 # cd ..

Next you'll want to create a new MySQL database to hold all of your alerts and configure a user.


 # mysql -u root -p
       mysql> create database ossec;
       mysql> grant all privileges on ossec.* to 'YOUR_USER'@'<ADDRESS>' identified by 'Passw0rd';
       mysql> set password for 'YOUR_USER'@'<ADDRESS>' = PASSWORD('Passw0rd');
       mysql> flush privileges;
       mysql> quit

Now create the schema.


 # mysql -u root -p ossec < ossec-hids-2.8.1/src/os_dbd/mysql.schema

Then add the MySQL schema to the OSSEC configuration on the Master in /var/ossec/etc/ossec.conf


	<ossec_config>
	  <database_output>
	    <hostname>127.0.0.1</hostname>
	    <username>YOUR_USER</username>
	    <password>Passw0rd</password>
	    <database>ossec</database>
	    <type>mysql</type>
	  </database_output>
	</ossec_config>
        

Now in the root of the ossec-hids-2.8.1 directory, issue the command to begin the compile and installation. Enter 'server' when asked during the installation.


	# ./install.sh
	

Finally enable the DB daemon and restart ossec.


	# /var/ossec/bin/ossec-control enable database
	# /var/ossec/bin/ossec-control restart
	

You have just installed OSSEC on the Master! Now let's install Analogi by cloning the source tree where you have set up your Apache root. In this example let's say it is in /srv/www/


	# cd /srv/www
	# git clone https://github.com/ECSC/analogi.git
	

After cloning, edit the DB connection settings and any other configuration settings, adjusting them to your needs, and restart Apache. After the restart you should have a beautiful web portal. Test it by pointing your browser at your server's address.


	# cd /srv/www/analogi
	# vi db_ossec.php 
	# service apache2 restart
	

Once you have all of these installed and operational, you will need to install the clients on each of your host systems and configure them to point to your OSSEC Master server. Installation of the client on Linux is practically the same as installing on the server, with the exception that you must choose the 'client' option. Windows systems are even easier using the client setup.exe. Next you will need to create a security key on the Master server and enter it on the client. On the OSSEC Master, use the following to create the key and record for the client.


	# /var/ossec/bin/manage_agents
	

Enter option (A), then the hostname, IP and ID for the client you want to add. Next, use the same command and extract the key information with option (E). Then, on the client, run the following command and import (I) the key.


	# /var/ossec/bin/manage_agents
	

Also make sure you edit /var/ossec/etc/ossec.conf on the client and add the following information.


	<client>
	  <server-hostname>YOUR_SERVER_HOSTNAME</server-hostname>
	</client>
	

Finally restart the OSSEC agent on the client.


	# /var/ossec/bin/ossec-control restart
	

And now you have a very good functioning HIDS.
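Two of the steps above hand-edit /var/ossec/etc/ossec.conf: the <database_output> block on the Master and the <client> block on each agent, with placeholders (YOUR_USER, Passw0rd, YOUR_SERVER_HOSTNAME) that are easy to leave in place before the restart. The checker below is an added example written for this walkthrough; it is not part of the original post or of the OSSEC project. It assumes that ossec.conf may contain several sibling <ossec_config> blocks (as the stock file does) and that the file is otherwise well-formed XML; the two sample configs at the bottom are constructed for the demonstration.

```python
"""Pre-restart sanity check for the ossec.conf edits made in this walkthrough.

Added example, not OSSEC project code. Reads an ossec.conf, tolerates
several sibling <ossec_config> blocks in one file (assumption: otherwise
well-formed XML) and reports, for the master, whether <database_output>
is complete and still carries the placeholder password, and, for an
agent, whether <client> points at a real master.
"""
import sys
import xml.etree.ElementTree as ET

REQUIRED_DB_FIELDS = ("hostname", "username", "password", "database", "type")
KNOWN_DB_TYPES = ("mysql", "postgresql")
# The walkthrough's placeholder plus a few obvious defaults.
PLACEHOLDER_PASSWORDS = {"", "Passw0rd", "password", "ossec"}


def parse_ossec_conf(text):
    """Return the top-level <ossec_config> elements of the file.

    OSSEC concatenates several <ossec_config> roots in one file, which is
    not a single XML document, so wrap them in a synthetic root first.
    """
    root = ET.fromstring("<root>" + text + "</root>")
    return root.findall("ossec_config")


def _text(elem, tag):
    """Stripped text of a child tag, or '' when absent or empty."""
    return (elem.findtext(tag) or "").strip()


def check_database_output(blocks):
    """Problems with the master's <database_output>, as a list of strings."""
    outputs = [o for b in blocks for o in b.findall("database_output")]
    if not outputs:
        return ["no <database_output>: ossec-dbd has nothing to write to"]
    problems = []
    if len(outputs) > 1:
        problems.append("more than one <database_output> block")
    db = outputs[0]
    for field in REQUIRED_DB_FIELDS:
        if not _text(db, field):
            problems.append(f"<database_output> is missing <{field}>")
    dbtype = _text(db, "type")
    if dbtype and dbtype not in KNOWN_DB_TYPES:
        problems.append(f"unsupported database <type>{dbtype}</type>")
    if _text(db, "password") in PLACEHOLDER_PASSWORDS:
        problems.append("database password is empty or a placeholder")
    return problems


def check_client(blocks):
    """Problems with an agent's <client> block, as a list of strings."""
    clients = [c for b in blocks for c in b.findall("client")]
    if not clients:
        return ["no <client>: the agent does not know where the master is"]
    host = _text(clients[0], "server-hostname")
    ip = _text(clients[0], "server-ip")
    if host == "YOUR_SERVER_HOSTNAME":
        return ["<server-hostname> still holds the placeholder from the walkthrough"]
    if not host and not ip:
        return ["<client> needs <server-hostname> or <server-ip>"]
    return []


def audit(text, role):
    """Run the check matching the host's role: 'server' or 'agent'."""
    blocks = parse_ossec_conf(text)
    if role == "server":
        return check_database_output(blocks)
    if role == "agent":
        return check_client(blocks)
    raise ValueError("role must be 'server' or 'agent'")


# Constructed samples: the master config as the walkthrough leaves it
# (two <ossec_config> blocks) and an agent config with the placeholder host.
SAMPLE_MASTER_CONF = """<ossec_config>
  <global><email_notification>no</email_notification></global>
</ossec_config>

<ossec_config>
  <database_output>
    <hostname>127.0.0.1</hostname>
    <username>YOUR_USER</username>
    <password>Passw0rd</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>
</ossec_config>
"""

SAMPLE_AGENT_CONF = """<ossec_config>
  <client><server-hostname>YOUR_SERVER_HOSTNAME</server-hostname></client>
</ossec_config>
"""

if __name__ == "__main__":
    # Usage: python ossec_conf_check.py server|agent /var/ossec/etc/ossec.conf
    role, path = sys.argv[1], sys.argv[2]
    with open(path, encoding="utf-8") as fh:
        found = audit(fh.read(), role)
    for line in found:
        print("PROBLEM:", line)
    sys.exit(1 if found else 0)
```

Run it as root on the Master with `server` and on each agent with `agent` before the ossec-control restart; a non-zero exit means something in the hand-edited blocks still needs attention. The password check is deliberately a blocklist of placeholders rather than a strength meter: the point is to catch the walkthrough's own sample value before it reaches a production database.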


Peace be unto you. Thank you for visiting!