Welcome to Instant OSSEC Host-based Intrusion Detection. We're going to jump into exploring the vast possibilities that OSSEC HIDS offers its users. We'll dive into the installation and basic configuration of OSSEC HIDS so you can start protecting your valuable assets today! From there, we will build on these basic concepts to explore harnessing the power of OSSEC HIDS's flexible decoders, rules, and active responses to unlock powerful, time-saving functionality. We will challenge the notion that security software will slow you down and create more work by leveraging OSSEC HIDS's automation capabilities to do our work so we can spend more time at the pub!
Installing OSSEC (Simple) gets you started with installing OSSEC HIDS through a few different methods. We look at both source and binary installs to get OSSEC HIDS installed and ready to configure.
Configuring an OSSEC server (Simple) takes you through the basic configuration of the OSSEC HIDS server. This server allows us to perform aggregations and correlations across our install base to make better decisions.
Getting agents to communicate (Simple) walks us through the basics of setting up our OSSEC HIDS agents to communicate with the OSSEC HIDS server. We also look at utilizing the OSSEC HIDS authentication daemon to make this process simpler for larger installs.
Writing your own rules (Simple) asks you to roll up your sleeves and start extending the OSSEC HIDS rules to better suit your environment. We look at the ossec-logtest tool to understand how our rules are being interpreted.
Detecting SSH brute-force attacks (Intermediate) takes a look at the compound rules of OSSEC to see how we can detect events based on their frequency. We also delve into the decoders that make compound rules possible!
Configuring the alerts (Simple) looks at various options for adjusting the alert volume for OSSEC HIDS. We start with some broad, sweeping approaches to decrease e-mails and gradually increase our granularity. We also explore the different channels for alerting.
File integrity monitoring (Simple) briefly explains what FIM is and why it's useful for product security. After that, we dissect the problem and tune our alerting to more useful levels so we don't trip over the number of alerts!
Monitoring command output (Intermediate) demonstrates a few operational intelligence capabilities of OSSEC HIDS through the monitoring of the command output. We will look into monitoring the command output either line by line or all at once.
Detecting rootkits and anomalies (Simple) looks at the rootkit and policy auditing of OSSEC HIDS. We look at some of the possible problems with these modules and how we can solve them without compromising our coverage.
Introducing active response (Intermediate) walks us through the configuration and use of OSSEC HIDS active response systems to execute scripts in response to alerts. We'll block IP addresses attempting to perform a brute-force login attack over SSH.
Verifying alerts with active response (Advanced) delivers the promise of this book. We look at how to use the entire OSSEC HIDS framework to get our computers to work for us. Slaving through false-positive alerts is not the job of a security administrator, so we'll put OSSEC HIDS to work!
The concepts in this book should be generic enough to cover OSSEC HIDS on any operating system it supports, including Linux, BSD, Solaris, HP-UX, and Microsoft Windows. The author's primary experience is with Linux systems, so some of the examples may bias towards that environment.
This book is not a manual page and is not sentient. It cannot respond to voice commands and textual inquiry (yet!). Where should you turn when you have problems that have not been covered in this book? There are plenty of resources available online to assist you in configuring OSSEC HIDS.
The first place to start is the official documentation that is available online at http://www.ossec.net/?page_id=11. Linked from the site, you'll find the Reference Manual, FAQ, installation guides and videos, and tutorials written by OSSEC community members. Everything from starting a simple standalone installation through to writing your own decoders and rules is covered in depth on the site.
OSSEC HIDS has a vibrant community of developers and users who make themselves available through a number of channels. Depending on your preferred method of communication, you can find help on IRC (Internet Relay Chat) or through the OSSEC users' mailing list.
The mailing list is a great resource as many of the questions OSSEC users might ask are likely to have been asked and answered in great depth on the mailing list. The list is hosted on Google Groups, which makes searching the archive pleasant and useful. You can find the mailing list at the following link:
https://groups.google.com/forum/?fromgroups#!forum/ossec-list
If you're familiar with IRC, you can find a group of OSSEC users and developers hanging out in #ossec on irc.freenode.net. IRC is a great way to consult OSSEC gurus on topics such as "Where do I look for X" or "Is Y even possible?" (spoiler: yes it is). To find out more about how to connect to FreeNode, see the documentation at the following link:
http://freenode.net/faq.shtml#usingfreenode
Even if you don't have a question, subscribe to the mailing list and/or hang out on IRC. If you have OSSEC HIDS running on your network, chances are you might be able to help someone else get it up and running. You don't need to be a developer to help keep the community vibrant and alive!
Trend Micro, who owns OSSEC HIDS, provides commercial support contracts. While not preferred by the author, some organizations require commercial support contracts for the software they deploy on critical infrastructure. Management, who prefer to avoid open source software, may find comfort with OSSEC as they can have a professional services contract with Trend Micro to maintain the OSSEC architecture in the event that the original administrator(s) leaves the company. This eliminates the "bus factor" normally associated with deploying open source solutions.
This book is great for everyone who is concerned about the security of their servers but assumes some knowledge of basic security concepts and rudimentary scripting experience. Whether you are a system administrator, programmer, or security analyst, this book will provide you with tips to better utilize OSSEC HIDS. Whether you're new to OSSEC HIDS or a seasoned veteran, you'll find something in this book that you can apply today!
In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.
Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "Binary installers will label their server packages as ossec-hids-server."
A block of code is set as follows:
<global>
<email_notification>yes</email_notification>
<email_to>[email protected]</email_to>
<smtp_server>localhost</smtp_server>
<email_from>[email protected]</email_from>
</global>When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:
<syslog_output>
<level>10</level>
<server>critical-events.example.com</server>
<port>514</port>
<format>json</format>
</syslog_output>Any command-line input or output is written as follows:
$ sudo apt-get install ossec-hids-server
New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "OSSEC provides a binary installer for Windows on the Downloads page of the site."
Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.
To send us general feedback, simply send an e-mail to <[email protected]>, and mention the book title via the subject of your message.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
You can download the example code files for all Packt books you have purchased from your account at http://www.packtpub.com. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files e-mailed directly to you.
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the errata submission form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded on our website, or added to any list of existing errata, under the Errata section of that title. Any existing errata can be viewed by selecting your title from http://www.packtpub.com/support.
Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.
Please contact us at <[email protected]> with a link to the suspected pirated material.
We appreciate your help in protecting our authors, and our ability to bring you valuable content.
You can contact us at <[email protected]> if you are having a problem with any aspect of the book, and we will do our best to address it.