Posts

Showing posts from December 2013

Setup OSSEC with mySQL and AnaLogi in CentOS 6

OSSEC is an open source host-based intrusion detection system that performs log analysis, file integrity checking, policy monitoring and rootkit detection. It runs on different systems (Windows, Linux, Mac, ...); the collected data can be stored in a MySQL database, and some reports can be displayed with the AnaLogi web GUI.

Prerequisites

Starting from a CentOS 6.4 minimal installation, this procedure relies on three main packages:
MySQL v5.x database
OSSEC v2.7 log analyzer
AnaLogi v1.3 (ossec-wui)

Install MySQL

Update the system and install the MySQL packages and the compilers.
# yum update
# yum install mysql-devel mysql-server gcc make

For the remaining steps to work, the post disables SELinux in /etc/selinux/config (SELINUX=disabled).
# vi /etc/selinux/config

Enable MySQL to start at system boot and start the service.
# chkconfig mysqld on
# service mysqld start

Secure MySQL by running the following command.
# /usr/bin/mysql_secure_installation

Install OSSEC and create the MySQL db

Using the com

Setup OSSEC with Splunk

Integrating Splunk with OSSEC gives a better overview of the thousands of events collected by the system and is useful for producing reports for management. Splunk is a tool that can be fed with the OSSEC alerts and turns them into graphs, with some built-in reports that make it easier to check the monitored systems.

Configure OSSEC

The OSSEC installation procedure can be found in this post. To forward alerts over syslog, edit the OSSEC configuration file and add the following block:
# vi /var/ossec/etc/ossec.conf

<syslog_output>
    <server>192.168.10.109</server>
    <port>10002</port>
</syslog_output>

Here <server> is the host that will receive the forwarded alerts (the Splunk host; in this post Splunk is installed on the OSSEC server itself, so this is the OSSEC server IP) and <port> is the UDP port Splunk will listen on (OSSEC sends to 514 when <port> is omitted). Then enable the client-syslog process and restart OSSEC.
# /var/ossec/bin/ossec-control enable client-syslog
# /var/ossec/bin/ossec-control restart

Install Splunk

Download the latest Splunk release from the website and install the application with rpm.
# rpm -Uvh splun

Snort from scratch (Part III): Writing Snort rules

Continuing with the posts about Snort (Snort from scratch, part II), we now have a complete installation and a web interface to monitor our network alerts. One of the most important tasks when maintaining an IDS like Snort is adding new rules: to alert on possible attacks, on malware behaviour, or simply to keep an eye on part of our traffic for some reason. Snort rules are very flexible and have many configuration possibilities, so this post is a short introduction to writing basic rules, explaining the components of a rule and some options that can be useful.

Anatomy of a rule

A Snort rule is basically composed of the header (which describes the traffic to match) and the options (which describe what to look for in the packet and how to report it). The header is composed of:
Action
Protocol
Source IP
Source Port
Direction Operator
Destination IP
Destination Port
(Options)

Action: what Snort will do when a packet matches the rule. Poss
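To make the header/options split concrete, here is an added example (my own code, not from the original post or from the Snort project): a small Python parser that breaks a rule into the seven header fields listed above and a dictionary of its options, plus a sid check worth running before reloading Snort. The rules it parses are constructed for this example; $HOME_NET and $EXTERNAL_NET are Snort's usual variables and are kept as opaque strings.

```python
"""Parse the two halves of a Snort rule: the header (action, protocol,
source address/port, direction operator, destination address/port) and
the option list inside the parentheses.

Added example, not code from the original post or from the Snort project.
The rule strings in SAMPLE_RULES are constructed for illustration."""

import re
from dataclasses import dataclass, field

# Vocabulary Snort 2.x accepts for the first two header fields.
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

# header: action proto src_ip src_port dir dst_ip dst_port ( options )
# Address and port fields are kept verbatim (variables like $HOME_NET,
# lists like [80,443], ranges like 1024:, negations like !$HOME_NET).
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$",
    re.DOTALL,
)

# one option: name, optionally ':' and a value, terminated by ';'.
# A double-quoted value may itself contain ';' (msg text, content bytes),
# so quoted values are matched as a unit before the unquoted fallback.
OPTION_RE = re.compile(
    r'\s*(?P<key>[A-Za-z_]+)\s*'
    r'(?::\s*(?P<value>"(?:[^"\\]|\\.)*"|[^;]*?))?'
    r'\s*;'
)


@dataclass
class Rule:
    action: str
    protocol: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    options: dict = field(default_factory=dict)


def parse_options(body: str) -> dict:
    """Flag options without a value (nocase) map to True; an option that
    appears more than once (several content: matches) maps to a list."""
    opts = {}
    for m in OPTION_RE.finditer(body):
        key, value = m.group("key"), m.group("value")
        if value is None:
            value = True
        else:
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
        if key in opts:
            prev = opts[key]
            opts[key] = prev + [value] if isinstance(prev, list) else [prev, value]
        else:
            opts[key] = value
    return opts


def parse_rule(text: str) -> Rule:
    """Parse one rule line; raise ValueError on a header Snort would reject."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError(f"not a Snort rule: {text!r}")
    action, proto = m["action"].lower(), m["proto"].lower()
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol {proto!r}")
    return Rule(action, proto, m["src_ip"], m["src_port"], m["direction"],
                m["dst_ip"], m["dst_port"], parse_options(m["opts"]))


def check_sids(rules: list) -> list:
    """Every rule should carry a sid, and no two rules may share one
    (Snort refuses to load a duplicate sid)."""
    problems, seen = [], {}
    for n, r in enumerate(rules, 1):
        sid = r.options.get("sid")
        if sid is None:
            problems.append(f"rule {n}: missing sid")
        elif sid in seen:
            problems.append(f"rule {n}: duplicate sid {sid} (first in rule {seen[sid]})")
        else:
            seen[sid] = n
    return problems


# Constructed sample rules (not from the post); the last one reuses a sid
# on purpose so that check_sids has something to report.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connection from outside; review source"; flow:to_server,established; flags:S; sid:1000001; rev:1;)',
    'alert tcp any any -> $HOME_NET [80,443] (msg:"Suspicious User-Agent"; content:"User-Agent|3a| evil"; nocase; content:"GET"; sid:1000002; rev:2;)',
    'drop udp 10.0.0.0/8 any <> any 53 (msg:"DNS either direction"; sid:1000003;)',
    'alert icmp any any -> $HOME_NET any (msg:"ICMP echo"; itype:8; sid:1000001;)',
]

if __name__ == "__main__":
    parsed = [parse_rule(r) for r in SAMPLE_RULES]
    for r in parsed:
        print(f"{r.action:5} {r.protocol:4} {r.src_ip}:{r.src_port} {r.direction} "
              f"{r.dst_ip}:{r.dst_port}  sid={r.options.get('sid')}")
    for p in check_sids(parsed):
        print("PROBLEM:", p)
```

Run it directly to print one summary line per rule and the duplicate-sid report. The part worth studying is the option tokeniser: a msg text or content pattern may legitimately contain a semicolon, so splitting on ';' with str.split() would corrupt exactly the rules that matter most; quoted values have to be consumed as a unit.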

Snort from scratch (Part II): Installing BASE & barnyard2

Continuing with the last post (Snort from scratch part I), I'll now explain how to install BASE and barnyard2. BASE (Basic Analysis and Security Engine) provides a web front-end to query and analyze the alerts coming from Snort. The alerts are stored in a MySQL database, and getting them there is barnyard2's job: barnyard2 is an output system for Snort that reads the binary logs Snort writes in unified2 format and forwards their contents to a database backend, so we'll configure Snort to output alerts in that format.

Install BASE dependencies
# yum install -y mysql-server mysql-devel php-mysql php-adodb php-pear php-gd httpd
# pear channel-update pear.php.net
# pear install Numbers_Roman
# pear install channel://pear.php.net/Image_Canvas-0.3.5
# pear install channel://pear.php.net/Image_Graph-0.8.0

Preparing the MySQL environment

Initializing MySQL and configuring the daemon to start at boot time (on CentOS 6 the service installed by mysql-server is named mysqld):
# service mysqld start

Snort from scratch (Part I)

An IDS is a security tool that lets us monitor network events, looking for attempts to compromise the security of our systems. It matches traffic against predefined rules that model the behaviour of an attack, and it can then drop the packet or simply alert us by e-mail or by writing a message to a log. Basically there are two types of IDS:
HIDS: host-based IDS, monitors the activity of a single machine looking for anomalous behaviour.
NIDS: network IDS, captures and analyzes network packets looking for attack patterns.
Generally an IDS can be placed in each network segment, for example in front of the firewall or behind it, or it can even run on the firewall itself if the network traffic is small; that way we can analyze all inbound and outbound traffic.

SNORT

Snort is a NIDS; it performs real-time scanning for attack detection and port-scan detection. The basic architecture of Snort:
Packet capture module: used to capture network traffic using lib