From OSSEC Wiki


What is OSSEC?

Intrusion Detection is the process or techniques used to detect attacks on a specific network, system or application. Most intrusion detection tools not only detect attacks, but also software misuse, policy violations and other forms of inappropriate activities. A Host-based IDS performs intrusion detection from within the systems you want to protect. Some of these tools perform log analysis, others spyware detection, while others perform virus detection. OSSEC HIDS is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, rootkit detection, time-based alerting and active response.

What is BASE?

  • BASE is the Basic Analysis and Security Engine. It is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts coming from a Snort IDS.

Put them together:

Install BASE

  • Download the latest BASE release from http://sourceforge.net/projects/secureideas/
  • Install BASE with MySQL as the backend database
  • Run the create_mysql schema script that came with Snort
  • Run the ossec2base.sql script that came with ossec-ui
  • Run the create_base_tbls_mysql.sql script that came with BASE

Install ossec2base

  • Copy ossec2mysql.pl, ossec2mysqld.pl and ossec2base_txt.pl to /usr/local/bin
  • Copy ossecmysql.pm to a directory inside your Perl library path (e.g. /usr/lib/perl/perl5/)
  • Edit ossec2base.conf, setting your BASE database name, dbusername and dbpassword.
  • Copy ossec2base.conf to /etc and change its permissions to 0600, owner root, so the database password is not readable by other users

Build signature files for BASE

  • Create a directory under the BASE web root for the signature txt files

/var/ossec# mkdir -p /var/www/html/ossecbase/signatures/


  • Generate the txt files from the OSSEC rule XML

/var/ossec# cat rules/*.xml | perl contrib/ossec2basetxt.pl -e -o /var/www/html/ossecbase/signatures/
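The pipeline above concatenates every rule file and hands the stream to a Perl converter. As an added illustration of what that conversion has to cope with (it is not the ossec2basetxt.pl from ossec-ui, and it is written in Python rather than Perl), the following script parses concatenated OSSEC rule XML into one signature record per rule. The record layout (sig_id, level, groups, description) and the pipe-separated output line are assumptions about what a BASE signature table needs, not BASE's real file format; the sample rule XML is constructed inline.

```python
"""Turn concatenated OSSEC rule XML into per-rule signature records.

Added example for this page; it is not the ossec2basetxt.pl shipped in the
ossec-ui contrib directory, and the record layout (sig_id, level, groups,
description) is an assumption about what a BASE signature table needs, not
BASE's real on-disk format."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample of what `cat rules/*.xml` emits: several top-level <group>
# elements with no single document root, which a plain XML parser rejects.
SAMPLE_RULES = """<group name="syslog,sshd,">
  <rule id="5700" level="0" noalert="1">
    <decoded_as>sshd</decoded_as>
    <description>SSHD messages grouped.</description>
  </rule>
  <rule id="5716" level="5">
    <if_sid>5700</if_sid>
    <match>^Failed|^error: PAM: Authentication</match>
    <description>SSHD authentication failed.</description>
    <group>authentication_failed,</group>
  </rule>
</group>
<group name="syscheck,">
  <rule id="550" level="7">
    <category>ossec</category>
    <decoded_as>syscheck_integrity_changed</decoded_as>
    <description>Integrity checksum changed.</description>
  </rule>
</group>
"""


def _split_groups(text):
    """OSSEC writes group lists as 'a,b,' (trailing comma); drop empties."""
    return [g.strip() for g in (text or "").split(",") if g.strip()]


def parse_rules(xml_text):
    """Return one record per <rule>, in file order."""
    # Wrap the fragment in a synthetic root so the concatenated files parse.
    # (Rule files start with XML comments, not an <?xml?> declaration; a
    # declaration in mid-stream would have to be stripped first.)
    root = ET.fromstring("<ossec_rules>" + xml_text + "</ossec_rules>")
    records = []
    # Only direct children are rule groups; a <group> nested inside a <rule>
    # is that rule's own tag list and is merged below.
    for group in root.findall("group"):
        inherited = _split_groups(group.get("name"))
        for rule in group.findall("rule"):
            own = _split_groups(rule.findtext("group"))
            groups = list(dict.fromkeys(inherited + own))  # dedupe, keep order
            records.append({
                "sig_id": int(rule.get("id")),
                "level": int(rule.get("level", "0")),
                "groups": groups,
                "description": (rule.findtext("description") or "").strip(),
            })
    return records


def alertable(records, min_level=1):
    """Level-0 rules exist only to group or silence other rules; skip them."""
    return [r for r in records if r["level"] >= min_level]


def signature_line(record):
    """One pipe-separated line per rule (assumed layout, not BASE's format)."""
    return "{sig_id}|{level}|{groups}|{description}".format(
        sig_id=record["sig_id"], level=record["level"],
        groups=",".join(record["groups"]), description=record["description"])


if __name__ == "__main__":
    # Usage: cat /var/ossec/rules/*.xml | python3 ossec_rules_to_sigs.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RULES
    for rec in alertable(parse_rules(text)):
        print(signature_line(rec))
```

Two details matter when you do this yourself: the concatenated stream has no single root, so it must be wrapped before parsing, and a `<group>` element inside a `<rule>` is that rule's own tag list, not a new rule group, so the parser only walks the top-level groups.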


Initialize OSSEC BASE database (optional)

  • Delete all rows in the signature table. This step can be done later when trying to rebuild signatures.

/var/ossec# echo 'TRUNCATE TABLE `signature` ;' | mysql ossecbase -p


  • Delete all rows in the sensor table.

/var/ossec# echo 'TRUNCATE TABLE `sensor` ;' | mysql ossecbase -p


  • Delete all alerts from BASE

/var/ossec# echo 'TRUNCATE TABLE `acid_event` ;' | mysql ossecbase -p
/var/ossec# echo 'TRUNCATE TABLE `events` ;' | mysql ossecbase -p
/var/ossec# echo 'TRUNCATE TABLE `data` ;' | mysql ossecbase -p


Run manual feed of events

zcat /var/ossec/logs/alerts/2006/Jul/ossec-alerts-31.log.gz | /usr/local/bin/ossec2mysql.pl --conf /etc/ossec2base.conf --interface manualfeed


Run real-time feed of events

/usr/local/bin/ossec2mysqld.pl --conf /etc/ossec2base.conf -d --sensor ossecsensor


Enjoy Ossec2Base

  • Open your browser to your BASE site

$ firefox http://localhost/ossecbase
