vagrant up
cd /tmp/ossec-hids-3.1.0
sudo sh install.sh
1- What kind of installation do you want (server, agent, local, hybrid or help)? server
/tmp/ossec-hids-3.1.0$ sudo /var/ossec/bin/ossec-control start
Starting OSSEC HIDS v3.1.0 (by Trend Micro Inc.)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
/tmp/ossec-hids-3.1.0$ sudo ls /var/ossec/etc/ossec.conf
/var/ossec/etc/ossec.conf
/tmp/ossec-hids-3.1.0$ sudo ls /var/ossec/rules/local_rules.xml
/var/ossec/rules/local_rules.xml
/tmp/ossec-hids-3.1.0$ sudo /var/ossec/bin/ossec-control restart
Deleting PID file '/var/ossec/var/run/ossec-remoted-1157.pid' not used...
Killing ossec-monitord ..
Killing ossec-logcollector ..
ossec-remoted not running ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
Killing ossec-execd ..
OSSEC HIDS v3.1.0 Stopped
Starting OSSEC HIDS v3.1.0 (by Trend Micro Inc.)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
$ ls -l /tmp/
drwxrwxr-x 7 root root 4096 Oct 11 2018 ossec-hids-3.1.0
drwxr-xr-x 8 root root 4096 Nov 26 08:58 ossec-wui-master
$ sudo cp -r ossec-wui-master /var/www/html/ossec
:/tmp$ cd /var/www/html/ossec
:/var/www/html/ossec$ sudo ./setup.sh
trap: SIGHUP: bad trap
Setting up ossec ui...
Username: ossecadmin
New password:
Re-type new password:
Adding password for user ossecadmin
Enter your web server user name (e.g. apache, www, nobody, www-data, ...)
www-data
You must restart your web server after this setup is done.
Setup completed successfully.
<http://192.168.21.9/ossec>
vagrant@vg-ossec-02:/tmp/ossec-hids-3.1.0$ sudo ./install.sh
1- What kind of installation do you want (server, agent, local, hybrid or help)? agent
3.1- What's the IP Address or hostname of the OSSEC HIDS server?: 192.168.21.9
Add the OSSEC agent to the OSSEC server
vagrant@vg-ossec-01:~$ sudo /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v3.1.0 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: A
- Adding a new agent (use '\q' to return to the main menu).
Please provide the following:
* A name for the new agent: vg-ossec-02
* The IP Address of the new agent: 192.168.21.10
* An ID for the new agent[001]:
Agent information:
ID:001
Name:vg-ossec-02
IP Address:192.168.21.10
Confirm adding it?(y/n): y
Agent added.
****************************************
* OSSEC HIDS v3.1.0 Agent manager. *
* The following options are available: *
****************************************
(A)dd an agent (A).
(E)xtract key for an agent (E).
(L)ist already added agents (L).
(R)emove an agent (R).
(Q)uit.
Choose your action: A,E,L,R or Q: E
Available agents:
ID: 001, Name: vg-ossec-02, IP: 192.168.21.10
Provide the ID of the agent to extract the key (or '\q' to quit): 001
Agent key information for '001' is:
MDAxIHZnLW9zc2VjLTAyIDE5Mi4xNjguMjEuMTAgNTQyYjg1NzgwMmNhOWM0YmFiYjRkY2RlMWM5ZjNlNWYwYTRjMjY5NDM3N2I5OTlkMTA2YTgzMGZjZGFlMzMxZQ==
Import the key from the OSSEC server
vagrant@vg-ossec-02:/tmp/ossec-hids-3.1.0$ sudo /var/ossec/bin/manage_agents
****************************************
* OSSEC HIDS v3.1.0 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: I
* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.
Paste it here (or '\q' to quit): MDAxIHZnLW9zc2VjLTAyIDE5Mi4xNjguMjEuMTAgNTQyYjg1NzgwMmNhOWM0YmFiYjRkY2RlMWM5ZjNlNWYwYTRjMjY5NDM3N2I5OTlkMTA2YTgzMGZjZGFlMzMxZQ==
Agent information:
ID:001
Name:vg-ossec-02
IP Address:192.168.21.10
Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu
****************************************
* OSSEC HIDS v3.1.0 Agent manager. *
* The following options are available: *
****************************************
(I)mport key from the server (I).
(Q)uit.
Choose your action: I or Q: Q
** You must restart OSSEC for your changes to take effect.
manage_agents: Exiting.
vagrant@vg-ossec-02:/tmp/ossec-hids-3.1.0$ sudo /var/ossec/bin/ossec-control restart
ossec-logcollector not running ..
ossec-syscheckd not running ..
ossec-agentd not running ..
ossec-execd not running ..
OSSEC HIDS v3.1.0 Stopped
Starting OSSEC HIDS v3.1.0 (by Trend Micro Inc.)...
Started ossec-execd...
2019/11/26 09:39:35 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
Started ossec-agentd...
Started ossec-logcollector...
Started ossec-syscheckd...
Completed.
vagrant@vg-ossec-01:~$ sudo /var/ossec/bin/ossec-control restart
Killing ossec-monitord ..
Killing ossec-logcollector ..
Killing ossec-remoted ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
Killing ossec-execd ..
OSSEC HIDS v3.1.0 Stopped
Starting OSSEC HIDS v3.1.0 (by Trend Micro Inc.)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
vagrant@vg-ossec-01:~$ sudo /var/ossec/bin/list_agents -c
vg-ossec-02-192.168.21.10 is active.
<http://192.168.21.9/ossec>
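
The key that (E) prints on the server is the base64 encoding of a single line, ID NAME IP SECRET, so it can be checked on the agent before it is pasted into (I). The script below is an added example, not part of the original session or of OSSEC; the function name check_agent_key and the sample key are constructed for illustration, and the hex check on the secret is an assumption based on the key shown in the session.

```shell
#!/bin/sh
# Added example: sanity-check an OSSEC agent key before importing it with (I).
# check_agent_key <base64-key> <expected-id> <expected-name> <expected-ip>
check_agent_key() {
    blob=$1; want_id=$2; want_name=$3; want_ip=$4

    # manage_agents warns: "Do not include spaces or new lines."
    case $blob in
        ''|*[!A-Za-z0-9+/=]*)
            echo "reject: empty key or non-base64 characters" >&2; return 1 ;;
    esac

    decoded=$(printf '%s' "$blob" | base64 -d 2>/dev/null) || {
        echo "reject: not valid base64" >&2; return 1; }

    # Decoded form is one line: ID NAME IP SECRET (four fields, no more).
    IFS=' ' read -r id name ip secret extra <<EOF
$decoded
EOF
    if [ -z "$secret" ] || [ -n "$extra" ]; then
        echo "reject: expected exactly 4 fields" >&2; return 1
    fi

    # Assumption: the secret is hexadecimal, as in the key shown above.
    case $secret in
        *[!0-9a-fA-F]*) echo "reject: secret is not hex" >&2; return 1 ;;
    esac

    # Compare with what was entered under (A) on the server.
    if [ "$id" != "$want_id" ] || [ "$name" != "$want_name" ] || [ "$ip" != "$want_ip" ]; then
        echo "reject: key is for id=$id name=$name ip=$ip" >&2; return 1
    fi

    echo "ok: id=$id name=$name ip=$ip"   # the secret is never printed
}

# Constructed sample key (not the one from the session above).
SAMPLE_KEY=$(printf '%s' '001 vg-ossec-02 192.168.21.10 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef' | base64 | tr -d '\n')

check_agent_key "$SAMPLE_KEY" 001 vg-ossec-02 192.168.21.10
```

Because the decoded line carries the agent's shared secret, the script reports only the ID, name and IP address.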