Let's start off with a great open-source product titled OSSEC that can be found at www.ossec.net. This product works on Unix-based systems only and provides capabilities to check for rootkits, check file and directory integrity, integrate with system logging, and integrate with Snort FULL and FAST alert logging. What does all of this mean? Once installed, this application can be configured to check at configurable intervals for rootkits on the system. The OSSEC syscheck component monitors system files and directories for modify/delete/add activities. The logcheck component defaults to monitoring log entries in /var/log/syslog and /var/log/authlog, but can be configured to check other files if desired. The last component monitors Snort alerts residing in /var/log/snort as the "alert" file. One of the redeeming features of this application is that it can be configured in a server-agent model where one system is designated to receive all of the alerts from the agents. The communication between the agent and server is encrypted and uses a non-standard UDP port. Systems may also be configured in local mode, which means that all components run and log to the main server on the same system. Add to this email alerting capabilities and you end up with a fairly robust host-based IDS with alerting capabilities. The final component is the active response component. This allows the OSSEC application to interact with TCP Wrappers and/or IPTables/IPChains for IPS capabilities. Responses and rules can be custom configured and require a degree of time investment, but if done correctly, it is well worth it.
So let's install OSSEC on a Debian system. Good news (but bad news for GUI fans) is that the server can be configured for console only, or run level 2 without any KDE, X, or Gnome, allowing the server owner to lock down the system to a fairly granular level. That aside, on Debian systems not too many packages are required beyond make and gcc with a small handful of other dependencies. They are not too difficult to track down, and all are available with apt-get. The install is easy: just untar the gzipped source tarball, change to the directory and run install.sh. To make things easy, go with the local install mode first so all the components end up on the same system. Go with the defaults for everything and the install should go pretty flawlessly. OSSEC installs to /var/ossec by default. Getting the application started presents a couple of challenges that are fairly easy to work around. Before starting OSSEC, the ownership of /var/ossec needs to be changed to the OSSEC user and group. Type in a quick "chown -R ossec:ossec /var/ossec". Change directory to /var/ossec/bin and then start OSSEC by typing in the command "./ossec-control start" without the quotes. Check the log file in /var/ossec/logs. The log file is ossec.log. You will probably see some errors about not being able to access files and directories. This can be fixed by setting the ownership on the /var/ossec directory again with "chown -R ossec:ossec /var/ossec". The previous command may have to be run one or two more times to ensure all newly created files in the /var/ossec directory get the right ownership. Check to make sure everything is running using "ps -ef".
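The check-the-log, re-chown, check-again loop above is easy to script. The following shell snippet is an added example and not part of the original post or of OSSEC itself: it counts the access errors in an ossec.log and only re-applies the ownership fix when there are some. The error wording it greps for and the sample log lines it builds are assumptions constructed for an offline run; point OSSEC_ROOT at your real install to use it.

```shell
#!/bin/sh
# Added example (not from the original post or from OSSEC): decide from
# ossec.log whether the "chown -R ossec:ossec /var/ossec" step needs to be
# repeated after the first start. OSSEC_ROOT defaults to the post's /var/ossec.
OSSEC_ROOT="${OSSEC_ROOT:-/var/ossec}"

# Count log lines saying an OSSEC process could not open a file or directory.
# The exact phrases are an assumption about ossec.log wording; adjust to taste.
ossec_perm_errors() {
    _log="$1"
    if [ ! -r "$_log" ]; then
        echo "cannot read $_log" >&2
        echo 0
        return 0
    fi
    # grep -c prints 0 and exits 1 when nothing matches; "|| true" keeps a
    # caller running under "set -e" from aborting on a clean log.
    grep -c -E 'Permission denied|Unable to access|Could not open' "$_log" || true
}

# Re-apply the ownership fix from the post only when the log shows errors.
fix_ossec_perms_if_needed() {
    _log="${1:-$OSSEC_ROOT/logs/ossec.log}"
    _n=$(ossec_perm_errors "$_log")
    if [ "$_n" -eq 0 ]; then
        echo "no access errors in $_log"
        return 0
    fi
    echo "$_n access error(s) in $_log; re-applying ownership on $OSSEC_ROOT"
    if [ -d "$OSSEC_ROOT" ]; then
        chown -R ossec:ossec "$OSSEC_ROOT"
    else
        echo "$OSSEC_ROOT not found; nothing changed" >&2
    fi
}

# Constructed sample ossec.log content (not real output) for an offline run:
# two of the four lines describe files the daemons could not access.
make_sample_log() {
    cat > "$1" <<'EOF'
2006/02/07 12:30:01 ossec-analysisd: INFO: Started (pid: 1234).
2006/02/07 12:30:01 ossec-logcollector: Could not open file '/var/log/auth.log'.
2006/02/07 12:30:02 ossec-syscheckd: Unable to access directory '/var/ossec/queue/syscheck': Permission denied.
2006/02/07 12:30:02 ossec-maild: INFO: Started (pid: 1237).
EOF
}

# Typical use after "./ossec-control start":
#   fix_ossec_perms_if_needed            # reads $OSSEC_ROOT/logs/ossec.log
# then stop/start OSSEC and run it again until it reports no access errors.
```

Run it once after each start; when it reports no access errors the ownership is settled and "ps -ef" should show all the ossec-* processes staying up.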
By default, Snort alerts may not be included in the configuration file. The configuration file is located at /var/ossec/etc/ossec.conf. You will see lines similar to this:
To get the Snort alert file into the picture, add in the following lines:
Make sure Snort is configured to log to the file /var/log/snort/alert with -A FULL, otherwise OSSEC might not pick up the entries correctly. Once these changes have been made, OSSEC should be stopped and started by issuing the following commands - "/var/ossec/bin/ossec-control stop" and "/var/ossec/bin/ossec-control start". Keep an eye on the ossec.log file in /var/ossec/logs for any permission errors or other errors.
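As an added example that is not from the original post, here is a small shell helper that checks whether ossec.conf already reads the Snort alert file and, if not, inserts a localfile entry for it before the closing tag. The localfile/log_format/location element names and the snort-full format are OSSEC's; the exact block inserted is my assumption about what the post's snippet looks like, and the minimal ossec.conf it builds is constructed for an offline run. The snort-full format pairs with Snort's -A FULL output that the post asks for.

```shell
#!/bin/sh
# Added example (not from the original post or from OSSEC): ensure ossec.conf
# has a <localfile> entry for Snort's full-format alert file. The inserted
# block is an assumption about OSSEC's localfile syntax (snort-full format).
OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"
SNORT_ALERT="${SNORT_ALERT:-/var/log/snort/alert}"

# Return 0 if the config already names the Snort alert file as a location.
has_snort_localfile() {
    grep -q "<location>$SNORT_ALERT</location>" "$1"
}

# Write $1 to $2 with a snort-full localfile block inserted just before the
# closing </ossec_config> tag (or copied unchanged if one is already there).
add_snort_localfile() {
    _conf="$1"; _out="$2"
    if has_snort_localfile "$_conf"; then
        cp "$_conf" "$_out"
        echo "snort localfile already present in $_conf"
        return 0
    fi
    awk -v loc="$SNORT_ALERT" '
        /<\/ossec_config>/ {
            print "  <localfile>"
            print "    <log_format>snort-full</log_format>"
            print "    <location>" loc "</location>"
            print "  </localfile>"
        }
        { print }
    ' "$_conf" > "$_out"
    echo "added snort-full localfile for $SNORT_ALERT to $_out"
}

# Constructed minimal ossec.conf (not a real default file) holding only a
# syslog localfile, so the helper can be exercised offline.
make_sample_conf() {
    cat > "$1" <<'EOF'
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>
</ossec_config>
EOF
}

# Typical use (write to a new file, inspect it, then move it into place and
# run "/var/ossec/bin/ossec-control stop" and "start"):
#   add_snort_localfile "$OSSEC_CONF" /tmp/ossec.conf.new
```

Writing to a separate output file and diffing it against the live ossec.conf before copying it over is the safer habit; a typo in that file stops every OSSEC component from starting, which is exactly what the ossec.log check in the post is there to catch.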
Assuming everything is running correctly, test OSSEC out. Try the logcheck component first by logging into the system with bad credentials or by running su with the wrong password. Alerts show up in the following directory - /var/ossec/logs/alerts/2006/Feb/* - where the year and month will change according to when you are trying this. If your email and email relay (if applicable) are working, you should also be receiving email alerts for the authentication failures. Next, test out the syscheck component by adding, deleting or modifying files in the locations covered by the ossec.conf file:
(The syscheck settings in ossec.conf, with their XML tags lost in extraction: "yes /etc,/usr/bin,/usr/sbin,/bin,/sbin queue /etc/mtab /etc/hosts.deny" - that is, the directories /etc, /usr/bin, /usr/sbin, /bin and /sbin are monitored, with /etc/mtab and /etc/hosts.deny among the ignored entries.)
Feel free to add in your own files and directories and restart the OSSEC daemon.
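To confirm the logcheck and syscheck tests above actually fired, it helps to summarize the alert file rather than eyeball it. The shell snippet below is an added example and not part of the original post or of OSSEC: it locates the current year/month alert directory the post describes, tallies alerts per rule, and counts those at or above a level. The alert records it builds are constructed sample data in the shape OSSEC writes (an "** Alert" header, a "Rule: id (level n) -> 'text'" line, then the triggering log line); the ids and texts shown are samples, and your own rules decide what appears in a real file.

```shell
#!/bin/sh
# Added example (not from the original post or from OSSEC): summarize an
# OSSEC alert file such as /var/ossec/logs/alerts/2006/Feb/ossec-alerts-07.log.
OSSEC_ROOT="${OSSEC_ROOT:-/var/ossec}"

# The post's alert layout is logs/alerts/<year>/<month abbrev>/; build today's.
alert_dir_for_today() {
    echo "$OSSEC_ROOT/logs/alerts/$(date +%Y)/$(date +%b)"
}

# Number of alert records in the file (each starts with "** Alert").
count_alerts() {
    grep -c '^\*\* Alert' "$1" || true
}

# One line per rule, "count<TAB>rule id<TAB>level<TAB>description",
# most frequent first. Parses lines like:
#   Rule: 5716 (level 5) -> 'SSHD authentication failed.'
summarize_alerts() {
    awk -v q="'" '
        /^Rule: / {
            id = $2
            lvl = $4; sub(/\)/, "", lvl)
            desc = $0; sub(/^.*-> /, "", desc); gsub(q, "", desc)
            n[id "\t" lvl "\t" desc]++
        }
        END { for (k in n) print n[k] "\t" k }
    ' "$1" | sort -rn
}

# Count alerts whose level is >= $2 (e.g. 7 catches the syscheck changes,
# while the failed logins in the sample sit at level 5).
alerts_at_or_above() {
    awk -v min="$2" '
        /^Rule: / { l = $4; sub(/\)/, "", l); if (l + 0 >= min + 0) c++ }
        END { print c + 0 }
    ' "$1"
}

# Constructed sample alert file (not real output): two failed SSH logins,
# one modified, one added and one deleted file from a syscheck run.
make_sample_alerts() {
    cat > "$1" <<'EOF'
** Alert 1139340823.0: mail  - syslog,authentication_failed,
2006 Feb 07 12:33:43 debian->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
User: root
Feb  7 12:33:42 debian sshd[2211]: Failed password for root from 192.0.2.10 port 40122 ssh2

** Alert 1139340851.1: mail  - syslog,authentication_failed,
2006 Feb 07 12:34:11 debian->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
User: root
Feb  7 12:34:10 debian sshd[2230]: Failed password for root from 192.0.2.10 port 40130 ssh2

** Alert 1139341020.2: mail  - ossec,syscheck,
2006 Feb 07 12:37:00 debian->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts.allow'

** Alert 1139341020.3: - ossec,syscheck,
2006 Feb 07 12:37:00 debian->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file '/etc/syscheck-test-file' added to the file system.

** Alert 1139341020.4: mail  - ossec,syscheck,
2006 Feb 07 12:37:00 debian->syscheck
Rule: 553 (level 7) -> 'File deleted. Unable to retrieve checksum.'
File '/etc/old-test-file' was deleted. Unable to retrieve checksum.
EOF
}

# Typical use against today's alerts:
#   for f in "$(alert_dir_for_today)"/*; do summarize_alerts "$f"; done
```

Comparing the per-rule counts with the number of bad logins and file changes you deliberately made is the quickest way to spot a log file that OSSEC is not actually reading, or a directory that syscheck is not covering, before relying on the email alerts.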
If Snort is already running, you can test that out by running scans from another host, or even from the host you are on.
I will post later covering the server agent model and different platforms.