I learned about IDS at network class but doesn’t have a chance to try. Like people knows,there are two types of IDS; Host Based IDS and Network Based IDS. The IDS type I try out is the former type.
Since I am working on browser forensic, the first experiment is to know how the browser changes the file integrity for different stages and where the changes happen to the host machine. This is not the only functionalities of OSSEC. It can do more than file intrgrity checking.
For more information about OSSEC functionalites: OSSEC Feature
OSSEC can works in two modes: agent or agentless. It depends on what you wanna do. If you want a centralized server to monitor the rest of the machines in the network, the manager-agent mode is recommended. Agentless mode is to monitor one machine,which can’t install agent program, without the monitoring server.(however,there is no binary file for windows OS for that mode.)
About internalarchitecture: OSSEC Log Analysis/Inspection Architecture
Installation is quite straightforward and easy to follow. The first step is setup OSSEC manager to centralized server.
After that, install the agent progam to the servers you want to monitor. The exact provess will be varied upon the operating systems you are working on and your objective of installing OSSEC.
For more information: OSSEC Installation manual
For my setup, I installed OSSEC-HIDS on a Ubuntu machine and create a guestOS as a TEST-Server.This is the general information about the setup.
- make a guest-OS,windows 8 on virtualbox
- Host machine: Ubuntu 12.04 LTS
- RAM Share: 1024 MB
- HD: dynamic allocation up to 15GB
For my experience, there are some tips I can give at this point:
Check your log at both manager and agent to see what going on. Make sure the firewall and iptables configuration to allow the port and ip-address of the both parties(to communicate). If you have no idea how or what, you should not be reading this.
No. This book can make you know more about OSSEC: OSSEC Host-Based Intrusion Detection Guide