After testing several HIDS like samhain, osiris i decided to give OSSEC a try. BTW, what the heck is OSSEC?
OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting and active response. The reason i pick OSSEC not samhain or osiris, because of it's simplicity.
Ossec is a client-server solution. So u need a server and clients. My server run on FreeBSD and clients run on windows/Linux/Solaris/Bsd. The installation process is very straight forward, so please visit
here.For monitoring purpose, i use ossec-wui, a web based interface for alerting. Installation also very straight forward, except that, i cant view alert from ossec logs file. I already add apache user into ossec group (edit /etc/group), but the result still the same. From Ossec mailing list, one of the guy pointed out that os_lib_alerts.php does not return the right user group. For solution, i need to comment that line.
/* Getting group information */ $evt_group = strstr($buffer, "-"); if($evt_group === FALSE) { /* Invalid group */ continue; => comment this line }
So, now my ossec-wui work like a charm. Heres the screenshot.
Further googling show that, i need to upgrade my OSSEC from 0.93 to 1.0 in order to overcome this problem. Without very much hesitation, i download the latest version and run ./setup.sh . Thats it . Job done for today.
