OSSEC

12/9/2024

OSSEC is an open source host-based intrusion detection system (HIDS) that runs on most operating systems. It performs log analysis, file integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response.

OSSEC is simple to install and configure, so I will not provide a step-by-step installation guide; instead, here are the links to the installer and to the configuration documentation.

Here is their GitHub page:

https://github.com/ossec/ossec-hids

Configuration and agent management are all covered in the documentation:

https://www.ossec.net/docs/

Some other good resources are this book and this blog:

OSSEC Host-Based Intrusion Detection Guide

By Rory Bray, Daniel Cid, Andrew Hay

Wazuh:

https://documentation.wazuh.com/2.0/user-manual/ruleset/getting-started.html

After a successful installation on Windows, you can find it under All Programs in the Start menu:

![ossec](https://rootedinkent.us/content/images/2018/08/ossec.jpg)
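Before the real alert, here is how OSSEC's log analysis arrives at it. A decoder pulls fields (rhost, user) out of each pam_unix line, a base rule fires on every single failure, and a composite rule fires at a higher level once the base rule has matched several times from the same source inside a time window. The Python script below is an added example written for this post, not OSSEC's own code: it replays that two-stage logic over constructed log lines in the same format as the alert further down. Rule 5551, its level and its description are taken from that alert; the level-5 base rule id 5503, the threshold of 6 failures and the 360-second window are assumptions modelled on OSSEC's pam ruleset (check pam_rules.xml on your install for the real values).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input (not captured from a real system): pam_unix lines in the
# same format as the alert below, with six failures from one host within ten seconds,
# one failure from another host, one unrelated line, and a late failure from the
# first host that falls outside the window.
SAMPLE_LOG = """\
Aug  9 01:06:18 ossectest sshd[12330]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cago.testlab.com user=gandolf
Aug  9 01:06:20 ossectest sshd[12331]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cago.testlab.com user=gandolf
Aug  9 01:06:21 ossectest sshd[12332]: Accepted publickey for backup from 10.0.0.5 port 51422 ssh2
Aug  9 01:06:22 ossectest sshd[12333]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cago.testlab.com user=gandolf
Aug  9 01:06:23 ossectest sshd[12334]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=other.testlab.com user=root
Aug  9 01:06:24 ossectest sshd[12335]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cago.testlab.com user=gandolf
Aug  9 01:06:26 ossectest sshd[12336]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cago.testlab.com user=gandolf
Aug  9 01:06:27 ossectest sshd[12337]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cago.testlab.com user=gandolf
Aug  9 01:20:00 ossectest sshd[12400]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cago.testlab.com user=gandolf
"""

# The "decoder": a syslog header followed by a pam_unix authentication failure.
PAM_FAILURE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>\w+)\[\d+\]: "
    r"pam_unix\((?P<service>[^)]+)\): authentication failure;.*\brhost=(?P<rhost>\S*)"
    r".*\buser=\s*(?P<user>\S*)$"
)

# Base rule id and level are assumptions modelled on OSSEC's pam_rules.xml.
BASE_RULE = {"rule": 5503, "level": 5, "description": "User login failed."}


def parse_pam_failure(line, year=2018):
    """Decode one line; return its fields, or None when no decoder/rule matches."""
    m = PAM_FAILURE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so one is supplied (2018 matches the alert below)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "service": m["service"],
            "rhost": m["rhost"], "user": m["user"], "log": line}


class FrequencyRule:
    """Composite rule: fire when the base rule has matched `frequency` times from the
    same source (rhost) within `timeframe` seconds, the shape of OSSEC's
    frequency/timeframe/same_source_ip attributes."""

    def __init__(self, rule_id, level, description, frequency, timeframe):
        self.rule_id, self.level, self.description = rule_id, level, description
        self.frequency, self.timeframe = frequency, timeframe
        self.recent = defaultdict(deque)  # rhost -> matched events, oldest first

    def feed(self, event):
        q = self.recent[event["rhost"]]
        q.append(event)
        # discard matches that have aged out of the window relative to this event
        while (event["ts"] - q[0]["ts"]).total_seconds() > self.timeframe:
            q.popleft()
        if len(q) >= self.frequency:
            logs = [e["log"] for e in q]
            q.clear()  # reset so one burst yields one alert, not one per extra failure
            return {"rule": self.rule_id, "level": self.level,
                    "description": self.description, "rhost": event["rhost"], "logs": logs}
        return None


def analyze(log_text, frequency=6, timeframe=360):
    """Run the two-stage analysis over syslog text and return every alert in order."""
    rule = FrequencyRule(5551, 10, "Multiple failed logins in a small period of time.",
                         frequency, timeframe)
    alerts = []
    for line in log_text.splitlines():
        event = parse_pam_failure(line)
        if event is None:
            continue
        alerts.append({**BASE_RULE, "rhost": event["rhost"], "logs": [event["log"]]})
        fired = rule.feed(event)
        if fired:
            alerts.append(fired)
    return alerts


def format_alert(alert, agent="ossectest", location="/var/log/secure"):
    """Render an alert in the notification layout shown below (assumed layout)."""
    return (f"OSSEC HIDS Notification.\nReceived From: {agent}->{location}\n"
            f"Rule: {alert['rule']} fired (level {alert['level']}) -> \"{alert['description']}\"\n"
            "Portion of the log(s):\n\n" + "\n".join(alert["logs"]))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        if alert["level"] >= 10:  # like email_alert_level in ossec.conf: report only the summary
            print(format_alert(alert))
```

Run it and only the single level-10 summary for cago.testlab.com is printed, with all six matched lines attached; the eight level-5 base alerts stay in the returned list the way they stay in alerts.log. Lowering `frequency` splits the same burst into more than one alert, and shrinking `timeframe` makes the early failures age out before the count is reached, which is exactly the tuning those two attributes give you in a real OSSEC rule.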

Sample alert

```
OSSEC HIDS Notification.
2018 Aug 09 01:06:22

Received From: ossectest->/var/log/secure
Rule: 5551 fired (level 10) -> "Multiple failed logins in a small period of time."
Portion of the log(s):

Aug 9 01:06:18 ossectest sshd[12330]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cago.testlab.com user= gandolf
Aug 9 01:06:20 ossectest sshd[12331]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cago.testlab.com user= gandolf
```