
#OSSEC-VM 2.8.1 install on #ESX5.1i Notes 1

Need to hardcode an IP address

I just used the network config GUI

Install vmware tools

Follow the steps here: http://www.shellhacks.com/en/HowTo-Install-VMware-Tools-on-CentOS-RHEL

Installed this for grins so I can right click and check the checksums

http://code.kliu.org/hashcheck/

Ok, install the windows HIDS agent

Use putty to connect to the OSSEC vm, log in, and then execute /var/ossec/bin/manage_agents

Enter E to extract the agent key

...except it only let me in once... and now I think it's denying me access 🙂

To fix (from http://www.ossec.net/?p=685)

OK, I figured out what is going on. We ship the OSSEC virtual appliance with no default SSH keys in /etc/sshd/. When you attempt to log in via SSH for the first time after booting the appliance, OSSEC rule 40101 will kick in, which causes iptables to address the IP address from which you are logging in, which is what you observed. The quick cure for this is to do the following:

1. sudo iptables --flush
2. service iptables stop

After doing this you'll be able to log in again, because by this time the default SSH keys have been created and iptables will remain disabled.
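Before flushing the whole firewall it is worth knowing which addresses the active response actually dropped, and for which rule. This is an added example, not from the post or the OSSEC project: it reads the action log that OSSEC's firewall-drop response appends to (assumed path /var/ossec/logs/active-responses.log, assumed line layout "date script add|delete - srcip alert_id rule_id") and lists the IPs that were added and never deleted. The sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not OSSEC's own tooling). Lists source IPs still blocked by
# the firewall-drop active response, according to active-responses.log.

# Constructed sample in the assumed log layout:
#   <date> <script> <add|delete> - <srcip> <alert_id> <rule_id>
# 192.0.2.10 was dropped on the first SSH login (rule 40101), 192.0.2.20 was
# dropped and later released, 198.51.100.5 is still dropped by rule 5712.
make_sample_log() {
    cat <<'EOF'
Tue Nov 11 09:00:01 CST 2014 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.10 1415718001.1 40101
Tue Nov 11 09:02:10 CST 2014 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.20 1415718130.2 5712
Tue Nov 11 09:12:10 CST 2014 /var/ossec/active-response/bin/firewall-drop.sh delete - 192.0.2.20 1415718130.2 5712
Tue Nov 11 09:15:44 CST 2014 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.5 1415718944.3 5712
EOF
}

# still_blocked LOGFILE: prints "srcip rule_id" for every IP whose latest
# firewall-drop action is "add" (i.e. no later "delete" released it).
still_blocked() {
    awk '
        {
            act = ""
            # locate the "add - ip" / "delete - ip" triple wherever it sits
            for (i = 2; i < NF; i++)
                if ($i == "-" && ($(i-1) == "add" || $(i-1) == "delete")) {
                    act = $(i-1); ip = $(i+1); rule = $NF; break
                }
        }
        act == "add"    { blocked[ip] = rule }
        act == "delete" { delete blocked[ip] }
        END { for (ip in blocked) print ip, blocked[ip] }
    ' "$1" | sort
}

# Usage: ./still_blocked.sh [/var/ossec/logs/active-responses.log]
# With no argument the constructed sample is used.
if [ "$#" -eq 0 ]; then
    tmp=$(mktemp)
    make_sample_log > "$tmp"
    still_blocked "$tmp"
    rm -f "$tmp"
else
    still_blocked "$1"
fi
```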

Ok, so back to running /var/ossec/bin/manage_agents

Press A to add an agent, then enter the computer name and IP

Press E to extract the agent key (it's a big one)

Copy that into the Windows agent

Q to quit, don’t forget to RESTART OSSEC

/var/ossec/bin/ossec-control restart

Save (Windows agent)

Start agent.

Check the logs; you are looking for "Connected to the server"

I’m reading more here about what to do next

https://blog.savoirfairelinux.com/wp-content/uploads/2014/03/SFL-ED01-OSSec-the-quick-and-dirty-way-140326-01.pdf

Hmm, I was also getting a bunch of logon/logoff events, so I followed this:

https://www.alienvault.com/forums/discussion/1058/ossec-collecting-too-many-windows-logon-events

You can modify the level for these rules to 0. In this way ossec will not generate an alert when one of these events comes to the sensor, and ossim-agent will not process them.
The rules are in the /var/ossec/rules/msauth/msauth_rules.xml file and you will need to restart ossec to apply this change. Although an update could overwrite it.