Deploying OSSEC for Host-based Intrusion Detection
OSSEC provides host-based intrusion detection; the script below installs it and configures it for monitoring a web server:
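#!/usr/bin/env bash
# Install OSSEC 3.6.0 from source, write a web-server ossec.conf (file
# integrity checks, rootkit checks, Apache/nginx/auth log collection and
# firewall-drop active response), add local web-attack rules and start OSSEC.
# Runs as an unprivileged user with sudo; ./install.sh itself is interactive.
set -euo pipefail

OSSEC_VERSION="3.6.0"
TARBALL="${OSSEC_VERSION}.tar.gz"
# PLACEHOLDER: set this to the SHA-256 published for the release (from the
# project's release page or a signed release) before running. The script
# deliberately stops at the checksum step while the placeholder is in place.
OSSEC_TARBALL_SHA256="<REPLACE_WITH_SHA256_FROM_TRUSTED_SOURCE>"

# Install OSSEC -- verify the download before unpacking and executing it
wget "https://github.com/ossec/ossec-hids/archive/${TARBALL}"
echo "${OSSEC_TARBALL_SHA256}  ${TARBALL}" | sha256sum -c -
tar -xzf "${TARBALL}"
cd "ossec-hids-${OSSEC_VERSION}"
sudo ./install.sh
cd ..

# Configure OSSEC for web server monitoring.
# `sudo cat > file` does not work: the redirection is opened by the
# unprivileged shell, so `sudo tee` is used instead. The heredoc is left
# unquoted so that $(hostname) expands; it contains no other $ or backslash
# sequences. Because the installer's config is replaced wholesale, the
# <rules> include list and the firewall-drop <command> definition that the
# <active-response> block depends on are restated here. The previous file is
# kept as a timestamped backup.
sudo cp -a /var/ossec/etc/ossec.conf "/var/ossec/etc/ossec.conf.$(date +%Y%m%d%H%M%S).bak"
sudo tee /var/ossec/etc/ossec.conf > /dev/null << EOF
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <!-- replace with the mailbox that should receive alerts -->
    <email_to>[email protected]</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>ossec@$(hostname)</email_from>
  </global>

  <rules>
    <!-- Only files listed here are loaded. The 311xx web rules that
         web_attacks.xml uses as parents (31101, 31108) live in
         web_rules.xml, so it must come before web_attacks.xml. -->
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>web_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>nginx_rules.xml</include>
    <include>attack_rules.xml</include>
    <include>web_attacks.xml</include>
    <include>local_rules.xml</include>
  </rules>

  <syscheck>
    <!-- full scan every two hours -->
    <frequency>7200</frequency>
    <directories check_all="yes" report_changes="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" report_changes="yes">/var/www</directories>
    <directories check_all="yes" report_changes="yes">/etc/apache2,/etc/nginx</directories>
    <ignore>/var/log</ignore>
    <ignore>/var/cache</ignore>
    <!-- report_changes keeps diffs of changed files in the OSSEC queue;
         keep private keys and password hashes out of that store and out
         of e-mailed alerts. -->
    <nodiff>/etc/ssl/private</nodiff>
    <nodiff>/etc/shadow</nodiff>
    <nodiff>/etc/gshadow</nodiff>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <apps_audit>/var/ossec/etc/shared/apps_audit_rcl.txt</apps_audit>
  </rootcheck>

  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/error.log</location>
  </localfile>
  <localfile>
    <log_format>nginx</log_format>
    <location>/var/log/nginx/access.log</location>
  </localfile>
  <localfile>
    <log_format>nginx</log_format>
    <location>/var/log/nginx/error.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <!-- Command referenced by the active-response block below; it is part of
       the installer's default config and is lost when that file is replaced. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Level 10 means a single alert from custom rules 100001 or 100005
       drops the source address for 600 s. Clients behind a shared NAT or
       proxy are blocked together; review /var/ossec/logs/alerts/alerts.log
       for false positives before relying on this in production. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
EOF

# Custom OSSEC rules for web servers.
# The heredoc is deliberately left unquoted, as in the original: the `\\` in
# rule 100003 is therefore written to the file as a single backslash, and
# no $ or backtick appears in the content.
sudo tee /var/ossec/rules/web_attacks.xml > /dev/null << EOF
<group name="web_attacks">
  <!-- SQL Injection attempts -->
  <rule id="100001" level="10">
    <if_sid>31101,31108</if_sid>
    <match>union select|concat(|information_schema</match>
    <description>SQL Injection attempt detected</description>
    <group>attack,sql_injection</group>
  </rule>

  <!-- XSS attempts -->
  <rule id="100002" level="8">
    <if_sid>31101,31108</if_sid>
    <match>script>|javascript:|onerror=|onload=</match>
    <description>XSS attempt detected</description>
    <group>attack,xss</group>
  </rule>

  <!-- Directory traversal -->
  <rule id="100003" level="8">
    <if_sid>31101,31108</if_sid>
    <match>../|..\\|%2e%2e</match>
    <description>Directory traversal attempt</description>
    <group>attack,directory_traversal</group>
  </rule>

  <!-- Repeated 404s (scanning): ten child alerts of 31101 from one source
       within 60 s. Confirm 31101 is the 4xx rule in the installed
       web_rules.xml before tuning the threshold. -->
  <rule id="100004" level="7" frequency="10" timeframe="60">
    <if_matched_sid>31101</if_matched_sid>
    <same_source_ip />
    <description>Multiple 404 errors - possible scanning</description>
    <group>recon,scan</group>
  </rule>

  <!-- Brute force login attempts. The regex matches the raw log line and
       carries no status code, so successful logins count towards the six
       POSTs as well; expect noise from busy legitimate clients. -->
  <rule id="100005" level="10" frequency="6" timeframe="120">
    <if_matched_regex>POST.*(login|signin|authenticate)</if_matched_regex>
    <same_source_ip />
    <description>Multiple login attempts - possible brute force</description>
    <group>authentication_failed,brute_force</group>
  </rule>
</group>
EOF

# Start OSSEC
sudo /var/ossec/bin/ossec-control start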