By Rory Bray, Daniel Cid and Andrew Hay
Service provider takeaway: Open Source Security (OSSEC) is a widely used host-based intrusion detection system (HIDS) that detects unauthorized activity on an individual computer. This section of the chapter excerpt from the book OSSEC Host-Based Intrusion Detection Guide covers installing the OSSEC HIDS Windows agent.
As you have already seen, performing the local, server, and agent installations on Unix-based operating systems is similar and relatively easy. The Windows installation, however, is different. This is because Windows environments do not typically have development tools included. Even when these tools are available, they often require more preparation before use compared with Unix and Linux systems.
Because of these issues, the Windows agent comes precompiled and packaged in a graphical installation wizard. The text menu procedure seen with the other installations is replaced with GUI screens. Similarly, after the software is installed, a GUI version of the manage_agents utility (the Agent Manager) is used to enter the server address and the agent key.
Begin by running the installation executable, ossec-agent-win32-1.4.exe, to open the wizard (Figure 2.1). Click Next to start the installation.
Review the license agreement and then click I Agree to continue (Figure 2.2).
Choose the components you want to install, and click Next (Figure 2.3).
Accept the default installation folder, or click Browse to specify a new location. Click Install to continue (Figure 2.4).
Because this is an agent installation, there are very few questions to answer. Apart from choosing the installation folder in Figure 2.4 and importing the agent key in Figures 2.5 through 2.9, the installation on Windows is very simple.
When the files have been copied, the installer opens the Agent Manager (Figure 2.5), which needs two values: the IP address of the OSSEC HIDS server and the authentication key that the server generated for this agent. The key lives only on the server, so you must connect to the server over SSH, extract the key for this agent with manage_agents, and then paste it into the Authentication key field.
PuTTY is an ideal SSH client and is shown in Figure 2.6. In the Host Name field, type the IP address or hostname of your OSSEC HIDS server and then click Open. If this is your first time connecting to the server from this Windows host, PuTTY asks you to accept the server's SSH host key. Before accepting, compare the fingerprint it displays with the fingerprint you obtained from the server out of band (for example, at the console); this prompt is your only protection against a man-in-the-middle on the first connection, and the agent key you are about to copy is a shared secret. Accept the server identity, log in to the server, and then execute the manage_agents utility.
Enter E to extract the agent key for the current Windows host (Figure 2.7).
In this case, the host is mercury, which has ID 002. Enter 002, select the key text that manage_agents prints, and copy it to the clipboard (Figure 2.8). Take care to select the key for the host you are installing on; every agent has its own key, and a key copied for the wrong ID will not be accepted by the server for this host.
Now return to the OSSEC HIDS installer.
Type the OSSEC HIDS server IP address and paste the agent key information into the appropriate fields. Click Save (Figure 2.9).
You are asked to confirm the values by clicking OK. After the values have been confirmed, exit the Agent Manager by clicking the X at the top-right corner of the window (Figure 2.10).
The installer asks if you want to start OSSEC HIDS; click OK (Figure 2.11).
The Windows agent is now installed and running. To confirm that the agent is connected to the server, look at the agent's log, ossec.log, in the installation folder. In Figure 2.12, the two messages Connecting to server and Connected to server confirm that the agent key was imported correctly and that the agent can reach the server on UDP port 1514. If the log shows only repeated Connecting to server messages, check that the server IP address you entered is correct, that UDP port 1514 is open on the server and on any firewall between the two hosts, and that the key you pasted is the one extracted for this agent's ID. The Windows agent is successfully installed and communicating with the server.
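As an added example (not code from the book or from OSSEC itself), the following shell script, meant to be run on the OSSEC HIDS server, reproduces the key string that the E option of manage_agents prints and adds the check a practitioner wants before pasting it into the Agent Manager: decode the string and confirm that it really belongs to the host being installed. It assumes that the exported key is the base64 encoding of the agent's line in /var/ossec/etc/client.keys, whose layout is "<id> <name> <ip> <key>"; the client.keys contents and host names below are constructed for the demonstration and are not real keys.

```shell
#!/bin/sh
# Added example (not from the book or OSSEC): reproduce the key export that
# manage_agents' "E" option performs and sanity-check a key before pasting it.
# Assumption: the exported key is the base64 encoding of the agent's line in
# /var/ossec/etc/client.keys, which has the layout "<id> <name> <ip> <key>".

# Constructed sample of a client.keys file (these are not real agent keys).
SAMPLE_KEYS='001 venus 192.168.10.11 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
002 mercury 192.168.10.12 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210'

# export_agent_key NAME [KEYS_FILE]
# Print the string to paste into the installer's Authentication key field for
# the agent called NAME. KEYS_FILE defaults to the server's client.keys.
export_agent_key() {
    name="$1"
    keys="${2:-/var/ossec/etc/client.keys}"
    line=$(awk -v n="$name" '$2 == n { print; exit }' "$keys")
    if [ -z "$line" ]; then
        echo "no agent named '$name' in $keys" >&2
        return 1
    fi
    # base64 wraps long output at 76 columns; the installer wants one line.
    printf '%s' "$line" | base64 | tr -d '\n'
}

# verify_agent_key B64 EXPECTED_NAME
# Decode a pasted key and confirm it belongs to the host being installed,
# which guards against copying the wrong agent's key out of manage_agents.
# Prints "<id> <name> <ip>" on success (the secret itself is not echoed).
verify_agent_key() {
    b64="$1"
    expected="$2"
    decoded=$(printf '%s' "$b64" | base64 -d 2>/dev/null) || {
        echo "not a valid base64 agent key" >&2
        return 1
    }
    set -- $decoded
    if [ "$#" -ne 4 ]; then
        echo "decoded key does not have the id/name/ip/key layout" >&2
        return 1
    fi
    if [ "$2" != "$expected" ]; then
        echo "key belongs to agent '$2' (id $1), not '$expected'" >&2
        return 1
    fi
    printf '%s %s %s\n' "$1" "$2" "$3"
}

# Demo against the constructed file; on the real server omit the second
# argument so the default client.keys is read.
KEYS_FILE=$(mktemp)
trap 'rm -f "$KEYS_FILE"' EXIT
printf '%s\n' "$SAMPLE_KEYS" > "$KEYS_FILE"

KEY=$(export_agent_key mercury "$KEYS_FILE")
echo "Key to paste for mercury: $KEY"
verify_agent_key "$KEY" mercury          # prints: 002 mercury 192.168.10.12
verify_agent_key "$KEY" venus || echo "(mismatch correctly rejected)"
```

The decoded line contains the agent's secret in clear text, so treat the exported string exactly as you would the client.keys file: move it only over the SSH session, and clear the clipboard after pasting it into the Agent Manager.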
OSSEC Host-Based Intrusion Detection Guide
Downloading OSSEC HIDS
Performing local installation
Performing server agent installations
Installing the Windows agent
Streamlining the installations
Summary and FAQs
About the book
OSSEC Host-Based Intrusion Detection Guide is specifically devoted to Open Source Security (OSSEC) and is a comprehensive and exhaustive guide to the often complicated procedures of installing and implementing such intrusion detection software. Purchase the book from Syngress Publishing.
Printed with permission from Syngress, a division of Elsevier. Copyright 2008. "OSSEC Host-Based Intrusion Detection Guide" by Rory Bray, Daniel Cid and Andrew Hay. For more information about this title and other similar books, please visit www.elsevierdirect.com.
This was first published in August 2008