HOST-BASED INTRUSION DETECTION USING OSSEC

What is Ossec:

It claims to be the world’s most widely used open-source host-based intrusion detection system, or HIDS for short. It performs log analysis, file integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response. It is made up of two parts: the Ossec server and the Ossec agent. The Ossec server monitors the other hosts, which run the Ossec agent. An agent can be added to the Ossec server for monitoring, or removed from it, at any time; for that, the connection between server and agent needs to be established, which we will be discussing. Ossec also provides a web interface that shows all alerts, logs, and agent information.

Possible intrusion scenarios that you might face on your servers:

1) An attacker launched a brute-force attack against your machine. Now you need to track him, and for that you need his IP address. First, on your Ossec server, run:

cat /var/ossec/logs/alerts/alerts.log

There you will find the Source IP listed against the alert for the SSH insecure connection attempt rule. Secondly, we can get it from a UI-based alert.
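As an added example (not from the original post), the following Python script parses the alerts.log layout that the cat command above prints and tallies sshd-related alerts per source IP, optionally filtered by rule level, so a single scan or a sustained brute-force attempt shows up as a count instead of a wall of text. The sample alerts, hostnames, addresses and rule numbers are constructed to mimic the OSSEC alert format, not taken from a real capture.

```python
import re
from collections import Counter

# Constructed sample in the layout of /var/ossec/logs/alerts/alerts.log (one alert per block,
# blocks separated by a blank line); it is not a real capture.
SAMPLE_ALERTS = """\
** Alert 1700000000.1234: - syslog,sshd,
2023 Nov 14 22:13:20 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5706 (level 6) -> 'SSH insecure connection attempt (scan).'
Src IP: 203.0.113.7
Nov 14 22:13:20 web01 sshd[2211]: Did not receive identification string from 203.0.113.7

** Alert 1700000100.1400: - syslog,sshd,authentication_failures,
2023 Nov 14 22:15:00 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 203.0.113.7
Nov 14 22:15:00 web01 sshd[2230]: Failed password for root from 203.0.113.7 port 51040 ssh2

** Alert 1700000200.1500: - syslog,sshd,authentication_failed,
2023 Nov 14 22:16:40 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 198.51.100.9
Nov 14 22:16:40 web01 sshd[2240]: Failed password for admin from 198.51.100.9 port 40022 ssh2
"""

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
SRC_RE = re.compile(r"^Src IP: (\S+)$")

def parse_alerts(text):
    """Turn alerts.log text into one dict per alert block."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if not lines or not lines[0].startswith("** Alert"):
            continue
        # The header line ends with the comma-separated rule groups, e.g. "syslog,sshd,".
        groups = lines[0].split("- ", 1)[1].strip(",").split(",")
        alert = {"groups": groups, "rule": None, "level": 0, "src_ip": None}
        for line in lines[1:]:
            if m := RULE_RE.match(line):
                alert["rule"], alert["level"] = int(m.group(1)), int(m.group(2))
            elif m := SRC_RE.match(line):
                alert["src_ip"] = m.group(1)
        alerts.append(alert)
    return alerts

def ssh_sources(text, min_level=0):
    """Count sshd-group alerts per source IP, keeping only alerts at or above min_level."""
    return Counter(a["src_ip"] for a in parse_alerts(text)
                   if "sshd" in a["groups"] and a["src_ip"] and a["level"] >= min_level)
```

On a real server, read the file instead of the sample, e.g. `ssh_sources(open("/var/ossec/logs/alerts/alerts.log").read(), min_level=10)`, to list only the sources that triggered high-level rules.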
