PerezBox

Tony Perez On Security, Business, And Life

emailstandard post icon

OSSEC: Stop Agent Email Notifications from Being Grouped

Published in Security on

This a quick post, for those of you that manage multiple agents under your manager, there might be instances where your email notifications will group different agent notifications together.

This has to do with two things:

  1. Number of emails sent in an hour
  2. Grouping setting is On

Default Max Emails

By default, OSSEC has a max email setting in their configuration, when it reaches the max, it will then group and email all remaining emails. In this instance, it bundles them all together, which leads to different messages from different agents being bundled.

Read More

Securitystandard post icon

OSSEC – Detecting New Files – Understanding How it Works

Published in Security on

I recently saw some discussion in the OSSEC distribution list of someone having an issue with getting OSSEC syscheck to work right in real-time. It reminded me of a similar issue I had with my own configuration and others I have read about, so I figured I’d write something to shed light on how OSSEC’s syscheck works in real-time. Thanks ofcourse to Dani for the assist.

Syscheck – Integrity Checking Daemon

If you’re familiar with OSSEC, then you know syscheck, if you’re not then this section will get you caught up – I hope.

Syscheck is the integrity checking daemon within OSSEC. It’s purpose is simple, identify and report on changes within the system files. The way it works is simple, when you first install OSSEC it runs an initial syscheck scan, this scan will go through and capture the check sum of every file on the system (every file you have identified in your configuration file – /var/ossec/etc/ossec.conf). Once the baseline is set, syscheck is able to perform change detection by comparing all the checksums on each scan. If it’s not a 1 for 1 match, it reports it as a change. If new files are added, it identifies it as new, and reports it.

Simple, right? Right…

Read More

Secure Webstandard post icon

OSSEC – Error: PostgreSQL client libraries not installed.

Published in Security on

I was playing with OSSEC HIDS this afternoon and trying to get it configured to work with MySQL and when I was running make on the DB setup I was getting this error:

Error: PostgreSQL client libraries not installed.

I was a bit frustrated with it, it seems as it if requires both MySQL and PostgreSQL to be installed to finish compiling. To get around this just install PostgreSQL that seems to do the trick.

Read More

Electronic Security Strategystandard post icon

OSSEC For Website Security: Part I

Published in Security on

OSSEC HIDS is my preferred host-based intrusion detection system (HIDS). I have to admit I am a bit partial to it because my good friend Daniel Cid built it and sold it to Trend Micro / Third Brigade back in 2008. I have what many don’t have, that’s the ability to pester Daniel until he tells me and guides through all my issues. In the process I have learned a number of things and made some very interesting observations about the product, here is where I will be sharing them.

Being that my focus is on website security my employment and utilization of the product will be as such. I won’t talk much to the configuration and monitoring of large scale enterprises, but will likely get into large n-tier implementations of web enterprises. This could include the utilization of load balancers, web servers and database servers, and possibly some storage devices. Pretty straight forward stuff.

Read More

Website Serversstandard post icon

OSSEC Agent to Server Connection Issues

Published in Security on

So naturally, as of late, I have found myself doing more than I probably need to on my servers and in the process causing more headaches then required. One of those issues has been with the communication between my agents and the mother-ship (command control) server with my OSSEC installs. For more details information, be sure to check out the OSSEC Host-Based Intrusion Detection Guide by Daniel.

The first thing to understand is how to check the status of your agents and easiest way to do that is running the following on the server install (my mothership):

# /var/ossec/bin/agent_control -lc

This will list out all your agents and if they are active it’ll read Active. If they are inactive, they don’t read inactive unfortunately, they just don’t show up.

Read More