Updating your ruleset automatically

The ruleset is one of the most important parts of OSSEC. Thanks to the ruleset, OSSEC is able to detect attacks, intrusions, software misuse, configuration problems, application errors, malware, rootkits, etc.

At this time, there are two ways to update the ruleset: wait for a new OSSEC release or review the official repository for new rules, decoders and rootchecks. Wazuh is very aware of this, so we work every day to improve it by updating out-of-the-box rules provided by OSSEC and including new ones. All these changes are published in our repository of rules. I encourage you to visit […]

By |April 25th, 2016|0 Comments

File Integrity Monitoring and Wazuh RESTful API

The goal of this article is to explain how to set up a basic configuration of FIM (File Integrity Monitoring) using the syscheck component in OSSEC. After that, we will check the files being monitored using the Wazuh RESTful API.

Prerequisites

  • Wazuh HIDS v1.1
  • Wazuh RESTful API v1.2

Configure FIM in a Windows Agent

The syscheck daemon is the main process used for FIM in OSSEC; however, we will need to change some of its options in order to configure it.

On the OSSEC agent (your Windows host), open the file ossec.conf, usually located in the default installation folder C:\Program Files (x86)\ossec-agent, look for the section, then add the files […]

By |April 15th, 2016|1 Comment

Root user access monitoring with OSSEC

OSSEC can be used to monitor whether the SSH configuration file allows root user access. In this particular case, we show how to use OSSEC to check that this file is configured NOT to allow root user login. If it turns out to be the contrary, we will see that an alert will be triggered.

OSSEC uses its rootcheck component to verify that the system configuration is set up as expected. This capability, known as policy monitoring, is very useful when monitoring a large number of hosts that need to be configured according to a baseline or a security policy, for instance CIS hardening guidelines or PCI DSS.

[…]

By |April 11th, 2016|0 Comments