
Deploying HIDS Client to Windows Hosts


Copyright© 2014 AlienVault. All rights reserved.

AlienVault Unified Security Management™ Solution

Complete. Simple. Affordable


AlienVault™, AlienVault Unified Security Management™, AlienVault USM™, AlienVault Open Threat Exchange™, AlienVault OTX™, Open Threat Exchange™, AlienVault OTX Reputation Monitor™, AlienVault OTX Reputation Monitor Alert™, AlienVault OSSIM™ and OSSIM™ are trademarks or service marks of AlienVault.


DC-00127 Edition 00 Copyright© 2014 AlienVault. All rights reserved. Page 3 of 10

CONTENTS

1. INTRODUCTION ... 4
2. PREREQUISITES ... 4
3. PRECONFIGURED MANUAL INSTALLATION ... 4
4. VALIDATION ... 5
4.1. On the Client ... 6
4.2. On the Server ... 7


1. INTRODUCTION

AlienVault currently distributes a custom build of OSSEC 2.7, a host-based intrusion detection system (HIDS) with the following features:

- Log monitoring and collection
- File integrity checking
- Windows Registry integrity checking
- Active response

AlienVault integrates OSSEC as a key component for providing extended visibility of the operating system layer.

OSSEC operates via a server/agent architecture, with limited support for agentless operation on certain operating systems.

Agents are deployed to client systems and run as a continuously running service, reporting to the central server over UDP port 1514. The agent initiates the connection, so any firewall between the monitored host and the AlienVault server must allow UDP port 1514 from the agent hosts to the server; nothing needs to be opened towards the agent. Agent traffic is secured with a per-agent key (the authentication key embedded in the preconfigured installer described below), so that installer must be handled as a credential.

2. PREREQUISITES

- A host to be monitored running one of: Windows Server 2003 or 2008; Windows 2000, XP, Vista or 7
- An account with administrative rights on that host for the installation
- Network connectivity from the host to the AlienVault server on UDP port 1514 (see the Introduction)

3. PRECONFIGURED MANUAL INSTALLATION

For Windows client hosts, AlienVault can generate a preconfigured binary that installs without any additional configuration: the server address and the agent's authentication key are already embedded in the installer. Treat the generated file as a credential, since anyone who obtains it can present themselves to the server as that agent.

1. Navigate to "Environment > Detection > HIDS" and choose Agents.

2. Click on ADD AGENT:

3. Enter the details of the agent to be added: either its fixed IP address, or the CIDR subnet if it will have an address assigned by DHCP.


4. Once the entry for the new agent has been added, find the row of icons to the right of that entry and click the Download Preconfigured Agent for Windows icon:

Figure 1. Detection option: "download preconfigured agent for Windows"

5. The system will assemble a preconfigured binary; this may take a short time to complete.

6. The assembled installer will then be downloaded. The file name will resemble the following:

ossec_installer_564dabd0-fa1c-fd4c-d391-8feedf3246ff_001.exe

7. If necessary, move the generated installer binary to the intended client host. Because it embeds the agent's authentication key, transfer it over a trusted channel and delete it from the host (and from any download location) once the installation is complete.

8. Open the executable. The installer briefly runs in a console window, then displays the installer progress UI for a short time, and finally exits after completing the installation.

9. Continue with the Validation section of this document.
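The procedure above, run unattended on the target host, as an added PowerShell example that is not part of the AlienVault document: it checks that the session is elevated, records a hash of the key-bearing installer so the audit trail shows which agent key was deployed, runs the installer, waits for the agent service to come up, looks for the connection entry in the agent log, and then deletes the installer. The C:\Temp location, the service name OssecSvc and the ossec-agent installation directory are assumptions here (the latter two are the usual OSSEC Windows agent defaults), not values stated in the document.

```powershell
# Added example, not from the AlienVault document: install the preconfigured
# agent binary on the target Windows host and check that the agent service
# came up. Assumptions (not stated in the document): the installer was copied
# to $InstallerDir, the agent registers the Windows service "OssecSvc" and
# installs under "...\ossec-agent" (the usual OSSEC agent defaults), and the
# installer exits by itself, as the document describes.
param(
    [string]$InstallerDir = 'C:\Temp',
    [string]$ServiceName  = 'OssecSvc',
    [switch]$KeepInstaller
)

# The installer embeds this agent's authentication key, so it must be run
# from an elevated session and treated as a credential, not left lying around.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated ("Run as Administrator") PowerShell session.'
}

$installer = Get-ChildItem -Path $InstallerDir -Filter 'ossec_installer_*.exe' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $installer) { throw "No ossec_installer_*.exe found in $InstallerDir" }

# Record which binary (and therefore which embedded key) was installed.
$sha256 = [Security.Cryptography.SHA256]::Create()
$digest = ($sha256.ComputeHash([IO.File]::ReadAllBytes($installer.FullName)) |
    ForEach-Object { $_.ToString('x2') }) -join ''
Write-Host "Installing $($installer.Name) (SHA-256 $digest)"

# Run the installer and wait for it to exit (it shows its own console and UI).
$proc = Start-Process -FilePath $installer.FullName -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "Installer exited with code $($proc.ExitCode)" }

# Wait up to a minute for the agent service to reach Running.
$svc = $null
foreach ($attempt in 1..30) {
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') { break }
    Start-Sleep -Seconds 2
}
if (-not $svc) { throw "Service $ServiceName was not registered by the installer" }
if ($svc.Status -ne 'Running') { throw "Service $ServiceName is $($svc.Status), not Running" }

# The agent log lives in the install directory: Program Files (x86) on 64-bit hosts.
$programFiles = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
$log = Join-Path $programFiles 'ossec-agent\ossec.log'
if (Test-Path $log) {
    $connected = Select-String -Path $log -Pattern 'Connected to the server' | Select-Object -Last 1
    if ($connected) { Write-Host "Agent reports: $($connected.Line)" }
    else { Write-Warning 'Service is running but no "Connected to the server" entry yet; check UDP/1514 reachability and the agent key.' }
} else {
    Write-Warning "Agent log not found at $log"
}

# Remove the key-bearing installer unless explicitly asked to keep it.
if (-not $KeepInstaller) { Remove-Item -Path $installer.FullName -Force }
```

Run it from an elevated PowerShell prompt on the host after copying the generated installer into the directory given by -InstallerDir; the service check is what tells you the installer actually completed, since it exits on its own without prompting.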

4. VALIDATION

Validating a successful pairing between the new client agent and the OSSEC Server host can be performed from both sides of the connection.


4.1. ON THE CLIENT

The agent maintains a local log file (ossec.log in the agent's installation directory) recording its operation; the quickest way to open it is via "Agent Manager > View > View Logs".

Figure 2. OSSEC Agent Manager: "View" menu

The log file will open in your system's default application for .txt files (typically Notepad). A successful connection to the server will create log entries similar to these:

2013/05/28 10:53:42 ossec-agent(4102): INFO: Connected to the server (192.168.1.240:1514).

2013/05/28 10:53:42 ossec-agent Sending keep alive message....

Should the client agent be unable to reach the OSSEC service on the AlienVault server, you will instead see log entries like the following. Note that the server does not reply to an agent whose key it does not recognise, so the same "Waiting for server reply" entries appear both when UDP port 1514 is blocked and when the agent was not registered (or was registered with the wrong key) on the server; check both:

2013/05/28 12:20:15 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '192.168.1.240'.

2013/05/28 12:25:05 ossec-agent: INFO: Trying to connect to server (192.168.1.240:1514).
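To check this state without opening Notepad on every host, here is an added PowerShell example (not part of the AlienVault document) that classifies an agent's connection state from the log entry formats shown above. It walks the log in order so that a later "Connected" entry overrides an earlier "Waiting" one, and counts connection attempts since the last successful connection. The sample log lines are constructed for the example from those formats; the default log path is the usual OSSEC agent installation directory, which the document does not state.

```powershell
# Added example, not from the AlienVault document: derive an agent's
# connection state from its ossec.log using the message formats the
# document shows (message ids 4101 and 4102). Sample lines below are
# constructed; the default log location is an assumption.
function Get-OssecAgentState {
    param(
        [string[]]$Lines,   # log lines to classify (read from $Path if omitted)
        [string]$Path       # path to ossec.log (default: agent install directory)
    )
    if (-not $Lines) {
        if (-not $Path) {
            $pf = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
            $Path = Join-Path $pf 'ossec-agent\ossec.log'
        }
        $Lines = Get-Content -Path $Path
    }

    # Patterns taken from the log formats shown in the document.
    $connected = '^(?<ts>\S+ \S+) ossec-agent\(4102\): INFO: Connected to the server \((?<srv>[^:)]+):\d+\)'
    $waiting   = "^(?<ts>\S+ \S+) ossec-agent\(4101\): WARN: Waiting for server reply \(not started\)\. Tried: '(?<srv>[^']+)'"
    $trying    = '^(?<ts>\S+ \S+) ossec-agent: INFO: Trying to connect to server \((?<srv>[^:)]+):\d+\)'

    $state = @{ State = 'Unknown'; Server = $null; LastChange = $null; AttemptsSinceConnect = 0 }

    # Later entries win: an agent that was waiting and then connected is Connected.
    foreach ($line in $Lines) {
        if ($line -match $connected) {
            $state.State = 'Connected'
            $state.Server = $Matches.srv
            $state.LastChange = $Matches.ts
            $state.AttemptsSinceConnect = 0
        } elseif ($line -match $waiting) {
            $state.State = 'Waiting'
            $state.Server = $Matches.srv
            $state.LastChange = $Matches.ts
        } elseif ($line -match $trying) {
            $state.AttemptsSinceConnect += 1
        }
    }
    New-Object PSObject -Property $state
}

# Constructed sample: a period with no server reply (port blocked or key not
# recognised) followed by a successful connection.
$sample = @(
    "2013/05/28 12:20:15 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '192.168.1.240'.",
    '2013/05/28 12:25:05 ossec-agent: INFO: Trying to connect to server (192.168.1.240:1514).',
    '2013/05/28 12:30:05 ossec-agent: INFO: Trying to connect to server (192.168.1.240:1514).',
    '2013/05/28 12:30:06 ossec-agent(4102): INFO: Connected to the server (192.168.1.240:1514).',
    '2013/05/28 12:30:06 ossec-agent Sending keep alive message....'
)
Get-OssecAgentState -Lines $sample

# On a host, with no arguments, the function reads the agent's own ossec.log:
# Get-OssecAgentState
```

A host that reports State "Waiting" with a growing AttemptsSinceConnect count has a reachability or key problem, not an installation problem; compare its Server value with the address the server actually listens on before touching the firewall.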


4.2. ON THE SERVER

Return to the AlienVault Web UI.

Open the HIDS panel through "Environment > Detection > HIDS". In the agent listing at the bottom of the main panel, your newly created agent should be marked as Active:

Figure  3.  OSSEC  configuration  panel

The same status is available from the AlienVault server's command line: /var/ossec/bin/agent_control -l lists every registered agent as Active, Disconnected or Never connected. The trend chart will not populate immediately; it requires logs to have been received from the client for some time first.

Your Client Installation is now completed.

When re-launching the OSSEC Agent Manager ("manage agent") tool under Windows, always start it using the "Run as Administrator" option. Otherwise it will falsely indicate that the agent is not running, the service status will be unavailable, and the agent log cannot be opened from the View menu.


5. LOG MANAGEMENT

Event logs from the agent provide the information needed to troubleshoot operational errors and to investigate potential security exposures; once the agent is paired they appear as SIEM events in the AlienVault Web UI:


Figure  4.  Security  Events  (SIEM)
