Installed as usual. Then it was merely a matter of adding the log files (access.log and error.log) from my nginx site into the ossec.cfg configuration file. Recent versions from 2.3 upwards to the latest (2.5.1) are able to parse nginx logs.

I was not sure on the log_format parameter, so I left it as syslog. Started up ossec and proceed to pound my web server with a Nikto Scan. Anyone who has used Nikto and taken a peak the access.log of your web server knows that it is a very noisy testing tool. That noise is great when you want to test a new ossec.net install. Emails were firing from ossec alerting me to fact that my site was being scanned.

Rule: 31151 fired (level 10) -> “Mutiple web server 400 error codes from same source ip.”
Portion of the log(s):

209.x.x.7 – - [06/Feb/2011:23:39:46 +0000] “GET /d9jH9IhB.EXE HTTP/1.1″ 404 20398 “-” “Mozilla/4.75 (Nikto/@Version) (Evasions:None) (Test:map_codes)”
209.x.x.7 – - [06/Feb/2011:23:39:46 +0000] “GET /d9jH9IhB.password HTTP/1.1″ 404 20398 “-” “Mozilla/4.75 (Nikto/@Version) (Evasions:None) (Test:map_codes)”
–snip–

And others like this…

OSSEC HIDS Notification.
2011 Feb 06 23:41:45

Received From: li242-18->/var/log/nginx/hackertarget.com/access.log
Rule: 31153 fired (level 10) -> “Multiple common web attacks from same souce ip.”
Portion of the log(s):

209.20.68.7 – - [06/Feb/2011:23:41:44 +0000] “GET /nsn/..%5Cutil/set.bas HTTP/1.1″ 404 20398 “-” “Mozilla/4.75 (Nikto/@Version) (Evasions:None) (Test:000379)”
209.20.68.7 – - [06/Feb/2011:23:41:43 +0000] “GET /nsn/..%5Cutil/send.bas HTTP/1.1″ 404 20398 “-” “Mozilla/4.75 (Nikto/@Version) (Evasions:None) (Test:000378)”
209.20.68.7 – - [06/Feb/2011:23:41:43 +0000] “GET /nsn/..%5Cutil/ren.bas HTTP/1.1″ 404 20398 “-” “Mozilla/4.75 (Nikto/@Version) (Evasions:None) (Test:000377)”
209.20.68.7 – - [06/Feb/2011:23:41:43 +0000] “GET /nsn/..%5Cutil/rd.bas HTTP/1.1″ 404 20398 “-” “Mozilla/4.75 (Nikto/@Version) (Evasions:None) (Test:000376)”
–snip–

This highlights how easy it is to test your intrusion detection capability. If you run a serious website, you really should have something in place that will alert you to this sort of noisy scanning. So get on with it and start testing your IDS / IPS. It’s easy and free at HackerTarget.com.

Best practice security management calls for a layered approach to security, security vulnerability scanning, a firewall, strong passwords, patch management and intrusion detection are all important layers. Using a HIDS is a great way to understand what security events are taking place on a server.

The latest version of OSSEC is easy to use and provides a high level of system surveillence for a small amount of effort.

It provides a number of functions, its primary role is log monitoring and alerting based on log alerts, while other checks such as file system integrity checking, and rootkit detection will allow you to quickly notice if someone is attacking or taken over your server. At the most basic level you can install it, set an email address and let
it do its job alerting you to security related events on your server. OSSEC Runs on both Windows and Linux.

Tuning is easy and you will likely only need to tune out a few things to reduce the amount of alerts you receive as the rate of false positives is very low.

Full installation instructions are available here – http://www.ossec.net/main/manual/manual-installation

However a quick guide to installing on Ubuntu 904 (Jaunty Jackalope) follows:

wget http://www.ossec.net/files/ossec-hids-2.1.1.tar.gz

tar zxvf ossec-hids-2.1.1.tar.gz
cd ossec-hids-2.1.1
sudo ./install.sh

Choose your language

1. What kind of installation do you want (server, agent, local or help)?

* If you are doing a basic install to a single server select ‘local’.
This creates a single install to monitor only the server you are
installing on. See the documentation on the site for details on
setting up multiple agents on a number of servers that all report back
to a server.

2- Setting up the installation environment.

– Choose where to install the OSSEC HIDS [/var/ossec]:

– Installation will be made at /var/ossec .

3- Configuring the OSSEC HIDS.

3.1- Do you want e-mail notification? (y/n) [y]:
– What’s your e-mail address? — enter your email address here

– We found your SMTP server as: example.test.com.
– Do you want to use it? (y/n) [y]: n

– What’s your SMTP server ip/host? enter your preffered smtp server here

3.2- Do you want to run the integrity check daemon? (y/n) [y]:
(this is for file integrity checking, alerts you to changes to
files on your system)

– Running syscheck (integrity check daemon).

3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
(this checks for rootkits on a regular basis)

– Running rootcheck (rootkit detection).

3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:

http://www.ossec.net/en/manual.html#active-response

– Do you want to enable active response? (y/n) [y]:
(this can block attacks that meet certain rules)

If you select yes for Active response you are adding Intusion
Prevention capability, this is a good thing but keep in mind it is a
good idea to whitelist your own IP’s as you don’t want active response
to trigger against your IP and auto block your access. This could
happen if you failed multiple ssh logins, or if you were to run a
vulnerabliity scan against your IP – as ossec would detect this as an
attack. So your IP would get blocked, and then you would be unable to
ssh to your server for example to manage it!

After compiling is complete you will be presented with final instructions:

- System is Debian (Ubuntu or derivative).
– Init script modified to start OSSEC HIDS during boot.

– Configuration finished properly.

– To start OSSEC HIDS:
/var/ossec/bin/ossec-control start

– To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop

– The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at contact@ossec.net or using our public maillist at
ossec-list@ossec.net
( http://www.ossec.net/main/support/ ).

More information can be found at http://www.ossec.net

— Press ENTER to finish (maybe more information below). —

That’s it your done. Just start it up with:

/var/ossec/bin/ossec-control start

After your initial install you will get a number of alerts (assuming
your smtp is configured correctly). Agent starting up, new user logged
in and that sort of thing.

So for 15mins work you now have real time security monitoring of your
server, if you would like to test active response head over to
http://www.hackertarget.com and launch some scans against your host.
The HackerTarget.com scanning IP addresses will likely get blocked and
the scan will not be completed. On the other hand if you want to run a
vulnerability scan against your host that does not get blocked you
will need to turn off ossec.

/var/ossec/bin/ossec-control stop

Once the scans are completed don’t forget to restart ossec.