OSSEC-HIDS is much easier to install. Basically, there are two steps to install OSSEC: download the package and run the installation script. To download OSSEC, you may visit the OSSEC website here:
- and you can start downloading with the wget command:
- After the download completes, extract the tarball:
tar zxvf ossec-hids-1.6.tar.gz
- Now run the installation script with this command:
- You will be asked a series of questions, but most of them are basic questions. So I don't think that you will have any problem answering them. Add additional IPs to the whitelist if you wish.
- To start and stop the OSSEC services, just use:
sudo /etc/init.d/ossec start|stop
I hope you can try this HIDS so that it works side by side with Snort. It's fun to experiment with this HIDS. Detecting and preventing the early stages of an attack is the best way to stop it from happening.

Configuring OSSEC
Not much needs to be done. HOWEVER, I would caution you that OSSEC has an active response to threats. If OSSEC detects a bad IP address, it will block that IP address using iptables. This means that if your Snort rules are giving you false alerts, legitimate traffic to your server will be blocked.
This also means you can lose access to your server as well.
Fortunately this is a temporary ban. It is more than sufficient to deter script kiddies, and if your access is blocked, it is restored in a few minutes.
This means, however, that you need to monitor Snort (BASE) and fine-tune your rules so you are not blocking legitimate traffic.
Again, if there are repeat offending IP addresses, blacklist them in iptables (see the Using Snort/BASE post for how to do this).
Additional configuration of OSSEC is done by editing /var/ossec/etc/ossec.conf
This configuration file is well commented, and you will see a whitelist section where you may whitelist additional IP addresses if needed.
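As an added illustration, not taken from the original post, here is a minimal ossec.conf fragment showing the two pieces discussed above: the whitelist entries under the global section, and the active-response block whose timeout value is what makes the iptables ban temporary. The IP addresses are constructed placeholders; the firewall-drop command definition is the one OSSEC ships by default. While you are still tuning your Snort rules, the commented-out disabled flag lets you keep OSSEC alerting without it blocking anything.

```xml
<ossec_config>
  <global>
    <!-- Addresses that active response must never block.
         Put your own admin workstation here so a false alert
         cannot lock you out. (constructed example values) -->
    <white_list>127.0.0.1</white_list>
    <white_list>192.168.1.10</white_list>
  </global>

  <!-- Command definition (this is OSSEC's default firewall-drop entry).
       "expect srcip" means the script receives the offending source IP,
       and timeout_allowed lets the block be undone automatically. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Run firewall-drop on the local host for any alert of level 6
       or higher; remove the iptables rule again after 600 seconds.
       This timeout is the "temporary ban" described in the text. -->
  <active-response>
    <!-- Uncomment the next line to keep alerting but stop blocking
         while you fine-tune your rules:
    <disabled>yes</disabled>
    -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

After editing the file, restart OSSEC for the change to take effect. Raising the level threshold or lengthening the timeout changes how aggressive the ban is; the whitelist is the safety net that keeps your own management addresses reachable regardless of what the rules fire on.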
Taken from Ubuntuforums.org