
INSTALL OSSEC AND OSSIM

Source:
https://www.youtube.com/watch?v=JVmvgLS81wk
http://manipulatesecurity.com/2013/12/18/setup-ossim-with-linux-and-windows-ossec-agents/
https://www.alienvault.com/open-threat-exchange/projects

The following notes supplement the video:


1. Connect to your OSSIM box and Jailbreak this Appliance to get a shell.

2. Add agents (/var/ossec/bin/manage_agents)

3. Connect to your Linux (CentOS) box and add the necessary repositories (EPEL, Remi, Atomic)
# cd /root
# wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
# rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm
# wget -q -O - http://www.atomicorp.com/installers/atomic | sh

4. Install the OSSEC Agent
# yum install ossec-hids-client

5. Configure the OSSEC agent (/var/ossec/bin/ossec-configure)

6. Add the OSSIM server IP to the agent configuration file (/var/ossec/etc/ossec.conf)

7. Import the agent key.
[Extract the key from OSSIM]
[Import the key into the agent]

8. Start OSSEC (/var/ossec/bin)
# ./ossec-control start

9. On your Windows box, install the agent (http://www.ossec.net)

10. Import the key for the Windows Agent

11. Start OSSEC

12. Check for connectivity

Troubleshooting

Connectivity Issues
Connectivity issues are not uncommon. If you are using CentOS, create the appropriate iptables rule(s) to allow
traffic between the agent and OSSIM. OSSEC uses UDP port 1514. The same applies to Windows. If you
need help with the rule, feel free to contact me, but then again I don't think you would be here.
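The checks below are an added example, not part of the original tutorial or of OSSEC itself. They cover steps 6 and 7 together with the connectivity issue above: decoding an exported agent key before importing it, writing the server IP into ossec.conf, and confirming that a firewall rule accepts UDP 1514. The key format (base64 of "ID NAME IP KEY"), the iptables-save style input and all sample values are assumptions made here for illustration.

```shell
#!/bin/sh
# Added helper functions (not part of the tutorial or of OSSEC). Assumed: the key
# exported by manage_agents on OSSIM is the base64 encoding of "ID NAME IP KEY",
# and the firewall is inspected from "iptables-save" style output.

# Decode an exported key and print "ID NAME IP" so a pasted key can be compared
# with the agent's real name and address before it is imported on the agent.
# Returns 1 if the string is not base64 or does not carry exactly four fields.
decode_agent_key() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    set -- $decoded
    [ "$#" -eq 4 ] || return 1
    printf '%s %s %s\n' "$1" "$2" "$3"
}

# Write the OSSIM address ($2) into the <server-ip> element of the ossec.conf
# copy given as $1, replacing whatever was there; returns 0 when it is in place.
set_server_ip() {
    sed "s|<server-ip>[^<]*</server-ip>|<server-ip>$2</server-ip>|" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
    grep -q "<server-ip>$2</server-ip>" "$1"
}

# Report whether the given iptables-save output accepts UDP 1514 in either
# direction (agent to server or server to agent); returns 0 when it does.
ossec_port_allowed() {
    printf '%s\n' "$1" | grep -Eq -- '-p udp .*--(d|s)port 1514 .*-j ACCEPT'
}

# Constructed sample data for a stand-alone run (not real keys or rules).
SAMPLE_KEY=$(printf '%s' '001 centos-agent 192.168.1.20 0123456789abcdef' | base64 | tr -d '\n')
BAD_KEY=$(printf '%s' '001 centos-agent' | base64 | tr -d '\n')
SAMPLE_RULES='-A INPUT -p udp -m udp --dport 1514 -j ACCEPT
-A INPUT -j DROP'

decode_agent_key "$SAMPLE_KEY"                      # 001 centos-agent 192.168.1.20
decode_agent_key "$BAD_KEY" || echo "bad key: wrong field count"
ossec_port_allowed "$SAMPLE_RULES" && echo "UDP 1514 accepted"
```

On a real agent, feed the string you copied from OSSIM to decode_agent_key and the output of iptables-save to ossec_port_allowed before starting the agent.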
Duplicated directory warning
This problem is not uncommon and is something that I have encountered a few times (if you watched the video,
you will see that I was blessed with this issue while recording). It is quite easy to overcome. All you have to do
is remove the agent from OSSIM, recreate the agent within OSSIM, and then import the new key on your Linux
OSSEC agent.

What's Next?
Like I said, this tutorial is extremely basic, and I wouldn't recommend putting OSSEC or OSSIM into a
production environment without properly testing the software and learning it thoroughly. Both tools have great
communities, and there are some great books out there on Intrusion Detection Systems and NSM that you may
want to explore first.
The next videos coming up will include configuring OSSEC with active response, and configuring Snort with
OSSIM (I will also be using pfSense in that video).

Install OSSIM from VirtualBox


https://www.youtube.com/watch?v=Fl5T2MVc25g

SNORT AND OSSEC


https://www.youtube.com/watch?v=E8bFC1byVBE
