Source:
https://www.youtube.com/watch?v=JVmvgLS81wk
http://manipulatesecurity.com/2013/12/18/setup-ossim-with-linux-and-windows-ossec-agents/
https://www.alienvault.com/open-threat-exchange/projects
3. Connect to your Linux (CentOS) box and add the necessary repositories (epel, remi, atomic)
# cd /root
# wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
# rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm
# wget -q -O - http://www.atomicorp.com/installers/atomic | sh
Troubleshooting
Connectivity Issues
Connectivity issues are not uncommon. If you are using CentOS, create the appropriate iptables rule(s) to allow
traffic between the agent and OSSIM; OSSEC uses UDP port 1514. The same applies to Windows. If you
need help with the rule, feel free to contact me, but then again I don't think you would be here.
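As an added example (not from the original post), the following POSIX shell helper generates the iptables rules that allow OSSEC agent traffic on UDP/1514 for either side of the connection, validates the peer address before interpolating it into a rule, and applies the rules only when run as root (otherwise it just prints them). The default server address 192.0.2.10 and the variable and function names are constructed placeholders, not part of OSSEC or OSSIM.

```shell
#!/bin/sh
# Added example: iptables rules for OSSEC agent <-> OSSIM traffic on UDP/1514.
# OSSIM_IP is a constructed placeholder; override it with your real server address.
OSSIM_IP="${OSSIM_IP:-192.0.2.10}"
OSSEC_PORT=1514

# Rules to run on the agent host: allow traffic to the server and its replies back.
agent_rules() {
    printf '%s\n' \
      "iptables -A OUTPUT -p udp -d $1 --dport $OSSEC_PORT -j ACCEPT" \
      "iptables -A INPUT  -p udp -s $1 --sport $OSSEC_PORT -j ACCEPT"
}

# Rule to run on the OSSIM server: accept traffic from one agent on the OSSEC port.
server_rules() {
    printf '%s\n' \
      "iptables -A INPUT -p udp -s $1 --dport $OSSEC_PORT -j ACCEPT"
}

# Only accept a plain dotted-quad, so nothing odd is ever pasted into a rule.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# apply_rules <agent|server> <peer-ip>: print the rules, and apply them if root.
apply_rules() {
    role="$1"; peer="$2"
    valid_ipv4 "$peer" || { echo "invalid IPv4 address: $peer" >&2; return 1; }
    case "$role" in
        agent)  rules=$(agent_rules "$peer") ;;
        server) rules=$(server_rules "$peer") ;;
        *)      echo "role must be 'agent' or 'server'" >&2; return 1 ;;
    esac
    if [ "$(id -u)" -eq 0 ]; then
        echo "$rules" | sh -ex      # apply each rule, stop on the first failure
    else
        echo "$rules"               # not root: show what would be applied
    fi
}

# Usage: sh ossec-fw.sh agent 192.0.2.10   (on the agent, pointing at the server)
#        sh ossec-fw.sh server 192.0.2.20  (on OSSIM, pointing at one agent)
[ $# -ge 2 ] && apply_rules "$1" "$2"
```

On CentOS 6 the rules added this way are lost at reboot unless you persist them with `service iptables save`; on the server you can confirm OSSEC is actually listening with `ss -lun` (or `netstat -lun`) and look for `:1514`.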
Duplicated directory warning
This problem is not uncommon, and it is something I have encountered a few times (if you watched the video,
you will see that I was blessed with this issue while recording). It is quite easy to overcome: remove the agent
from OSSIM, recreate the agent within OSSIM, and then import the new key on your Linux OSSEC agent.
What's Next?
Like I said, this tutorial is extremely basic, and I wouldn't recommend putting OSSEC or OSSIM into a
production environment without properly testing the software and learning it thoroughly. Both tools have great
communities, and there are some great books out there on Intrusion Detection Systems and NSM that you may
want to explore first.
The next videos coming up will include configuring OSSEC with active response, and configuring Snort with
OSSIM (I will also be using pfSense in that video).