OSSEC in agent / server mode

PlatinumX · 02-04-2010, 10:40 AM

Hey all,

I would like to install OSSEC in agent / server mode on a LAN.
I will deploy agent on all PCs, and then the server is able to detect any modification in the filesystem where the agent is running.

However, I am wondering how much information is transfered between the agent and the server?

Does the agent compute SHA1 hash for every file and send it to the server?
Means 60 bits for a SHA1 hash, multiplied by the number of files?

Or the agent sends a shorter information to the server?

Thanks

saifkhan123 · 02-07-2010, 11:40 PM

If you enable all the checks on the server i.e. file integrity check,rootkit detection etc, than yes it sends much amount of data to the OSSEC Server i.e hash info about each file on the server,

Make selections of the files to be monitored and review the ossec.conf file accordingly, only put those directories under <directories></directories> in <syscheck> block which are most important,and put others in <ignore></ignore> tag, also change the frequency of integrity check as per ur needs, the default is set to 86400(24 hours). An example would be

The default configuration to monitor a Unix, Linux, or BSD operating system is:

Code:

<ossec_config>
<syscheck>
<frequency>86400</frequency>
<directories check_all=“yes”>/etc,/usr/bin,/usr/sbin</directories>
<directories check_all=“yes”>/bin,/sbin</directories>
<ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
</syscheck>
</ossec_config>

The options which you can use with <directories> tag are

Code:

Option                           Description
check_all          Perform all available integrity checks

check_sum          Use MD5/SHA1 to check the integrity of files

check_size         Check files for size changes


check_owner        Check files for ownership changes

check_group        Check files for group ownership changes

check_perm         Check files for permission changes

PlatinumX · 04-29-2010, 03:54 AM

Thanks for information.
OSSEC seems to be a good candidate.

A last question: do you know if the onnection between agents and the manager are ciphered?

Tanks

saifkhan123 · 04-29-2010, 11:13 PM

Ofcourse dude, The OSSEC agents are connected to the server via an encrypted and secured connection that runs on UDP port 1514. The server and agents are encrypted (and authenticated) using a symmetric key that is defined on the server and then exported and copied to the agent.
When started, the agents connect and register to the server and send back alerts and log data in an encrypted format.

PlatinumX · 05-06-2010, 10:12 AM

Thanks !