Saturday, June 2, 2012

Installing OSSEC on Mac OS X Lion

I'm installing OSSEC on my Mac as both a server and an agent, so the Mac host is the server that manages everything, and the Mac is also an agent of itself. My VMs will also have agents installed, and they will report to my Mac host.

Installation log:

2- Setting up the installation environment.

 - Choose where to install the OSSEC HIDS [/var/ossec]: 

    - Installation will be made at  /var/ossec .

3- Configuring the OSSEC HIDS.

  3.1- Do you want e-mail notification? (y/n) [y]: 

   - What's your e-mail address? 
   - What's your SMTP server ip/host?

  3.2- Do you want to run the integrity check daemon? (y/n) [y]: 

   - Running syscheck (integrity check daemon).

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]: 

   - Running rootcheck (rootkit detection).

  3.4- Active response allows you to execute a specific 
       command based on the events received. For example,
       you can block an IP address or disable access for
       a specific user.  
       More information at:
   - Do you want to enable active response? (y/n) [y]: 

     - Active response enabled.
   - By default, we can enable the host-deny and the 
     firewall-drop responses. The first one will add
     a host to the /etc/hosts.deny and the second one
     will block the host on iptables (if linux) or on
     ipfilter (if Solaris, FreeBSD or NetBSD).
   - They can be used to stop SSHD brute force scans, 
     portscans and some other forms of attacks. You can 
     also add them to block on snort events, for example.

   - Do you want to enable the firewall-drop response? (y/n) [y]: 

     - firewall-drop enabled (local) for levels >= 6

   - Default white list for the active response:

   - Do you want to add more IPs to the white list? (y/n)? [n]: 

  3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: 

   - Remote syslog enabled.

  3.6- Setting the configuration to analyze the following logs:
    -- /var/log/secure.log
    -- /var/log/system.log

 - If you want to monitor any other file, just change 
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at

While installing, I ran into this error:

To fix it, I found this:

Which later led me to this:!topic/ossec-list/CcpufVmh6rM
So I installed a different version of gcc with ports, gcc47.
This put it at /opt/local/gcc-mp-4.7; I merely did sudo mv gcc-mp-4.7, ran the installer, and then moved it back. This succeeded, and then I got this build log:
This was funny because it gave a LOT of warnings in the compilation of the components. Compilation didn't fail (I didn't put the compilation warnings in the pastebin link), but there was some funny inability to do chmod on ossec. It complained about some argument errors. I'm not sure if that is something that I should look into or if it will be OK, but I'm going to try and use it and hopefully things will work out fine. I'll look into things further if they don't pan out or if it malfunctions.

Final result: 

 - System is Darwin.
 - Init script modified to start OSSEC HIDS during boot.

 - Configuration finished properly.

 - To start OSSEC HIDS:
/var/ossec/bin/ossec-control start

 - To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

    Thanks for using the OSSEC HIDS.
    If you have any question, suggestion or if you find any bug,
    contact us at or using our public maillist at
    ( ).

    More information can be found at
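The installer above only registers secure.log and system.log and tells you to add a localfile entry for anything else. The script below is an added example (not from the post or the OSSEC project) that does that edit with the checks a hand edit tends to skip; it assumes OSSEC's behaviour of merging every <ossec_config> block in ossec.conf, and the OSSEC_CONF variable and the add_localfile/list_localfiles names are my own.

```shell
#!/bin/sh
# Added example, not from the post or the OSSEC project: register one more log in
# ossec.conf the way the installer text suggests, with the checks a hand edit skips.
# Assumption: OSSEC merges every <ossec_config> block in the file, so appending a new
# block is equivalent to editing the existing one. OSSEC_CONF overrides the path.

CONF=${OSSEC_CONF:-/var/ossec/etc/ossec.conf}

# Print the <location> of every <localfile> already in CONF, one per line.
list_localfiles() {
    sed -n 's|.*<location>\(.*\)</location>.*|\1|p' "$1"
}

# add_localfile CONF LOGPATH [LOG_FORMAT]
# Appends a <localfile> entry. Returns 1 (and appends nothing) for a relative
# path, a file that does not exist, or a path that is already being monitored.
add_localfile() {
    conf=$1; logpath=$2; fmt=${3:-syslog}
    case $logpath in
        /*) ;;
        *) echo "add_localfile: need an absolute path, got '$logpath'" >&2; return 1 ;;
    esac
    if [ ! -f "$logpath" ]; then
        echo "add_localfile: $logpath does not exist" >&2; return 1
    fi
    if list_localfiles "$conf" | grep -qxF -- "$logpath"; then
        echo "add_localfile: $logpath is already monitored" >&2; return 1
    fi
    cat >> "$conf" <<EOF

<ossec_config>
  <localfile>
    <log_format>$fmt</log_format>
    <location>$logpath</location>
  </localfile>
</ossec_config>
EOF
}

# Direct use: ./add_localfile.sh /var/log/some.log [format]   (path is a placeholder)
if [ $# -gt 0 ]; then
    add_localfile "$CONF" "$@" && list_localfiles "$CONF"
fi
```

Restart OSSEC with /var/ossec/bin/ossec-control restart afterwards; the log collector reads ossec.conf only at start-up.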

Tuesday, April 17, 2012

Correctly configuring googlemock on Mac with Eclipse

So, if you ever do C++ development on a mac, you'll want a unit testing framework.

The GoogleMock utility, available at, includes both a unit testing framework and a system for creating mock objects. 

cppcheck and splint are both static source checkers, and they help you find errors in your C++ code. It's really cool to have a problem, not know how to fix it, discover that it is actually really vague and that it might take hours to find the source and solve it, only to be able to run a single command that will give you a strong indication, or at least a hint, of where to look for the solution.

Also, log4cxx is kind of a debugging tool with a lot more features than the usual printf statement. Enhance your program with the ability to record where execution went and what every variable was when it ran! I haven't used log4cxx, but I know that if you use log4j, you could just add a line that would set the logging sensitivity, and if you set it to pedantic or something it would log the entrance into every function and every variable change.

I just spent a day or so configuring googlemock for a computer networks class project. I can say that if you don't read the instructions carefully, it will really bite you. 

If you are on a Linux system, you can install all of these with a single command:
sudo apt-get install google-mock cppcheck splint liblog4cxx10

But I've been doing all the work on Mac, so I'll give step-by-step instructions for Mac. After untarring, build the combined gtest+gmock archive (gtest-all.cc and gmock-all.cc are the two amalgamated sources that produce the .o files the ar step expects):
cd gmock-1.6.0 ; autoreconf -fvi ; GMOCK_DIR=/path/to/gmock-1.6.0 ; GTEST_DIR=$GMOCK_DIR/gtest ;
g++ -I${GTEST_DIR}/include -I${GTEST_DIR} -I${GMOCK_DIR}/include -I${GMOCK_DIR} -c ${GTEST_DIR}/src/gtest-all.cc ;
g++ -I${GTEST_DIR}/include -I${GTEST_DIR} -I${GMOCK_DIR}/include -I${GMOCK_DIR} -c ${GMOCK_DIR}/src/gmock-all.cc ;
ar -rv libgmock.a gtest-all.o gmock-all.o

Then move libgmock.a to $GMOCK_DIR/lib.

cd $GMOCK_DIR/make ; make ; ./gmock_test && echo "all tests should succeed!"

NOTE: you might have to run the configure command in $GMOCK_DIR somewhere along the line... I did it, but it's not in the instructions: cd $GMOCK_DIR ; ./configure

If you want Eclipse to work with this, add a new build configuration, add the include directories from gmock and gtest, then add the archive in the link step. To do all of this in Eclipse, go to Project -> Properties -> C/C++ General -> Paths and Symbols -> Includes
(make sure that you have the right build configuration selected, the one that you will build and run your tests from),
select GNU C++ under Languages, then on the right click Add, then File system. Add $GMOCK_DIR/include and $GTEST_DIR/include (not the variables: actually navigate to those directories!).

Now that you've done that, to include the archive file in the link step:
Project -> Properties -> C/C++ Build -> Settings -> MacOSX C++ Linker
In the command line pattern textbox, add the path to the libgmock.a that you compiled; it should be at $GMOCK_DIR/lib/libgmock.a.

The above steps work on all platforms, but a manual setup is a pain, and on Linux it is a particular nuisance because you want everything to be managed by the package repository. Because I did my setup on Mac, I don't know where the Linux package puts the libgmock.a file, and I don't know whether it drops the gmock headers into the default include path where the compiler would find them if you just did #include <gmock/gmock.h>. You'll have to do your own exploring here, but it shouldn't be too hard, as the steps are 1-1 with what I've done: find out how it sets up the includes and whether it drops a libgmock.a file anywhere, or whether you have to compile that yourself.
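The Eclipse clicks above boil down to two include roots and one archive on the linker line. The script below is an added example (not from the post or the googlemock project) that expresses the same settings as compiler flags and then builds a tiny program using both a mock and a gtest assertion, so you can confirm the tree is wired correctly before fighting the IDE; it assumes a gmock-1.6.0 tree with lib/libgmock.a built as above, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the post or the googlemock project: the command-line
# equivalent of the Eclipse include and link settings above, plus a smoke test
# that proves the archive and headers are where the recipe put them.
# Assumption: $1 is an unpacked gmock-1.6.0 tree with lib/libgmock.a built as above.

# The two include roots Eclipse needs under Paths and Symbols -> Includes.
gmock_cxxflags() {
    printf '%s\n' "-I$1/include -I$1/gtest/include"
}

# The linker input Eclipse needs on the linker command line: the archive, plus
# pthread, which gtest 1.6 uses on both Linux and Mac.
gmock_ldflags() {
    printf '%s\n' "$1/lib/libgmock.a -lpthread"
}

# Fail early, naming the missing file, instead of a wall of "not found" errors later.
check_gmock_tree() {
    for f in include/gmock/gmock.h gtest/include/gtest/gtest.h lib/libgmock.a; do
        if [ ! -f "$1/$f" ]; then
            echo "check_gmock_tree: missing $1/$f" >&2; return 1
        fi
    done
}

# Build and run a one-test program that exercises a gmock mock and a gtest assertion.
smoke_test() {
    check_gmock_tree "$1" || return 1
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/smoke.cc" <<'EOF'
#include <gmock/gmock.h>
#include <gtest/gtest.h>
struct Clock { virtual ~Clock() {} virtual int now() const = 0; };
struct MockClock : Clock { MOCK_CONST_METHOD0(now, int()); };
TEST(Setup, MockAndAssertionWork) {
    MockClock c;
    EXPECT_CALL(c, now()).WillOnce(::testing::Return(42));
    EXPECT_EQ(42, c.now());
}
int main(int argc, char **argv) { ::testing::InitGoogleMock(&argc, argv); return RUN_ALL_TESTS(); }
EOF
    # word splitting of the flag strings is intended here
    g++ $(gmock_cxxflags "$1") -o "$tmp/smoke" "$tmp/smoke.cc" $(gmock_ldflags "$1") \
        && "$tmp/smoke"
}

# Direct use: ./gmock_check.sh /path/to/gmock-1.6.0
if [ $# -eq 1 ]; then smoke_test "$1"; fi
```

If the smoke test passes on the command line but the Eclipse build does not, the difference is in the IDE settings, not in the gmock tree.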

Tuesday, January 31, 2012

Custom VIM Auto Backup Plugin

Check out my public .vimrc and my custom plugin script.

A little bit of info about this script:
each time you save a file in vim, it automatically places a copy in $HOME/VIMBackups/ with some extra stuff on the end.
It creates a year-month-day directory, and inside that directory it recreates the full directory path of the file you just saved in vim, followed by the file itself.

So say you were working on ~/.vim/plugin/aplugin.vim, and then you saved it.

The script would create Dropbox/VIMBackups/<year,month,day>/<full home directory>/.vim/plugin/aplugin.vim.(hour,minute,second).bak
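The layout described above, reproduced as a shell function so the scheme can be checked or driven from outside vim. This is an added example, not the author's plugin; it assumes the date and time are written as YYYYMMDD and HHMMSS, takes the backup root as a parameter (the post mentions both $HOME/VIMBackups and Dropbox/VIMBackups), and the function names are my own.

```shell
#!/bin/sh
# Added example, not the author's plugin: the backup path scheme from the post
# as shell functions. Assumptions: date as YYYYMMDD, time as HHMMSS, and the
# backup root passed in rather than fixed to $HOME/VIMBackups or Dropbox/VIMBackups.

# backup_path ROOT FILE DAY STAMP
# Where a save of FILE at DAY/STAMP lands: ROOT/<day>/<absolute path of file>.<stamp>.bak
backup_path() {
    root=$1; file=$2; day=$3; stamp=$4
    case $file in
        /*) ;;
        *) echo "backup_path: need an absolute path, got '$file'" >&2; return 1 ;;
    esac
    # FILE already starts with "/", so ROOT/DAY + FILE nests the full directory tree.
    printf '%s/%s%s.%s.bak\n' "$root" "$day" "$file" "$stamp"
}

# backup_on_write ROOT FILE [DAY STAMP]
# What the autocmd does on every write: create the date and directory levels,
# copy the file in, print the destination. Uses the current clock unless told otherwise.
backup_on_write() {
    root=$1; file=$2
    day=${3:-$(date +%Y%m%d)}; stamp=${4:-$(date +%H%M%S)}
    dest=$(backup_path "$root" "$file" "$day" "$stamp") || return 1
    mkdir -p "$(dirname "$dest")" || return 1
    # -p keeps the original mode, so the copy is no more readable than the source.
    cp -p "$file" "$dest" && printf '%s\n' "$dest"
}

# Direct use: ./vimbackup.sh /absolute/path/to/file   (root is a placeholder here)
if [ $# -eq 1 ]; then backup_on_write "$HOME/VIMBackups" "$1"; fi
```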