2- Setting up the installation environment.
- Choose where to install the OSSEC HIDS [/var/ossec]:
- Installation will be made at /var/ossec .
3- Configuring the OSSEC HIDS.
3.1- Do you want e-mail notification? (y/n) [y]:
- What's your e-mail address?
- What's your SMTP server ip/host?
3.2- Do you want to run the integrity check daemon? (y/n) [y]:
- Running syscheck (integrity check daemon).
3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
- Running rootcheck (rootkit detection).
3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:
- Do you want to enable active response? (y/n) [y]:
- Active response enabled.
- By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.
- Do you want to enable the firewall-drop response? (y/n) [y]:
- firewall-drop enabled (local) for levels >= 6
- Default white list for the active response:
- Do you want to add more IPs to the white list? (y/n)? [n]:
3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]:
- Remote syslog enabled.
3.6- Setting the configuration to analyze the following logs:
- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net
While installing, I ran into this error:
To fix it, I found this:
Which later led me to this: https://groups.google.com/forum/?fromgroups#!topic/ossec-list/CcpufVmh6rM
So I installed a different version of gcc with ports, gcc47.
This put /opt/local/gcc-mp-4.7; I merely did sudo mv gcc-mp-4.7, ran the installer, and then moved it back. This succeeded, and then I got this build log:
This was funny because it gave a LOT of warnings in the compilation of the components. Compilation didn't fail (I didn't put the compilation warnings in the pastebin link), but there was some funny inability to do chmod on ossec. It complained about some argument errors. I'm not sure if that is something that I should look into or if it will be OK, but I'm going to try and use it and hopefully things will work out fine. I'll look into things further if they don't pan out or if it malfunctions.
- System is Darwin.
- Init script modified to start OSSEC HIDS during boot.
- Configuration finished properly.
- To start OSSEC HIDS:
- To stop OSSEC HIDS:
- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at firstname.lastname@example.org or using our public maillist at
( http://www.ossec.net/main/support/ ).
More information can be found at http://www.ossec.net
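The answers given to the installer above (e-mail alerts, syscheck, rootcheck, firewall-drop at level 6 or higher, a white list, remote syslog on 514/udp, and an extra localfile entry) end up as blocks in /var/ossec/etc/ossec.conf. The fragment below is an added example, not text from the original post or the configuration OSSEC ships; the addresses, SMTP host, allowed syslog network, white-listed IP and log path are placeholders to replace for your own host.

```xml
<ossec_config>
  <global>
    <!-- 3.1: e-mail notification; placeholder addresses and SMTP host -->
    <email_notification>yes</email_notification>
    <email_to>admin@example.org</email_to>
    <smtp_server>smtp.example.org</smtp_server>
    <email_from>ossec@example.org</email_from>
    <!-- 3.4: white list; hosts here are never blocked by active response.
         Put your own management host here so a noisy rule cannot lock you out. -->
    <white_list>127.0.0.1</white_list>
    <white_list>192.0.2.10</white_list>
  </global>

  <!-- 3.5: remote syslog on 514/udp; restrict senders to a known network -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.0.2.0/24</allowed-ips>
  </remote>

  <!-- 3.2: integrity check daemon (syscheck) -->
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>

  <!-- 3.3: rootkit detection engine (rootcheck) -->
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <!-- 3.6: one extra localfile entry; path is a placeholder for the log you want watched -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/system.log</location>
  </localfile>

  <!-- 3.4: firewall-drop, local, for alerts of level 6 and above.
       The matching <command name="firewall-drop"> block is already present in the
       installed ossec.conf; the timeout (seconds) lets a block expire so a spoofed
       source cannot cause a permanent denial of service. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

After editing, restart OSSEC and check /var/ossec/logs/ossec.log for configuration errors before relying on the blocks.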