OSSEC on a single host
Jul 5th, 2008 by knutee
Today I wanted to set up an IDS solution for my Windows partition, just for fun really. I decided to go with OSSEC, which is a host-based IDS, but it still requires a server for the agent to report to.
So to get this running on a single machine, the first thing I did was to set up a tiny Xubuntu virtual machine. Now, you could of course use an even smaller Linux distro, but for testing purposes Xubuntu was good enough for me. Getting both the server and client application is easy enough. Just head over to OSSEC and download both. Unpack the server files on the virtual machine and run the install.sh script as root. You'll be asked a series of questions that are well described and should not cause any difficulties. After you have installed the server you should edit /var/ossec/etc/ossec.conf and change the default mail_from value, as my SMTP server rejected the default one. You will need to chmod +w the file to edit it. Finally, run /var/ossec/bin/ossec-control start to get the server running.
Now, you need to add clients to the server list. This is done by invoking /var/ossec/bin/manage_agents. Select (A) to add a new client, and give it a name, ID and an IP address. When this is done, select (E) to extract the authentication key for the client you just added. This key will be needed during the installation of the Windows agent.
Installing the Windows client is even easier. Run the installer and click through the install options. When the install reaches the end you will be asked for a server IP and an authentication key. Type in the IP address of your virtual server and the key you generated earlier. Save and restart.
And that's it! Now you have an IDS running on your machine. Local log files can be found in the installation directory of the OSSEC agent, and the server logs in /var/ossec/logs. All security events will be mailed to the e-mail address you chose during installation, but consider changing the alert level so that low-severity events do not flood your inbox.
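The two edits to ossec.conf mentioned above (changing the sender address so the SMTP server accepts the mail, and changing the alert level so you are not spammed) can be scripted instead of done by hand. The script below is an added example, not code from the post or from the OSSEC project: it assumes the OSSEC element names <email_from> (what the post calls mail_from) and <email_alert_level>, a sed that supports -i with a backup suffix (GNU or BSD), and it works on a small constructed ossec.conf rather than a real installation. It also does the chmod +w/-w dance around the edit so the file is left read-only again, and rejects an alert level outside OSSEC's 0-15 range.

```shell
#!/bin/sh
# Added example (not from the original post): rewrite the sender address and
# the e-mail alert level in an OSSEC-style ossec.conf. Element names
# <email_from> and <email_alert_level> are assumed; the sample file written
# by write_sample_conf is constructed for this example.

# write_sample_conf FILE: write a minimal constructed ossec.conf to FILE.
write_sample_conf() {
    cat > "$1" <<'EOF'
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>admin@example.invalid</email_to>
    <email_from>ossecm@localhost</email_from>
    <smtp_server>127.0.0.1</smtp_server>
  </global>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>
EOF
}

# configure_ossec_conf FILE FROM_ADDRESS LEVEL
# Makes FILE writable, rewrites <email_from> and <email_alert_level>, then
# makes it read-only again. LEVEL must be an integer from 0 to 15 (the
# OSSEC rule level range). FROM_ADDRESS must not contain '|' or '&', which
# are special in the sed replacement.
configure_ossec_conf() {
    conf=$1; from=$2; level=$3
    case $level in
        ''|*[!0-9]*) echo "alert level must be numeric" >&2; return 1 ;;
    esac
    [ "$level" -le 15 ] || { echo "alert level must be 0-15" >&2; return 1; }
    chmod u+w "$conf" || return 1
    sed -i.bak \
        -e "s|<email_from>[^<]*</email_from>|<email_from>$from</email_from>|" \
        -e "s|<email_alert_level>[^<]*</email_alert_level>|<email_alert_level>$level</email_alert_level>|" \
        "$conf" || return 1
    rm -f "$conf.bak"
    chmod u-w "$conf"
}

# get_setting FILE ELEMENT: print the text of a single-line ELEMENT in FILE,
# so the result of an edit can be checked without opening the file.
get_setting() {
    sed -n "s|.*<$2>\([^<]*\)</$2>.*|\1|p" "$1"
}

# Stand-alone usage: build the sample, apply the edits, show the result.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    write_sample_conf "$f"
    configure_ossec_conf "$f" "ossec@example.invalid" 10
    echo "email_from:        $(get_setting "$f" email_from)"
    echo "email_alert_level: $(get_setting "$f" email_alert_level)"
    rm -f "$f"
fi
```

Run it with `sh script.sh --demo` to see the rewritten values; on a real server you would point configure_ossec_conf at /var/ossec/etc/ossec.conf as root and then restart with /var/ossec/bin/ossec-control restart. Raising email_alert_level only changes what is mailed; lower-level events are still written to the alert logs under /var/ossec/logs, which is usually what you want.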
This is of course also possible on a Linux host!
Future work
I’m trying to find a lightweight OS and virtualization solution that starts up with Windows as a service and restores the previous virtual session upon login. I’ll get back to this later!