Inline response....
> My hosts are running debian lenny and one windows server 2008.
> One of my requirements is that the installation come from a debian
> repository for the linux boxes.
OSSEC does not maintain Debian packages; you are welcome to create them
yourself, as the installation process is very simple.
* <http://www.ossec.net/main/manual/manual-installation>
If you require binary installations I would suggest you start here:
* <http://www.ossec.net/wiki/Know_How:BinaryInstall>
> To limit the amount of data going over the wire, I'm interested in sending
> alerts only when possible.
While this is a good goal, in most cases the better choice is to get all
data OFF the OS and into a central location as fast as possible. By doing
this there is less time for attackers to take out local daemons and/or
modify the logs. This is (as I understand it) one of the design goals of
OSSEC.
> I really like ossec, but since there is no debian repository for it (as
> far as I can tell), I have to look elsewhere for the package
> install/update feature.
> I found prelude as a SIM/LIDS, samhain as an integrity checker for
> debian, and snort as a NIDS in the standard debian repository.
> So that leaves the windows box, and ossec windows agent seems to fit the
> bill.
> When installing the windows ossec agent, it asks for the ossec server IP
> as well as the authentication key. I want windows ossec agent to work
> with prelude.
> Here's my question:
> I see instructions for the linux agent (run "make
> setprelude;./install.sh"). How can I get an ossec windows agent to work
> with prelude?
You cannot. The OSSEC agent cannot talk to anything other than an OSSEC
server.
You are going to have a fair amount of overlap with OSSEC + snort + samhain
+ Prelude, as they all share functionality at some level. As someone who
has done large installs using all the tools you have suggested, here is my
two-cent suggestion:
* ossec agents running on all hosts (windows and unix)
* ossec server with prelude support compiled
(<http://www.ossec.net/wiki/Know_How:PreludeOutput>)
* migrate your samhain rules to ossec rootcheck & syscheck
(<http://www.ossec.net/wiki/Know_How:Syscheck>)
* snort + prelude is the way to go, wish more people did that.
OSSEC can do the same things that samhain does while still providing all its
other features (rootcheck, open ports, nmap scans, log IDS, scripted input,
and much more).
--
Jeremy Rossi
e: look at the headers people
t: http://twitter.com/jrossi
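An added example, not from Jeremy's message or from the OSSEC project, of what the server-side ossec.conf looks like once the setup above is in place: Prelude output switched on in the global section (this only works on a server built with "make setprelude" as described above), and the file-integrity monitoring samhain was doing moved into syscheck, with rootcheck alongside. The element names are OSSEC's; the directory list, check frequency and ignore entries are assumptions chosen for illustration and should be taken from your existing samhain policy instead.

```xml
<!-- Added example: /var/ossec/etc/ossec.conf on the OSSEC server.
     Element names are OSSEC's; the paths and values below are assumptions
     for illustration, not OSSEC defaults or the poster's configuration. -->
<ossec_config>

  <global>
    <!-- Forward alerts to the local Prelude manager.
         Requires a server compiled with "make setprelude". -->
    <prelude_output>yes</prelude_output>
  </global>

  <!-- File integrity checking, replacing the samhain policy.
       frequency is in seconds; 7200 = every two hours (assumed value). -->
  <syscheck>
    <frequency>7200</frequency>

    <!-- check_all: size, permissions, owner, group, md5 and sha1 -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>

    <!-- Files that legitimately change and would only produce noise -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
  </syscheck>

  <!-- Rootkit and policy checks that samhain does not cover -->
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
  </rootcheck>

</ossec_config>
```

After editing the file, restart the server with /var/ossec/bin/ossec-control restart and confirm that syscheck alerts (rule group "syscheck") now show up in Prelude rather than only in /var/ossec/logs/alerts/alerts.log. The Windows agent keeps its own local ossec.conf with a syscheck section; it never needs to know about Prelude, because, as stated above, it only ever talks to the OSSEC server.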