Was working with a client who needed a FIM solution and some centralized logging. After talking with Alien Vault, Tripwire and a few others it became clear that we needed a more wallet-friendly solution… enter OSSEC.

From http://ossec.github.io/ “OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS). It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows.”

Cool, sounds good… where to start?

First off, we wanted to host the server component of OSSEC on VMWare. First shot out the gate, we got an error when setting up the Virtual Appliance (.ova file) found at: http://ossec.github.io/downloads.html

The error was: “This OVF package requires unsupported hardware.”

After some Googling we found this: https://jekil.sexy/blog/2015/this-ovf-package-requires-unsupported-hardware.html

Which provided a solution to the problem. In short, the steps were:

1) Download the OVA to OVF conversion tool from VMWare.
2) Run ovftool.exe --lax source.ova destination.ovf
3) Open the newly created OVF file and make the following modifications:

This:

<vssd:VirtualSystemType>virtualbox-2.2</vssd:VirtualSystemType>

Changes To:

<vssd:VirtualSystemType>vmx-07</vssd:VirtualSystemType>

This:

<Item>
<rasd:Address>0</rasd:Address>
<rasd:Caption>sataController0</rasd:Caption>
<rasd:Description>SATA Controller</rasd:Description>
<rasd:ElementName>sataController0</rasd:ElementName>
<rasd:InstanceID>5</rasd:InstanceID>
<rasd:ResourceSubType>AHCI</rasd:ResourceSubType>
<rasd:ResourceType>20</rasd:ResourceType>
</Item>

Changes To:

<Item>
<rasd:Address>0</rasd:Address>
<rasd:Caption>SCSIController</rasd:Caption>
<rasd:Description>SCSI Controller</rasd:Description>
<rasd:ElementName>SCSIController</rasd:ElementName>
<rasd:InstanceID>5</rasd:InstanceID>
<rasd:ResourceSubType>lsilogic</rasd:ResourceSubType>
<rasd:ResourceType>6</rasd:ResourceType>
</Item>
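Doing step 3 by hand is fine for one appliance, but it is easy to miss an Item or mistype a ResourceType. As an added example (my own script, not from the post or the linked article), here is a small Python script that applies both edits to an OVF descriptor; it assumes the descriptor uses the standard DMTF namespace URIs, and the sample descriptor embedded in it is constructed from the fragments above plus one disk Item to show that non-controller items are left alone.

```python
import xml.etree.ElementTree as ET

# Standard DMTF namespaces used in an OVF descriptor.
NS = {"ovf": "http://schemas.dmtf.org/ovf/envelope/1",
      "vssd": "http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData",
      "rasd": "http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData"}
for prefix, uri in NS.items():   # keep the familiar prefixes in the output
    ET.register_namespace(prefix, uri)

# CIM ResourceType codes: 20 = "other storage device" (VirtualBox's AHCI SATA), 6 = parallel SCSI HBA.
SATA_TYPE, SCSI_TYPE = "20", "6"

def fix_ovf(xml_text: str) -> tuple:
    """Apply the post's two edits; return (rewritten_xml, controllers_swapped)."""
    root = ET.fromstring(xml_text)
    for vst in root.iter(f"{{{NS['vssd']}}}VirtualSystemType"):
        vst.text = "vmx-07"                      # was virtualbox-2.2
    swapped = 0
    for item in root.iter(f"{{{NS['ovf']}}}Item"):
        rtype = item.find("rasd:ResourceType", NS)
        sub = item.find("rasd:ResourceSubType", NS)
        # Only rewrite AHCI SATA controllers; disks, NICs and other Items are left untouched.
        if rtype is None or sub is None or (rtype.text, (sub.text or "").upper()) != (SATA_TYPE, "AHCI"):
            continue
        rtype.text, sub.text = SCSI_TYPE, "lsilogic"
        for tag, value in (("Caption", "SCSIController"), ("Description", "SCSI Controller"),
                           ("ElementName", "SCSIController")):
            node = item.find(f"rasd:{tag}", NS)
            if node is not None:
                node.text = value
        swapped += 1
    return ET.tostring(root, encoding="unicode"), swapped

# Constructed minimal descriptor mirroring the fragments quoted in the post (plus one disk Item).
SAMPLE_OVF = """<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"
 xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData"
 xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData">
 <VirtualSystem><VirtualHardwareSection>
  <System><vssd:VirtualSystemType>virtualbox-2.2</vssd:VirtualSystemType></System>
  <Item><rasd:Caption>sataController0</rasd:Caption><rasd:Description>SATA Controller</rasd:Description>
   <rasd:ElementName>sataController0</rasd:ElementName><rasd:InstanceID>5</rasd:InstanceID>
   <rasd:ResourceSubType>AHCI</rasd:ResourceSubType><rasd:ResourceType>20</rasd:ResourceType></Item>
  <Item><rasd:Caption>disk1</rasd:Caption><rasd:Parent>5</rasd:Parent><rasd:ResourceType>17</rasd:ResourceType></Item>
 </VirtualHardwareSection></VirtualSystem></Envelope>"""

if __name__ == "__main__":   # usage: python fix_ovf.py source.ovf > fixed.ovf
    import sys
    print(fix_ovf(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OVF)[0])
```

One caveat: if the converted package came with a .mf manifest, editing the .ovf invalidates the digest recorded there, so delete or regenerate the manifest before importing.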

Once installed, go to: http://x.x.x.x/xampp (where x.x.x.x is the IP)
You should see the XAMPP for Linux page.

Then, to get into OSSEC, go to: http://x.x.x.x/ossec-wui/index.php (where x.x.x.x is the IP)
username: user
password: _0ssec_
