Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved.
AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat Exchange, AlienVault OTX Reputation Monitor, AlienVault OTX Reputation Monitor Alert, AlienVault OSSIM and OSSIM are trademarks or service marks of AlienVault.
CONTENTS

  1. INTRODUCTION ........................ 4
  2. PREREQUISITES ....................... 4
  3. PRECONFIGURED MANUAL INSTALLATION ... 4
  4. VALIDATION .......................... 5
     4.1. On the Client .................. 6
     4.2. On the Server .................. 7
  5. LOG MANAGEMENT ...................... 8

DC-00127 Edition 00 Copyright 2014 AlienVault. All rights reserved. Page 3 of 10
1. INTRODUCTION

AlienVault currently distributes a custom build of OSSEC 2.7, a host-based intrusion detection system (HIDS) with the following features:

  - Log monitoring and collection
  - File integrity checking
  - Windows Registry integrity checking
  - Active response

AlienVault integrates OSSEC as a key component for extended visibility into the operating system layer. OSSEC uses a server/agent architecture, with some limited support for agentless operation on certain operating systems. Agents are deployed to client hosts, run as a continuously running service, and communicate with the central server over UDP port 1514. Any firewall between an agent and the AlienVault server must therefore allow UDP port 1514 from the agent to the server; otherwise the agent will never register.

2. PREREQUISITES

  - A host to be monitored running one of:
      Windows Server 2003 or 2008
      Windows 2000, XP, Vista or 7
  - An account with administrative rights on that host for the installation

3. PRECONFIGURED MANUAL INSTALLATION

For Windows client hosts, AlienVault can generate a preconfigured installer binary that installs without any additional configuration: the server address and the agent's authentication key are embedded in the binary. Because the binary carries that key, treat it as a secret: transfer it to the client over a trusted channel and delete the copy once the installation has completed.

  1. Navigate to Environment > Detection > HIDS and choose Agents.
  2. Click ADD AGENT.
  3. Enter the details of the agent to be added: either its fixed IP address, or the CIDR subnet if it will receive its address via DHCP.
  4. Once the entry for the new agent appears, go to the icon row at the right of that agent's entry and click the Download Preconfigured Agent for Windows icon.
     Figure 1. Detection option: download preconfigured agent for Windows
  5. The system assembles a preconfigured binary; this may take a short time to complete.
  6. The assembled installer is then downloaded. The file name resembles the following:
       ossec_installer_564dabd0-fa1c-fd4c-d391-8feedf3246ff_001.exe
  7. If necessary, move the generated installer binary to the intended client host.
  8. Run the executable. The installer briefly runs in a console window, then displays its progress UI for a short time, and finally exits after completing the installation.
  9. Continue with the Validation section of this document.

4. VALIDATION

A successful pairing between the new client agent and the OSSEC server can be validated from both sides of the connection.
4.1. ON THE CLIENT

The agent maintains a local log file of its operation; the quickest way to open it is from the Agent Manager: View menu > View Logs.

Figure 2. OSSEC Agent Manager: View menu

The log file opens in the system's default application for .txt files (typically Notepad). A successful connection to the server produces log entries similar to these:

  2013/05/28 10:53:42 ossec-agent(4102): INFO: Connected to the server (192.168.1.240:1514).
  2013/05/28 10:53:42 ossec-agent Sending keep alive message...

If the agent cannot reach the OSSEC service on the AlienVault server, you will instead see entries like these:

  2013/05/28 12:20:15 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '192.168.1.240'.
  2013/05/28 12:25:05 ossec-agent: INFO: Trying to connect to server (192.168.1.240:1514).
  2013/05/28 12:25:05 ossec-agent: INFO: Using IPv4 for: 192.168.1.240

In that case, confirm that the address in the log is the AlienVault server and that UDP port 1514 is open from the client to that address.
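As an added example, not part of the AlienVault document, the following Python script applies the client-side check above to the text of an agent's log: it parses the entry format shown, replays the entries in order to determine the agent's last connection state, and flags a missing connection or a server port other than UDP 1514. The log contents are constructed from the sample lines above (timestamps and the address 192.168.1.240 are illustrative); the only behaviour assumed beyond those lines is that message ID 4102 means "connected" and 4101 means "waiting for server reply", exactly as they appear there.

```python
import re
from datetime import datetime

# Constructed sample of a Windows agent log, in the entry format shown in the
# validation section. Timestamps and the server address are illustrative.
SAMPLE_LOG = """\
2013/05/28 12:20:15 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '192.168.1.240'.
2013/05/28 12:25:05 ossec-agent: INFO: Trying to connect to server (192.168.1.240:1514).
2013/05/28 12:25:05 ossec-agent: INFO: Using IPv4 for: 192.168.1.240
2013/05/28 12:30:42 ossec-agent(4102): INFO: Connected to the server (192.168.1.240:1514).
2013/05/28 12:30:42 ossec-agent Sending keep alive message...
"""

# One agent line: timestamp, "ossec-agent", optional "(message id)", optional
# "LEVEL:" prefix, then the free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-agent"
    r"(?:\((?P<code>\d+)\))?:?\s*(?:(?P<level>INFO|WARN|ERROR):\s*)?(?P<msg>.*)$"
)
SERVER_RE = re.compile(r"\((?P<ip>[0-9.]+):(?P<port>\d+)\)")  # "(ip:port)" in a message
TRIED_RE = re.compile(r"Tried: '(?P<ip>[^']+)'")               # address in a 4101 warning

EXPECTED_PORT = 1514  # the UDP port the agent must be able to reach on the server


def parse_log(text):
    """Return the agent events in order; lines that do not match the format are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
            "code": int(m.group("code")) if m.group("code") else None,
            "level": m.group("level"),
            "msg": m.group("msg"),
        })
    return events


def agent_status(text):
    """Replay the log and report the agent's last known connection state plus any problems."""
    status = {"state": "unknown", "server": None, "port": None,
              "last_event": None, "waiting_warnings": 0, "problems": []}
    for ev in parse_log(text):
        status["last_event"] = ev["ts"]
        msg = ev["msg"]
        if ev["code"] == 4102 or msg.startswith("Connected to the server"):
            status["state"] = "connected"
            m = SERVER_RE.search(msg)
            if m:
                status["server"], status["port"] = m.group("ip"), int(m.group("port"))
        elif ev["code"] == 4101 or msg.startswith("Waiting for server reply"):
            status["state"] = "waiting_for_server"
            status["waiting_warnings"] += 1
            m = TRIED_RE.search(msg)
            if m:
                status["server"] = m.group("ip")
        elif msg.startswith("Trying to connect to server"):
            status["state"] = "connecting"
            m = SERVER_RE.search(msg)
            if m:
                status["server"], status["port"] = m.group("ip"), int(m.group("port"))
    # The two checks a practitioner wants: did it ever connect, and to the right port?
    if status["state"] != "connected":
        status["problems"].append(
            f"agent not connected; last state '{status['state']}' at {status['last_event']}; "
            f"check UDP {EXPECTED_PORT} from this host to {status['server']}")
    if status["port"] not in (None, EXPECTED_PORT):
        status["problems"].append(
            f"agent is using port {status['port']}, expected {EXPECTED_PORT}")
    return status


def is_connected(text):
    return agent_status(text)["state"] == "connected"


if __name__ == "__main__":
    for key, value in agent_status(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On a real host, pass the text of the log you opened via View Logs to agent_status(); because the state is taken from the last relevant entry, an earlier 4101 warning followed by a 4102 connection is reported as connected (with the warning counted), while a log that ends in the retry entries is reported as a problem naming the address and port to check.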
4.2. ON THE SERVER

Return to the AlienVault web UI and open the OSSEC configuration panel through Environment > Detection > HIDS. In the agent listing at the bottom of the main panel, check that your newly created agent is marked as Active:

Figure 3. OSSEC configuration panel

The trend chart does not populate immediately; it requires logs to have been received from the client for some time first.

Your client installation is now complete.

Note: when re-launching the OSSEC Agent Manager under Windows, always start it with the "Run as administrator" option. Otherwise it will falsely report that the agent is not running, the service status will be unavailable, and the agent logs cannot be viewed.
5. LOG MANAGEMENT

Event logs provide the information you need to troubleshoot operational errors and investigate potential security exposures. Navigate to Analysis > Security Events (SIEM). The window is similar to the following:
Figure 4. Security Events (SIEM)

Navigate to Analysis > Raw Logs to view Logger logs:
Figure 5. Raw Logs