Monitoring Network Devices with OSSEC HIDS

| by | Wazuh 1.1

In this article, I will discuss the different methods that can be used to monitor network devices and cover some basics of Wazuh HIDS agentless configuration.

OSSEC can be used to monitor a wide range of network devices. Switches, firewalls, and routers can be monitored for successful or failed logins, alerting if a port is down or if a VLAN has changed, as well as reporting if there are any errors on the device. This can be accomplished via syslog data sent from the device (if supported) or through an SSH tunnel to the device in an agentless configuration.

Method 1: Sending Syslog data from a network device to the OSSEC manager

First, we will cover sending syslog data from a network device to the OSSEC manager. If your device is listed below, you can follow these instructions. Otherwise, see Method 2 for OSSEC agentless monitoring.

Devices supported via Syslog:

  • Cisco PIX, ASA and FWSM (all versions)
  • Cisco IOS routers (all versions)
  • Juniper Netscreen (all versions)
  • SonicWall firewall (all versions)
  • Checkpoint firewall (all versions)
  • Cisco IOS IDS/IPS module (all versions)
  • Sourcefire (Snort) IDS/IPS (all versions)
  • Dragon NIDS (all versions)
  • Checkpoint Smart Defense (all versions)
  • McAfee VirusScan Enterprise (v8 and v8.5)
  • Bluecoat proxy (all versions)
  • Cisco VPN concentrators (all versions)
  • VMWare ESXi 4.x

Case 1: Enabling syslog on a new OSSEC installation

When you perform an OSSEC Manager installation, there is a step to “enable remote syslog”; this option sets the manager up as a syslog server.

Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: y
- Remote syslog enabled.

From here, you will need to edit ossec.conf so that the manager receives the events from the devices. Inside the remote block, set the connection tag to syslog so that syslog messages are accepted. Next, specify the allowed devices; in this case, I added every device in the 192.168.1.0/24 range. However, you can add individual IPs if you choose.

<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.168.1.0/24</allowed-ips>
  </remote>
</ossec_config>

  • Restart the Manager
$ /var/ossec/bin/ossec-control restart

Now the manager will accept syslog data from any network device within that network (192.168.1.0/24) and can alert on authentication failures, ports going down, errors, etc.

If you receive the following error, it means that you haven’t specified an allowed-ips entry. You need to add at least one IP in order for the remoted service to start.

ossec-remoted(1501): ERROR: No IP or network allowed in the access list for syslog. No reason for running it. Exiting.

Case 2: Enabling syslog on an existing manager

If you have an existing OSSEC manager but have not enabled the syslog feature, all you need to do to enable it is add the following to the ossec.conf. Of course, you will need to change the allowed-ips to your devices.

<remote>
  <connection>syslog</connection>
  <allowed-ips>your-device-ip-1</allowed-ips>
  <allowed-ips>your-device-ip-2</allowed-ips>
  <allowed-ips>your-device-ip-3</allowed-ips>
</remote>

  • Restart the Manager
$ /var/ossec/bin/ossec-control restart
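
A small pre-restart check for the remote syslog blocks from Case 1 and Case 2, added here as an illustration (it is not part of OSSEC or of the original article). It assumes ossec.conf parses as XML once wrapped in a single root, and that the allowed-ips entries of all syslog remote blocks form one access list; the sample config and the 256-address threshold are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: a Case 1 style range plus a Case 2 style single address.
SAMPLE_CONF = """
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.168.1.0/24</allowed-ips>
  </remote>
</ossec_config>
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>10.0.0.5</allowed-ips>
  </remote>
</ossec_config>
"""

def syslog_acl(conf_text):
    """Return (syslog_enabled, networks) gathered from syslog <remote> blocks."""
    # ossec.conf may hold several <ossec_config> roots, so wrap before parsing.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    enabled, networks = False, []
    for remote in root.iter("remote"):
        if (remote.findtext("connection") or "").strip() != "syslog":
            continue  # other connection types are not syslog listeners
        enabled = True
        for entry in remote.findall("allowed-ips"):
            if entry.text and entry.text.strip():
                networks.append(ipaddress.ip_network(entry.text.strip(), strict=False))
    return enabled, networks

def lint(conf_text, max_addresses=256):
    """List findings: empty access list, or ranges wider than max_addresses."""
    enabled, networks = syslog_acl(conf_text)
    findings = []
    if enabled and not networks:
        findings.append("syslog enabled without allowed-ips (remoted error 1501)")
    for net in networks:
        if net.num_addresses > max_addresses:
            findings.append(f"{net} admits {net.num_addresses} source addresses")
    return findings

def is_allowed(conf_text, sender):
    """True if a syslog sender address falls inside the access list."""
    ip = ipaddress.ip_address(sender)
    return any(ip in net for net in syslog_acl(conf_text)[1])

if __name__ == "__main__":
    print(lint(SAMPLE_CONF), is_allowed(SAMPLE_CONF, "192.168.2.9"))
```

Because syslog over UDP carries no authentication, the allowed-ips list is the only filter on who can feed events to the manager, so keeping it to the devices you actually monitor is worth the check.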

Method 2: Using agentless monitoring for network devices

Agentless monitoring allows integrity checking on network devices. The only requirement is an SSH connection to the device, which the agentless daemon uses to scan for checksums and diffs.

First you will need to configure the device you want to monitor in /var/ossec/etc/ossec.conf. There is a list of options that can be used here.

  • Example:

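This configures an integrity check of /bin, /etc and /sbin that runs periodically, every 10 hours (the frequency is given in seconds):

<agentless>
  <type>ssh_integrity_check_linux</type>
  <frequency>36000</frequency>
  <!-- user@host of the monitored device: the same value registered with register_host.sh -->
  <host>root@example.net</host>
  <state>periodic</state>
  <arguments>/bin /etc/ /sbin</arguments>
</agentless>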

Next, we need to enable agentless monitoring and register the host. There are two ways to do this, using SSH keys (recommended) or via password.

  • Enable agentless monitoring
$ /var/ossec/bin/ossec-control enable agentless
  • Register the host
$ /var/ossec/agentless/register_host.sh add root@example.net password

As mentioned above, you can create an SSH key as a secure method of connecting the OSSEC manager to the network device. And if you are really paranoid, you can use something like this:

$ ssh-keygen -b 4096 -f .ssh/id_rsa4096 -C user@servername -o -a 1000

After you have configured ossec.conf, enabled agentlessd and registered the host, you should be ready to receive alerts.

Note: if you are using a Debian or RedHat server for your manager, and you would prefer to use passwords instead of SSH keys, you will need to install the expect libraries (apt-get install expect) in order to execute the agentlessd scripts.

Remember you can troubleshoot issues by watching the logs for errors.

$ tail -f /var/ossec/logs/ossec.log

If you have any questions about this, join our Slack #community channel! Our team and other contributors will help you.