Updates to the good old HIDS: OSSEC and Wazuh

So back in the day I began working with OSSEC, the open source host-based intrusion detection system. OSSEC has been around since 2004 and has been shepherded by Trend Micro since 2009. I ran the base package for some years, but was frustrated by the lack of native support for a first-party reporting dashboard or management platform, so my installs gradually waned into neglect. This past week I decided to reignite my relationship with the tool by trying out one of the projects that has sprouted up around OSSEC and expanded its capabilities and rule sets: Wazuh.


So while OSSEC was a fairly single-purpose tool driven almost entirely from the command line, Wazuh has packaged its fork of OSSEC with a deployment of the ELK stack (Elasticsearch, Logstash, Kibana) and its own Kibana app as the dashboard. Not only that, they have heavily expanded on the OSSEC capabilities I was familiar with, adding vulnerability assessment, GDPR and PCI DSS compliance mapping, CIS Top 20 assessments, VirusTotal integration, Slack integration and osquery support, just to mention a few. This is not the OSSEC I had been familiar with.

So far I've been playing with all the possibilities and I'm quite impressed. One recommendation I have is tied to the VirusTotal integration: in a default configuration you will likely not be pleased, as the tool will quickly exhaust your API limits unless you are paying for the premium enterprise packages. The integration fires one lookup per matching file-integrity alert, so a burst of syscheck changes becomes a burst of API calls. I recommend the following tweak if you are using a public API key, placed in the integration's Python script before it makes the request:

time.sleep(18)

This keeps you under the 4 API calls per minute that the public VirusTotal API is restricted to (18 seconds between calls works out to at most 3.3 per minute); since adding it I have not hit the API limit again. One caveat: a public key also has a daily cap (500 requests), which a sleep between calls does nothing about, so if syscheck produces more changes than that in a day the extra lookups will still be rejected.
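The fixed sleep is the quick fix. As an added example (not Wazuh's own integration script and not from the original post), here is a small sliding-window limiter that only waits when the 4-per-minute window is actually full and refuses lookups once the 500-per-day budget is gone, wired to a VirusTotal-style hash lookup. The clock, sleep and HTTP call are injected so it runs offline; the v2 file/report endpoint, the syscheck field names (`md5_after`, `sha256_after`), the `fetch` callable, the alert dicts and the API key are assumptions for illustration.

```python
"""Rate-limited VirusTotal hash lookups, Wazuh-integration style (added example).

Not Wazuh's integrations/virustotal.py: a sliding-window limiter keeps a public
API key under 4 lookups/minute and 500/day. The clock, sleep and HTTP call are
injected so the whole thing runs offline; the alert layout, the `fetch`
callable and the API key are assumptions for illustration.
"""
from collections import deque
import time

PUBLIC_PER_MINUTE = 4       # VirusTotal public API: 4 lookups/minute ...
PUBLIC_PER_DAY = 500        # ... and 500 lookups/day
MINUTE = 60.0
DAY = 86400.0
VT_FILE_REPORT = "https://www.virustotal.com/vtapi/v2/file/report"


class QuotaExhausted(Exception):
    """Daily budget for the key is used up; sleeping would not help."""


class RateLimiter:
    """At most per_minute calls in any 60 s span and per_day in any 24 h span.

    now()/sleep() are injectable so the limiter can be driven by a fake clock.
    """

    def __init__(self, per_minute=PUBLIC_PER_MINUTE, per_day=PUBLIC_PER_DAY,
                 now=time.monotonic, sleep=time.sleep):
        self.per_minute, self.per_day = per_minute, per_day
        self.now, self.sleep = now, sleep
        self.minute = deque()   # timestamps of calls made in the last minute
        self.day = deque()      # timestamps of calls made in the last day

    def _expire(self, t):
        while self.minute and t - self.minute[0] >= MINUTE:
            self.minute.popleft()
        while self.day and t - self.day[0] >= DAY:
            self.day.popleft()

    def acquire(self):
        """Block until a call is permitted; return the seconds slept."""
        t = self.now()
        self._expire(t)
        if len(self.day) >= self.per_day:
            raise QuotaExhausted("daily VirusTotal quota reached; dropping lookup")
        slept = 0.0
        if len(self.minute) >= self.per_minute:
            # Wait exactly until the oldest call in the window falls out of it.
            slept = MINUTE - (t - self.minute[0])
            self.sleep(slept)
            self.minute.popleft()
            t = self.now()
            self._expire(t)
        self.minute.append(t)
        self.day.append(t)
        return slept


def hash_from_alert(alert):
    """Post-change hash from a syscheck alert, preferring SHA-256 over MD5."""
    syscheck = alert.get("syscheck") or {}
    return syscheck.get("sha256_after") or syscheck.get("md5_after")


class VirusTotalLookup:
    """fetch(url, params) is an injected HTTP GET returning decoded JSON
    (requests.get(url, params=params).json() in real use)."""

    def __init__(self, api_key, fetch, limiter):
        self.api_key, self.fetch, self.limiter = api_key, fetch, limiter

    def lookup(self, file_hash):
        """Return (report, seconds_slept); report is None if the day's quota is gone."""
        try:
            slept = self.limiter.acquire()
        except QuotaExhausted:
            return None, 0.0
        params = {"apikey": self.api_key, "resource": file_hash}
        return self.fetch(VT_FILE_REPORT, params), slept


class FakeClock:
    """Deterministic clock for offline runs: sleep() just advances time."""
    def __init__(self):
        self.t = 0.0
    def now(self):
        return self.t
    def sleep(self, seconds):
        self.t += seconds


def max_calls_in_any_window(times, window=MINUTE):
    """Largest number of call timestamps that fall within `window` seconds."""
    return max((sum(1 for t in times[i:] if t - start < window)
                for i, start in enumerate(times)), default=0)


def run_offline_demo():
    """A burst of six constructed syscheck alerts, no network access."""
    clock, call_times = FakeClock(), []

    def fake_fetch(url, params):
        call_times.append(clock.t)
        clock.sleep(1.0)                      # pretend the round-trip takes 1 s
        return {"response_code": 1, "positives": 0, "resource": params["resource"]}

    vt = VirusTotalLookup("HYPOTHETICAL_PUBLIC_KEY", fake_fetch,
                          RateLimiter(now=clock.now, sleep=clock.sleep))
    alerts = [{"syscheck": {"path": "/tmp/f%d" % i, "md5_after": "%032x" % (i + 1)}}
              for i in range(6)]               # constructed alerts
    sleeps = [vt.lookup(hash_from_alert(a))[1] for a in alerts]
    return {"sleeps": sleeps, "call_times": call_times, "elapsed": clock.t}


if __name__ == "__main__":
    result = run_offline_demo()
    print(result)
    print("max lookups in any 60 s window:", max_calls_in_any_window(result["call_times"]))
```

In the offline run the first four lookups go straight out, the fifth waits 56 seconds for the oldest one to age out of the window, and the sixth is free again, so an isolated alert is never delayed while a burst still never exceeds four calls in any minute. To use it for real, swap `fake_fetch` for a `requests.get(...).json()` wrapper and keep the limiter instance alive for as long as the process that calls the API lives; a limiter re-created per invocation knows nothing about earlier calls.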

I am also just beginning to play with the custom rule configurations, and tried letting Wazuh manage scheduled malware scans using my Blazescan DFIR tool, with results I'm quite happy with. (Hat tip to Xavier Mertens of SANS for the write-up on running custom commands in OSSEC.)

So these are first impressions, and so far they are quite good. I'll likely write some follow-up material, perhaps tutorials, after I've had more time with it.


If you have any questions, feel free to find me on Twitter @laskow26.