Wazuh OSSEC fork - anyone using it?


Mike Seward

Feb 1, 2016, 2:57:02 PM
to security-onion
Has anyone tried using the Wazuh OSSEC fork instead of the stock OSSEC server with Security Onion? I'm interested in it mainly as it can use its own API calls to register new OSSEC installations, so helping automate registration of new clients.

http://wazuh-documentation.readthedocs.org/en/latest/ossec_wazuh.html
http://www.wazuh.com/

Doug Burks

Feb 1, 2016, 3:56:24 PM
to securit...@googlegroups.com
Hi Mike,

There are many ways of automating OSSEC agent registration even using
our existing vanilla OSSEC package. You could script it manually
(I've done this for customers) or consider something like this
(haven't tried this myself):
https://www.binarydefense.com/bds/tool-release-auto-ossec-automated-ossec-deployment/
https://www.binarydefense.com/uncategorized/tool-update-auto-ossec-msi-builder/
> --
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at https://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/d/optout.



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Alessandro Di Giuseppe

Apr 30, 2017, 9:28:38 AM
to security-onion

I've been using Wazuh-OSSEC v1.1 on top of Security Onion for the past year, and so far it works well. I've also used their Windows agent auto-registration APIs to deploy 30+ agents automagically. (Some tweaking/scripting required)

My SO-Wazuh hybrid setup: Wazuh-OSSEC v.1. installed over OSSEC on SO all-in-one, and pointing Wazuh-OSSEC agent JSON logs via Logstash-Forwarder to Wazuh-ELK stack on separate VM.

Wazuh 2.0 was just released, and it looks like a really great upgrade... looking forward to testing it out soon.

I'm hoping that with SO going towards ELK stack, SO and Wazuh might converge... <fingers crossed>

Doug?
;-)

wedgeshot

Apr 30, 2017, 9:08:31 PM
to security-onion

FWIW - We used this tool to deploy ossec in the past and it worked well. We changed the key as noted in the script documentation. Also, instead of building into an MSI for the windows systems we used the python from our saltstack installation using the script.

Cheers,

Kevin Branch

Apr 30, 2017, 9:35:21 PM
to securit...@googlegroups.com
Wazuh 2.0 rocks.  I'm so happy they have arrived at release!

I've been using pre-release Wazuh Agent 2.0 on my standalone Security Onion systems for some time, with Wazuh Manager 2.0 plus ElasticStack 5.x on separate servers.   This is working well for me.  I can't think of why you couldn't overwrite OSSEC server on SO with Wazuh Manager, though in my case I'm using it for full log centralization and don't want to add that load to my standalone SO instances.    I'm not using any standard distributed deployments of OSSEC at this time, so I'm not sure what special details might need attention to get everything right with Wazuh Agent on SO sensors and Wazuh Manager on the SO server.  Doug, do OSSEC sensor installs normally run OSSEC agent registered with OSSEC server on the SO server?

Take care when running SO updates, as soup might overwrite your Wazuh configs.  To be extra conservative about the possibility of soup breaking my Wazuh config, or of my replacement of OSSEC with Wazuh breaking soup, I wrote a pair of scripts to swap back and forth between the stock SO OSSEC setup and the replacement Wazuh setup before and after running soup, such that soup only sees what it expects as far as OSSEC goes, and any changes made to OSSEC configs by soup will not actually overwrite production Wazuh settings.   If those scripts would be of interest to anyone else, I'd be happy to share them.

If you overwrite SO's ossec-hids-server package with Wazuh Agent, then you should turn off ossec_agent.tcl which normally writes certain OSSEC events to the Sguil database.  Otherwise "service nsm status" will complain about that agent being down.  
/etc/nsm/securityonion.conf: OSSEC_AGENT_ENABLED=no
I presume it would not be too bad to redeploy ossec_agent.tcl on a separate Wazuh Manager server if you wanted to, though I have not tried to.

Also, if you are switching SO to Wazuh, regardless of where your Wazuh Manager is located, I'd suggest looking over SO's custom OSSEC rules to see if you want to add them to your Wazuh ruleset:
From this file on SO with stock OSSEC: /var/ossec/rules/securityonion_rules.xml
add desired rules to this file on your Wazuh Manager: /var/ossec/etc/rules/local_rules.xml

Ultimately, I think SO would benefit from switching over to Wazuh, ideally with an option to choose between Wazuh Manager and Wazuh Agent, once the Wazuh 2.0 release is more than a few days old.  In the mean time, it is not very difficult to fold in manually.

Kevin Branch
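Kevin's suggestion to fold SO's custom rules into the Wazuh Manager's local_rules.xml has one trap: a rule id that already exists in the local ruleset gets the whole ruleset rejected. This added Python example (not from the thread, Security Onion or Wazuh) parses both files, skips any SO group whose ids are already taken locally, and emits the rest; the rule content in the two sample strings is constructed.

```python
"""Fold Security Onion's custom OSSEC rules into a Wazuh Manager's
local_rules.xml without introducing duplicate rule ids. Rule files are a
sequence of top-level <group> elements with no single document root, so each
file is wrapped in a synthetic root before parsing."""
import xml.etree.ElementTree as ET

def parse_rule_file(text):
    """Return the top-level elements (<group>, <var>, ...) of a rule file."""
    return list(ET.fromstring("<rules>" + text + "</rules>"))

def rule_ids(elements):
    """Collect every <rule id="..."> found under the given elements."""
    return {rule.get("id") for el in elements for rule in el.iter("rule")}

def merge_rules(so_text, local_text):
    """Append SO groups to the local file; return (merged_text, skipped_ids).
    A group whose rule ids already exist locally is skipped whole, since a
    duplicated id makes the analysis daemon reject the entire ruleset."""
    existing = rule_ids(parse_rule_file(local_text))
    kept, skipped = [], set()
    for group in parse_rule_file(so_text):
        ids = rule_ids([group])
        if ids & existing:
            skipped |= ids & existing
            continue
        existing |= ids
        kept.append(ET.tostring(group, encoding="unicode").strip())
    merged = (local_text.rstrip()
              + "\n\n<!-- imported from securityonion_rules.xml -->\n"
              + "\n".join(kept) + "\n")
    return merged, skipped

# Constructed sample inputs standing in for the two files named in the thread:
# /var/ossec/rules/securityonion_rules.xml (SO) and
# /var/ossec/etc/rules/local_rules.xml (Wazuh Manager). Rule 100001 collides.
SO_RULES = """<group name="local,securityonion,">
  <rule id="100001" level="3"><if_sid>5501</if_sid>
    <description>Constructed: login session opened</description></rule>
</group>
<group name="local,sostatus,">
  <rule id="100010" level="7"><match>service down</match>
    <description>Constructed: a sensor service reported down</description></rule>
</group>
"""
LOCAL_RULES = """<group name="local,syslog,">
  <rule id="100001" level="5"><if_sid>5716</if_sid>
    <description>Constructed: existing local rule</description></rule>
</group>
"""
```

Run `merge_rules(SO_RULES, LOCAL_RULES)` to see the `sostatus` group appended and `100001` reported as skipped; in practice, renumber the skipped SO rules into a free id range and re-run.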






Kevin Branch

May 4, 2017, 12:08:14 PM
to securit...@googlegroups.com
I've used auto-ossec before at several sites and was pleased with it, but in its present form it is not compatible with Wazuh.    Both its client and server scripts have references to the init.d service called "ossec" which does not exist under that name with Wazuh installations.  There may be other issues as well.  I don't imagine it would take much to get auto-ossec Wazuh-compatible, though.   

On the other hand, Wazuh 2.0 includes majorly improved support for authenticated agent self-registration, for both Windows and Linux agents.  With the built-in agent-auth on the agent side and ossec-authd on the manager side, you have about all that is needed to self-register Windows and Linux agents, with password-based agent authentication or multiple options for certificate-based agent/manager authentication.  I'm planning on trying that out before exploring the auto-ossec Wazuh compatibility issue.

See the Wazuh docs for more about agent self-registration options:

Kevin


Kevin Branch

May 4, 2017, 2:05:41 PM
to securit...@googlegroups.com
Self-correction:  Wazuh's agent-auth.exe self-registration can only be authenticated by password at this time.  The SSL self-registration methods only work for Wazuh's Linux (and possibly other *nix) agent-auth programs.  Hopefully Wazuh's agent-auth.exe will catch up to the full feature set of their agent-auth *nix program soon.

Kevin
