- Introduction to Wazuh
- HIDS,OSSEC and Wazuh
- Components of Wazuh
- Architecture of Wazuh
- Deployment Methods
- Wazuh Features
- Wazuh Demo
- Wazuh Integration
- Ubuntu Endpoint agent Enrollment
- Windows Endpoint agent Enrollment
- Uninstalling the Wazuh agent
- Wazuh Ruleset & Decoders
- Hands on lab 1: File Integrity Monitoring
- Hands on lab 2: Network Intrusion Detection using Suricata IDS
- Hands on Lab 3: Detecting Vulnerabilities
- Hands on lab 4: Detecting Execution of Malicious Commands
- Hands on lab 5: Detecting and Blocking Brute Force Attack
- Detecting and removing malware using VirusTotal integration
- Linux-Server Hardening
OSSEC is an open source Host-based Intrusion Detection System (HIDS) platform. It was created by Daniel Cid in 2004. In 2015 Wazuh was created as a fork of OSSEC.
A Host-Based Intrusion Detection System is installed directly on the endpoints or servers. Its purpose is to identify malicious activity or policy violations on each individual host or device, so it is deployed on every host that needs to be monitored. Examples of what it watches: memory, suspicious processes, rootkit installation and kernel-level activity.
OSSEC and Wazuh Features
- Log Analysis
- File Integrity
- Rootkit Detection
- Real-Time Alerts
- Compliance
- Vulnerability Detection
- Security Configuration Assessment (SCA) ---> CIS Benchmarks
- Cloud Security (AWS,AZURE,GOOGLE CLOUD...)
- Comprehensive Dashboard
- Integration
- Better Community Support
S.No | Components |
---|---|
1. | Agent |
2. | Server |
3. | Indexer |
4. | Dashboard |
S.No | Agent Modules | Description |
---|---|---|
1. | Active response | Incident response: a script that is triggered automatically on the endpoint when a specific rule matches (for example blocking an attacking IP) |
2. | Command execution | Runs authorized commands on the agent periodically and reports their output to the server for analysis |
3. | Configuration assessment | Security audit: checks the host configuration against hardening policies such as the CIS benchmarks |
4. | Container security | Docker, Kubernetes, OpenShift |
5. | Cloud security | AWS, Azure, GCP |
6. | File integrity monitoring | Monitors files for addition, modification and deletion, and for changes to ownership and permissions |
7. | Log collector | Collects OS and application logs and forwards them to the server |
8. | Malware detection | Detects malicious files (rootkit checks, VirusTotal lookups) |
9. | System inventory | Collects installed applications, hardware, OS, network interfaces, open ports and running processes |
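The active response row above describes a script that runs when a rule matches. On Wazuh 4.x such a script is placed in /var/ossec/active-response/bin/ on the agent and is driven by the agent's execd over stdin/stdout with one JSON message per line. The following skeleton, added here as an example and not a script shipped with Wazuh, implements that exchange; the "block-ip" origin name, the in-memory Firewall class and the alert contents are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Skeleton of a Wazuh 4.x custom active-response script (added example, not a
script shipped with Wazuh). The agent's execd starts the script and talks to it
with one JSON object per line over stdin/stdout:
  1. execd  -> script : {"command": "add" | "delete", "parameters": {"alert": {...}}}
  2. script -> execd  : {"command": "check_keys", "parameters": {"keys": [...]}}   (add only)
  3. execd  -> script : {"command": "continue" | "abort"}
"delete" is sent when a stateful response times out. The firewall here is an
in-memory stand-in so the block runs offline; a real script would call
iptables/netsh at the same points."""
import ipaddress
import json
import sys

ADD, DELETE = "add", "delete"
CHECK_KEYS, CONTINUE = "check_keys", "continue"


class Firewall:
    """Stand-in for the host firewall: remembers which source IPs are blocked."""
    def __init__(self):
        self.blocked = set()

    def block(self, ip):
        self.blocked.add(ip)

    def unblock(self, ip):
        self.blocked.discard(ip)


def src_ip(alert):
    """Take data.srcip from the alert, but only if it is a literal IP address:
    the value came from an untrusted log line and must never reach a shell."""
    try:
        return str(ipaddress.ip_address(alert.get("data", {}).get("srcip", "")))
    except ValueError:
        return None


def handle(stdin, stdout, firewall):
    """Run one execd exchange; returns a status string (the script's own log line)."""
    line = stdin.readline()
    if not line:
        return "no-input"
    msg = json.loads(line)
    ip = src_ip(msg.get("parameters", {}).get("alert", {}))
    if ip is None:
        return "bad-srcip"
    if msg.get("command") == ADD:
        # Report the key we are about to act on; execd answers "abort" if that
        # key is already being handled by another instance of this response.
        stdout.write(json.dumps({
            "version": 1,
            "origin": {"name": "block-ip", "module": "active-response"},
            "command": CHECK_KEYS,
            "parameters": {"keys": [ip]},
        }) + "\n")
        stdout.flush()
        reply = json.loads(stdin.readline() or "{}")
        if reply.get("command") != CONTINUE:
            return "aborted"
        firewall.block(ip)
        return "blocked " + ip
    if msg.get("command") == DELETE:
        firewall.unblock(ip)
        return "unblocked " + ip
    return "unknown-command"


def demo():
    """Replay the protocol offline with constructed execd messages."""
    from io import StringIO

    def run(messages, fw):
        out = StringIO()
        status = handle(StringIO("".join(json.dumps(m) + "\n" for m in messages)), out, fw)
        return status, out.getvalue()

    alert = {"rule": {"id": "5712"}, "data": {"srcip": "203.0.113.9"}}  # constructed alert
    fw = Firewall()
    blocked, sent = run([{"command": ADD, "parameters": {"alert": alert}},
                         {"command": CONTINUE}], fw)
    aborted, _ = run([{"command": ADD, "parameters": {"alert": alert}},
                      {"command": "abort"}], fw)
    unblocked, _ = run([{"command": DELETE, "parameters": {"alert": alert}}], fw)
    evil = {"data": {"srcip": "1.2.3.4; rm -rf /"}}   # injection attempt via the log
    rejected, _ = run([{"command": ADD, "parameters": {"alert": evil}}], fw)
    return {"blocked": blocked, "check_keys": json.loads(sent)["parameters"]["keys"],
            "aborted": aborted, "unblocked": unblocked, "rejected": rejected,
            "final_blocked": sorted(fw.blocked)}


if __name__ == "__main__":
    # Under execd: real stdin/stdout; log status to stderr so stdout stays protocol-only.
    print(handle(sys.stdin, sys.stdout, Firewall()), file=sys.stderr)
```

The srcip check matters: the alert field is copied straight from whatever the attacker wrote into the log, so a script that interpolates it into an iptables command line without validation turns the response itself into a command-injection path.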
S.No | Agent Daemon Functions |
---|---|
1. | Data Encryption |
2. | Modules Management |
3. | Remote Configuration |
4. | Server Authentication |
Component | Architecture |
---|---|
A component has a smaller scope: it focuses on one piece of functionality, i.e. the individual services or modules that make up the system | Architecture is the high-level structure of the whole software: how the components fit together, and the system-wide properties that follow from it, such as performance (which improves with better scalability and elasticity), the database, the security functions and how the entire infrastructure is maintained |
- Distributed Servers
- Virtual Machine
- Amazon Machine Image (AMI)
- Docker
- Kubernetes
Single node
- all-in-one: Wazuh server (manager), indexer and dashboard on one host
Multi node (at least 2 nodes)
- Wazuh server cluster: a master node and one or more worker nodes
- indexer (one or more indexer nodes)
- dashboard
S.No | Feature | Description |
---|---|---|
1. | Intrusion Detection | Scans and monitors endpoints: looks for rootkits and malware, and detects hidden files and unregistered network listeners. |
2. | Log Data Analysis | The agent reads OS and application logs, encrypts them and sends them to the manager (server) for rule-based analysis. Devices that cannot run an agent, such as routers or switches, still send their data over syslog. |
3. | File Integrity Monitoring | Wazuh monitors the file system and identifies changes in the content, permissions, ownership and other attributes of files, generating an alert on any unauthorized change. This also supports compliance requirements such as PCI DSS. |
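The Log Data Analysis row says the manager runs rule-based analysis over the collected logs; the brute-force lab in the outline is the classic case, where a composite rule counts events from the same source within a time window. The block below, added as an example and not Wazuh code, implements that pipeline in miniature: a decoder that turns sshd "Failed password" lines into fields, a simple rule and a frequency/timeframe rule. The rule numbers 5716 (failed password, level 5) and 5712 (brute force, level 10, frequency 8 within 120 s) mirror the Wazuh sshd ruleset; the log lines and host names are constructed for the example.

```python
"""Rule-based log analysis in the style of the Wazuh manager (added example,
not Wazuh code). decode() is the decoder, RuleEngine holds the rules:
rule 5716 fires on every failed login, rule 5712 fires when one source IP
accumulates `frequency` failures inside `timeframe` seconds."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Decoder: matches sshd "Failed password" lines and extracts user and source IP.
SSHD_FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<srcip>[\d.]+) port \d+"
)


def decode(line, year=2024):
    """Return the decoded fields for a failed-login line, or None if the line
    does not match (classic syslog carries no year, so one is supplied)."""
    m = SSHD_FAILED.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"timestamp": ts, "user": m["user"], "srcip": m["srcip"]}


class RuleEngine:
    """Evaluates the two rules; keeps a sliding window of failure times per srcip."""
    def __init__(self, frequency=8, timeframe=120):
        self.frequency = frequency      # failures needed to trigger the brute-force rule
        self.timeframe = timeframe      # ... within this many seconds
        self.window = defaultdict(deque)

    def evaluate(self, event):
        alerts = [{"rule": 5716, "level": 5, "srcip": event["srcip"], "user": event["user"]}]
        q = self.window[event["srcip"]]
        q.append(event["timestamp"])
        # Drop failures older than the timeframe before counting.
        while (event["timestamp"] - q[0]).total_seconds() > self.timeframe:
            q.popleft()
        if len(q) >= self.frequency:
            alerts.append({"rule": 5712, "level": 10, "srcip": event["srcip"], "count": len(q)})
            q.clear()   # one alert per burst instead of one per further attempt
        return alerts


def analyze(lines, frequency=8, timeframe=120):
    """Run decoder and rules over raw log lines; returns the alerts produced."""
    engine = RuleEngine(frequency, timeframe)
    alerts = []
    for line in lines:
        event = decode(line)
        if event is not None:
            alerts.extend(engine.evaluate(event))
    return alerts


# Constructed sample: 8 failures from one IP in 8 s, one stray failure, one success.
SAMPLE_LOGS = [
    f"Jan 15 10:00:0{i} srv1 sshd[1{i}]: Failed password for root from 203.0.113.9 port 4000{i} ssh2"
    for i in range(1, 9)
] + [
    "Jan 15 10:00:09 srv1 sshd[19]: Failed password for invalid user admin from 198.51.100.4 port 40009 ssh2",
    "Jan 15 10:00:10 srv1 sshd[20]: Accepted publickey for bob from 10.0.0.5 port 40010 ssh2",
]


def demo():
    return analyze(SAMPLE_LOGS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
</code>
```

Running the sample yields nine level-5 alerts (one per failed line) and a single level-10 brute-force alert for 203.0.113.9 on its eighth attempt; the stray failure from 198.51.100.4 and the successful login never reach the threshold.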
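The File Integrity Monitoring row above and the FIM row in the agent modules table both describe the same mechanism: record a baseline of each file's content hash and attributes, rescan, and alert on what differs. The block below is an added example of that mechanism written for this page; it is not Wazuh's syscheck code. The tracked attribute set, the temporary directory and the file names are assumptions made for the example.

```python
"""Minimal file integrity monitor (added example, not Wazuh's syscheck code).
Takes a baseline of every regular file under a directory (SHA-256 of the
content, permission bits, owner, group, size), then diffs a later scan against
it and reports the same event classes syscheck raises: added, deleted and
modified, naming the attributes that changed."""
import hashlib
import os
import shutil
import stat
import tempfile

FIELDS = ("sha256", "mode", "uid", "gid", "size")


def file_record(path):
    """Attributes tracked per file. lstat so a symlink is never followed."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}


def scan(root):
    """Return {relative path: record} for every regular file under root."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue   # skip symlinks and special files
            records[os.path.relpath(full, root)] = file_record(full)
    return records


def diff(old, new):
    """Compare two scans; returns sorted (event, path, changed_fields) tuples."""
    events = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            events.append(("added", path, ()))
        elif path not in new:
            events.append(("deleted", path, ()))
        else:
            changed = tuple(f for f in FIELDS if old[path][f] != new[path][f])
            if changed:
                events.append(("modified", path, changed))
    return events


def demo():
    """Build a throw-away tree (constructed data), take a baseline, tamper, report."""
    root = tempfile.mkdtemp(prefix="fim-")
    try:
        for name, data in (("a.txt", b"hello"), ("b.txt", b"keep")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        os.chmod(os.path.join(root, "a.txt"), 0o644)
        baseline = scan(root)
        with open(os.path.join(root, "a.txt"), "wb") as f:
            f.write(b"hello!")                        # content and size change
        os.chmod(os.path.join(root, "a.txt"), 0o600)  # permission change
        os.remove(os.path.join(root, "b.txt"))        # deletion
        with open(os.path.join(root, "c.txt"), "wb") as f:
            f.write(b"new")                           # addition
        return diff(baseline, scan(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for event, path, changed in demo():
        print(event, path, " ".join(changed))
```

Hashing alone would miss a chmod that makes /etc/shadow world-readable, and mtime alone is trivially reset by an attacker, which is why the record carries mode, owner and group next to the content hash; Wazuh's syscheck tracks the same kind of attribute set and, on Linux, can additionally use whodata (audit) to record which process made the change.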
Antivirus / EDR
- ClamAV
- Kaspersky Antivirus
- McAfee
- Sophos
- Symantec Endpoint Protection
- CrowdStrike Falcon
- Carbon Black
- CylancePROTECT
- SentinelOne
- Microsoft Defender for Endpoint
SOAR / Incident Response
- Shuffle SOAR
- Cortex XSOAR
- Siemplify
- Swimlane
- TheHive
- MISP (Malware Information Sharing Platform)
- IR Flow
- IBM Resilient
- Splunk Phantom
Threat Intelligence
- VirusTotal
- AlienVault OTX
- IBM X-Force Exchange
- Recorded Future
- ThreatConnect
Network IDS
- Suricata
- Snort
- Zeek (formerly Bro)
Log Management / Visualization
- Graylog
- Grafana
- Elastic Stack
Cloud and Edge Services
- AWS CloudTrail
- Azure Security Center
- Google Cloud Security Command Center
- Cloudflare
Windows agent install directory (the agent is removed from Apps & Features or with the MSI installer):
C:\Program Files (x86)\ossec-agent
Linux: stop and disable the service before removing the package, so the agent does not keep running from a half-removed install.

```bash
# stop the running agent and make sure it does not start again at boot
systemctl stop wazuh-agent
systemctl disable wazuh-agent
systemctl daemon-reload

# RPM-based systems (RHEL, CentOS, Fedora); yum leaves /var/ossec behind
yum remove wazuh-agent
rm -rf /var/ossec

# Debian/Ubuntu: remove the package, then purge its configuration files
apt-get remove wazuh-agent -y
apt-get remove --purge wazuh-agent -y
```
Uninstalling the package only cleans the endpoint; the agent's key still exists on the manager. Remove it there with the interactive tool /var/ossec/bin/manage_agents (option A adds an agent, E extracts its key for enrollment, L lists agents, R removes one):

```text
wazuh@wazuh:~$ sudo /var/ossec/bin/manage_agents

****************************************
* Wazuh v4.9.2 Agent manager.          *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: r

Available agents:
  ID: 001, Name: windows-test, IP: any
  ID: 002, Name: on-ubuntu, IP: any
Provide the ID of the agent to be removed (or '\q' to quit):
```