Introduction Detection

From The World according to Vissie

OSSEC

https://blog.rapid7.com/2017/06/30/how-to-install-and-configure-ossec-on-ubuntu-linux/
https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-ossec-security-notifications-on-ubuntu-14-04

I had to set up email first

Mail

Custom rules

Wetty

https://groups.google.com/forum/#!topic/ossec-list/PZbxUx46QzE
vim: /etc/acpi/lid.sh
 <rule id="100014" level="0">
    <if_sid>31533</if_sid>
    <url>^/socket.io</url>
    <description>Ignoring Humhub Polls module activation events, phpMyAdmin and HackMd (socket.io).</description>
 </rule>

Snort

https://www.upcloud.com/support/installing-snort-on-debian/

To use a whitelist and blacklist, you HAVE to set up the reputation preprocessor

https://sublimerobots.com/2015/12/the-snort-reputation-preprocessor/

Add the 2 rules.

Send Snort alerts to syslog:

https://www.oreilly.com/library/view/snort-cookbook/0596007914/ch02s16.html
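The three Snort steps above (reputation preprocessor, the two list files, syslog output) in one place, as an added example that is not taken from the linked tutorials. The fence holds three files separated by header comments; the paths under /etc/snort/rules and the sample addresses are assumptions.

```conf
# --- /etc/snort/snort.conf fragment (added example) ---
# Assumed list locations; adjust to wherever the list files live.
var WHITE_LIST_PATH /etc/snort/rules
var BLACK_LIST_PATH /etc/snort/rules

# Reputation preprocessor: without this block the list files are never read.
# priority whitelist: an address present on both lists is treated as allowed.
# nested_ip inner: match on the inner IP header of tunnelled traffic.
preprocessor reputation: \
    memcap 500, \
    priority whitelist, \
    nested_ip inner, \
    whitelist $WHITE_LIST_PATH/white_list.rules, \
    blacklist $BLACK_LIST_PATH/black_list.rules

# Forward every alert to the local syslog daemon (facility auth, priority alert)
# so it lands wherever the rest of the host logs are collected.
output alert_syslog: LOG_AUTH LOG_ALERT

# --- /etc/snort/rules/black_list.rules (constructed sample) ---
# One IP address or CIDR block per line; '#' starts a comment.
# Traffic to or from these addresses raises generator 136, SID 1 ("Packet is blacklisted").
203.0.113.0/24
198.51.100.7

# --- /etc/snort/rules/white_list.rules (constructed sample) ---
# Addresses here are excluded from the blacklist check, e.g. a monitoring host.
192.0.2.10
```

After editing, run `snort -T -c /etc/snort/snort.conf` to validate the configuration before restarting the daemon; a missing list file is reported at that stage rather than at runtime.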