RT Logic CyberC4:Alert v4.12
AlienVault, Open Threat Exchange and Unified Security Management are trademarks of AlienVault. All other company and product
names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective
companies.
AlienVault Unified Security Management™ for Government v4.12
HIDS Deployment on Windows
TABLE OF CONTENTS
1. INTRODUCTION ...................................................................................................... 4
2. PREREQUISITES ..................................................................................................... 4
4. VALIDATION ............................................................................................................ 5
4.1. Validation on the Client ............................................................................................... 6
4.2. Validation on the Server ............................................................................................. 7
1. INTRODUCTION
AlienVault USM for Government includes a built-in host-based intrusion detection system (HIDS)
agent that provides the following core features:
1. Log Monitoring and Collection
2. File Integrity Checking
3. Windows Registry Integrity Checking
4. Active Response
The AlienVault HIDS agent uses a server/agent architecture, with limited agentless support
for certain operating systems.
Agents are deployed to client systems and run as a continuously resident service. Each agent
initiates the connection to the central server over UDP port 1514, so this port must be allowed
through any internal firewalls between the monitored hosts and the server (outbound from the
agents, inbound on the server). The agent traffic is encrypted with a key that is unique to each
registered agent; the preconfigured installer described below embeds that key, so treat the
installer file as a credential and do not leave copies on shared locations.
2. PREREQUISITES
• A host to be monitored running:
o Windows Server 2003 and 2008
o Windows 7, XP, 2000 and Vista
• An account with administrative rights for installation
4. Once the entry for the new agent has been added, locate its row in the agent list and, in the
group of icons to the right of that row, click the Download Preconfigured Agent for Windows icon:
5. The system assembles a preconfigured installer binary; this may take a short time to
complete.
6. The assembled installer will then be downloaded. The file name will resemble the
following:
ossec_installer_564dabd0-fa1c-fd4c-d391-8feedf3246ff_001.exe
7. If necessary, copy the generated installer binary to the intended client host for
installation.
8. Run the executable as an administrator. The installer briefly runs in a console window, then
displays its progress UI for a short time, and exits once the installation is complete.
9. When the installation has completed, continue with the Validation section of this document.
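The steps above are a manual, per-host procedure. The script below is an added example (it is not from the AlienVault guide or the product) of doing the same deployment unattended from an elevated PowerShell session on Windows Vista/2008 or later with PowerShell 4 or newer: it allows the agent's outbound UDP 1514 traffic on the host firewall, records the installer hash, runs the installer silently, and checks that the agent service is up and that the embedded configuration points at the expected server. The installer switch `/S` (NSIS-style silent install), the service name `OssecSvc`, the install directory `C:\Program Files (x86)\ossec-agent` and the `<server-ip>` element in `ossec.conf` are assumptions, not facts stated on this page; confirm them against your installer before relying on the script.

```powershell
#Requires -RunAsAdministrator
# Added example, not AlienVault's own code. Unattended deployment of the
# preconfigured HIDS agent installer on one Windows host.
# Assumptions (not from the guide): NSIS /S silent switch, service name OssecSvc,
# install path C:\Program Files (x86)\ossec-agent, <server-ip> element in ossec.conf.
param(
    [Parameter(Mandatory = $true)][string]$InstallerPath,  # e.g. .\ossec_installer_<id>_001.exe
    [Parameter(Mandatory = $true)][string]$ServerIp        # the AlienVault server the agent was registered on
)

$ErrorActionPreference = 'Stop'
$ruleName = 'AlienVault HIDS agent (UDP 1514 out)'

# 1. Host firewall: the agent initiates the session to the server on UDP 1514, so
#    only outbound traffic to that one address/port needs to be allowed here.
#    netsh is used rather than New-NetFirewallRule so this also works on Vista/7/2008.
$existing = netsh advfirewall firewall show rule name="$ruleName" | Select-String 'Rule Name'
if (-not $existing) {
    netsh advfirewall firewall add rule name="$ruleName" dir=out action=allow `
        protocol=UDP remoteport=1514 remoteip=$ServerIp | Out-Null
}

# 2. Record the installer hash before executing it, so the copy on this host can be
#    compared with the file generated on the server. The preconfigured binary embeds
#    the agent key, so the installer itself is a secret: delete it after installation.
$hash = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
Write-Host "Installer SHA256: $hash"

# 3. Silent install (assumed NSIS /S switch); wait for the installer to exit.
$proc = Start-Process -FilePath $InstallerPath -ArgumentList '/S' -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "Installer exited with code $($proc.ExitCode)" }

# 4. The service must exist and be running; start it if the installer left it stopped.
$svc = Get-Service -Name 'OssecSvc' -ErrorAction SilentlyContinue
if (-not $svc) { throw 'OssecSvc service not found; the installation did not complete.' }
if ($svc.Status -ne 'Running') { Start-Service -Name 'OssecSvc'; $svc.Refresh() }

# 5. The embedded configuration should name the server the agent was registered on;
#    a mismatch means the wrong preconfigured installer was downloaded.
$conf = Join-Path ${env:ProgramFiles(x86)} 'ossec-agent\ossec.conf'
if ((Get-Content -Path $conf -Raw) -notmatch [regex]::Escape("<server-ip>$ServerIp</server-ip>")) {
    Write-Warning "ossec.conf does not list $ServerIp as <server-ip>; check the agent entry on the server."
}

# 6. Remove the installer (it carries the agent key) once the service is confirmed running.
Remove-Item -Path $InstallerPath -Force
Write-Host "Agent service status: $($svc.Status)"
```

Run it as `.\Deploy-HidsAgent.ps1 -InstallerPath .\ossec_installer_<id>_001.exe -ServerIp <server>` from an elevated prompt. The firewall rule is scoped to the server address and UDP 1514 only; widening it to any remote address gives the agent nothing it needs and would let a compromised host talk to arbitrary listeners on that port.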
4. VALIDATION
Validating a successful pairing between the new client agent and the AlienVault Server can
be performed from both sides of the connection.
The log file opens in your system's default application for .txt files (typically Notepad).
A successful connection to the server produces a log entry similar to this:
If the client agent cannot reach the OSSEC service on the AlienVault server, you will instead
see log entries like this:
The trend chart will not populate immediately; it requires events to have been received from
the client for a period of time first.
Your Client Installation is now completed.
When re-launching the OSSEC "Manage Agent" tool on Windows, always start it with the
"Run as administrator" option. If it is started without elevation it will falsely report that
the agent is not running, the service status will be unavailable, and the agent log cannot be
viewed.
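The same client-side validation can be done without the GUI tool. The block below is an added example (not from the AlienVault guide): it classifies the agent's pairing state from the agent log by scanning it newest-first, so a later successful connection overrides an earlier failure, and then reports the service state and connection state of the local host, warning when the session is not elevated because, as the note above explains, an unelevated session cannot see the service status or the log. The service name `OssecSvc`, the log path `C:\Program Files (x86)\ossec-agent\ossec.log` and the exact wording of the OSSEC agent log lines are assumptions; the sample log lines are constructed for the example and are not the entries the guide shows.

```powershell
# Added example, not AlienVault's own code. Client-side validation of the HIDS
# agent pairing from PowerShell. Assumptions (not from the guide): service name
# OssecSvc, log at C:\Program Files (x86)\ossec-agent\ossec.log, and the
# OSSEC-style message text matched by the two regular expressions below.

function Get-HidsAgentConnectionState {
    param([string[]]$LogLines)
    # Walk the log from the newest line backwards; the first connection-related
    # message found decides the state, so a reconnect after a failure counts as Connected.
    for ($i = $LogLines.Count - 1; $i -ge 0; $i--) {
        $line = $LogLines[$i]
        if ($line -match 'Connected to the server \(([^)]+)\)') {
            return [pscustomobject]@{ State = 'Connected'; Server = $Matches[1]; Line = $line }
        }
        if ($line -match "Waiting for server reply \(not started\)\. Tried: '([^']+)'") {
            return [pscustomobject]@{ State = 'NotConnected'; Server = $Matches[1]; Line = $line }
        }
    }
    # No connection message at all: the agent probably never started.
    return [pscustomobject]@{ State = 'Unknown'; Server = $null; Line = $null }
}

# Constructed sample log (same shape as OSSEC agent output; not copied from the guide).
# The failure on the second line is followed by a successful connection, so the
# function reports Connected to 192.0.2.10:1514.
$sample = @(
    '2015/06/01 10:00:01 ossec-agent: INFO: Started (pid: 1432).',
    "2015/06/01 10:00:02 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '192.0.2.10'.",
    '2015/06/01 10:01:05 ossec-agent(4102): INFO: Connected to the server (192.0.2.10:1514).'
)
Get-HidsAgentConnectionState -LogLines $sample | Format-List

# Live check on this host. Without elevation the service status and the log are
# not readable, which is the false "agent not running" symptom the guide warns about.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning 'Not elevated: service status and ossec.log may be unavailable; re-run as administrator.'
}

$svc = Get-Service -Name 'OssecSvc' -ErrorAction SilentlyContinue
$log = Join-Path ${env:ProgramFiles(x86)} 'ossec-agent\ossec.log'
if ($svc -and (Test-Path -Path $log)) {
    $state = Get-HidsAgentConnectionState -LogLines (Get-Content -Path $log)
    [pscustomobject]@{
        Service    = $svc.Status
        Connection = $state.State
        Server     = $state.Server
        Evidence   = $state.Line
    } | Format-List
    if ($state.State -ne 'Connected') {
        Write-Warning "Agent has not paired: confirm UDP 1514 is open to $($state.Server) and that the agent key on the server matches this installer."
    }
}
```

A NotConnected result with the service running almost always means the UDP 1514 path is blocked or the agent was registered against a different server address; an Unknown result with the service stopped means the installation, not the network, is the problem.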
5. LOG MANAGEMENT
Event logs provide the information needed to troubleshoot operational errors and to
investigate potential security exposures.
Navigate to “Analysis > Security Events (SIEM)”. The window is similar to the following: