How OSSEC HIDS works, and how to install it.

OSSEC is a free, open-source host-based intrusion detection system (HIDS).

It analyses and monitor system log files in real-time to check, detect and alerts suspicious activities.

In 2009 the project acquired by Trend Micro.

Supported OSs and devices:

OSSEC supports a wide range of systems and devices; it supports all Linux Distributions, Windows Server 2003 / 2012, BSD family, Solaris, AIX, OSX.
Devices include Cisco PIX, ASA, FWSM, IOS routers, IOS IDS/IPS. Checkpoint Firewall. For a full list of supported systems and devices

Some types of Alerts:

  • When there is a new port open in listening mode on the server.
  • When detecting and blocking port scan or protocol identification.
  • When blocking brute force attacks.
  • Integrity check alerts when a file gets changed.
  • Trojan or rootkit detected.
  • Alert that if a service failed.
  • Installed or removed packages.

Alerts available via: Syslog, instant email alerts, daily email reports, Prelude, store as JSON and store in a database.

The last Resort:

Suppose an attacker passed the external firewall, the internal firewall, the anti-virus and trying to gain access to the system or worse trying to install a rootkit, so this tool can be the last tool you can depend on security, I call it “The last resort.”

Integrity check:

There is always a common thing in viruses and rootlets, is that they alter files, viruses modify files, and rootkits alter kernel. Integrity check works in OSSEC (Also in the similar way in other tools like AIDE) by storing the unique hash MD5/SHA1 of the files, and recheck the system binary files every 6 hours (by default, but can be changed), to ensure nothing changed and alerts if any changed. It is common that they get changed without suspicious behavior, like updating. In either case, you will receive an alert to check. By default the tool checks for the system files in [/etc,/usr/bin,/usr/sbin,/bin,/sbin]

Rootkit check and detect:

OSSEC performs rootkit checks every 2 hours by default based on,
1- Files commonly used by them like stats, fopen, and system calls.
2- Database of Trojans and rootkits signatures.
3- Scan the /dev directory to look for anomalies, the /dev directory should only have device files. A lot of rootkits use the /dev to hide files.
4- Scan the whole filesystem looking for unusual files and permission problems. Files owned by root, with write permission to others.
5- Look for the presence of hidden processes and hidden ports.
6- Scan interfaces on the system and look for the ones with “promiscuous” mode enabled.


Download from (Check the page to download the latest version)

cd /tmp


tar zxvf ossec-hids-*.tar.gz

cd ossec-hids-*

Run the installation script:

The installation is simple and guided if you have a single system choose the option "local"