4.7 Implementing Host-based IDS Functionality Using Wazuh HIDS

The document outlines a lab exercise focused on implementing Host-based Intrusion Detection System (HIDS) functionality using Wazuh HIDS. It details the installation and configuration of Wazuh and its agent to monitor network traffic for malicious activities, including a practical scenario involving an FTP attack. The lab aims to demonstrate the effectiveness of Wazuh in capturing and analyzing security events on a network.

Uploaded by Ziad Nasr

Module 04: Network Perimeter Security

Exercise 7: Implementing Host-based IDS functionality using Wazuh HIDS

Host Intrusion Detection is a requirement for today’s networks. Host-based Intrusion Detection Systems
(HIDS) detect the events on the server and generate alerts. Attacks and threats can be monitored easily
because the full communication stream can be inspected using HIDS.

Lab Scenario

Intrusion Detection Systems (IDS) help monitor network activity. HIDS enables a network defender to
monitor the network traffic for malicious activity or policy violations. Using Wazuh enables network
defenders to perform continuous monitoring and respond to advanced threats.

Lab Objectives

This lab will demonstrate the use of Wazuh HIDS and agent to capture network traffic and show how
to monitor the captured traffic for malicious activities. In this lab, you will learn:

• Installing and configuring Wazuh HIDS and Wazuh agent
• Monitoring network traffic for malicious activity using Sguil

Overview of the Lab

Wazuh (OSSEC) is an open-source HIDS. The Wazuh agent runs at host level, combining anomaly-based
and signature-based techniques to detect intrusions or software misuse. It can also be used to
monitor user activities, assess system configuration, and detect vulnerabilities. Sguil is an
open-source interface for network security monitoring and event-driven analysis of IDS alerts (Snort
and Barnyard). It consists of an intuitive GUI for accessing real-time events, session data, and
network traffic captures.

Lab Tasks

1. Click Admin Machine-2 to launch the AdminMachine-2 VM.
2. Log in with the username sam and password admin@123.
3. To configure Wazuh HIDS for detecting suspicious endpoint activity, right-click on the desktop and select the Open Terminal option from the pop-up list, as shown in the screenshot below.
4. When the terminal window appears, type the command sudo su and press Enter. When prompted for the password, type the system password admin@123 and press Enter.
5. To add the Web Server VM as a Wazuh agent, type the command /var/ossec/bin/manage_agents and press Enter, as shown in the screenshot below.
6. The list of options is displayed. Type A to add the new agent (Web Server) to be monitored and hit Enter.
7. You will be prompted for the new agent's details. Provide the following details as shown in the screenshot below, and hit Enter:

• A name for the new agent: WebServer
• The IP address of the new agent: 10.10.10.16
• Confirm adding it? (y/n): y
8. The Wazuh agent manager will add the new agent. The agent ID here is 001 (it may differ in your lab).
9. To extract the key for the agent (WebServer), type E and hit Enter. You will be prompted for the ID of the agent whose key to extract. Type 001 (in your lab, it may differ).
10. Hit Enter to continue, and type Q to quit the agent configuration. Copy the extracted key.
11. Open another terminal window, type sudo gedit key.txt and hit Enter. If prompted for a password, type admin@123.
12. The new key.txt file opens. Paste the copied key.
13. Save the file and close all windows. Open the home folder from the Desktop and copy the key.txt file to the Desktop.
14. Open the home folder from the Desktop and press CTRL + L. This enables the search text box. Type smb://10.10.10.16 and press Enter.
15. If prompted for credentials, type the username Administrator and password admin@123. Click Connect.
16. The Windows share folder opens. Go to the Desktop and copy the key.txt file. Switch back to the Windows share folder, open the C$ folder, and paste the key.txt file.
17. The agent key has now been shared with the Web Server. To configure the firewall to allow communication with the agent, open a terminal and type sudo ufw allow proto udp from 10.10.10.16 to 10.10.10.79 port 1514 as shown in the screenshot below, and press Enter. If prompted for the password, type admin@123 and press Enter.
18. The firewall is now configured to allow communication between the Web Server and Admin Machine-2.
19. Click Web Server VM.
20. Click the Ctrl+Alt+Delete link to log in.
21. The default username Administrator is already selected; type admin@123 as the password and press Enter.
22. Navigate to Z:\CND-Tools\CNDv2 Module 04 Network Perimeter Security\Wazuh agent\. Double-click Wazuh v3.8.2-1.msi and follow the wizard-driven installation.
23. Check I accept the terms in the License Agreement, and click Install.
24. Check Run Agent configuration interface, and click Finish to complete the installation.
25. Once the installation is complete, the Wazuh Agent Manager window will open.
26. Type the IP address (10.10.10.79) of the Wazuh manager, which is Admin Machine-2, into the Manager IP field. Copy the agent key from the shared C:\key.txt file and paste it into the Authentication key field. Click Save.
27. Click OK to confirm importing the key.
28. The Manager IP will be added. By default, the Wazuh agent manager is stopped. Select Manage --> Start from the main menu, and click OK on the prompted message.
29. Click Refresh to view the Running status of the agent.
30. Switch to Admin Machine-2 and log in with the password admin@123.
31. Open a terminal with root privileges using the sudo su command, type /var/ossec/bin/ossec-control restart, and press Enter.
32. To check whether the agent is active, type /var/ossec/bin/agent_control -l and press Enter. You will see the WebServer agent that we added listed as Active.
33. Click Attacker Machine to launch the AttackerMachine VM, select the username bob, type the password user@123, and press Enter.
34. Copy the wrd.txt and pwd.txt files from the home directory (bob) and paste them on the Desktop.
35. Launch the terminal and type the command below to perform the FTP attack on the Web Server.

hydra -L 'wrd.txt' -P 'pwd.txt' ftp://10.10.10.16


Reexecute the command if you don't get the result showed in the above screenshot.

36. This indicates that the attacker can extract the FTP username and password over the network using insecure ports.
37. Switch to Admin Machine-2 and log in with the password admin@123.
38. Launch the Sguil application from the desktop.
39. The Sguil window appears. Type the username martin and password user@123. Click the OK button.
40. Network interfaces will be displayed. Click the Select All button.
41. All available interfaces will be selected. Click the Start SGUIL button.
42. You will see the Sguil window as shown in the screenshot below.
43. The Windows Login Failure event is captured by the Wazuh agent.
44. You can observe the OSSEC alert with Dst IP 10.10.10.16.
45. Click on the OSSEC Windows: Logon Failure–unknown user record in the list and check the Display Detail pane/option.
46. As described above, a network defender can use Wazuh to detect malicious activity on the host machine.
