Upgrading OSSEC 2.7 to 2.8 and the bro-ids rule issue

‘Tis the season for upgrading.

This hour, the target is OSSEC. Next will be a Cloud server running Ubuntu 12.04 LTS, which will be upgraded to Ubuntu 14.04 LTS

OSSEC is a cross-platform and Free Software “host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.”

It is one of the best of its kind, and one piece of software you want on your server as soon as it’s online. Most tutorials you read advocate Fail2ban, but OSSEC brings a lot more to the table than Fail2ban. Don’t get me wrong, Fail2ban is nice to have on your server, but OSSEC is nicer.

Before the upgrade, the target server was running OSSEC 2.7.1. It was then upgraded to OSSEC 2.8, which was released on June 4 (2014). Upgrading OSSEC is a very simple operation, but I ran into a problem at the end. More on that later. For now, here’s how the upgrade was done.

Downloaded OSSEC 2.8 from here. Verified its checksums and moved the compressed tarball to the server. Unpacked it (tar zxf ossec-hids-2.8.tar.gz), changed to the OSSEC directory (cd ossec-hids-2.8), and started the installation by typing ./install.sh.

Your language is likely supported by the installation script.
Upgrade OSSEC 2.7

It wil detect that there’s an existing OSSEC installation and ask for an upgrade.
Upgrade OSSEC 2.7 to 2.8

From this screenshot, you can tell that something did not go as intended: OSSEC analysisd. Testing rules failed. Configuration error. Exiting.
Upgrade OSSEC 2.7 Linux

Querying the status of OSSEC showed that it is not running. What can the log file tell me?
Upgrade OSSEC 2.7 failed

Entries in the log file revealed the cause of the problem: The program failed to load the bro-ids rule: Invalid decoder name: ‘bro-ids’. Error loading the rules: ‘bro-ids_rules.xml’.
Upgrade OSSEC 2.7 logs

I found out that the issue with bro-ids rules is a longstanding one and that the recommended fix, if you can call it that, is to uncomment the bro-ids_rules.xml line in OSSEC’s main configuration file. And that did the trick
Upgrade OSSEC 2.7 bro-ids rule

Now, OSSEC is up and running, monitoring the system and sending email alerts when it detects bad traffic.

Related Posts

Your choice: Cinnamon or MATE I get a lot of queries regarding the difference(s) between the MATE and Cinnamon desktop environments. And of course such queries tend to come from th...
How to custmize KDE’s window titlebar buttons If you are using the latest KDE edition of your favorite distribution, your window titlebar could be missing a button or two that you most certainly n...
Dual-boot Linux Mint 11 and Windows 7 Dual-booting between a GNU/Linux distribution and Windows on a computer with one or more hard disks is a common practice for those who use both operat...
Android Touch-Event Hijacking With the recent release of Android 2.3 (Gingerbread), developers can now protect themselves from a new twist on an old bug: TapJacking. Like ClickJack...
Install Cinnamon 1.6 in Ubuntu 12.04 LTS Alternate titles: How to install Cinnamon desktop in Ubuntu 12.04 Precise Pangolin; how to install Cinnamon desktop 1.6 in Ubuntu 12.04 LTS. Cinnam...
How to install Java Runtime on Zenwalk 6.2 Zenwalk is a Slackware-based, Linux operating system. Version 6.2, the latest release, does not come with Java Runtime Environment (jre) installed. W...

We Recommend These Vendors

Launch an SSD VPS in Europe, USA, Asia & Australia on Vultr's KVM-based Cloud platform starting at $5:00/month (15 GB SSD, 768 MB of RAM).

Deploy an SSD Cloud server in 55 seconds on DigitalOcean. Built for developers and starting at $5:00/month (20 GB SSD, 512 MB of RAM).

Leave a Comment

Your email address will not be published. Required fields are marked *