4. • A Host-Based Intrusion Detection System (HIDS)
• A HIDS collects, analyzes and pre-correlates a client's logs and
alerts on an attack, fraudulent use (a policy violation) or a detected error.
• It verifies the integrity of local system files, detects rootkits, and
identifies hidden actions of attackers (Trojan horses, malware, etc.).
• A HIDS provides real-time alerts and active response.
• A HIDS integrates easily with SIEMs.
• Centralized policy deployment to all HIDS agents is used to
monitor server compliance.
HIDS – Host Based Intrusion Detection System
Ref. Anglia Ruskin University, OWASP Cambridge Chapter
image ref. https://www.decipherzone.com/blog-detail/web-application-architecture
5. • OSSEC is an open source HIDS.
• Its purpose is to detect abnormal behavior on a machine.
• It collects the information sent to it by the monitored equipment and uses
signatures or behavior to detect anomalies.
• An OSSEC agent is installed on each machine.
OSSEC
7. WAZUH
• Wazuh is an open source platform for intrusion detection,
security monitoring, incident response and compliance checking.
• It builds on OSSEC.
• It can be used to monitor endpoints, cloud services and
containers, and to aggregate and analyze data from external
sources.
8. • The Wazuh solution consists of an endpoint security agent,
deployed on the monitored systems, and a management server,
which collects and analyzes the data gathered by the agents.
• Additionally, Wazuh is fully integrated with the Elastic Stack,
providing a search engine and a visualization tool for data that
allows users to navigate their security alerts.
WAZUH
9. • A brief overview of some of the most popular current use cases
of the Wazuh solution.
WAZUH Abilities
• Log analysis
• File integrity monitoring
• Rootkit detection
• Active response
• Configuration assessment
• System inventory
• Vulnerability detection
• Cloud security
• Container security
• Regulatory compliance
10. • The Wazuh architecture is based on agents, running on the
monitored endpoints, which transmit security data to a central
server.
• Agentless devices such as firewalls, switches, routers and access
points are supported and can actively submit log data via
syslog, SSH or their API.
• The central server decodes and analyzes incoming information
and forwards the results to the Wazuh indexer for indexing and
storage.
• The Wazuh indexer cluster is a set of one or more nodes that
communicate with each other to perform read and write
operations on indexes.
WAZUH Architecture
13. • The Wazuh indexer is a highly scalable, full-text search and
analytics engine.
• The Wazuh indexer stores data as JSON documents. Each document
correlates a set of keys (field names or properties) with their
corresponding values.
• An index is a collection of documents related to each other.
• Wazuh uses four different indexes to store different types of
events: wazuh-alerts, wazuh-archives, wazuh-monitoring and
wazuh-statistics.
WAZUH Indexer
15. • The Wazuh server component analyzes the data received from
agents, triggering alerts when threats or anomalies are
detected.
• It is also used to manage agent configuration remotely
and to monitor agent status.
• The Wazuh server uses threat intelligence sources
to improve its detection capabilities.
• It also enriches alert data using the MITRE ATT&CK framework
and regulatory compliance requirements such as PCI DSS,
GDPR, HIPAA, CIS and NIST 800-53, providing useful context for
security analysis.
WAZUH Server
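As an added example (not code from the slides or from the Wazuh project), the following Python sketch walks through the server-side flow described in slides 10, 13 and 15: decode a log line into fields, match a rule, emit a Wazuh-style JSON alert document enriched with MITRE ATT&CK and PCI DSS tags, and compute the daily index it would land in. The sample log line, the decoder regex and the rule (id 100100, in Wazuh's custom-rule range) are constructed for illustration; the index name follows the wazuh-alerts-4.x-YYYY.MM.DD pattern Wazuh 4 uses.

```python
import json
import re
from datetime import datetime, timezone

# Constructed OpenSSH log line (not a real capture); 203.0.113.7 is a documentation address.
SAMPLE_LOG = ("Jan 15 10:23:45 web01 sshd[2211]: Failed password for invalid user admin "
              "from 203.0.113.7 port 51022 ssh2")

# Illustrative decoder: extracts the fields a Wazuh sshd decoder exposes under data.*
# (field names mirror Wazuh's srcuser/srcip/srcport; the regex itself is ours).
SSHD_FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<srcuser>\S+) "
    r"from (?P<srcip>\S+) port (?P<srcport>\d+)"
)

# Illustrative rule (custom id range 100000+). The mitre/pci_dss keys show the
# enrichment the server attaches to an alert; this is not an official Wazuh rule.
RULE = {
    "id": "100100",
    "level": 5,
    "description": "sshd: authentication failed.",
    "groups": ["syslog", "sshd", "authentication_failed"],
    "mitre": {"id": ["T1110"], "tactic": ["Credential Access"], "technique": ["Brute Force"]},
    "pci_dss": ["10.2.4", "10.2.5"],
}

def decode(line):
    """Return the decoded fields, or None when no decoder matches the line."""
    m = SSHD_FAILED.search(line)
    return m.groupdict() if m else None

def build_alert(line, agent_id="001", agent_name="web01", now=None):
    """Decode the line, apply the rule and return a Wazuh-style alert document."""
    data = decode(line)
    if data is None:
        return None  # undecoded lines never become alerts
    now = now or datetime.now(timezone.utc)
    return {
        "timestamp": now.isoformat(timespec="milliseconds"),
        "rule": RULE,
        "agent": {"id": agent_id, "name": agent_name},
        "decoder": {"name": "sshd"},
        "data": data,
        "full_log": line,
        "location": "/var/log/auth.log",
    }

def index_for(alert, archive=False):
    """Daily index the document is written to: wazuh-alerts (or wazuh-archives) per day."""
    day = alert["timestamp"][:10].replace("-", ".")  # 2024-01-15 -> 2024.01.15
    return f"{'wazuh-archives' if archive else 'wazuh-alerts'}-4.x-{day}"

if __name__ == "__main__":
    alert = build_alert(SAMPLE_LOG)
    print(index_for(alert))
    print(json.dumps(alert, indent=2))
```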
17. • The Wazuh dashboard is a flexible and intuitive web-based user
interface for exploring, analyzing and visualizing security events
and alert data.
• It is also used for management and monitoring of the Wazuh platform.
• Additionally, it provides role-based access control (RBAC),
single sign-on (SSO), data viewing and analysis,
agent monitoring and configuration, platform management and
developer tools.
WAZUH Dashboard
28. • The Wazuh agent is cross-platform and runs on the hosts that
the user wants to monitor.
• It is also used for management and monitoring of the Wazuh platform.
• The Wazuh agent provides key functionality to improve the
security of your system.
WAZUH Agent
• Log collector
• Command execution
• File integrity monitoring (FIM)
• Security configuration assessment (SCA)
• System inventory
• Malware detection
• Active response
• Container security monitoring
• Cloud security monitoring