
How to do it...

OSSEC developers provide a wrapper script to encapsulate the configure, build, and install process into a single, prompted installation. The installation is guided, but we can look at a few important prompts along the way:

  1. To get started, run the installation script with superuser privileges as follows:
    $ sudo ./install.sh
    

    The first important question is what type of installation we will be performing:

    1- What kind of installation do you want (server, agent, local, hybrid or help)?
    

    The simplest configuration is the local profile. This configures OSSEC as a standalone daemon that analyzes and correlates events only from the local system. It's a good starting point to get familiar with OSSEC.

  2. After a few simple questions, check for a prompt asking which analyzers to enable:
    3.2- Do you want to run the integrity check daemon? (y/n) [y]:
    

    The integrity check daemon monitors your critical files and binaries for changes. This is usually referred to as file integrity monitoring or FIM.

    3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
    

    The rootkit detection engine is a combination of signature- and anomaly-based checks to discover the presence of popular or yet-to-be-discovered rootkits on Linux/BSD systems. It looks for out-of-place or hidden files and strange network behavior.

    3.4- Do you want to enable active response? (y/n) [y]:
    

    Active response provides a functionality to run scripts when alerts are triggered. This feature provides the capacity for OSSEC to move beyond a detection system into a prevention system. There are a few tested responses that come standard with OSSEC.

    - Do you want to enable the firewall-drop response? (y/n) [y]:
    

    If you have active response enabled, OSSEC ships with a firewall-drop response that works on almost every operating system, without modification, and creates a firewall rule to drop traffic coming from IPs identified by the rules as attackers.

    - Do you want to add more IPs to the white list? (y/n)? [n]:
    

    If you have the firewall-drop response enabled, you'll be prompted to create a whitelist of IPs that will never be blocked by the active response system. If you have networks or IPs that you'd prefer not to be blocked, you can configure them here. Generally, critical systems should be excluded: DNS servers, LDAP servers, and mail servers. Without this protection, OSSEC may interrupt key communication channels during an attack. If you selected yes, use spaces to separate IPs and/or networks in CIDR notation, for example:

    - IPs (space separated):
     192.168.0.0/23 10.0.0.0/8 1.2.3.4
    

    OSSEC will now be built based on your answers to these questions and on information gathered from the build tools on your system. If everything goes successfully, the last message you see should look similar to the following:

    Installation Completed.
    

If you don't see this message, check the error message and correct the issue. OSSEC is designed to build without external libraries, but the build will fail if no C compiler is found.
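Two of the answers above are easy to get wrong in a way that only shows up later: a missing C compiler makes the build fail at the end of the run, and a typo in the whitelist means the firewall-drop response may block a DNS, LDAP, or mail server you meant to protect. The following pre-flight script is an added example (not part of OSSEC or of the book's recipe): it checks for a compiler on PATH and validates the space-separated IPv4/CIDR list in the exact shape the installer prompt expects, so you can check the list before typing it in. The function names `have_c_compiler`, `valid_whitelist_entry`, and `valid_whitelist` are the example's own.

```shell
#!/bin/sh
# Pre-flight checks for an interactive OSSEC install.sh run.
# Added example; hypothetical helper names, not OSSEC code.

# Print the first C compiler found on PATH and return 0; return 1 if none.
# install.sh builds OSSEC from source, so it needs one of these.
have_c_compiler() {
    for c in cc gcc clang; do
        if command -v "$c" >/dev/null 2>&1; then
            printf '%s\n' "$c"
            return 0
        fi
    done
    return 1
}

# Validate one whitelist entry: a dotted-quad IPv4 address,
# optionally followed by /prefix where prefix is 0..32.
valid_whitelist_entry() {
    entry=$1
    case $entry in
        */*) addr=${entry%/*}; prefix=${entry#*/} ;;
        *)   addr=$entry;      prefix=32 ;;
    esac
    # prefix must be all digits and at most 32
    case $prefix in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    # address may contain only digits and dots (also keeps globs out of set --)
    case $addr in
        ''|*[!0-9.]*) return 1 ;;
    esac
    # split on dots into positional parameters, then restore IFS
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            '') return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Validate a whole space-separated list, e.g. "192.168.0.0/23 10.0.0.0/8 1.2.3.4".
# Reports the first bad entry on stderr and returns 1.
valid_whitelist() {
    for e in $1; do
        valid_whitelist_entry "$e" || { echo "bad whitelist entry: $e" >&2; return 1; }
    done
    return 0
}

# Stand-alone use: report compiler status without aborting.
if compiler=$(have_c_compiler); then
    echo "C compiler found: $compiler"
else
    echo "warning: no C compiler on PATH; install.sh will fail at the build step" >&2
fi
```

Source the script (`. ./preflight.sh`) and run `valid_whitelist "192.168.0.0/23 10.0.0.0/8 1.2.3.4"` before answering the IPs prompt; a non-zero exit names the entry to fix. The validator is IPv4-only, matching the example the installer shows, and uses only POSIX shell constructs so it runs under `dash` as well as `bash`.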
