OSSEC v1.1 BETA1 available

If you are looking for a way to help the project, here is your chance. We just released the first beta of version 1.1 and we need beta testers. This version has numerous bug fixes and new features, so a great deal of QA will be required. If you try it out, let us know whether it worked or not (and include the operating system and version you used).

Partial changelog:

  • Added support for hostnames in the server-ip configuration. Use “server-hostname” to specify it.
  • Added granular e-mail configuration options. Extra email_alerts options can be added based on the severity or event location.
  • Added support for Solaris 10 and OpenBSD su messages.
  • Improved Windows installer to use NSIS Modern UI.
  • Added overwrite attribute to the rules. It allows an entire rule to be overwritten. Example to overwrite rule 1002:


<!-- overwrite="yes" replaces the stock rule 1002 entirely (level, match and description) -->
<rule id="1002" level="8" overwrite="yes">
  <match>Segmentation|XYZ</match>
  <description>Rule 1002 overwritten.</description>
</rule>

You can download the Unix and Windows files from:
http://www.ossec.net/files/snapshots/

Let us know if you have any questions (dcid @ ossec.net).

Log alerts from OSSEC (NSM 2)

Richard Bejtlich, from taosecurity, posted two interesting blog entries in which he mentions some OSSEC alerts.

He says that he received some OSSEC log alerts but lacked the information needed to decide what to do with them. I agree with his assessment; he used Sguil to get network-based details and see what happened during that time. However, in addition to using a network sensor, he could have set up a log server, where he would be able to do a great deal of analysis on his log data (without ever touching the affected system).

Using firewall logs, for example, he would be able to see all connections from that IP address during that time window. Looking at authentication messages from all his systems, he would be able to see whether that IP was ever able to log in remotely, or whether it ever accessed any other service (such as HTTP or his mail server).
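The pivot described above, as an added example that is not part of the original post or of OSSEC itself: take the IP address from an alert and search every centralized log source for it, then answer the concrete questions the paragraph raises (which ports did it touch, did it ever authenticate successfully, what did it request over HTTP). The iptables, sshd and Apache lines below are constructed sample data, and the suspect address 203.0.113.45 is an assumption from a documentation range.

```python
"""Pivot on a suspect IP across centralized firewall, ssh and web logs.

Added example, not OSSEC code. All log lines below are constructed.
"""
import re
from collections import defaultdict

SUSPECT_IP = "203.0.113.45"  # constructed suspect address (TEST-NET-3)

# Constructed sample lines, as they would arrive on a central log server.
FIREWALL_LOG = """\
Oct 10 14:02:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22
Oct 10 14:02:13 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=80
Oct 10 14:03:40 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=25
"""
AUTH_LOG = """\
Oct 10 14:02:12 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Oct 10 14:02:15 web1 sshd[2214]: Accepted password for deploy from 198.51.100.7 port 40002 ssh2
"""
WEB_LOG = """\
203.0.113.45 - - [10/Oct/2006:14:02:14 +0000] "GET /admin/ HTTP/1.1" 404 512
198.51.100.7 - - [10/Oct/2006:14:05:01 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# One (text, pattern) pair per log source; every pattern exposes an "ip" group
# so the same pivot loop works for all of them.
SOURCES = {
    "firewall": (FIREWALL_LOG,
                 re.compile(rf"SRC=(?P<ip>{IPV4}) .*?DPT=(?P<port>\d+)")),
    "auth": (AUTH_LOG,
             re.compile(rf"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?"
                        rf"(?P<user>\S+) from (?P<ip>{IPV4})")),
    "web": (WEB_LOG,
            re.compile(rf'^(?P<ip>{IPV4}) .*?"(?P<method>\S+) (?P<path>\S+) [^"]*" '
                       rf"(?P<status>\d{{3}})")),
}


def pivot_on_ip(ip, sources=SOURCES):
    """Return {source_name: [parsed fields + raw line]} for every line mentioning ip."""
    hits = defaultdict(list)
    for name, (text, pattern) in sources.items():
        for line in text.splitlines():
            m = pattern.search(line)
            if m and m.group("ip") == ip:
                fields = {k: v for k, v in m.groupdict().items() if k != "ip"}
                fields["raw"] = line
                hits[name].append(fields)
    return dict(hits)


def summarize(ip, sources=SOURCES):
    """Answer the analyst's questions about one address from the pivot results."""
    hits = pivot_on_ip(ip, sources)
    auth = hits.get("auth", [])
    return {
        # which services did the firewall see it reach for?
        "ports_touched": sorted({int(h["port"]) for h in hits.get("firewall", [])}),
        # did it ever get a valid login anywhere?
        "ssh_accepted": [h["user"] for h in auth if h["result"] == "Accepted"],
        "ssh_failed": [h["user"] for h in auth if h["result"] == "Failed"],
        # what did it ask the web server for?
        "web_requests": [(h["method"], h["path"], h["status"]) for h in hits.get("web", [])],
    }


if __name__ == "__main__":
    for key, value in summarize(SUSPECT_IP).items():
        print(f"{key}: {value}")
```

On the constructed data the pivot shows the address probing ports 22 and 80, one failed ssh guess for a non-existent user and a 404 on /admin/, with no accepted login anywhere; that is the picture an analyst wants before touching the host that raised the alert. Real deployments swap the inline strings for files or a query against the log store, but the per-source pattern table and the shared "ip" group are what make the pivot cheap to extend to new log types.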

What am I trying to say here? As I said before, I just want to point out that Network Security Monitoring (NSM) combined with log analysis provides much more visibility than either of the two alone.