July 2007 – OSSEC

Windows policy monitoring

Posted on July 26, 2007July 2, 2020 by Daniel Cid

OSSEC v1.3 will come with support for Windows policy monitoring, allowing you to verify that all your systems conform to a set of policies regarding configuration settings, applications usage, etc. They are configured centrally on the ossec server and pushed down to all your agents.

With the Windows policy monitoring, you can get alerts like the following (detecting Skype and Yahoo):

2007 Jul 22 17:42:57 Rule Id: 514 level: 2
Location: (winhome) 192.168.2.190->rootcheck
Windows application monitor event.
Application Found: Chat/IM – Yahoo.
2007 Jul 22 17:42:57 Rule Id: 514 level: 2
Location: (winhome) 192.168.2.190->rootcheck
Windows application monitor event.
Application Found: Chat/IM/VoIP – Skype.

And compliance alerts like the following:

2007 Jul 23 13:44:54 Rule Id: 512 level: 3
Location: (winhome) 192.168.2.190->rootcheck
Windows Audit event.
Windows Audit: Null sessions allowed.
2007 Jul 23 13:44:54 Rule Id: 512 level: 3
Location: (winhome) 192.168.2.190->rootcheck
Windows Audit event.
Windows Audit: LM authentication allowed (weak passwords).

Interested? Read more how it works here. You can also try our beta version to help us improve it.

Security Horizon journal

Posted on July 24, 2007July 2, 2020 by Daniel Cid

If you never read (or didn’t know) the Security Horizon journal you are missing on the good stuff. They release their security journal every few months with some interesting articles and their summer 2007 edition was just made available today.

If that wasn’t enough, they have an article about OSSEC, written by Chuck Little, entitled: “OSSEC-HIDS: Documenting my Further Adventures in Intrusion Detection” (on page 20). Excelent read!

OSSEC v1.3 BETA1 – Testers Needed

Posted on July 22, 2007July 2, 2020 by Daniel Cid

OSSEC v1.3 is soon to be available and we really need some help beta testing it. As I always say, trying out our beta releases is a simpler and very effective way of helping the project.

How can you test it?
We created an entry in our Wiki with all the information necessary regarding beta testing. The test sets are very simple, but I plan to improve it as we progress. Download information, what to test and everything else is there.

Any help is very appreciated.

HIDS are from Mars, NIDS are from Venus

Posted on July 17, 2007July 2, 2020 by Daniel Cid

Chuck MdMonk wrote a very funny article, HIDS are from Mars, NIDS are from Venus and even found a way to put ossec in the middle as a relationship counselor. Very nice read…

OSSEC and GPLv3

Posted on July 12, 2007July 2, 2020 by Daniel Cid

When we release a new version of OSSEC and tell our users to update to it, what do you think they do? Well, most of them upgrade to the latest version without asking too many questions. However, some users with C and development experience go out and diff the code, look at the CVS changelog, and do a careful review to see if the new version fits their needs. But (big BUT), the user must know what he or she is doing to make an informed decision.

Anyway, what it has to do with GPL? Well, I am not a lawyer and I am not a license expert. If the FSF that wrote the GPLv2 (license that ossec currently uses), tells me to update to the GPLv3, what do you think I should do? If my expertise were in licenses, I would go and review the license before deciding, but since it is not, I will probably just trust them and update.

What does that mean? Unless there is a good reason not to do so, next version of OSSEC will be under the GPLv3. We trust the work that the FSF is doing for the open source community and the process to develop the GPLv3 was very good (open participation, lots of smart contributors, etc), so the final product must be good too.

Any comments? Any license expert willing to share your thoughts?

OSSEC CVS list

Posted on July 11, 2007July 2, 2020 by Daniel Cid

For those interested to follow our CVS commits and be more directly involved with ossec, we created a few days ago a mailing list for it. You can subscribe by sending an e-mail to ossec-cvs-subscribe at googlegroups.com or you can just browse the archives at googlegroups or the ossec site.

*note: this list is reading-only. Discussions about any commit should go to the ossec-dev list.

Control UI for the Windows agent

Posted on July 11, 2007July 2, 2020 by Daniel Cid

The next version of ossec for Windows will come with a very simple “control ui” to manage and configure some basic options in the windows agent (like server ip, auth keys, etc). The code is pretty much stable, but I would like some beta testers and some suggestions.

If you are interested, the executable can be downloaded from here. The source code is committed to CVS too. Just download it, play with it, try restarting, stopping, changing the configs, etc. Any feedback will be welcome.

Some screenshots:

*I am far from being a ui designer (especially on Windows), so help is also welcome to make it look/work better.