We all respect Bruce Schneier’s opinion (if you don’t, be careful) and I found his take on log analysis very interesting:
Whenever someone attacks you, they leave footprints… All of these products have audit logs and they produce audit messages (millions of messages a day). Most of them are a complete waste of time, like “printer out of toner.” So what?
But some of them are very important. In those audit logs are the footprints of attacks. If you can monitor those in real time, you can watch the attacker as he is attacking. If you can understand what is going on fast enough, you can kick him out before he does more damage…
I was also playing with IMG2TXT and it is generating some very good ASCII-based logos for OSSEC. Check out one example here.
On a side note, RichM from Ethical Hacker posted a “Quick and dirty tutorial on getting OSSEC, the open source IDS that’s #2 on insecure.org, running on the Business Card ISO of Debian. Now go out there and start keeping an eye on your network.” … Good stuff!
Special thanks to Michael Starks, Brian Wang, Serge Dubrouski, Logan O’Sullivan Bruns and Dave Lowe for the contributions and Dennis Borkhus-Veto, John Ives and Liliane Cid for beta testing this release.