bookmark_borderI (HEART) OSSEC

Justin Foster of wrote an amazing article for the OSSEC site:

In the open source world some projects have taken on beloved status by their loyal user base. OSSEC is one of them, and for good reason.

For those of you unfamiliar, OSSEC (pronounced Oh-Sec) is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

Over a year and a half ago I was tasked to review OSSEC as a potential acquisition for Third Brigade. I was of course, sufficiently impressed with OSSEC’s capabilities, but I was surprised at the level of respect it had developed in the community. I was curious as to why OSSEC had such a solid reputation.

Read in FULL: I heart OSSEC

bookmark_borderCompiling the Windows Agent from a Linux system

It has always been a pain to generate snapshots for Windows because it required me to open up my Windows VM (slow), push the code there, compile, etc. Well, until this week when I started to play with MinGW cross-compilation feature to completely build an Windows agent from Linux.

How it works? First, you need to install MinGW and makensis (to build the installer). On Ubuntu, it is just:

apt-get install mingw32 mingw32-binutils mingw32-runtime
apt-get install nsis

After that, download the latest snapshot: and generate the Windows package directory (where XX is the latest date):

tar -zxvf ossec-hids-xx.tar.gz
cd ossec-hids-xx/src/win32

Now, you will have the win-pkg directory under src. Just go there and run Your Windows agent package should be created in a few minutes:

cd ../win-pkg
sh ./

You will see the following in the screen:

Making windows agent
rootcheck/win-common.c: In function ‘__os_winreg_querykey’:
rootcheck/win-common.c:279: warning: pointer targets in passing argument 7 of ‘RegEnumValueA’ differ in signedness
win-registry.c: In function ‘os_winreg_querykey’:

Output: “ossec-win32-agent.exe”
Install: 7 pages (448 bytes), 3 sections (3144 bytes), 379 instructions (10612 bytes), 247 strings (42580 bytes), 1 language table (346 bytes).
Uninstall: 5 pages (320 bytes),
1 section (1048 bytes), 301 instructions (8428 bytes), 166 strings (2646 bytes), 1 language table (290 bytes).
Datablock optimizer saved 8371 bytes (~0.7%).

Which means that your agent executable ossec-win32-agent.exe has been created properly.

bookmark_borderCentralized agent configuration

If you wanted to be able to configure your agents remotely, you will be happy to know that we are supporting it now. Right now, we allow centralized configuration for file integrity checking (syscheckd), rootkit detection (rootcheck) and log analysis.

This is how it works.

Create the file /var/ossec/etc/shared/agent.conf

Inside the file you can configure the agent just as you would normally at ossec.conf


But you have a few more options. You can restrict the config by agent name or by operating system:

<agent_config name=”agent1|agent2″>

<agent_config os=”Linux|OpenBSD”>

<agent_config os=”Windows”>

And only the proper agent will read them, giving us great granularity to push the configuration to all your agents.

After you configured, the manager will push it to the agents. Note that it can take a while for it to complete (since the manager caches the shared files and only re-reads them every few hours). If you restart the manager the configuration will be pushed much quicker.

bookmark_borderOSSEC uservoice

We are always getting lots of feature suggestions and ideas for ossec and sometimes via email it is hard to track. We have our bugzilla, but most users find it too complicated to use.

Because of that, we are putting online an OSSEC user voice, where you can share your ideas, vote on other people ideas, add bugs, comments, etc. With the voting mechanism we will be able to get the most desirable features and work harder on them..



bookmark_borderSplunk + OSSEC Integration

This is a guest article by Dale Neufeld – at

The status of the next version of the OSSEC web interface is one of the more commonly asked questions on the mailing list and is currently #2 on the community requested feature list ( web interfaces are nice to have, many of us suffer from information island overload by having dedicated web interfaces for each application. This is why I was stoked when the syslog ouput feature was announced last summer ( and officially added in version 1.6. Now I can incorporate OSSEC alerts into my SIM/SIEM or log management tool of choice, which not only eliminates the need for a dedicated OSSEC web interface but also allows for simplified incident analysis through aggregation and correlation.

Full article at