OSSEC Award daemon

Received a beautiful plaque from the OSSEC community (Michael Starks, I know it was your idea :)) and it says (in the OSSEC alert format):

OSSEC HIDS Notification
2010 Oct 20 15:10:04
Received from: ossec-community->/var/log/community.log
Rule: 1000000 (Level: 15) -> “A sincere thanks”
Portion of the log(s):

Oct 20 15:10:04 allhosts ossec-awardd[423]: To: Daniel Cid. From: OSSEC Community. Thank you for your tireless devotion to making our digital world a safer place.


It was the last thing I was expecting and it meant a lot to me, thanks! This week of OSSEC is getting better each day 🙂

2WoO: Day 3: Contributing to OSSEC

There are many types of open source projects out there. Many have the code base open (GPL, BSD, etc), but not all of them have an open culture.

On OSSEC, we try to be fully open. Not only the source code, but open to contributions, open to new developers, open to new ideas and open (friendly) to new users. So if you want to become involved and participate in this project, we have a few recommendations.

These recommendations will probably be valid for most open source projects, not only OSSEC.

How to get started:

1-The first thing you have to do is to become an active OSSEC user. I mean, install it on as many machines as you can, try different setups, see things you don’t like and start from there. Become passionate about it if you want to make a difference.

2-Start small. As with any project, it takes some time to get used to how it works and how the code is organized. So start from simple things. Even if you detect a typo, try to fix that first and send us the patch.

3-Consider contributing your customizations. If you had to add a simple local rule to ignore a noisy event, send that to us! Get the log that was causing the false alert and the rule you created and send them to our development mailing list or to our IRC channel (details after).

4-Get involved on our mailing lists and on IRC to see the needs and issues most users have.

5-You don’t need to be a developer or code in C. You can contribute with documentation, with the rules/decoders or even testing it. We also have our web interface (PHP), active responses/install scripts (in shell) that you can help out with. So no excuses 🙂

Getting involved:

1-Our code base is available on bit bucket:

2-Our documentation is also on bit bucket:

3-We are always on IRC (#ossec on ). That’s the best way to quickly get feedback from us and get to know everyone actively involved.

4-We also have a development mailing list, but IRC is recommended.

If you don’t know how to access our repository on bit bucket, this link should help you:

Any questions, let us know.

OSSEC v2.5.1 released

Early this week we pushed OSSEC v2.5.1 out, but forgot to mention it here on the blog. If you had issues with v2.5, you can download the new version here:

Some of the things we fixed/added:

-Logcollector crashing when using some globs.
-Logcollector crashing with the alias command monitoring.
-Analysisd crashing with report_changes enabled + local ignore rules.
-Some Windows rules were not matching properly.
-Added no_ar option to the rules (by Jeremy Rossi and Scott at
-Docs fixed by Michael Starks.

Also, if you are having issues with HPUX, try this snapshot where we fixed it:
(didn’t get included on v2.5.1).

Week of OSSEC (2WoO) – Oct 17-23

Taken from:

Week of OSSEC: Day -2
Michael Starks had the great idea to get everyone together and organize the second annual Week of OSSEC. Last year he was the only one participating, but this year we hope to have many contributions.

To get started, Syngress decided to help out and release a few chapters of the OSSEC book for free. Plus, they are giving 30% off the book for anyone interested. Just go here and use the promotion code “43663”.

The PDFs for the book can be downloaded here:

Chapter 2 – Installation
Chapter 3 – General configuration
Chapter 4 – Writing log analysis rules

For updates on the Week of OSSEC, I will be “tweeting” new articles: @danielcid and @ddpbsd as well.

Some blogs to follow for updates:

Michael Starks
Daniel Cid
Dan Parriott
Xavier Mertens (he already started with a nice post).
Jason Frisvold
David Dede

And I am sure many others. If you plan on contributing, send me a note and I will add your blog/twitter link here.