bookmark_borderOSSEC Award daemon

Recieved a beautiful plaque from the OSSEC community (Michael Starks, I know it was your idea :)) and it says (in the OSSEC alert format):

OSSEC HIDS Notification
2010 Oct 20 15:10:04
Received from: ossec-community->/var/log/community.log
Rule: 1000000 (Level: 15) -> “A sincere thanks”
Portion of the log(s):

Oct 20 15:10:04 allhosts ossec-awardd[423]: To: Daniel Cid. From: OSSEC Community. Thank you for your tireless devotion to making our digital world a safer place.


It was the last think I was expecting and It meant a lot to me, thanks! This week of OSSEC is getting better each day 🙂

bookmark_border2WoO: Day 3: Contributing to OSSEC

here are many types of open source projects out there. Many have the code base open (GPL, BSD, etc), but not all of them have an open culture.

On OSSEC, we try to be fully open. Not only the source code, but open to contributions, open to new developers, open to new ideas and open (friendly) to new users. So if you want to become involved and participating in this project, we have a few recommendations.

These recommendations will probably be valid for most open source projects, not only OSSEC.

How to get started:

1-The first thing you have to do is to become an active OSSEC user. I mean, install it on as many machines as you can, try different setups, see things you don’t like and start from there. Become passionate about it if you want to make a difference.

2-Start small. As any project, it takes some time to get used to how it works and how the code is organized. So start from simple things. Even if you detect a typo, try to fix that first and send us the patch.

3-Consider contributing your customizations. If you had to add a simple local rule to ignore a noisy event, send that to us! Get the log that was causing the false alert and the rule you created and send to our development mailing list or to our IRC channel (details after).

4-Get involved on our mailing lists and on IRC to see the needs and issues most users have.

5-You don’t need to be a developer or code in C. You can contribute with documentation, with the rules/decoders or even testing it. We also have our web interface (PHP), active responses/install scripts (in shell) that you can help out. So no excuses 🙂

Getting involved:

1-Our code base is available on bit bucket:

2-Our documentation is also on bit bucket:

3-We are always on IRC (#ossec on That’s the best way to get quickly feedback from us and get to know everyone actively involved.

4-We also have a development mailing list, but via IRC is recommended.

If you don’t know how to access our repository on bit bucket, this link should help you:

Any questions, let us know.

bookmark_borderWeek of OSSEC (2WoO) – Oct 17-23

Taken from:

Week of OSSEC: Day -2
Michael Starks had the great idea to get everyone together and organize the second annual week of ossec. Last year he was the only one participating, but this year we hope to have many contributions.

To get started, Syngress decided to help out and release a few chapters of the OSSEC book for free. Plus, they are giving 30% off the book for anyone interested. Just go here and use the promotion code “43663″.

The PDF’s for the book can be downloaded here:

Chapter 2 – Installation
Chapter 3 – General configuration
Chapter 4 – Writing log analysis rules

For updates on the Week of OSSEC, I will be “tweeting” new articles: @danielcid and @ddpbsd as well.

Some blogs to follow for updates:

Michael Stark
Daniel Cid’
Dan Parriott
Xavier Mertens (he already started with a nice post).
Jason Frisvold
David Dede

And I am sure many others. If you plan on contributing, send me a note and I will add your blog/twitter link here.

bookmark_borderCommunity Update

Directly from:

The OSSEC community is on fire lately! We are very happy to see everyone talking and presenting about OSSEC. Those are some of the newest updates from our community:

Wim Remes spoke about OSSEC at the Fosdem conference. The video of his presentation is on youtube:

Iñaki Rodríguez did a webmeeting about OSSEC in spanish. Slides in PDF:

Wim Remes (yes, he again), wrote about OSSEC for the [IN]SECURE Magazine (2010 February edition):

Michael Starks from posted a few interesting blog posts about OSSEC:

Using OSSEC for Encrypted Log Transport
Detecting Sensitive Info with OSSEC

Have you wrote something about OSSEC? Please, let us know and we will add in here.

bookmark_borderOSSEC v2.3 released

Directly from

What is new?

  1. Log analysis rules for the Nginx web server
  2. Log analysis rules for Suhosin (Hardened PHP)
  3. Support for real time file integrity monitoring on Windows systems
  4. Support for monitoring the output of commands (process monitoring)
  5. And a lot more…

Check out our v2.3 changelog of the complete list of new features and bugs fixed.

Download the new version from

*Special thanks to our contributors Jeremy Rossi, Fabio Paracchini and Michael Starks and our beta testers Dan Parriott, Michael Starks, Timo Vehvilainen and Jeremy Rossi.

bookmark_borderOSSEC In the Enterprise Presentation Available

Michael Starks from Immutable Security just released his presentation “OSSEC in the Enterprise” (with more than 100 slides). It is very technical and well recommended for everyone interested to learn more about OSSEC.

Link: OSSEC Presentation Available

Direct download: ossec_in_the_enterprise-2009-mstarks.pdf

bookmark_borderOSSEC Survey & get a free shirt!

Directly from the ossec site:

OSSEC Usage Survey (& get a free OSSEC shirt!)

We need your help. In an effort to better understand how the OSSEC project is being used and look for ways to improve OSSEC moving forward, Trend Micro would like you to participate in a brief survey. Why is this coming from Trend Micro? The OSSEC project has been around since 2003. It was acquired by Third Brigade in 2008, and then Third Brigade was acquired by Trend Micro in 2009.

The first 500 OSSEC users to respond to this survey can provide their contact information to obtain a stylish OSSEC T-shirt that Trend Micro is happy to provide as a token of our thanks, and appreciation for your support of the OSSEC project. (Note: shirts available in Europe, Canada & the US for logistical reasons).

Please visit the following URL to start the 5 minute survey:

Thank you in advance for your participation and ongoing support!

bookmark_borderWeek of OSSEC

Michael Starks from Immutable Security finished today his series of articles about OSSEC called “Week of OSSEC“. It was meant to coincide with his speak on OSSEC at the Rochester Security Summit.

From his blog:

As a service to the community and to coincide with my speaking on OSSEC at the Rochester Security Summit, every day during the week of October 25 through October 31, I’ll be posting a new tip on OSSEC based on my years of first-hand experience. These are the tips that make the software more usable for me and hopefully, it will for you, too. Have a tip that has helped you? Be sure to post it in the comments.

– Michael Starks

Links to the articles:

Be sure to check it out to learn more about OSSEC. Thanks Michael for sharing your experience with us.

bookmark_borderQ&A: OSSEC, the open source host-based intrusion detection system

Mirko Zorz from Help Net Security did an interview with me regarding OSSEC, how it was created, evolved, etc.

Link to the interview:

Daniel B. Cid is the founder of the open source OSSEC HIDS and a principal researcher at Trend Micro. He has a special interest in intrusion detection, log analysis and secure development. In this interview he discusses the the open source host-based intrusion detection system in detail.

Give our readers some background on the OSSEC project. How did it all start and evolve?

OSSEC is an open source HIDS that merges log analysis, file integrity monitoring, rootkit detection and active responses. It started as a side-project to help me solve some problems that I had on a previous job (6-7 years ago)…

Thanks Mirko for the great questions and interview.