Introducing OSSEC

Michael Starks published a very interesting blog post on why he uses OSSEC.

Surprisingly, I was getting much more useful information from OSSEC than I did from the commercial HIDs. What OSSEC lacked in presentation, it far made up for in actual useful, actionable information. I got alerts which indicated things I really wanted to know about. And the more I tuned, the more relevant it became. I was expecting to have to make considerable concessions by not using a commercial HIDs; what I didn’t expect was to get far more value for free.

The guys at Hacker Target published a good document on installing OSSEC: http://hackertarget.com/2009/08/ossec-introduction-and-installation-guide/ and Sucuri posted another interesting article showing the benefits of log analysis: http://blog.sucuri.net/2009/08/curiosity-killed-cat.html

I (HEART) OSSEC

Justin Foster of DevelopingSecurity.com wrote an amazing article for the OSSEC site:

In the open source world some projects have taken on beloved status by their loyal user base. OSSEC is one of them, and for good reason.

For those of you unfamiliar, OSSEC (pronounced Oh-Sec) is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

Over a year and a half ago I was tasked to review OSSEC as a potential acquisition for Third Brigade. I was, of course, sufficiently impressed with OSSEC’s capabilities, but I was surprised at the level of respect it had developed in the community. I was curious as to why OSSEC had such a solid reputation.

Read in FULL: I heart OSSEC

OSSEC uservoice

We are always getting lots of feature suggestions and ideas for OSSEC, and via email they are hard to track. We have our Bugzilla, but most users find it too complicated to use.

Because of that, we are putting online an OSSEC user voice, where you can share your ideas, vote on other people's ideas, add bugs, comments, etc. With the voting mechanism we will be able to see which features are most wanted and work harder on them.

Link:
http://ossec.uservoice.com/

Thanks,

Splunk + OSSEC Integration

This is a guest article by Dale Neufeld – canuck.eh at gmail.com

The status of the next version of the OSSEC web interface is one of the more commonly asked questions on the mailing list and is currently #2 on the community requested feature list (http://ossec.uservoice.com). While web interfaces are nice to have, many of us suffer from information island overload by having dedicated web interfaces for each application. This is why I was stoked when the syslog output feature was announced last summer (http://www.ossec.net/dcid/?p=139) and officially added in version 1.6. Now I can incorporate OSSEC alerts into my SIM/SIEM or log management tool of choice, which not only eliminates the need for a dedicated OSSEC web interface but also allows for simplified incident analysis through aggregation and correlation.
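As an added illustration (not part of Dale's article or the OSSEC project's own documentation), the ossec.conf fragment below turns on the syslog output feature described above on the manager so that alerts of level 7 and higher are forwarded to a central collector; the collector address is a placeholder.

```xml
<ossec_config>
  <!-- Forward alerts over UDP syslog to the SIEM / log-management
       collector. 192.0.2.10 is a placeholder for the collector's IP. -->
  <syslog_output>
    <server>192.0.2.10</server>
    <port>514</port>
    <!-- Only alerts at level 7 or higher leave the manager, so
         low-value noise stays out of the central tool. -->
    <level>7</level>
  </syslog_output>
</ossec_config>
```

The syslog client also has to be switched on with `/var/ossec/bin/ossec-control enable client-syslog` and the manager restarted before any alerts are sent.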

Full article at http://www.ossec.net/main/splunk-ossec-integration

Trend Micro to Acquire Third Brigade

Fresh news from http://www.ossec.net/main/trend-micro-to-acquire-third-brigade:

On April 29, 2009 Trend Micro announced a definitive agreement to acquire the business of Third Brigade, a privately-held security and compliance software company headquartered in Ottawa, Canada that owns the OSSEC project. The acquisition is subject to customary approvals and is expected to close in the 2nd quarter of 2009.

So basically, they will be acquiring Third Brigade and the OSSEC project. They are committed to maintaining OSSEC as an open source project.

More updates soon…

Thanks,

Another book review

I just saw another review of the OSSEC book, this time by Kurt R. Hinson:

In these days of tight and/or frozen budgets, utilizing open source applications has become a must for many of us in the security realm. OSSEC is one such “must have” application that will give you visibility and insight into Windows, Mac and Linux machines on your network through the use of this Host Intrusion Detection application…

Full review at amazon.com

OSSEC book as ‘Best Book Bejtlich Read in 2008’

I was glad to read that Richard Bejtlich considered the OSSEC book one of his best reads of 2008. From the post:

by Rory Bray, Daniel Cid and Andrew Hay. I have to congratulate the author team for OHG. Writing a book for Syngress with many contributors is usually a recipe for disaster. OHG features three lead authors, four contributors, and one foreword author — and they don’t step on each others’ toes.

Full review: amazon.com.

Andrew Hay also posted about it here.

OSSEC presentation at Ottsec

Last month I did a presentation about OSSEC for the Ottawa security group and showed some custom rules that I have been using for a while (to monitor MSN usage, internal http user agents, etc). The core of the presentation starts at slide 11, if you want to skip through the definitions of HIDS, OSSEC, etc.

Link: http://ossec.net/ossec-docs/ossec-ottsec.pdf