Sample chapters of the OSSEC book

I don’t think I mentioned it before, but we have two free sample chapters of the OSSEC book available online.

The first one is chapter 2: http://searchsecuritychannel.techtarget.com/tip/0,289483,sid97_gci1323740,00.html

The second one is chapter 5: http://www.syngress.com/book_catalog/sample_159749240X.pdf

OSSEC project acquired

I have very good news to share. Hope you all like it 🙂

First, from now on I will be working full time on OSSEC, being fully sponsored (and paid) by Third Brigade. As some of you know, for the last few years I have been working on OSSEC as a “second job”, during the evenings and at night, so hopefully now with more time we will see some awesome improvements in a short period of time (let’s clear our bugzilla :)).

Plus, the code will remain open source (GPL), and the project will continue running the way it is now (with a few improvements), so there is nothing to worry about.

Secondly, Third Brigade (the same company sponsoring me to work full time on it) also acquired the project. That means that they will put more resources into the project and help us bring it to the next level. For the average user it will not change anything, but for any company interested in getting enterprise-level support and additional commercial offerings (training, professional services, etc.), it will be a huge benefit.

To clear up any questions you may have:

  • Yes, I WILL remain working 100% on the project!
  • The code WILL remain open source and community driven!

More information can be found on the FAQ about the acquisition:
http://www.ossec.net/main/acquisition-faq/

Press release:
http://www.thirdbrigade.com/news_events.aspx?id=770

Feel free to ask any questions you may have.

Thanks!

OSSEC on Hackontest

OSSEC is part of the Hackontest, a 24-hour programming marathon, and we are looking for contributions…

First, you can register to request features that we would develop during this 24-hour period. I already added a couple, but the more the better. Second, you can vote on the submitted features, and the one that receives the most votes is going to be chosen.

Our page is at:

http://www.hackontest.org/index.php?action=Root-projectDetail(32)

If you are a developer, you can click on a feature and choose to help implement it… If we are chosen, our team (whoever registers to implement it) is going to Switzerland for the contest!

So, votes, features, ideas and developers are welcome.

OSSEC articles

This blog has been slow lately (vacation time), but I would like to share some articles about OSSEC that were published in the last couple of months.

*If you wrote something about OSSEC, let us know and I will publish it here.

OSSEC Book

It looks like our first book about OSSEC is completed and should soon be released. Andrew Hay, Rory Bray and I *wrote it during the last few months, and we also got some great external contributions (more info to come). The book is already on **Amazon, so you can pre-order it from:

http://www.amazon.com/OSSEC-Host-Based-…

*Well, Andrew did a lot of work and pushed us a lot too, so he should get more credit for it.

**The information on Amazon is not complete, but they will hopefully update it soon.

OSSEC + Snort Active Response

Rodrigo Montoro wrote a very interesting paper on how to execute custom active responses using Snort CSV output and OSSEC. It also shows how to write custom rules and decoders… Good read!

This paper won’t teach you to install or configure snort or OSSEC HIDS; my goal here is to teach you to use snort csv output and build rules at OSSEC for active response. Ossec must be installed with active-response enabled…

English version: http://www.brc.com.br/artigos/ossec-snort-activeresponse_english.pdf
Portuguese version: http://www.brc.com

OSSEC -> Sguil

David Bianco released a test version of an agent that can take events from OSSEC and insert them into Sguil as alerts. This is his full message to the ossec-list:

I’ve put together a test release of an agent that can take events from the OSSEC alert.log and insert them into Sguil as alerts. It’s based on the example agent that comes with sguil 0.7.0 (in CVS). It’s pretty rough code at the moment, but I think I got most of the crash bugs out of it. Still, I wouldn’t run it on production Sguil servers without testing it yourself.

You can fetch the code from:

http://www.vorant.com/files/ossec_agent-0.01.tar.gz