I won’t be using this blog anymore. For new content, go to http://dcid.me/notes/
Thanks!
The Open Source Security (OSSEC) Blog
I couldn’t stay away from it very long, so I am tweeting now too (or trying to). If you want to hear the latest on ossec development, follow us there:
twitter.com/danielcid
Thanks!
This is quite off topic, but too much fun for me to ignore. Great thread in the log analysis mailing list with the ugliest application logs ever.
Check it out:
LogAnalysis.org thread
I don’t know about you, but I really hate this “last message repeated X times” on Syslog. Some say that it is useful to avoid floods (denial of service) with repeated messages. Others say it keeps your log files “clean”… For me, it is completely useless. If your syslog daemon supports disabling this feature (-c on FreeBSD), please do so. A few reasons why:
To prove my point, run this simple command on your Linux/Unix server (it will generate one log message every second):
$ while [ 1 ]; do logger "annoying..."; sleep 1; done
Wait a few minutes and check your log:
Dec 17 19:44:08 enigma dcid: annoying...
Dec 17 19:44:39 enigma last message repeated 31 times
Dec 17 19:46:40 enigma last message repeated 115 times
Dec 17 19:56:41 enigma last message repeated 589 times
The first thing you see is that the last message reported is not always the last message, but it can be the one before the last one (or more). Secondly, my logs were buffered for 40 seconds the first time, 2 minutes the second time and 10 minutes the third time. Not very good for “real time” analysis (and some compliance requirements go down with it).
As for the people who think it will protect you against denial of service attacks, try the following simple shell script:
$ i=0; while [ 1 ]; do logger "annoying... $i"; i=`expr 1 + $i`; done
And enjoy your logs:
Dec 17 19:08:44 copacabana dcid: annoying... 1
Dec 17 19:08:45 copacabana dcid: annoying... 2
Dec 17 19:08:46 copacabana dcid: annoying... 3
Dec 17 19:08:47 copacabana dcid: annoying... 4
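To make both points concrete in code, here is an added example (mine, not part of the original post) that parses the syslog lines above, rebuilds the event stream hidden behind each “last message repeated N times” line, and reports how long each run was held back. It also includes a simplified model of the daemon’s own suppression logic to show why a message that changes by one character (the counter) is never collapsed. The year (2006), the host names, and the line format are assumptions; classic BSD syslog timestamps carry no year, so one has to be supplied.

```python
import re
from datetime import datetime

# Constructed sample: the four lines from the first experiment in the post.
SAMPLE_LOG = [
    "Dec 17 19:44:08 enigma dcid: annoying...",
    "Dec 17 19:44:39 enigma last message repeated 31 times",
    "Dec 17 19:46:40 enigma last message repeated 115 times",
    "Dec 17 19:56:41 enigma last message repeated 589 times",
]

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
REPEAT_RE = re.compile(r"^last message repeated (\d+) times$")


def parse_line(line, year=2006):
    """Split a classic BSD-syslog line into (timestamp, host, message).
    The timestamp has no year, so one is supplied (assumed: 2006)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparsable syslog line: %r" % line)
    ts = datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)


def expand_repeats(lines, year=2006):
    """Rebuild the event stream hidden behind 'last message repeated N times'.

    Returns (events, windows). events is a list of (timestamp, host, message)
    with each summary line replaced by N copies of that host's previous real
    message; windows records, per summary, how many events were held back and
    for how many seconds. The copies carry the summary line's timestamp,
    because the original arrival times are gone: that is the real-time loss."""
    events, windows = [], []
    last = {}  # host -> (timestamp, message) of the last real message seen
    for line in lines:
        ts, host, msg = parse_line(line, year)
        rep = REPEAT_RE.match(msg)
        if rep is None:
            events.append((ts, host, msg))
            last[host] = (ts, msg)
            continue
        count = int(rep.group(1))
        if host not in last:
            # Nothing to expand into (log rotated, or the original was lost);
            # keep the summary itself so no line silently disappears.
            events.append((ts, host, msg))
            continue
        prev_ts, prev_msg = last[host]
        events.extend((ts, host, prev_msg) for _ in range(count))
        windows.append({"host": host, "count": count,
                        "seconds": int((ts - prev_ts).total_seconds())})
        last[host] = (ts, prev_msg)
    return events, windows


def syslog_collapse(messages):
    """Simplified model of the daemon's suppression (assumed behaviour: only an
    exact, consecutive duplicate is folded; real daemons also flush on a
    timer). Anything that differs at all, such as a counter, is written out."""
    out, last_real, pending = [], None, 0
    for msg in messages:
        if msg == last_real:
            pending += 1
            continue
        if pending:
            out.append("last message repeated %d times" % pending)
            pending = 0
        out.append(msg)
        last_real = msg
    if pending:
        out.append("last message repeated %d times" % pending)
    return out


if __name__ == "__main__":
    evs, wins = expand_repeats(SAMPLE_LOG)
    print("%d events reconstructed from %d lines" % (len(evs), len(SAMPLE_LOG)))
    for w in wins:
        print("%(host)s: %(count)d events held back for %(seconds)d seconds" % w)
    print(syslog_collapse(["annoying..."] * 5))
    print(syslog_collapse(["annoying... %d" % i for i in range(1, 5)]))
```

Run against the sample, the three summaries expand to 735 hidden events behind one visible line, with hold-back windows of 31, 121 and 601 seconds, which is exactly why an analyst watching this log in real time sees nothing for ten minutes; the second model call shows the counter-suffixed flood passing through untouched.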
No, I am not dead. Nor did I leave the project to do something else. I just took a few weeks off to rest (yes, even open source developers take vacation from time to time). Thanks for caring anyway 🙂
We are back now 100%.
I am happy to announce the arrival of a new member to the ossec team. He is only 51cm tall and weighs around 3.4kg, but we expect great contributions from him as soon as he can start coding. He has no name yet, but we will find one soon (no one liked the “root” idea). The whole family is happy and doing well.
*Update (Mar 16) – Finally a name was chosen: Davi Cid
I know this is off-topic for this blog, but I can’t imagine why Microsoft would want to build a partnership with Novell over Linux. I heard a comment that they are doing it just to cause trouble for Oracle’s move to Linux… Comments?
More info here and here.
Since everyone now has a blog, I decided to create one so as not to be left out. 🙂
Actually, this is not the only reason why I am starting this. I plan to share some thoughts and information related to ossec, log analysis, HIDS and security in general.