Internet Storm Center Infocon Status The Internet Traffic Report monitors the flow of data around the world. It then displays a value between zero and 100. Higher values indicate faster and more reliable connections.

Oct 12, 2006

OSSEC Host-based Intrusion Detection

I've used a lot of different file integrity monitoring programs (Samhain, Osiris, and Tripwire just to name a few), and I've messed with a number of different programs for log parsing and event correlation. Then I found , which takes all of these things to an entirely new level. Now instead of having to manage multiple different softare packages, I can do it in one. But that's not the coolest thing. OSSEC will allow you to monitor syslog and Windows event logs as well as Apache, IIS, Snort, and numerous other logs from a single location, and it has a very robust set of rules to do event correlation. If you are so inclined, you can even take advantage of the Active Response option and have OSSEC disable accounts, drop in firewall rules, etc., etc. Plus it does file integrity monitoring on top of it all.

The server must be installed on a Linux or UNIX box, but the agent installs on just about anything, including the ubiquitous Windows platform. The agents can be configured to encrypt all of their communication with the server, or for systems that you can't install the agent (networking gear, for example), you can configure syslog on these devices to forward their syslog entries to the OSSEC server. OSSEC then seemlessly integrates all of these and creates a single, cohesive alerts file as well as breaking down alerts into daily files for easy review. Overall, very impressive. My only complaint is the reporting. The alerts file is fairly straight forward, but it is a flat text file. OSSEC comes with a few contrib scripts that will generate some text reports for you, but again, just flat text files. Ideally, I'd like to see a way to generate HTML reports (both summary and detailed reports) that are much better for sending to management and/or those who are less technically inclined. I suspect I'll probably end up writing such a tool myself as I have been unable to find one.

At any rate, OSSEC is very powerful and very cool. It does a lot of stuff very effectively, very thoroughly, and relatively easily. Check it out.

AddThis Social Bookmark Button

Labels: , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)