OSSEC - HIDS

AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
Hi Folks,

Anyone out there using this? www.ossec.net . It looks pretty good for a free product and I'm just beginning to test it myself for possible deployment on our servers. I'm going through Syngress' "OSSEC Definitive Guide..." at the moment trying to absorb it.

Sooo, good.... bad...ugly?
We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?

Comments

  • AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    No no, don't all reply at once you might hurt yourselves icon_twisted.gif

    Well I finally got a test server and a few agents running properly and so far so good. No fancy network or application layer shims but then it is 'just' a HIDS and of course it's free. Quite a solid product actually and once I dusted off my woefully underused (Read: "crap") Linux chops it was easy enough to setup, just ran into one issue with DNS resolution of my SMTP server. I'm going to eventually deploy this to centrally monitor/email-alert for about 50 Windows and 2 Linux servers, Snort, Symantec AV and hopefully the Cisco devices over time (eventually adding active response on those)....as I presume that nice new Cisco MARS I asked for this year will be a no show.

    If anybody else has any interest in this I'd be happy to update this with progress reports and any gotchas over time.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • marco71marco71 Member Posts: 152 ■■■□□□□□□□
    yep, I used linux version couple of years ago... was pretty nice and all mail-reports were helpful
  • JDMurrayJDMurray Admin Posts: 13,089 Admin
    You might want to look at VMOSSIM instead. I'm evaluating it right now.
  • AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    Hmmmm....new toy to play with :D. My main goal here is for a lightweight HIDS and OSSEC does fit that bill but the extra features in VMOSSIM look very nice. I was planning on implementing OSSEC later in June when I visit the datacenter and also migrating the Snort box there to Linux since I finally learned enough of that to move it away from Win32 and recover a server license, I think maybe putting VMOSSIM on the old-Win32/new-Linux snort box would be well worth it. Thanks JD.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • RTmarcRTmarc Member Posts: 1,082 ■■■□□□□□□□
    JDMurray wrote:
    You might want to look at VMOSSIM instead. I'm evaluating it right now.
    Do you have the ISO for this? I tried downloading it from the VMware Virtual Appliance section but I come up with an empty page.
  • AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    The VM hasn't been updated in a long time. Go to www.ossim.com and you can get the CD ISO. It's a very easy initial setup so the VM is kinda pointless - be prepared for a big learning curve though but it's worth it imho. I'm still working on it and have all the tools working properly and have just begun actually reconfiguring OSSIM itself to make sense of the data.
    It's also a resource hog :). The forums are a very good resource though, better than the docs in most cases.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • sexion8sexion8 Member Posts: 242
    Ahriakin wrote:
    Hi Folks,

    Anyone out there using this? www.ossec.net . It looks pretty good for a free product and I'm just beginning to test it myself for possible deployment on our servers. I'm going through Syngress' "OSSEC Definitive Guide..." at the moment trying to absorb it.

    Sooo, good.... bad...ugly?

    I used to use it exclusively before I threw up OSSIM - which uses OSSEC in it. As a standalone it's a pretty good tool used with OSSIM's reporting, monitoring capabilities and it has the potential to be a really good SEIM however you have to get used to the amounts of false positives it can report. You can tweak all day till your eyes turn blue but when doing assessments, be prepared to be overwhelmed. Also, if you're not used to configuring enterprise like managements tools, you can become lost in the sauce with the amount of things they put into to.
    "Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth." - Marcus Aurelius
Sign In or Register to comment.