OSSEC - HIDS

Hi Folks,

Anyone out there using this? www.ossec.net . It looks pretty good for a free product and I'm just beginning to test it myself for possible deployment on our servers. I'm going through Syngress' "OSSEC Definitive Guide..." at the moment trying to absorb it.

Sooo, good.... bad...ugly?

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

Ahriakin

No no, don't all reply at once you might hurt yourselves

Well I finally got a test server and a few agents running properly and so far so good. No fancy network or application layer shims but then it is 'just' a HIDS and of course it's free. Quite a solid product actually and once I dusted off my woefully underused (Read: "crap") Linux chops it was easy enough to setup, just ran into one issue with DNS resolution of my SMTP server. I'm going to eventually deploy this to centrally monitor/email-alert for about 50 Windows and 2 Linux servers, Snort, Symantec AV and hopefully the Cisco devices over time (eventually adding active response on those)....as I presume that nice new Cisco MARS I asked for this year will be a no show.

If anybody else has any interest in this I'd be happy to update this with progress reports and any gotchas over time.

marco71

yep, I used linux version couple of years ago... was pretty nice and all mail-reports were helpful

JDMurray

You might want to look at VMOSSIM instead. I'm evaluating it right now.

Ahriakin

Hmmmm....new toy to play with

. My main goal here is for a lightweight HIDS and OSSEC does fit that bill but the extra features in VMOSSIM look very nice. I was planning on implementing OSSEC later in June when I visit the datacenter and also migrating the Snort box there to Linux since I finally learned enough of that to move it away from Win32 and recover a server license, I think maybe putting VMOSSIM on the old-Win32/new-Linux snort box would be well worth it. Thanks JD.

RTmarc

JDMurray wrote:

You might want to look at VMOSSIM instead. I'm evaluating it right now.

Do you have the ISO for this? I tried downloading it from the VMware Virtual Appliance section but I come up with an empty page.

Ahriakin

The VM hasn't been updated in a long time. Go to www.ossim.com and you can get the CD ISO. It's a very easy initial setup so the VM is kinda pointless - be prepared for a big learning curve though but it's worth it imho. I'm still working on it and have all the tools working properly and have just begun actually reconfiguring OSSIM itself to make sense of the data.
It's also a resource hog

. The forums are a very good resource though, better than the docs in most cases.

sexion8

Ahriakin wrote:

Hi Folks,

Anyone out there using this? www.ossec.net . It looks pretty good for a free product and I'm just beginning to test it myself for possible deployment on our servers. I'm going through Syngress' "OSSEC Definitive Guide..." at the moment trying to absorb it.

Sooo, good.... bad...ugly?

I used to use it exclusively before I threw up OSSIM - which uses OSSEC in it. As a standalone it's a pretty good tool used with OSSIM's reporting, monitoring capabilities and it has the potential to be a really good SEIM however you have to get used to the amounts of false positives it can report. You can tweak all day till your eyes turn blue but when doing assessments, be prepared to be overwhelmed. Also, if you're not used to configuring enterprise like managements tools, you can become lost in the sauce with the amount of things they put into to.