Posts Tagged ‘HIDs’

Introducing OSSEC

August 7th, 2009

Anyone who knows me professionally knows better than to start asking questions about log analysis or OSSEC. They know I’m unlikely to stop talking for quite a while, rambling away at all they’re missing out on by not using it. I thought it might be a good idea to post a general introduction to OSSEC and how I came to use it.

For the uninitiated, OSSEC is an open source HIDs, or Host-based Intrusion Detection software. OSSEC watches your logs for signs of intrusion, system availability problems or things that just don’t look right. It monitors your files and network devices for changes, your system for rootkits and can even block attackers in near real-time. OSSEC supports dozens of log formats and has hundreds of rules to detect the bad guys. It works on Windows and just about any ‘nix out there, all centrally managed. Connections with agents are encrypted and authenticated, or if you don’t want to use agents, that’s OK, too. Did I mention that it’s free?

I came across OSSEC several years ago when I was searching for a replacement for our commercial HIDs. We had been having problems for quite a while and it looked like things weren’t going to improve any time soon. The budget was limited and I was tasked with finding a low-cost but effective solution that was cross-platform.

Most of the free and low-cost solutions I came across were heavily file-integrity oriented and mostly worked only on ‘nix. Almost none were centrally manageable. In short, while they could be useful for certain, limited purposes, they weren’t real HIDs.

I came across OSSEC and it advertised literally everything I needed at the time. A bit skeptical, I tried it out at home for a few months before I recommended it to my employer. After a short demo and proof-of-concept, we were up and running. It wasn’t long before we were managing almost 100 servers.

Surprisingly, I was getting much more useful information from OSSEC than I did from the commercial HIDs. What OSSEC lacked in presentation, it more than made up for in actual useful, actionable information. I got alerts which indicated things I really wanted to know about. And the more I tuned, the more relevant it became. I was expecting to have to make considerable concessions by not using a commercial HIDs; what I didn’t expect was to get far more value for free.

I have continued to use OSSEC to this day not only because it’s a fine piece of software, but because of the helpfulness of the community and its creator, Daniel Cid. I continue to contribute so as to give back to the community and to help others defend against the bad guys.

If you haven’t used OSSEC, maybe it’s time to take a look. You may find that it is the best option for your unique requirements, free or not.