OSSEC

OSSEC

Developer(s)	Daniel B. Cid
Stable release	2.6 / Jul 19, 2011
Operating system	Cross-platform
Type	Security / HIDS
License	GNU GPL v3
Website	www.ossec.net

Computer security portal

OSSEC is a free, open source host-based intrusion detection system (IDS). It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting and active response. It provides intrusion detection for most operating systems, including Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows. It has a centralized, cross-platform architecture allowing multiple systems to be easily monitored and managed. It was written by Daniel B. Cid and made public in 2004.

Features were added to OSSEC to meet certain requirements for Payment Card Industry Data Security Standard (PCI DSS) compliance.^[1] Details can be found documented in a PDF document provided by OSSEC.^[1]

In June 2008 the OSSEC project and all the copyright owned by the project leader, Daniel B. Cid, were acquired by Third Brigade, Inc. They promised to continue to contribute to the open source community and extend commercial support and training to the OSSEC open source community.

In May 2009 Trend Micro acquired Third Brigade and the OSSEC project, with promises to keep it open source and free.

Software Components

OSSEC consists of a main application, a Windows agent, and a web interface software component.

• Main Application: The main application, OSSEC, is required for distributed network or stand-alone installations. It is supported by Linux, Solaris, BSD, and Mac environments.

• Windows Agent: The Windows Agent is provided for Microsoft Windows environments. An installation of the main application configured for server mode is required to support the Windows Agent.

• Web Interface: A separate web interface application provides a graphical user interface. Like the main application, it is supported by Linux, Solaris, BSD, and Mac environments.

Capabilities

OSSEC has a very strong log analysis engine, being able to correlate and analyze logs from multiple devices and formats. The following are currently supported:

• Unix-only:
  • Unix PAM
  • sshd (OpenSSH)
  • Solaris telnetd
  • Samba
  • Su
  • Sudo

• FTP servers:
  • ProFTPd
  • Pure-FTPd
  • vsftpd
  • Microsoft FTP Server
  • Solaris ftpd

• Mail servers:
  • Imapd and pop3d
  • Postfix
  • Sendmail
  • vpopmail
  • Microsoft Exchange Server

• Databases:
  • PostgreSQL
  • MySQL

• Web servers:
  • Apache HTTP Server (access log and error log)
  • IIS web server (NSCA and W3C extended)
  • Zeus Web Server errors log

• Web applications:
  • Horde IMP
  • SquirrelMail
  • Modsecurity

• Firewalls:
  • Iptables firewall
  • Solaris IPFilter firewall
  • AIX ipsec/firewall
  • Netscreen firewall
  • Windows Firewall
  • Cisco PIX
  • Cisco FWSM
  • Cisco ASA

• NIDS:
  • Cisco IOS IDS/IPS module
  • Snort IDS (snort full, snort fast and snort syslog)

• Security tools:
  • Symantec AntiVirus
  • Nmap
  • Arpwatch
  • Cisco VPN Concentrator

• Others:
  • Named (BIND)
  • Squid proxy
  • Zeus eXtensible Traffic Manager

• Windows event logs (logins, logouts, audit information, etc.)
• Windows Routing and Remote Access logs
• Generic unix authentication (adduser, logins, etc.)

References

1. ^ ^{a b} http://www.ossec.net/ossec-docs/ossec-PCI-Solution.pdf

• OSSEC Documentation
• OSSEC Manual (outdated)
• OSSEC Project acquired
• Third Brigade Acquires OSSEC Open Source HIDS Project
• Trend Micro Acquires Third Brigade and OSSEC

External links

Free software portal

• Official website
• OSSEC Wiki
• Q&A with OSSEC founder Daniel B. Cid
• OSSEC Agentless scripts
• Week of OSSEC tips