- Jun 13, 2000
OSSEC is a HIDS/LIDS system (Host-based Intrusion Detection System / Log-based Intrusion Detection System).
www.ossec.net
I'm going to start off by saying I really like this product. What it does is read your logs for you and detect trends in them based on pre-defined rules. The rules are rated by different alert levels and the system can be configured to email you if a rule is violated. I'm starting to like the program because it's allowing me to get very close to real-time feedback.
My standard health scripts always run daily or weekly via cron and don't give me the same kind of information.
OSSEC tells me if a particular client has attempted to access multiple pages via Apache that don't exist...or when a new user logs in...or when someone accesses ssh. These are all things that you can find in the logs, but they're also things that often get buried. OSSEC's ratings make it much easier to distinguish what's really going on.
Does anyone else use it? I've configured the WebGUI on 2 Linux servers....one monitors the Linux agents and one monitors the Windows agents (DCs create a lot of login/logoff nonsense...so I separated them from the Linux agents for better clarity and easier sorting)
* I just wanted to add that if you do use the WebGUI....don't forget to limit access via a password (htaccess or otherwise) or via iptables. If a hacker were to figure out that you're running OSSEC, they would have a pretty clear picture of what's going on in your logs when they run an attack on the server. Typically in Linux, many log files cannot be viewed unless you're root for that very reason....
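The post describes OSSEC flagging a client that requests multiple non-existent Apache pages and escalating it through alert levels. The following is an added example, not OSSEC's own code or rules: a small log-based detector that parses Apache combined-format access log lines, counts 404 responses per client IP inside a sliding time window, and assigns an alert level once thresholds are crossed. The sample log lines are constructed here, and the window size, thresholds and level numbers are assumptions chosen for illustration rather than OSSEC's real rule values.

```python
"""
Added example (not OSSEC's own code): a minimal log-based detector in the
spirit of the forum post above. It reads Apache combined-format access log
lines, counts 404 responses per client IP inside a sliding time window, and
rates the result with an alert level, the way OSSEC escalates repeated
"page not found" hits from one source. Sample log lines are constructed;
the window, thresholds and levels are assumptions, not OSSEC's values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log format: ip - user [time] "request" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed thresholds: N 404s from one IP within WINDOW_SECONDS -> alert level.
WINDOW_SECONDS = 120
LEVELS = [(20, 10), (10, 6), (5, 4)]   # (count, level), highest checked first


def parse_line(line):
    """Return (ip, timestamp, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), TIME_FMT)
    return m.group("ip"), ts, int(m.group("status"))


def level_for(count):
    """Map a 404 count inside the window to an alert level (0 = no alert)."""
    for threshold, level in LEVELS:
        if count >= threshold:
            return level
    return 0


def detect_404_bursts(lines):
    """Scan log lines in order; return dict ip -> highest alert level reached."""
    recent = defaultdict(deque)   # ip -> timestamps of recent 404s
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # unparseable lines are skipped, not fatal
            continue
        ip, ts, status = parsed
        if status != 404:
            continue
        q = recent[ip]
        q.append(ts)
        # Drop 404s that fell out of the sliding window.
        while (ts - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        lvl = level_for(len(q))
        if lvl > alerts.get(ip, 0):
            alerts[ip] = lvl
    return alerts


# Constructed sample: one client probing six missing pages in a few seconds,
# a second client with a single 404 and a normal 200, and one garbage line.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Jun/2000:10:00:%02d +0000] "GET /admin%d.php HTTP/1.0" '
    '404 209 "-" "probe"' % (i, i)
    for i in range(6)
] + [
    '198.51.100.2 - - [13/Jun/2000:10:00:30 +0000] "GET /missing.html HTTP/1.0" '
    '404 209 "-" "Mozilla"',
    '198.51.100.2 - - [13/Jun/2000:10:00:31 +0000] "GET /index.html HTTP/1.0" '
    '200 1043 "-" "Mozilla"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, level in detect_404_bursts(SAMPLE_LOG).items():
        print("alert level %d: multiple 404s from %s" % (level, ip))
```

Run as a script it reports only the probing client at level 4; the client with a single 404 stays below the lowest threshold and produces no alert, which is the "buried in the logs versus rated" distinction the post makes.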