By Denise Dubie
IT managers who want to get a handle on their security logs but don't
have the budget for big-ticket software can check out an updated version
of the open source, host-based intrusion-detection system OSSEC.
OSSEC Version 1.1 performs log analysis, integrity checking, Windows
registry monitoring, rootkit detection, time-based alerting and active
response. Daniel Cid, lead developer and author of OSSEC, says the
software is both an IDS as well as a log analysis and correlation tool,
similar to products in the security event management market.
"The project was created in 2004, but it started to gain a lot of
attention only at the end of 2005," Cid reports.
Cid this week made available Version 1.1, which he says adds features
such as e-mail alerting, advanced log analysis and an active response
mechanism to thwart attackers. This version includes "more advanced
log-analysis rules for improved correlation and analysis," as well as
new active response features that use "route null" to block detected
attackers, he says.
OSSEC uses a client/server model with server software at a central
location and distributed agent technology on managed devices. The
software monitors file and directory modifications, provides
accountability by storing authentication information, and triggers user
alerts on failed authentication or questionable user additions.
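The two behaviours described above, failed-authentication correlation and file integrity checking, as an added example written for this article rather than code from OSSEC or its author: it parses a few constructed sshd log lines, raises an alert when one source address reaches a threshold of failed logins inside a time window, and compares SHA-256 hashes of file contents against a stored baseline to report modified, added and removed files. The log lines, file contents, threshold, window and function names are all assumptions made for the illustration.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not taken from the article or from OSSEC).
SAMPLE_AUTH_LOG = """\
Mar 10 12:00:01 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 4001 ssh2
Mar 10 12:00:03 host1 sshd[2002]: Failed password for root from 203.0.113.7 port 4002 ssh2
Mar 10 12:00:04 host1 sshd[2003]: Failed password for root from 203.0.113.7 port 4003 ssh2
Mar 10 12:00:06 host1 sshd[2004]: Failed password for root from 203.0.113.7 port 4004 ssh2
Mar 10 12:00:07 host1 sshd[2005]: Failed password for root from 203.0.113.7 port 4005 ssh2
Mar 10 12:00:09 host1 sshd[2006]: Accepted password for alice from 198.51.100.4 port 5001 ssh2
Mar 10 12:30:00 host1 sshd[2010]: Failed password for bob from 198.51.100.9 port 5002 ssh2
"""

# Matches the classic OpenSSH "Failed password" message; other formats would need their own pattern.
FAILED_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port"
)


def parse_failed_logins(log_text, year=2007):
    """Return a list of (timestamp, user, source_ip) for each failed sshd login.
    Syslog lines carry no year, so the caller supplies one (assumption: 2007)."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events


def correlate_failed_logins(events, threshold=5, window=timedelta(minutes=2)):
    """Sliding-window correlation: one alert per source address whose failures
    reach `threshold` within `window`. Returns (source_ip, count, first_ts, last_ts)."""
    by_src = defaultdict(list)
    for ts, _user, src in sorted(events):
        by_src[src].append(ts)
    alerts = []
    for src, stamps in by_src.items():
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until the burst fits inside `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((src, end - start + 1, stamps[start], stamps[end]))
                break  # one alert per source; a real system would rate-limit instead
    return alerts


# Constructed file contents standing in for a monitored host (baseline vs. current scan).
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
}
CURRENT_FILES = {
    # An extra uid-0 account appeared: the "questionable user addition" case.
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nsvc:x:0:0::/:/bin/sh\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/tmp/.cache": b"unexpected new file\n",
}


def baseline_hashes(files):
    """Map each path to the SHA-256 hex digest of its contents (the stored baseline)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def integrity_check(baseline, current_files):
    """Compare a stored baseline against current contents; report what changed."""
    now = baseline_hashes(current_files)
    return {
        "changed": sorted(p for p in baseline if p in now and now[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in now),
        "added": sorted(p for p in now if p not in baseline),
    }


if __name__ == "__main__":
    for src, count, first, last in correlate_failed_logins(parse_failed_logins(SAMPLE_AUTH_LOG)):
        print(f"ALERT: {count} failed logins from {src} between {first:%H:%M:%S} and {last:%H:%M:%S}")
    print(integrity_check(baseline_hashes(BASELINE_FILES), CURRENT_FILES))
```

The integrity half keeps file contents in memory only so the example runs offline; a real agent would walk the filesystem on a schedule, persist the baseline somewhere the monitored host cannot rewrite, and forward both the alerts and the hash deltas to the central server the article describes.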
The software runs on most operating systems, including Linux, OpenBSD,
MacOS, Solaris and Windows. Users install the software on a server and
then the agent is deployed on client machines using a Windows
"It has a centralized architecture, allowing one central server to
manage and monitor the logs and integrity data from multiple agents,"
Cid explains. "The server/agent communication is encrypted/compressed so
it saves a lot of bandwidth and keeps the privacy of the log data in
The software also allows a local installation for users that are not
interested in the server/agent architecture or just have one system to
monitor. This release also adds support for Microsoft IIS 6, Cisco VPN
concentrator, Cisco PIX VPN AAA, Cisco FWSM and Solaris 10 logs.
OSSEC Version 1.1 is available free for download under the GNU General
Copyright 2007 Network World Inc.