Author Topic: OSSEC is an Open Source Host-based Intrusion Detection System  (Read 1781 times)


Software Santa

  • Administrator
  • Posts: 4271
OSSEC is an Open Source Host-based Intrusion Detection System

Quote
Welcome to the Home of OSSEC

OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows.

OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS). It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response.

It runs on most operating systems, including Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows. A list with all supported platforms is available here.

OSSEC is free

OSSEC is free software and will remain so in the future; you can redistribute it and/or modify it under the terms of the GNU General Public License (version 3) as published by the FSF - Free Software Foundation. More details here.
Awards and Reviews

The OSSEC project has received some pretty good awards/reviews in the past. Check them out on our Awards page.

Easy to install

OSSEC is multi-platform and can be easily installed on most operating systems. Just follow some of our Install guides if you need some help.

Widely used

OSSEC is a growing project, with more than 5,000 downloads per month on average. It is being used by ISPs, universities, governments and even large corporate data centers as their main HIDS solution. In addition to being deployed as an HIDS, it is commonly used strictly as a log analysis tool, monitoring and analyzing firewalls, IDSs, web servers and authentication logs.

Active Development

OSSEC has a very active development, with a release cycle of every 3/4 months. Bugs and feature requests can be sent through our bugzilla or mailing lists and we will do our best to solve them. If you are interested in being a part of this project, we are always open to new contributors. Check out our FAQ entry “How to start helping with the project?” for more information.

Commercial Support

If you need enterprise-class commercial support for OSSEC, Trend Micro, the company behind this great open source project, offers this option to our users.

OSSEC Architecture

OSSEC is composed of multiple pieces. It has a central manager monitoring everything and receiving information from agents, syslog, databases and from agentless devices.


Manager

The manager is the central piece of the OSSEC deployment. It stores the file integrity checking databases, the logs, events and system auditing entries. All the rules, decoders and major configuration options are stored centrally in the manager, making it easy to administer even a large number of agents.


Agents

The agent is a small program installed on the systems you desire to monitor. It will collect information in real time and forward it to the manager for analysis and correlation. It has a very small memory and CPU footprint by default, not affecting the system’s usage.

Agent security: It runs with a low privilege user (created during the installation) and inside a chroot jail isolated from the system. Most of the agent configuration is pushed from the manager, with just some options stored locally on each agent. In case these local options are changed, the manager will receive the information and will generate an alert.


Agentless

For systems on which you can’t install an agent, OSSEC allows you to perform file integrity monitoring without the agent installed. It can be very useful to monitor firewalls, routers and even Unix systems where you are not allowed to install the agent.


Virtualization/Vmware

OSSEC allows you to install the agent on the guest operating systems or inside the host (Vmware ESX). With the agent installed inside the VMware ESX you can get alerts about when a VM guest is being installed, removed, started, etc. It also monitors logins, logouts and errors inside the ESX server. In addition to that, OSSEC performs the CIS checks for Vmware, alerting if there is any insecure configuration option enabled or any other issue.


Firewalls, switches and routers

OSSEC can receive and analyze syslog events from a large variety of firewalls, switches and routers. It supports all Cisco routers, Cisco PIX, Cisco FWSM, Cisco ASA, Juniper Routers, Netscreen firewall, Checkpoint and many others.


Architecture

This diagram shows the central manager receiving events from the agents and system logs from remote devices. When something is detected, active responses can be executed and the admin is notified.

[Diagram: OSSEC Architecture]
Internal Architecture

For technical and deep detailed information on how it works, please read the following documents:

OSSEC log analysis/inspection architecture - by Daniel Cid

Support

Everyone knows that support and technical expertise are critical in ensuring the success of any product deployment. With an open source project this is not different. If you need enterprise-class commercial support for OSSEC, Trend Micro, the company behind this great open source project, offers this option to our users.

The Manual:  http://www.ossec.net/main/manual/

http://www.ossec.net
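The quoted page describes the manager keeping "file integrity checking databases" and the agents reporting changes against them. The following is an added example, not OSSEC's own code, showing the idea behind that check in miniature: build a baseline of SHA-256 hashes and permission bits for a directory tree, re-scan later, and report files that were added, deleted, modified, or had their permissions changed. The directory layout and file contents in demo() are constructed for the example; the function and variable names are this example's own, not OSSEC's.

```python
import hashlib
import os
import tempfile


def hash_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk `root` and record hash, size and permission bits per file.

    Paths are stored relative to `root` with '/' separators so the
    baseline can be compared regardless of host platform.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            st = os.stat(path)
            baseline[rel] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
            }
    return baseline


def compare(baseline, current):
    """Diff two baselines and return a sorted list of (event, path) alerts."""
    alerts = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            alerts.append(("added", rel))
        elif new is None:
            alerts.append(("deleted", rel))
        elif old["sha256"] != new["sha256"]:
            # Content change is the most important signal; report it first.
            alerts.append(("modified", rel))
        elif old["mode"] != new["mode"]:
            alerts.append(("permissions_changed", rel))
    return alerts


def _write(root, rel, data):
    """Helper: create `rel` under `root` (with parent dirs) holding `data`."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo():
    """Constructed scenario: take a baseline, change the tree, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample tree standing in for monitored system files.
        passwd = _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        sshd = _write(root, "etc/ssh/sshd_config", b"PermitRootLogin no\n")
        ls = _write(root, "bin/ls", b"\x7fELF-placeholder\n")
        os.chmod(sshd, 0o600)

        baseline = build_baseline(root)

        # Simulated changes an integrity check should surface.
        with open(passwd, "ab") as f:
            f.write(b"svc:x:1001:1001::/home/svc:/bin/sh\n")  # modified
        os.remove(ls)                                             # deleted
        _write(root, "etc/cron.d/new_job", b"* * * * * root /bin/true\n")  # added
        os.chmod(sshd, 0o644)                                     # permissions changed

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for event, path in demo():
        print(f"ALERT {event}: {path}")
```

In a real deployment the baseline would be stored on the manager rather than beside the files, so that an attacker who alters a monitored host cannot also rewrite the database that the comparison relies on; that separation is what the quoted architecture section is describing.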
