Michael Starks had the great idea to get everyone together and organize the third annual week of ossec. Last year we had many contributions and we hope to have even more on this one.

These are just some of the posts we had in the first 2 days:

• 3WoO: OSSEC Documentation by Dan Parriott
• Mapping OSSEC Alerts with AfterGlow by Xavier Mertens
• 3WoO: Alerting on DNS (IP Address) changes by Daniel B. Cid
• 3WoO Day 2: Calculating Your EPS By Michael Starks

Dan Parriott is also keeping an update list of articles here: Third Annual Week of OSSEC

If you are writing something about OSSEC, let me know I will add it in here too.

In our effort to fully support IPv6, the OSSEC.net web site is now IPv6 ready as well:

$ host -t AAAA ossec.net
ossec.net has IPv6 address 2001:470:1c:6f1::2

So if you have IPv6, try it out and let us know if you find any issues.

This has been a long release cycle, but it is here now with some good new features and very stable (thanks to our beta users). Our manual for the new version is also live at http://www.ossec.net/doc/.

What is new?

1. Added IPv6 support
2. Lots of new rules (OpenBSD, Clamav, BRO-ids, active response logs, etc, etc)
3. Added os-authd – For automatically creating and setting up the agent keys
4. Added CEF support to client syslog
5. Improved reporting for file changes
6. Added option to Block repeated offenders with OSSEC
7. Many bug fixes

And a lot more. You can download the new version from: http://www.ossec.net/main/downloads.

This was also the release with the biggest number of contributors and we have to thank them all for the help.

Specially to Dan Parriott for all the work on the rules and documentation, Michael Starks for lots of new rules, Jeremy Rossi, the guys over at Atomicorp, Christopher Moraes, Xavier Mertens, Scott R. Shinn, Dean Proctor, Jason Frisvold, Paul Southerington, Anh Ky Huynh, Trey Dockendorf and many others. If I missed anyone, let me know and I will fix it.

Thanks!
Daniel B. Cid (in name of the OSSEC + Trend team)

• Improved reporting for file changes (syscheck) by Daniel Cid
• Emergency Phone Number Dialed (good use of OSSEC) by Michael Starks
• A request to cloud providers: Give us the logs By Gudado
• Encrypting OSSEC Alert Emails by Dan Parriott
• OSSEC speaks ArcSight by Xavier Mertens
• Using OSSEC for FIM (file integrity monitoring) by Steve R. Smith
• Protecting web servers with OSSEC by Treydock
• OSSEC training (pdf) by colorado.edu (don’t know the authors name)

That’s it. Some good reading for the weekend.

• Blackhat OSSEC workshop by Wim Remes and Xavier Mertens
• Building an OSSEC decoder from scratch by Wim Remes
• Every Windows Security Event Log Documented by Michael Starks
• Blocking repeated offenders with OSSEC by Daniel Cid
• Tracking Malicious IP & Users with OSSEC by Xavier Mertens
• Splunk for OSSEC – v4 released by Splunk

That’s it. If we missed something, let us know.

• Auditing MySQL DB Integrity with OSSEC by by Xavier Mertens
• Sending OSSEC events safely to the cloud (loggly) by Xavier Mertens
• Security Onion: OSSEC and Sguil working together by Doug Burks
• Automatically creating and setting up the agent keys by Daniel Cid
• How to completely automate ossec deployment via puppet by Myron Davis
• OSSEC was represented at the SANS log analysis summit (Dec 2010) by Daniel Cid

That’s it. If I missed something, let me know.

These are some of the blog posts and discussions so far. If I missed something, let me know and I will add to here.

Day 4:
2WoO Day 4: Five Tips & Tricks for OSSEC Ninjas! – Michael Starks
OSSEC Award daemon – Daniel Cid
Work in Progress OSSEC Rules – Dan Parriott
Second Annual Week of OSSEC Roundup: Day 4 – Dan Parriott
WoO Day 4 : Spot the Difference – Jason Frisvold
Mailing list discussion: Day 4: What bugs you: problems, challenges and room for improvement. – More than 15 responses

Day 3:
WoO Day 3 : Meet The Agent – Jason Frisvold
OSSEC decoders 101 – Dan Parriott
2WoO: Contributing and participating in the OSSEC community – Daniel Cid
Abusing OSSEC the Countermeasures – Michael Starks
Second Annual Week of OSSEC Roundup: Day 3 – Dan Parriott
Using Bigfix for mass deployments of OSSEC – Shawn Jefferson

Day 2:

This Blog is Monitored by OSSEC by Xavier Mertens
WoO Day 2 : In The Beginning … by Jason Frisvold
2WoO Day 2: Abusing OSSEC by Michael Starks
Second Week of OSSEC Roundup: Day 1 by Dan Parriott
Second Week of OSSEC Day 2: Rule 1002 by Dan Parriott
Mailing list discussion: Day 2: Tell your story. How has OSSEC helped you?

Day 1:
Crowdsourcing Log Integrity & Non-repudiation by Michael Starks
WoO Day 1 : Introduction to OSSEC by Jason Frisvold

Day -2:
OSSEC v2.5.1 released – by Daniel Cid
Chapters of the OSSEC book opened – by Syngress

Some other articles (not part of the week of OSSEC) that can be useful:
OSSEC by Russ McRee

Thanks!

Michael Starks had the great idea to get everyone together and organize the second annual week of ossec. Last year he was the only one participating, but this year we hope to have many contributions.

To get started, Syngress decided to help out and release a few chapters of the OSSEC book for free. Plus, they are giving 30% off the book for anyone interested. Just go here and use the promotion code “43663″.

The PDF’s for the book can be downloaded here:

  Chapter 2 – Installation
  Chapter 3 – General configuration
  Chapter 4 – Writing log analysis rules

For updates on the Week of OSSEC, I will be “tweeting” new articles: @danielcid and @ddpbsd as well.

Some blogs to follow for updates:

  Michael Stark
  Daniel Cid’
  Dan Parriott
  Xavier Mertens (he already started with a nice post).
  Jason Frisvold
  David Dede

And I am sure many others. If you plan on contributing, send me a note and I will add your blog/twitter link here.

This has been a long release cycle (5 months), but it comes out pretty stable and with many new features. We also had many contributors, showing how much our community is growing and getting stronger. In addition to that, our documentation and manual has been moved to http://www.ossec.net/doc/ .

What is new?

1. Added support for “report_changes” on syscheck to show what was changed in the file modification alert.
2. Added support for cdb lists inside the rules.
3. Added support for drop-in rules and decoders directory.
4. Added a Rule unit testing framework (in python) and inside logtest
5. Added support for a generic multi-line log reader.
6. Added granular Windows rules.
7. Added option to restrict integrity checking to a set of files.
8. Added alias option to the command monitoring.
9. Added silent switch for windows installer.
10. Added variable expansion in command output monitoring.
11. Fixed several windows installer bugs.

And a lot more. Check the full change log here.

Download the new version from http://www.ossec.net/main/downloads

*Special thanks to Jeremy Rossi, Dan Parriott, Scott R. Shinn and Michael Starks for the many contributions, patches and tests.

Trend Micro SecureCloud compliments OSSEC in securing the data in the cloud while checking if OSSEC is being used on the host in the cloud. We would like to invite the OSSEC community that is using cloud services to the SecureCloud beta.

SecureCloud provides the following features:

• Access control.
• Security information and event logging for the cloud.
• Control over own security regardless of hosted provider security controls.
• Protection from unauthorized access to data.
• Privacy of data.
• Data portability.
• Adherence to enterprise policy controls.

Sign up today for the beta!

www.trendbeta.com