• Centralized configuration - The agent.conf file was introduced to allow granular configuration of the agents directly on the manager side.
• Remote agent restart - Functionality was added to restart the agents remotely using the agent_control tool.
• Real time integrity checking - Real time integrity checking was added to Linux systems.
• New Log Rules Support - We added support for Windows DHCP logs and fixed/improved many of the other rules for different messages.

And much more… Check the changelog to see all changes and contributors.

Download it from: http://www.ossec.net/main/downloads .

Special thanks to Chris Bailes, Matt Goldsberry, phishphreek, Michael Starks, Danny Fullerton, Slava Semushin and Peter Wolanin for helping with this release.

In the open source world some projects have taken on beloved status by their loyal user base. OSSEC is one of them, and for good reason.

For those of you unfamiliar, OSSEC (pronounced Oh-Sec) is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

Over a year and a half ago I was tasked to review OSSEC as a potential acquisition for Third Brigade. I was of course, sufficiently impressed with OSSEC’s capabilities, but I was surprised at the level of respect it had developed in the community. I was curious as to why OSSEC had such a solid reputation.

Recently I have gotten to know the man who literally wrote the book on OSSEC, Andrew Hay. Andrew is a well respected figure in the security community and has authored several security texts in addition to his daily blogs. He thinks, “The key drivers to the product are 1) the cost, 2) the ease to deploy, and 3) the community wrapped around it”.

It’s true, like other popular open source security projects (like Snort), OSSEC has a strong community. Its members get involved by contributing to the wiki, communicating on the mailing-list, and discussing OSSEC on Twitter (where Andrew tries to get anyone who mentions OSSEC to buy his book).

I asked Wim Remes, who recently posted OSSEC in a Nutshell on his blog, and he said OSSEC succeeds because “it’s cross-platform, it’s free (the software is … not the implementation), it’s giga-flexible, it does what it promises to do”. ‘Giga-flexible’, I like that word. I’ll have to trademark it before Wim does! :) These sentiments are shared by many who have given OSSEC a try.

The acclaim for OSSEC extends to the press as well. In ‘07 LinuxWorld named OSSEC the #1 Open Source Security Tool. They explained, “The OSSEC HIDS project has been gaining widespread use and is quickly being deployed within organizations around the world as a method of protecting systems at the host level after attacks have made it past network defenses”. Recently ZDnet also covered OSSEC saying, “Danen singles out OSSEC as a solid, cross-platform tool for intrusion detection”. The OSSEC website has a large list of awards and reviews.

Clearly OSSEC is a solid, cross-platform piece of software at an unbeatable price, but it takes more than that to build a loyal following.

I think the real reason for OSSEC’s success is its creator Daniel Cid, and his roots.

The seeds for OSSEC were planted back when Daniel was a security engineer. He found that in his job he lacked information about the hosts he was protecting and started writing scripts that would give him a better picture of the state of the network. Because Daniel came from an operations background rather than a pure development background, he writes software to solve real problems he actually faced.

Still, it takes more than a problem solver. When I first met Daniel he was working a full time job, OSSEC was a side project. It was clear that he really cared about the project and supporting OSSEC users event if it meant many grueling nights and weekends. Users would send him new log samples to deal with and on his own time Daniel would dissect the logs, create decoders and rank the security relevant events. Daniel answers every email, deals with every bug, and considers every enhancement request. It doesn’t hurt that he’s a genuinely nice guy too!

So OSSEC’s real popularity comes from the fact that it does what users want it to do. That sounds like an incredibly obvious attribute which all software should strive for, but it’s much more attainable when it’s developed by someone who has been there and listens to feedback. This is something to keep in mind for all of the commercial software developers out there, like myself.

We need to walk a mile in the shoes of the end-user and listen when they have feedback.

Because of the positive experiences using OSSEC it continues to grow in popularity. Largely through word of mouth, OSSEC has grown to over 10,000 downloads a month!

Have you tried OSSEC? Maybe you’ll find that you’ll (HEART) OSSEC too.

The status of the next version of the OSSEC web interface is one of the more commonly asked questions on the mailing list and is currently #2 on the community requested feature list (http://ossec.uservoice.com).

While web interfaces are nice to have, many of us suffer from information island overload by having dedicated web interfaces for each application. This is why I was stoked when the syslog ouput feature was announced last summer (http://www.ossec.net/dcid/?p=139) and officially added in version 1.6. Now I can incorporate OSSEC alerts into my SIM/SIEM or log management tool of choice, which not only eliminates the need for a dedicated OSSEC web interface but also allows for simplified incident analysis through aggregation and correlation.

In my environment, we chose Splunk based on its quick search and endless customization. Getting OSSEC alerts into Splunk is a breeze. Just grab the free license version of Splunk, install the Splunk for OSSEC app, and point the OSSEC syslog output to your Splunk server. BAM! Instant wui 0.4.

The Splunk-for-OSSEC application is a community project that was started by myself and Elazar Broad. The initial goal of this application was to provide the same set of reports that can be obtained through ossec-reportd. From there we’ve also added several other useful features:

1. Top rules last 24 hrs
2. Top source IP last 24 hrs
3. Top user last 24 hrs
4. Bruteforce top source IP last 24 hrs
5. OSSEC rules for last hour
6. OSSEC alert levels for last 24 hrs
7. IP Geolocation lookups
8. whois lookups
9. rDNS lookups
10. web attack and bruteforce tags.

Screenshots:

OSSEC and Splunk configuration instructions

More details at the ossec wiki.

1. Inside ossec.conf add a syslog_output block specifying your Splunk system IP address and the port it is listening on:
   

   <syslog_output>
   <server>172.10.2.3</server>
   <port>10002</port>
   </syslog_output>

2. Now you need to enable the syslog_output module and restart OSSEC:
   

   #/var/ossec/bin/ossec-control enable client-syslog
   #/var/ossec/bin/ossec-control restart

3. On the Splunk side, add this stanza to inputs.conf:
   

   $SPLUNK_HOME/etc/system/local/inputs.conf

   [udp://172.10.2.4:10002] #IP address of OSSEC server
   disabled = false
   sourcetype = ossec

   By setting the sourcetype as OSSEC you’re ready to take advantage of the Splunk for OSSEC app which can be found here: http://www.splunkbase.com/apps/All/Security/app:Splunk+for+OSSEC.

4. Make sure you update any local or network firewalls that this communication is traversing and then restart Splunk.
   

   # $SPLUNK_HOME/bin/splunk restart

Splunk:
http://www.splunk.com/download

Splunk-for-OSSEC:
http://www.splunkbase.com/apps/All/Security/app:Splunk+for+OSSEC#

Feedback and feature requests are much appreciated!

If you’ve used the syslog ouput to send alerts to another SIM/SIEM or log management tool, we would love to hear from you so we can add configuration details to the wiki.

On April 29, 2009 Trend Micro announced a definitive agreement to acquire the business of Third Brigade, a privately-held security and compliance software company headquartered in Ottawa, Canada that owns the OSSEC project. The acquisition is subject to customary approvals and is expected to close in the 2nd quarter of 2009.

2. Who is Trend Micro?

Trend Micro Incorporated is a pioneer in secure content and threat management. Founded in 1988, Trend Micro provides individuals and organizations of all sizes with award-winning security software, hardware and services. With headquarters in Tokyo and operations in more than 30 countries, Trend Micro solutions are sold through corporate and value-added resellers and service providers worldwide. For additional information and evaluation copies of Trend Micro products and services, visit our Web site at www.trendmicro.com

.

3. Will OSSEC continue to be an open source project?

Yes. Trend Micro is committed to maintaining OSSEC as an open source project.

4. What impact will this acquisition have on an OSSEC user?

We don’t anticipate there will be any impact on OSSEC users from this acquisition. Like Third Brigade, Trend will help create broader awareness and further ensure the success of this thriving open source community through ongoing dedicated resources and extended support necessary for larger enterprise deployments.

5. Will Trend Micro continue to offer commercial support for OSSEC?

Yes, technical support will continue to be offered via the same two channels:

• Telephone: 8:00 am and 8:00 pm (Eastern Time), Monday to Friday.

• Email: Third Brigade provides an initial response to a customer support request within one business day.

6. How does an OSSEC user buy support?

OSSEC users that would like to purchase support should continue to contact Third Brigade sales, at 1.866.684.7332 or ossec.purchase@thirdbrigade.com.

7. How are OSSEC support requests handled?

Requests for OSSEC support should continue to be directed to Third Brigade Support at 1.866.343.8077, and ossec.support@thirdbrigade.com

Thanks!

The rootcheck page is http://www.ossec.net/rootcheck/.

How to use it

Rootcheck is a very simple software. Just download, unpack, compile and execute it. It will scan the system and print if it found or not anything.

[root@ossec ~]# wget http://www.ossec.net/rootcheck/files/rootcheck-2.0.tar.gz
[root@ossec ~]# tar -zxvf rootcheck-2.0.tar.gz
[root@ossec ~]# cd rootcheck-2.0
[root@ossec ~]# make all
[root@ossec ~]# ./ossec-rootcheck
..

Downloads

v2.0     md5sum

• Centralized configuration - The agent.conf file was introduced to allow granular configuration of the agents directly on the manager side.
• Remote agent restart - Functionality was added to restart the agents remotely using the agent_control tool.
• Real time integrity checking - Real time integrity checking was added to Linux systems
• New Log Rules Support - We added support for Windows DHCP logs and fixed/improved many of the other rules for different messages.

And much more… Check the changelog to see all changes and contributors.

Download it from: http://www.ossec.net/main/downloads .

Special thanks to Chris Bailes, Matt Goldsberry, phishphreek, Michael Starks, Danny Fullerton, Slava Semushin and Peter Wolanin for helping with this release.

New features that will be introduced in version 2.0 are:

• Compiled Rules - Per popular demand, we are introducing the capability in the product to be able to use pre-compiled rules written in “C”. Customers who felt that the XML format for writing rules was very limiting, can now use the strong programming capabilities of C.
• Agentless Monitoring - Lot of enterprises are faced with the requirement to monitor devices where there are restrictions on Agents to be installed either because of scalability requirements or due to the lack of the native operating system support. In version 2.0, Ossec customers can perform integrity checking and real time logs inspection on remote systems (such as Linux based devices, firewall devices such as PIX and routers etc).
• New Language Support - In version 2.0, we will also start supporting Dutch
• New Log Rules Support - In version 2.0, we added support for Yum logs and fixed/improved many current rules for different messages.
• New reporting tool - In version 2.0, we added a new tool to create and help generate reports

Here is your opportunity to help shape the next release. We solicit and welcome your feedback. If there are features you will like to see in the version 2.0, Please send us an e-mail at features-request@ossec.net

For a list of features in the version 1.6, please visit: OSSEC v1.6 released.

For a list of issues that were solved, visit the Changelog.

Download it from: http://www.ossec.net/main/downloads .

Thanks!

–
Daniel B. Cid (in name of the OSSEC team).

• New multi-server architecture
• New platform support for Microsoft Vista (and Server 2008)
• New platform support for VMware ESX
• Added active response module for Windows
• CIS benchmarks on Linux (through the policy auditing)
• Added the VMWare Security hardening guideline to the policy auditing
• Added support for McAfee VirusScan Enterprise logs
• Added support for VMware ESX hostd logs
• Added support for Mac OS FTP server logs
• New tools to better manage the data stored (syscheck_control, rootcheck_control, log_test)

And much more… Check the changelog to see all changes and contributors.

Download it from: http://www.ossec.net/main/downloads .

Press release from Third Brigade: http://www.thirdbrigade.com/news_events.aspx?id=803

Special thanks to Michael Starks, Chris Buechler and Joachim Vorrath for the contributions and ChuckD (mdmonk), Daniel Medianero and John Ives for beta testing this release.

For a list of issues that were solved, visit the Changelog.

For information on the Third Brigade Acquisiton, visit: OSSEC Project Acquired.

Download it from: http://www.ossec.net/main/downloads .

Thanks to Dennis Golden, Chris Buechler, Andrew Storms and Doug Floer for the bug reports.

Thanks!

–
Daniel B. Cid (in name of the OSSEC team).