Trend Micro SecureCloud compliments OSSEC in securing the data in the cloud while checking if OSSEC is being used on the host in the cloud. We would like to invite the OSSEC community that is using cloud services to the SecureCloud beta.

SecureCloud provides the following features:

• Access control.
• Security information and event logging for the cloud.
• Control over own security regardless of hosted provider security controls.
• Protection from unauthorized access to data.
• Privacy of data.
• Data portability.
• Adherence to enterprise policy controls.

Sign up today for the beta!

www.trendbeta.com

What is new? We have lots of new features and bug fixes, but these are the main changes:

1. Added daily email summaries/reports. (more info)
2. Added option to alert when a log or command output changes - check_diff. (more info)
3. Added rules to ignore crawlers causing 404s (MSN, Google, Yahoo, etc).
4. Improved ossec-logtest to be used for the forensic analysis of log files (more info)
5. Added support for Microsoft Security Essentials logs.

And a few important bug fixes:

• Fixed a memory leak on the Windows agent that was not properly closing the sockets. It would cause a port exhaustion if the manager becames unavailable
  for a long period of time.
• Fixed performance issue when the FTS queue was too large.

Check out our v2.4 changelog for the complete list of new features and bugs fixed.

Download the new version from http://www.ossec.net/main/downloads

*Special thanks to our contributors Jeremy Rossi, Stephen Kreusch, Scott R. Shinn, Paul Southerington, Dan Parriott and Michael Starks and our beta testers Dan Parriott, Cristian Paul, Tobias Lott and David Dede

Wim Remes spoke about OSSEC at the Fosdem conference. The video of his presentation is on youtube:

 
Iñaki Rodríguez fromvirtualminds.es did a webmeeting about OSSEC in spanish. Slides in PDF:
http://www.virtualminds.es/uploads/charlas/ossec-slides.pdf

 
Wim Remes (yes, he again), wrote about OSSEC for the [IN]SECURE Magazine (2010 February edition):
http://www.net-security.org/insecuremag.php

 
Michael Starks from immutablesecurity.com posted a few interesting blog posts about OSSEC:
Using OSSEC for Encrypted Log Transport
Detecting Sensitive Info with OSSEC

Have you wrote something about OSSEC? Please, let us know and we will add in here.

What is new?

1. Log analysis rules for the Nginx web server
2. Log analysis rules for Suhosin (Hardened PHP)
3. Support for real time file integrity monitoring on Windows systems
4. Support for monitoring the output of commands (process monitoring)
5. And a lot more…

Check out our v2.3 changelog of the complete list of new features and bugs fixed.

Download the new version from http://www.ossec.net/main/downloads

*Special thanks to our contributors Jeremy Rossi, Fabio Paracchini and Michael Starks and our beta testers Dan Parriott, Michael Starks, Timo Vehvilainen and Jeremy Rossi.

From his blog:

As a service to the community and to coincide with my speaking on OSSEC at the Rochester Security Summit, every day during the week of October 25 through October 31, I’ll be posting a new tip on OSSEC based on my years of first-hand experience. These are the tips that make the software more usable for me and hopefully, it will for you, too. Have a tip that has helped you? Be sure to post it in the comments.

Links to the articles:

• Day 1: Detecting World-Writable Files
• Day 2: Detecting New Files
• Day 3: Using Variables
• Day 4: Using Groups
• Day 5: Reusing Rule IDs
• Day 6: Developing a Tuning Strategy
• Day 7: Developing a Workflow

Be sure to check it out to learn more about OSSEC. Thanks Michael for sharing your experience with us.

• Trend OSCE (Office scan) support - We added rules to properly monitor and analyze Trend logs
• Wordpress Monitoring - Wordpress is a popular blogging platform with very little logging by default. We create a plugin to extend its logging capabilities and created rules on OSSEC to monitor it.
• More Logging support - We added support for vpopmail, roundcube, Netscreen IDS and a few more log formats.

And much more… Check out the changelog to see all changes and contributors.

Download it from: http://www.ossec.net/main/downloads .

Special thanks to Aleksander Podsiad, Michael Starks and Dan Parriott for the contributions to this release.

• Centralized configuration - The agent.conf file was introduced to allow granular configuration of the agents directly on the manager side.
• Remote agent restart - Functionality was added to restart the agents remotely using the agent_control tool.
• Real time integrity checking - Real time integrity checking was added to Linux systems.
• New Log Rules Support - We added support for Windows DHCP logs and fixed/improved many of the other rules for different messages.

And much more… Check the changelog to see all changes and contributors.

Download it from: http://www.ossec.net/main/downloads .

Special thanks to Chris Bailes, Matt Goldsberry, phishphreek, Michael Starks, Danny Fullerton, Slava Semushin and Peter Wolanin for helping with this release.

In the open source world some projects have taken on beloved status by their loyal user base. OSSEC is one of them, and for good reason.

For those of you unfamiliar, OSSEC (pronounced Oh-Sec) is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

Over a year and a half ago I was tasked to review OSSEC as a potential acquisition for Third Brigade. I was of course, sufficiently impressed with OSSEC’s capabilities, but I was surprised at the level of respect it had developed in the community. I was curious as to why OSSEC had such a solid reputation.

Recently I have gotten to know the man who literally wrote the book on OSSEC, Andrew Hay. Andrew is a well respected figure in the security community and has authored several security texts in addition to his daily blogs. He thinks, “The key drivers to the product are 1) the cost, 2) the ease to deploy, and 3) the community wrapped around it”.

It’s true, like other popular open source security projects (like Snort), OSSEC has a strong community. Its members get involved by contributing to the wiki, communicating on the mailing-list, and discussing OSSEC on Twitter (where Andrew tries to get anyone who mentions OSSEC to buy his book).

I asked Wim Remes, who recently posted OSSEC in a Nutshell on his blog, and he said OSSEC succeeds because “it’s cross-platform, it’s free (the software is … not the implementation), it’s giga-flexible, it does what it promises to do”. ‘Giga-flexible’, I like that word. I’ll have to trademark it before Wim does! :) These sentiments are shared by many who have given OSSEC a try.

The acclaim for OSSEC extends to the press as well. In ‘07 LinuxWorld named OSSEC the #1 Open Source Security Tool. They explained, “The OSSEC HIDS project has been gaining widespread use and is quickly being deployed within organizations around the world as a method of protecting systems at the host level after attacks have made it past network defenses”. Recently ZDnet also covered OSSEC saying, “Danen singles out OSSEC as a solid, cross-platform tool for intrusion detection”. The OSSEC website has a large list of awards and reviews.

Clearly OSSEC is a solid, cross-platform piece of software at an unbeatable price, but it takes more than that to build a loyal following.

I think the real reason for OSSEC’s success is its creator Daniel Cid, and his roots.

The seeds for OSSEC were planted back when Daniel was a security engineer. He found that in his job he lacked information about the hosts he was protecting and started writing scripts that would give him a better picture of the state of the network. Because Daniel came from an operations background rather than a pure development background, he writes software to solve real problems he actually faced.

Still, it takes more than a problem solver. When I first met Daniel he was working a full time job, OSSEC was a side project. It was clear that he really cared about the project and supporting OSSEC users event if it meant many grueling nights and weekends. Users would send him new log samples to deal with and on his own time Daniel would dissect the logs, create decoders and rank the security relevant events. Daniel answers every email, deals with every bug, and considers every enhancement request. It doesn’t hurt that he’s a genuinely nice guy too!

So OSSEC’s real popularity comes from the fact that it does what users want it to do. That sounds like an incredibly obvious attribute which all software should strive for, but it’s much more attainable when it’s developed by someone who has been there and listens to feedback. This is something to keep in mind for all of the commercial software developers out there, like myself.

We need to walk a mile in the shoes of the end-user and listen when they have feedback.

Because of the positive experiences using OSSEC it continues to grow in popularity. Largely through word of mouth, OSSEC has grown to over 10,000 downloads a month!

Have you tried OSSEC? Maybe you’ll find that you’ll (HEART) OSSEC too.

The status of the next version of the OSSEC web interface is one of the more commonly asked questions on the mailing list and is currently #2 on the community requested feature list (http://ossec.uservoice.com).

While web interfaces are nice to have, many of us suffer from information island overload by having dedicated web interfaces for each application. This is why I was stoked when the syslog ouput feature was announced last summer (http://www.ossec.net/dcid/?p=139) and officially added in version 1.6. Now I can incorporate OSSEC alerts into my SIM/SIEM or log management tool of choice, which not only eliminates the need for a dedicated OSSEC web interface but also allows for simplified incident analysis through aggregation and correlation.

In my environment, we chose Splunk based on its quick search and endless customization. Getting OSSEC alerts into Splunk is a breeze. Just grab the free license version of Splunk, install the Splunk for OSSEC app, and point the OSSEC syslog output to your Splunk server. BAM! Instant wui 0.4.

The Splunk-for-OSSEC application is a community project that was started by myself and Elazar Broad. The initial goal of this application was to provide the same set of reports that can be obtained through ossec-reportd. From there we’ve also added several other useful features:

1. Top rules last 24 hrs
2. Top source IP last 24 hrs
3. Top user last 24 hrs
4. Bruteforce top source IP last 24 hrs
5. OSSEC rules for last hour
6. OSSEC alert levels for last 24 hrs
7. IP Geolocation lookups
8. whois lookups
9. rDNS lookups
10. web attack and bruteforce tags.

Screenshots:

OSSEC and Splunk configuration instructions

More details at the ossec wiki.

1. Inside ossec.conf add a syslog_output block specifying your Splunk system IP address and the port it is listening on:
   

   <syslog_output>
   <server>172.10.2.3</server>
   <port>10002</port>
   </syslog_output>

2. Now you need to enable the syslog_output module and restart OSSEC:
   

   #/var/ossec/bin/ossec-control enable client-syslog
   #/var/ossec/bin/ossec-control restart

3. On the Splunk side, add this stanza to inputs.conf:
   

   $SPLUNK_HOME/etc/system/local/inputs.conf

   [udp://172.10.2.4:10002] #IP address of OSSEC server
   disabled = false
   sourcetype = ossec

   By setting the sourcetype as OSSEC you’re ready to take advantage of the Splunk for OSSEC app which can be found here: http://www.splunkbase.com/apps/All/Security/app:Splunk+for+OSSEC.

4. Make sure you update any local or network firewalls that this communication is traversing and then restart Splunk.
   

   # $SPLUNK_HOME/bin/splunk restart

Splunk:
http://www.splunk.com/download

Splunk-for-OSSEC:
http://www.splunkbase.com/apps/All/Security/app:Splunk+for+OSSEC#

Feedback and feature requests are much appreciated!

If you’ve used the syslog ouput to send alerts to another SIM/SIEM or log management tool, we would love to hear from you so we can add configuration details to the wiki.

On April 29, 2009 Trend Micro announced a definitive agreement to acquire the business of Third Brigade, a privately-held security and compliance software company headquartered in Ottawa, Canada that owns the OSSEC project. The acquisition is subject to customary approvals and is expected to close in the 2nd quarter of 2009.

2. Who is Trend Micro?

Trend Micro Incorporated is a pioneer in secure content and threat management. Founded in 1988, Trend Micro provides individuals and organizations of all sizes with award-winning security software, hardware and services. With headquarters in Tokyo and operations in more than 30 countries, Trend Micro solutions are sold through corporate and value-added resellers and service providers worldwide. For additional information and evaluation copies of Trend Micro products and services, visit our Web site at www.trendmicro.com

.

3. Will OSSEC continue to be an open source project?

Yes. Trend Micro is committed to maintaining OSSEC as an open source project.

4. What impact will this acquisition have on an OSSEC user?

We don’t anticipate there will be any impact on OSSEC users from this acquisition. Like Third Brigade, Trend will help create broader awareness and further ensure the success of this thriving open source community through ongoing dedicated resources and extended support necessary for larger enterprise deployments.

5. Will Trend Micro continue to offer commercial support for OSSEC?

Yes, technical support will continue to be offered via the same two channels:

• Telephone: 8:00 am and 8:00 pm (Eastern Time), Monday to Friday.

• Email: Third Brigade provides an initial response to a customer support request within one business day.

6. How does an OSSEC user buy support?

OSSEC users that would like to purchase support should continue to contact Third Brigade sales, at 1.866.684.7332 or ossec.purchase@thirdbrigade.com.

7. How are OSSEC support requests handled?

Requests for OSSEC support should continue to be directed to Third Brigade Support at 1.866.343.8077, and ossec.support@thirdbrigade.com

Thanks!