This is a guest article by Justin Foster of DevelopingSecurity.com
In the open source world some projects have taken on beloved status by their loyal user base. OSSEC is one of them, and for good reason.
For those of you unfamiliar, OSSEC (pronounced Oh-Sec) is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
Over a year and a half ago I was tasked to review OSSEC as a potential acquisition for Third Brigade. I was, of course, sufficiently impressed with OSSEC’s capabilities, but I was surprised at the level of respect it had developed in the community. I was curious as to why OSSEC had such a solid reputation.
Recently I have gotten to know the man who literally wrote the book on OSSEC, Andrew Hay. Andrew is a well-respected figure in the security community and has authored several security texts in addition to his daily blogs. He thinks, “The key drivers to the product are 1) the cost, 2) the ease to deploy, and 3) the community wrapped around it”.
It’s true: like other popular open source security projects (such as Snort), OSSEC has a strong community. Its members get involved by contributing to the wiki, communicating on the mailing list, and discussing OSSEC on Twitter (where Andrew tries to get anyone who mentions OSSEC to buy his book).
I asked Wim Remes, who recently posted OSSEC in a Nutshell on his blog, and he said OSSEC succeeds because “it’s cross-platform, it’s free (the software is … not the implementation), it’s giga-flexible, it does what it promises to do”. ‘Giga-flexible’, I like that word. I’ll have to trademark it before Wim does! :) These sentiments are shared by many who have given OSSEC a try.
The acclaim for OSSEC extends to the press as well. In ’07 LinuxWorld named OSSEC the #1 Open Source Security Tool. They explained, “The OSSEC HIDS project has been gaining widespread use and is quickly being deployed within organizations around the world as a method of protecting systems at the host level after attacks have made it past network defenses”. Recently ZDnet also covered OSSEC saying, “Danen singles out OSSEC as a solid, cross-platform tool for intrusion detection”. The OSSEC website has a large list of awards and reviews.
Clearly OSSEC is a solid, cross-platform piece of software at an unbeatable price, but it takes more than that to build a loyal following.
I think the real reason for OSSEC’s success is its creator, Daniel Cid, and his roots.
The seeds for OSSEC were planted back when Daniel was a security engineer. He found that in his job he lacked information about the hosts he was protecting and started writing scripts that would give him a better picture of the state of the network. Because Daniel came from an operations background rather than a pure development background, he writes software to solve real problems he actually faced.
Still, it takes more than a problem solver. When I first met Daniel he was working a full-time job; OSSEC was a side project. It was clear that he really cared about the project and about supporting OSSEC users, even if it meant many grueling nights and weekends. Users would send him new log samples to deal with, and on his own time Daniel would dissect the logs, create decoders and rank the security-relevant events. Daniel answers every email, deals with every bug, and considers every enhancement request. It doesn’t hurt that he’s a genuinely nice guy too!
So OSSEC’s real popularity comes from the fact that it does what users want it to do. That sounds like an incredibly obvious attribute which all software should strive for, but it’s much more attainable when it’s developed by someone who has been there and listens to feedback. This is something to keep in mind for all of the commercial software developers out there, like myself.
We need to walk a mile in the shoes of the end-user and listen when they have feedback.
Because of users’ positive experiences with OSSEC, it continues to grow in popularity. Largely through word of mouth, OSSEC has grown to over 10,000 downloads a month!
Have you tried OSSEC? Maybe you’ll find that you’ll (HEART) OSSEC too.
I (HEART) OSSEC // Jun 19, 2009 at 10:21 am
[...] Read in FULL: I heart OSSEC [...]