[ISN] Open source IDS app gets an update

From: InfoSec News (alerts@private)
Date: Mon Mar 12 2007 - 22:28:45 PST


By Denise Dubie
Network World

IT managers who want to get a handle on their security logs but don't 
have the budget for big-ticket software can check out an updated version 
of the open source, host-based intrusion-detection system OSSEC.

OSSEC Version 1.1 performs log analysis, integrity checking, Windows 
registry monitoring, rootkit detection, time-based alerting and active 
response. Daniel Cid, lead developer and author of OSSEC, says the 
software is both an IDS and a log analysis and correlation tool, 
similar to products in the security event management market.

"The project was created in 2004, but it started to gain a lot of 
attention only at the end of 2005," Cid reports.

Cid this week made available Version 1.1, which he says adds features 
such as e-mail alerting, advanced log analysis and an active response 
mechanism to thwart attackers. This version includes "more advanced 
log-analysis rules for improved correlation and analysis," as well as 
new active response features that use "route null" to block detected 
attackers, he says.

OSSEC uses a client/server model with server software at a central 
location and distributed agent technology on managed devices. The 
software monitors file and directory modifications, provides 
accountability by storing authentication information, and triggers user 
alerts on failed authentication or questionable user additions.
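To make the two checks described above concrete, here is an added illustration in plain Python; it is not OSSEC's own code and does not use OSSEC's rule format. It shows (1) integrity checking, comparing a stored baseline of file hashes against the current state and reporting modified, added or removed files, and (2) log analysis with correlation, raising an alert when one source address produces several failed logins within a short window. The sshd log format, the file contents, the threshold of three failures and the 60-second window are all constructed assumptions for the example.

```python
"""Added illustration of host-based IDS checks (not OSSEC's own code).
All sample files and log lines below are constructed for the example."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime


# --- 1. Integrity checking: baseline of file hashes vs. current state ---
def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """files maps path -> bytes; returns path -> sha256 hex digest."""
    return {path: sha256_of(content) for path, content in files.items()}


def integrity_check(baseline: dict, current: dict) -> list:
    """Return (kind, path) alerts for modified, added or removed files."""
    alerts = []
    for path, digest in baseline.items():
        if path not in current:
            alerts.append(("removed", path))
        elif sha256_of(current[path]) != digest:
            alerts.append(("modified", path))
    for path in current:
        if path not in baseline:
            alerts.append(("added", path))
    return sorted(alerts)


# --- 2. Log analysis with correlation: repeated failed auth per source ---
# Assumed syslog-style OpenSSH failure line; the format is an assumption.
SSHD_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def correlate_failed_logins(lines, threshold=3, window_seconds=60, year=2007):
    """Alert when one source IP reaches `threshold` failures inside a
    `window_seconds` sliding window. Returns (ip, count, first, last)."""
    by_ip = defaultdict(list)
    for line in lines:
        m = SSHD_FAIL.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        by_ip[m.group("ip")].append(ts)
    alerts = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it fits window_seconds
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((ip, end - start + 1, times[start], times[end]))
                break  # one alert per source is enough for the demo
    return alerts


# Constructed sample data (not real systems or addresses).
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/bin/ls": b"ELF-placeholder\n",
}
CURRENT_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n",
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/etc/cron.d/new-job": b"* * * * * root /tmp/job.sh\n",
}
SAMPLE_LOG = [
    "Mar 12 22:10:01 host1 sshd[1001]: Failed password for root from 192.0.2.10 port 4001 ssh2",
    "Mar 12 22:10:05 host1 sshd[1002]: Failed password for invalid user admin from 192.0.2.10 port 4002 ssh2",
    "Mar 12 22:10:20 host1 sshd[1003]: Accepted password for alice from 198.51.100.7 port 5001 ssh2",
    "Mar 12 22:10:31 host1 sshd[1004]: Failed password for root from 192.0.2.10 port 4003 ssh2",
    "Mar 12 22:15:00 host1 sshd[1005]: Failed password for bob from 198.51.100.7 port 5002 ssh2",
]


def run_demo() -> dict:
    return {
        "integrity": integrity_check(build_baseline(BASELINE_FILES), CURRENT_FILES),
        "auth": correlate_failed_logins(SAMPLE_LOG),
    }


if __name__ == "__main__":
    results = run_demo()
    for kind, path in results["integrity"]:
        print(f"integrity: {kind} {path}")
    for ip, n, first, last in results["auth"]:
        print(f"auth: {n} failed logins from {ip} between {first.time()} and {last.time()}")
```

Run as a script, it reports the added cron file, the modified passwd file and the missing ls binary, plus one alert for 192.0.2.10, which fails three times within 30 seconds; the single failure from 198.51.100.7 stays below the threshold. A real deployment would persist the baseline on the central server, as the article's server/agent model does, so that a compromised host cannot rewrite its own reference hashes.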

The software runs on most operating systems, including Linux, OpenBSD, 
MacOS, Solaris and Windows. Users install the software on a server and 
then the agent is deployed on client machines using a Windows 
installation wizard.

"It has a centralized architecture, allowing one central server to 
manage and monitor the logs and integrity data from multiple agents," 
Cid explains. "The server/agent communication is encrypted/compressed so 
it saves a lot of bandwidth and keeps the privacy of the log data in 

The software also allows a local installation for users that are not 
interested in the server/agent architecture or just have one system to 
monitor. This release also adds support for Microsoft IIS 6, Cisco VPN 
concentrator, Cisco PIX VPN AAA, Cisco FWSM and Solaris 10 logs.

OSSEC Version 1.1 is available free for download under the GNU General 
Public License.

Copyright 2007 Network World Inc.


This archive was generated by hypermail 2.1.3 : Mon Mar 12 2007 - 22:37:25 PST