ISSA Belgium Chapter Meeting: Introduction to OSSEC

Back from the first ISSA Belgium Chapter Meeting of 2010. Today’s topic was “Introduction to OSSEC: Log Analysis and Host Intrusion Detection”. A very interesting topic for me. First, because I’m involved in a lot of SIEM projects. But especially because Wim Remes, the speaker, is a friend of mine.

Wim is a fan of OSSEC. This open-source tool is defined on the web site as “an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.”

Wim chose to split his talk into two big sections. First, a theoretical part, where he explained to the audience why a good log management solution is a must-have for all organizations (whether they have to be compliant or not). Then he dove into the tool and demonstrated the power of OSSEC through examples. Splitting the talk into two distinct sections was the right choice: everybody was able to understand the product (managers as well as executives).

Before this meeting, I had a very limited knowledge of OSSEC. For me, it was “just” an HIDS (“Host-based Intrusion Detection System”). But it can perform much more interesting things! Using simple configuration files, it’s possible to set up basic event correlation. Example:

<rule id="100016" frequency="4" level="10" timeframe="180">
  <if_matched_sid>100015</if_matched_sid>
  <same_source_ip/>
  <description>Multiple snort alerts with the watched ids</description>
</rule>
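
What the rule above expresses, simulated in Python as an added example (not code from the talk, this post, or OSSEC itself): hits of rule 100015 are counted per source IP inside a 180-second window. The event tuples and rule id 100001 are constructed, and the `THRESHOLD` of 4 is an assumption, since the exact number of matches at which OSSEC fires for a given `frequency` value is not stated on the page.

```python
from collections import defaultdict, deque

WATCHED_SID = 100015   # rule referenced by <if_matched_sid> on the page
TIMEFRAME = 180        # seconds, from timeframe="180"
THRESHOLD = 4          # assumption: number of matches needed to fire


def correlate(events, sid=WATCHED_SID, threshold=THRESHOLD, timeframe=TIMEFRAME):
    """Return (timestamp, srcip, count) for each point where the composite
    condition holds: `threshold` hits of `sid` from one source IP whose
    timestamps all fall within `timeframe` seconds."""
    windows = defaultdict(deque)   # srcip -> timestamps of recent hits
    fired = []
    for ts, rule_id, srcip in sorted(events):
        if rule_id != sid:
            continue               # <if_matched_sid>: only the watched rule counts
        win = windows[srcip]       # <same_source_ip/>: one window per source
        win.append(ts)
        while win and ts - win[0] > timeframe:
            win.popleft()          # drop hits older than the timeframe
        if len(win) >= threshold:
            fired.append((ts, srcip, len(win)))
            win.clear()            # simplification: start counting afresh
    return fired


# Constructed sample events: (seconds, matched rule id, source IP)
SAMPLE_EVENTS = [
    (0,    100015, "192.0.2.10"),
    (30,   100015, "192.0.2.10"),
    (45,   100015, "198.51.100.7"),   # different source, separate window
    (60,   100001, "192.0.2.10"),     # constructed unrelated rule, ignored
    (90,   100015, "192.0.2.10"),
    (150,  100015, "192.0.2.10"),     # 4th hit inside 180 s: fires
    (400,  100015, "198.51.100.7"),
    (700,  100015, "198.51.100.7"),
    (1000, 100015, "198.51.100.7"),   # 4 hits in total, but too far apart
]

if __name__ == "__main__":
    for ts, ip, n in correlate(SAMPLE_EVENTS):
        print(f"t={ts}s composite alert: {n} hits of rule {WATCHED_SID} from {ip}")
```

The second source never triggers the composite alert even though it produced four hits, which is the point of the `timeframe` attribute: slow, spread-out events stay at the level of the underlying rule.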

OSSEC is certainly not as performant as a true SIEM solution: it does not integrate retention policies for events, and it does not collect events from a lot of devices. But with the help of other tools, it’s possible to start an interesting log management solution, and for an unbeatable price. Example: the integration of OSSEC & Splunk. And once you have learned how to manage your events, why not switch to a real SIEM product?

Given the high number of questions asked during and after the presentation, it was really a nice topic! Well done Wim! I suppose that the slides will be available on SlideShare soon.

One comment

  1. Xavier,

    thanks for the blogpost 🙂

    Yes, I will put the slides on slideshare at http://www.slideshare.net/wremes . The talk I gave at Excaliburcon last year is already on there.

    Again, thanks for your presence. It’s always a pleasure to see you and really, such an interactive audience can save the worst talk in the world 😉

    Cheers,

    Wim
