Review: Instant OSSEC Host-Based Intrusion Detection System

OSSEC Host-based Intrusion Detection nsystemThe guys from Packt Publishing asked me to review a new book from their “Instant” collection: “OSSEC Host-Based Intrusion Detection“. This collection proposes books with less than 100 pages about multiple topics. The goal is to go straight forward to the topic. OSSEC being one of my favorite application, I could not miss this opportunity! The book author is Brad Lhotsky, a major contributor to the OSSEC community. Amongst the list of reviewers, we find JB Cheng, the OSSEC project manager responsible for OSSEC releases. It is a guarantee of quality for the book!

Writing a book about OSSEC is a challenge! The topic of log management and SIEM is so large. Brad’s approach was to present some quick examples which explain how OSSEC works and, most important, leave open doors to more ideas to expand the usage of the tool. A good idea in the table of contents, all chapters are tagged with a level (simple, intermediate or advanced). With a classic approach, the first chapters address the deployment of an OSSEC solution: from the installation (from the source tree or packages) to the configuration of agents.

Then, the author dives into the core features of OSSEC: decoders and rules. Decoders are used to parse the log files and extract useful information like program name, IP addresses, application codes, users. Alerts are generated via a set of rules (some simple, other more complex). With all components put together, the author demonstrates how to catch a classic attack: Detecting a SSH brute-force attack. In the other chapters, the following features are reviewed:

  • File integrity monitoring
  • Monitoring command output
  • Rootkit detection
  • Active-response

All those chapters have the same structure with the following organization: “Getting ready” (how to prepare your environment), “How to do it” (how to configure OSSEC to achieve this), “How is works” (a clear description of the process) and “There’s more” (extra features or ideas if you need to investigate this topic deeper).

The book is a quick read and give a very good introduction of OSSEC. It is targeting “techies” who need to deploy a log management solution. It is not intended for managers who need an introduction to log management. Even if I’m using OSSEC daily, I wrote down some ideas and keywords during my reading! To conclude, the book is a very good introduction but be warned: Once you read it, it will take (quite some) time to have an optimized OSSEC infrastructure! Collecting and processing logs is time consuming..

9 comments

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.