OSSEC is an open source host-based intrusion detection system (HIDS). It analyses log files, checks the integrity of system files in real time, detects rootkits and can raise alerts or trigger active responses when something on a host changes, which is what makes it a reliable guard against intrusions. It runs on multiple platforms, including Windows and Linux, and a single OSSEC server can centrally manage many agents running different operating systems. Its developer, Daniel B. Cid, released it publicly in May 2004.
The ability to manage a large network and check systems in real time is what makes it popular with companies that transact online. They need a higher level of security and, above all, a constant check on every system for changes that could open loopholes later.
In mid-2008 the main OSSEC development project was taken over by Third Brigade Inc. The company promised to keep the project open source while offering commercial licences and support to corporate clients. In 2009 Third Brigade was itself acquired by Trend Micro, a big name in the security market. The policies remained unchanged and the program continued as an open source project under the GPL. The source is still available to open source developers on the official OSSEC website.
OSSEC Major Components
There are three major software components/modules of the main OSSEC application. These are:
OSSEC Main Application:
This is the server (manager) together with the agent for Unix-like hosts, and it is required for every installation in a distributed network architecture. It runs on Linux distributions such as Debian and Ubuntu, on macOS, BSD and Solaris.
OSSEC Windows Agent:
As the name suggests, this module is installed on Windows-based operating systems. Windows hosts can only act as agents: the server runs the main application, and each Windows client runs the Windows agent, which reports its logs and integrity-check results to that server.
OSSEC Web UI:
This is a separate web-based graphical user interface for browsing the alerts and integrity-check results the server has collected. It is installed alongside the main application on the server and reads the same alert files.
Creating Custom Rules OSSEC
There is no doubt that the program can efficiently manage all the major logs and keep a tab on every triggered event, but you have to tell it which files to watch. If, for example, an application writes its own trace log, that path has to be added to the ossec.conf file. The configuration defines a few elements (log_format and location inside a localfile block) with which the monitoring can be extended to any log you need.
Open the ossec.conf file and, before the closing ossec_config tag, add a localfile entry for each log, naming its format and its path.
The available values for log_format are: syslog, snort-full, snort-fast, squid, iis, mysql_log, postgresql_log, nmapg, apache and, on Windows, eventlog. Log file names that contain the date can be written with strftime-style variables in the location element (the same % codes the date command accepts, such as %Y, %m and %d), so the current day's file is always the one being read. For more detail read the manual carefully.
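As an added example (not code from the original page or from the OSSEC project), here are the kinds of localfile entries the paragraphs above describe. The paths are assumptions for illustration: an application trace log in syslog style, a date-stamped Apache access log whose name uses strftime variables, and a Snort alert file.

```xml
<!-- Added example: extra <localfile> entries for /var/ossec/etc/ossec.conf.
     They go inside <ossec_config>, before its closing tag.
     All file paths below are assumed for illustration. -->
<ossec_config>
  <!-- application trace log written in plain syslog style -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/myapp/trace.log</location>
  </localfile>

  <!-- Apache access log rotated by date: %Y-%m-%d is expanded by OSSEC
       with strftime, so today's file is always the one being followed -->
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access-%Y-%m-%d.log</location>
  </localfile>

  <!-- Snort's full alert file, so NIDS alerts are correlated with host events -->
  <localfile>
    <log_format>snort-full</log_format>
    <location>/var/log/snort/alert</location>
  </localfile>
</ossec_config>
```

After saving the file, restart OSSEC with /var/ossec/bin/ossec-control restart. The log collector starts reading each file from its current end, so existing history is not re-read; only lines written after the restart produce alerts.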
OSSEC Custom Decoders
To parse log files the application uses decoders. It searches for the appropriate decoder and then extracts fields such as the user and source IP from each log line. The stock decoders are defined in the decoder.xml file under the "/var/ossec/etc/" path.
Always keep custom decoders as simple as possible, and do not add them to the stock decoder.xml: put them in local_decoder.xml in the same directory, which is kept across upgrades while decoder.xml is replaced, and which recent OSSEC releases load alongside the stock file. A malformed decoder can prevent the analysis daemon from starting, so test it first. Also remember to restart OSSEC (/var/ossec/bin/ossec-control restart) after the change, or it will ignore the new decoders until its next restart.
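As an added example that is not part of the original page or of the OSSEC distribution: a minimal custom decoder for a hypothetical application trace log, together with the local rules that alert on it. The application name (myapp), its line format, the decoder and rule names, and the rule IDs are all assumptions; the only constraint is that custom rule IDs stay in the 100000-119999 range reserved for local rules.

```xml
<!-- Added example (assumed application, assumed line format).
     Constructed sample line, as it would arrive through syslog:
       Jan 10 12:00:01 web1 myapp: login failed user=alice from=10.0.0.5
     OSSEC's syslog handling strips the timestamp and host and sets
     program_name to "myapp"; the decoders below handle the remainder. -->

<!-- /var/ossec/etc/local_decoder.xml -->
<decoder name="myapp">
  <program_name>^myapp</program_name>
</decoder>

<decoder name="myapp-login">
  <parent>myapp</parent>
  <prematch>^login </prematch>
  <!-- OSSEC regex dialect: \w word chars, \S non-space, \d digits;
       a bare "." is a literal dot, so the IP pattern needs no escaping -->
  <regex offset="after_prematch">^(\w+) user=(\S+) from=(\d+.\d+.\d+.\d+)$</regex>
  <order>action, user, srcip</order>
</decoder>

<!-- /var/ossec/rules/local_rules.xml -->
<group name="myapp,">
  <!-- base rule: any line the myapp decoder handled; level 3 is informational -->
  <rule id="100100" level="3">
    <decoded_as>myapp</decoded_as>
    <description>myapp: event logged.</description>
  </rule>

  <!-- a single failed login is low severity -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <action>failed</action>
    <description>myapp: failed login.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- five failures from the same source IP within 120 seconds
       is treated as a brute-force attempt -->
  <rule id="100102" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <same_source_ip />
    <description>myapp: multiple failed logins from the same source IP.</description>
    <group>authentication_failures,</group>
  </rule>
</group>
```

Check the decoder before restarting: run /var/ossec/bin/ossec-logtest, paste the sample line, and it prints the decoder that matched, the extracted fields (action, user, srcip) and the rule that fired. The rules section of ossec.conf must include local_rules.xml, which the installer adds by default.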
OSSEC Manual, White papers and Tutorials
You can download the manual from the official support page. White papers are also available, along with some very good tutorials written by the developers. Since the program is open source you will find all kinds of help on the support forum; if you are a licensed user, contact the vendor for further support options.
OSSEC vs Snort
It has been debated for so long that I just don't care anymore. The basic principles of these two tools are totally different and their detection approaches differ greatly: Snort is a network-based intrusion detection system, whereas OSSEC is a host-based one. Whichever you run, make sure that only the local OSSEC server is permitted to upgrade or change OSSEC's files on the host.
For better security I would advise the reader to use both. Snort is more efficient as a watchdog on the network, whereas OSSEC can monitor events on each host in a more customised way. The best option is to feed Snort's alert log into OSSEC as well (it supports the snort-full and snort-fast log formats), so that OSSEC correlates network and host events, rather than having only one of them installed on your system.
OSSEC is available for download in two versions, free and licensed. You can download the free version from the official Trend Micro download page. For an OSSEC authentication key you need to order it through the Trend Micro online client portal.
Install and uninstall OSSEC
The installation instructions are easy to follow. Run the install.sh script and accept the default local configuration it prompts for. By default the installation directory is "/var/ossec", and you can adjust the configuration afterwards by editing the ossec.conf file in its "etc" directory.
Uninstalling OSSEC is just as simple: run the uninstall script. Just remember to back up ossec.conf beforehand if you have customised it, together with the local_rules.xml and local_decoder.xml files that hold your custom rules and decoders. Put those files back when you reinstall OSSEC and your rules and custom decoders will be loaded again.