OSSEC

OSSEC is a free, open source host-based intrusion detection system (IDS). It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting and active response. It provides intrusion detection for most operating systems, including Linux, OpenBSD, FreeBSD, Mac OS X, Solaris and Windows. It has a centralized, cross-platform architecture that allows multiple systems to be monitored and managed from one place. It was written by Daniel B. Cid and made public in 2004.

Features were added to OSSEC to meet certain requirements of the Payment Card Industry Data Security Standard (PCI DSS). The details are documented in a PDF provided by the OSSEC project.

In June 2008 the OSSEC project and all the copyright owned by the project leader, Daniel B. Cid, were acquired by Third Brigade, Inc. They promised to continue to contribute to the open source community and to extend commercial support and training to the OSSEC open source community.

In May 2009 Trend Micro acquired Third Brigade and the OSSEC project, with promises to keep it open source and free.
Software Components

OSSEC consists of a main application, a Windows agent, and a web interface software component.

- Main Application: The main application, OSSEC, is required for distributed network or stand-alone installations. It is supported on Linux, Solaris, BSD, and Mac environments.
- Windows Agent: The Windows Agent is provided for Microsoft Windows environments. An installation of the main application configured for server mode is required to support the Windows Agent.
- Web Interface: A separate web interface application provides a graphical user interface. Like the main application, it is supported on Linux, Solaris, BSD, and Mac environments.
Capabilities

OSSEC has a very strong log analysis engine, able to correlate and analyze logs from multiple devices and formats. The following log sources are currently supported:

- Unix-only:
  - Unix PAM
  - sshd (OpenSSH)
  - Solaris telnetd
  - Samba
  - Su
  - Sudo
- FTP servers:
  - ProFTPd
  - Pure-FTPd
  - vsftpd
  - Microsoft FTP Server
  - Solaris ftpd
- Mail servers:
  - Imapd and pop3d
  - Postfix
  - Sendmail
  - vpopmail
  - Microsoft Exchange Server
- Databases:
  - PostgreSQL
  - MySQL
- Web servers:
  - Apache HTTP Server (access log and error log)
  - IIS web server (NCSA and W3C extended)
  - Zeus Web Server errors log
- Web applications:
  - Horde IMP
  - SquirrelMail
  - Modsecurity
- Firewalls:
  - Iptables firewall
  - Solaris IPFilter firewall
  - AIX ipsec/firewall
  - Netscreen firewall
  - Windows Firewall
  - Cisco PIX
  - Cisco FWSM
  - Cisco ASA
- NIDS:
  - Cisco IOS IDS/IPS module
  - Snort IDS (snort full, snort fast and snort syslog)
- Security tools:
  - Symantec AntiVirus
  - Nmap
  - Arpwatch
  - Cisco VPN Concentrator
- Others:
  - Named (BIND)
  - Squid proxy
  - Zeus eXtensible Traffic Manager
- Windows event logs (logins, logouts, audit information, etc.)
- Windows Routing and Remote Access logs
- Generic unix authentication (adduser, logins, etc.)
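The log analysis engine described above works in two stages: decoders pull fields (program, user, source address) out of raw log lines in each supported format, and rules then match the decoded events, including frequency rules that correlate repeated events from one source within a time window to raise a higher-severity alert. The following Python program is an added illustration of that model and is not OSSEC's own code; its decoders, rule ids, alert levels and sample log lines are all constructed for the example.

```python
"""Simplified HIDS log analysis in the decoder-plus-rules style used by OSSEC.
Illustrative example only: decoders, rule ids, levels and sample log lines
are constructed for this demonstration, not taken from OSSEC."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not captured from a real system).
SAMPLE_LOG = """\
Mar  1 10:00:01 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2
Mar  1 10:00:03 host1 sshd[2102]: Failed password for root from 203.0.113.5 port 4023 ssh2
Mar  1 10:00:04 host1 sshd[2103]: Failed password for root from 203.0.113.5 port 4024 ssh2
Mar  1 10:00:09 host1 sshd[2104]: Accepted publickey for deploy from 198.51.100.7 port 5100 ssh2
Mar  1 10:00:12 host1 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
Mar  1 10:00:15 host1 sshd[2105]: Failed password for root from 203.0.113.5 port 4025 ssh2
"""

# Stage 1a: generic syslog header -> timestamp, host, program, message.
SYSLOG_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^\[:]+)(?:\[\d+\])?:\s+(.*)$")

# Stage 1b: program-specific decoders, name -> (program, regex with named fields).
DECODERS = {
    "sshd-failed": ("sshd", re.compile(
        r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<srcip>\S+)")),
    "sshd-accepted": ("sshd", re.compile(
        r"Accepted \S+ for (?P<user>\S+) from (?P<srcip>\S+)")),
    "sudo": ("sudo", re.compile(
        r"(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)")),
}

# Stage 2: rules. A rule with "frequency"/"timeframe" only fires once that many
# matching events from the same source address arrive within the window.
RULES = [
    {"id": 100001, "level": 5, "decoder": "sshd-failed",
     "description": "SSHD authentication failed"},
    {"id": 100002, "level": 10, "decoder": "sshd-failed",
     "description": "SSHD brute force (repeated failures from one source)",
     "frequency": 4, "timeframe": 60},
    {"id": 100003, "level": 3, "decoder": "sshd-accepted",
     "description": "SSHD authentication success"},
    {"id": 100004, "level": 3, "decoder": "sudo",
     "description": "Successful sudo to another user"},
]


def decode(line, year=2024):
    """Return a dict of decoded fields for a recognised line, else None.
    Syslog timestamps carry no year, so one is assumed (constructed default)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, host, prog, msg = m.groups()
    when = datetime.strptime(re.sub(r"\s+", " ", ts), "%b %d %H:%M:%S").replace(year=year)
    for name, (program, rx) in DECODERS.items():
        if prog != program:
            continue
        dm = rx.search(msg)
        if dm:
            return {"time": when, "host": host, "decoder": name, **dm.groupdict()}
    return None


def analyze(log_text):
    """Run every rule over every decoded event and return the alerts raised."""
    alerts = []
    history = defaultdict(list)  # (rule id, srcip) -> recent event timestamps
    for line in log_text.splitlines():
        ev = decode(line)
        if ev is None:
            continue
        for rule in RULES:
            if rule["decoder"] != ev["decoder"]:
                continue
            if "frequency" in rule:
                key = (rule["id"], ev.get("srcip"))
                window_start = ev["time"] - timedelta(seconds=rule["timeframe"])
                history[key] = [t for t in history[key] if t >= window_start] + [ev["time"]]
                if len(history[key]) < rule["frequency"]:
                    continue
                history[key].clear()  # report one burst once, then start counting again
            alerts.append({"rule": rule["id"], "level": rule["level"],
                           "description": rule["description"], "host": ev["host"],
                           "srcip": ev.get("srcip"), "user": ev.get("user")})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"Rule {a['rule']} (level {a['level']}) on {a['host']}: "
              f"{a['description']} user={a['user']} src={a['srcip']}")
```

Each failed login raises the low-level rule on its own; the fourth failure from the same source inside the 60-second window additionally raises the level-10 correlation alert, which is the kind of event a practitioner would route to active response rather than just the alert log.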