OSSEC

OSSEC
Developer(s)	Daniel B. Cid et al.
Stable release	3.7.0 / 17 January 2022;2 years ago
Repository	github.com/ossec/ossec-hids ;
Written in	C
Operating system	Cross-platform
Type	Security / HIDS
License	GNU GPL v2
Website	www.ossec.net

Last updated November 20, 2024

OSSEC (Open Source HIDS SECurity) is a free, open-source host-based intrusion detection system (HIDS). It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response. It provides intrusion detection for most operating systems, including Linux, OpenBSD, FreeBSD, OS X, Solaris and Windows. OSSEC has a centralized, cross-platform architecture allowing multiple systems to be easily monitored and managed.^[2] OSSEC has a log analysis engine that is able to correlate and analyze logs from multiple devices and formats.^[3]

History

In June 2008, the OSSEC project and all the copyrights owned by Daniel B. Cid, the project leader, were acquired by Third Brigade, Inc. They promised to continue to contribute to the open source community and to extend commercial support and training to the OSSEC open source community.

In May 2009, Trend Micro acquired Third Brigade and the OSSEC project, with promises to keep it open source and free.

In 2018, Trend released the domain name and source code to the OSSEC Foundation.

The OSSEC project is currently maintained by Atomicorp who stewards the free and open source version and also offers a commercial version.

Characteristics

OSSEC consists of a main application, an agent, and a web interface.^[4]

Manager (or server), which is required for distributed network or stand-alone installations.
Agent, a small program installed on the systems to be monitored.
Agentless mode, can be used to monitor firewalls, routers, and even Unix systems.

Features

Log based Intrusion Detection (LID): Actively monitors and analyzes data from multiple log data points in real-time.
Rootkit and Malware Detection: Process and file level analysis to detect malicious applications and rootkits.
Active Response: Respond to attacks and changes on the system in real time through multiple mechanisms including firewall policies, integration with 3rd parties such as CDN's and support portals, as well as self-healing actions.
Compliance Auditing: Application and system level auditing for compliance with many common standards such as PCI-DSS, and CIS benchmarks.
File Integrity Monitoring (FIM): For both files and windows registry settings in real time not only detects changes to the system, it also maintains a forensic copy of the data as it changes over time.
System Inventory: Collects system information, such as installed software, hardware, utilization, network services, listeners and other information.^[2]

Related Research Articles

An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically either reported to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software. The term rootkit is a compound of "root" and the word "kit". The term "rootkit" has negative connotations through its association with malware.

A host-based intrusion detection system (HIDS) is an intrusion detection system that is capable of monitoring and analyzing the internals of a computing system as well as the network packets on its network interfaces, similar to the way a network-based intrusion detection system (NIDS) operates. HIDS focuses on more granular and internal attacks through focusing monitoring host activities instead of overall network traffic. HIDS was the first type of intrusion detection software to have been designed, with the original target system being the mainframe computer where outside interaction was infrequent.

rkhunter is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in online databases, searching for default directories, wrong permissions, hidden files, suspicious strings in kernel modules, and special tests for Linux and FreeBSD. rkhunter is notable due to its inclusion in popular operating systems

In the field of computer network administration, pcap is an application programming interface (API) for capturing network traffic. While the name is an abbreviation of packet capture, that is not the API's proper name. Unix-like systems implement pcap in the libpcap library; for Windows, there is a port of libpcap named WinPcap that is no longer supported or developed, and a port named Npcap for Windows 7 and later that is still supported.

Security testing is a process intended to detect flaws in the security mechanisms of an information system and as such help enable it to protect data and maintain functionality as intended. Due to the logical limitations of security testing, passing the security testing process is not an indication that no flaws exist or that the system adequately satisfies the security requirements.

Argus – the Audit Record Generation and Utilization System is the first implementation of network flow monitoring, and is an ongoing open source network flow monitor project. Started by Carter Bullard in 1984 at Georgia Tech, and developed for cyber security at Carnegie Mellon University in the early 1990s, Argus has been an important contributor to Internet cyber security technology over its 30 years..

Open Source Tripwire is a free software security and data integrity tool for monitoring and alerting on specific file change(s) on a range of systems originally developed by Eugene H. Spafford and Gene Kim. The project is based on code originally contributed by Tripwire, Inc. in 2000. It is released under the terms of GNU General Public License.

Database security concerns the use of a broad range of information security controls to protect databases against compromises of their confidentiality, integrity and availability. It involves various types or categories of controls, such as technical, procedural or administrative, and physical.

Zeek is a free and open-source software network analysis framework. Vern Paxson began development work on Zeek in 1995 at Lawrence Berkeley National Lab. Zeek is a network security monitor (NSM) but can also be used as a network intrusion detection system (NIDS). The Zeek project releases the software under the BSD license.

Log management is the process for generating, transmitting, storing, accessing, and disposing of log data. A log data is composed of entries (records), and each entry contains information related to a specific event that occur within an organization’s computing assets, including physical and virtual platforms, networks, services, and cloud environments.

Prelude SIEM is a Security information and event management (SIEM).

OpenBSD is a security-focused, free software, Unix-like operating system based on the Berkeley Software Distribution (BSD). Theo de Raadt created OpenBSD in 1995 by forking NetBSD 1.0. The OpenBSD project emphasizes portability, standardization, correctness, proactive security, and integrated cryptography.

Cisco Security Monitoring, Analysis, and Response System (MARS) was a security monitoring tool for network devices. Together with the Cisco Security Manager (CSM) product, MARS made up the two primary components of the Cisco Security Management Suite.

In computing, a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted network and an untrusted network, such as the Internet.

Security information and event management (SIEM) is a field within computer security that combines security information management (SIM) and security event management (SEM) to enable real-time analysis of security alerts generated by applications and network hardware. SIEM systems are central to security operations centers (SOCs), where they are employed to detect, investigate, and respond to security incidents. SIEM technology collects and aggregates data from various systems, allowing organizations to meet compliance requirements while safeguarding against threats.

Tiger is a security software for Unix-like computer operating systems. It can be used both as a security audit tool and a host-based intrusion detection system and supports multiple UNIX platforms. Tiger is free under the GPL license and unlike other tools, it needs only of POSIX tools, and is written entirely in shell language.

Sagan is an open source (GNU/GPLv2) multi-threaded, high performance, real-time log analysis & correlation engine developed by Quadrant Information Security that runs on Unix operating systems. It is written in C and uses a multi-threaded architecture to deliver high performance log & event analysis. Sagan's structure and rules work similarly to the Sourcefire Snort IDS/IPS engine. This allows Sagan to be compatible with Snort or Suricata rule management softwares and give Sagan the ability to correlate with Snort IDS/IPS data.

Comparison of host-based intrusion detection system components and systems.

References

↑ "Release 3.7.0". 17 January 2022. Retrieved 25 October 2022.
1 2 "About". OSSEC Project Team. 2017. Retrieved 2018-05-10.
↑ "Log Samples". OSSEC Project Team. 2017. Retrieved 2018-05-10.
↑ "OSSEC Architecture". OSSEC Project Team. 2017. Retrieved 2018-05-10.

External links

Official website

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[wikidata-c1b79be2f557e68b56da5a41bdd396cf445374ce-v18-1] "Release 3.7.0". 17 January 2022. Retrieved 25 October 2022.

[:0-2] 1 2 "About". OSSEC Project Team. 2017. Retrieved 2018-05-10.

[3] "Log Samples". OSSEC Project Team. 2017. Retrieved 2018-05-10.

[4] "OSSEC Architecture". OSSEC Project Team. 2017. Retrieved 2018-05-10.

[1]

[2]

[3]

[4]