I’ve finally found a decent IDS


Linc Fessenden from the Linux Link Tech Show mentioned OSSEC a few weeks ago and recommended everyone check it out. According to the project’s about page:

OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS). It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response.

It runs on most operating systems, including Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows. A list with all supported platforms is available here.

After testing it out on several of my machines, I can officially say it’s exactly what I was looking for in an IDS: something lightweight, cross-platform, and well documented. My setup involved installing it as a local instance on every machine, rather than the centralized config. Viewing the logs for every machine in one place doesn’t really appeal to me. I just need something that will nag me and say, “Hey, Dummy! You misconfigured that install you attempted at 3am. Fix it!” The added benefit of receiving the alerts offsite is that the existing records are stored in my Gmail. Even if someone did manage to root a computer, the logs wouldn’t be on the box and the creator of the kit wouldn’t be able to bury his/her tracks.
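A minimal ossec.conf for the local-mode setup described above (stand-alone install, alerts mailed offsite), added here as an illustration rather than taken from the author's machines or the OSSEC project. The address, hostname and log paths are placeholders, and a local MTA on 127.0.0.1 that authenticates to Gmail is assumed, since OSSEC's own mailer only speaks plain SMTP to a relay.

```xml
<ossec_config>
  <!-- Local (stand-alone) install: no server/agent section, alerts go out by mail -->
  <global>
    <email_notification>yes</email_notification>
    <!-- placeholder recipient; assumed local MTA relays to Gmail over authenticated SMTP -->
    <email_to>you@example.com</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossec@host.example.com</email_from>
    <!-- cap the nagging so a noisy box cannot flood the mailbox -->
    <email_maxperhour>12</email_maxperhour>
  </global>

  <alerts>
    <!-- everything from level 1 is logged locally; only level 7 and up is mailed offsite -->
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <!-- file integrity checking: catches a mangled 3am install or a replaced binary -->
  <syscheck>
    <frequency>7200</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>
    <!-- files that legitimately change all the time -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/resolv.conf</ignore>
  </syscheck>

  <!-- rootkit detection using the signature lists shipped with OSSEC -->
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <!-- log analysis: auth and syslog are where misconfigurations and login failures show up -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>
</ossec_config>
```

Because the mailed copy of each level-7+ alert leaves the host immediately, tampering with /var/ossec/logs afterwards does not erase the record, which is the offsite benefit the post describes.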

My hope is to test the centralized configuration in the future, but for the moment there is no benefit.

This is absolutely what I was looking for in intrusion detection. Go check OSSEC out when you get a chance.
