
OSSEC Host-Based Intrusion Detection Guide

Rory Bray, Daniel Cid and Andrew Hay

Service provider takeaway: Open Source Security (OSSEC) is a commonly used host-based intrusion detection system (HIDS) that detects unauthorized activity on an individual computer. This section of the chapter excerpt from the book OSSEC Host-Based Intrusion Detection Guide provides an introduction to host-based OSSEC.

Simran Singh looks at her watch in disgust as she leaves the meeting room. "I told Bob this would happen," she says calmly to Marty Feldman, her second in command and confidant. "But did they listen? Now I have to somehow try to install safeguards on all our systems with what's left of our department's budget."

Simran rose through the ranks of North America's premier defense company due to her mix of business savvy, security knowledge, and track record for solving impossible problems. She is known throughout the company for never having to ask for more money than her department is allocated. Simran is also the most respected security mind in the company. During her first week, she was immediately assigned to the incident handling team responsible for a companywide worm outbreak. Her superiors were so impressed by the way she operated that, before long, she was leading the teams of handlers for all the critical incidents in the organization. Within two years, she was head of the department and continued to prove herself by reducing enterprise-wide incidents by 66%.

It was no surprise to her employees, peers, and senior managers when she was unanimously nominated for the recently vacated Chief Information Security Officer (CISO) position. Although Simran would prefer to receive the promotion under less hostile circumstances, she completely understands why outgoing CISO Bob Rogers is no longer a viable option to continue in the role. Bob spent most of his time on the golf course instead of listening to the department's warnings about difficult-to-protect network entry points. His failure to listen to his team was his downfall. The completely preventable breach, which resulted in the theft of top-secret ballistic missile guidance software, cost the company its largest contract in 10 years and damaged its reputation with all existing customers.

"What's the plan, boss?" Marty asked Simran, already knowing that her mind was spinning and formulating a plan of attack.

"Well, we used our entire budget on those redundant perimeter firewalls and intrusion prevention systems to help mitigate denial of service attacks," mused Simran.

"So we have a hard candy shell and a soft, chewy center?" laughed Marty.

"And we're all out of money for nougat!" exclaimed Simran.

"What about that open source HIDS tool we saw on the SANS Institute webinar a few weeks back?" asked Marty. "Do you think that would do the trick?"

Simran remembered that OSSEC sounded like a very capable and feature-rich HIDS, and had jotted some notes in her notebook to follow up on at a later time. "Good idea, Marty," said Simran, thinking that this was the exact reason why you should always surround yourself with smart people. Smart people come up with creative ideas, and creative ideas must be considered. "Can you do some further investigation into this OSSEC application and get back to me by the end of the week?"

Marty looked at his smartphone and noted that it was already Thursday. Marty didn't miss a beat and simply answered, "Can do, boss!" Marty knew that the end of this week was a hard deadline. He had worked for Simran long enough to know when something was important enough to be asked to pull an all-nighter. As Marty exited the elevator he thought, "If I can't get this done by Friday, there might be another witch hunt upstairs next week." Marty chuckled under his breath, "If I don't play my cards right, then I might be promoted next." Never had the thought of a promotion had such ominous overtones.

"Boss! Boss!!" Marty yelled as he ran across the lobby toward Simran.

"Have you been here all night?" asked Simran, already knowing the answer. Marty was unshaved, wearing yesterday's clothes, and had enough caffeine in him that he could probably fly around the world a few times on his own power.

"Of course I've been here all night!" raced Marty. His eyes were blinking faster than his lips were moving. Simran laughed and wondered if he was trying to use his eyes to explain his findings using Morse code at the same time he was talking to her.

"I listened to the webcast again, went to the OSSEC Web site, downloaded the software, read the documentation, joined the mailing list, and then searched the mailing list archives, and you know what?" Marty said, his mouth starting to get dry, and seemingly waiting for a response.

"What, Marty?" asked Simran.

"Hey! It's raining out?" asked Marty, staring past Simran.

Simran snapped her fingers. "Stay on target, stay on target," said Simran, knowing Marty would appreciate the Star Wars reference.

"Ha! Sorry, running on fumes here!" exclaimed Marty. "There are quite a few OSSEC deployments out there and lots of people are using the deployments in an enterprise environment. Even some Telco-sized organizations have deployed OSSEC on thousands of machines and couldn't be happier with it and they say that scalability isn't a problem, which we are always worried about because we're a huge company and we're starting to grow and our number of systems is growing exponentially, am I right or what? Boy I could use a coffee." Simran handed her latte to Marty. "Cheers!" exclaimed Marty, taking a huge gulp.

"Will it work in a mixed environment?" asked Simran.

"Totally! It works on Windows, Linux, Unix, Solaris, OS X, and a bunch of others!" yelled Marty, oblivious to the stares he was drawing from others in the lobby.

"Indoor voice, Marty," said Simran. "So you've already installed it on some test servers, I assume?"

Marty took another chug of his newly acquired latte, "Fifty or so…wait…maybe sixty-five…no fifty-five…sixty, definitely sixty!"

Simran couldn't believe it. "That's quite the deployment for a test bed."

Marty shrugged. "I had the time." He laughed. "It only took about five minutes per machine, which gave me plenty of time to tunnel into my boxes at home and install it on them as well. I guess that makes the total count sixty-five, if we include my systems."

Simran smiled. "Marty, I think we've done it again. Let's have these systems run over the weekend and I'll draft a proposal to present on Monday. If all goes well," winked Simran, "we'll be deploying on our production servers in no time at all."


OSSEC Host-Based Intrusion Detection Guide
  Introduction
  Downloading OSSEC HIDS
  Performing local installation
  Performing server agent installations
  Installing the Windows agent
  Streamlining the installations
  Summary and FAQs

About the book

OSSEC Host-Based Intrusion Detection Guide is specifically devoted to Open Source Security (OSSEC) and is a comprehensive and exhaustive guide to the often complicated procedures of installing and implementing such intrusion detection software. Purchase the book from Syngress Publishing.

Printed with permission from Syngress, a division of Elsevier. Copyright 2008. "OSSEC Host-Based Intrusion Detection Guide" by Rory Bray, Daniel Cid and Andrew Hay. For more information about this title and other similar books, please visit www.elsevierdirect.com.


This was first published in August 2008
