Monday, November 19, 2012

OSSEC 2.7 Released

Go straight to Download page!

OSSEC 2.7 key features:

  1. Installation
    • Add hybrid mode – allows the same host to be both a server and an agent, useful for multi-tier OSSEC deployment.
    • Add  manage_agents -f option for bulk generation of client keys from an input file.
    • During Agent installation, allow the OSSEC server to be specified using hostname instead of IP.
  2. Syscheck
    • Add prelinking support – reduce confusion when a file change is the result of prelinking.
  3. Rootcheck
    • Add fine-grained configuration control – allows you to turn ON/OFF individual rootcheck tasks for more efficiency and flexibility. The default is all ON.
  4. Log monitoring/analysis
    • Add GeoIP lookup support – allows geographical city names to be associated with IP addresses in OSSEC alerts, for more intelligent correlation.
  5. Alert options and syslog output
    • Add syscheck MD5/SHA1 sum to alerts for easier integration with third-party file signature checking.
    • Support JSON and Splunk formats in syslog output.
  6. Rules and other notable changes/fixes
    • Windows 2000 logs support has been deprecated (but will probably still work fine). Vista and Windows Server 2008 logs are now officially supported.
    • Windows registry syscheck alert level has been reduced from 7 to 5 to reduce unnecessary noise from alerts which do not indicate a compromise.
    • Update decoders include: PIX, auditd, apache, pam, php.
    • Many updated rules, such as new checks for vulnerable web apps exploitation attempts.
    • Update rootcheck rules.
    • now allows for ‘reload’, in addition to ‘restart’
    • Many bug fixes…
  7. LICENSE text updated by adding exception clause for OpenSSL, while OSSEC is still under GPLv2

Friday, July 27, 2012

So You Want to Help OSSEC Development

Here is a list of tasks/areas you can help. The next release will be 2.7, focusing on bug fixes and small enhancements. Bigger enhancements are deferred for future release, marked as 3.0 for now. 'Doc' marks the areas for documentation. You can volunteer for any items marked with (TBD). 

  1. Bugs / enhancement requests
    • a) Document the current development process (jbcheng).
    • b) 2.7 - Release Coordinator (jbcheng)
    • c) 2.7 - BitBucket existing open issues prioritization (DONE mstarks01)
    • d) 2.7 - Work on one or more of the open issues (DONE,
    • e) 2.7 - Beta test volunteers (ALL Sep. 12 - Oct. 12, 2012) 
    • f) Anyone can submit new bugs/enhancement requests to BitBucket jbcheng repository, or to ossec-dev Google group.
    • g) 3.0 - An auto regression framework to make sure bug fixes do not break existing functionality (TBD). 
  2. Rules tuning - to reduce the noise level 
    • a) 2.7 - Linux rules are OK in general; but Windows rules can be tuned to reduce the number of alerts by default (Some adjustments have been done in v2.7-beta).
    • b) 2.x - Further gathering of feedback and adjustment of Windows rules. By default, email alerts should be meaningful and actionable (stay consistent and informative) while the rest can be viewed in a GUI (TBD).
    • c) 2.7 - To test whether the <do_not_group> configuration option for putting multiple alerts in one email works as expected or not (TBD).
    • d) 3.0 - Suggestion to tie rule alert levels with business risk factor for different assets, so non-critical assets do not trigger email notifications.
    • e) 3,0 - Suggestions to tie alert levels with different group characteristics. For example, admin group vs. normal groups.
  3. OSSEC deployment – Key exchange
    • a) Doc - Before ‘authd’ was available, deploying lots of OSSEC agents was very time consuming. ‘authd’ works on Linux, but some users experienced problems on Windows. Please write a success story of deploying Windows agents using ‘authd’ (TBD).
    • b) Doc - Write a success story of using Puppet for deploying OSSEC on Unix systems (TBD). 
    • c) Doc - Write a success story of using OCS-ng for OSSEC mass deployment (TBD). 
    • d) 3.0 - Making Windows Agent MSI build so users can leverage Active Directory group policy for Windows agent deployment (mstarks01)
    • e) 2.7 - RPM and other installation packages (TBD)
    • f) 3.0 - Make mass deployment easy. It should “just work” (TBD).
  4. More frequent Rule and Decoder Updates 
    • a) 3.0 - Current OSSEC rules are coupled with OSSEC releases. By decoupling them it will allow faster response to current and emerging threats with faster rule fixes. Need help on architectural design (TBD)
    • b) 2.7 - Decoders/Rules enhancements (DONE since 2.7-beta)
    • c) 2.7 - Decoders/Rules testing (TBD)
    • d) 2.7 - Releasing (jbcheng)
  5. WUI – Web User Interface (current release 0.3, next release 0.4)
    • a) 0.4 - Fix OSSEC WUI 0.3 where it is incompatible with OSSEC 2.6. For example,  IP address and Date field got mixed up (TBD).
    • b) 0.5 - Viewing alerts is currently via text display only. It would be nice to have CSV output option. 
    • c) 0.5 - WUI reporting can be enhanced to become more useful.
  6. Web site –
    • a) Doc - The web site has been restructured with a new look and better navigation. Anyone can report  broken links or missing information to (ANY). 
    • b) Doc - The Wiki feature on the old web site has been discontinued due to extensive spam trouble. Important content will be reproduced as static pages at user’s request (Vic, DONE in the new
    • c) Doc - Collect/create OSSEC tutorial video on YouTube (TBD) 
    • d) Demo - Create a live demo OSSEC server, ideally with agents in virtual machines (TBD)
    • e) Virtual machine - Re-visit the Virtual  Machine image effort which may contain OSSEC manager , WUI and even some 3rd party tools preinstalled (TBD).
  7. Interface with 3rd party tools
    • a) Doc - Write a blog about Snort –> OSSEC –> Splunk (TBD)
    • b) Doc - Write a blog about integrating OSSEC –> ELSA (TBD)
    • c) 3.0 - Investigate possible synergy between Hadoop and OSSEC (TBD)
    • d) Make syslog output enhancement – adding File Integrity checksum to alert output so it can be used for lookups (refer to : and (mstarks01, DONE in 2.7-beta1)

Tuesday, June 5, 2012

OSSEC Symposium

OSSEC CON 2013, July 25, Cupertino, CA

Trend Micro continued previous year's OSSEC Symposium with OSSEC CON 2013. The conference was again a huge success and the attendees tripled compared to 2012. The user community response was excellent and many from outside the US requested to have future OSSEC CON's in places near their countries of origin.  If you missed OSSEC CON 2013, see the recap page for a high level summary and keynote presentation slides. 

OSSEC Symposium Summer 2012, July 12-13, Cupertino, CA

Trend Micro has announced the first OSSEC Symposium to the open source community. It's a two-day event to be held in Cupertino, California, USA on July 12-13, 2012. The agenda includes Trend Micro managers talking about the future direction of OSSEC project, expert OSSEC developers presenting their experience, and fellow OSSEC users sharing their success stories as well as pain points. 

The symposium was a big success and a complete recap along with the presentation slides are available at

JB Cheng

Friday, June 1, 2012


Besides the obvious must-have of OSSEC package you downloaded, what other things do I need to extend OSSEC capabilities?
  1. Graylog2 is an open source log management solution that stores your logs in elasticsearch and provides web-based GUI. It utilizes logstash.
  2. Splunk can receive OSSEC alerts via syslog. There is a free version which allows you to index up to 500 megabytes of data per day, and make the data ready for query and correlation. Splunk for OSSEC is an app which offers parsing logic, saved searches, and dashboards. Here is a blog for the installation of OSSEC & Splunk.
  3. ELSA ( Enterprise Log Search and Archive) is a centralized syslog framework built on Syslog-NG, MySQL, and Sphinx full-text search. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web. 
  4. OSSIM (Open Source SIEM) provides event collection, normalization, correlation and incident response. There is an OSSIM Tutorial: OSSEC Quick Start Guide.
  5. ArcSight integration help can be found at this blog OSSEC Speaks ArcSight.
  6. AnaLogi  (Analytical Log Interface) was built to sit on top of OSSEC (since OSSEC 2.6) and requires 0 modifications to OSSEC or the database schema that ships with OSSEC. AnaLogi requires a Webserver sporting PHP and MySQL.  Remy van Elst blogged about a nice tutorial which covers the basic installation of OSSEC 2.8 server on Ubuntu 14.04, as well as OSSEC WebUI and Analogi dashboard. Nice job!
  7. To uninstall OSSEC, check out the blog by Remy van Elst here.

Wednesday, April 18, 2012

So you want to know about OSSEC

This blog is about OSSEC (Open Source Security), an Open Source Host-based Intrusion Detection System. So you heard about it and want to know more about it.  You have come to the right place.

  1. First, you can start from Wikipedia, which gives you a nice overview, and links to the following:
  2. A bit of history from an 2009 interview Q&A blog with the founder.
  3. How OSSEC was acquired and stayed open source and free.
  4. A link to the official web site, where you can download the latest released source code.
  5. The founder - Daniel Cid's blog
  6. Brazil: Jeronimo Zucco shared his slides on Implementing OSSEC, and the video (6 hours, in Portuguese) can be downloaded here.
  7. Belgium FOSDEM 2010: Wim Remes presented an OSSEC overview and the recorded video is available on YouTube.
  8. Nicolas Zin wrote a free ebook OSSEC HOWTO - The Quick and Dirty Way
Your friend,
JB Cheng

Chengle Community Intelligence Corp.