OSSEC is a popular host-based intrusion detection system (HIDS). One of the factors driving OSSEC’s popularity is that it is an open-source project, meaning that it’s available at no cost. Able to run on Windows, Linux, MacOS, Solaris, HP-UX and AIX, OSSEC is a HIDS that nearly everyone can take advantage of.
The program itself monitors the traffic that occurs between hosts and the networks that connect to them. OSSEC performs log analysis, monitors policy, checks file integrity, provides rootkit detection and also delivers alerts in real-time. Having the reputation of being the only open-source truly full-featured HIDS tool, OSSEC is a very popular choice among systems administrators.
Understanding Signature Detection vs. Anomaly Detection
When talking about network monitoring, there are two types of network intrusion detection systems (IDS). These are signature detection and anomaly detection.
Signature-based IDS monitors traffic for any patterns that reflect known malicious traffic. Think DDoS, malware and scanning activity here. Once these potentially threatening traffic patterns are identified, the ISD issues an alert. The problem with this is that signature-based IDS are built using what is already known, so they won’t be able to detect the new activity conducted by what could actually be malicious traffic.
Anomaly-based IDS focuses less on the traffic patterns and more on the activity of that traffic based on a pre-established profile. In this scenario, the ISD tool is looking for indicators in baselines rather than signatures. What these tools deem to be “usual activity” is determined by statistical averages of previous activities, so when something like an uptick in HTTP activity occurs, an anomaly-based ISD would be triggered.
The Ability to Combine Signature & Anomaly Detection
OSSEC offers both signature-based and profile behavior detection. It is available in several environments, including many types of servers. Each of these environments must be configured to create appropriate alerts for differing situations. For instance, what may appear as problematic on a VMWare server would be totally different from an issue experienced with, say, a mail server. Getting OSSEC set up properly in each of these environments can be a daunting task, but the detection services offered therein are absolutely worth the initial hassle.
If you’re looking to beef up security on your network, check out OSSEC’s documentation and decide if this popular HIDS is right for you.
Luis Pichardo says:
Great information! Thank you for sharing. I’m implementing this on my VPS boxes and dedictaed servers!
Chad Stewart says:
Thanks Luis! Glad you found this useful.