OSSEC Overview

About

  • Most Widely Used Host-based Intrusion Detection System
  • Server Intrusion Detection for Every Platform
    • Open Source HIDS
    • Multiplatform HIDS
    • PCI Compliance

What is Host-based Intrusion Detection System?

  • Host-based intrusion detection systems are aimed at collecting information about activity on a particular single system, or host.
  • Monitors “who accessed what,” i.e. helps detect malicious or improper activities.
  • The term “host” refers to an individual computer, thus a separate sensor would be needed for every machine.
  • These host-based agents, which are sometimes referred to as sensors, would typically be installed on a machine that is deemed to be susceptible to possible attacks.
  • Sensors work by collecting data about events taking place on the system being monitored. This data is recorded by operating system mechanisms called audit trails.
Refer to: Detailed comparison Host Based vs Network Based IDS

Possibilities using OSSEC: it can perform

  • log analysis,
  • integrity checking,
  • windows registry monitoring,
  • rootkit detection,
  • real-time alerting
  • and active response.
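Added example (not part of the original notes, and not configuration shipped by the OSSEC project): a minimal ossec.conf fragment that enables each capability listed above, so the list can be matched to the configuration blocks that drive it. It assumes a default Linux installation under /var/ossec, a Debian-style /var/log/auth.log, and the stock firewall-drop.sh active-response script; the registry entry only has an effect on a Windows agent and is included to show where registry monitoring is configured.

```xml
<ossec_config>
  <!-- Log analysis: collect and parse a host log (assumed path for a Debian-style host) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <!-- Integrity checking: hash and attribute baseline of the listed directories,
       rescanned every 7200 s and also watched in real time -->
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <!-- Windows registry monitoring (only effective on a Windows agent) -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
  </syscheck>

  <!-- Rootkit detection using the signature lists shipped with OSSEC -->
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <!-- Real-time alerting: alerts of this level and above are written to alerts.log -->
  <alerts>
    <log_alert_level>3</log_alert_level>
  </alerts>

  <!-- Active response: on an alert of level 10 or higher, run the stock
       firewall-drop script against the source IP for 600 s on the local host -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

The level thresholds are the knobs a defender tunes: a low log_alert_level keeps noisy but useful events, while the active-response level should stay high enough that a single false positive cannot block a legitimate source.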

Cross-platform HIDS: it runs on most operating systems, including

  • Linux,
  • OpenBSD,
  • FreeBSD,
  • Mac OS X,
  • Solaris
  • and Windows.

Lab: OSSEC installation and working, step by step