Open source IDS app gets an update

New version of OSSEC adds advanced log analysis, e-mail alerting and support for more vendor systems

IT managers who want to get a handle on their security logs but don’t have the budget for big-ticket software can check out an updated version of the open source host-based intrusion-detection system OSSEC.

IT managers who want to get a handle on their security logs but don’t have the budget for big-ticket software can check out an updated version of the open source, host-based intrusion-detection system OSSEC.

OSSEC Version 1.1 performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting and active response. Daniel Cid, lead developer and author of OSSEC, says the software is both an IDS as well as a log analysis and correlation tool, similar to products in the security event management market.

"The project was created on 2004, but it started to gain a lot of attention only at the end of 2005," Cid reports.

Cid this week made available Version 1.1, which he says adds features such as e-mail alerting, advanced log analysis and an active reponse mechanism to thwart attackers. This version includes "more advanced log-analysis rules for improved correlation and analysis," as well as new active response features that use "route null" to block detected attackers, he says.

OSSEC uses a client/server model with server software at a central location and distributed agent technology on managed devices. The software monitors file and directory modifications, provides accountability by storing authentication information, and triggers user alerts on failed authentication or questionable user additions.

The software runs on most operating systems, including Linux, OpenBSD, MacOS, Solaris and Windows. Users install the software on a server and then the agent is deployed on client machines using a Windows installation wizard.

"It has a centralized architecture, allowing one central server to manage and monitor the logs and integrity data from multiple agents," Cid explains. "The server/agent communication is encrypted/compressed so it saves a lot of bandwidth and keeps the privacy of the log data in transit."

The software also allows a local installation for users that are not interested in the server/agent architecture or just have one system to monitor. This release also adds support for Microsoft IIS 6, Cisco VPN concentrator, Cisco PIX VPN AAA, Cisco FWSM and Solaris 10 logs.

OSSEC Version 1.1 is available free for download under the GNU General Public License.

Learn more about this topic

Catalogue lets users browse open source projects


Renamed firm rolling out open source security appliance for SMBs


German IT agency to release open source security suite


Users at LinuxWorld talk up security


6 hot technologies for 2006: IPS


Must read: 11 hidden tips and tweaks for Windows 10
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies