Has anyone tried OSSEC or Samhain? I'd be interested in hearing how it worked for you.
- Dustin

-------- Original Message --------
Subject: Re: [SAGE] Evaluating OSSEC HIDS
Date: Mon, 16 Jul 2007 15:30:49 -0600
From: Joshua Gimer <[EMAIL PROTECTED]>
To: Jeremiah Johnson <jeremiah.johnson at gmail.com>
CC: Bennett <a42n8k9 at dejazzd.com>, sage-members at sage.org
References: <000701c7c798$69cbaa60$8164a8c0 at DOJO> <56B5E72A-BC7D-4364-B316-D613BA8214A2 at gmail.com> <701ea59b0707161305n5fced5e7u1e54a1176d060ffb at mail.gmail.com>

Does Samhain do rootkit detection, log monitoring, and active response?

Josh

On Jul 16, 2007, at 2:05 PM, Jeremiah Johnson wrote:

> Let's not forget Samhain
>
> http://www.la-samhna.de/samhain/
>
> Samhain is a multiplatform, open source solution for centralized file
> integrity checking / host-based intrusion detection on POSIX systems
> (Unix, Linux, Cygwin/Windows). It has been designed to monitor
> multiple hosts with potentially different operating systems from a
> central location, although it can also be used as standalone
> application on a single host.
>
> -miah
>
> On 7/16/07, Joshua Gimer <jgimer at gmail.com> wrote:
>> I use it on all of the UNIX systems. It works great!
>>
>> I have been a fan since the initial release and there is good list
>> support.
>>
>> It does frequent rootkit detection (hourly), log monitoring (kernel
>> logs, application logs), integrity checking, active response
>> (iptables, tcpwrappers, pf), and alerting. You can customize who
>> alerts go to based off of system, and based off of level.
>>
>> I use it for a HIDS solution, and use snort for a network based
>> solution. We currently have around 50 UNIX systems running it.
>>
>> Thanks
>> Joshua Gimer
>>
>> On Jul 16, 2007, at 4:59 AM, Bennett wrote:
>>
>>> Has anyone tried OSSEC (http://www.ossec.net/)?
>>>
>>> I'm in the process of trying to standardize our Linux installs and
>>> at the point of HIDS evaluation. I had been going after things like
>>> Tripwire, LogCheck, Snort, etc. when I stumbled on this one.
>>> Looks like it has a little bit of everything wrapped up in it.
>>>
>>> One part that also attracted me was that it has Windows
>>> components. We're a mixed shop and this would allow for the use of
>>> a common tool across the board.
>>>
>>> Is this tool worth taking a deeper look?
>>>
>>> Thanks,
>>> - Bennett

--
Puryear IT, LLC
Identity Management, Directory Services, Systems Integration
Baton Rouge, LA * 225-706-8414 * http://www.puryear-it.com
"Best Practices for Managing Linux and UNIX Servers"
http://www.puryear-it.com/pubs/linux-unix-best-practices
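As an added illustration (not part of the thread and not OSSEC's shipped default configuration), here is an ossec.conf fragment wiring up the four capabilities Joshua lists: hourly integrity and rootkit checks, log monitoring, firewall-based active response, and alert routing by level and by host. Element names follow OSSEC's ossec.conf schema as I understand it; the directory list, hostnames, mail addresses and alert levels are placeholders chosen for the example.

```xml
<ossec_config>
  <!-- Integrity checking: scan every hour (3600 s) and record hashes,
       permissions, owner and size of the directories an intruder most
       often touches. Rootcheck runs on the same cadence. -->
  <syscheck>
    <frequency>3600</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>
  </syscheck>

  <!-- Rootkit detection against the signature lists that ship with OSSEC
       (paths assume the default /var/ossec install prefix). -->
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <!-- Log monitoring: kernel and system messages via syslog format. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <!-- Active response: the firewall-drop.sh script blocks the offending
       source address in iptables, ipfilter or pf. It fires only for
       alerts of level 10 or higher and the block expires after 600 s,
       which limits the blast radius of a false positive. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>

  <!-- Alerting: a default recipient for everything, plus a per-host rule
       so level 7+ events from one server reach its own on-call list. -->
  <global>
    <email_notification>yes</email_notification>
    <email_to>ops@example.com</email_to>
    <smtp_server>mail.example.com</smtp_server>
    <email_from>ossec@example.com</email_from>
  </global>
  <email_alerts>
    <email_to>dba-oncall@example.com</email_to>
    <level>7</level>
    <event_location>dbserver01</event_location>
  </email_alerts>
</ossec_config>
```

When evaluating active response, start with a high level threshold and a short timeout as above, and review the alerts it would have acted on before lowering either.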
