Sorry to dig up old threads, but I just put OSSEC HIDS on one of our linux FTP servers that sits out in the DMZ.
Installation was easy as pie, it pretty much configured itself... I didn't run into any problems even though it's an older Redhat box. Main usage is to block SSH and FTP brute force attacks, which I was using DenyHosts for previously. DenyHosts worked great for SSH (and I've recently read about SSH DoS vulnerabilities with it, so I'm glad I've dumped it) but even with help from the creator of DenyHosts, I couldn't get it to detect and block FTP login failures using the custom regex features. Honestly, I haven't even scratched the surface of the abilities of OSSEC HIDS with what I need it for, as I've just done a 'local' installation on one linux box, but I'll be testing other features soon.

cb

-----Original Message-----
From: Kennedy, Jim [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 11, 2007 1:52 PM
To: NT System Admin Issues
Subject: RE: event log management

FWIW our auditors suggested that one. I couldn't remember the name or I would have spoken up sooner.

> -----Original Message-----
> From: Kurt Buff [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, December 11, 2007 2:42 PM
> To: NT System Admin Issues
> Subject: Re: event log management
>
> On that note, I just remembered about OSSEC - it's an open source
> HIDS, using logs and such to monitor systems.
>
> I'll be looking into it soon, as I think it has lots of potential.
>
> On Dec 11, 2007 10:03 AM, Bill Songstad (WCUL) <[EMAIL PROTECTED]> wrote:
> >
> > They say it is to be another level of intrusion detection. I think I may be
> > able to get away with just servers, routers and firewalls though. But since
> > I have to find something, I might as well try to find what they want.
> >
> > Somehow I get the feeling though, that many people are paying little more
> > attention to their logs than they were before they implemented a log
> > management solution. There are times that I remember from the past where
> > having a log alert could have saved me a lot of pain, especially in the case
> > of dying disks. Or failed services... So as much as I don't enjoy finding a
> > solution, I expect to get a certain amount of value from it. What I don't
> > want to do is purchase some monster to please the auditors, when some
> > smaller program provides the same effective functionality. If people aren't
> > realizing an IDS value from their solutions, why would I want a solution
> > that boasts great IDS capability?
> >
> > Bill Songstad
> >
> > -----Original Message-----
> > From: Louis, Joe [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, December 11, 2007 9:41 AM
> > To: NT System Admin Issues
> > Subject: RE: event log management
> >
> > There was one on sourceforge I saw a few months ago that I can't find for the
> > life of me (not Nagios). I do use Snare for some of my servers.
> >
> > Do they really want you to monitor event logs of workstations too?
> >
> > ________________________________
> >
> > From: Bill Songstad (WCUL) [mailto:[EMAIL PROTECTED]
> > Sent: Monday, December 10, 2007 5:26 PM
> > To: NT System Admin Issues
> > Subject: event log management
> >
> > My auditors are whining like, well, like whining auditors, about my log
> > management and reporting strategy. You see, currently I look to the logs
> > after something goes wrong. Apparently, they want me to monitor all the
> > logs on my workstations, servers and network devices 24-7-365 and use that
> > endless stream of mind numbing data to predict when something bad is about
> > to happen. Apparently that way I can answer my phone and respond to an
> > emergency only a few minutes after it has crippled my systems, rather than
> > sleeping through the night to deal with the crippled system in the morning
> > after a good night's sleep. But I digress...
> >
> > I doubt that many of you are telling the future with your log management
> > solutions, but I'm interested to know if there are any log management
> > products or services that are leaving a particularly memorable taste in
> > anybody's mouth.
> >
> > Bill Songstad

~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~ ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
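The detection cb wanted from DenyHosts and got from OSSEC, as an added example that is not from the thread and not code from either tool: a small Python detector that parses constructed vsftpd-style log lines (the format is an assumption, since the thread never names the FTP daemon) and flags a source address once it has accumulated a threshold of failed logins inside a sliding time window, which is the decision a blocking rule would act on.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the thread), in a vsftpd-style layout:
# timestamp, pid, attempted user, OK/FAIL LOGIN, client address.
SAMPLE_LOG = """\
Tue Dec 11 13:52:01 2007 [pid 4021] [admin] FAIL LOGIN: Client "192.0.2.10"
Tue Dec 11 13:52:03 2007 [pid 4022] [root] FAIL LOGIN: Client "192.0.2.10"
Tue Dec 11 13:52:05 2007 [pid 4023] [bob] OK LOGIN: Client "198.51.100.7"
Tue Dec 11 13:52:06 2007 [pid 4024] [test] FAIL LOGIN: Client "192.0.2.10"
Tue Dec 11 13:52:08 2007 [pid 4025] [ftp] FAIL LOGIN: Client "192.0.2.10"
Tue Dec 11 13:52:09 2007 [pid 4026] [alice] FAIL LOGIN: Client "198.51.100.7"
Tue Dec 11 13:52:10 2007 [pid 4027] [admin] FAIL LOGIN: Client "192.0.2.10"
Tue Dec 11 13:58:30 2007 [pid 4030] [guest] FAIL LOGIN: Client "198.51.100.7"
"""

# Assumed line layout; adjust the pattern for whatever daemon actually writes the log.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$'
)


def parse_line(line):
    """Return (timestamp, user, result, ip) or None for lines that are not login records."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("user"), m.group("result"), m.group("ip")


def brute_force_sources(log_text, threshold=5, window_seconds=60):
    """Map each client IP that reached `threshold` FAIL LOGIN events within any
    `window_seconds` span to the time it first crossed the threshold."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # per-IP timestamps of failures still inside the window
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # transfer records, connection notices, etc.
        ts, _user, result, ip = parsed
        if result != "FAIL":
            continue  # successful logins do not count toward the threshold
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: threshold reached at {when}")
```

On the sample only 192.0.2.10 is flagged; 198.51.100.7 has two failures six minutes apart, which a 60-second window never sees together.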
