Good Morning! Does OSSEC already have the ability to extract monit entries[1] from the syslog? That would be a nice (but quite extensive) health-check function for servers.

-----

I also have a short question about the rootkit detection. There is a pretty good FOSS project, chkrootkit[2], which performs a lot of tests. OSSEC is also doing quite some tests on detecting rootkits and - I guess - you use a lot of time on maintaining that function. I'd just like to know why OSSEC implements its own rootkit detection instead of relying on a project - like chkrootkit - specifically covering rootkit detection, since the time for maintaining and extending the OSSEC rootkit detection could surely be used on other parts of OSSEC. I mean, time is (usually) the most limiting factor on FOSS projects, so isn't it better not to do double work?

------

And one last one: just out of curiosity, is there a concentration of OSSEC developers in a certain region, or are all the developers scattered around the globe?

Lars

___________________________________
[1] http://www.tildeslash.com/monit/
[2] http://www.chkrootkit.org/

On 04.08.2006 at 04:58, Daniel Cid wrote:

>
> Hi Ruurd,
>
> Let me see if I can answer some of your questions...
>
> 1- Ossec has a very centralized approach when analyzing the data, so
> there is not much to configure in the agent side. However, in addition to
> removing and adding the agents, the ossec server sends parts of its own
> configuration to them. If you look at /var/ossec/etc/shared you will see
> some of the files that are shared with the agents (by default it includes
> the rootkit files list, the active response files, and the rootkit
> trojans list).
>
> 2- Great idea. I am adding a simple module to do "health checks" of
> the agents and it will extract memory usage, cpu usage, free disk space
> and uptime information. If you have more ideas of health checks to
> perform, let us know and we can add them. I didn't fully understand what
> you meant by verifying if SSL is active or encryption is running (you
> mean apache with SSL?)...
>
> 3- You already contributed by giving us some ideas and feedback.
> Other ways to contribute include reporting false positives or errors in
> the rules, providing logs or new rules to the log analysis engine,
> contributing with new code, reporting any error that you may find or even
> donating financially to the project.
>
> Hope it helps..
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 8/3/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>>
>> This morning we have seen the webcast from SANS regarding OSSEC.
>> We found it very interesting and it has clarified some of our issues.
>> Other issues however still remain.
>>
>> 1) In the webcast, Mike Poor is talking about Setup, configure, or
>> remove agents from remote machines. We can add and remove agents, and
>> give them a key. But that's it.
>>
>> We would like to know if there is a way to configure the agents
>> (edit the ossec.conf) from the ossec server?
>>
>> 2) The agent-info (in queue) contains the agent host OS. Is there
>> a way to add more information like free disk space, encryption running,
>> SSL active etc.
>>
>>
>> 3) We are very enthusiastic about OSSEC. Is there any way we can
>> contribute to the project?
>>
>> Thanks,
>>
>> Ruurd Bakker
>>
>> SecQuard Systems
>>
>> Mob +31(0)6 5262 5365
>>
>> Email [EMAIL PROTECTED]
>>
>> Web www.xsguard.nl
>>
>>
