Hi Lars,
Currently ossec does not have any rule or decoder for monit. If you have logs of monit that you can share, we can certainly add support for it.

Regarding the rootkit detection engine, we decided to make our own because of three reasons:

- chkrootkit is not modularized. If you want to add a new rootkit to detect, you need to go to the shell script and add it. With ossec, you just need to add a new entry in the rootkit_files.txt.

- chkrootkit is not scalable, so we would need to make a lot of changes to it to make it work well on multiple servers. In addition to that, we plan to port rootcheck to windows, so having it done in C is better than shell script.

- We tried to focus more on kernel level rootkits and anomalies than on publicly known rootkits and their files...

* I am not complaining or minimizing the value of chkrootkit, but rootcheck has different views and approaches to detect unix-based rootkits...

* The same applies to the integrity checking module.. We could have used tripwire or other open source projects, but we decided to make our own.

* Yep, we also have our own xml and regex parsing libraries :) shame on us for not reusing outside code :)

Related to the ossec developers, we are very scattered around the globe. By just getting the 5 developers listed in the web site you can see it :)

Daniel Cid - Canada
Ahmet Ozturk - Turkey
Meir Michanie - Israel
Rafael Capovilla - Brazil
Jorge Senger - Brazil

In addition to that, we have contributors from China, Greece and Russia.. (interestingly enough, we don't have many contributions from the usa or the rest of Europe).

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 8/4/06, Lars Scheithauer <[EMAIL PROTECTED]> wrote:
Good Morning!

Does OSSEC already have the ability to extract monit entries [1] from the syslog? That would be a nice (but quite extensive) health-check function for servers.

-----

I also have a short question about the rootkit detection. There is a pretty good FOSS project, chkrootkit [2], which performs a lot of tests. OSSEC is also doing quite some tests on detecting rootkits and - I guess - you use a lot of time on maintaining that function. I'd just like to know why OSSEC implements its own rootkit detection instead of relying on a project - like chkrootkit - specifically covering rootkit detection, since the time for maintaining and extending the OSSEC rootkit detection could surely be used on other parts of OSSEC. I mean, time is (usually) the most limiting factor on FOSS projects, so isn't it better not to do double work?

------

And one last one: just out of curiosity, is there a concentration of OSSEC developers in a certain region or are all the developers scattered around the globe?

Lars
___________________________________
[1] http://www.tildeslash.com/monit/
[2] http://www.chkrootkit.org/

On 04.08.2006 at 04:58, Daniel Cid wrote:

> Hi Ruurd,
>
> Let me see if I can answer some of your questions...
>
> 1- Ossec has a very centralized approach when analyzing the data, so there is not much to configure on the agent side. However, in addition to removing and adding the agents, the ossec server sends parts of its own configuration to them. If you look at /var/ossec/etc/shared you will see some of the files that are shared with the agents (by default it includes the rootkit files list, the active response files, and the rootkit trojans list).
>
> 2- Great idea. I am adding a simple module to do "health checks" of the agents and it will extract memory usage, cpu usage, free disk space and uptime information. If you have more ideas of health checks to perform, let us know and we can add them. I didn't fully understand what you meant by verifying if SSL is active or encryption is running (you mean apache with SSL?)...
>
> 3- You already contributed by giving us some ideas and feedback. Other ways to contribute include reporting false positives or errors in the rules, providing logs or new rules to the log analysis engine, contributing new code, reporting any error that you may find or even donating financially to the project.
>
> Hope it helps..
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 8/3/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>>
>> This morning we have seen the webcast from SANS regarding OSSEC. We found it very interesting and it has clarified some of our issues. Other issues however still remain.
>>
>> 1) In the webcast, Mike Poor is talking about "Setup, configure, or remove agents from remote machines". We can add and remove agents, and give them a key. But that's it.
>>
>> We would like to know if there is a way to configure the agents (edit the ossec.conf) from the ossec server?
>>
>> 2) The agent-info (in queue) contains the agent host OS. Is there a way to add more information like free disk space, encryption running, SSL active etc.?
>>
>> 3) We are very enthusiastic about OSSEC. Is there any way we can contribute to the project?
>>
>> Thanks,
>>
>> Ruurd Bakker
>>
>> SecQuard Systems
>>
>> Mob. +31(0)6 5262 5365
>>
>> Email [EMAIL PROTECTED]
>>
>> Web www.xsguard.nl
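Daniel's first argument for rootcheck over chkrootkit is that known-rootkit signatures live in a data file (rootkit_files.txt) rather than in the scanner's code, so adding a detection means adding a line, not editing a script. The following is an added illustration of that data-driven approach and is not OSSEC's own code; the entry format (path ! Name ::reference) is modelled on rootkit_files.txt but should be treated as an assumption here, and the database lines, file names and URLs are constructed for the example.

```python
"""
Added example (not OSSEC code): a small data-driven file-list rootkit check,
in the spirit of rootcheck's rootkit_files.txt.

Assumed entry format (modelled on rootkit_files.txt; an assumption here):
    path ! Name ::reference
Paths are relative to the filesystem root; lines starting with '#' are comments.
"""
import os
import tempfile

# Constructed sample database: every entry below is made up for this example.
SAMPLE_DB = """\
# path ! Name ::reference
tmp/.fakedoor ! Example backdoor ::https://example.invalid/fakedoor
dev/.hidden_mod ! Example LKM dropper ::https://example.invalid/lkm
usr/bin/.sniff ! Example sniffer ::https://example.invalid/sniff
"""


def parse_rootkit_files(text):
    """Return a list of (path, name, reference) tuples parsed from the database.

    A malformed line raises ValueError so a typo in the signature list is
    noticed at load time instead of silently disabling a check.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if " ! " not in line:
            raise ValueError(f"line {lineno}: missing ' ! ' separator: {raw!r}")
        path, rest = line.split(" ! ", 1)
        name, _, ref = rest.partition("::")
        entries.append((path.strip().lstrip("/"), name.strip(), ref.strip()))
    return entries


def check_rootkit_files(entries, root="/"):
    """Return (full_path, name, reference) for every entry present under root.

    os.lstat is used rather than os.path.exists so that a planted symlink is
    itself reported instead of being followed (and missed if it dangles).
    """
    hits = []
    for path, name, ref in entries:
        full = os.path.join(root, path)
        try:
            os.lstat(full)
        except FileNotFoundError:
            continue
        hits.append((full, name, ref))
    return hits


def demo():
    """Scan a constructed directory tree that contains one of the sample files."""
    entries = parse_rootkit_files(SAMPLE_DB)
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "tmp"))
        open(os.path.join(root, "tmp", ".fakedoor"), "w").close()
        hits = check_rootkit_files(entries, root)
        # Report paths relative to the scanned root so the result is stable.
        return [(os.path.relpath(full, root), name) for full, name, _ in hits]


if __name__ == "__main__":
    for rel, name in demo():
        print(f"Rootkit file found: /{rel} ({name})")
```

Adding a new detection is a one-line change to SAMPLE_DB (or, in a real deployment, to the shared signature file the server pushes to its agents), which is the modularity point made above; the scanner itself does not change.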
