Sorry for the spam but I wrote a tiny article talking about ossec and malware detection. Maybe it could be interesting for you:
http://virtualminds.es/blog/index.php/2010/03/using-ossec-sec-for-malware-detection.html

Greetings
Iñaki R.

On Fri, Apr 16, 2010 at 04:18:07AM -0700, Dave S wrote:
> A common way viruses get past protections is by users plugging in
> portable storage devices like USB drives.
> If that's the case, OSSEC couldn't block that because OSSEC can only
> respond to events *after* they happen.
>
> You could, however, detect more quickly when an infection occurs and
> take an action like quarantining the node.
> You could set up a test PC in a lab on an isolated network running
> ossec agent, then infect the machine and see what system changes it
> makes.
> From this, you could create custom rules that target this infection
> more precisely, tie those rules to an active response script that, for
> example, shuts down the PC or sets the firewall to block everything.
> Have it kick off an email to you, then you could check with the user
> immediately to see what they did.
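The custom rule plus active response that Dave describes, as an added example written for this reply (it is not from the original thread or the linked article); the rule id 100100, the script name quarantine-host and the matched path are assumptions to be replaced with what the lab test actually showed:

```xml
<!-- local_rules.xml: rule 554 is OSSEC's built-in syscheck
     "File added to the system" rule; 100100 is an assumed id
     in the local rule range (100000 and above). -->
<group name="local,syscheck,">
  <rule id="100100" level="12">
    <if_sid>554</if_sid>
    <!-- Narrow to the location the isolated test PC showed the
         infection writing to (assumed path). -->
    <match>/usr/local/bin/</match>
    <description>New file in a directory the lab infection wrote to</description>
  </rule>
</group>

<!-- ossec.conf on the manager: run an assumed quarantine script on the
     agent that raised the alert. Level 12 is above the default
     email_alert_level of 7, so the manager also emails the alert. -->
<ossec_config>
  <command>
    <name>quarantine-host</name>
    <executable>quarantine-host.sh</executable>
    <expect></expect>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <active-response>
    <command>quarantine-host</command>
    <location>local</location>
    <rules_id>100100</rules_id>
  </active-response>
</ossec_config>
```

The assumed quarantine-host.sh would live in /var/ossec/active-response/bin/ on the agent and, like the stock firewall-drop.sh, would apply the firewall block or shutdown Dave mentions.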
