Hi all, I'm attempting to replace my homebrew HIDS scripts with OSSEC for the sleek central management and alerting. So far the log monitoring and syscheck/rootcheck are working beautifully, but I can't figure out how to do baselining and anomaly detection for certain key intrusion areas, such as process lists and listening TCP/UDP ports.
Currently I run a script to compare the current list of Windows server processes to the previous week's baseline. Basically it reports any new processes that were not present the week before (based on the md5sum of the process's image path). Seems like this sort of anomaly detection would fall under syscheck/rootcheck, but syscheck is for system files only (not command output, such as a process listing), and while rootcheck can look for specific "known bad/good" patterns, it doesn't seem to support baselining and anomaly detection. I also considered "manual process monitoring" (http://www.ossec.net/main/manual/manual-process-monitoring/), but again only pattern matching for known values is supported, and the frequency of these checks doesn't appear customizable. Any ideas?

d.
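As an added example (not part of the original message and not OSSEC code), here is the core of the baseline-diff the poster describes, in Python: snapshots keyed by the md5 of each process's image, a diff that flags anything absent from last week's baseline, and one single-line record per finding that a log-monitoring agent could be pointed at. Collecting the live process list and the `process_baseline:` record format are assumptions; the sample hashes are md5 of made-up bytes, not real binaries.

```python
import hashlib
import json
from pathlib import Path


def md5_file(path):
    """MD5 of a process's image file, the key the poster's script uses."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_snapshot(processes):
    """processes: iterable of (name, image_path, md5). Returns {md5: entry}.
    Keying by image hash means a replaced binary at a known path shows up
    as a new process instead of matching on the old name or path."""
    snap = {}
    for name, path, digest in processes:
        snap.setdefault(digest, {"name": name, "path": path})
    return snap


def diff_baseline(baseline, current):
    """Entries in current whose image hash is absent from the baseline."""
    return {d: e for d, e in current.items() if d not in baseline}


def format_alerts(new_entries):
    """One single-line record per anomaly (assumed format, easy to decode)."""
    return [f"process_baseline: new_process name={e['name']} path={e['path']} md5={d}"
            for d, e in sorted(new_entries.items())]


def save_baseline(snapshot, path):
    Path(path).write_text(json.dumps(snapshot, indent=1))


def load_baseline(path):
    p = Path(path)
    return json.loads(p.read_text()) if p.exists() else {}


# Constructed sample data: hashes are md5 of made-up bytes, not real binaries.
LAST_WEEK = build_snapshot([
    ("svchost.exe", r"C:\Windows\System32\svchost.exe", hashlib.md5(b"svchost-v1").hexdigest()),
    ("lsass.exe",   r"C:\Windows\System32\lsass.exe",   hashlib.md5(b"lsass-v1").hexdigest()),
])
THIS_WEEK = build_snapshot([
    ("svchost.exe", r"C:\Windows\System32\svchost.exe", hashlib.md5(b"svchost-v1").hexdigest()),
    ("lsass.exe",   r"C:\Windows\System32\lsass.exe",   hashlib.md5(b"lsass-v2").hexdigest()),  # image changed
    ("updater.exe", r"C:\Users\Public\updater.exe",     hashlib.md5(b"updater").hexdigest()),   # new process
])

if __name__ == "__main__":
    for line in format_alerts(diff_baseline(LAST_WEEK, THIS_WEEK)):
        print(line)
```

Run weekly: load the saved baseline, diff the fresh snapshot against it, append the records to a file that the agent tails, then save the fresh snapshot as next week's baseline.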
