OSSEC is awesome! I first discovered it probably around 4 years ago when I
was researching solutions for PCI compliance at my previous company. I
stumbled across OSSEC and started playing around with it, installing it on
my home network. I never got approval to implement it at my previous company
but I fastidiously pushed for it. No such luck during the 3 years I was
there. All of my "POC" work was done on my home network, and even then it
wasn't a very complex setup (aka, I had very little idea what I was doing,
but it seemed cool!)

It wasn't until I started at my current company, a year ago now, that I got
more actively involved with OSSEC. It turned out that my company had
deployed OSSEC before I came on, but it wasn't very centralized and not as fully
configured or tailored to our environment as I thought it could be.
Since then, I've worked towards larger centralization across hundreds of
servers as well as fine-tuning some rules and alerting. I've also set up
active response to help deal with brute force attacks against our SSH
servers, among other interesting things.

It's been a long and slow process, but I've enjoyed every bit of it. OSSEC
is probably one of the main catalysts that first got me interested, and has
kept me interested, in the security arena. As a 'hobby' I enjoy tinkering
with OSSEC at home and even started exploring how I can have it monitor my
home alarm system (i.e. receive alerts and log every time a door opens or
when the siren sounds).

OSSEC is an extremely useful tool and I couldn't imagine life without it!
Okay, I might be exaggerating a bit there, but it really has helped me think
about security problems and issues we face today and ways in which we can
practically deal with them.
On Mon, Oct 18, 2010 at 10:50 AM, Daniel Cid <[email protected]> wrote:

> I will share my own story as well....
>
> Many years ago (around 2002/2003), I had to manage hundreds of
> Linux/Solaris servers, and one of the requirements was file integrity
> checking / log analysis on all of them. None of the solutions at the time
> allowed me to do that from a centralized location, so I decided to jump in
> and do it myself.
>
> The initial versions were all written in Perl and had the same concept
> that we see on OSSEC now: small agents pushing events to a centralized
> manager for alerting and monitoring. Later on I decided to re-write it in C
> and released it as open source. The project was initially named osaudit and
> you can still catch the old page on sourceforge:
> http://osaudit.sourceforge.net/
>
> After a few versions I changed the name from osaudit to just ossec hids and
> released its first version in 2005 (
> http://marc.info/?l=loganalysis&m=112131235829527&w=2 )
>
> Leaving the story on the side, OSSEC has helped on multiple projects,
> giving me visibility and actionable data that would be very hard to get
> otherwise. Plus, the amount of stuff I have learned from the OSSEC
> community is one of the things I value the most (mailing list discussions,
> IRC, patches, etc).
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Mon, Oct 18, 2010 at 12:45 PM, Derek Morris <[email protected]>
> wrote:
> > I started using Ossec around version 1.4 several years ago. At that time
> > my present employer had nothing for HID or event monitoring. Being a
> > non-profit, money was tight, so I started out by building a
> > Nagios/Ossec/MRTG Network Monitoring Server. The fact that Ossec was open
> > source and free allowed me to really get into it as there were no costs
> > holding me back. The environment is mainly Windows on the server side and
> > Cisco on the network side. From the moment Ossec/Nagios started up, my
> > department went from being reactive to proactive in all areas; this
> > immediately turned into HAPPY END USERS!!! Numerous issues were detected
> > right away and fixed. In the past the issue would occur, then my team
> > would have to poke around to find out where it was originating from and
> > address the issue.
> >
> > Outside of work, I have been able to do "security consultation" based off
> > my experience with Ossec. It has allowed me to help other IT departments
> > deploy their own very inexpensive, very flexible "Monitoring Device"
> > (Nagios and Ossec). It has given control back to IT staff. There are lots
> > of commercial big dollar devices that some IT budgets just cannot afford;
> > Ossec has helped out tremendously in my travels.
> >
> > Hope I have shared a story that others can relate to!!
> >
> > -- Derek
> >
>