Off the top of my head:
- OSSEC is built into Amazon EC2 instances out of the box, with useful decoders and rules. By default each instance is pre-wired as an agent and pre-wired to talk to your server instance. Perhaps using user-data as a key exchange or config bootstrapping method.
- OSSEC (or OSSEC Pro) has a correlation engine to use an IP address reputation service to calculate and return the risk of an IP address detected by OSSEC. (OSSEC Pro could include the use of Trend Micro's service, for example, and the open source version could simply have an API or framework to work with anything.)
- OSSEC is available as an RPM, bundled with popular Linux distros.
- OSSEC includes an API at installation to configure its agent keys automatically using a DHCP or similar discovery mechanism.
