IT managers who want to get a handle on their security logs but don't have the budget for big-ticket software can check out an updated version of the open source, host-based intrusion detection system (IDS) OSSEC.
OSSEC Version 1.1 performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting and active response. Daniel Cid, lead developer and author of OSSEC, says the software is both an IDS and a log analysis and correlation tool, similar to products in the security event management market.
"The project was created in 2004, but it started to gain a lot of attention only at the end of 2005," Cid reports.
Cid this week made available Version 1.1, which he says adds features such as email alerting, advanced log analysis and an active response mechanism to thwart attackers. This version includes "more advanced log-analysis rules for improved correlation and analysis," as well as new active response features that use "route null" to block detected attackers, he says.
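To show how the "route null" active response described above is wired together, here is an added configuration fragment (not from the article or the OSSEC project's own documentation) in the style of OSSEC's ossec.conf: a command entry that points at the route-null script and an active-response entry that fires it. The element names follow OSSEC's active-response syntax as I know it; the alert level and timeout values are my own choices and should be tuned to the environment.

```xml
<!-- Added example: defines the null-route command and the rule that triggers it -->
<ossec_config>
  <!-- The command: OSSEC ships a route-null script that adds a null route
       for the offending source address. "expect srcip" tells OSSEC to pass
       the alert's source IP to the script; timeout_allowed lets the block
       be undone automatically when the timeout expires. -->
  <command>
    <name>route-null</name>
    <executable>route-null.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- The response: run route-null on the host that generated the alert
       (location "local") for any alert of level 10 or higher, and remove
       the null route after 600 seconds. A timeout matters: without one a
       spoofed or shared source address would stay blocked indefinitely,
       so a permanent block should only be used deliberately. -->
  <active-response>
    <command>route-null</command>
    <location>local</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Check /var/ossec/logs/active-responses.log (the location OSSEC uses for response activity, assumed here) after a triggering alert to confirm both the block and the later unblock were executed.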
OSSEC uses a client/server model with server software at a central location and distributed agent technology on managed devices. The software monitors file and directory modifications, provides accountability by storing authentication information, and triggers user alerts on failed authentication or questionable user additions.
The software runs on most operating systems, including Linux, OpenBSD, Mac, Solaris and Windows. Users install the software on a server and then deploy the agent to client machines, using an installation wizard on Windows.
"It has a centralised architecture, allowing one central server to manage and monitor the logs and integrity data from multiple agents," Cid explains. "The server/agent communication is encrypted/compressed so it saves a lot of bandwidth and keeps the privacy of the log data in transit."
The software also allows a local installation for users who are not interested in the server/agent architecture or who have only one system to monitor. This release also adds support for Microsoft IIS 6, Cisco VPN concentrator, Cisco PIX VPN AAA, Cisco FWSM and Solaris 10 logs.
OSSEC Version 1.1 is available free for download under the GNU General Public Licence.