Has anyone tried OSSEC or Samhain? I'd be interested in hearing how it
worked for you.
- Dustin
-------- Original Message --------
Subject: Re: [SAGE] Evaluating OSSEC HIDS
Date: Mon, 16 Jul 2007 15:30:49 -0600
From: Joshua Gimer <jgimer@gmail.com>
To: Jeremiah Johnson <jeremiah.johnson@gmail.com>
CC: Bennett <a42n8k9@dejazzd.com>, sage-members@sage.org
References: <000701c7c798$69cbaa60$8164a8c0@DOJO>
<56B5E72A-BC7D-4364-B316-D613BA8214A2@gmail.com>
<701ea59b0707161305n5fced5e7u1e54a1176d060ffb@mail.gmail.com>
Does Samhain do rootkit detection, log monitoring, and active response?
Josh
On Jul 16, 2007, at 2:05 PM, Jeremiah Johnson wrote:
> Let's not forget Samhain
>
> http://www.la-samhna.de/samhain/
>
> Samhain is a multiplatform, open source solution for centralized file
> integrity checking / host-based intrusion detection on POSIX systems
> (Unix, Linux, Cygwin/Windows). It has been designed to monitor
> multiple hosts with potentially different operating systems from a
> central location, although it can also be used as standalone
> application on a single host.
>
> -miah
>
> On 7/16/07, Joshua Gimer <jgimer@gmail.com> wrote:
>> I use it on all of the UNIX systems. It works great!
>>
>> I have been a fan since the initial release and there is good list
>> support.
>>
>> It does frequent rootkit detection (Hourly), log monitoring (Kernel
>> logs, application logs), integrity checking, active response
>> (iptables, tcpwrappers, pf), and alerting. You can customize who
>> alerts go to based off of system, and based off of level.
>>
>> I use it for a HIDS solution, and use snort for a network based
>> solution. We currently have around 50 UNIX systems running it.
>>
>> Thanks
>> Joshua Gimer
>>
>> On Jul 16, 2007, at 4:59 AM, Bennett wrote:
>>
>> > Has anyone tried OSSEC (http://www.ossec.net/)?
>> >
>> > I'm in the process of trying to standardize our Linux installs and
>> > at the point of HIDS evaluation. I had been going after things like
>> > Tripwire, LogCheck, Snort, etc. when I stumbled on this one. Looks
>> > like it has a little bit of everything wrapped up in it.
>> >
>> > One part that also attracted me was that it has Windows components.
>> > We're a mixed shop and this would allow for the use of a common tool
>> > across the board.
>> >
>> > Is this tool worth taking a deeper look?
>> >
>> > Thanks,
>> > - Bennett
>> >
>> >
>>
>>
--
Puryear IT, LLC
Identity Management, Directory Services, Systems Integration
Baton Rouge, LA * 225-706-8414 * http://www.puryear-it.com
"Best Practices for Managing Linux and UNIX Servers"
http://www.puryear-it.com/pubs/linux-unix-best-practices
___________________
Nolug mailing list
nolug@nolug.org
Received on 07/17/07
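The feature both tools in the thread share is file integrity checking: record a baseline of hashes and metadata, rescan, and report drift. The following is an added illustration of that mechanism, not code from OSSEC, Samhain, or anyone on the list. It builds a throwaway directory tree as constructed input, baselines it, applies some constructed changes (content appended, permissions loosened, a file removed, a new file dropped in) and reports what a HIDS integrity scan would flag.

```python
import hashlib
import os
import stat
import tempfile

# Fields recorded for every file; a change in any of them is a finding.
FIELDS = ("sha256", "size", "mode", "uid")


def file_fingerprint(path):
    """Hash the file contents and record the metadata a HIDS would baseline."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),  # permission bits only
        "uid": st.st_uid,
    }


def build_baseline(root):
    """Walk root and fingerprint every regular file (symlinks are skipped)."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_fingerprint(full)
    return baseline


def compare(baseline, current):
    """Return sorted (kind, path, field) findings: added, changed, deleted."""
    findings = []
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings.append(("deleted", rel, "-"))
            continue
        for field in FIELDS:
            if old[field] != new[field]:
                findings.append(("changed", rel, field))
    for rel in current:
        if rel not in baseline:
            findings.append(("added", rel, "-"))
    return sorted(findings)


def demo():
    """Constructed scenario: baseline a fake etc/ tree, alter it, rescan."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        passwd = os.path.join(etc, "passwd")
        hosts = os.path.join(etc, "hosts")
        motd = os.path.join(etc, "motd")
        with open(passwd, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(hosts, "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(motd, "w") as fh:
            fh.write("welcome\n")
        os.chmod(hosts, 0o644)

        baseline = build_baseline(root)

        # Constructed drift: content appended, permissions loosened,
        # a file removed, an unexpected file dropped in.
        with open(passwd, "a") as fh:
            fh.write("svc:x:1001:1001::/var/empty:/bin/false\n")
        os.chmod(hosts, 0o666)
        os.remove(motd)
        with open(os.path.join(etc, "unexpected.conf"), "w") as fh:
            fh.write("x\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, path, field in demo():
        print(f"{kind:8s} {path:25s} {field}")
```

The real tools differ from this sketch mainly in where the baseline lives (signed and stored off-host, so that an intruder who can write to the filesystem cannot also rewrite the record) and in how often and how selectively they rescan; the comparison logic itself is what is shown here.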
This archive was generated by hypermail 2.2.0 : 12/19/08 EST