[Nolug] [Fwd: Re: [SAGE] Evaluating OSSEC HIDS]

From: Dustin Puryear <dustin_at_puryear-it.com>
Date: Tue, 17 Jul 2007 10:52:21 -0500
Message-ID: <469CE5B5.1050300@puryear-it.com>

Has anyone tried OSSEC or Samhain? I'd be interested in hearing how it
worked for you.

- Dustin

-------- Original Message --------
Subject: Re: [SAGE] Evaluating OSSEC HIDS
Date: Mon, 16 Jul 2007 15:30:49 -0600
From: Joshua Gimer <jgimer@gmail.com>
To: Jeremiah Johnson <jeremiah.johnson@gmail.com>
CC: Bennett <a42n8k9@dejazzd.com>, sage-members@sage.org
References: <000701c7c798$69cbaa60$8164a8c0@DOJO>
<56B5E72A-BC7D-4364-B316-D613BA8214A2@gmail.com>
<701ea59b0707161305n5fced5e7u1e54a1176d060ffb@mail.gmail.com>

Does Samhain do rootkit detection, log monitoring, and active response?

Josh

On Jul 16, 2007, at 2:05 PM, Jeremiah Johnson wrote:

> Let's not forget Samhain
>
> http://www.la-samhna.de/samhain/
>
> Samhain is a multiplatform, open source solution for centralized file
> integrity checking / host-based intrusion detection on POSIX systems
> (Unix, Linux, Cygwin/Windows). It has been designed to monitor
> multiple hosts with potentially different operating systems from a
> central location, although it can also be used as standalone
> application on a single host.
>
> -miah
>
> On 7/16/07, Joshua Gimer <jgimer@gmail.com> wrote:
>> I use it on all of the UNIX systems. It works great!
>>
>> I have been a fan since the initial release and there is good list
>> support.
>>
>> It does frequent rootkit detection (Hourly), log monitoring (Kernel
>> logs, application logs), integrity checking, active response
>> (iptables, tcpwrappers, pf), and alerting. You can customize who
>> alerts go to based off of system, and based off of level.
>>
>> I use it for a HIDS solution, and use snort for a network based
>> solution. We currently have around 50 UNIX systems running it.
>>
>> Thanks
>> Joshua Gimer
>>
>> On Jul 16, 2007, at 4:59 AM, Bennett wrote:
>>
>> > Has anyone tried OSSEC (http://www.ossec.net/)?
>> >
>> > I'm in the process of trying to standardize our Linux installs and
>> > at the point of HIDS evaluation. I had been going after things like
>> > Tripwire, LogCheck, Snort, etc. when I stumbled on this one. Looks
>> > like it has a little bit of everything wrapped up in it.
>> >
>> > One part that also attracted me was that it has Windows components.
>> > We're a mixed shop and this would allow for the use of a common tool
>> > across the board.
>> >
>> > Is this tool worth taking a deeper look at?
>> >
>> > Thanks,
>> > - Bennett
>> >
>> >
>>
>>

-- 
Puryear IT, LLC
Identity Management, Directory Services, Systems Integration
Baton Rouge, LA * 225-706-8414 * http://www.puryear-it.com
"Best Practices for Managing Linux and UNIX Servers"
  http://www.puryear-it.com/pubs/linux-unix-best-practices
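As an added illustration of the file integrity checking that Samhain and OSSEC's syscheck perform (example code written for this archive, not code from either project or from anyone in the thread): a baseline of SHA-256 digests, sizes and modes is taken, a later scan is compared against it, and each finding carries an assumed numeric alert level so alerts can be routed by level as Joshua describes. The level numbers and the sample files are constructed for the demo.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

# Assumed alert levels loosely modelled on OSSEC's 0-15 severity scale;
# they are not OSSEC's real rule levels, just a routing key for the demo.
LEVEL = {"changed": 7, "removed": 7, "added": 5}

def _digest(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root):
    """Map each regular file under root (relative path) to its hash, size and mode."""
    root = Path(root)
    return {str(p.relative_to(root)): {"sha256": _digest(p), "size": p.stat().st_size,
                                       "mode": stat.S_IMODE(p.stat().st_mode)}
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}

def compare(old, new, min_level=0):
    """Return (level, kind, path, changed_fields) for each difference at or above min_level."""
    findings = [(LEVEL["removed"], "removed", p, "") for p in old.keys() - new.keys()]
    findings += [(LEVEL["added"], "added", p, "") for p in new.keys() - old.keys()]
    for p in old.keys() & new.keys():
        diffs = [k for k in ("sha256", "size", "mode") if old[p][k] != new[p][k]]
        if diffs:
            findings.append((LEVEL["changed"], "changed", p, ",".join(diffs)))
    return sorted((f for f in findings if f[0] >= min_level), key=lambda f: (-f[0], f[2]))

def demo(min_level=0):
    """Constructed sample: two config files, then a same-size edit, a deletion and an addition."""
    root = Path(tempfile.mkdtemp())
    (root / "a.conf").write_text("x=1\n")
    (root / "b.conf").write_text("y=2\n")
    saved = baseline(root)                  # what an agent would ship to the central server
    (root / "a.conf").write_text("x=9\n")   # same size and mode: only the hash catches it
    (root / "b.conf").unlink()
    (root / "c.sh").write_text("#!/bin/sh\n")
    return compare(saved, baseline(root), min_level)

if __name__ == "__main__":
    for level, kind, path, fields in demo():
        print(f"level {level}: {kind} {path} {fields}")
```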
___________________
Nolug mailing list
nolug@nolug.org
Received on 07/17/07

This archive was generated by hypermail 2.2.0 : 12/19/08 EST