13

I intend to set up OSSEC and noticed there seem to be two main flavours: plain OSSEC and Wazuh fork.

From what I've been able to gather (from Wazuh's website and documentation), the main advantages of Wazuh are:

  • its ability to integrate with ELK
  • an improved ruleset
  • restful API

I have no interest in using ELK for this project, but we already have a preexisting Graylog instance that I'd like to hook up with OSSEC, which should be possible in regular OSSEC using the syslog CEF format.

I assume I can use the improved ruleset even if I run regular OSSEC; at least I haven't seen anything that indicates otherwise.

As for the restful API, I'm still very inexperienced and I've only recently heard about REST - I don't even know how I would begin putting it to use - so I'm not sure if I should use the Wazuh fork just for that.

The objective is to run OSSEC agents on the machines in our cloud environment and point them to an OSSEC server on a machine that's already being used for log management and monitoring on the same network.

Are there any other advantages to running Wazuh instead of the regular OSSEC? Is there anything else I should take into consideration?

simoesf
  • It's almost 2019 and we'd like more clarity on the direction of OSSEC separate from Wazuh. I simply refer to it as Wazuh-OSSEC at this point (referring only to Wazuh), but YMMV. atomicorp.com still provides commercial support for classic OSSEC (not sure if or when they recommend Wazuh-OSSEC) – atdre Dec 13 '18 at 18:14
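The Graylog hook-up the question describes, as an added example that is not part of the original post: an ossec.conf fragment for stock OSSEC that forwards alerts to a remote syslog receiver in CEF format. The Graylog host name and port are assumed placeholders, and the receiving side is assumed to have a Graylog CEF input listening on that port.

```xml
<!-- Added example (not from the original post): fragment of /var/ossec/etc/ossec.conf
     on the OSSEC server. Forwards alerts as CEF over UDP syslog so a Graylog CEF input
     can parse them; the same block works with a plain syslog input if format is left out. -->
<ossec_config>
  <syslog_output>
    <!-- Assumed placeholders: host and port of the Graylog CEF input -->
    <server>graylog.example.internal</server>
    <port>5555</port>
    <!-- Forward only alerts at or above this rule level (1 forwards everything) -->
    <level>7</level>
    <!-- Other accepted values: default, json, splunk -->
    <format>cef</format>
  </syslog_output>
</ossec_config>
```

The forwarder daemon is disabled by default: run `/var/ossec/bin/ossec-control enable client-syslog` and restart OSSEC for the block to take effect.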

2 Answers

7

Regarding Wazuh differences with OSSEC, the Wazuh team is working on updating the documentation to explain those better (and on a new release and installers).

Wazuh new version (2.0, currently found under the master branch) highlights are:

  • OpenSCAP integrated as part of the agent, allowing users to run OVAL checks.
  • New WUI on top of Kibana 5, and integrated with the RESTful API to monitor configuration of the manager, rules and status of the agents.
  • Improved log analysis and FIM capabilities.
  • Ruleset with compliance mapping.
  • Agent-manager communications over TCP supported. A modules manager that will allow future integration of other tools (in the roadmap are Osquery and Threat Intelligence sources).

Complete changelog can be found here:

https://github.com/wazuh/wazuh/blob/master/CHANGELOG.md

If you are curious, here are some screenshots of the WUI.

https://github.com/wazuh/wazuh-documentation/tree/2.0/source/images/screenshots

It is also worth mentioning that the Wazuh project, as a fork, is based on the work done by OSSEC developers and contributors, to whom we are thankful. Wazuh plans to continue contributing to the OSSEC GitHub repository with bug fixes, but we also have our own roadmap, so most likely both projects will evolve in different ways.

snaow
    When talking about a product, please make your relationship with the product clear. You are on the development team: https://github.com/orgs/wazuh/people – schroeder Aug 23 '18 at 13:48
3

Although my opinion is probably biased here (I am part of the Wazuh team), here is an update on the differences between OSSEC and Wazuh:

Scalability and reliability
•   Cluster support for managers to scale horizontally.
•   Support for Puppet, Chef, Ansible and Docker deployments.
•   TCP support for agent-manager communications.
•   Anti-flooding feature to prevent large bursts of events from being lost or negatively impacting network performance.
•   AES encryption used for agent-manager communications (instead of Blowfish).
•   Multi-thread support for manager processes, dramatically increasing their performance.

Intrusion detection
•   Improved log analysis engine, with native JSON decoding and ability to name fields dynamically.
•   Increased maximum message size from 6KB to 64KB (being able to analyze much larger log messages).
•   Updated ruleset with new log analysis rules and decoders.
•   Native rules for Suricata, making use of JSON decoder.
•   Integration with Owhl project for unified NIDS management.
•   Support for IP reputation databases (e.g. AlienVault OTX).
•   Native integration with Linux auditing kernel subsystem and Windows audit policies to capture who-data for FIM events.

Integration with cloud providers
•   Module for native integration with Amazon AWS (pulling data from Cloudtrail or Cloudwatch).
•   New rules and decoders for Amazon AWS.
•   Module for native integration with Microsoft Azure.
•   New rules and decoders for Microsoft Azure.

Regulatory compliance
•   Alert mapping with PCI DSS and GPG13 requirements.
•   Compliance dashboards for Elastic Stack, provided by Wazuh Kibana plugin.
•   Compliance dashboards for Splunk, provided by Wazuh app.
•   Use of Owhl project Suricata mapping for compliance.
•   SHA256 hashes used for file integrity monitoring (in addition to MD5 and SHA1).
•   Module for integration with OpenScap, used for configuration assessment.

Elastic Stack integration
•   Provides the ability to index and query data.
•   Data enrichment using GeoIP Logstash module.
•   Kibana plugin used to visualize data (integrated using the Wazuh RESTful API).
•   Web user interface pre-configured extensions, adapting it to your use cases.

Incident response
•   Module for collection of software and hardware inventory data.
•   Ability to query for software and hardware via RESTful API.
•   Module for integration with Osquery, being able to run queries on demand.
•   Implementation of new output options for log collector component.
•   Module for integration with Virustotal, used to detect the presence of malicious files.

Vulnerability detection and configuration assessment
•   Dynamic creation of CVE vulnerability databases, gathering data from OVAL repositories.
•   Cross correlation with applications inventory data to detect vulnerable software.
•   Module for integration with OpenScap allows the user to remotely configure scans.
•   Support for CIS-CAT, the Center for Internet Security scanner integration.

Link to the documentation:

https://documentation.wazuh.com/current/migrating-from-ossec/

This shows that there is definitely a lot of work we have done on top of OSSEC over the last three years that, I believe, justifies using Wazuh instead.