
As far as I know, NIDS is implemented at the network layer and HIDS at the host layer. Is it possible for NIDS (for example, Snort or Suricata) logs to be included in HIDS (for example, OSSEC) logs too? Or are NIDS and HIDS stand-alone systems that cannot be integrated with each other?

The assumption is like below:

  1. I implemented both NIDS and HIDS on my server.
  2. Snort as the NIDS and OSSEC as the HIDS.
  3. After that, let's say there is an anomaly that can be found at the network layer (i.e. DDoS).
  4. That looks like a job for the NIDS (Snort).
  5. It should trigger the Snort rules.
  6. Snort analyzes the anomaly, collects the information, and does some action that we assign in the Snort rules.
  7. Snort does some action for the anomaly that has been found.
  8. After that, the information that Snort collected will be sent to OSSEC.
  9. If the attacker (the anomaly) can pass the Snort rules, there is a backup that handles the anomaly, and that is OSSEC.

Is this possible? Or is this not a good idea?

My motive for doing this is that I want to have several layers of security, located at the network and host level, so it makes my data center/server safer than using one type of IDS.

gagantous
  • Do you only want to send logs to the central log server from HIDS, or do you want to take some actions upon HIDS logs? – JackSparrow Oct 30 '17 at 08:34
  • @JackSparrow If possible, I want to take some actions upon HIDS logs. – gagantous Oct 30 '17 at 10:49
  • @JackSparrow For example, there is an alert that can be handled by using Snort. Is it possible for the alert that Snort has to also be handled by using OSSEC? – gagantous Nov 01 '17 at 05:01
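The pipeline the question sketches (Snort raises network alerts, the host-side system consumes them and decides on a response) can be illustrated without either product. The example below is added here and is not Snort's or OSSEC's code: it parses Snort's real `alert_fast` line layout, but the alert lines, the source addresses (RFC 5737 documentation ranges), the signature IDs, the thresholds and the `block-source` response label are all constructed for the demo. The correlation step is modelled loosely on OSSEC-style frequency rules (N alerts from one source within T seconds), which is what a host-side consumer would typically add on top of the per-packet verdicts Snort already made.

```python
"""Consume Snort fast-format alerts and apply a host-side frequency rule.

Added example, not Snort's or OSSEC's own code. The SAMPLE_ALERTS below are
constructed; the frequency/timeframe defaults and the 'block-source' action
name are hypothetical stand-ins for a real active-response configuration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Regex for Snort's alert_fast output line (real layout; sample values are constructed).
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alert log (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_ALERTS = [
    "10/30-08:34:12.000100  [**] [1:1000001:1] DEMO SYN flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.0.2.10:44321 -> 198.51.100.5:80",
    "10/30-08:34:15.000200  [**] [1:1000001:1] DEMO SYN flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.0.2.10:44322 -> 198.51.100.5:80",
    "10/30-08:34:18.000300  [**] [1:1000001:1] DEMO SYN flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.0.2.10:44323 -> 198.51.100.5:80",
    "10/30-08:34:20.000400  [**] [1:1000002:1] DEMO port sweep [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 192.0.2.77:51000 -> 198.51.100.5:22",
    "this line is not a snort alert and must be skipped",
    "10/30-08:34:25.000500  [**] [1:1000001:1] DEMO SYN flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.0.2.10:44324 -> 198.51.100.5:80",
    "10/30-08:36:30.000600  [**] [1:1000001:1] DEMO SYN flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.0.2.10:44325 -> 198.51.100.5:80",
]


def parse_fast_alert(line):
    """Return a dict of fields for one alert_fast line, or None if it does not match."""
    m = FAST_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    # alert_fast timestamps carry no year; relative arithmetic within one log is still fine.
    fields["ts"] = datetime.strptime(fields["ts"], "%m/%d-%H:%M:%S.%f")
    fields["prio"] = int(fields["prio"])
    return fields


def correlate(lines, frequency=3, timeframe=60):
    """Host-side frequency rule: fire once a source produces `frequency` alerts
    within `timeframe` seconds. Returns the list of composite alerts raised."""
    recent = defaultdict(list)   # src -> timestamps still inside the window
    composites = []
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None:
            continue                   # malformed or non-Snort line: ignore, don't crash
        window = recent[alert["src"]]
        window.append(alert["ts"])
        # keep only timestamps inside the sliding window ending at this alert
        window[:] = [t for t in window if (alert["ts"] - t).total_seconds() <= timeframe]
        if len(window) >= frequency:
            composites.append({
                "src": alert["src"],
                "count": len(window),
                "first_sid": alert["sid"],
                "level": 10 if alert["prio"] <= 2 else 7,   # hypothetical severity mapping
                "action": "block-source",                   # hypothetical response label
            })
            window.clear()             # fire once per burst, not on every further alert
    return composites


if __name__ == "__main__":
    for c in correlate(SAMPLE_ALERTS):
        print(f"{c['src']}: {c['count']} alerts in window -> level {c['level']}, action {c['action']}")
```

On the sample input the three SYN-flood alerts from 192.0.2.10 between 08:34:12 and 08:34:18 trip the rule once; the single port-sweep alert from 192.0.2.77, the malformed line and the later isolated alert at 08:36:30 (outside the 60-second window) do not. In a real deployment the parsing step is what the HIDS log reader does for you and the response would be one of its configured active responses, but the decision logic is the same shape.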

2 Answers

There is a solution from https://www.alienvault.com/. They offer a product that incorporates HIDS and NIDS in a box. They actually use Suricata and Ossec.

Sonic
  • Do we need to purchase it to get those features? – gagantous Oct 30 '17 at 10:55
  • Are there open source apps that have features like AlienVault? – gagantous Oct 30 '17 at 10:57
  • They have an open source product, "OSSIM: The Open Source SIEM". Just check the website. – Sonic Nov 01 '17 at 04:25
  • Quick read of the website; so AlienVault is an OS?? – gagantous Nov 01 '17 at 05:05
  • No, it is not an OS. It is software, based on Debian Linux. You just download the image and install it on bare metal. Actually, it would install Debian Linux with the OSSIM software. You would be able to access it via the web interface or by SSH, as well. You will have full root rights via SSH. – Sonic Nov 13 '17 at 08:37

Maybe it's too late to come up with an answer here. But I think I should write this to present my approach, which might be helpful to beginners trying to find the catch.

Snort can be configured only as a Network IDS and not a Host IDS, considering the fact that it's only capable of watching the network traffic and not what happens inside of the host. You will never find any rule in Snort which involves files or directories inside of a host; hence it only talks about the network and not the host.

OSSEC, on the other hand, is very different from Snort, as it has its focus only on activities surrounding the host.

010 M