Questions tagged [ossec]

OSSEC is a free, open-source host-based intrusion detection system (HIDS).

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. It combines all the aspects of HIDS (host-based intrusion detection), log monitoring and SIM/SIEM in a single system.

OSSEC provides intrusion detection for most operating systems, including Linux, OpenBSD, FreeBSD, OS X, Solaris and Windows. It has a centralized, cross-platform architecture allowing multiple systems to be easily monitored and managed.

13 questions
3 votes, 2 answers

OSSEC capabilities for handling a virus that has already spread into the deepest parts of the system

As far as I know, OSSEC is an Open Source HIDS. It's a "Detection System". I read in journals that it collects logs, flags any anomaly that has been found in a system (e.g. a Debian server) and takes some action on it. Among OSSEC's rules, there's…
gagantous
1 vote, 0 answers

Help in understanding HIDS OSSEC traces

I realized my system (Ubuntu and Windows dual boot) might have been compromised. So, I installed OSSEC HIDS to try to look for issues. When I ran dmesg, I found the following trace: ------------[ cut here ]------------ [ 31.461050] Could not…
dawn
1 vote, 0 answers

How do I create exceptions on Wazuh (OSSEC)?

I currently have a setup with OSSEC and AIDE running on our servers. We are currently receiving a daily alert for each agent when AIDE runs and changes audit.log. I want to make an exception for that, but I still want to be alarmed when other…
1 vote, 2 answers

Windows process documentation for tuning Sysmon

I recently installed Sysmon, which logs events to OSSEC and currently monitors several endpoints. I have been trying to whitelist benign processes such as Windows services. Many of these processes run with command-line arguments, e.g. svchost.exe -k…
synthesis
1 vote, 1 answer

AIDE and OSSEC conflicts?

Being fairly new to both AIDE and OSSEC I've been trying to find out if there are any potential conflicts in having them both installed on one host (CentOS 7.5). It seems like they could work as a multi-layered approach, but I haven't been able to…
jfran3
1 vote, 1 answer

Why won't ossec block SSH connections when it seems to be configured correctly?

Why won't ossec block connections from another server? I installed ossec version 2.9.3 on Ubuntu 16.04. In the ossec.conf file I have these lines where x.x.x.x is the IP address of a second Linux server: firewall-drop
Jermoe
1 vote, 0 answers

Identifying privilege escalation in OSSEC logs

I am working on an intrusion detection system which can prioritize and attribute the logs generated by OSSEC. So, how can I understand a privilege escalation case (or just the privileges a user has at that time) by looking at these logs?
qwerty
1 vote, 1 answer

OSSEC - Can I centralize what files to check with centralized agent config?

I am starting with OSSEC for file integrity checking on a bunch of Windows and CentOS servers. I would like to keep a centralized configuration of what to check for all my agents, based on their OS. Researching centralized agent configuration…
JuliaVI
0 votes, 0 answers

How to analyze/monitor OSSEC logs on Ubuntu

I'm using OSSEC server to monitor machines with OSSEC agents, which monitor this login via SSH, file creation, etc. I have configured OSSEC to send an email when it detects a problem, but this control mode is very bad for data control and…
Tom
0 votes, 1 answer

Monitor logs managed by Wazuh and OSSEC

Today I use OSSEC as a HIDS, but reading Wazuh's site it seems to be more modern and to have more resources. I saw that it has an Elastic Stack integration, something I'm not interested in because it uses Java and a lot of server resources. Does…
Tom
0 votes, 0 answers

Which tests can I perform with OSSEC?

I would like to perform a few basic tests on a few of OSSEC's capabilities and be able to document them. I have no experience with HIDS and I am not really sure where I could start or which tests with OSSEC I can perform and document. My question…
0 votes, 1 answer

OSSEC Rules Group Explanation

I am new to OSSEC and to cyber security in general and would like to understand it a bit better. OSSEC provides so-called "Rules Groups" that alerts get assigned to, and I would like to understand those groups a bit…
0xDr0id
0 votes, 1 answer

How different are Lynis and Wazuh solutions?

It seems both Cisofy's Lynis and Wazuh's OSSEC share a lot of functionality. I'm a complete newbie with both tools, and yet I need to pick one (or both) to help achieve PCI DSS compliance. Any thoughts?
Igor Gatis