
I'm looking for an informed opinion on the advantages of OSSEC in comparison to Snort/Tripwire/Nessus.

Therefore, can anyone shed any light on what features OSSEC brings that can't be replicated via Tripwire (or iwatch) and Snort, perhaps with Nessus used also? Particularly in regards to PCI compliance sections 10 and 11.

Moreover, would the Snort etc. hybrid setup bring any features which are not present in OSSEC?

Sirex

3 Answers


This isn't a fair comparison as not all these products are doing the same thing.

Snort is a Network Intrusion Detection System.

OSSEC is a host-based network intrusion system, as are Tripwire and iwatch, since they monitor file/filesystem/system integrity for changes and anomalies.

Nessus is Tenable's vulnerability scanner, which scans over the network, authenticating where it can (and has been provided credentials), looking for known vulnerabilities and potential misconfigurations against a large "feed".

gravyface
  • OK, I guess really you are correct in it not being a like-for-like comparison. I've used Snort and Tripwire in the past, but I'm unaware of the advantages, if any, of OSSEC by comparison, as I've not used it. From what I can tell it should be possible to replicate all of OSSEC's functionality in relation to PCI compliance with either Tripwire or iwatch, and if so this would be my preferred option (and then layer Nessus and Snort on top). I just wonder if OSSEC has something which the others lack. – Sirex Jul 30 '10 at 15:38
  • Nessus is great for seeing how well Snort is working, but as with all intrusion detection systems (host- or network-based), you need to have a really quiet network and a rock-solid change management policy in _practice_ (not just written down in a binder somewhere) or you'll spend your time chasing down false positives and eventually tune it out (or turn it off) if it's "crying wolf" too often. – gravyface Jul 30 '10 at 15:48

I agree with the others who have posted: they have different goals in mind. Since your primary question seems to be about OSSEC, I assume you are mostly looking for a centralized manager of sorts. OSSIM and Prelude are other options in that area, although I think OSSIM is a little nicer.

Snorby is worth looking at in regards to Snort management and reporting.


I found this page to be a good (although slightly biased) read as far as file system IDSs are concerned.

A comparison of several host/file integrity monitoring programs

sinping

As far as I can tell, Tripwire watches filesystem changes, which OSSEC does as well. But OSSEC watches logs as well and has a long list of rules to identify and notify of abnormal activity. These rules are easy to define, so you can have your own local rules as well.

OSSEC has a central manager where you can control configuration and activity of agents.

OSSEC has rules for Snort, so you can chain them together and use OSSEC to filter through Snort alerts.

Regarding PCI monitoring, OSSEC can help analyze logs in an automated way.

chmeee
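As an added example (not from the thread above, and not OSSEC's shipped configuration), here is what the three points in the last answer look like in practice on an OSSEC manager: syscheck for file integrity monitoring, a local rule that escalates a built-in sshd rule, and a localfile entry that feeds Snort's alert file into the same rule engine. The directory list, the log paths and the local rule id 100100 are assumptions chosen for illustration; rule 5716 is OSSEC's built-in "SSHD authentication failed" rule, and `snort-full` is one of OSSEC's built-in log formats.

```xml
<!-- Example fragments, not OSSEC's default files. Two files are shown in
     one listing: the <ossec_config> part belongs in ossec.conf, the <group>
     part in rules/local_rules.xml. -->

<!-- ossec.conf -->
<ossec_config>
  <!-- File integrity monitoring (the PCI DSS 11.5 part): full scan every
       two hours, plus realtime notification on the web root. The directory
       list is an assumption; adjust it to the host's role. -->
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>
    <directories check_all="yes" realtime="yes" report_changes="yes">/var/www</directories>
    <!-- Files that change legitimately all the time; hosts.deny is
         rewritten by OSSEC's own active response. -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
  </syscheck>

  <!-- Log collection (the PCI DSS 10 part). Paths are assumptions. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <!-- Snort's full-format alert file goes through the same decoder and
       rule chain, so Snort alerts can be correlated and filtered here. -->
  <localfile>
    <log_format>snort-full</log_format>
    <location>/var/log/snort/alert</location>
  </localfile>
</ossec_config>

<!-- rules/local_rules.xml -->
<group name="local,syslog,">
  <!-- Escalate when one source IP triggers built-in rule 5716
       (SSHD authentication failed) eight times within 120 seconds.
       Ids 100000 and above are reserved for local rules; 100100 is an
       arbitrary choice for this example. -->
  <rule id="100100" level="10" frequency="8" timeframe="120">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>sshd: repeated authentication failures from one host</description>
    <group>authentication_failures,</group>
  </rule>
</group>
```

A frequency rule must reference the base rule with `if_matched_sid` rather than `if_sid`, otherwise it fires on the first match instead of counting. Level 10 or higher is also the range most people hook active response to, so check any `<active-response>` blocks before adding rules at that level.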