
As far as I know, OSSEC is an open-source HIDS. It's a "Detection System". I read in journals that it collects logs, flags any anomaly that has been found in a system (e.g. a Debian server) and takes some action on it.

In some of OSSEC's rules there is a possible way to prevent the anomaly from doing its action, like preventing brute force by blocking an IP for 600 seconds if authentication failed 2 times.

My question: how can OSSEC handle a virus that is already spreading? OSSEC just detects the anomaly and takes some action. What could OSSEC do if this condition happened? Is there any logic I can put into OSSEC rules that disconnects the whole network, or is there another way? Is it possible?

Gagantous

1 Answer


OSSEC has an option called "active response". The active response will depend on the attack and how you want to prevent it (for example, an IP ban).

You need to read up on malware and rootkit detection. Also look at OSSEC's rootkit module. Basically there are various ways a system can be attacked or infected, but OSSEC is flexible enough to configure different ways of detecting issues. You can also look at rkhunter and tripwire.

Tux_DEV_NULL
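To make the "active response" in the answer above concrete, here is an added example of a custom active-response script, written for this page and not taken from OSSEC's own scripts or from the question. OSSEC calls an active-response script with the action ("add" when the rule fires, "delete" when the configured timeout expires), the user, the source IP, the alert ID and the rule ID as positional arguments; the script below appends or removes a `hosts.deny` entry for that IP, which is the same mechanism OSSEC's stock `host-deny.sh` relies on. The command name `deny-ip`, the rule ID and the `DENY_FILE` variable are assumptions for illustration; the `ossec.conf` fragment in the comments shows how such a script is wired to a rule with a 600-second timeout.

```shell
#!/bin/sh
# Added example of an OSSEC active-response script (not OSSEC's own host-deny.sh).
# OSSEC runs it as:  deny-ip.sh <add|delete> <user> <ip> <alert-id> <rule-id>
#
# Assumed ossec.conf wiring (names are illustrative):
#   <command>
#     <name>deny-ip</name>
#     <executable>deny-ip.sh</executable>
#     <expect>srcip</expect>
#   </command>
#   <active-response>
#     <command>deny-ip</command>
#     <location>local</location>
#     <rules_id>5712</rules_id>     <!-- assumed: sshd brute-force rule -->
#     <timeout>600</timeout>        <!-- OSSEC calls "delete" after 600 s -->
#   </active-response>

# Only accept a plain dotted-quad. An active-response script runs as root on
# every matching alert, so the IP taken from the log must never reach the
# deny file unvalidated (an empty IP would produce "ALL: ", blocking everyone).
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# deny_ip <action> <user> <ip> [alert-id] [rule-id]
# Target file comes from DENY_FILE (default /etc/hosts.deny) so tests can
# point it at a scratch file instead of the real one.
deny_ip() {
  action=$1
  ip=$3
  file=${DENY_FILE:-/etc/hosts.deny}

  valid_ipv4 "$ip" || { echo "deny_ip: refusing invalid ip '$ip'" >&2; return 1; }

  case "$action" in
    add)
      # Idempotent: the same alert can fire repeatedly inside the timeout window.
      grep -qx "ALL: $ip" "$file" 2>/dev/null || echo "ALL: $ip" >> "$file"
      ;;
    delete)
      # Remove only the line we added; leave any other entries untouched.
      if [ -f "$file" ]; then
        grep -vx "ALL: $ip" "$file" > "$file.tmp" || true  # grep exits 1 if nothing remains
        mv "$file.tmp" "$file"
      fi
      ;;
    *)
      echo "deny_ip: unknown action '$action'" >&2
      return 1
      ;;
  esac
}

# When OSSEC invokes the script it passes at least three arguments; when the
# file is sourced for testing, only the functions are defined.
if [ "$#" -ge 3 ]; then
  deny_ip "$@"
fi
```

The 600-second timeout in the question is not enforced by the script itself: OSSEC records the "add" call and invokes the same script with "delete" when `<timeout>` expires, so the script must handle both actions and must be safe to run twice for the same IP.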