J**S
Left me wanting more
The content is great. I would suggest anyone that is going to install or use OSSEC to start here. Like my title suggests, though, this is just a starting point. There is a lot more to learn that this book will not give you; just keep in mind this is a starting point. A really good starting point.
N**M
Good read!
perfect summary of OSSEC
F**X
Great starting point to get you going
This book is a great way to take your first steps into the world of Host-Based Intrusion Detection (HIDS) and OSSEC. It makes no assumptions about your knowledge: it takes you through the terminology, the reasoning behind the solution and the requirements to deploy it effectively. It also contains useful links to further your reading specific to your solution or operating system. As I had little knowledge of OSSEC or HIDS, it was exactly what I needed.

The book systematically takes the reader through the core offerings of OSSEC. Topics covered include rule writing, alerting, file integrity monitoring, monitoring using operating system commands, rootkit detection and active response features. It begins by describing in detail the OSSEC installation and follows with configuration examples for each aspect of a deployment: understanding and crafting your own rules; setting and tweaking alert levels; common deployment scenarios; automating the analysis of operating system commands; and bringing it all together.

The book contained some useful information and links for readers to pursue their own agenda, including references. There were some areas where some additional background information may have proved helpful. One example was around where or why a user may wish to integrate OSSEC with an enterprise SIEM solution. Additionally, the Monitoring Command Output chapter made no mention of Microsoft OS commands; however, a quick search confirmed that this does indeed seem to be supported.

The text identifies the potential pitfalls you may encounter and the common mistakes, including those related to security, which people make when deploying HIDS, as well as leading the reader step by step through running and improving your deployment. Based on the content of the book, whilst there are a few minor areas which could improve what it offers to the OSSEC novice, it has certainly proved a valuable resource for a HIDS beginner.
M**T
Instant OSSEC Host-based Intrusion Detection
I have a love/hate relationship with the OSSEC project.

First, let's get this out of the way: what is OSSEC?

"OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response." --ossec.net

My first exposure to the OSSEC project was with the AlienVault SIEM. Integration with the IDS was seamless and setup was a breeze. So, I was able to get something up and running with pretty much zero effort on my part.

Instant OSSEC Host-based Intrusion Detection System is another book from Packt's Instant series of books. It's a great book for just getting up and going with the tool without having to deal with the aspects of books that tech writers think we really care about (like the history of the C language, etc.). Tech people want to start working with code and configurations. This book does just that.

This book tells you how to get up and going with setting up the OSSEC agent and server on Windows and Linux. Which brings me to the "hate" part of my relationship with OSSEC. Building it for OSX is quite aggravating. It would've been nice had the author covered getting it running on OSX, but that could've been another Instant book all on its own. If you want to see what all is needed, check out xyna[dot]net's guide to get started.

Overall, if you're looking to get up and going quickly with an OSSEC deployment, you can't go wrong with this book. From installation to configuration, to writing your own rules and implementing active response, this book has what you need in 50 pages or less.
J**G
For hands-on persons who are comfortable pushing the envelope using XML, regular expressions, and shell scripts
It tells you how to install OSSEC for both manager and agents, and how to generate agent keys so agents can talk to the manager securely. It uses examples to explain how OSSEC rules work, and illustrates step by step how you can write your own custom decoders/rules and test them to verify that they work as expected. It goes further to describe how you can fine-tune alert levels so you are not flooded with too many alerts, as well as how you can channel OSSEC output to third-party log management systems in several de facto standard formats.

Another key feature of OSSEC, syscheck, is useful for performing integrity monitoring of files, directories, and Windows registry entries. Syscheck can also be extended to monitor the output of arbitrary commands by treating the output as log entries. A case in point is the implementation of OSSEC rootcheck, which utilizes the syscheck framework for rootkit detection. OSSEC ships with a default set of rootcheck rules; user extension is possible so you can be alerted to the newest threats.

Finally, OSSEC active response is one step toward a Host-based Intrusion Prevention System, using alerts to trigger defensive actions such as automatically blocking traffic from offending IP addresses. This book concludes by giving a scripting example of verifying alerts with active response. It pulls everything together and unleashes the full potential of OSSEC. With the scripting capability of the OSSEC active response feature, the possibilities are endless.