Q&A: OSSEC, the open source host-based intrusion detection system
by Mirko Zorz - Friday, 22 August 2009.
Daniel B. Cid is the founder of the open source OSSEC HIDS and a principal researcher at Trend Micro. He has a special interest in intrusion detection, log analysis and secure development. In this interview he discusses the open source host-based intrusion detection system in detail.

Give our readers some background on the OSSEC project. How did it all start and evolve?

OSSEC is an open source HIDS that merges log analysis, file integrity monitoring, rootkit detection and active responses. It started as a side-project to help me solve some problems that I had on a previous job (6-7 years ago). They had the need to do integrity checking on multiple systems (Linux, Solaris, AIX, etc.) and Tripwire just didn't scale for us. We were forced to make it scale, and started using it because it was the only solution available at the time, but it was a pain to manage individually on 100+ servers.

To minimize my problems, I decided to spend some nights developing a solution that would act like a centralized Tripwire, with all the files, checksums and alerts on one system only. It was meant to be more secure and easy to manage and that's how the Syscheck project was born.

Next, what I needed was something like chkrootkit, but centralized and easy to add/remove stuff. A shell script with more than 1,000 lines didn't do it for me. That's how my second project, Rootcheck, was born - it did all that chkrootkit did, but in a centralized and more elegant manner, with all the checks specified in configuration files centrally (later it evolved to system auditing and more advanced tests).

Being an open source fan, I released both as open source and created the OSSEC project to host them. My idea was to use OSSEC as my repository of open source security projects. A little while after, I released a centralized log analysis tool, osaudit, with a rule engine to analyze, decode and correlate logs.

Having these three projects separated and constantly installing the three on all my systems, I thought, why not merge them all together in a full HIDS package? That's how the OSSEC HIDS started and we first released it as a full HIDS in 2005. Later we added active responses, Windows support, agentless options to monitor routers and switches and quite a few more.

Last year Third Brigade acquired the project and that helped even more with our development. Since then I can work on OSSEC during the day and have the luxury of sleep during the nights (when before it was the only time available to develop it).

When looking at OSSEC, what features would you emphasize as the most important? What do your users appreciate the most?

Many projects (especially commercial ones) add features based on market requirements or just based on the latest trend. Coming from a system admin background, I like to add features that make the job of admins and security analysts easier. That's the end goal of OSSEC.

I think what most users appreciate is the fact that we actually try to make their life easier and we listen to them. The installation is simple. I spent months trying to make a cross-platform installation script that would work everywhere (Linux, Solaris, AIX, HP-UX, Mac, etc.). And one of the most common compliments I hear is that the installation is a breeze and secure by default. We create privilege separation users, set up a chroot jail, fix the permissions, all automatically (same with upgrades).

We also try to make our community very open and friendly. You can chat with active users on IRC almost any time of the day, and we do help out a lot.
