I think OSSEC should be a good logging daemon. How do you generate alerts if 
you can't guarantee you get the logs, if the alerts are based on central 
processing of the logs? This seems like a huge gaping hole in IDS to me - if I 
were attacking an OSSEC endpoint, the first thing I'd do once I realized it was 
running OSSEC would be to see if I can block its network access to the OSSEC 
server without killing my access. Now the org running OSSEC is effectively 
blinded to my work unless there's something else running.

--
James Pulver
CLASSE Computer Group
Cornell University
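The concern raised above is that an agent cut off from the server leaves the defenders blind. The usual counter is to treat silence itself as a signal: the server records the last check-in time of every registered agent and raises an alert when that gap exceeds the expected keepalive interval, or when a registered agent has never checked in at all. The following is an added example written for this thread; it is not OSSEC code, and the check-in record format, the agent roster, the timestamps and the 12-minute threshold are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample of server-side check-in records: "date time agent_id hostname".
# Agent 003 stops reporting after 08:40:10; agent 004 is registered but never appears.
SAMPLE_CHECKINS = """\
2014-06-18 08:40:00 001 web01
2014-06-18 08:40:05 002 db01
2014-06-18 08:40:10 003 build01
2014-06-18 08:50:00 001 web01
2014-06-18 08:50:05 002 db01
2014-06-18 09:00:00 001 web01
2014-06-18 09:00:05 002 db01
"""

# Constructed roster of agents the server expects to hear from.
EXPECTED_AGENTS = {"001": "web01", "002": "db01", "003": "build01", "004": "vpn01"}

# Constructed evaluation time and tolerated gap (assumed 10-minute keepalive plus slack).
NOW = datetime(2014, 6, 18, 9, 5, 0)
MAX_GAP = timedelta(minutes=12)


def parse_checkins(text):
    """Return {agent_id: (hostname, last_seen)} keeping the newest timestamp per agent."""
    last_seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, agent_id, host = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        prev = last_seen.get(agent_id)
        if prev is None or ts > prev[1]:
            last_seen[agent_id] = (host, ts)
    return last_seen


def silent_agents(last_seen, expected_agents, now, max_gap):
    """List (agent_id, hostname, gap) for agents that are overdue.

    gap is a timedelta for an agent that went quiet, or None for a registered
    agent that has never checked in, so both failure modes surface.
    """
    findings = []
    for agent_id, host in sorted(expected_agents.items()):
        record = last_seen.get(agent_id)
        if record is None:
            findings.append((agent_id, host, None))
        elif now - record[1] > max_gap:
            findings.append((agent_id, host, now - record[1]))
    return findings


def run_check():
    """Run the silence check over the constructed sample and return the findings."""
    return silent_agents(parse_checkins(SAMPLE_CHECKINS), EXPECTED_AGENTS, NOW, MAX_GAP)


if __name__ == "__main__":
    for agent_id, host, gap in run_check():
        if gap is None:
            print(f"ALERT agent {agent_id} ({host}) registered but never checked in")
        else:
            print(f"ALERT agent {agent_id} ({host}) silent for {gap}")
```

The threshold has to be set above the agent's real keepalive period, otherwise ordinary jitter produces noise; and the check only helps if it runs somewhere the attacker cannot silence from the endpoint, which is why it belongs on the server side rather than on the agent.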


-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
Behalf Of Jeremy Rossi
Sent: Wednesday, June 18, 2014 8:49 AM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] logall


> 
> * James M. Pulver <jmp...@cornell.edu> [2014-06-18 12:03:15 +0000]:
> 
>> Maybe I'm crazy, but I think OSSEC is like a log daemon +…
>> It's cross platform, it includes encryption, it has built in filtering and 
>> can do active response. Why would it make sense to duplicate log shipping if 
>> you need it to do the security stuff? I.e. OSSEC ought to be a good log 
>> aggregator to serve its primary security goal IMO.

I don't know :) part of why I am asking. 

All the features you list don't in my mind make it a logging daemon.  Active 
response, encryption, cross platform etc. make it a good HIDS.   

But the feature of reading the log files fast and efficiently and moving them 
to a central server is very much log daemon-ish.  But this feature is used to 
centrally process, not to do anything more (outside of logall).  We don't keep the 
encrypted bytes for confirming the message has not been modified or for 
verification of the host it came from.  We don't store any metadata about where 
the log file was gathered from.  Basically it is missing a huge pile of 
features to make it a *good* logging daemon.  

Do we want to make this a *good* logging daemon tool and spend that time and 
effort to build and support this feature set and direction? 

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
