OSSEC is a simple-to-install host-based intrusion detection system. The difficulty lies in tuning the installation so that the resulting alerts are pertinent to the environment. Agents can be installed on a variety of systems: web servers, mail servers, VMware servers, WAFs. Each of these server types produces logs with very different syntax, and each log type requires its own decoders and rules before OSSEC can alert on it appropriately, unless suitable ones are already shipped by default or available from the community. Resulting alerts must be ranked by level of criticality, based not only on a single log event but possibly on the presence of other events occurring within small windows of time; in OSSEC this is expressed as a rule level, and for correlated events as a frequency threshold within a timeframe. All of this must result in notification being sent to the appropriate party at the appropriate level so that they can respond to the incident. This paper will briefly discuss installing OSSEC agents on both Windows and Linux systems. It will then explore how to configure rulesets and decoders for various commonly found enterprise servers. Finally, it will describe the process of tuning rulesets so that the resulting alerts are both valuable and pertinent.
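As an added illustration of the decoder-and-rule pairing, the time-window correlation and the tuning step that the abstract describes (this is example configuration written for this page, not material from the paper), the fragments below handle a constructed WAF log line, `Mar  3 10:14:22 waf01 mywaf: BLOCK src=198.51.100.7 rule=sqli uri=/login`. The log format, the program name `mywaf`, the decoder names, rule IDs 100100-100102, the scanner address 10.0.5.20 and the alert-level thresholds are all assumptions made for the example; the element names and attributes are standard OSSEC syntax.

```xml
<!-- /var/ossec/etc/local_decoder.xml
     Constructed decoder for a hypothetical WAF whose syslog lines look like:
     Mar  3 10:14:22 waf01 mywaf: BLOCK src=198.51.100.7 rule=sqli uri=/login
     The built-in syslog pre-decoder already strips the timestamp and hostname and
     sets program_name to "mywaf"; the parent decoder matches on that. -->
<decoder name="mywaf">
  <program_name>^mywaf</program_name>
</decoder>

<!-- Child decoder: only fires for BLOCK events, then pulls out the fields.
     OSSEC uses its own regex flavour (\S+, \d+ ...), not PCRE.
     <order> maps the captures to OSSEC's named fields so rules can test them. -->
<decoder name="mywaf-block">
  <parent>mywaf</parent>
  <prematch>^BLOCK </prematch>
  <regex offset="after_prematch">^src=(\S+) rule=(\S+) uri=(\S+)</regex>
  <order>srcip, extra_data, url</order>
</decoder>

<!-- /var/ossec/etc/rules/local_rules.xml
     Rule IDs 100000-119999 are reserved for local rules and are not overwritten
     on upgrade. -->
<group name="mywaf,">

  <!-- Base rule: a single blocked request is low-level (5). It is logged but,
       with the alert thresholds below, never emailed. -->
  <rule id="100100" level="5">
    <decoded_as>mywaf</decoded_as>
    <match>BLOCK </match>
    <description>WAF blocked a request</description>
  </rule>

  <!-- Composite rule: base-rule hits from the same source IP are counted over a
       120-second window; once the frequency threshold is reached the event is
       escalated to level 10, which crosses email_alert_level below. -->
  <rule id="100101" level="10" frequency="10" timeframe="120">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>Repeated WAF blocks from the same source IP (possible scan)</description>
  </rule>

  <!-- Tuning: the authorised internal scanner (assumed address) trips the base
       rule constantly. A child rule at level 0 silences it without touching the
       parent, so everything else still alerts. -->
  <rule id="100102" level="0">
    <if_sid>100100</if_sid>
    <srcip>10.0.5.20</srcip>
    <description>Ignore WAF blocks from the authorised scanner</description>
  </rule>

</group>

<!-- /var/ossec/etc/ossec.conf fragment
     Alert routing: everything at level 3+ goes to the alerts log, only level 10+
     triggers email to the responders configured under <global>. -->
<ossec_config>
  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>10</email_alert_level>
  </alerts>
</ossec_config>
```

Before restarting the manager, paste the sample line into `/var/ossec/bin/ossec-logtest`: its output shows which decoder matched, the extracted `srcip`, `extra_data` and `url` fields, and the rule and level that fired, which is the quickest way to confirm that a new decoder actually parses the log and that a tuning rule such as 100102 suppresses what it is meant to suppress. Feeding the same line repeatedly in one session also exercises the frequency/timeframe escalation of rule 100101.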