OSSEC Host-Based Intrusion Detection Guide (Paperback)

~ (Author), (Author), Rory Bray (Author)
Key Phrases: web user interface, integrity checking, decoder example, Getting Started, Microsoft Windows, Application Found (more...)

Editorial Reviews

Book Description

OSSEC (Open Source Security) is the most commonly used intrusion detection software used to detect unauthorized activity on a particular computer. This is the only book specifically devoted to this product and it is co-authored by Daniel Cid who is the founder and lead developer of OSSEC.

Product Description

This book is the definitive guide on the OSSEC Host-based Intrusion Detection system and frankly, to really use OSSEC you are going to need a definitive guide. Documentation has been available since the start of the OSSEC project but, due to time constraints, no formal book has been created to outline the various features and functions of the OSSEC product. This has left very important and powerful features of the product undocumented...until now! The book you are holding will show you how to install and configure OSSEC on the operating system of your choice and provide detailed examples to help prevent and mitigate attacks on your systems.
-- Stephen Northcutt
OSSEC determines if a host has been compromised in this manner by taking the equivalent of a picture of the host machine in its original, unaltered state. This ?picture? captures the most relevant information about that machine?s configuration. OSSEC saves this ?picture? and then constantly compares it to the current state of that machine to identify anything that may have changed from the original configuration. Now, many of these changes are necessary, harmless, and authorized, such as a system administrator installing a new software upgrade, patch, or application. But, then there are the not-so-harmless changes, like the installation of a rootkit, trojan horse, or virus. Differentiating between the harmless and the not-so-harmless changes determines whether the system administrator or security professional is managing a secure, efficient network or a compromised network which might be funneling credit card numbers out to phishing gangs or storing massive amounts of pornography creating significant liability for that organization.
Separating the wheat from the chaff is by no means an easy task. Hence the need for this book. The book is co-authored by Daniel Cid, who is the founder and lead developer of the freely available OSSEC host-based IDS. As such, readers can be certain they are reading the most accurate, timely, and insightful information on OSSEC.

* Nominee for Best Book Bejtlich read in 2008!
* http://taosecurity.blogspot.com/2008/12/best-book-bejtlich-read-in-2008.html


. Get Started with OSSEC
Get an overview of the features of OSSEC including commonly used terminology, pre-install preparation, and deployment considerations.
. Follow Steb-by-Step Installation Instructions
Walk through the installation process for the "local", "agent", and "server" install types on some of the most popular operating systems available.
. Master Configuration
Learn the basic configuration options for your install type and learn how to monitor log files, receive remote messages, configure email notification, and configure alert levels.
. Work With Rules
Extract key information from logs using decoders and how you can leverage rules to alert you of strange occurrences on your network.
. Understand System Integrity Check and Rootkit Detection
Monitor binary executable files, system configuration files, and the Microsoft Windows registry.
. Configure Active Response
Configure the active response actions you want and bind the actions to specific rules and sequence of events.
. Use the OSSEC Web User Interface
Install, configure, and use the community-developed, open source web interface available for OSSEC.
. Play in the OSSEC VMware Environment Sandbox
Use the OSSEC HIDS VMware Guest image on the companion DVD to implement what you have learned in a sandbox-style environment.
. Dig Deep into Data Log Mining
Take the "high art" of log analysis to the next level by breaking the dependence on the lists of strings or patterns to look for in the logs.

See all Editorial Reviews

Product Details

• Paperback: 416 pages
• Publisher: Syngress (March 17, 2008)
• Language: English
• ISBN-10: 159749240X
• ISBN-13: 978-1597492409
• Product Dimensions: 9.1 x 7.5 x 0.9 inches
• Shipping Weight: 1.5 pounds (View shipping rates and policies)
• Average Customer Review: 4.6 out of 5 stars  See all reviews (5 customer reviews)
• Amazon.com Sales Rank: #349,446 in Books (See Bestsellers in Books)

Customer Reviews

Most Helpful Customer Reviews

6 of 6 people found the following review helpful:

5.0 out of 5 stars Excellent book on a very powerful open source tool, October 26, 2008

By	Richard Bejtlich "TaoSecurity.com" (Metro Washington, DC) - See all my reviews (TOP 500 REVIEWER)    (REAL NAME)

I'm surprised no one has offered serious commentary on the only book dedicated to OSSEC, an incredible open source host-based intrusion detection system. I first tried OSSEC in early 2007 and wrote in my blog: "OSSEC is really amazing in the sense that you can install it and immediately it starts parsing system logs for interesting activity." Stephen Northcutt of SANS quotes this post in his foreword to the book on p xxv. Once you start using OSSEC, especially with the WebUI, you'll become a log addict. OSSEC HIDS Guide (OHG) is your ticket to taking OSSEC to the next level, even though a basic installation will make you stronger and smarter.

I have to congratulate the author team for OHG. Writing a book for Syngress with many contributors is usually a recipe for disaster. OHG features three lead authors, four contributors, and one foreword author -- and they don't step on each others' toes. Each of the main chapters was coherent and well-written, with solid Frequently Asked Questions sections at the end. The chapters are well-formatted with a mix of tables, figures, clear screen captures, and plenty of configuration examples. The authors even include a DVD with a ready-to-run VMWare image of a Linux system running OSSEC and the WebUI. Please note the .rtf packaged on the DVD mentions visiting a "osui" directory on the Linux Web server in order to view the OSSEC WebUI. The correct URL is "oswui". The Camtasia videos walking viewers through OSSEC installation are a nice touch for the visually-inclined.

I had very few issues with OHG. I think two of the references to "/tmp" on p 203 should really be "tmp/", i.e., references to the tmp/ directory in the WebUI directory. Upgrading OSSEC is trivial (it detects a previous installation and asks the user how to proceed), but I would have liked to see that process mentioned explicitly in the book.

I appreciated the citation for my first book on p 256, but I think the author (hi Anton) missed a crucial point about Network Security Monitoring (NSM): data makes the expert. A ninja with no data isn't very effective. A newbie with data may not be a ninja, but he/she will be more likely to detect and respond to intrusions than the data-less ninja.

This is a simple review to write. If you use OSSEC, you should buy OHG. You'll learn how everything works, how to move beyond the simple (yet still powerful) out-of-the-free-box OSSEC feature set, and find more suspicious and malicious activity in your enterprise. In a future edition I would like to see discussions of integrating OSSEC with other log tools like Splunk.

5.0 out of 5 stars Worth the price, excellent book, indepth guide plus more, April 27, 2009

By	Goofy Foot "Goofyfoot" (If I told you where I was, would you really visit me? :-() - See all my reviews

I bought this book for 2 reasons. One was as a main reference for a term paper I am writing in the Masters program I am taking at ECU and the other was to learn more about this open source HIDS for my own personal use. The book, I feel, goes into great detail about the software from the download to writing a policy. Most books will not say anything about a policy, they just talk about the software and leave you at that. If you are using, thinking about using or want to learn about HIDS then I suggest buying this book. A big bonus is that Daniel Cid is one of the authors. Most books may only reference the creator of the software, few actually have the creator as an author. Awesome book.

5.0 out of 5 stars The Guide to Doing More with Less, October 29, 2008

By	Kurt R. Hinson (Tucson, Arizona) - See all my reviews (REAL NAME)

In these days of tight and/or frozen budgets, utilizing open source applications has become a must for many of us in the security realm. OSSEC is one such "must have" application that will give you visibility and insight into Windows, Mac and Linux machines on your network through the use of this Host Intrusion Detection application. There are many options, architectures and configuration variables and this book is an excellent resource that will guide you whether you are a seasoned professional or just starting to think about deploying host based intrusion detection in your environment. This book is a must have for any security engineer's bookshelf and a quick way to get you on the road to compliance using powerful and FREE software.