OSSEC & other intrusion detection systems

Published by Nick Fox

Host-based intrusion detection systems (HIDS) and network-based intrusion detection systems (NIDS) are two complementary ways of watching computers and networks for attack. A HIDS runs an agent on every protected host and inspects what happens there: log entries, file integrity, running processes and signs of rootkits. A NIDS instead sits at a few chokepoints, such as the gateway between the outside world and the network segment that needs protecting, and inspects the traffic passing through it.


OSSEC
Apart from its role as an intrusion detection system, the host-based OSSEC is often used as a lightweight security information and event manager (SIEM). It performs log analysis, file integrity checking, rootkit detection, real-time alerting and active response (for example, adding a firewall rule against a source address that trips a high-level rule). Its log analysis engine made it popular with internet service providers, universities and large data centres, which use OSSEC HIDS to monitor and analyse their authentication logs, intrusion detection systems, firewalls and web servers. The latest version, 2.8.2, was released on June 10.
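To make the log-analysis and active-response pipeline concrete, here is a small Python model of how an OSSEC-style engine processes sshd log lines. It is an added example, not code from OSSEC or from this post: decoders pull the user and source IP out of each line, atomic rules assign a level, and a composite rule in the shape of OSSEC's sshd brute-force rule escalates when the same source IP fails eight times within 120 seconds; any alert at or above level 6 (the threshold the default ossec.conf uses for firewall-drop) hands the source IP to active response. The rule ids (5715, 5716, 5712), the frequency and timeframe, the level-6 threshold and the sample log lines are assumptions modelled on OSSEC's shipped sshd rules, not taken from a live system.

```python
"""
OSSEC-style log analysis in miniature (added example, not OSSEC code):
decoders extract fields, atomic rules assign a level, a composite rule
escalates repeated failures from one source IP, and high-level alerts
feed an active response. Sample log lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Decoders: regexes that turn a raw sshd line into named fields.
DECODERS = {
    "sshd-failed": re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
        r"from (?P<srcip>[\d.]+)"),
    "sshd-accepted": re.compile(
        r"sshd\[\d+\]: Accepted (?:password|publickey) for (?P<user>\S+) "
        r"from (?P<srcip>[\d.]+)"),
}
SYSLOG_TS = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")

# Atomic rules: decoder -> (rule id, level, description).
# Ids and levels are modelled on OSSEC's sshd_rules.xml (assumption).
ATOMIC_RULES = {
    "sshd-failed":   (5716, 5, "SSHD authentication failed."),
    "sshd-accepted": (5715, 3, "SSHD authentication success."),
}

# Composite rule in the shape of OSSEC's 5712: `frequency` matches of 5716
# from the same source IP within `timeframe` seconds become a level-10 alert.
BRUTE_FORCE = {"id": 5712, "level": 10, "if_matched_sid": 5716,
               "frequency": 8, "timeframe": 120,
               "description": "SSHD brute force trying to get access to the system."}

# Active response: default ossec.conf binds firewall-drop to level 6 (assumption).
ACTIVE_RESPONSE_LEVEL = 6


def decode(line, year=2015):
    """Return (timestamp, decoder name, fields) for a recognised line, else None."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    for name, rx in DECODERS.items():
        hit = rx.search(line)
        if hit:
            return ts, name, hit.groupdict()
    return None


def analyse(lines, year=2015):
    """Run decoders and rules over log lines.

    Returns (alerts, blocked_ips): every alert the rules produced, and the
    source IPs an active response would pass to firewall-drop.
    """
    alerts, blocked = [], []
    recent = defaultdict(deque)          # srcip -> timestamps of 5716 matches
    for line in lines:
        decoded = decode(line, year)
        if decoded is None:              # no decoder matched: OSSEC ignores the line
            continue
        ts, name, fields = decoded
        rule_id, level, desc = ATOMIC_RULES[name]
        srcip = fields["srcip"]
        alert = {"rule": rule_id, "level": level, "srcip": srcip,
                 "user": fields["user"], "ts": ts, "description": desc}
        if rule_id == BRUTE_FORCE["if_matched_sid"]:
            window = recent[srcip]
            window.append(ts)
            # Slide the window: forget failures older than the timeframe.
            while (ts - window[0]).total_seconds() > BRUTE_FORCE["timeframe"]:
                window.popleft()
            if len(window) >= BRUTE_FORCE["frequency"]:
                # The composite rule replaces the atomic alert, as in OSSEC.
                alert.update(rule=BRUTE_FORCE["id"], level=BRUTE_FORCE["level"],
                             description=BRUTE_FORCE["description"])
                window.clear()           # one burst yields one escalation
        alerts.append(alert)
        if alert["level"] >= ACTIVE_RESPONSE_LEVEL and srcip not in blocked:
            blocked.append(srcip)        # what firewall-drop would receive
    return alerts, blocked


# Constructed sample: a burst from 203.0.113.45, a slow failure-then-success
# from 198.51.100.7, and an unrelated cron line that no decoder handles.
SAMPLE_LOG = """\
Jun 10 13:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Jun 10 13:00:05 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Jun 10 13:00:09 web1 sshd[2105]: Failed password for root from 203.0.113.45 port 51038 ssh2
Jun 10 13:00:14 web1 sshd[2107]: Failed password for root from 203.0.113.45 port 51044 ssh2
Jun 10 13:00:18 web1 sshd[2109]: Failed password for invalid user oracle from 203.0.113.45 port 51050 ssh2
Jun 10 13:00:22 web1 sshd[2111]: Failed password for invalid user test from 203.0.113.45 port 51056 ssh2
Jun 10 13:00:27 web1 sshd[2113]: Failed password for root from 203.0.113.45 port 51062 ssh2
Jun 10 13:00:31 web1 sshd[2115]: Failed password for root from 203.0.113.45 port 51068 ssh2
Jun 10 13:00:35 web1 sshd[2117]: Failed password for root from 203.0.113.45 port 51074 ssh2
Jun 10 13:02:10 web1 sshd[2140]: Failed password for alice from 198.51.100.7 port 40012 ssh2
Jun 10 13:05:44 web1 sshd[2151]: Failed password for alice from 198.51.100.7 port 40020 ssh2
Jun 10 13:05:52 web1 sshd[2153]: Accepted password for alice from 198.51.100.7 port 40021 ssh2
Jun 10 13:09:00 web1 cron[2200]: (root) CMD (run-parts /etc/cron.hourly)
"""

if __name__ == "__main__":
    found, drops = analyse(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a['ts']:%H:%M:%S} rule {a['rule']} level {a['level']:2d} "
              f"{a['srcip']:>14} {a['description']}")
    print("active response would block:", drops)
```

Only the eighth failure from 203.0.113.45 becomes a 5712 alert; the earlier seven and the ninth stay at level 5, and alice's two slow failures never reach the frequency threshold, so she is never blocked even though the engine logged every attempt. That is the behaviour to check when tuning real OSSEC rules: the frequency and timeframe decide how noisy a legitimate user can be before active response locks them out.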

Snort
Using protocol analysis, content searching and a set of preprocessors, Snort can detect thousands of worms, exploit attempts, port scans and other suspicious behaviour. This NIDS is well suited to traffic analysis and packet logging on IP networks. At the core of Snort is a flexible rule-based language for describing which traffic to alert on, record or ignore, together with a modular detection engine. It pairs with the free Basic Analysis and Security Engine (BASE), a web front end for analysing Snort alerts. The latest version, 2.9.7.5, was released on July 23.

OSSIM
Developed by AlienVault, OSSIM (Open Source Security Information Management) is a comprehensive open source SIEM that provides event collection, normalization and correlation. It grew out of security engineers' frustration at the lack of usable open source products in this space, so it was built with security professionals in mind and bundles a wide range of security controls. In addition, OSSIM includes the AlienVault Open Threat Exchange, which lets users contribute and receive information about malicious hosts in real time.

ArcSight SIEM Platform
Among the SIEM tools developed by ArcSight, the ESM (Enterprise Security Manager) is the brain of the platform. It collects and correlates the events that occur across the organization's network (logins, logoffs, file access, database queries and so on), presents them graphically, and ranks the resulting security risks and compliance violations by priority. Using its correlation engine, ArcSight ESM sifts through millions of log records to identify the critical incidents that matter. Unlike OSSEC HIDS and OSSIM, the ESM is a standalone application that runs on Linux, Windows, AIX and Solaris.

Sguil
This network security analysis tool is built around Network Security Monitoring (NSM), a concept articulated by Richard Bejtlich, Director of Incident Response at General Electric and a former intelligence officer with the USAF. NSM is the collection, analysis and escalation of indications and warnings in order to detect and respond to intrusions. Sguil uses a traditional IDS such as Snort as its alerting mechanism, but places each IDS event alongside session data and full packet capture, which lets analysts decide whether an event is a false positive or warrants handing off to the incident response team.

Wireshark
Wireshark is an open source, multi-platform network protocol analyser that lets you examine data from a live network or from a capture file. It offers interactive browsing of the captured data, so you can drill down to the layer you are interested in, a rich display filter language, and the ability to reconstruct a TCP session as a single stream. Over its history, however, Wireshark has been hit by dozens of security holes, most of them in the protocol dissectors, which by design parse untrusted data straight off the wire. Keep it updated (the latest release came out on August 12), and capture with a separate unprivileged process (Wireshark ships dumpcap for this) rather than running the whole analyser as root.

In an ideal scenario, a corporate network is shielded by both a HIDS and a NIDS: the former is the last line of defence for individual hosts, while the latter watches the network as a whole.

About the author: Dan Radak is a web hosting security professional with ten years of experience. He is currently working with a number of companies in the field of online security, closely collaborating with SecureLink. He is also co-author on several technology websites.
