OSSEC
OSSEC is a well-known host-based intrusion detection system (HIDS) that analyzes logs, checks the integrity of files and the Windows registry, detects rootkits and actively responds to attempts to compromise a system. Its functionality includes analysis of local logs both at the OS level and from individual applications, for example: SSH, MS Exchange, Apache, Proofpoint, Sendmail, ARP Watch, FTPD, Microsoft IIS, Squid.
OSSEC processes event information coming from other systems, from hosts with OSSEC agents installed, and from firewalls. Based on rules written in XML format, it issues notifications about suspicious actions.
OSSEC can track the permissions, size and owner of a file. For the files it has been told to monitor, it stores MD5 and SHA1 hash values. The database of all these values is kept on the server.
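As an added illustration of the integrity-checking mechanism described above (example code, not OSSEC's own and not part of the original page), the routine below builds a baseline of the same attributes the text names for a monitored file (permissions, size, owner, MD5, SHA1) and reports which of them later differ; the monitored file name and its contents are constructed for the demo.

```python
import hashlib
import os
import stat
import tempfile

def file_fingerprint(path):
    """Record the attributes the text says OSSEC tracks: permissions, size, owner, MD5, SHA1."""
    st = os.lstat(path)
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {
        "perm": stat.S_IMODE(st.st_mode),
        "size": st.st_size,
        "owner": st.st_uid,
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
    }

def build_baseline(paths):
    return {p: file_fingerprint(p) for p in paths}  # in OSSEC this database lives on the server

def check_integrity(baseline):
    """Return {path: [changed attributes]} for every monitored file that differs from the baseline."""
    alerts = {}
    for path, old in baseline.items():
        if not os.path.exists(path):
            alerts[path] = ["deleted"]
            continue
        new = file_fingerprint(path)
        changed = [k for k in old if old[k] != new[k]]
        if changed:
            alerts[path] = changed
    return alerts

def demo():
    """Constructed scenario: a monitored config file is appended to and re-chmodded after baselining."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "monitored.conf")
        with open(target, "w") as f:
            f.write("PermitRootLogin no\n")
        os.chmod(target, 0o644)
        baseline = build_baseline([target])
        untouched = check_integrity(baseline)  # nothing has changed yet, so no alerts
        with open(target, "a") as f:
            f.write("PermitRootLogin yes\n")
        os.chmod(target, 0o600)
        return untouched, check_integrity(baseline)[target]
```

Running `demo()` returns an empty alert set for the untouched file and the list `['perm', 'size', 'md5', 'sha1']` for the modified one; the owner is unchanged, so it is not reported.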
Advantages of OSSEC: simplicity of installation and operation, broad capabilities, and support for logs from many different systems.
Disadvantages: difficulty of extending the knowledge base of attacks.