Monthly Archives: December 2006

Is Open Source Rootkit Detection Behind The Curve?

Posted on December 27, 2006 by danielcid

The guys from matasano posted in their blog an entry about the current state of open source rootkit detection. While I agree that we are way behind the latest rootkit technologies (specially for windows), if you look at the public … Continue reading →

Posted in ossec, rootkit | Leave a comment

Correlating multiple snort IDS with ossec

Posted on December 26, 2006 by danielcid

I was asked recently what is the best way to correlate multiple snort events with OSSEC. The idea would be to generate an ossec alert (by e-mail and possible an active response) if a specific number of snort rules are … Continue reading →

Posted in log analysis, ossec, snort | Leave a comment

Fun with logs (#2)

Posted on December 21, 2006 by danielcid

Every log analyst is tired of having to decipher weird/useless log entries. However, we are not alone… Even “normal” people have to deal with strange logs too. To prove that, the dailywtf web site is constantly adding entries to their … Continue reading →

Posted in fun, log analysis | Leave a comment

stdarg misuse (C tip #1)

Posted on December 19, 2006 by danielcid

I received some reports in the past about OSSEC segfaulting during startup on 64 bits systems. However, I was never able to reproduce this problem until last week.. I was happily enjoying my “vacation” and playing with ossec on an … Continue reading →

Posted in c, programming | Leave a comment

Ossec snapshot available (alpha 2).

Posted on December 6, 2006 by danielcid

We have a new snapshot available for testing. It includes the following new features (in addition of multiple bug fixes): Rules for Symantec AV. More information to the active response scripts and changed them to log to the logs directory … Continue reading →

Posted in ossec | 2 Comments