Monthly Archives: December 2006

Is Open Source Rootkit Detection Behind The Curve?

The guys from Matasano posted in their blog an entry about the current state of open source rootkit detection. While I agree that we are way behind the latest rootkit technologies (especially for Windows), if you look at the public …

Posted in ossec, rootkit

Correlating multiple Snort IDS with OSSEC

I was asked recently what is the best way to correlate multiple Snort events with OSSEC. The idea would be to generate an OSSEC alert (by e-mail and possibly an active response) if a specific number of Snort rules are …

Posted in log analysis, ossec, snort

Fun with logs (#2)

Every log analyst is tired of having to decipher weird/useless log entries. However, we are not alone… Even “normal” people have to deal with strange logs too. To prove that, The Daily WTF web site is constantly adding entries to their …

Posted in fun, log analysis

stdarg misuse (C tip #1)

I received some reports in the past about OSSEC segfaulting during startup on 64-bit systems. However, I was never able to reproduce this problem until last week. I was happily enjoying my “vacation” and playing with OSSEC on an …

Posted in c, programming

OSSEC snapshot available (alpha 2)

We have a new snapshot available for testing. It includes the following new features (in addition to multiple bug fixes): rules for Symantec AV; more information in the active response scripts, which were changed to log to the logs directory …

Posted in ossec