An Open Source Security Triple Play

Marcus Maciel writes to tell that Linux.com's Joe Barr recently took a look at OSSEC-HIDS, an open source host intrusion detection system. From the article: "According the OOSEC-HIDS Web site, it's more than a host intrusion detection system (IDS). It's also a security event manager and a security information manager, which makes it the security equivalent of a hat trick in hockey, a triple-play in baseball, or a rare triple-double in basketball. OSSEC-HIDS runs on both Windows and Linux/Unix. You can download the latest version along with the project's PGP public key, so you can verify the download." Linux.com and Slashdot are both owned by OSTG.

Re:Sporting Analogies

[Xserv]

Exactly. What makes them think we'll understand any of that? We're nerds. Basketball? Hmm. How about pong?

Xserv

Re:Sporting Analogies

[dnoyeb]

Or Mortal Kombat. "FATALITY!"

How about a double-jump...

[SpzToid]

...as in checkers?

--

Vote with all your heart, but get a healthy dosage of mass-media first. Or just don't vote at all!

Re:How about a double-jump...

[Xserv]

Blasphemy!! We're in the digital age! heh.

Re:Sporting Analogies

[MaxInBxl]

Ok so it's a security tool with 3 different "modules". Fantastic, probably a first in the software industry.

Re:Sporting Analogies

[Alioth]

Why couldn't they have just SAID that instead of this ridiculous sporting analogy which sounds like rapid-fire buzzwords from a marketdroid? I couldn't resist tagging the article 'badsportinganalogy'.

Re:Sporting Analogies

[ObsessiveMathsFreak]

Most people can not and will not understand anything at all unless it can be related to their everyday expieriences. And since most people spend more time consumed in sports than a korean Starcraft player spends in a games cafe, it's a safe bet that sports analogies will help carry the point across to those who would otherwise ignore it.

Re:Sporting Analogies

[Shaper_pmp]

Except this is Slashdot, not ESPN. For clarity analogies should probably be restricted to politics, code, IT infrastructure and cars (failed).

Plus, of course, the analogy in the summary was so long by the time it finished I'd almost forgotten what the summary was about...

Re:Sporting Analogies

[shish]

cars (failed).

This is like a car with three wheels! (?)

Re:Sporting Analogies

[sootman]

OSSEC is like a car that can take you places, make you a sandwich, and perform oral sex on you while driving. Better?

Re:Sporting Analogies

[ryanhornbeck]

Not to get anal, but a triple play is MUCH more rare than either a triple-double or a hat trick.

MLB: 30 teams x 162 games = 4860 games (possibly 2 triple plays per season or 1 every 2430 games)
NBA: 30 teams x 82 games = 2460 games (23 triple-doubles last season or 1 ever 106.95652173913043478260869565217 games)
NHL: 30 teams x 82 games = 2460 games (84 hat tricks last season or 1 every 29.285714285714285714285714285714 games)

Re:Sporting Analogies

[infosec_spaz]

GEEK!!!...Oh, wait, Like you didn't know that :o)

Re:Sporting Analogies

[ryanhornbeck]

Yeah, way geeky. Never could understand the disconnect between the average geek and sports statistics.

Re:Sporting Analogies

[Anonymous Coward]

You are not a true geek (and far from being anal ;-). Number of games is not teams x games_a_team_plays_in_a_season. You cannot count the games twice.

MLB: 162!/132!
NBA: 82!/52!
NHL: 82!/52!

Re:Sporting Analogies

[ryanhornbeck]

Each game counts as a game to each team. Each team plays 162 games in baseball, even if there are two teams per contest. You can only observe the opportunities to perform a triple play from the standpoint that you are playing defense half the time. You guys have confused your logic. Each game a team had the opportunity to defend for 27 outs. The other team has the exact same opportunity, except when the home team is winning after the top of the 9th inning is completed. Maybe this doesn't stand up the

I'm not a proper geek!

[HugePedlar]

I'm so embarassed. I truly thought this was about physical building security with cameras and PIRs and shit.

To whom to I report to hand back my geek membership card?

Re:I'm not a proper geek!

[Aladrin]

After so many sports analogies (none of which I understood, thank the heavens) I think you can be forgiven. The summary clearly wasn't aimed at us, so misunderstandings should be expected.

No need to feel dirty, my geeky friend. Go on your way with a clear conscience.

Re:I'm not a proper geek!

[XaXXon]

I need to turn in mine, too.

I actually got all the sporting metaphors and wish to correct.. or at least clarify on them.

Many more basketball triple-doubles occur during the course of a basketball season and hat-tricks in a hockey/soccer/"football" season than do triple plays in baseball.

Tripls plays aren't about skill, they're about a very specificly hit ball under a fairly rare circumstance.

Triple Double

[prophase_j]

I just learned what that means! Yay Google.

Re:Triple Double

[adrianhensler]

It's what I get in my extra large Tim's. I don't get those sports analogies (being a True Geek); so let me try it my way: I like my IDS's like I like my coffee; sugary sweet and really hot.

Nope; still don't get it.

Triple Double (Defined)

[Hwyman]

From Wikipedia:

A triple-double is a basketball term, defined as an individual performance in a game in which a player accumulates double-digit totals (i.e., 10 or more) in any three of these categories: points, rebounds, assists, steals, and blocked shots.

The most common way for a player to achieve a triple-double is with points, rebounds, and assists, though on occasion elite defensive players may record 10 or more steals or blocked shots in a game.

A triple-double is seen as an indication of an excellent a

Good but could be improved

[datasetgo]

While OSSEC HIDS looks like the beginnings of a good solution (aside from the name - sheesh - sounds like a sneeze) I'd like to see integration of projects like DShield.org [dshield.org] and maybe some community-maintained updates for rootkit definitions and such. APF/BFD [rfxnetworks.com] does this - why not OSSEC HIDS?
Gesundheit.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Translation

[$RANDOMLUSER]

Onion is to hair dryer as (three) sports analogies is to security product.

OSSEC is great

[Darkael]

Here is a list of what OSSEC can do if you are too lazy to RTFA:
- Log Analysis, with a powerful xml-based rules system
- File integrity checker
- Rootkit detection
- Active response (automatically ban hosts on critical alerts)
- Mail reporting
- Server/clients or local installation

It's GPL and runs on many *nix OS. I've tried OSSEC for a few months to monitor a few servers and I must say I'm pretty impressed with it. Its log analysis system is powerful and easy to understand. I've met a few false positives, but you can easily define your own rules to ignore some events. The project is a bit young, but development is very active. Definitely worth trying if you are interested in Unix security.

Re:OSSEC is great

[ricotest]

Nagios [nagios.org] has been doing Open Source security since 1996 and looks much the same.

Re:OSSEC is great

[Farce Pest]

Uh, no. Nagios is great for monitoring network services and local services, but it is not an IDS, and it does not look at logs or look for modified files or rootkits. There are some plugins that allow at least one IDS (Prelude) to talk to Nagios, but that's a separate product.

Re:OSSEC is great

[Darkael]

Well, can Nagios detect a SSH brute force attack, report it to you by mail and ban the offending IP, out of the box with almost no configuration to do?

Last time I checked Nagios was a general-purpose monitoring system, a pain in the ass to configure and too bloated if all you want is just improving your security. An HIDS like OSSEC is better suited for this kind of task.

Re:OSSEC is great

[caluml]

Que? Nagios is tool for monitoring, and alerting. As far as I know, it doesn't do stuff like detect cracking attempts, and block them, etc.
Are you thinking of Snort, maybe?

For those who don't get how great this is

[CosmeticLobotamy]

It's true that it's like a hat trick, triple-double, and that other thing, but if you don't know what any of those things are, it's also like a hole-in-three in golf, or three goals in three non-consecutive games of soccer, or to go in a non-sporting direction, three pieces of ham on a ham sandwich. But I guess the simplest way to explain it is that it does three seperate things. Three! I know it's a bit complicated, so I can explain further using many, many more analogies if need be. Just let me know.

Re:For those who don't get how great this is

[Whiney Mac Fanboy]

three pieces of ham on a ham sandwich. **snip** I can explain further using many, many more analogies if need be. Just let me know.

I'm not sure I'm following here - is that brown bread or white bread? Smoked ham or honey cured?

Re:For those who don't get how great this is

[MrP-(at work)]

mmmm ham

Ironically...

[daBass]

The metaphores used in the summary indicate three *the same* things while the product in question does three *different* things.

Re:Ironically...

[nadamsieee]

The metaphores used in the summary indicate three *the same* things while the product in question does three *different* things.

Actually, a triple-double [wikipedia.org] in basketball is when a player does three different things 10 or more times each in a single game.

Re:Ironically...

[daBass]

And people keep track of that sort of thing? They need to get a life; I though basket ball was one of the few sports that was actually exciting enough on its own with the need for annoracs to keep useless statistics! ;-)

Re:Ironically...

[MrPink2U]

Basketball is one word.

Re:Ironically...

[technococcus]

Ah, but the three "different" things all do the same thing: Increase security.

So, the analogy is more apt than it may at first seem.

Re:Ironically...

[daBass]

Not quite, really.

The goal of the sports is to increase the score, the cool thing is if someone does the same thing 3 times to achieve that.

The goal here is - as you say - to increase security. But here it is still being celebrated that three *different* things are done to achieve that. (except in the case of the "tripple double", but that is the exception that proves the rule. Plus it is a rediculous statistic anyway.)

Sorry, had to have the last word! :P

Re:For those who don't get how great this is

[dpiven]

Or, put another way, it's like having a wife, a girlfriend, AND an inflatable doll in your briefcase.

(If you just thought, "if I had a girlfriend, how would I get her to stay in my briefcase?", you might be a /.er)

Re:For those who don't get how great this is

[chawly]

My thought was "if I had a girlfriend, why would I want to fit her into my briefcase ?" This thought was immediately followed by "how would I carry the briefcase, one-handed and with a casual expression".

Re:For those who don't get how great this is

[Shaper_pmp]

I can't believe we haven't had a failed car analogy yet.

So... it's a bit like a car that goes forwards and backwards, right?

Re:For those who don't get how great this is

[krewemaynard]

So... it's a bit like a car that goes forwards and backwards, right?

AND it turns! HAT TRICK

Re:For those who don't get how great this is

[Shaper_pmp]

Except, y'know, now the analogy works, neatly ruining the joke.

(Shakes head sadly...)

Re:For those who don't get how great this is

[Lord Ender]

One... Two... FIVE!

Three, sir!

Three!

Re:For those who don't get how great this is

[elrous0]

it's also like a hole-in-three in golf

In former Soviet Russia, losing wrong golf game get you put in hole FOR three.

-Eric

Ok if playing against Yankees, Knicks or Rangers

[schwit1]

Hopefully your IT security has a bit less random chance than these sporting event's rare occurrences.

I suspect the black hats use the same metaphors to describe success, including goooooooooooooooooal!

how about...

[aquabat]

Is it anything like the ultra-rare "menage a quatre" of sexual intercourse?

Iv'e used this system for a while now...

[Victor Fors]

It's actually quite useful, and not only from a security/intrusion standpoint; it reads the system logs and reports on errors. And the best thing about it is, it's self-learning! It will count the number of times a certain (low-level, as in "cannot find file" type) system error is encountered, and then, if it appears often enough on a regular basis it learns to ignore it. Very neat.

Re:Iv'e used this system for a while now...

[cdep_illabout]

It's actually quite useful, and not only from a security/intrusion standpoint; it reads the system logs and reports on errors. And the best thing about it is, it's self-learning!

I for one, welcome our new, hard-to-say, tripple-ham-sandwhich overlords.

How soon before

[WindBourne]

there is a proper virus that works on Mac-Intel, Windows, and Linux?

Re:How soon before

[Pollardito]

if such a virus also worked on BSD it would be the viral equivalent of hitting for the cycle in baseball or winning the grand slam in tennis. i'm just trying to lend a hand to future editors of its introduction article

PGP "verification"

[jonabbey]

Of course we all remember that PGP verification only means that the download was signed off on by the person or persons in possession of the corresponding PGP private key, not that that person is necessarily competent or trustworthy.

PGP/GPG signing is great, and necessary, but not sufficient for trust.

doesn't seem to be any uninstall scripts

[boojumbadger]

just saying...

Tried it.. its soso

[zaqattack911]

Great install script... but seems to not work if I try an installation location other than /var/ossec The rule based "xml" for identifying problems in logfiles is great. the active response doesn't work. I've tried everything EVERYTHING. and injecting all sorts of attacks didn't even cause the firewall script to block the ip. I searched and tried, and fiddles, and cried. Nadda.