am 4. Oktober 2013
First of all I want to say that I'm thankful for the opportunity to review a free copy of this book. I will try to not get biased towards this book by this circumstance.
OSSEC HIDS is a host based intrusion detection system with 2 main differences to similar systems. OSSEC has a simple method of responding to detected intrusions (blocking offending hosts via local firewall or route configuration) and is a simple intrusion prevention system as well. Furthermore OSSEC uses a client-server model which does not only provide easy centralised configuration management but enables ossec to block offending hosts on all clients even when only one of them detects the intrusion attempt. While it is clearly a Linux / Unix tool, OSSECs client can run on Microsoft Windows hosts, too.
Like any IDS/IPS system OSSEC is no easily set up fire-and-forget solution but a complex system which needs know-how to implement and run it. A book of this size can not be a full manual but it is a very good quickstart guide. OSSEC has to be installed and configured before you can dive into creating your own decoders (how to get information out of your logfiles), rules (how to interpret the information you got) and how to deal with other functionality of OSSEC (like FIM, file integrity and file meta data checks like tripwire or aide, rootkit detection, and so on). When you start with OSSEC you don't want to deal with the installer or where to get new binary releases or how to connect clients to the server. This book gives you a way around these important but time consuming tasks and will give you a running OSSEC installation on a server and clients which will provide some security out of the box. What I missed in this part is that you don't have to whitelist any client in your network but you can use OSSEC to detect if one
of your clients was compromised and lock this client out of all other clients.
Since IDS systems have to be customized to your environment and due to the shortness of the book you will not find a complete manual on how to secure your entire network with OSSEC but it will give you a good starting point with the before mentioned decoders and rules by showing you an example upon which you can build your own configuration. Furthermore, you'll see how to enable extra features like rootkit detection which do not need much configuration and an example for an active response (intrusion countermeasures - blocking attacking hosts via iptables). The last part shows an advanced topic: helping OSSEC see the difference between a legitimate change to roots crontab via puppet and changes made by an attacker. This part shows that you can use OSSEC to gather information from different sources so can use it to aggreg
ate information not only from standard OS logfiles but from very different sources of data like other security tools like fail2ban, Snort and many more so you can take action on your clients to based informat
ion from a vast amount of data.
What I miss is a part about the agent configuration that you can change on your server which get's sent to your clients. Especially about what information has to be added to the server configuration and what should be sent to the clients. It could show another great feature of OSSEC: You can define global configuration options as well as options just for some clients (e.g. OS based) on the server and the client executes only the applicable config.
The book is very short and it will not make you an IT security expert but it will give you a working OSSEC instance with a server and clients so you can test it and it will give you a good base to start your
I enjoyed reading this book and I found some new information. Especially about a new way to connect your clients to your server and the part about checking whether a change was made by puppet or an attacker. I will definitely use it as a quick reference when setting up a new OSSEC HIDS infrastructure. I tried some of the examples from the book and the rest is at least very similar to what I do on my own OSSEC installation (although I would not recommend piping a script via wget to sh but download the installer script, check and run it. Just a small hint I could not resist to give).