OSSEC – Page 3 – WindowsTechs.com

[SANS ISC] Using OSSEC Active-Response as a DFIR Framework

Posted on December 20, 2018 by Xavier

I published the following diary on isc.sans.edu: “Using OSSEC Active-Response as a DFIR Framework”: In most of our networks, endpoints are often the weakest link because there are more difficult to control (example: laptops are travelling, used at home, etc).They can also be located in different locations even countries for

[The post [SANS ISC] Using OSSEC Active-Response as a DFIR Framework has been first published on /dev/random]

Continue reading [SANS ISC] Using OSSEC Active-Response as a DFIR Framework→

“Hunting with OSSEC” at BruCON Spring Training

Posted on December 19, 2018 by Xavier

My training submission has been accepted at the BruCON Spring Training session in April 2019. This training is intended for Blue Team members and system/security engineers who would like to take advantage of the OSSEC integration capabilities with other tools and increase the visibility of their infrastructure behaviour. OSSEC is sometimes described as

[The post “Hunting with OSSEC” at BruCON Spring Training has been first published on /dev/random]

Continue reading “Hunting with OSSEC” at BruCON Spring Training→

Why would an OSSEC manager act as if it is an agent? [on hold]

Posted on September 24, 2018 by Forest J. Handford

I’m prototyping the use of FIM software and just installed OSSEC manager. I want to add a client but when I do I get the following agent menu:

sudo /var/ossec/bin/manage_agents

****************************************
* … Continue reading Why would an OSSEC manager act as if it is an agent? [on hold]→

[SANS ISC] Hunting for Suspicious Processes with OSSEC

Posted on September 20, 2018 by Xavier

I published the following diary on isc.sans.edu: “Hunting for Suspicious Processes with OSSEC“: Here is a quick example of how OSSEC can be helpful to perform threat hunting. OSSEC is a free security monitoring tool/log management platform which has many features related to detecting malicious activity on a live system like the

[The post [SANS ISC] Hunting for Suspicious Processes with OSSEC has been first published on /dev/random]

Continue reading [SANS ISC] Hunting for Suspicious Processes with OSSEC→

AIDE and OSSEC conflicts?

Posted on August 22, 2018 by jfran3

Being fairly new to both AIDE and OSSEC I’ve been trying to find out if there are any potential conflicts in having them both installed on one host (CentOS 7.5). It seems like they could work as a multi-layered approach, but … Continue reading AIDE and OSSEC conflicts?→

Training Announce: “Hunting with OSSEC”

Posted on August 20, 2018 by Xavier

I’m proud to have been selected to give a training at DeepSec (Vienna, Austria) in November: “Hunting with OSSEC“. This training is intended for Blue Team members and system/security engineers who would like to take advantage of the OSSEC integration capabilities with other tools and increase the visibility of their infrastructure behaviour.

[The post Training Announce: “Hunting with OSSEC” has been first published on /dev/random]

Continue reading Training Announce: “Hunting with OSSEC”→

Imap2TheHive: Support for Custom Observables

Posted on July 13, 2018 by Xavier

I’m using OSSEC to feed an instance of TheHive to investigate security incidents reported by OSSEC. To better categorize the alerts and merge similar events, I needed to add more observables. OSSEC alerts are delivered by email with interesting information for TheHive. This was an interesting use case to play

[The post Imap2TheHive: Support for Custom Observables has been first published on /dev/random]

Continue reading Imap2TheHive: Support for Custom Observables→

OSSEC configuration

Posted on July 3, 2018 by Terry

Let’s say you have a large environment of several thousand servers. You have the manager and agents configured.

I understand that you have an OSSEC.conf file and also a rules file.

Does the agent have a copy of the OSSEC co… Continue reading OSSEC configuration→

OSSEC-agent for monitoring interfaces

Posted on June 29, 2018 by Stephen

I have installed the Wazuh-ossec agent on one of my Linux systems, I would like to monitor one of the ethernet ports for unusual network activities such as port scans, vulnerability scans, etc

I’ve found the following articl… Continue reading OSSEC-agent for monitoring interfaces→

How different are Lynis and Wazuh solutions?

Posted on April 27, 2018 by Gatis

It seems both Cisofy’s Lynis and Wazuh’s OSSEC share a lot of functionalities. I’m completely newbie on both tools and yet I need to pick one (or both) to help achieve PCI DSS Compliance. Any thoughts?

Continue reading How different are Lynis and Wazuh solutions?→