OSSEC Host-Based Intrusion Detection Guide
- Rory Bray, New Brunswick, Canada. Senior software engineer at Q1 Labs Inc., New Brunswick, Canada
- Daniel Cid, New Brunswick, Canada. Lead Developer of the OSSEC HIDS, New Brunswick, Canada
- Andrew Hay, Andrew leads a team of software developers at Q1 Labs Inc. integrating 3rd party event and vulnerability data into QRadar, their flagship network security management solution. Prior to joining Q1 Labs, Andrew was CEO and co-founder of Koteas Corporation, a leading provider of end to end security and privacy solutions for government and enterprise. His resume also includes such organizations as Nokia Enterprise Solutions, Nortel Networks, and Magma Communications, a division of Primus. Andrew is a strong advocate of security training, certification programs, and public awareness initiatives. He also holds several industry certifications including the CCNA, CCSA, CCSE, CCSE NGX, CCSE Plus, Security+, GCIA, GCIH, SSP-MPA, SSP-CNSA, NSA, RHCT, and RHCE.
-- Stephen Northcutt
OSSEC determines if a host has been compromised in this manner by taking the equivalent of a picture of the host machine in its original, unaltered state. This "picture" captures the most relevant information about that machine's configuration. OSSEC saves this "picture" and then constantly compares it to the current state of that machine to identify anything that may have changed from the original configuration. Now, many of these changes are necessary, harmless, and authorized, such as a system administrator installing a new software upgrade, patch, or application. But, then there are the not-so-harmless changes, like the installation of a rootkit, trojan horse, or virus. Differentiating between the harmless and the not-so-harmless changes determines whether the system administrator or security professional is managing a secure, efficient network or a compromised network which might be funneling credit card numbers out to phishing gangs or storing massive amounts of pornography creating significant liability for that organization.
Separating the wheat from the chaff is by no means an easy task. Hence the need for this book. The book is co-authored by Daniel Cid, who is the founder and lead developer of the freely available OSSEC host-based IDS. As such, readers can be certain they are reading the most accurate, timely, and insightful information on OSSEC.
All disc-based content for this title is now available on the Web.
The target audience for this book is network, system, and security administrators who are responsible for protecting assets in their infrastructure. This book is also for those involved in the incident handling and forensic analysis of servers and workstations. Network, system, and security administrators will use this book on a daily basis to monitor the overall well being of the machines on their network. First responders and forensic analysts will use this book to determine the nature, origin, and severity of an attack as well as to begin the mitigation and repair process.
- Published: March 2008
- Imprint: SYNGRESS
- ISBN: 978-1-59749-240-9