
OSSEC & other intrusion detection systems

Published by Nick Fox

Host-based intrusion detection systems (HIDS) and network-based intrusion detection systems (NIDS) are two approaches to managing security for computers and networks. With HIDS, anti-threat software such as firewalls, antivirus and spyware detection applications is installed separately on every computer in the network; with NIDS, the anti-threat software sits only at specific crossroads, such as servers that act as a liaison between the outside environment and the part of the network that needs to be protected.


OSSEC HIDS
Apart from its role as an intrusion detection system, host-based OSSEC is often used as a security information and event manager (SEM/SIM). It performs log analysis, integrity checking, rootkit detection, time-based alerting and active response. Its powerful log analysis engine has made it popular with internet service providers, universities and large data centres, which use OSSEC HIDS to monitor and analyse their authentication logs, intrusion detection systems, firewalls and web servers. The latest version, 2.8.2, was released on June 10.

Snort
Using protocol analysis, content searching and various pre-processors, Snort is able to detect thousands of worms, vulnerability exploit attempts, port scans and other suspicious behaviour. This NIDS is well suited to traffic analysis and packet logging on IP networks. At the core of Snort's code is a flexible rule-based language for describing the traffic it either records or ignores, together with a modular detection engine. It comes with the free Basic Analysis and Security Engine, a web add-on for analysing Snort alerts. The latest version was released on July 23.

OSSIM
Developed by AlienVault, OSSIM (Open Source Security Information and Event Management) is a capable and comprehensive open source SIEM that provides event collection, normalization and correlation. The idea behind it came from security engineers who found no suitable open source products available, so it was developed with security professionals in mind and ships with a plethora of security controls. In addition, OSSIM includes the powerful AlienVault Open Threat Exchange, which lets users contribute reports of malicious hosts and be notified about them in real time.

ArcSight SIEM Platform
Among the SIEM tools developed by ArcSight, the ESM (Enterprise Security Manager) is the brain of the whole platform. It analyses and correlates all the events that occur across the organisation's network (logins, logoffs, file access, database queries and so on), which can then be presented graphically. From these it makes estimates of priority security risks and compliance violations. Using its powerful correlation engine, ArcSight ESM goes through millions of log records to identify the relevant critical incidents. Unlike OSSEC HIDS and OSSIM, the ESM is a standalone application that runs on Linux, Windows, AIX and Solaris.

This network security analysis tool uses Network Security Monitoring (NSM), a concept developed by Richard Bejtlich, Director of Incident Response at General Electric and a former Military Intelligence Officer with the USAF. The method involves the collection, analysis and escalation of warnings so that network intrusions can be detected and responded to. While it uses a traditional IDS such as Snort as its alerting mechanism, it also analyses IDS events, session data and full packet captures, which help security officers decide whether an event is a false positive or calls for the incident response team.

Wireshark
Wireshark is an excellent open source, multi-platform network protocol analyser that lets you examine data from a live network or from a capture file. It offers interactive browsing of the captured data, so you can drill down to the level you are interested in. Among its powerful features are a rich display filter language and the option to view reconstructed TCP streams. Over its lifetime, however, Wireshark has been hampered by dozens of security holes, so make sure you are running the latest version, released on August 12.

In an ideal scenario, a corporate network should be shielded by both HIDS and NIDS. The former acts as a last-ditch protection for individual computers, while the latter keeps the network itself secure.

About the author: Dan Radak is a web hosting security professional with ten years of experience. He is currently working with a number of companies in the field of online security, closely collaborating with SecureLink. He is also co-author on several technology websites.

