After a long and restful weekend, Marty rushed into work to check on the newly deployed OSSEC HIDS agents and servers. To his pleasant surprise, all the test servers were still running and there were no indications of any errors. Looking at the logs collected by the OSSEC HIDS servers, Marty also noted that his scripted attacks were detected by the OSSEC HIDS agents and reported to the OSSEC HIDS server. His scripted modifications to critical system files and brute force authentication attacks were also reported. “I can’t wait to tell Simran!” Marty thought. Marty scheduled a meeting to talk to Simran about the results of his testing, and she suggested involving the heads of some of the other departments, namely David Schuster and Antoine Joseph. David Schuster, the department head of operations, was responsible for the installation and maintenance of all servers, desktops, and networking equipment within the organization. Antoine Joseph, the department head for incident handling and response, was responsible for the monitoring of all systems within the organization and the teams deployed to “fight fires” in the event of an incident.
With Simran, Antoine, and David in the room, Marty began his presentation by familiarizing everyone with the current challenges and introducing the OSSEC HIDS as a solution. He explained how easy it is to deploy the OSSEC HIDS on multiple servers with different operating systems, how all events can be centralized on a single server, how additional servers can be added as the event load increases, and how alerts can be generated from the received events. “I’ve heard of applications like this in the past,” said Antoine. “What benefit does my team get from this product besides something else to support? I need something that’s going to alert me to potential incidents and not force me to sit someone in front of a dashboard 24/7.” Marty smiled, as he knew Antoine was going to raise this question early in the meeting. “Actually, Antoine, the OSSEC HIDS allows you to configure alerts to be sent to individual email addresses, email groups, and even SMS-enabled devices like a cell phone or pager.” Marty paused to take a sip of water. “You can also configure the OSSEC HIDS to generate emails based on the severity of the alerts, the alert groupings, the subnet, or the agent. You can even limit the number of emails sent per hour so your analyst isn’t inundated with emails about the same issue.” Antoine nodded a couple of times to let everything sink in.
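The alerting behaviour Marty describes to Antoine (per-recipient delivery, an SMS-style format, routing by severity, rule group, subnet, or agent, and an hourly cap on emails) is all expressed in the server's ossec.conf. The fragment below is an added example, not configuration from the original text or from the OSSEC project's sample files; the SMTP host, addresses, agent name, and subnet are hypothetical placeholders, and the file-integrity alerts it routes correspond to the kind of critical-file modifications Marty tested in the previous section.

```xml
<ossec_config>
  <global>
    <!-- Master switch for email; without it no email_alerts block fires. -->
    <email_notification>yes</email_notification>
    <!-- Default recipient for anything at or above email_alert_level. -->
    <email_to>soc@example.com</email_to>          <!-- hypothetical -->
    <smtp_server>smtp.example.com</smtp_server>   <!-- hypothetical -->
    <email_from>ossec@example.com</email_from>    <!-- hypothetical -->
    <!-- Cap on emails per hour; further alerts are batched, not lost. -->
    <email_maxperhour>12</email_maxperhour>
  </global>

  <alerts>
    <!-- Everything at level 1+ is written to alerts.log ... -->
    <log_alert_level>1</log_alert_level>
    <!-- ... but only level 7+ is emailed to the default recipient. -->
    <email_alert_level>7</email_alert_level>
  </alerts>

  <!-- Severity: level 12+ goes to the on-call pager as a short SMS-style
       message, sent immediately rather than held for grouping. -->
  <email_alerts>
    <email_to>oncall-pager@example.com</email_to> <!-- hypothetical -->
    <level>12</level>
    <format>sms</format>
    <do_not_delay />
    <do_not_group />
  </email_alerts>

  <!-- Rule group: file-integrity (syscheck) alerts go to operations,
       whatever their level, so David's team sees changed system files. -->
  <email_alerts>
    <email_to>ops@example.com</email_to>          <!-- hypothetical -->
    <group>syscheck</group>
  </email_alerts>

  <!-- Subnet: alerts from agents in the DMZ go to the incident-response
       team in full format. event_location accepts an IP or CIDR range. -->
  <email_alerts>
    <email_to>ir-team@example.com</email_to>      <!-- hypothetical -->
    <event_location>10.10.0.0/16</event_location> <!-- hypothetical -->
    <format>full</format>
  </email_alerts>

  <!-- Agent: a single named agent can be routed to its own owner.
       event_location also accepts an agent name or hostname. -->
  <email_alerts>
    <email_to>antoine@example.com</email_to>      <!-- hypothetical -->
    <event_location>web01</event_location>        <!-- hypothetical -->
    <level>10</level>
  </email_alerts>
</ossec_config>
```

Each email_alerts block is evaluated independently, so one alert can be delivered to several recipients when it matches more than one block; the global email_maxperhour applies across all of them. After editing, restart the server (for example with the ossec-control script) and check ossec.log for configuration errors before assuming the new routing is live.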