LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 01-29-2012, 04:31 AM   #1
metalaarif
Member
Opinions regarding Security application OSSEC and Samhain


Hello everyone,

Today I would like to ask a question regarding the host-based intrusion detection systems OSSEC and Samhain.

1) If anyone has worked with or had any experience with OSSEC and Samhain, can you please share your problems regarding those applications and any suggestions or recommendations to improve them.

Best Regards,
metalaarif
Old 01-29-2012, 09:07 AM   #2
klearview
Member
I evaluated these 2 a couple of (more?) years ago and OSSEC won. The reason was simple - OSSEC was easy to install and made itself clearly useful right away without any configuration on my part, as in - I started getting useful system information without even having learnt about custom rules. Samhain was the complete opposite when it came to configuration (install was easy as it was in repos) - I couldn't get anything useful out of it and since I already had OSSEC as an example I felt like I was wasting my time.

These days OSSEC is a staple tool on the servers of my company, useful not only for security but also for flagging up other potential system problems - my Blackberry used to do a fair share of its work on OSSEC's behalf when I was directly responsible for managing servers.

Last edited by klearview; 01-29-2012 at 09:17 AM. Reason: grammar
 
Old 01-29-2012, 09:31 AM   #3
metalaarif
Member
Thanks for your suggestion, klearview. As far as I have gone with these HIDS applications:

I am certain that OSSEC is far more flexible than Samhain, whereas Samhain seems to be highly customisable and can be used for specific purposes.
Even if we talk about the rootkit detection mechanism, OSSEC has two types of rootkit detection, application-level and kernel-level. But Samhain seems to have kernel-level, which tries to monitor the syscall table to find rootkits.
The beauty of OSSEC is its alert notification levels from 0 to 15.
And its presentation of the report format is well-structured or documented.

I highly doubt this for Samhain because its reports are a little lengthy and difficult to understand at first sight.

These are just my views; I'm just comparing OSSEC and Samhain.

I would love to hear others' comments and suggestions to make Samhain more effective.
 
Old 01-29-2012, 03:56 PM   #4
unSpawn
Moderator
As I said before and elsewhere, you should not compare OSSEC with Samhain. In its client role Samhain is a HIDS, while OSSEC tries to do *a lot*: intrusion detection, log monitoring and acting as a security event manager. If you want to compare it SIEM-like, then compare OSSEC with, say, Samhain + Snort + Prelude. Or compare, say, the rootkit-checking component with Chkrootkit or Rootkit Hunter + rkdet + unhide.

Anyway. Since, at least on my watch, subjective opinions like "wasting time" will not ever replace fact-based comparison as the kind of criterion to base decisions on, here's what caught my eye while perusing the source. Let's diff https://bitbucket.org/dcid/ossec-hid...40af023.tar.gz (MD5: bfb1c3563b4c03c9afc90d50179ac59d) with http://www.ossec.net/files/ossec-hids-2.3.tar.gz (MD5: 7130049c5dd047966c786ad5f02e97f5).
Between 04/Dec/2009 and 04/Jan/2012 a total of 644 files were modified.
Narrow the scope to the src/rootcheck/ directory and that's still 35 files modified.
Excluding license changes (from GPLv3 to GPLv2) leaves 9 files.
Excluding code and web stack malware detection leaves just 2 files.


So what changed between 04/Dec/2009 and 04/Jan/2012? Well, 4 lines with additions actually:
Code:
--- ossec-hids-2.3/src/rootcheck/db/rootkit_files.txt   2009-01-29 17:53:37.000000000 +0100
+++ dcid-ossec-hids-21d1540af023/src/rootcheck/db/rootkit_files.txt     2012-01-06 13:28:54.000000000 +0100
@@ -1,4 +1,4 @@
-# @(#) $Id: rootkit_files.txt,v 1.21 2009/01/29 16:53:37 dcid Exp $
+# @(#) $Id$
 #
 # rootkit_files.txt, (C) Daniel B. Cid
 # Imported from the rootcheck project.
@@ -353,7 +353,6 @@
 # Cback Linux worm
 tmp/cback              ! cback worm ::/rootkits/cback.php
 tmp/derfiq             ! cback worm ::/rootkits/cback.php
-*/cback                ! cback worm ::/rootkits/cback.php
 
 
 # aPa Kit (from rkhunter)
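Review bot: dropping the `*/cback` entry narrows cback worm detection to the two fixed `tmp/` paths that remain, and nothing in the hunk records why; add a comment beside the surviving cback lines stating whether the wildcard form was removed for false positives or because the file check never honoured it, so the coverage change is deliberate and traceable.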
--- ossec-hids-2.3/src/rootcheck/db/rootkit_trojans.txt 2009-06-03 21:18:32.000000000 +0200
+++ dcid-ossec-hids-21d1540af023/src/rootcheck/db/rootkit_trojans.txt   2012-01-06 13:28:54.000000000 +0100
@@ -1,4 +1,4 @@
-# @(#) $Id: rootkit_trojans.txt,v 1.20 2009/06/03 19:18:32 dcid Exp $
+# @(#) $Id$
 #
 # rootkit_trojans.txt, (C) Daniel B. Cid
 # Imported from the rootcheck project.
@@ -22,16 +22,16 @@
 sh                     !proc\.h|/dev/[0-9]|/dev/[hijkz]!
 uname          !bash|^/bin/sh|file\.h|proc\.h|^/bin/.*sh!
 date           !bash|^/bin/sh|file\.h|proc\.h|/dev/[^cln]|^/bin/.*sh!
-du                     !/dev|w0rm|/prof|file\.h!
+du                     !w0rm|/prof|file\.h!
 df                     !bash|^/bin/sh|file\.h|proc\.h|/dev/[^clurdv]|^/bin/.*sh!
-login          !bash|elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk!
+login          !elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk!
 passwd         !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[b-s,uvxz]!
 mingetty       !bash|Dimensioni|pacchetto!
 chfn           !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]!
 chsh           !bash|file\.h|proc\.h|/dev/ttyo|/dev/[A-Z]|/dev/[a-s,uvxz]!
 mail           !bash|file\.h|proc\.h|/dev/[^nu]!
-su                     !bash|/dev/[d-s,abuvxz]|/dev/[A-D]|/dev/[F-Z]|/dev/[0-9]|satori|vejeta|conf\.inv!
-sudo           !bash|satori|vejeta|conf\.inv!
+su                     !/dev/[d-s,abuvxz]|/dev/[A-D]|/dev/[F-Z]|/dev/[0-9]|satori|vejeta|conf\.inv!
+sudo           !satori|vejeta|conf\.inv!
 crond          !/dev/[^nt]|bash!
 gpm                    !bash|mingetty!
 ifconfig       !bash|^/bin/sh|/dev/tux|session.null|/dev/[^cludisopt]!
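Review bot: removing `bash` from the `login`, `su` and `sudo` signatures (and `/dev` from `du`) changes what those trojan checks will flag, but the hunk carries no comment saying whether the strings were dropped because they matched legitimate binaries or because the original signature was wrong; record the rationale in the file header and keep this signature change separate from the `$Id$` cleanup so it can be reviewed on its own.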
Tell me what this says about the pace of development and attention to detail in comparison with what surfaced since 04/Dec/2009.
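To make the effect of the signature change in the post concrete, here is an added example (not OSSEC code) that parses the `<binary> !<pattern>!` line format shown in the rootkit_trojans.txt hunk and scans constructed file contents with the 2.3 signatures and the newer ones. It assumes the `!...!` field can be treated as a regular expression searched over the printable strings of the binary, which is an approximation of rootcheck's own matching.

```python
import re

# Constructed excerpts in the rootkit_trojans.txt format from the diff:
# "<binary> !<pattern>!" where the pattern is an alternation of strings.
OLD_SIGS = """
login          !bash|elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk!
sudo           !bash|satori|vejeta|conf\\.inv!
"""
NEW_SIGS = """
login          !elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk!
sudo           !satori|vejeta|conf\\.inv!
"""


def parse_signatures(text):
    """Return {binary: compiled pattern} from '<name> !<pattern>!<desc>' lines."""
    sigs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition("!")
        pattern, _, _desc = rest.partition("!")  # description is optional
        # Assumption: treat the field as a Python regex over byte strings.
        sigs[name.strip()] = re.compile(pattern.encode())
    return sigs


def printable_strings(data, min_len=4):
    """Approximate strings(1): runs of printable ASCII of at least min_len."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def scan(binaries, sigs):
    """Return the names of binaries whose strings match their own signature."""
    flagged = []
    for name, data in binaries.items():
        pat = sigs.get(name)
        if pat is not None and any(pat.search(s) for s in printable_strings(data)):
            flagged.append(name)
    return flagged


# Constructed sample contents standing in for two binaries, not real files.
SAMPLE = {
    "login": b"\x7fELF...\x00/bin/bash\x00pam_start\x00",  # only mentions bash
    "sudo": b"\x7fELF...\x00satori\x00",                   # carries a trojan string
}


def compare():
    """Flagged names under the 2.3 signatures and under the newer ones."""
    return scan(SAMPLE, parse_signatures(OLD_SIGS)), scan(SAMPLE, parse_signatures(NEW_SIGS))
```

With the 2.3 signatures the constructed `login` is flagged solely because it contains the string `bash`; with the newer signatures only `sudo`, which carries a trojan marker, is reported.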