User Testimonials

Kurt R. Hinson at Amazon.com (2008 Oct)

Oct 29 2008

“In these days of tight and/or frozen budgets, utilizing open source applications has become a must for many of us in the security realm. OSSEC is one such “must have” application that will give you visibility and insight into Windows, Mac and Linux machines on your network through the use of this Host Intrusion Detection application. There are many options, architectures and configuration variables and this book is an excellent resource that will guide you whether you are a seasoned professional or just starting to think about deploying host based intrusion detection in your environment. This book is a must have for any security engineer’s bookshelf and a quick way to get you on the road to compliance using powerful and FREE software.”

Full post at amazon.com

Aaron Bliss at brockport.edu (2008 Apr)

Apr 23 2008

“Hi everyone, I’ve been using ossec for a few months now and everything is working great (a truly excellent, robust application set).”

Full post at google groups

Mike at itadmins.org (2008 Mar)

Mar 28 2008

“After testing it out on several of my machines, I can officially say it’s exactly what I was looking for in an IDS: something lightweight, cross-platform, and well documented. ... This is absolutely what I was looking for in intrusion detection. Go check OSSEC out when you get a chance.”

Full article at http://itadmins.org/?p=58

Joe Bar at Linux.com (2008 Mar)

Mar 11 2008

“OSSEC is a complete Host Intrusion Detection System, meant to detect any and all attempts at intrusion. We reviewed OSSEC in 2006, when it was at the 0.9 release. But even though it’s much larger and more complex than the other two tools, OSSEC installation is a breeze.”

Full article at http://www.linux.com/feature/128450

Steve McMaster (2007 Dec)

Dec 11 2007

“I heard a talk once where the presenter said the true strength of your network security comes when you take away your firewall; what happens to your network if someone adds an ‘Any to Any on Any Accept’ rule to the top of your rulebase? Does your network fall apart and crumble? Obviously, that’s quite a blow to the defense of your network, but can you fight from one knee until reinforcements arrive? One of the best tools you can get to help you out is software called OSSEC. The idea behind OSSEC is simple: have software that watches your logs, understands what they mean, and reacts as necessary... Getting OSSEC running is surprisingly simple, considering how powerful it is. All it takes is some knowledge of Linux, and knowing what logs you want to watch. Don’t worry, there is an agent for Windows servers, too; however, the server itself runs only on Linux...”

Full article at http://news.hurricanelabs.com/article.php?story=20071211101538488

Paul Sebastian Ziegler at observed.de (2007 Sep)

Sep 05, 2007

“During Defcon15 there was a new kind of contest called the “0wn the box” competition where anyone who 0wned a box got to take it home. I was over there as a speaker so I thought it might be fun to try defending a box. My box was based on Gentoo-Linux and hardened using various techniques... So the results were recently published on the DC-Homepage (http://defcon.org/) - and if you look closely there is this line saying “Most evil entry: Tatsumori (Gentoo Hardened with arp poisoning evilness)”. The arp-foo was actually done using scapy, but I scripted it as an active response for OSSEC 1.2. So part of my success to survive there (and really make people curse out while hacking) is OSSEC. Its great modularity and easy extensibility makes creating kick-ass crazy dedicated solutions so much easier than it was ever before.”

Full comment at http://observed.de/?entnum=83

Anonymous comment at blog.gnist.org (2007 Aug)

Aug 18, 2007

“To anyone else reading this who hosts servers and is worried about getting attacked, I use http://www.ossec.net/ which is effectively a self defence program. If you try and brute force (more than n attempts in p seconds) or portscan my machine, it simply locks you out for 24 hours by denying that IP. It has other useful features and even lets me know when it’s being attacked - absolutely brilliant program and I have no hesitation in recommending it.”

Full comment at http://blog.gnist.org/article.php?story=HollidayCracking (blog.gnist.org)

Jeremy Melanson at lists.debian (2007 Aug)

Aug 17, 2007

“My company just got PCI certified (we’re on our way to CISP)... Here’s a run-down of the projects that I’ve implemented to achieve our PCI compliance... Host Intrusion Detection, File Integrity Monitor (OSSEC): I’m using OSSEC (http://www.ossec.net) to monitor the individual SysLog files for perceived security issues. OSSEC understands Snort, Cisco PIX, IPTables, and a host of others. Additionally, I have OSSEC agents running on each of my servers (including Windoze), which report back to a central OSSEC Server. The agents are primarily in charge of monitoring important files for changes (nice view during upgrades), and secondarily in charge of scanning for RootKits. OSSEC can also interface with IPTables and other host-based firewalls, as a means of implementing Real-time greylisting...”

Full post at http://lists.debian.org/debian-security/2007/08/msg00114.html

Chuck Little at Security Horizon (2007 Jul)

Jul 25, 2007

“Though OSSEC-HIDS is a fairly young project..., its approach to intrusion detection is based on common sense, and extremely extensible. And that is something I think we have been missing from software products these days: common sense. Most vendors seem more inclined to add features, and a sparkly/pretty GUI, and less inclined to fix their detection engine or refine signatures (for signature-based IDS) to help reduce false positives. Hopefully OSSEC-HIDS will be a trend-setter in that other IDS vendors get back to their roots and use a more common-sense based approach to intrusion detection. Forget the glitz and pretty graphs; just make something that works. OSSEC-HIDS is just that... it works; and has an added bonus of working well.”

Full article at Security Horizon Summer 07

Clayton Dillard at OSSEC-list (2007 Jul)

Jul 25, 2007

“Also, I wanted to thank the folks involved with developing and maintaining the OSSEC project. We’ve had OSSEC in production for only a couple of months and it has already helped us identify several attacks and a few agent/host configuration issues. Thanks for a great product!”

Link here

Mraju at /muraliraju.info (2007 Jul)

Jul 01, 2007

“I am truly impressed with OSSEC when it comes to HIDS (Host Intrusion Detection System) functions... OSSEC is a project from Daniel B. Cid (contact at ossec.net) who is the primary author of this great tool. I run OSSEC from a single box to cluster of machines ranging in the 100s, primarily running *NIX. Although I primarily use it for HIDS (agent) setups, recently I am starting to see a benefit in using OSSEC for log analysis. This started with OSSEC reporting alerts from mod_security, which I use heavily as a WAF for Web Applications...”

Link to the blog post: HIDS with OSSEC

Matt Groves at blog.mattgroves.com (2007 Jun)

Jun 10, 2007

“... I have several methods by which I achieve this, and I’m not going to advertise them all. One of the ways that I achieve proactive security monitoring and reactive system changes to cease attempts made by nasties on the internet getting access or extended information about the system, is to use a Host Based Intrusion Detection System (HIDS) and of all the packages that I have experienced, have stuck with, and can highly recommend OSSEC - open source, free, regularly updated, virtually bug-free and a very good ruleset. I’m listed as a donor now, too :-)”

Read full post at his blog entry

Christopher J. Buckley - cbuckley at redhat.com (2007 May)

May 04, 2007

“OSSEC is a leading Intrusion Detection System for Enterprise UNIX(-like) and Windows platforms. OSSEC is, by quite a way, the most innovative and customisable IDS product I have worked with. As a result of its ease of customisation, the developer Daniel B. Cid, with a little bit of help from myself, has implemented supported rule-sets for my former employer’s products: Zeus WebServer and ZXTM. Both products are widely deployed across many enterprise environments; adding specific rulesets for their software is one which I hope assists all fellow sysadmins tasked with running infrastructure using Zeus software.”

Read full post at his blog entry

Cynthia Harvey at eSecurity Planet (2007 May)

May 01, 2007

“This host-based intrusion detection system (HIDS) has recently been gaining popularity among enterprise users, in part because of its high scalability. If an attack overcomes your network defenses, Ossec HIDS stops the attack at the host level, and it can be configured to notify the network administrator when an attack occurs. It’s compatible with many firewalls and all the major operating systems.”

Read full post at the esecurityplanet article

Eric Hines at LinuxWorld (2007 Mar)

“I’ve selected OSSEC HIDS as the No. 1 open source tool due to its recent rapid growth in the enterprise. OSSEC HIDS is a rapidly evolving open source project that offers the first ever open source host intrusion detection and prevention system, developed by Daniel Cid. The OSSEC HIDS project has been gaining widespread use and is quickly being deployed within organizations around the world as a method of protecting systems at the host level after attacks have made it past network defenses... Combined with open source Snort, OSSEC gives administrators a 360-degree holistic view of both the network and the endpoint systems they are monitoring... The OSSEC rules language is incredibly flexible and powerful, allowing administrators to define their own custom rules to alert on any predefined text or patterns. Its detection capabilities do not stop at rules. It includes checks via syscheck for changes to user-specified directories, integrity checks on files and directories, MD5 checksum changes, file or directory sizes, file or directory ownership, and group, file and directory permissions. More importantly, OSSEC monitors the Windows registry, in which most trojans, spyware and backdoors are traditionally injected on Windows hosts...”

Read full post at LinuxWorld (ossec #1 security tool in the enterprise)

David Bianco at Computer World (2007 Feb)

“We were able to get a lot of out-of-the-box functionality,” says David Bianco, cybersecurity analyst for Thomas Jefferson National Accelerator Facility in Newport News, Va. “OSSEC immediately started parsing our firewall logs and alerting on Internet scans and probes. It’s also helping track failed logins, system account changes, IDS alerts and a few other things – all with very little work on our part.”

Read full post at Computer World

Sifu Kurt at InfoSec Kwoon (2006 Oct)

Oct 12, 2006

“I’ve used a lot of different file integrity monitoring programs (Samhain, Osiris, and Tripwire just to name a few), and I’ve messed with a number of different programs for log parsing and event correlation. Then I found OSSEC, which takes all of these things to an entirely new level. Now instead of having to manage multiple different software packages, I can do it in one. But that’s not the coolest thing. OSSEC will allow you to monitor syslog and Windows event logs as well as Apache, IIS, Snort, and numerous other logs from a single location, and it has a very robust set of rules to do event correlation. If you are so inclined, you can even take advantage of the Active Response option and have OSSEC disable accounts, drop in firewall rules, etc., etc. Plus it does file integrity monitoring on top of it all...”

Read full post at his blog entry

Marc Bayerkohler (2006 Aug)

Aug 25, 2006

“GREAT SOFTWARE

First, thanks for publishing this software. The OSSEC HIDS project looks great so far. It fills a serious need. I do PCI (payment card industry) consulting, and every client needs to have a centralized log server and file integrity solution. The Windows/Unix ability is perfect. This could save people a lot of money and get used.

Also, the installation was really fast.”

Read his message at this mailing list archive

Pilou (2006)

“Nice soft.

I’ve tested this HIDS on a Debian (kernel 2.6.17) and on a Red Hat Enterprise 3 (kernel 2.4). It works without problems. I’ve used Nessus to test it, and it’s wonderful. Iptables and hosts.deny were used without trouble, and Nessus couldn’t report any trouble or anything else.

Great.

Best regards, Pilou”

fak3r at osnews.com (Sep 2006)

Sep 20, 2006

I’ve been running this on my FreeBSD server for 2 months now, and it’s been fantastic. If I so much as modify one file in /etc I get an email telling me about it. It watches a ton of other things, and is very configurable, but don’t be deterred, it runs fine on the default settings while you learn the system, and install is a snap. While the above HOWTO looks good, I installed w/o any problems from the OSSEC install doc:

http://www.ossec.net/en/manual.html#install

I would like to see this project get more attention, as computer security should not end at the firewall or snort.

fak3r

Read full post at osnews.com

His profile here.

Marty Hillman, IT Director - MCSE, GCIH

“OSSEC is now monitoring traffic from all DC and business critical servers so that I can monitor file access to specific files and illegal access attempts such as invalid login attempts and account lockouts. It is also monitoring all IIS logs so that I can see any potential intrusion attempt.

It has even come in handy with the departure of an employee in the past week who tried accessing the system using accounts of other users. I was notified immediately of the account used and the originating IP information so that I could immediately go after the guy. Though still a reactive solution, it has cut my reaction time to virtually nothing...”

Anonymous at Mexico

“I started using ossec after watching the SANS webcast about it. I tried it for a few days in a demo environment and then decided to deploy it on all of my network. I had a few Linux servers (Redhat), one Solaris system and a dozen Windows desktops. I am glad I deployed it... Just after the install, ossec found some rootkits on one of my linux servers that had an FTP server installed and the presence of some suspicious files on the web server.

After some investigation I found that the web server was running an old version of a CMS software and that it had a bot installed. In addition to that, it helped me discover some problems on my web server (crashing constantly) and to control FTP/SSH brute force attacks. Thanks for the software...”