Daniel is currently working at Q1 Labs as a software engineer and has in the past worked at Sourcefire, NIH and at a few other companies as a security consultant.

Daniel can be contacted at dcid @ ( at ) ossec.net .


Talk:
Log analysis using ossec

Abstrakt:
OSSEC is an open source HIDS (host-based intrusion detection system), but what is not widely known about it, is that it is a very powerful solution for centralized security log analysis and correlation.

This presentation will provide a technical overview of how ossec works, how it does its internal analysis and correlation and how you can expand it for your own needs. The following topics will be covered:

1 What is ossec
2 How it works
2.1 Internal processes
2.2 Centralized architecture
2.3 Server/agents communication
3 Deep into log decoding (extracting useful data)
3.1 Decoding firewall, IDS and authentication logs
3.2 Creating FTS (also known as NBS) entries
4 Deep into log analysis rules
4.1 Examples of rules
4.2 Rules syntax
4.3 Correlating logs
4.4 Generating alerts
5 Customizing ossec
5.1 Active responses
5.2 Performance considerations
6 Log security monitoring
6.1 Interesting patterns
6.2 Reducing false positives