Daniel Cid


About speaker:
Daniel B. Cid is the lead developer and author of OSSEC, an open source HIDS and log analysis tool. He has been working with network security and software development for many years and holds a special passion for log analysis and host-based intrusion detection.

Daniel is currently working at Q1 Labs as a software engineer and has in the past worked at Sourcefire, NIH and at a few other companies as a security consultant.

Daniel can be contacted at dcid (at) ossec.net.

Log analysis using ossec

OSSEC is an open source HIDS (host-based intrusion detection system), but what is not widely known about it is that it is also a very powerful solution for centralized security log analysis and correlation.

This presentation will provide a technical overview of how ossec works, how it performs its internal analysis and correlation, and how you can extend it for your own needs. The following topics will be covered:

1 What is ossec
2 How it works
2.1 Internal processes
2.2 Centralized architecture
2.3 Server/agents communication
3 Deep into log decoding (extracting useful data)
3.1 Decoding firewall, IDS and authentication logs
3.2 Creating FTS (also known as NBS) entries
4 Deep into log analysis rules
4.1 Examples of rules
4.2 Rules syntax
4.3 Correlating logs
4.4 Generating alerts
5 Customizing ossec
5.1 Active responses
5.2 Performance considerations
6 Log security monitoring
6.1 Interesting patterns
6.2 Reducing false positives