Importing OSSEC security rules

OSSEC is a host-based intrusion detection system (HIDS). It includes a monitoring and log analysis module. For more information, visit the OSSEC website.

SES Evolution is equipped with a similar analysis engine, which can monitor the following in real time:

  • Log files from third-party applications,
  • Windows events in event logs.

The aim of this type of monitoring is to extract information from the events and log lines collected on SES Evolution agents, classify that information to identify abnormal or suspicious activity, and generate alarms when such activity is found.

EXAMPLE
You can monitor password-based authentication attempts on a FileZilla server from the same IP address, and raise alarms when there are multiple failures followed by a successful authentication.
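The following is an added illustration of the correlation described in this example, not code from SES Evolution or OSSEC: it parses FileZilla-style log lines, counts failed logins per source IP address, and raises an alarm when a successful login from the same address follows at least a threshold number of failures. The sample log lines and their layout are constructed for the example (loosely modelled on FileZilla Server's log format), and the failure threshold of 3 is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample log, loosely modelled on FileZilla Server's log layout.
# 192.0.2.10 fails three times and then logs in; 198.51.100.7 fails once and
# then logs in, which should not raise an alarm at a threshold of 3.
SAMPLE_LOG = """\
(000012)18/11/2023 09:14:00 - (not logged in) (192.0.2.10)> USER alice
(000012)18/11/2023 09:14:01 - (not logged in) (192.0.2.10)> 530 Login or password incorrect!
(000013)18/11/2023 09:14:05 - (not logged in) (192.0.2.10)> 530 Login or password incorrect!
(000014)18/11/2023 09:14:09 - (not logged in) (192.0.2.10)> 530 Login or password incorrect!
(000015)18/11/2023 09:14:15 - alice (192.0.2.10)> 230 Logged on
(000016)18/11/2023 09:20:00 - (not logged in) (198.51.100.7)> 530 Login or password incorrect!
(000017)18/11/2023 09:20:04 - bob (198.51.100.7)> 230 Logged on
"""

# Assumed line layout: (session)timestamp - user (ip)> code message
# Lines that carry a client command instead of a 3-digit reply code do not match.
LINE_RE = re.compile(
    r"^\((?P<session>\d+)\)(?P<ts>[^-]+) - (?P<user>.+?) \((?P<ip>[\d.]+)\)> "
    r"(?P<code>\d{3}) (?P<msg>.*)$"
)

FAILED_LOGIN = "530"   # FTP reply code: not logged in
SUCCESSFUL_LOGIN = "230"  # FTP reply code: user logged in


def parse_line(line):
    """Return a dict of fields for a server reply line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["ts"] = fields["ts"].strip()
    return fields


def find_suspicious_logins(lines, threshold=3):
    """Return one alarm per successful login preceded by >= threshold failures
    from the same IP address. The failure counter resets on every success."""
    failures = defaultdict(int)
    alarms = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # command lines and unparsable lines are ignored
        ip, code = ev["ip"], ev["code"]
        if code == FAILED_LOGIN:
            failures[ip] += 1
        elif code == SUCCESSFUL_LOGIN:
            if failures[ip] >= threshold:
                alarms.append({
                    "ip": ip,
                    "user": ev["user"],
                    "failures": failures[ip],
                    "ts": ev["ts"],
                })
            failures[ip] = 0
    return alarms


if __name__ == "__main__":
    for alarm in find_suspicious_logins(SAMPLE_LOG.splitlines()):
        print(f"ALARM {alarm['ts']}: {alarm['failures']} failed logins from "
              f"{alarm['ip']} followed by successful login as {alarm['user']}")
```

The counter is keyed on the source IP address rather than on the user name, because the failures in this pattern are typically logged before any account is known; resetting it on success keeps an ordinary user who mistypes a password twice from accumulating towards the threshold across sessions.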

NOTE
OSSEC analysis options will not be covered in detail in this document. Please refer to the relevant OSSEC documentation.