Importing OSSEC security rules
OSSEC is a host-based intrusion detection system (HIDS). It includes a monitoring and log analysis module. For more information, visit the OSSEC website.
SES Evolution is equipped with a similar analysis engine, which can monitor the following in real time:
- Log files from third-party applications,
- Windows events in event logs.
The aim of this type of monitoring is to extract information from the events and log lines collected on SES Evolution agents, and to classify that information in order to identify abnormal or suspicious activity and generate alarms.
EXAMPLE
You can monitor password-based authentication attempts on a FileZilla server from the same IP address, and raise alarms when there are multiple failures followed by a successful authentication.
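The scenario above expressed as an OSSEC decoder and rule set, added here as an example and not taken from the Stormshield documentation or from the OSSEC rule set. The FileZilla Server log line format (constructed sample lines in the comment), the decoder names and the rule IDs 100100-100104 are assumptions; the final rule follows the structure OSSEC's stock syslog rules use for "multiple failures followed by a success".

```xml
<!-- Decoders (normally kept in a decoder file, rules in a rules file; shown
     together here). Assumed FileZilla Server line format, constructed samples:
     (000004)11/25/2020 10:12:33 - (not logged in) (192.0.2.10)> 530 Login or password incorrect!
     (000004)11/25/2020 10:12:40 - alice (192.0.2.10)> 230 Logged on -->
<decoder name="filezilla">
  <prematch>^\(\d+\)\d+/\d+/\d+ \d+:\d+:\d+</prematch>
</decoder>
<decoder name="filezilla-auth-fail">
  <parent>filezilla</parent>
  <regex offset="after_prematch">\(not logged in\) \((\S+)\)> 530 Login</regex>
  <order>srcip</order>   <!-- srcip is the field same_source_ip correlates on -->
</decoder>
<decoder name="filezilla-auth-ok">
  <parent>filezilla</parent>
  <regex offset="after_prematch">- (\S+) \((\S+)\)> 230 Logged on</regex>
  <order>user, srcip</order>
</decoder>

<group name="filezilla,">
  <rule id="100100" level="0">
    <decoded_as>filezilla</decoded_as>
    <description>FileZilla Server messages grouped.</description>
  </rule>
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <match>530 Login or password incorrect</match>
    <description>FileZilla: password authentication failed.</description>
    <group>authentication_failed,</group>
  </rule>
  <rule id="100102" level="3">
    <if_sid>100100</if_sid>
    <match>230 Logged on</match>
    <description>FileZilla: authentication succeeded.</description>
    <group>authentication_success,</group>
  </rule>
  <!-- Current event: a success. Previous events: several failures from the
       same source IP within the timeframe. OSSEC fires frequency-based rules
       after slightly more matches than the nominal frequency value. -->
  <rule id="100104" level="12" frequency="6" timeframe="360">
    <if_group>authentication_success</if_group>
    <if_matched_group>authentication_failed</if_matched_group>
    <same_source_ip />
    <description>FileZilla: multiple authentication failures followed by a success.</description>
    <group>authentication_success,</group>
  </rule>
</group>
```

Rule 100104 only correlates events seen by the same agent, which is the limitation described below for SES Evolution's local analysis.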
NOTE
OSSEC analysis options will not be covered in detail in this document. Please refer to the relevant OSSEC documentation.
The Stormshield analysis engine and OSSEC differ in several ways:
- OSSEC collects logs on agents and analyzes them centrally on the server, whereas SES Evolution analyzes logs locally on each agent. Events of the same nature occurring on separate agents therefore cannot be correlated.
- Unlike OSSEC, SES Evolution does not allow decoders and custom rules to be compiled. However, the rule is_simple_http_request, which OSSEC provides as an example yet uses in its standard configuration, is supported in SES Evolution.
For further information regarding all the OSSEC functions that SES Evolution supports, refer to Supported OSSEC functions.