
An Open Source Security Triple Play

ScuttleMonkey posted about 8 years ago | from the wake-me-up-when-things-are-goin-down dept.


Marcus Maciel writes to tell us that Linux.com's Joe Barr recently took a look at OSSEC-HIDS, an open source host intrusion detection system. From the article: "According to the OSSEC-HIDS Web site, it's more than a host intrusion detection system (IDS). It's also a security event manager and a security information manager, which makes it the security equivalent of a hat trick in hockey, a triple play in baseball, or a rare triple-double in basketball. OSSEC-HIDS runs on both Windows and Linux/Unix. You can download the latest version along with the project's PGP public key, so you can verify the download." Linux.com and Slashdot are both owned by OSTG.

65 comments

Sporting Analogies (-1, Offtopic)

Anonymous Coward | about 8 years ago | (#15864614)

Why so many sporting analogies?

Re:Sporting Analogies (4, Funny)

Xserv (909355) | about 8 years ago | (#15864648)

Exactly. What makes them think we'll understand any of that? We're nerds. Basketball? Hmm. How about pong?

Xserv

Re:Sporting Analogies (1)

dnoyeb (547705) | about 8 years ago | (#15864774)

Or Mortal Kombat. "FATALITY!"

How about a double-jump... (1)

SpzToid (869795) | about 8 years ago | (#15864916)

...as in checkers?

--

Vote with all your heart, but get a healthy dosage of mass-media first. Or just don't vote at all!

Re:How about a double-jump... (1)

Xserv (909355) | about 8 years ago | (#15865101)

Blasphemy!! We're in the digital age! heh.

Re:Sporting Analogies (3, Insightful)

MaxInBxl (961814) | about 8 years ago | (#15864714)

Ok so it's a security tool with 3 different "modules". Fantastic, probably a first in the software industry.

Re:Sporting Analogies (2, Insightful)

Alioth (221270) | about 8 years ago | (#15865148)

Why couldn't they have just SAID that instead of this ridiculous sporting analogy which sounds like rapid-fire buzzwords from a marketdroid? I couldn't resist tagging the article 'badsportinganalogy'.

Re:Sporting Analogies (1)

ObsessiveMathsFreak (773371) | about 8 years ago | (#15864915)

Most people cannot and will not understand anything at all unless it can be related to their everyday experiences. And since most people spend more time consumed in sports than a Korean Starcraft player spends in a games cafe, it's a safe bet that sports analogies will help carry the point across to those who would otherwise ignore it.

Re:Sporting Analogies (2, Insightful)

Shaper_pmp (825142) | about 8 years ago | (#15864966)

Except this is Slashdot, not ESPN. For clarity analogies should probably be restricted to politics, code, IT infrastructure and cars (failed).

Plus, of course, the analogy in the summary was so long by the time it finished I'd almost forgotten what the summary was about...

Re:Sporting Analogies (1)

shish (588640) | about 8 years ago | (#15865687)

cars (failed).

This is like a car with three wheels! (?)

Re:Sporting Analogies (1)

sootman (158191) | about 8 years ago | (#15866563)

OSSEC is like a car that can take you places, make you a sandwich, and perform oral sex on you while driving. Better?

Re:Sporting Analogies (2, Interesting)

ryanhornbeck (946367) | about 8 years ago | (#15864959)

Not to get anal, but a triple play is MUCH more rare than either a triple-double or a hat trick.

MLB: 30 teams x 162 games = 4860 games (possibly 2 triple plays per season or 1 every 2430 games)
NBA: 30 teams x 82 games = 2460 games (23 triple-doubles last season or 1 every 106.95652173913043478260869565217 games)
NHL: 30 teams x 82 games = 2460 games (84 hat tricks last season or 1 every 29.285714285714285714285714285714 games)

Re:Sporting Analogies (1)

infosec_spaz (968690) | about 8 years ago | (#15865155)

GEEK!!!...Oh, wait, Like you didn't know that :o)

Re:Sporting Analogies (1)

ryanhornbeck (946367) | about 8 years ago | (#15865287)

Yeah, way geeky. Never could understand the disconnect between the average geek and sports statistics.

Re:Sporting Analogies (0)

Anonymous Coward | about 8 years ago | (#15865405)

Actually, since 2 teams are required for each game, there are only 1/2 as many games. So everything you calculated is really 1/2 as likely as that. Also I am not a baseball fan, but I'm guessing there is little more than conjecture behind '2 triple plays per season'.

Re:Sporting Analogies (1, Insightful)

Anonymous Coward | about 8 years ago | (#15865288)

You are not a true geek (and far from being anal ;-). Number of games is not teams x games_a_team_plays_in_a_season. You cannot count the games twice.

MLB: 162!/132!
NBA: 82!/52!
NHL: 82!/52!

Re:Sporting Analogies (0)

Anonymous Coward | about 8 years ago | (#15865589)

Totally wrong. There are no factorials

  MLB: 162 x 30 / 2 (regular season)
      ~26 (league championships)
          4 (World series when Red Sox win)
    or 7 (normal World Series)

Re:Sporting Analogies (0)

Anonymous Coward | about 8 years ago | (#15865408)

Nitpick: you seem to have counted each game twice. That does not change your point, though.

Re:Sporting Analogies (1)

ryanhornbeck (946367) | about 8 years ago | (#15902103)

Each game counts as a game to each team. Each team plays 162 games in baseball, even if there are two teams per contest. You can only observe the opportunities to perform a triple play from the standpoint that you are playing defense half the time. You guys have confused your logic. Each game a team had the opportunity to defend for 27 outs. The other team has the exact same opportunity, except when the home team is winning after the top of the 9th inning is completed. Maybe this doesn't stand up the same with NBA or NHL teams due to variable lengths of possession, but it does in MLB. 30 teams x 162 *OPPORTUNITIES TO PERFORM A TRIPLE PLAY* (+/- 3 outs) = 4860 OPPORTUNITIES (2 in a season, or 1 every 2430). Suck on it.

Frosty piss! (-1, Troll)

Anonymous Coward | about 8 years ago | (#15864616)

NIGGA!

I'm not a proper geek! (2, Funny)

HugePedlar (900427) | about 8 years ago | (#15864632)

I'm so embarrassed. I truly thought this was about physical building security with cameras and PIRs and shit.

To whom do I report to hand back my geek membership card?

Re:I'm not a proper geek! (1, Funny)

Aladrin (926209) | about 8 years ago | (#15864661)

After so many sports analogies (none of which I understood, thank the heavens) I think you can be forgiven. The summary clearly wasn't aimed at us, so misunderstandings should be expected.

No need to feel dirty, my geeky friend. Go on your way with a clear conscience.

Re:I'm not a proper geek! (1)

XaXXon (202882) | about 8 years ago | (#15864779)

I need to turn in mine, too.

I actually got all the sporting metaphors and wish to correct.. or at least clarify on them.

Many more basketball triple-doubles occur during the course of a basketball season and hat-tricks in a hockey/soccer/"football" season than do triple plays in baseball.

Triple plays aren't about skill, they're about a very specifically hit ball under a fairly rare circumstance.

Triple Double (1)

prophase_j (545900) | about 8 years ago | (#15864672)

I just learned what that means! Yay Google.

Re:Triple Double (1)

adrianhensler (454654) | about 8 years ago | (#15864710)

It's what I get in my extra large Tim's. I don't get those sports analogies (being a True Geek); so let me try it my way: I like my IDS's like I like my coffee; sugary sweet and really hot.

Nope; still don't get it.

Triple Double (Defined) (1)

Hwyman (840955) | about 8 years ago | (#15866284)

From Wikipedia:

A triple-double is a basketball term, defined as an individual performance in a game in which a player accumulates double-digit totals (i.e., 10 or more) in any three of these categories: points, rebounds, assists, steals, and blocked shots.

The most common way for a player to achieve a triple-double is with points, rebounds, and assists, though on occasion elite defensive players may record 10 or more steals or blocked shots in a game.

A triple-double is seen as an indication of an excellent all-around individual performance. In the American National Basketball Association, they are rare but not unheard-of, as the top players can accumulate around 10 (out of a possible 82) in a season. It should be noted that the criteria for an assist has been relaxed over time, making triple-doubles more common in today's game than it was prior to the 1980's

Re:Triple Double (Defined) (0)

Anonymous Coward | about 8 years ago | (#15870314)

Way to copy/paste from the wikipedia article without attribution, dude.

Good but could be improved (4, Interesting)

datasetgo (751392) | about 8 years ago | (#15864673)

While OSSEC HIDS looks like the beginnings of a good solution (aside from the name - sheesh - sounds like a sneeze) I'd like to see integration of projects like DShield.org [dshield.org] and maybe some community-maintained updates for rootkit definitions and such. APF/BFD [rfxnetworks.com] does this - why not OSSEC HIDS?
Gesundheit.

Translation (2, Funny)

lisaparratt (752068) | about 8 years ago | (#15864675)

"It makes it the equivalent of massive hyperbole amongst rational discussion!"

Re:Translation (1)

$RANDOMLUSER (804576) | about 8 years ago | (#15864683)

Onion is to hair dryer as (three) sports analogies is to security product.

OSSEC is great (5, Informative)

Darkael (969121) | about 8 years ago | (#15864684)

Here is a list of what OSSEC can do if you are too lazy to RTFA:
- Log Analysis, with a powerful xml-based rules system
- File integrity checker
- Rootkit detection
- Active response (automatically ban hosts on critical alerts)
- Mail reporting
- Server/clients or local installation

It's GPL and runs on many *nix OS. I've tried OSSEC for a few months to monitor a few servers and I must say I'm pretty impressed with it. Its log analysis system is powerful and easy to understand. I've met a few false positives, but you can easily define your own rules to ignore some events. The project is a bit young, but development is very active. Definitely worth trying if you are interested in Unix security.
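The log analysis, frequency-based alerting and active response that Darkael lists, as an added example that is not OSSEC's own code: a Python sketch in the style of OSSEC's frequency/timeframe rules, run over constructed sshd log lines. The year, the thresholds, the block timeout and the function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd syslog lines (not from the page). 203.0.113.7 fails four
# times within 10 s; 198.51.100.9 fails four times but only once every 4 min.
SAMPLE_LOG = """\
Aug 10 10:00:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 4001 ssh2
Aug 10 10:00:03 host sshd[2002]: Failed password for root from 198.51.100.9 port 4002 ssh2
Aug 10 10:00:04 host sshd[2003]: Failed password for root from 203.0.113.7 port 4003 ssh2
Aug 10 10:00:06 host sshd[2004]: Accepted password for alice from 192.0.2.5 port 4004 ssh2
Aug 10 10:00:08 host sshd[2005]: Failed password for invalid user test from 203.0.113.7 port 4005 ssh2
Aug 10 10:00:11 host sshd[2006]: Failed password for root from 203.0.113.7 port 4006 ssh2
Aug 10 10:04:00 host sshd[2007]: Failed password for root from 198.51.100.9 port 4007 ssh2
Aug 10 10:08:00 host sshd[2008]: Failed password for root from 198.51.100.9 port 4008 ssh2
Aug 10 10:12:00 host sshd[2009]: Failed password for root from 198.51.100.9 port 4009 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port"
)
YEAR = "2006"  # syslog lines carry no year; assumed for the constructed sample


def parse_failed_login(line):
    """Return (timestamp, source_ip) for an sshd failure line, else None."""
    m = FAILED.match(line)
    if not m:
        return None
    ts = datetime.strptime(YEAR + " " + m.group("ts"), "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")


def correlate(lines, frequency=4, timeframe=120):
    """Alert when one source IP produces `frequency` failures inside
    `timeframe` seconds; returns a list of (ip, time_of_alert)."""
    window = timedelta(seconds=timeframe)
    recent = defaultdict(deque)  # ip -> failure timestamps still in the window
    alerts = []
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue  # only failure events feed this rule
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop events older than the timeframe
        if len(q) >= frequency:
            alerts.append((ip, ts))
            q.clear()  # one alert per burst, then start counting again
    return alerts


def active_response(alerts, timeout=600):
    """Map alerts to (ip, seconds) block decisions for a firewall script."""
    return [(ip, timeout) for ip, _ in alerts]


if __name__ == "__main__":
    found = correlate(SAMPLE_LOG.splitlines())
    for ip, when in found:
        print(f"brute force from {ip} at {when:%H:%M:%S}")
    print(active_response(found))
```

With the 120 s timeframe only the burst from 203.0.113.7 fires; widening the timeframe to 900 s also catches the slow attempts from 198.51.100.9.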

Re:OSSEC is great (1, Interesting)

ricotest (807136) | about 8 years ago | (#15864743)

Nagios [nagios.org] has been doing Open Source security since 1996 and looks much the same.

Re:OSSEC is great (3, Informative)

Farce Pest (67765) | about 8 years ago | (#15864812)

Uh, no. Nagios is great for monitoring network services and local services, but it is not an IDS, and it does not look at logs or look for modified files or rootkits. There are some plugins that allow at least one IDS (Prelude) to talk to Nagios, but that's a separate product.

Re:OSSEC is great (2, Interesting)

Darkael (969121) | about 8 years ago | (#15864828)

Well, can Nagios detect an SSH brute force attack, report it to you by mail and ban the offending IP, out of the box with almost no configuration to do?

Last time I checked Nagios was a general-purpose monitoring system, a pain in the ass to configure and too bloated if all you want is just improving your security. An HIDS like OSSEC is better suited for this kind of task.

Re:OSSEC is great (1)

caluml (551744) | about 8 years ago | (#15864899)

Que? Nagios is a tool for monitoring and alerting. As far as I know, it doesn't do stuff like detect cracking attempts, and block them, etc.
Are you thinking of Snort, maybe?

For those who don't get how great this is (5, Funny)

CosmeticLobotamy (155360) | about 8 years ago | (#15864721)

It's true that it's like a hat trick, triple-double, and that other thing, but if you don't know what any of those things are, it's also like a hole-in-three in golf, or three goals in three non-consecutive games of soccer, or to go in a non-sporting direction, three pieces of ham on a ham sandwich. But I guess the simplest way to explain it is that it does three separate things. Three! I know it's a bit complicated, so I can explain further using many, many more analogies if need be. Just let me know.

Re:For those who don't get how great this is (3, Funny)

Whiney Mac Fanboy (963289) | about 8 years ago | (#15864763)

three pieces of ham on a ham sandwich. **snip** I can explain further using many, many more analogies if need be. Just let me know.

I'm not sure I'm following here - is that brown bread or white bread? Smoked ham or honey cured?

Re:For those who don't get how great this is (1)

MrP-(at work) (839979) | about 8 years ago | (#15864814)

mmmm ham

Re:For those who don't get how great this is (0)

Anonymous Coward | about 8 years ago | (#15865409)

It's like three girls on...

oh, forget it.

Ironically... (4, Insightful)

daBass (56811) | about 8 years ago | (#15864777)

The metaphors used in the summary indicate three *the same* things while the product in question does three *different* things.

Re:Ironically... (0)

Don853 (978535) | about 8 years ago | (#15865219)

Well, except for the triple double.

Re:Ironically... (1)

nadamsieee (708934) | about 8 years ago | (#15865290)

The metaphors used in the summary indicate three *the same* things while the product in question does three *different* things.

Actually, a triple-double [wikipedia.org] in basketball is when a player does three different things 10 or more times each in a single game.

Re:Ironically... (1)

daBass (56811) | about 8 years ago | (#15865524)

And people keep track of that sort of thing? They need to get a life; I thought basket ball was one of the few sports that was actually exciting enough on its own without the need for anoraks to keep useless statistics! ;-)

Re:Ironically... (1)

MrPink2U (633607) | about 8 years ago | (#15868610)

Basketball is one word.

Re:Ironically... (1)

technococcus (990913) | about 8 years ago | (#15865443)

Ah, but the three "different" things all do the same thing: Increase security.

So, the analogy is more apt than it may at first seem.

Re:Ironically... (1)

daBass (56811) | about 8 years ago | (#15865765)

Not quite, really.

The goal of the sports is to increase the score, the cool thing is if someone does the same thing 3 times to achieve that.

The goal here is - as you say - to increase security. But here it is still being celebrated that three *different* things are done to achieve that. (except in the case of the "triple double", but that is the exception that proves the rule. Plus it is a ridiculous statistic anyway.)

Sorry, had to have the last word! :P

Re:For those who don't get how great this is (4, Funny)

dpiven (518007) | about 8 years ago | (#15864831)

Or, put another way, it's like having a wife, a girlfriend, AND an inflatable doll in your briefcase.

(If you just thought, "if I had a girlfriend, how would I get her to stay in my briefcase?", you might be a /.er)

Re:For those who don't get how great this is (1)

chawly (750383) | about 8 years ago | (#15864850)

My thought was "if I had a girlfriend, why would I want to fit her into my briefcase?" This thought was immediately followed by "how would I carry the briefcase, one-handed and with a casual expression".

Re:For those who don't get how great this is (1)

Shaper_pmp (825142) | about 8 years ago | (#15864978)

I can't believe we haven't had a failed car analogy yet.

So... it's a bit like a car that goes forwards and backwards, right?

Re:For those who don't get how great this is (1)

krewemaynard (665044) | about 8 years ago | (#15865569)

So... it's a bit like a car that goes forwards and backwards, right?

AND it turns! HAT TRICK

Re:For those who don't get how great this is (1)

Shaper_pmp (825142) | about 8 years ago | (#15872972)

Except, y'know, now the analogy works, neatly ruining the joke.

(Shakes head sadly...)

Re:For those who don't get how great this is (1)

Lord Ender (156273) | about 8 years ago | (#15865396)

One... Two... FIVE!

Three, sir!

Three!

Re:For those who don't get how great this is (1)

elrous0 (869638) | about 8 years ago | (#15865454)

it's also like a hole-in-three in golf

In former Soviet Russia, losing wrong golf game get you put in hole FOR three.

-Eric

Ok if playing against Yankees, Knicks or Rangers (1)

schwit1 (797399) | about 8 years ago | (#15864829)

Hopefully your IT security has a bit less random chance than these sporting events' rare occurrences.

I suspect the black hats use the same metaphors to describe success, including goooooooooooooooooal!

So, erm... (0)

Anonymous Coward | about 8 years ago | (#15864842)

... How many things does it do again?

how about... (1)

aquabat (724032) | about 8 years ago | (#15864848)

Is it anything like the ultra-rare "menage a quatre" of sexual intercourse?

I've used this system for a while now... (3, Informative)

Victor Fors (987095) | about 8 years ago | (#15864977)

It's actually quite useful, and not only from a security/intrusion standpoint; it reads the system logs and reports on errors. And the best thing about it is, it's self-learning! It will count the number of times a certain (low-level, as in "cannot find file" type) system error is encountered, and then, if it appears often enough on a regular basis it learns to ignore it. Very neat.

Re:I've used this system for a while now... (1)

cdep_illabout (992133) | about 8 years ago | (#15868982)

It's actually quite useful, and not only from a security/intrusion standpoint; it reads the system logs and reports on errors. And the best thing about it is, it's self-learning!
I, for one, welcome our new, hard-to-say, triple-ham-sandwich overlords.

Mmmmm....BEER! (0)

infosec_spaz (968690) | about 8 years ago | (#15865138)

I just love this stuff!!! This is to me, what a good Duff is to Homer Simpson!!!

How soon before (1)

WindBourne (631190) | about 8 years ago | (#15865614)

there is a proper virus that works on Mac-Intel, Windows, and Linux?

Re:How soon before (1)

Pollardito (781263) | about 8 years ago | (#15867160)

If such a virus also worked on BSD it would be the viral equivalent of hitting for the cycle in baseball or winning the grand slam in tennis. I'm just trying to lend a hand to future editors of its introduction article.

PGP "verification" (1)

jonabbey (2498) | about 8 years ago | (#15865865)

Of course we all remember that PGP verification only means that the download was signed off on by the person or persons in possession of the corresponding PGP private key, not that that person is necessarily competent or trustworthy.

PGP/GPG signing is great, and necessary, but not sufficient for trust.

doesn't seem to be any uninstall scripts (1)

boojumbadger (949542) | about 8 years ago | (#15866013)

just saying...

Articles should relate to existing work... (0)

Anonymous Coward | about 8 years ago | (#15867652)

  • Can this system serve as a prelude [prelude-ids.org] sensor? How about commercial aggregators?
  • How does it compare to other log summarizing tools?
  • Do any security monitoring services support it?

Tried it... it's so-so (1)

zaqattack911 (532040) | about 8 years ago | (#15874910)

Great install script... but it seems to not work if I try an installation location other than /var/ossec. The rule-based "xml" for identifying problems in logfiles is great. The active response doesn't work. I've tried everything, EVERYTHING, and injecting all sorts of attacks didn't even cause the firewall script to block the IP. I searched and tried, and fiddled, and cried. Nada.