FOSDEM '10 is a free and non-commercial event organized by the community, for the community. Its goal is to provide Free and Open Source developers a place to meet. No registration necessary.


Interview: Wim Remes

Wim Remes will give a talk about OSSEC at FOSDEM 2010.

Could you briefly introduce yourself? And how are you involved in OSSEC?

I have been a security consultant working in Belgium for 12 years. I started out as a systems engineer and have educated myself, mainly motivated by a passion for security, both from the offensive and the defensive angle. I am not directly involved in the OSSEC project but I got interested when I first found out about the project, which must have been about 3 years ago. I used it in some projects and kept a close eye on its evolution.

Daniel and his (small) crew have gone a long way since then and while I'm a crappy programmer, I feel I can indirectly contribute to the project by spreading its name, using it in small and big deployments and providing feedback about our use cases to the project team and the community.

What will your talk be about, exactly?

One of the bigger problems in IT infrastructures (be it open or closed source) is logging, log management and event management. We have no real standards and unfortunately, logs are mainly used as a source of information in a reactive sense. I will first touch upon the general issues of logging, what we have now and what is in the pipeline, and what programmers in general can do to make sure their logging is not only usable by themselves. I'll try to keep this as short as possible. After that we will delve into the architecture of OSSEC and the power that lies within this solution. I will show some ways how people can get results very fast, both in large- and small-scale deployments. Rule hierarchy, Active Response, integrity checking are some of the features I will shine a brighter light on.

What do you hope to accomplish by giving this talk? What do you expect?

Log management, unfortunately, is the type of project that is generally driven by a need for compliance. Some regulatory body requires you to perform log management. In order to get that box checked, companies will generally choose a proprietary solution that will (maybe) cover 60 to 80% of your log management needs. This is the typical type of problem that you cannot buy a product for, hook it up in the network and forget about it. Log management (and especially event management) is hard work, no matter what this nice salesperson will tell you. I have had great results with this open source solution and I'm convinced that people can achieve the same results.

What's the history of the OSSEC project? How did it evolve?

Daniel started this project because he had a problem that he couldn't get solved with other solutions. In the early stages of OSSEC, which started out as 'syscheck', it merely centralized the events triggered by Tripwire. Daniel released a first open source version in 2005, which basically grouped separate tools that were added to syscheck into the first OSSEC package and it has only gotten better since then.

The OSSEC project was acquired by Third Brigade in 2008 which allowed Daniel to increase the amount of time he could spend on the project and for customers brought the added advantage that they could buy official support contracts if they so wished. In 2009 Third Brigade got acquired by Trend Micro, which has vowed to keep OSSEC open source.

What are you using OSSEC for?

The environments I'm involved in range from about 50 systems up to thousands of systems. I use OSSEC to develop log and event management solutions for all these environments. It's really that scalable and that flexible. With OSSEC I'm not limited to the supported applications or operating systems. I have installed OSSEC on Windows, several Linux flavors, AIX, Solaris and analyzed logs from dozens of network appliances. You can write (custom) rules for about any application that does some kind of logging.

To me, as an outsider, it seems that OSSEC has a solid reputation in the community, even after it has been acquired by Third Brigade and later by Trend Micro. Is this observation correct? How is the collaboration between the OSSEC community and Trend Micro?

Yes, I think your observation is correct. I think this is because both Third Brigade and Trend Micro never tried to make OSSEC into a cash cow of sorts but allowed the project to continue as it is going, for and with the community.

I personally have no experience dealing with Trend Micro itself. All communications from and about the project, including support on the mailing list and releases, come directly from Daniel. Nothing has changed on that level either.

What's, according to you, the unique selling point of OSSEC that makes it attractive as an intrusion detection system?

Firstly, its support for a plethora of operating systems. The OSSEC installer deploys the solution on any box you might own. I still have to see the HIDS solution that installs on your *nix machines (Linux, Solaris, AIX, ...), Windows machines and eats about any logs coming in from this or that exotic appliance in your infrastructure. With that comes the support for events from dozens of applications and the flexibility for you to change any default rule or add your own ruleset as you wish. In this type of solution flexibility is the key factor. You will need to mold your solution to the infrastructure as any (or too many) false positives will get ignored in the end, opening your system to compromise.

What are currently the downsides to OSSEC?

I obviously don't see many downsides in OSSEC as it is, for me, a building block in solutions I offer to my customers. Many might consider the lack of a GUI as a serious downside. Most xIDS solutions try to seduce you with eye candy. OSSEC has a rudimentary webGUI that allows you to analyze events but it isn't competitive with standard solutions yet. OSSIM, a separate project that includes OSSEC as one of its building blocks, does a better job at displaying the data to users.

I also feel that the reporting feature that is currently available might use some additional development.

Which features can we expect in OSSEC in the near future?

Version 2.3 was just released in December and made a jump forward once again. I'm sure Daniel is already working on the next version, but I'm not aware of which features he plans to add or improve. I do hope he finds time to redo the WebGUI and maybe the reporting utility.

Apart from that, OSSEC had great support within Splunk 3.x, but the Splunk application has not been ported to Splunk 4.x yet. I hope to see progression, which is independent from the OSSEC project itself, on that part too.

Looking through the OSSEC mailing list, it struck me that you are actively helping other users, answering their questions. What motivates you to take time for this?

For me this comes naturally. When I started out using OSSEC, I relied on different sources for information as well. I've always been thankful to the people that devoted time to answer my questions. If we don't answer the questions that are asked, people will drop from OSSEC to another solution with the quickness. As it is a community solution, part of its power lies in users helping other users out.

Have you enjoyed previous FOSDEM editions?

I must admit that I'm, before everything, a security geek. FOSDEM isn't the type of conference I would normally attend but as they have provided a very good security-related track for years, I have made a place in my heart for this conference. I think the quality of the speakers and the atmosphere at the conference make it very unique. I remember seeing people like H.D. Moore and Pete Herzog present here, in 2007 if I remember correctly, and some of the ideas I picked up there, I still put to work on a daily basis now.

Creative Commons License
This interview is licensed under a Creative Commons Attribution 2.0 Belgium License.