An Open Source Security Triple Play

Marcus Maciel writes to tell that Linux.com's Joe Barr recently took a look at OSSEC-HIDS, an open source host intrusion detection system. From the article: "According the OOSEC-HIDS Web site, it's more than a host intrusion detection system (IDS). It's also a security event manager and a security information manager, which makes it the security equivalent of a hat trick in hockey, a triple-play in baseball, or a rare triple-double in basketball. OSSEC-HIDS runs on both Windows and Linux/Unix. You can download the latest version along with the project's PGP public key, so you can verify the download." Linux.com and Slashdot are both owned by OSTG.

Sporting Analogies

Why so many sporting analogies?

Re:Sporting Analogies

[Xserv]

Exactly. What makes them think we'll understand any of that? We're nerds. Basketball? Hmm. How about pong?

Xserv

Re:Sporting Analogies

[MaxInBxl]

Ok so it's a security tool with 3 different "modules". Fantastic, probably a first in the software industry.

Re:Sporting Analogies

[dnoyeb]

Or Mortal Kombat. "FATALITY!"

Re:Sporting Analogies

[ObsessiveMathsFreak]

Most people can not and will not understand anything at all unless it can be related to their everyday expieriences. And since most people spend more time consumed in sports than a korean Starcraft player spends in a games cafe, it's a safe bet that sports analogies will help carry the point across to those who would otherwise ignore it.

Re:Sporting Analogies

[ryanhornbeck]

Not to get anal, but a triple play is MUCH more rare than either a triple-double or a hat trick.

MLB: 30 teams x 162 games = 4860 games (possibly 2 triple plays per season or 1 every 2430 games)
NBA: 30 teams x 82 games = 2460 games (23 triple-doubles last season or 1 ever 106.95652173913043478260869565217 games)
NHL: 30 teams x 82 games = 2460 games (84 hat tricks last season or 1 every 29.285714285714285714285714285714 games)

Re:Sporting Analogies

[Shaper_pmp]

Except this is Slashdot, not ESPN. For clarity analogies should probably be restricted to politics, code, IT infrastructure and cars (failed).

Plus, of course, the analogy in the summary was so long by the time it finished I'd almost forgotten what the summary was about...

Re:Sporting Analogies

[Alioth]

Why couldn't they have just SAID that instead of this ridiculous sporting analogy which sounds like rapid-fire buzzwords from a marketdroid? I couldn't resist tagging the article 'badsportinganalogy'.

Re:Sporting Analogies

[infosec_spaz]

GEEK!!!...Oh, wait, Like you didn't know that :o)

Re:Sporting Analogies

[ryanhornbeck]

Yeah, way geeky. Never could understand the disconnect between the average geek and sports statistics.

Re:Sporting Analogies

You are not a true geek (and far from being anal ;-). Number of games is not teams x games_a_team_plays_in_a_season. You cannot count the games twice.

MLB: 162!/132!
NBA: 82!/52!
NHL: 82!/52!

Re:Sporting Analogies

Actually, since 2 teams are required for each game, there are only 1/2 as many games. So every thing you calculated is really 1/2 as likely as that. Also I am not a baseball fan, but I'm guessing there is little more than conjecture behind '2 triple plays per season'.

Re:Sporting Analogies

Nitpick: you seem to have counted each game twice. That does not change your point, though.

Re:Sporting Analogies

Totally wrong. There are no factorials

  MLB: 162 x 30 / 2 (regular season)
      ~26 (league championships)
          4 (World series when Red Sox win)
    or 7 (normal World Series)

Re:Sporting Analogies

[shish]

cars (failed).

This is like a car with three wheels! (?)

Re:Sporting Analogies

[sootman]

OSSEC is like a car that can take you places, make you a sandwich, and perform oral sex on you while driving. Better?

Re:Sporting Analogies

[ryanhornbeck]

Each game counts as a game to each team. Each team plays 162 games in baseball, even if there are two teams per contest. You can only observe the opportunities to perform a triple play from the standpoint that you are playing defense half the time. You guys have confused your logic. Each game a team had the opportunity to defend for 27 outs. The other team has the exact same opportunity, except when the home team is winning after the top of the 9th inning is completed. Maybe this doesn't stand up the same with NBA or NHL teams due to variable lengths of possession, but it does in MLB. 30 teams x 162 *OPPORTUNITIES TO PERFORM A TRIPLE PLAY* (+/- 3 outs) = 4860 OPPORTUNITIES (2 in a season, or 1 every 2430). Suck on it.

Frosty piss!

NIGGA!

I'm not a proper geek!

[HugePedlar]

I'm so embarassed. I truly thought this was about physical building security with cameras and PIRs and shit.

To whom to I report to hand back my geek membership card?

Re:I'm not a proper geek!

[Aladrin]

After so many sports analogies (none of which I understood, thank the heavens) I think you can be forgiven. The summary clearly wasn't aimed at us, so misunderstandings should be expected.

No need to feel dirty, my geeky friend. Go on your way with a clear conscience.

Re:I'm not a proper geek!

[XaXXon]

I need to turn in mine, too.

I actually got all the sporting metaphors and wish to correct.. or at least clarify on them.

Many more basketball triple-doubles occur during the course of a basketball season and hat-tricks in a hockey/soccer/"football" season than do triple plays in baseball.

Tripls plays aren't about skill, they're about a very specificly hit ball under a fairly rare circumstance.

Triple Double

[prophase_j]

I just learned what that means! Yay Google.

Re:Triple Double

[adrianhensler]

It's what I get in my extra large Tim's. I don't get those sports analogies (being a True Geek); so let me try it my way: I like my IDS's like I like my coffee; sugary sweet and really hot.

Nope; still don't get it.

Good but could be improved

[datasetgo]

While OSSEC HIDS looks like the beginnings of a good solution (aside from the name - sheesh - sounds like a sneeze) I'd like to see integration of projects like DShield.org and maybe some community-maintained updates for rootkit definitions and such. APF/BFD does this - why not OSSEC HIDS?
Gesundheit.

Translation

[lisaparratt]

"It makes it the equivalent of massive hyperbole amongst rational discussion!"

Re:Translation

[$RANDOMLUSER]

Onion is to hair dryer as (three) sports analogies is to security product.

OSSEC is great

[Darkael]

Here is a list of what OSSEC can do if you are too lazy to RTFA:
- Log Analysis, with a powerful xml-based rules system
- File integrity checker
- Rootkit detection
- Active response (automatically ban hosts on critical alerts)
- Mail reporting
- Server/clients or local installation

It's GPL and runs on many *nix OS. I've tried OSSEC for a few months to monitor a few servers and I must say I'm pretty impressed with it. Its log analysis system is powerful and easy to understand. I've met a few false positives, but you can easily define your own rules to ignore some events. The project is a bit young, but development is very active. Definitely worth trying if you are interested in Unix security.

Re:OSSEC is great

[ricotest]

Nagios has been doing Open Source security since 1996 and looks much the same.

Re:OSSEC is great

[Farce+Pest]

Uh, no. Nagios is great for monitoring network services and local services, but it is not an IDS, and it does not look at logs or look for modified files or rootkits. There are some plugins that allow at least one IDS (Prelude) to talk to Nagios, but that's a separate product.

Re:OSSEC is great

[Darkael]

Well, can Nagios detect a SSH brute force attack, report it to you by mail and ban the offending IP, out of the box with almost no configuration to do?

Last time I checked Nagios was a general-purpose monitoring system, a pain in the ass to configure and too bloated if all you want is just improving your security. An HIDS like OSSEC is better suited for this kind of task.

Re:OSSEC is great

[caluml]

Que? Nagios is tool for monitoring, and alerting. As far as I know, it doesn't do stuff like detect cracking attempts, and block them, etc.
Are you thinking of Snort, maybe?

For those who don't get how great this is

[CosmeticLobotamy]

It's true that it's like a hat trick, triple-double, and that other thing, but if you don't know what any of those things are, it's also like a hole-in-three in golf, or three goals in three non-consecutive games of soccer, or to go in a non-sporting direction, three pieces of ham on a ham sandwich. But I guess the simplest way to explain it is that it does three seperate things. Three! I know it's a bit complicated, so I can explain further using many, many more analogies if need be. Just let me know.

Re:For those who don't get how great this is

[Whiney+Mac+Fanboy]

three pieces of ham on a ham sandwich. **snip** I can explain further using many, many more analogies if need be. Just let me know.

I'm not sure I'm following here - is that brown bread or white bread? Smoked ham or honey cured?

Re:For those who don't get how great this is

[MrP-(at+work)]

mmmm ham

Re:For those who don't get how great this is

[dpiven]

Or, put another way, it's like having a wife, a girlfriend, AND an inflatable doll in your briefcase.

(If you just thought, "if I had a girlfriend, how would I get her to stay in my briefcase?", you might be a /.er)

Re:For those who don't get how great this is

[chawly]

My thought was "if I had a girlfriend, why would I want to fit her into my briefcase ?" This thought was immediately followed by "how would I carry the briefcase, one-handed and with a casual expression".

Re:For those who don't get how great this is

[Shaper_pmp]

I can't believe we haven't had a failed car analogy yet.

So... it's a bit like a car that goes forwards and backwards, right?

Re:For those who don't get how great this is

[Lord+Ender]

One... Two... FIVE!

Three, sir!

Three!

Re:For those who don't get how great this is

It's like three girls on...

oh, forget it.

Re:For those who don't get how great this is

[elrous0]

it's also like a hole-in-three in golf

In former Soviet Russia, losing wrong golf game get you put in hole FOR three.

-Eric

Re:For those who don't get how great this is

[krewemaynard]

So... it's a bit like a car that goes forwards and backwards, right?

AND it turns! HAT TRICK

Re:For those who don't get how great this is

[Shaper_pmp]

Except, y'know, now the analogy works, neatly ruining the joke.

(Shakes head sadly...)

Ironically...

[daBass]

The metaphores used in the summary indicate three *the same* things while the product in question does three *different* things.

Re:Ironically...

[Don853]

Well, except for the triple double.

Re:Ironically...

[nadamsieee]

The metaphores used in the summary indicate three *the same* things while the product in question does three *different* things.

Actually, a triple-double in basketball is when a player does three different things 10 or more times each in a single game.

Re:Ironically...

[technococcus]

Ah, but the three "different" things all do the same thing: Increase security.

So, the analogy is more apt than it may at first seem.

Re:Ironically...

[daBass]

And people keep track of that sort of thing? They need to get a life; I though basket ball was one of the few sports that was actually exciting enough on its own with the need for annoracs to keep useless statistics! ;-)

Re:Ironically...

[daBass]

Not quite, really.

The goal of the sports is to increase the score, the cool thing is if someone does the same thing 3 times to achieve that.

The goal here is - as you say - to increase security. But here it is still being celebrated that three *different* things are done to achieve that. (except in the case of the "tripple double", but that is the exception that proves the rule. Plus it is a rediculous statistic anyway.)

Sorry, had to have the last word! :P

Re:Ironically...

[MrPink2U]

Basketball is one word.

Ok if playing against Yankees, Knicks or Rangers

[schwit1]

Hopefully your IT security has a bit less random chance than these sporting event's rare occurrences.

I suspect the black hats use the same metaphors to describe success, including goooooooooooooooooal!

So, erm...

... How many things does it do again?

how about...

[aquabat]

Is it anything like the ultra-rare "menage a quatre" of sexual intercourse?

How about a double-jump...

[SpzToid]

...as in checkers?

--

Vote with all your heart, but get a healthy dosage of mass-media first. Or just don't vote at all!

Re:How about a double-jump...

[Xserv]

Blasphemy!! We're in the digital age! heh.

Iv'e used this system for a while now...

[Victor+Fors]

It's actually quite useful, and not only from a security/intrusion standpoint; it reads the system logs and reports on errors. And the best thing about it is, it's self-learning! It will count the number of times a certain (low-level, as in "cannot find file" type) system error is encountered, and then, if it appears often enough on a regular basis it learns to ignore it. Very neat.

Re:Iv'e used this system for a while now...

[cdep_illabout]

It's actually quite useful, and not only from a security/intrusion standpoint; it reads the system logs and reports on errors. And the best thing about it is, it's self-learning!

I for one, welcome our new, hard-to-say, tripple-ham-sandwhich overlords.

Mmmmm....BEER!

[infosec_spaz]

I just love this stuff!!! This is to me, what a good Duff is to Homer Simpson!!!

How soon before

[WindBourne]

there is a proper virus that works on Mac-Intel, Windows, and Linux?

Re:How soon before

[Pollardito]

if such a virus also worked on BSD it would be the viral equivalent of hitting for the cycle in baseball or winning the grand slam in tennis. i'm just trying to lend a hand to future editors of its introduction article

PGP "verification"

[jonabbey]

Of course we all remember that PGP verification only means that the download was signed off on by the person or persons in possession of the corresponding PGP private key, not that that person is necessarily competent or trustworthy.

PGP/GPG signing is great, and necessary, but not sufficient for trust.

doesn't seem to be any uninstall scripts

[boojumbadger]

just saying...

Triple Double (Defined)

[Hwyman]

From Wikipedia:

A triple-double is a basketball term, defined as an individual performance in a game in which a player accumulates double-digit totals (i.e., 10 or more) in any three of these categories: points, rebounds, assists, steals, and blocked shots.

The most common way for a player to achieve a triple-double is with points, rebounds, and assists, though on occasion elite defensive players may record 10 or more steals or blocked shots in a game.

A triple-double is seen as an indication of an excellent all-around individual performance. In the American National Basketball Association, they are rare but not unheard-of, as the top players can accumulate around 10 (out of a possible 82) in a season. It should be noted that the criteria for an assist has been relaxed over time, making triple-doubles more common in today's game than it was prior to the 1980's

Re:Triple Double (Defined)

Way to copy/paste from the wikipedia article without attribution, dude.

Articles should relate to existing work...

• Can this system serve as a prelude sensor? How about commercial aggregators?
• How does it compare to other log summarizing tools?
• Do any security monitoring services support it?

Tried it.. its soso

[zaqattack911]

Great install script... but seems to not work if I try an installation location other than /var/ossec The rule based "xml" for identifying problems in logfiles is great. the active response doesn't work. I've tried everything EVERYTHING. and injecting all sorts of attacks didn't even cause the firewall script to block the ip. I searched and tried, and fiddles, and cried. Nadda.