Category: Code, Internet, Security — Chris @ 2:27 pm

OSSEC is a leading host-based intrusion detection system (HIDS) for enterprise UNIX-like and Windows platforms, and it is, by quite a way, the most innovative and customisable IDS product I have worked with.

Because it is so easy to customise, OSSEC's developer Daniel B. Cid, with a little help from me, has implemented supported rulesets for my former employer's products: Zeus WebServer and ZXTM. Both products are widely deployed across enterprise environments, and I hope that product-specific rulesets make life easier for fellow sysadmins tasked with running infrastructure on Zeus software.

Download

You can download the latest snapshot of OSSEC from this page.

Implementation

After running install.sh, enable the Zeus rulesets by telling OSSEC where the Zeus log files live: add a <localfile> entry for each log to ossec.conf, exactly as you would for any other supported log source. The paths below are the default Zeus install locations under /usr/local/zeus; adjust them if your installation lives elsewhere.

Example:

<localfile>
  <log_format>syslog</log_format>
  <location>/usr/local/zeus/zxtm/zxtm/log/errors</location>
</localfile>

<localfile>
  <log_format>syslog</log_format>
  <location>/usr/local/zeus/zws/web/log</location>
</localfile>

Each <localfile> block must be closed: ossec.conf is parsed as XML, and OSSEC will refuse to start on a malformed file. Restart OSSEC after editing so the new log sources are picked up.
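Before restarting OSSEC it is worth checking that what you pasted into ossec.conf is well-formed and points at files that actually exist. The following is an added example, not code from this post or from the OSSEC project: it parses the two Zeus <localfile> entries above with Python's standard XML parser, shows that the same fragment with the closing </localfile> tags missing is rejected (as OSSEC would reject it), and sanity-checks each entry. The set of accepted log_format values is listed from memory and is a subset; the log paths are the ones shown above.

```python
import os
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment for this example (not taken from the post):
# the two Zeus <localfile> entries, properly closed, inside the <ossec_config> root.
ZEUS_LOCALFILES = """<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/usr/local/zeus/zxtm/zxtm/log/errors</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/usr/local/zeus/zws/web/log</location>
  </localfile>
</ossec_config>
"""

# The same fragment with the closing </localfile> tags left out, the way a
# careless copy-paste from a web page can arrive. OSSEC will not start on this.
BROKEN_LOCALFILES = """<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/usr/local/zeus/zxtm/zxtm/log/errors</location>
  <localfile>
    <log_format>syslog</log_format>
    <location>/usr/local/zeus/zws/web/log</location>
</ossec_config>
"""

# log_format values OSSEC's logcollector accepts. Listed from memory and not
# exhaustive; check the documentation for your OSSEC version.
KNOWN_FORMATS = {
    "syslog", "apache", "iis", "squid", "snort-full", "snort-fast",
    "mysql_log", "postgresql_log", "nmapg", "eventlog", "eventchannel",
    "command", "full_command", "djb-multilog", "multi-line",
}


def is_well_formed(xml_text):
    """True if the fragment parses as XML at all (a prerequisite for OSSEC)."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def parse_localfiles(xml_text):
    """Return [(log_format, location), ...] for every <localfile> element.

    Raises xml.etree.ElementTree.ParseError on malformed XML, mirroring
    what OSSEC does with a broken ossec.conf at startup.
    """
    root = ET.fromstring(xml_text)
    entries = []
    for lf in root.iter("localfile"):
        fmt = lf.findtext("log_format", default="").strip()
        loc = lf.findtext("location", default="").strip()
        entries.append((fmt, loc))
    return entries


def check_localfiles(entries, exists=os.path.exists):
    """Return a list of problems; an empty list means the entries look sane.

    `exists` is injectable so the check can be exercised on a machine that
    does not have the Zeus log files present.
    """
    problems = []
    seen = set()
    for fmt, loc in entries:
        if fmt not in KNOWN_FORMATS:
            problems.append(f"{loc or '<no location>'}: unknown log_format {fmt!r}")
        if not loc:
            problems.append("localfile entry has no <location>")
            continue
        if not os.path.isabs(loc):
            problems.append(f"{loc}: location must be an absolute path")
        if loc in seen:
            problems.append(f"{loc}: listed more than once")
        seen.add(loc)
        if not exists(loc):
            problems.append(f"{loc}: file does not exist on this host")
    return problems


if __name__ == "__main__":
    print("broken fragment well-formed:", is_well_formed(BROKEN_LOCALFILES))
    entries = parse_localfiles(ZEUS_LOCALFILES)
    for fmt, loc in entries:
        print(f"monitor {loc} as {fmt}")
    for problem in check_localfiles(entries):
        print("WARNING:", problem)
```

Run it on the host that will run the OSSEC agent so the existence check is meaningful; a missing file is usually a sign that Zeus is installed under a different prefix than /usr/local/zeus.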

Alerts

The screenshot below shows the ruleset raising an alert on a Zeus failure as soon as it appears in the log.

[Screenshot: OSSEC IDS Web Monitor]

Help

Any questions, just ask!
