Snort vs. OSSEC


Marty E. Hillman

Sep 1, 2006, 11:38:19 AM
to ossec...@googlegroups.com
I am not trying to start a flame war here - just trying to get a better
sense of direction on how to best protect my network. Does anyone know
what the advantage of using OSSEC HIDS over Snort is?

I have been playing with OSSEC quite successfully for the past week in a
demo environment, but it seems to have stopped sending email alerts
sometime last evening. I thought since I would have to do a bunch of
rebuilding that I might give other products a shot.

I need to monitor Windows and Cisco devices and like the aggregation of
data and alerting functions within OSSEC. Does anyone have experiences
with other products that they would be willing to share?

Marty



Herb Commodore

Sep 1, 2006, 12:37:16 PM
to ossec...@googlegroups.com

Marty,

Snort & OSSEC are two different layers of security. Using both
together would improve the overall security level of a site. Snort &
co. watch for network events; OSSEC HIDS, from what I've been able to
tell, watches & coordinates host-based events. And you can
use OSSEC to monitor Snort logs and send alerts based on those --
instead of using some other application to monitor the Snort logs.

Basically, best practices would dictate using both a network-based IDS
such as snort, as well as a host-based IDS such as OSSEC.

-- Herb

--
Herb Commodore <he...@duke.edu> +1.919.660.6951
IT Security Office, OIT, Duke University
Box 104106, Durham NC 27708
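A worked illustration of the point above about feeding Snort logs into a host-based correlator, added here and not code from the thread or from the OSSEC project: a parser for Snort's fast-alert line format plus a frequency/timeframe correlation modelled on the style of OSSEC composite rules (the sample lines, thresholds and the hard-coded year are constructed assumptions).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Snort "alert_fast" output: one event per line, no year in the timestamp.
FAST_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?'
    r'\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$'
)

def parse_fast_alert(line, year=2006):
    """Return a dict of fields for one fast-format line, or None if it does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # Fast logs omit the year, so the caller supplies it (assumed 2006 for the sample).
    ev['time'] = datetime.strptime('%d/%s' % (year, ev['ts']), '%Y/%m/%d-%H:%M:%S.%f')
    ev['prio'] = int(ev['prio'])  # Snort priority: 1 is the most severe
    return ev

def correlate(lines, frequency=3, timeframe=60, max_priority=2):
    """Emit one composite alert when a single source IP produces `frequency`
    events of priority <= max_priority inside a sliding `timeframe` (seconds).
    This mirrors the frequency/timeframe idea of OSSEC rules; it is not OSSEC's code."""
    window = defaultdict(deque)
    composites = []
    for line in lines:
        ev = parse_fast_alert(line)
        if ev is None or ev['prio'] > max_priority:
            continue  # unparseable or low-severity lines are dropped
        q = window[ev['src']]
        q.append(ev['time'])
        while (ev['time'] - q[0]).total_seconds() > timeframe:
            q.popleft()  # slide the window forward
        if len(q) >= frequency:
            composites.append((ev['src'], len(q), ev['msg']))
            q.clear()  # one burst yields one composite alert
    return composites

# Constructed sample: three priority-1 hits from 10.0.0.5 within 60 s, one stray later.
SAMPLE = """\
09/01-11:38:19.100000  [**] [1:1000001:1] TEST web scan [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:51234 -> 192.168.1.10:80
09/01-11:38:25.200000  [**] [1:1000001:1] TEST web scan [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:51235 -> 192.168.1.10:80
09/01-11:38:31.300000  [**] [1:1000002:1] TEST icmp probe [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 192.168.1.10
09/01-11:38:40.400000  [**] [1:1000001:1] TEST web scan [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:51236 -> 192.168.1.10:80
09/01-11:45:00.000000  [**] [1:1000001:1] TEST web scan [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:51237 -> 192.168.1.10:80
""".splitlines()
```

Running `correlate(SAMPLE)` yields a single composite for 10.0.0.5; the ICMP line is filtered by priority and the 11:45 hit is outside the window.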

Marty E. Hillman

Sep 1, 2006, 12:42:24 PM
to ossec...@googlegroups.com
Makes sense.

Meir Michanie

Sep 1, 2006, 3:47:02 PM
to ossec...@googlegroups.com
Snort is blind to activity on your servers over encrypted connections such as SSL and SSH.

Jorge Augusto Senger

Sep 3, 2006, 9:50:06 PM
to ossec...@googlegroups.com

Hi Marty,

There's a good explanation about network and host based IDS here:

http://www.snort.org/docs/iss-placement.pdf

Jorge

Marty E. Hillman wrote:

--


Jorge Augusto Senger
IT Management
jo...@br10.com.br
42 32252888 / 84015330



technopundit

Sep 4, 2006, 8:25:01 AM
to ossec-list

Marty E. Hillman wrote:
<snip>

> I have been playing with OSSEC quite successfully for the past week in a
> demo environment, but it seems to have stopped sending email alerts
> sometime last evening.

I've noticed the same thing -- my internet service was out for several
hours, during which my logs say an alert happened that would normally
have resulted in an email being sent. Obviously, OSSEC was unable to
send an alert email due to the outage.

Now, OSSEC-HIDS has stopped sending emails altogether. Is there,
perhaps, a queue somewhere that needs to be emptied?

Michael Fernandez

Mar 30, 2020, 11:00:16 AM
to ossec-list
Snort is slightly ahead of OSSEC because of its ability to operate cross-platform. Snort also works alongside your existing infrastructure and doesn't burden you with any extra replacement costs. Snort also filters data packets in real time, whereas OSSEC checks log files to detect threats.
