It’s kind of strange to suggest adding security to OSSEC. The OSSEC project has security in its very name. However, as surprising as it may sound, while OSSEC may do some things well, it doesn’t do everything and some things it does so very poorly. It can give you a false sense of security. It includes tools to log and analyze security incidents, but it cannot analyze everything, like web attacks for example, and since its a userland process itself it cannot protect you against attacks like rootkits, buffer overflows and other attacks on the system itself. You have to bring your own security to truly make OSSEC shine and to protect it from attacks as well.
That is why Atomicorp ships an OSSEC package that includes additional security enhancements for OSSEC, real time malware protection, an actual web application firewall (WAF) and more. Today I’d like to talk about OSSEC and web attacks. OSSEC was designed to read log messages. In this sense, it can work with other tools, like a WAF, to respond to web attacks. What it cannot do is actually detect web attacks.
Some people think that simply reading your web logs will allow you to detect web attacks. This is simply not the case. Web servers don’t detect attacks. While they may be able to log some data about requests, that’s about all they can do. To detect web attacks, you need a WAF. One of the most popular today is ModSecurity. We’ve build a turn key ModSecurity module for OSSEC complete with our award winning ModSecurity rules that works with OSSEC. It was logical for us to combine the two and enable native web security within the OSSEC environment.
Security From the OSSEC Project Manager
The Atomicorp team knows more than a little about OSSEC. Our CTO, Scott Shinn, is the OSSEC project manager and has supported the program for over a decade. That is why he recognized early on that people were assuming OSSEC could detect web application attacks without a WAF, and how this could be a substantial problem. Scott and the Atomicorp team set out to address this vulnerability by adding ModSecurity and Atomicorp’s WAF rule sets. The rules provide a number of benefits such as:
- Real-time virtual patching
- Real-time blacklists
- Real-time malicious domain blocking
- Brute force protection
- Data loss prevention
- Real-time malware protection
These capabilities help to prevent web attacks such as SQL injection, cross-site scripting, code injection, CSRF, RFI/LFI, web shells, web spam, brute force and more. The WAF natively detects web attacks and malicious applications and stops them cold. It is the simplest way to lock down your OSSEC installation while maintaining maximum flexibility for the application.
Learn More About OSSEC Security
You can learn more about Atomic Secured OSSEC by clicking the buttons below. OSSEC is free and our standard ModSecurity rule set is also free. We also have a set of advanced rules as well as a full turn-key WAF that further enhances enterprise security for all users, including those that use OSSEC. Click the buttons below to learn more or to connect with one of our OSSEC engineers. We are securing some of the largest OSSEC installations worldwide and can walk you through the various security options.