OSSEC Reporting Tool
DongIT developed a reporting tool for OSSEC Intrusion Detection System which periodically generates a report with raised alerts. The reporting tool provides a convenient overview of raised security-related alerts and countermeasures taken.
An Intrusion Detection System is an automated system that detects hacking attempts and cases of unauthorized access to an information system or network. OSSEC is the leading open source Intrusion Detection System for information systems.
DigiD is the identity management system of the Dutch government. Organizations using DigiD are required to operate an Intrusion Detection System and, in addition, to inspect its logging adequately. The reporting tool supports this additional requirement by providing convenient access to logged alerts in a web interface and by requiring that action be taken on alerts above a certain level.
Alerts at or above a configurable level are automatically sent to the dashboard. Every alert on the dashboard represents a possible security breach of the system. To eliminate false positives, each alert must be signed by a responsible person (system administrator or security specialist) within a certain period, at which point the countermeasures to be taken are determined and recorded.
Per monitored system, a report can be generated which contains the following items:
- Explanation of the alert levels.
- Top 10 alerts.
- Alerts signed by a responsible person containing the description of actions taken.
- Unsigned alerts.
Parameters for the report are the minimum alert level and the start and end dates.
The reporting tool also allows advanced searching. The logged events can be filtered by the system on which they occurred, by period, by originating IP address and by minimum alert level.
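The search criteria and the per-system report described above, worked through as an added Python example that is not DongIT's own code: the `Alert` record, the field names, the two-day signing deadline and the sample alerts are all assumptions constructed for illustration, not the tool's schema or real data.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Alert:
    """Constructed alert record; the field names are assumptions, not the tool's schema."""
    system: str
    ts: datetime
    level: int
    rule: str
    src_ip: str
    signed_by: str = ""   # responsible person who signed the alert, empty if unsigned
    action: str = ""      # countermeasure recorded at signing time

def search(alerts, system=None, start=None, end=None, src_ip=None, min_level=0):
    """Advanced search: every criterion given must match; omitted ones are ignored."""
    return [a for a in alerts
            if (system is None or a.system == system)
            and (start is None or a.ts >= start)
            and (end is None or a.ts <= end)
            and (src_ip is None or a.src_ip == src_ip)
            and a.level >= min_level]

def build_report(alerts, system, min_level, start, end, now, sign_deadline=timedelta(days=2)):
    """Per-system report: top 10 rules, signed alerts with their actions, unsigned
    alerts, and the subset of unsigned alerts older than the signing deadline."""
    selected = search(alerts, system=system, start=start, end=end, min_level=min_level)
    return {
        "top10": Counter(a.rule for a in selected).most_common(10),
        "signed": [a for a in selected if a.signed_by],
        "unsigned": [a for a in selected if not a.signed_by],
        "overdue": [a for a in selected if not a.signed_by and now - a.ts > sign_deadline],
    }

# Constructed sample alerts (not real data); IPs are from documentation ranges.
T0 = datetime(2024, 1, 10, 12, 0)
SAMPLE = [
    Alert("web01", T0, 10, "SSHD brute force", "198.51.100.7"),
    Alert("web01", T0 + timedelta(hours=1), 10, "SSHD brute force", "198.51.100.7",
          signed_by="admin", action="blocked source in firewall"),
    Alert("web01", T0 + timedelta(days=3), 7, "Integrity checksum changed", "-"),
    Alert("web01", T0 + timedelta(days=3), 3, "Login session opened", "-"),
    Alert("db01", T0, 12, "Multiple failed logins", "203.0.113.5"),
]

def demo_report():
    """Report for web01, level >= 7, one-week window, evaluated four days after T0."""
    return build_report(SAMPLE, "web01", 7, T0, T0 + timedelta(days=7), now=T0 + timedelta(days=4))
```

The `overdue` list is what turns the signing requirement into something checkable: an unsigned alert older than the deadline is the one a reviewer should escalate first.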