Next Article in Journal
A Survey on Optical Technologies for IoT, Smart Industry, and Smart Infrastructures
Previous Article in Journal
Smart Agriculture Using IoT Multi-Sensors: A Novel Watering Management System
Previous Article in Special Issue
A Comprehensive Study of Security and Privacy Guidelines, Threats, and Countermeasures: An IoT Perspective
Open AccessArticle

OSSEC IDS Extension to Improve Log Analysis and Override False Positive or Negative Detections

1
Instituto Politécnico de Viana do Castelo, 4900-347 Viana do Castelo, Portugal
2
Instituto Politécnico de Viana do Castelo, 4900-347 Viana do Castelo and Centro Algoritmi, Universidade do Minho, 4800-058 Guimarães, Portugal
3
Instituto Politécnico de Viana do Castelo, 4900-347 Viana do Castelo, Portugal and atlanTTic, Universidade de Vigo, E36310 Vigo, Spain
4
Instituto Politécnico de Viana do Castelo, 4900-347 Viana do Castelo, ISMAI, and INESC TEC, 4200-465 Porto, Portugal
*
Author to whom correspondence should be addressed.
J. Sens. Actuator Netw. 2019, 8(3), 46; https://doi.org/10.3390/jsan8030046
Received: 18 July 2019 / Revised: 9 September 2019 / Accepted: 10 September 2019 / Published: 13 September 2019
(This article belongs to the Special Issue Sensors and Actuators: Security Threats and Countermeasures)
Intrusion Detection Systems (IDS) are used to prevent attacks by detecting potential harmful intrusion attempts. Currently, there are a set of available Open Source IDS with different characteristics. The Open Source Host-based Intrusion Detection System (OSSEC) supports multiple features and its implementation consists of Agents that collect and send event logs to a Manager that analyzes and tests them against specific rules. In the Manager, if certain events match a specific rule, predefined actions are triggered in the Agents such as to block or unblock a particular IP address. However, once an action is triggered, the systems administrator is not able to centrally check and obtain detailed information of the past event logs. In addition, OSSEC may assume false positive or negative detections and their triggered actions: previously harmless but blocked IP addresses by OSSEC have to be unblocked in order to reestablish normal operation or potential harmful IP addresses not previously blocked by OSSEC should be blocked in order to increase protection levels. These operations to override OSSEC actions must be manually performed in every Agent, thus requiring time and human resources. Both these limitations have a higher impact on large scale OSSEC deployments assuming tens or hundreds of Agents. This paper proposes an extension to OSSEC that improves the administrator analysis capability by maintaining, organizing and presenting Agent logs in a central point, and it allows for blocking or unblocking IP addresses in order to override actions triggered by false detections. The proposed extension aims to increase efficiency of time and human resources management, mainly considering large scale OSSEC deployments. View Full-Text
Keywords: IDS; OSSEC; cybersecurity; information security; attack detection; security events; intrusions IDS; OSSEC; cybersecurity; information security; attack detection; security events; intrusions
Show Figures

Figure 1

MDPI and ACS Style

Teixeira, D.; Assunção, L.; Pereira, T.; Malta, S.; Pinto, P. OSSEC IDS Extension to Improve Log Analysis and Override False Positive or Negative Detections. J. Sens. Actuator Netw. 2019, 8, 46.

Show more citation formats Show less citations formats
Note that from the first issue of 2016, MDPI journals use article numbers instead of page numbers. See further details here.

Article Access Map by Country/Region

1
Back to TopTop