I am attempting to establish a defensive posture w/ an Ubuntu LAMP server [Dapper].
I have installed Firestarter and OSSEC.

I am running OSSEC ['local' install] on an Ubuntu LAMP server. Everything went well during the install and I am receiving periodic e-mail notifications.

If the system were to experience an attack, OSSEC is going to recognize the signature of the attack and then notify me. Signatures can only exist if they are known; therefore, if a new attack vector is used it will not match a pattern and OSSEC will not detect it!

It also utilizes an Analysis Engine [?] that will notice differences between normal patterns and abnormal patterns, if configured to do so.

Does anyone know what analysis method [pattern matching or anomaly matching] OSSEC uses?

Does anyone know how to properly configure OSSEC to recognize new attack signatures?


P.S. I have researched the OSSEC documentation to determine what detection methodologies are being used. Are they using a Pattern Stateful Matching Engine or an Anomaly-Based engine? No luck!
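The question of how to teach OSSEC a new signature comes down to writing a local rule. The following is an added example of a `local_rules.xml` fragment, not text from the post above and not part of OSSEC's shipped rule set. It shows the two mechanisms OSSEC's rule engine actually offers: a pattern match on a decoded field (here the request URL from an Apache access-log line, whose parent rule in OSSEC's web rules is 31100), and a threshold rule built on `frequency`/`timeframe`, which is how OSSEC correlates repeated hits from one source rather than judging each line on its own. The probe path `/phpmyadmin/`, the rule IDs 100100 and 100101, the levels, and the threshold of 6 hits in 60 seconds are all assumptions to be adapted to the server in question; OSSEC reserves IDs 100000 to 109999 for local rules.

```xml
<!-- /var/ossec/rules/local_rules.xml  (added example, not OSSEC's own rules) -->
<group name="local,web,">

  <!-- Signature rule: one request for a path this server does not host.
       /phpmyadmin/ is an assumed probe path; 31100 is OSSEC's parent rule
       for decoded web access-log messages, so this only fires on those. -->
  <rule id="100100" level="5">
    <if_sid>31100</if_sid>
    <url>^/phpmyadmin/</url>
    <description>Request for /phpmyadmin/ on a host that does not serve it (assumed probe).</description>
    <group>recon,</group>
  </rule>

  <!-- Threshold rule: the signature above firing repeatedly from the same
       source address within a short window. frequency and timeframe are
       OSSEC's built-in correlation attributes; 6 hits in 60 seconds is an
       assumed tuning value. -->
  <rule id="100101" level="10" frequency="6" timeframe="60">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>Repeated /phpmyadmin/ probes from the same source address.</description>
    <group>attack,</group>
  </rule>

</group>
```

After saving the file, restart the daemons with `/var/ossec/bin/ossec-control restart` so the new rules are loaded. In OSSEC 2.x and later, `/var/ossec/bin/ossec-logtest` reads log lines from standard input and prints which decoder and rule matched, so a constructed access-log line such as `10.0.0.5 - - [10/Jan/2007:10:00:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "test"` (a made-up line, not from any real server) is the quickest way to confirm that rule 100100 fires before trusting the threshold rule in production.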