As I understand it, OSSEC basically watches log files (by default, syslog, but you can add other logs to watch as well) and creates alerts when it notices certain strings. The things that it looks for are specified in rules files (look in /var/ossec/rules). For example, rule 5104, which looks like this:
Code:
<rule id="5104" level="8">
  <if_sid>5100</if_sid>
  <regex>Promiscuous mode enabled|</regex>
  <regex>device \S+ entered promiscuous mode</regex>
  <description>Interface entered in promiscuous(sniffing) mode.</description>
  <group>promisc,</group>
</rule>
causes an alert to be created whenever the strings (regexes really) "Promiscuous mode enabled" or "device \S+ entered promiscuous mode" are detected in the log files.
OSSEC comes with a comprehensive set of rules, but if you want to add your own you can put them in the file local_rules.xml. There's a bit of information on the OSSEC website about how to write rules, but I would recommend that you buy the OSSEC book if you really want to understand how to write rules. It's too complex to explain here really, and unfortunately the online documentation for OSSEC is not as good as it should be.
Keep in mind that pattern matching is not OSSEC's only strategy. It also periodically calculates file checksums in system directories to see if they've changed, and it checks for rootkits by looking for signatures... take a look at /var/ossec/etc/shared/rootkit_files.txt and /var/ossec/etc/shared/rootkit_trojans.txt. You can add custom signatures there as well.
So to answer your question, OSSEC uses both pattern matching and anomaly checking because it uses several different strategies for detecting intrusions.
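As an added illustration of how rule 5104 above is evaluated (this is example code written for this thread, not part of the post or of OSSEC itself), the script below parses the rule, concatenates its two <regex> elements the way OSSEC does, and only tries it once its <if_sid> parent has matched. Rule 5100 here is an assumed, simplified stand-in for OSSEC's kernel-message parent rule, and the syslog lines are constructed samples.

```python
import re
import xml.etree.ElementTree as ET
# Rule 5104 as quoted in the post. Rule 5100 is a simplified stand-in (assumption)
# for OSSEC's parent kernel rule, which is really tied to the kernel decoder.
RULES_XML = r"""
<group name="syslog,">
  <rule id="5100" level="0"><regex>kernel: </regex></rule>
  <rule id="5104" level="8">
    <if_sid>5100</if_sid>
    <regex>Promiscuous mode enabled|</regex>
    <regex>device \S+ entered promiscuous mode</regex>
    <description>Interface entered in promiscuous(sniffing) mode.</description>
    <group>promisc,</group>
  </rule>
</group>
"""

def load_rules(xml_text):
    """Parse rules; consecutive <regex> elements are concatenated, as OSSEC does."""
    rules = {}
    for r in ET.fromstring(xml_text).iter("rule"):
        pattern = "".join(e.text or "" for e in r.findall("regex"))
        rules[r.get("id")] = {
            "level": int(r.get("level")),
            "if_sid": (r.findtext("if_sid") or "").strip() or None,
            "regex": re.compile(pattern),
        }
    return rules

def evaluate(rules, line):
    """Id of the most specific rule that fires for one log line, or None."""
    fired = None
    for rid, rule in rules.items():  # file order: parents precede children
        if rule["if_sid"] and rule["if_sid"] != fired:
            continue  # a child rule is only tried after its parent fired
        if rule["regex"].search(line):
            fired = rid
    return fired

def alerts(rules, lines, min_level=1):
    # (rule id, level, line) for each line whose rule reaches min_level;
    # level 0 rules (like the parent) never alert, matching OSSEC's default.
    hits = ((evaluate(rules, ln), ln) for ln in lines)
    return [(rid, rules[rid]["level"], ln) for rid, ln in hits
            if rid and rules[rid]["level"] >= min_level]
RULES = load_rules(RULES_XML)
SAMPLE_LOG = [  # constructed syslog lines, not captured from a real host
    "Mar  4 10:01:02 host kernel: device eth0 entered promiscuous mode",
    "Mar  4 10:01:09 host kernel: device eth0 left promiscuous mode",
    "Mar  4 10:02:11 host sshd[123]: device eth0 entered promiscuous mode",
    "Mar  4 10:03:00 host kernel: Promiscuous mode enabled on eth1",
]
```

The third sample line contains the promiscuous-mode text but is not a kernel message, so rule 5104 is never reached; the second one matches only the level-0 parent and therefore produces no alert.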