我打算建立 OSSEC 并注意到似乎有两种主要风格:普通OSSEC和Wazuh fork。
根据我收集到的信息(来自 Wazuh 的网站和文档),Wazuh 的主要优势是:
我对在这个项目中使用 ELK 没有兴趣,但是我们已经有一个预先存在的 graylog 实例,我想将它与 OSSEC 连接起来,这在使用 syslog cef 格式的常规 OSSEC 中应该是可能的。
我假设即使我运行常规 OSSEC,我也可以使用改进的规则集,至少我没有看到任何其他指示。
至于 RESTful API,我仍然非常缺乏经验,而且我最近才听说 REST——我什至不知道我将如何开始使用它——所以我不确定我是否应该使用 Wazuh fork只是为了那个。
目标是在我们的云环境中的机器上运行 OSSEC 代理,并将它们指向一台机器中的 OSSEC 服务器,该机器已经用于同一网络上的日志管理和监控。
运行 Wazuh 而不是常规的 OSSEC 还有其他优势吗?还有什么我应该考虑的吗?
关于 Wazuh 与 OSSEC 的差异,Wazuh 团队正在努力更新文档以更好地解释这些(以及新版本和安装程序)。
Wazuh新版本(2.0,目前在master分支下)亮点有:
完整的变更日志可以在这里找到:
https://github.com/wazuh/wazuh/blob/master/CHANGELOG.md
如果你好奇,这里有一些 WUI 的截图。
https://github.com/wazuh/wazuh-documentation/tree/2.0/source/images/screenshots
同样值得一提的是,Wazuh 项目作为一个分支,是基于我们感谢 OSSEC 开发人员和贡献者所做的工作。Wazuh 计划通过错误修复继续为 OSSEC Github 存储库做出贡献,但我们也有自己的路线图,因此很可能这两个项目将以不同的方式发展。
虽然我的观点在这里可能有偏见(我是 Wazuh 团队的一员),但这里是关于 OSSEC 和 Wazuh 之间差异的更新:
Scalability and reliability
• Cluster support for managers to scale horizontally.
• Support for Puppet, Chef, Ansible and Docker deployments.
• TCP support for agent-manager communications.
• Anti-flooding feature to prevent large burst of events from being lost or negatively impact network performance.
• AES encryption used for agent-manager communications (instead of Blowfish).
• Multi-thread support for manager processes, dramatically increaing their performance.
Intrusion detection
• Improved log analysis engine, with native JSON decoding and ability to name fields dynamically.
• Increased maximum message size from 6KB to 64KB (being able to analyze much larger log messages).
• Updated ruleset with new log analysis rules and decoders.
• Native rules for Suricata, making use of JSON decoder.
• Integration with Owhl project for unified NIDS management.
• Support for IP reputation databases (e.g. AlienVault OTX).
• Native integration with Linux auditing kernel subsystem and Windows audit policies to capture who-data for FIM events.
Integration with cloud providers
• Module for native integration with Amazon AWS (pulling data from Cloudtrail or Cloudwatch).
• New rules and decoders for Amazon AWS.
• Module for native integration with Microsoft Azure.
• New rules and decoders for Microsoft Azure.
Regulatory compliance
• Alert mapping with PCI DSS and GPG13 requirements.
• Compliance dashboards for Elastic Stack, provided by Wazuh Kibana plugin.
• Compliance dashboards for Splunk, provided by Wazuh app.
• Use of Owhl project Suricata mapping for compliance.
• SHA256 hashes used for file integrity monitoring (in addition to to MD5 and SHA1).
• Module for integration with OpenScap, used for configuration assessment.
Elastic Stack integration
• Provides the ability to index and query data.
• Data enrichment using GeoIP Logstash module.
• Kibana plugin used to visualize data (integrated using Wazuh REStful API).
• Web user interface pre-configured extensions, adapting it to your use cases.
Incident response
• Module for collection of software and hardware inventory data.
• Ability to query for software and hardware via RESTful API.
• Module for integration with Osquery, being able to run queries on demand.
• Implementation of new output options for log collector component.
• Module for integration with Virustotal, used to detect the presence of malicious files.
Vulnerability detection and configuration assessment
• Dynamic creation of CVE vulnerability databases, gathering data from OVAL repositories.
• Cross correlation with applications inventory data to detect vulnerable software.
• Module for integration with OpenScap allows the user to remotely configured scans.
• Support for CIS-CAT, by Center of Internet Security scanner integration.
链接到文档:
https://documentation.wazuh.com/current/migrating-from-ossec/
这表明过去三年我们在 OSSEC 上做了很多工作,我相信这证明使用 Wazuh 是合理的。