I’ve been running OSSEC for about six weeks now. General thoughts – it’s pretty easy to get up and running. The server client is sitting on my fedora mail/web/firewall/sql server and I have two of the windows client apps sitting on the fishcam box and my workstation desktop.
Setup was easy, only took a few minutes.
The good:
– Advanced monitoring clued me into a bunch of spammers who kept trying to use me for recursive lookups for gmail.
– Alert messages whined about the postmaster account not having a valid destination until I finally fixed it. Wow, I now get over a thousand spam messages a day (domain, uucp, ftp, ntp, webmaster .. all drain into that mailbox). Gmail’s anti-spam system has held up remarkably well, worst day I got about 12 spam – which was annoying until I realized what a massively high percentage it was getting right.
The bad:
– I setup a motion activated webcam at one point that would email copies of the pictures every time it detection movement. When the connection attempt violated the anti-relay mail policy, ossec dropped it’s public ip address into it’s hosts.deny file. That was unpleasant until I manually whitelisted it. In retrospect, whitelisting your own ip address makes sense – and would probably happen automatically if I wasn’t doing a goofy double nat thing with another router.
– Getting a flood of emails everytime I run an update is annoying, but I’m willing to live with it.
In general, I think every office should have something like this running. I’d bet it would be even more interesting if there was a real client/server network going with a bunch of MS boxes chatting back and forth to each other. You’d have to be willing to deal with that additional noise it brings to the experience however.