Daniel's blog

Random collection of research, thoughts and news about me, ossec, and my other projects.

log4j honeypot logs - jndi exploit

Created a page on the NOC reputation checker to track the JNDI (log4j) exploits that are going around.

Posted in attack, logs / 2021-12-16

DNS Database repository available

DNS Database repository available - search for any IPs and domains.

Posted in dns / 2021-11-14

CleanBrowsing Anycast Network is Growing

We are always expanding and improving the CleanBrowsing anycast network. More POPs launched.

Posted in cleanbrowsing / 2021-10-11

1st degree BJJ blackbelt

On some personal news, I just got the 1st degree on my BJJ blackbelt.

Posted in family, bjj / 2021-06-11

Decentralize the web - again

Decentralize the web again. We are giving too much control and power to a few players.

Posted in thoughts / 2020-09-02

Mastodon Instance - noc.social

New Mastodon instance - noc.social - available for anyone to use.

Posted in mastodon / 2020-06-11

OSSEC conference - 2019 - The untold story of OSSEC

Presenting at OSSECcon2019, about the story and the beginning of OSSEC.

Posted in ossec, presentation / 2019-03-20

WordPress Performance Optimization Guide

WordPress Performance Optimization Guide for the Sucuri Blog

Posted in sucuri, wordpress / 2017-01-19

OSSEC v2016-04: Improving detection

As promised, I didn't let the momentum die off. Releasing today v2016-04 with multiple improvements to our log engine and rootcheck.

Posted in ossec, releases / 2016-04-07

OSSEC v2016-02: New rules options + GeoIP by default

One more release to keep the momentum going. Included the last work with the different_* option in the rules, along with MaxMind by default and new rules.

Posted in ossec, releases / 2016-02-03

OSSEC v2015-12: GeoIP + Integratord

I guess I didn't keep my promise to push my OSSEC changes into the open source world as often as I would have wanted. But at least I made up for it with some nice new features.

Posted in ossec, releases / 2015-12-30

Sudo: The most misused security tool ever

Linux Sudo: The most misused security tool ever - NOPASSWD: ALL

Posted in security, sudo / 2015-02-02

The S in HTTPS does not equal a secure site

The S in HTTPS does not equal a secure site - a lot more is needed to have a secure site.

Posted in https, thoughts / 2014-10-26

Indicators of Compromised Behavior (IOCd-B)

Indicators of Compromised Behavior (IOCd-B) using log analysis.

Posted in logging, thoughts / 2014-10-09

Always assume the worst

Always assume the worst - that someone might be watching what you do online.

Posted in thoughts / 2013-06-20

How to get started contributing to an open source project

How to get started and contribute to an open source project.

Posted in open-source / 2013-05-12

Using your phone SMS as 2FA

Using your phone and SMS as a 2FA - Why that might not be a good idea.

Posted in passwords, thoughts / 2013-04-19

Sucuri WAF - Not your traditional WAF

Sucuri CloudProxy WAF - Not your traditional WAF.

Posted in sucuri / 2013-03-16

OSSEC rule for the PHP-CGI vulnerability

I am seeing many scans for the PHP-CGI vulnerability in the wild and put up a quick OSSEC rule to detect/block those.

Posted in ossec, ossec-rules / 2012-05-09

Database Logging (PostgreSQL and MySQL)

Very few people pay attention to database logging, and in this article we will explain how to enable logging for PostgreSQL and MySQL.

Posted in logging, databases / 2012-05-08

Setting up OSSEC - Step by step guide

Setting up OSSEC - A step by step guide on how to install and configure OSSEC.

Posted in ossec / 2012-04-21

3WoO: Alerting on DNS (IP Address) changes

An easy way to monitor the integrity of your DNS is by checking remotely that the A/AAAA records have not been changed.

Posted in ossec, dns / 2011-10-25

Detecting outdated (web) applications with OSSEC

Detecting outdated open source (web) applications with OSSEC: WordPress, Joomla, etc.

Posted in ossec, auditing / 2011-09-21

Improved reporting for file changes on OSSEC

Improved reporting for file changes on OSSEC to display the files and locations.

Posted in ossec, syscheck / 2011-05-26

Running multiple OSSEC decoders on the same event

Running multiple OSSEC decoders on the same event to extract additional information from the logs.

Posted in ossec, decoders / 2011-04-05

Blocking repeated offenders with OSSEC

Blocking repeated offenders with OSSEC by increasing the block timeout every time.

Posted in ossec, responses / 2011-02-11

What is a good password?

What is a good password? Let's explore common knowledge of what is a bad and a good password.

Posted in passwords / 2011-02-01

Automatically creating and setting up the agent keys for OSSEC

Automatically creating and setting up the agent keys for authd on OSSEC

Posted in ossec / 2011-01-19

OSSEC Award daemon

I just got this award daemon via the mail today from the OSSEC community.

Posted in ossec, love / 2010-10-20

How to contribute to OSSEC

How to contribute to OSSEC and any other open source project.

Posted in ossec, open-source / 2010-10-19

OSSEC v2.5 released

We are very happy to announce the availability of OSSEC version 2.5.

Posted in ossec, releases / 2010-09-27

OSSEC v2.4 released

We are very happy to announce the availability of OSSEC version 2.4.

Posted in ossec, releases / 2010-04-01

OSSEC Alerting when a log or output of a command changes

If you want to create OSSEC alerts when a log or the output of a command changes, take a look at the new check_diff option.

Posted in ossec, check_diff / 2010-03-11

New member of the OSSEC team: Priscila Cid

I am happy to announce the arrival of the newest member of the OSSEC team: Priscila!

Posted in ossec, family / 2010-02-09

OSSEC v2.3 released

We are very happy to announce the availability of OSSEC version 2.3.

Posted in ossec, releases / 2009-12-07

Process monitoring with OSSEC

How to monitor processes and their output with OSSEC

Posted in ossec / 2009-11-05

Q&A: OSSEC interview with Daniel Cid

Q&A: OSSEC, the open source host-based intrusion detection system with Daniel Cid

Posted in ossec, interview / 2009-08-21

Compiling the Windows Agent from a Linux system

How to compile the OSSEC Windows agent from a Linux system using Mingw.

Posted in ossec, windows / 2009-06-12

OSSEC v2.0 released

We are very happy to announce the availability of OSSEC version 2.0.

Posted in ossec, releases / 2009-02-27

OSSEC book as Best Book Bejtlich Read in 2008

I was glad to read that Richard Bejtlich considered the OSSEC book one of his best reads of 2008.

Posted in ossecbook / 2009-01-02

Sending OSSEC alerts via syslog

We just added support to allow you to send OSSEC alerts to a remote syslog server.

Posted in ossec, syslog / 2008-07-25

Third Brigade acquires OSSEC

OSSEC project acquired by Third Brigade

Posted in ossec, acquisition / 2008-06-17

OSSEC v1.5 released

We are very happy to announce the availability of OSSEC version 1.5.

Posted in ossec, releases / 2008-05-01

Ugliest application logs ever

Ugliest application logs ever. Can we have a winner?

Posted in logging / 2008-01-24

OSSEC book is out

OSSEC book is out and ready for pre-order.

Posted in ossec, book / 2008-01-23

Syslog - Last message repeated X times (rant)

Syslog - Last message repeated X times. One of the least useful features on syslog daemons.

Posted in syslog / 2007-12-18

OSSEC at the 'Own the Box' competition

OSSEC helping at Defcon's 'Own the Box' competition.

Posted in ossec, defcon / 2007-09-05

Bruce Schneier on log analysis

Bruce Schneier on log analysis - did you know he is a fan of logging?

Posted in logging, schneier / 2007-08-20

OSSEC switching to GPLv3

OSSEC will be switching to the GPLv3 in the next release.

Posted in ossec, gpl / 2007-07-12

Hidden ports on Linux

Hidden ports on Linux - in use but not shown in netstat.

Posted in linux, c_dev / 2007-06-29

Remote log injection paper

Remote log injection paper on attacking log analysis tools, just released.

Posted in logging, hacking / 2007-06-06

OSSEC Presentations at AusCERT/Confidence

During the month of May I went to AusCERT and Confidence to talk about OSSEC (i.e. log analysis using OSSEC).

Posted in ossec, presentations / 2007-06-02

Daily/Chained checksum of OSSEC alerts

Daily/Chained checksum of OSSEC alerts for log integrity.

Posted in ossec / 2007-05-01

OSSEC performance testing (v2)

Performance testing results for OSSEC v1.1 - expanded.

Posted in ossec, performance / 2007-04-10

New member of the OSSEC team: Davi Cid

I am happy to announce the arrival of the newest member of the OSSEC team: Davi!

Posted in ossec, family / 2007-03-18

Security monitoring with your Logs

Security monitoring and log analysis to complement your other intrusion detection tools.

Posted in logging / 2007-01-10

2006 OSSEC download numbers

2006 OSSEC download numbers, from version 0.5 to 0.9.3.

Posted in ossec, stats / 2007-01-09

Logging authentication events from Cisco IOS

Logging authentication events from Cisco IOS routers

Posted in logging, cisco / 2006-11-13

Log analysis for intrusion detection

In this paper, we investigate log analysis techniques and their use for intrusion detection.

Posted in log-analysis, ids / 2006-05-02

Analysis of SSH brute force attacks

Username and password analysis of SSH brute force scans and attacks.

Posted in ossec, releases / 2006-03-20

Coding for fun and profit. Often fun and little profit.