OSSEC, an open source host intrusion detection system, got a revamp yesterday that adds better alerting and auto-response tools, according to its maker.
Daniel Cid, lead developer and author of OSSEC, said the software is both an IDS and a log analysis and correlation tool, similar to products in the security event management market.
OSSEC 1.1 performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting and active response.
"The project was created in 2004, but it started to gain a lot of attention only at the end of 2005," Cid said.
Cid yesterday made available Version 1.1, which he said adds email alerting, more advanced log analysis and an active response mechanism to thwart attackers. This mechanism uses "route null" to block detected attackers, he said.
OSSEC uses a client/server model with a central management server software and agents distributed on managed devices. The software monitors file and directory modifications, provides accountability by storing authentication information, and triggers user alerts on failed authentication or questionable user additions.
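To show the kind of correlation the article describes (alerts on failed authentication and on questionable user additions, a time-based threshold, and an active response of the "route null" type), here is an added example that is not OSSEC's own code or rule set. The log lines are constructed, the syslog year is assumed because syslog omits it, and the blackhole-route command is only returned as a proposed action, never executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines (not real data); syslog has no year, so 2007 is assumed below.
SAMPLE_LOG = """\
Mar  3 10:00:01 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:00:04 host1 sshd[2203]: Failed password for admin from 203.0.113.7 port 51130 ssh2
Mar  3 10:00:09 host1 sshd[2205]: Failed password for root from 203.0.113.7 port 51141 ssh2
Mar  3 10:00:15 host1 sshd[2207]: Accepted password for alice from 198.51.100.5 port 40022 ssh2
Mar  3 10:00:20 host1 sshd[2210]: Failed password for bob from 198.51.100.5 port 40023 ssh2
Mar  3 10:01:02 host1 useradd[2250]: new user: name=svc, UID=0, GID=0, home=/root, shell=/bin/bash
Mar  3 10:30:00 host1 sshd[2301]: Failed password for root from 203.0.113.7 port 52000 ssh2
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (.*)$")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (\S+) from (\S+) port")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(\S+), UID=(\d+),")

def null_route_action(ip):
    """Proposed (not executed) blackhole route: one Linux form of a 'route null' response (assumed)."""
    return "ip route add blackhole %s/32" % ip

def analyze(log_text, threshold=3, window=timedelta(seconds=60), year=2007):
    """Return alerts; a source reaching `threshold` failures within `window` gets a response action."""
    alerts = []
    recent = defaultdict(deque)  # source ip -> timestamps of its recent failures
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
        msg = m.group(2)
        f = FAILED_RE.search(msg)
        if f:
            user, ip = f.groups()
            alerts.append({"level": "low", "rule": "failed_auth", "src": ip, "user": user, "action": None})
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures that fell out of the time window
                q.popleft()
            if len(q) >= threshold:
                alerts.append({"level": "high", "rule": "auth_brute_force", "src": ip,
                               "user": user, "action": null_route_action(ip)})
                q.clear()                     # one response per burst, not one per extra failure
            continue
        u = USERADD_RE.search(msg)
        if u and u.group(2) == "0":           # a new UID 0 account is a questionable user addition
            alerts.append({"level": "high", "rule": "uid0_user_added", "src": None,
                           "user": u.group(1), "action": None})
    return alerts
```

The failure at 10:30:00 from the same source stays a low-level alert because the earlier burst is outside the window and was already answered.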
The software runs on most operating systems, including Linux, OpenBSD, MacOS, Solaris and Windows. Users install the server software first and then deploy the agent on client machines; on Windows the agent ships with an installation wizard.
"It has a centralised architecture, allowing one central server to manage and monitor the logs and integrity data from multiple agents," Cid said. "The server/agent communication is encrypted/compressed so it saves a lot of bandwidth and keeps the privacy of the log data in transit."
The software also allows a local installation for users who are not interested in the server/agent architecture or who have only one system to monitor. This release also adds support for Microsoft IIS 6, Cisco VPN concentrator, Cisco PIX VPN AAA, Cisco FWSM and Solaris 10 logs.
OSSEC Version 1.1 is available free for download under the GNU General Public License.