HIDS - Choosing between regular OSSEC or Wazuh fork

Regarding Wazuh differences with OSSEC, the Wazuh team is working on updating the documentation to explain those better (and on a new release and installers).

Wazuh new version (2.0, currently found under the master branch) highlights are:

  • OpenSCAP integrated as part of the agent, allowing users to run OVAL checks.
  • New WUI on top of Kibana 5, and integrated with the RESTful API to monitor configuration of the manager, rules and status of the agents.
  • Improved log analysis and FIM capabilities.
  • Ruleset with compliance mapping.
  • Agent-manager communications over TCP supported. A modules manager that will allow future integration of other tools (in the roadmap is OSquery and Threat Intelligence sources)

Complete changelog can be found here:

https://github.com/wazuh/wazuh/blob/master/CHANGELOG.md

If you are curious, here are some screenshots of the WUI.

https://github.com/wazuh/wazuh-documentation/tree/2.0/source/images/screenshots

As well it is worth mentioning that Wazuh project, as a fork, is based on the work done by OSSEC developers and contributors to which we are thankful. Wazuh plans to continue contributing to OSSEC Github repository with bug fixes, but we also have our own roadmap so, most likely, both projects will evolve in different ways.


Although my opinion is probably biased here (I am part of the Wazuh team), here is an update on the differences between OSSEC and Wazuh:

Scalability and reliability
•   Cluster support for managers to scale horizontally.
•   Support for Puppet, Chef, Ansible and Docker deployments.
•   TCP support for agent-manager communications.
•   Anti-flooding feature to prevent large burst of events from being lost or negatively impact network performance.
•   AES encryption used for agent-manager communications (instead of Blowfish).
•   Multi-thread support for manager processes, dramatically increaing their performance.

Intrusion detection
•   Improved log analysis engine, with native JSON decoding and ability to name fields dynamically.
•   Increased maximum message size from 6KB to 64KB (being able to analyze much larger log messages).
•   Updated ruleset with new log analysis rules and decoders.
•   Native rules for Suricata, making use of JSON decoder.
•   Integration with Owhl project for unified NIDS management.
•   Support for IP reputation databases (e.g. AlienVault OTX).
•   Native integration with Linux auditing kernel subsystem and Windows audit policies to capture who-data for FIM events.

Integration with cloud providers
•   Module for native integration with Amazon AWS (pulling data from Cloudtrail or Cloudwatch).
•   New rules and decoders for Amazon AWS.
•   Module for native integration with Microsoft Azure.
•   New rules and decoders for Microsoft Azure.

Regulatory compliance
•   Alert mapping with PCI DSS and GPG13 requirements.
•   Compliance dashboards for Elastic Stack, provided by Wazuh Kibana plugin.
•   Compliance dashboards for Splunk, provided by Wazuh app.
•   Use of Owhl project Suricata mapping for compliance.
•   SHA256 hashes used for file integrity monitoring (in addition to to MD5 and SHA1).
•   Module for integration with OpenScap, used for configuration assessment.

Elastic Stack integration
•   Provides the ability to index and query data.
•   Data enrichment using GeoIP Logstash module.
•   Kibana plugin used to visualize data (integrated using Wazuh REStful API).
•   Web user interface pre-configured extensions, adapting it to your use cases.

Incident response
•   Module for collection of software and hardware inventory data.
•   Ability to query for software and hardware via RESTful API.
•   Module for integration with Osquery, being able to run queries on demand.
•   Implementation of new output options for log collector component.
•   Module for integration with Virustotal, used to detect the presence of malicious files.

Vulnerability detection and configuration assessment
•   Dynamic creation of CVE vulnerability databases, gathering data from OVAL repositories.
•   Cross correlation with applications inventory data to detect vulnerable software.
•   Module for integration with OpenScap allows the user to remotely configured scans.
•   Support for CIS-CAT, by Center of Internet Security scanner integration.

Link to the documentation:

https://documentation.wazuh.com/current/migrating-from-ossec/

This shows that there is definitely a lot of work we have done on top of OSSEC over the last three years that, I believe, justify using Wazuh instead.