A few weeks ago Mischael Starks msg'd me on IRC (#ossec on freenode!) about a crazy idea he had. He wanted to present Daniel Cid (creator of OSSEC, but you knew that) with a plaque to thank him for all of the work he's done. Here's dcid's blog post with information about the plaque: OSSEC Award daemon
Showing appreciation for the developers of your favorite projects is important. They work hard, often using their precious free time to make their creation the best that it can be. Most of the time they see the reported problems, critical blog posts, or angry tweets. They probably don't see a lot of the good stories, and I bet it can be a bit of a drag. So send them a thank you email, or submit a patch, buy them something from their Amazon wish list, or get them a beverage of their choice the next time you see them at a conference. I hear buying them pizza is a good idea.
I know I owe the OSSEC developers a big big thank you to a lot of developers for a lot of projects, but this post is about OSSEC. So a big thank you to dcid, jrossi, mstarks, atomicturtle, and others I can't think of at the moment! OSSEC's great because of you guys. OSSEC Team CONTRIBUTORS
2WoO Day 5: Taming File Integrity Alerts by Michael Starks has some great information on syscheck alerts. The syscheck_control -u kind of helps you create a new baseline. Although this will leave a window of time when syscheck won't be able to help you.
WoO Day 5 : Decoders Unite! by Jason Frisvold is a nice basic introduction to OSSEC decoders. I just want to remind everyone that we love user contributions! Feel free to send changes and additions to the mailing list, that's how OSSEC gets support for more logs.
OSSEC got a mention in the Internet Storm Center's Tools updates - Oct 2010 post! Thanks to Jim Clausing and the rest of the ISC handlers for the great resource!
And last but not least, here's the mailing list discussion for the day. The topic is '2WoO Day 5: Shared intelligence: what does an attack.' I'd love to see the OSSEC logs from a real penetration test (or even a real attack), but I doubt anyone would release that kind of information. Maybe in the future one of the capture the flag (CTF) competitions would do us the favor of installing OSSEC on a target?
If I see anything else posted, I'll update.