{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,25]],"date-time":"2026-02-25T15:15:32Z","timestamp":1772032532837,"version":"3.50.1"},"reference-count":24,"publisher":"MDPI AG","issue":"3","license":[{"start":{"date-parts":[[2019,9,13]],"date-time":"2019-09-13T00:00:00Z","timestamp":1568332800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["JSAN"],"abstract":"<jats:p>Intrusion Detection Systems (IDS) are used to prevent attacks by detecting potential harmful intrusion attempts. Currently, there are a set of available Open Source IDS with different characteristics. The Open Source Host-based Intrusion Detection System (OSSEC) supports multiple features and its implementation consists of Agents that collect and send event logs to a Manager that analyzes and tests them against specific rules. In the Manager, if certain events match a specific rule, predefined actions are triggered in the Agents such as to block or unblock a particular IP address. However, once an action is triggered, the systems administrator is not able to centrally check and obtain detailed information of the past event logs. In addition, OSSEC may assume false positive or negative detections and their triggered actions: previously harmless but blocked IP addresses by OSSEC have to be unblocked in order to reestablish normal operation or potential harmful IP addresses not previously blocked by OSSEC should be blocked in order to increase protection levels. These operations to override OSSEC actions must be manually performed in every Agent, thus requiring time and human resources. Both these limitations have a higher impact on large scale OSSEC deployments assuming tens or hundreds of Agents. This paper proposes an extension to OSSEC that improves the administrator analysis capability by maintaining, organizing and presenting Agent logs in a central point, and it allows for blocking or unblocking IP addresses in order to override actions triggered by false detections. The proposed extension aims to increase efficiency of time and human resources management, mainly considering large scale OSSEC deployments.<\/jats:p>","DOI":"10.3390\/jsan8030046","type":"journal-article","created":{"date-parts":[[2019,9,13]],"date-time":"2019-09-13T10:32:41Z","timestamp":1568370761000},"page":"46","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":9,"title":["OSSEC IDS Extension to Improve Log Analysis and Override False Positive or Negative Detections"],"prefix":"10.3390","volume":"8","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-9487-8572","authenticated-orcid":false,"given":"Diogo","family":"Teixeira","sequence":"first","affiliation":[{"name":"Instituto Polit\u00e9cnico de Viana do Castelo, 4900-347 Viana do Castelo, Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5490-9098","authenticated-orcid":false,"given":"Leonardo","family":"Assun\u00e7\u00e3o","sequence":"additional","affiliation":[{"name":"Instituto Polit\u00e9cnico de Viana do Castelo, 4900-347 Viana do Castelo, Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5845-4086","authenticated-orcid":false,"given":"Teresa","family":"Pereira","sequence":"additional","affiliation":[{"name":"Instituto Polit\u00e9cnico de Viana do Castelo, 4900-347 Viana do Castelo and Centro Algoritmi, Universidade do Minho, 4800-058 Guimar\u00e3es, Portugal"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5274-3733","authenticated-orcid":false,"given":"Silvestre","family":"Malta","sequence":"additional","affiliation":[{"name":"Instituto Polit\u00e9cnico de Viana do Castelo, 4900-347 Viana do Castelo, Portugal and atlanTTic, Universidade de Vigo, E36310 Vigo, Spain"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1856-6101","authenticated-orcid":false,"given":"Pedro","family":"Pinto","sequence":"additional","affiliation":[{"name":"Instituto Polit\u00e9cnico de Viana do Castelo, 4900-347 Viana do Castelo, ISMAI, and INESC TEC, 4200-465 Porto, Portugal"}]}],"member":"1968","published-online":{"date-parts":[[2019,9,13]]},"reference":[{"key":"ref_1","unstructured":"(2019, July 05). OSSEC\u2014Open Source Host-Based Intrusion Detection System. Available online: https:\/\/www.ossec.net."},{"key":"ref_2","unstructured":"(2019, July 05). Tripwire. Available online: https:\/\/www.tripwire.com."},{"key":"ref_3","unstructured":"(2019, July 05). Fail2ban. Available online: https:\/\/www.fail2ban.org."},{"key":"ref_4","unstructured":"(2019, July 05). Samhain Labs | Samhain. Available online: https:\/\/la-samhna.de\/samhain\/."},{"key":"ref_5","unstructured":"(2019, July 05). Snort\u2014Network Intrusion Detection Prevention System. Available online: https:\/\/www.snort.org."},{"key":"ref_6","unstructured":"(2019, July 05). Suricata | Open Source IDS\/IPS\/NSM Engine. Available online: https:\/\/suricata-ids.org."},{"key":"ref_7","unstructured":"(2019, July 05). OSSIM: The Open Source SIEM | AlienVault. Available online: https:\/\/www.alienvault.com\/products\/ossim."},{"key":"ref_8","unstructured":"Lin, Y., Zhang, Y., and Ou, Y.-J. (2010, January 2\u20134). The Design and Implementation of Host-Based Intrusion Detection System. Proceedings of the 2010 Third International Symposium on Intelligent Information Technology and Security Informatics, Jinggangshan, China."},{"key":"ref_9","first-page":"41","article-title":"Analysis of Host-Based and Network-Based Intrusion Detection System","volume":"8","author":"Singh","year":"2014","journal-title":"Comput. Netw. Inf. Secur."},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Ajay Kumara, M.A., and Jaidhar, C.D. (2015, January 26\u201328). Hypervisor and virtual machine dependent Intrusion Detection and Prevention System for virtualized cloud environment. Proceedings of the 2015 1st International Conference on Telematics and Future Generation Networks (TAFGEN), Kuala Lumpur, Malaysia.","DOI":"10.1109\/TAFGEN.2015.7289570"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Vukalovic, J., and Delija, D. (2015, January 25\u201329). Advanced Persistent Threats - detection and defense. Proceedings of the 2015 38th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), Opatija, Croatia.","DOI":"10.1109\/MIPRO.2015.7160480"},{"key":"ref_12","unstructured":"(2019, July 05). Sguil\u2014Open Source Network Security Monitoring. Available online: https:\/\/bammv.github.io\/sguil\/index.html."},{"key":"ref_13","unstructured":"(2019, July 05). SIEM, AIOps, Application Management, Log Management, Machine Learning, and Compliance|Splunk. Available online: https:\/\/www.splunk.com."},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Jain, R.K., and Trivedi, P. (2016, January 23\u201325). OSSEC Based Authentication Process with Minimum Encryption and Decryption Time for Virtual Private Network. Proceedings of the 2016 8th International Conference on Computational Intelligence and Communication Networks (CICN), Tehri, India.","DOI":"10.1109\/CICN.2016.92"},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Venkatesan, R., Devi, D.R., Keerthana, R., and Kumar, A.A. (2018, January 6\u20137). A Novel Approach For Detecting DDoS Attack in H-IDS Using Association Rule. Proceedings of the 2018 IEEE International Conference on System, Computation, Automation and Networking (ICSCA), Pondicherry, India.","DOI":"10.1109\/ICSCAN.2018.8541174"},{"key":"ref_16","unstructured":"(2019, July 05). Wazuh \u00b7 The Open Source Security Platform. Available online: https:\/\/wazuh.com\/."},{"key":"ref_17","unstructured":"(2019, July 05). Migrating from OSSEC \u00b7 Wazuh \u00b7 The Open Source Security Platform. Available online: https:\/\/wazuh.com\/migrating-from-ossec\/."},{"key":"ref_18","unstructured":"(2019, July 05). OSSEC-WUI. Available online: https:\/\/github.com\/ossec\/ossec-wui."},{"key":"ref_19","unstructured":"(2019, July 05). Analogi. Available online: https:\/\/github.com\/ECSC\/analogi."},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Yen, T.F., Oprea, A., Onarlioglu, K., Leetham, T., Robertson, W., Juels, A., and Kirda, E. (2013, January 9\u201313). Beehive: Large-scale log analysis for detecting suspicious activity in enterprise networks. Proceedings of the 29th Annual Computer Security Applications Conference on\u2014ACSAC \u201913, New Orleans, LA, USA.","DOI":"10.1145\/2523649.2523670"},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Alqahtani, S.M., Balushi, M.A., and John, R. (2014, January 10\u201313). An Intelligent Intrusion Prevention System for Cloud Computing (SIPSCC). Proceedings of the 2014 International Conference on Computational Science and Computational Intelligence, Las Vegas, NV, USA.","DOI":"10.1109\/CSCI.2014.161"},{"key":"ref_22","unstructured":"(2019, July 05). Elastic Stack\u2014ELK-Stack. Available online: https:\/\/www.elastic.co\/elk-stack."},{"key":"ref_23","unstructured":"(2019, July 05). Manually Unblock IP Blackisted by Active-Reponse before Timeout Expiration. Available online: https:\/\/marc.info\/?l=ossec-list&m=135040227316697&w=2."},{"key":"ref_24","unstructured":"(2019, July 05). Debian\u2014OSSEC: Unblock an IP and Increase Threshold - Server Fault. Available online: https:\/\/serverfault.com\/questions\/356729\/ossec-unblock-an-ip-and-increase-tresshold."}],"container-title":["Journal of Sensor and Actuator Networks"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2224-2708\/8\/3\/46\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T13:19:48Z","timestamp":1760188788000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2224-2708\/8\/3\/46"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,9,13]]},"references-count":24,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2019,9]]}},"alternative-id":["jsan8030046"],"URL":"https:\/\/doi.org\/10.3390\/jsan8030046","relation":{},"ISSN":["2224-2708"],"issn-type":[{"value":"2224-2708","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019,9,13]]}}}