DeepSec 2019 Training: Threat Hunting with OSSEC – Xavier Mertens

Sanna/ October 26, 2019/ Training

OSSEC is sometimes described as a low-cost log management solution but it has many interesting features which, when combined with external sources of information, may help in hunting for suspicious activity occurring on your servers and end-points.

During this training, you will learn the basic of OSSEC and its components, how to deploy it and quickly get results. The second part will focus on the deployment of specific rules to catch suspicious activities. From an input point of view, we will see how easy it is to learn new log formats to increase the detection scope and, from an output point of view, how we can generate alerts by interconnecting OSSEC with other tools like MISP, TheHive or an ELK Stack / Splunk / … and add more contextual content with OSINT feeds.

We asked Xavier a few more questions about his talk.

Please tell us the top 5 facts about your training.

  1. It’s critical for organizations to be aware of what’s happening on their networks.
  2. The idea is to use information present on the Internet to increase the detection rates.
  3. Security controls can be implemented with free tools.
  4. The training has many labs and students will practice.
  5. Thee goal is to open the students’ eyes and make them have ideas to implement on their side.

How did you come up with it? Was there something like an initial spark that set your mind on creating this training?

I’m a big fan of OSSEC for years and already blogged a lot about it. I participated in the project (f.ex: I wrote the initial GeoIP support).
And, of course, I’m using it daily to monitor my infrastructure. Many (small) organizations do not have resources to implement or seem afraid to deploy solutions like OSSEC. I think it was time to wrap-up all this content and provide it as a training.

Why do you think this is an important topic?

Despite the fact that we deploy more and more security controls at our network boundaries, we still see compromised hosts, data leaks, etc. Keeping an eye on events is key to detect all suspicious activity as soon as possible.

Is there something you want everybody to know – some good advice for our readers maybe?

Sharing and integration of tools are a key point. Each of them has interesting data that can be reused by other tools to improve detection capabilities. The training could be interesting for Blue Team people or system/security engineers. Investing in tools like OSSEC will also raise your overall protection and, in case of an incident, you will already have some data to analyze.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your training in particular?

The problem with many organizations today: the business is running so fast that they can’t keep control of what’s deployed in their infrastructure. They loose the knowledge of what’s important. This is a key requirement to better protect yourself. With tools like OSSEC, you can at least collect information from your hosts and granularly implement  controls to detect / block bad guys at an early stage.


Xavier Mertens is a freelance cyber security consultant based in Belgium. His daily job focuses on protecting his customers assets by applying “defensive” security (incident handling, forensics, log management, SIEM, security visualisation, OSINT) but also “offensive” security (pentesting). However, his preferred domain is playing on the Blue Team side. Besides his daily job, Xavier is also a security blogger, a SANS Internet Storm Center handler and co-organizer of the BruCON security conference.

Share this Post