Even though my opinion is probably biased (I am part of the Wazuh team), here is an update on the differences between OSSEC and Wazuh:
Scalability and reliability
• Cluster support for managers to scale horizontally.
• Support for Puppet, Chef, Ansible and Docker deployments.
• TCP support for agent-manager communications.
• Anti-flooding feature to prevent large bursts of events from being lost or negatively impacting network performance.
• AES encryption used for agent-manager communications (instead of Blowfish).
• Multi-thread support for manager processes, dramatically increasing their performance.
Intrusion detection
• Improved log analysis engine, with native JSON decoding and ability to name fields dynamically.
• Increased maximum message size from 6KB to 64KB (being able to analyze much larger log messages).
• Updated ruleset with new log analysis rules and decoders.
• Native rules for Suricata, making use of JSON decoder.
• Integration with Owhl project for unified NIDS management.
• Support for IP reputation databases (e.g. AlienVault OTX).
• Native integration with Linux auditing kernel subsystem and Windows audit policies to capture who-data for FIM events.
Integration with cloud providers
• Module for native integration with Amazon AWS (pulling data from Cloudtrail or Cloudwatch).
• New rules and decoders for Amazon AWS.
• Module for native integration with Microsoft Azure.
• New rules and decoders for Microsoft Azure.
Regulatory compliance
• Alert mapping with PCI DSS and GPG13 requirements.
• Compliance dashboards for Elastic Stack, provided by Wazuh Kibana plugin.
• Compliance dashboards for Splunk, provided by Wazuh app.
• Use of Owhl project Suricata mapping for compliance.
• SHA256 hashes used for file integrity monitoring (in addition to MD5 and SHA1).
• Module for integration with OpenScap, used for configuration assessment.
Elastic Stack integration
• Provides the ability to index and query data.
• Data enrichment using GeoIP Logstash module.
• Kibana plugin used to visualize data (integrated using the Wazuh RESTful API).
• Web user interface pre-configured extensions, adapting it to your use cases.
Incident response
• Module for collection of software and hardware inventory data.
• Ability to query for software and hardware via RESTful API.
• Module for integration with Osquery, being able to run queries on demand.
• Implementation of new output options for log collector component.
• Module for integration with Virustotal, used to detect the presence of malicious files.
Vulnerability detection and configuration assessment
• Dynamic creation of CVE vulnerability databases, gathering data from OVAL repositories.
• Cross correlation with applications inventory data to detect vulnerable software.
• Module for integration with OpenScap allows the user to remotely configure scans.
• Support for CIS-CAT, by Center of Internet Security scanner integration.
Link to the documentation:
link
This shows that there is certainly a lot of work we have done on OSSEC over the last three years which, I believe, justifies using Wazuh instead.