Although I've only been using OSSEC for a couple of weeks, I believe it's one of the best tools I've used! I have three environments in which I wish to deploy it. The first, an environment comprised of mainly Windows Server 2003, is now being monitored and I feel that all is going well so far. The other two environments, however, are Windows 2008, which brings me to my first question.
1. Is Windows 2008 supported by OSSEC? I don't seem to see rules that are written specifically for Windows 2008, and unfortunately Microsoft did renumber all/most of the event IDs in this iteration of the OS. This Microsoft help and support page lists the event IDs: http://support.microsoft.com/default.aspx?scid=kb;EN-US;947226, and this useful third party article expounds on the problem quite a bit: http://blogs.manageengine.com/eventloganalyzer/2008/12/08/windows-vista-and-2008-server-events/

2. I'm far from thoroughly acquainted with the OSSEC documentation just yet, but I have been over it enough that I'm writing some simple rules and doing some other tuning. However, I haven't quite figured out the alert levels yet. It seems that by default I'm supposed to receive emails when the alert level is 7 or higher... however, I get many alerts for level 3 and such. Why is this? On a related note, I've read that the packaged rules use alert levels 0-15, but other than learning that a higher alert level represents a more concerning event, I have not seen any list of what the various levels are intended to mean so that I may gain an understanding of how an alert level was assigned to each rule (and therefore know how to assign alert levels to my own rules). Is there such an explanation somewhere?

Thanks for your assistance.

Chris Kolb
Manager of Information Security
GDSX, Ltd.
Phone: 972-612-7121
Fax: 972-612-7021
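As an added illustration of both questions in the post above (example configuration, not from the original message or the OSSEC project), here is a local_rules.xml rule pair that matches one of the renumbered Windows 2008 event IDs, next to the ossec.conf alert thresholds that decide what is logged versus mailed. The rule IDs 100100/100101, the frequency/timeframe values and the descriptions are assumed; event ID 4625 (failed logon, formerly 529 on Windows 2003), parent rule 18100 and the `alert_by_email` option are OSSEC/Windows values I know to exist.

```xml
<!-- local_rules.xml (added example; rule IDs 100100/100101 are assumed) -->
<group name="local,windows,">

  <!-- Level 5 ("user generated error" in the OSSEC level scale):
       one failed logon on Windows 2008, which renumbered 529 to 4625.
       18100 is OSSEC's generic "group of windows rules" parent, so
       this rule only fires for Windows eventlog records. -->
  <rule id="100100" level="5">
    <if_sid>18100</if_sid>
    <id>^4625$</id>
    <description>Windows 2008: an account failed to log on (event 4625).</description>
  </rule>

  <!-- Level 10 ("multiple user generated errors"): escalate when
       rule 100100 fires 8 times within 120 seconds. -->
  <rule id="100101" level="10" frequency="8" timeframe="120">
    <if_matched_sid>100100</if_matched_sid>
    <description>Windows 2008: repeated failed logons (possible brute force).</description>
  </rule>

  <!-- A low-level rule can still reach your inbox: the alert_by_email
       option mails a rule regardless of email_alert_level. Check the
       packaged rules for this option when level 3 alerts arrive by mail. -->
  <rule id="100102" level="3">
    <if_sid>18100</if_sid>
    <id>^4624$</id>
    <options>alert_by_email</options>
    <description>Windows 2008: successful logon (event 4624), mailed on purpose.</description>
  </rule>

</group>

<!-- ossec.conf excerpt: the two thresholds that govern what you see.
     Everything at or above log_alert_level lands in alerts.log;
     only alerts at or above email_alert_level are mailed
     (unless a rule carries alert_by_email, as shown above). -->
<ossec_config>
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>
```

Rule 100102 is deliberately low-level so that its mail behaviour is visibly caused by the option rather than the threshold; drop it, or remove the option, once the effect is understood.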
