On Thu, Oct 21, 2010 at 07:34:48AM -0500, Michael Starks wrote:
> What happens when a host is attacked?

Something gets into our system.

> What is the usual sequence of events that take place? How can OSSEC effectively detect these while keeping the noise down?

Some suspicious traffic may be understood by snort: first time seen, scan from many hosts to one, port anomalies.

- A netstat command looking for listen port changes
- A ps command looking for new processes
- An unusual average of logs per hour, maybe
- The classic: new user, new files, files gone, files changed
- Check the httpd www data a lot

Sorry for not posting the rules that may refer to all this, but the base OSSEC already has the data; you just put the high-level rules on top. That's why <group> is such a powerful tag to abstract your security universe :)

> --
> Michael Starks
> [I] Immutable Security
> http://www.immutablesecurity.com
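As an added example (not the rules the poster declined to share, and not OSSEC's own distribution files), here is how the netstat/ps checks above can be fed into OSSEC as monitored commands, with a local rule that alerts only when the output differs from the previous run and a group-based rule that escalates when it keeps changing. The rule ids, the ps command string and the group names are assumptions; the stock ruleset already ships a check_diff rule for the netstat command.

```xml
<!-- ossec.conf (or agent.conf): run the commands periodically and
     hand their output to the analysis engine as "ossec: output:" events -->
<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan | grep LISTEN | grep -v 127.0.0.1 | sort</command>
  </localfile>
  <localfile>
    <log_format>full_command</log_format>
    <!-- assumed command: the sorted set of running process names -->
    <command>ps -eo comm | sort -u</command>
  </localfile>
</ossec_config>

<!-- local_rules.xml: rule ids 100000-119999 are reserved for local rules -->
<group name="local,command_monitoring,">

  <!-- 530 is the stock parent rule for command output; match only the
       prefix of the command (a '|' inside <match> would be read as OR) -->
  <rule id="100010" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'ps -eo comm</match>
    <check_diff />
    <description>Set of running process names changed since last check.</description>
    <group>process_monitoring,</group>
  </rule>

  <!-- escalate when the process set changes three times within ten minutes,
       which is where the poster's <group> abstraction pays off -->
  <rule id="100011" level="10" frequency="3" timeframe="600">
    <if_matched_group>process_monitoring</if_matched_group>
    <description>Running process set changed repeatedly in a short time.</description>
  </rule>

</group>
```

check_diff keeps the noise down because a stable list of listeners or processes never fires; only the first run and each subsequent change produce an alert.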
