Welcome to OSSEC :)

What kind of errors are you seeing? Whatever you see should show up in your Windows Event Log, as that's one area OSSEC will monitor. So check the event log to see if you can find the OSSEC alerts you are seeing, so you can verify this.

To tune the alerts, if they are false positives, you can check the rules out on the OSSEC server at /var/ossec/rules/ - this directory contains all rule sets, categorized by named XML files. The ruleset for Windows is here: /var/ossec/rules/msauth_rules.xml

If you get the rule ID of the level 10 alert you're seeing, you can look for that rule ID in msauth_rules.xml to find out exactly what it is. This will help get a start on things.

In terms of PCI, take a look at the PCI DSS (https://www.pcisecuritystandards.org/security_standards/documents.php) - OSSEC, in general, covers at least these areas of PCI: File Integrity Monitoring (section 11.5) and Log Monitoring (section 10).

As far as it being used as an "IDS", it's more of a "HIDS" (host-based IDS) and not an "IDS" in the classic sense (as you would think of a network-based IDS). I think you still may need a network-based IDS to monitor/sniff traffic in your in-scope environment (wherever cardholder data traverses), but it also doesn't hurt to have HIDS on the servers where CHD is traversing to/from (i.e. database servers or other backend servers storing and transmitting CHD).

Hope that helps.

Thanks,
Jeremy

On Mon, Apr 4, 2011 at 8:03 AM, Robert Smith <[email protected]> wrote:
> Hello All,
>
> I am new to the ossec product. I just went through a PCI audit and they
> required us to have IDS in our "In Scope" PCI environment. I had read about
> ossec in the past and thought I would give it a try. I have the server
> loaded and the agent on 2 Windows servers. I saw that they offered
> "Commercial Support" but none of the Trend Micro resellers in my area have
> the expertise. What adds to the madness is that I am not a server guy, but
> more of a Cisco networking guy.
>
> Some of my issues/concerns:
>
> With just 2 servers, I'm receiving tons of "Alert 10" and not really sure if
> they are a real concern. Most of them audit failures. Where are these
> rules? How do I know what to leave in and what to take out for PCI
> compliance? Should I take out anything?
>
> Where can I find commercial support?
>
> Any advice would be appreciated.
>
> Robert L. Smith | TransCard
> Systems Engineer
> 4080 Jenkins Road | Suite 200 | Chattanooga, TN 37421
> Office: (423) 553-5214 | Mobile: (423) 463-0050
> [email protected] | www.transcard.com
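The rule lookup Jeremy describes (take the rule ID from a level 10 alert, find it in /var/ossec/rules/*.xml, read its level and description) can be scripted. The helper below is an added example, not part of the thread or of OSSEC itself; the sample rule file is constructed to mirror the shape of msauth_rules.xml, and its rule IDs, levels and descriptions are placeholders, not OSSEC's real values. It assumes the OSSEC server layout from the reply (rules under /var/ossec/rules/) and wraps each file in a synthetic root element, because OSSEC rule files are XML fragments with several top-level <group> elements rather than one document root.

```python
"""Look up OSSEC rules by id and list rules at or above a given level.

Hypothetical helper (not OSSEC code). OSSEC rule files are XML fragments
with multiple top-level <group> elements, so each file is wrapped in a
synthetic <root> element before parsing.
"""
import glob
import xml.etree.ElementTree as ET

# Constructed sample in the shape of msauth_rules.xml. The ids, levels
# and descriptions are placeholders, not OSSEC's real rule values.
SAMPLE_RULES = """
<group name="windows,">
  <rule id="100100" level="5">
    <description>Windows audit failure event (placeholder).</description>
  </rule>
  <rule id="100110" level="10" frequency="8" timeframe="120">
    <if_matched_sid>100100</if_matched_sid>
    <description>Multiple Windows audit failures (placeholder).</description>
  </rule>
</group>
<group name="windows,authentication_failed,">
  <rule id="100120" level="10">
    <if_sid>100100</if_sid>
    <match>Logon Failure</match>
    <description>Windows logon failure (placeholder).</description>
  </rule>
</group>
"""


def parse_rules(text):
    """Return {rule_id: {"level": int, "description": str, "depends_on": [ids]}}.

    depends_on lists the parent rules (<if_sid>/<if_matched_sid>), which
    shows whether a level 10 alert is a single event or a frequency
    rollup of lower-level events, the usual case for 'audit failure' noise.
    """
    root = ET.fromstring("<root>" + text + "</root>")
    rules = {}
    for rule in root.iter("rule"):
        deps = [e.text.strip() for tag in ("if_sid", "if_matched_sid")
                for e in rule.findall(tag) if e.text]
        desc = rule.findtext("description", default="").strip()
        rules[rule.get("id")] = {"level": int(rule.get("level", "0")),
                                 "description": desc, "depends_on": deps}
    return rules


def lookup(rules, rule_id):
    """Find one rule by id (as shown in the alert); None if unknown."""
    return rules.get(str(rule_id))


def rules_at_or_above(rules, level):
    """Sorted ids of every rule whose level is >= level."""
    return sorted(rid for rid, r in rules.items() if r["level"] >= level)


def load_rules_dir(path="/var/ossec/rules"):
    """Parse every *.xml under the OSSEC server's rules directory."""
    merged = {}
    for fname in sorted(glob.glob(path + "/*.xml")):
        with open(fname, encoding="utf-8", errors="replace") as fh:
            merged.update(parse_rules(fh.read()))
    return merged


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for rid in rules_at_or_above(rules, 10):
        print(rid, rules[rid])
```

On a real server, replace parse_rules(SAMPLE_RULES) with load_rules_dir() and pass the rule ID from the alert to lookup(); a rule whose depends_on points at a lower-level parent is a candidate for tuning the threshold rather than silencing the event.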
