Hi Robert -- First, you might want to pick up the OSSEC HIDS Guide on Amazon or at a local bookstore - even for a networking guy it has tons of useful info.
Hard to say where the "10" alerts are coming from since it could be a number of sources. Bottom line, you are going to want to tune this a bit with the "local_rules.xml" file... If you can share which alerts you are getting we could help with the format for the rules you might want to tune a bit. The beauty of OSSEC is all the tuning is done on the server, and is pretty straightforward. And it is a great tool for meeting PCI compliance on so many levels.

Cheers
Kat

On Apr 4, 10:03 am, Robert Smith <[email protected]> wrote:
> Hello All,
>
> I am new to the ossec product. I just went through a PCI audit and they
> required us to have IDS in our "In Scope" PCI environment. I had read about
> ossec in the past and thought I would give it a try. I have the server
> loaded and the agent on 2 Windows servers. I saw that they offered
> "Commercial Support" but none of the TrendMicro resellers in my area have the
> expertise. What adds to the madness is that I am not a server guy, but more
> of a Cisco Networking guy.
>
> Some of my issues/concerns:
> With just 2 servers, I'm receiving tons of "Alert 10" and not really sure if
> they are a real concern. Most of them Audit failures. Where are these
> rules? How do I know what to leave in and what to take out for PCI
> compliance? Should I take out anything?
>
> Where can I find commercial support?
>
> Any advice would be appreciated.
>
> Robert L. Smith | TransCard
> Systems Engineer
> 4080 Jenkins Road | Suite 200 | Chattanooga, TN 37421
> Office: (423) 553-5214 | Mobile: (423) 463-0050
> [email protected] | www.transcard.com <http://www.transcard.com/>
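Kat's advice boils down to two steps: find out which rule ids are producing the level-10 alerts, then lower or silence those rules from local_rules.xml on the server. The script below is an added example written for this thread, not code from the OSSEC project or from either poster. It tallies the `Rule: <id> (level <n>) -> '<description>'` lines from an alerts.log and generates a child rule that re-levels a noisy parent via `<if_sid>`. The alert entries, host names, rule ids and descriptions embedded in it are constructed sample data; the rule ids in your own alerts.log are the ones to use, and the local rule id 100001 is just the first id in the range OSSEC reserves for local rules.

```python
import re
from collections import Counter

# Constructed sample of alerts.log entries (not real data). Only the
# "Rule: <id> (level <n>) -> '<desc>'" line matters to the tally below.
SAMPLE_ALERTS = """\
** Alert 1301924581.0: - windows,
2011 Apr 04 09:43:01 (WIN-SRV1) 10.1.1.20->WinEvtLog
Rule: 18152 (level 10) -> 'Multiple Windows audit failure events.'
User: (no user)

** Alert 1301924640.0: - windows,
2011 Apr 04 09:44:00 (WIN-SRV2) 10.1.1.21->WinEvtLog
Rule: 18152 (level 10) -> 'Multiple Windows audit failure events.'
User: (no user)

** Alert 1301924700.0: - windows,
2011 Apr 04 09:45:00 (WIN-SRV1) 10.1.1.20->WinEvtLog
Rule: 18105 (level 4) -> 'Windows audit failure event.'
User: svc_backup

** Alert 1301924760.0: - ossec,
2011 Apr 04 09:46:00 ossec-server->ossec
Rule: 502 (level 3) -> 'Ossec server started.'
"""

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$", re.MULTILINE)


def tally_alerts(text, min_level=0):
    """Count alerts per (rule_id, level, description), keeping only those
    at or above min_level. Returns a Counter keyed by that tuple."""
    counts = Counter()
    for rule_id, level, desc in RULE_RE.findall(text):
        level = int(level)
        if level >= min_level:
            counts[(int(rule_id), level, desc)] += 1
    return counts


def suggest_override(parent_id, new_level, local_id=100001, no_email=True):
    """Build a local_rules.xml child rule that fires whenever parent_id fires
    and replaces its level. Level 0 makes OSSEC drop the alert entirely."""
    if not 0 <= new_level <= 15:
        raise ValueError("OSSEC rule levels run from 0 to 15")
    if local_id < 100000:
        raise ValueError("local rule ids must be 100000 or higher")
    options = "    <options>no_email_alert</options>\n" if no_email else ""
    return (
        '<group name="local,">\n'
        f'  <rule id="{local_id}" level="{new_level}">\n'
        f"    <if_sid>{parent_id}</if_sid>\n"
        f"{options}"
        f"    <description>Re-leveled rule {parent_id} after tuning review</description>\n"
        "  </rule>\n"
        "</group>\n"
    )


def noisiest(text, min_level=10, top=3):
    """Rule tuples responsible for the most alerts at or above min_level."""
    return [key for key, _ in tally_alerts(text, min_level).most_common(top)]


if __name__ == "__main__":
    # Triage: which rules produce the level-10 alerts, and how many each?
    for (rule_id, level, desc), n in tally_alerts(SAMPLE_ALERTS, 10).most_common():
        print(f"rule {rule_id} level {level} x{n}: {desc}")
    # Draft an override for the noisiest one, dropping it to level 5.
    rule_id = noisiest(SAMPLE_ALERTS)[0][0]
    print(suggest_override(rule_id, new_level=5))
```

Run it against your real file with `tally_alerts(open('/var/ossec/logs/alerts/alerts.log').read(), 10)` and you get the list of rule ids to look up in the server's rules directory before deciding whether a rule is a genuine concern or just noise. Lowering a level rather than deleting the rule keeps the event in the log, which is what a PCI auditor will usually want to see; dropping to level 0 should be reserved for rules you have confirmed are irrelevant to the in-scope hosts.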
