Thanks all for the tips. Hope to be adding that USBSTOR rule I saw on the OSSEC website soon. :) Seems that would be a good thing to know in a PCI environment!
On Apr 4, 12:14 pm, Jeremy Lee <[email protected]> wrote:
> Welcome to OSSEC :)
>
> What kind of errors are you seeing? Whatever you see should show up in your Windows Event Log as that's one area OSSEC will monitor. So check the event log to see if you can find the OSSEC alerts you are seeing so you can verify this. To tune the alerts, if they are false positives, you can check the rules out on the OSSEC server at /var/ossec/rules/ - this directory contains all rule sets categorized by named XMLs. The ruleset for Windows is here: /var/ossec/rules/msauth_rules.xml
>
> If you get the rule ID of the level 10 alert you're seeing you can look for that rule ID in the msauth_rules.xml to find out exactly what it is.
>
> This will help get a start on things.
>
> In terms of PCI, take a look at the PCI DSS (https://www.pcisecuritystandards.org/security_standards/documents.php) - OSSEC, in general, covers at least these areas of PCI: File Integrity Monitoring (section 11.5) and Log Monitoring (section 10). As far as it being used as an "IDS" it's more of a "HIDS" (host-based IDS) and not in the classic sense of "IDS" (as you would think of a network-based IDS). I think you still may need a network-based IDS to monitor/sniff traffic in your in-scope environment (wherever cardholder data traverses) but it also doesn't hurt to have HIDS on the servers where CHD is traversing to/from (i.e. database servers or other backend servers storing and transmitting CHD).
>
> Hope that helps.
>
> Thanks,
> Jeremy
>
> On Mon, Apr 4, 2011 at 8:03 AM, Robert Smith <[email protected]> wrote:
> > Hello All,
> >
> > I am new to the ossec product. I just went through a PCI audit and they required us to have IDS in our "In Scope" PCI environment. I had read about ossec in the past and thought I would give it a try. I have the server loaded and the agent on 2 Windows servers.
> >
> > I saw that they offered "Commercial Support" but none of the Trend Micro resellers in my area have the expertise. What adds to the madness is that I am not a server guy, but more of a Cisco Networking guy.
> >
> > Some of my issues/concerns:
> >
> > With just 2 servers, I'm receiving tons of "Alert 10" and not really sure if they are a real concern. Most of them Audit failures. Where are these rules? How do I know what to leave in and what to take out for PCI compliance? Should I take out anything?
> >
> > Where can I find commercial support?
> >
> > Any advice would be appreciated.
> >
> > Robert L. Smith | TransCard
> > Systems Engineer
> > 4080 Jenkins Road | Suite 200 | Chattanooga, TN 37421
> > Office: (423) 553-5214 | Mobile: (423) 463-0050
> > [email protected] | www.transcard.com
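Jeremy's suggestion above is to look the alert's rule ID up in msauth_rules.xml. As an added example (not OSSEC's own code and not from anyone in the thread), here is a small Python lookup that does this over a constructed sample in the OSSEC rules format, following if_sid/if_matched_sid parents so a level 10 rule can be traced back to the base event it builds on; the rule IDs and descriptions in the sample are made up, and the real file's text can be passed to load_rules in its place.

```python
"""Look up an OSSEC rule ID in a rules file and show its level, description and
parent chain (added example, not OSSEC code; the sample rules are constructed)."""
import xml.etree.ElementTree as ET

# Constructed sample in the OSSEC rules format. The real Windows rules live in
# /var/ossec/rules/msauth_rules.xml; these IDs and descriptions are made up.
SAMPLE_RULES = """
<group name="windows,">
  <rule id="900100" level="0">
    <decoded_as>windows</decoded_as>
    <description>Group of Windows rules (constructed).</description>
  </rule>
  <rule id="900105" level="4">
    <if_sid>900100</if_sid>
    <description>Windows audit failure event (constructed).</description>
  </rule>
</group>
<group name="windows,authentication_failures,">
  <rule id="900152" level="10" frequency="8" timeframe="240">
    <if_matched_sid>900105</if_matched_sid>
    <description>Multiple Windows audit failures (constructed).</description>
  </rule>
</group>
"""

def load_rules(xml_text):
    """OSSEC rule files hold several top-level <group> (and <var>) elements rather than
    one root, so wrap the text in a synthetic root before parsing. Returns {id: <rule>}."""
    root = ET.fromstring("<ossec_rules>" + xml_text + "</ossec_rules>")
    return {r.get("id"): r for r in root.iter("rule")}

def rule_chain(rules, rule_id):
    """Follow <if_sid>/<if_matched_sid> from rule_id up to the root rule.
    Returns [(id, level, description), ...], child first; [] for an unknown ID."""
    chain, seen = [], set()
    while rule_id in rules and rule_id not in seen:
        seen.add(rule_id)
        r = rules[rule_id]
        chain.append((rule_id, int(r.get("level", "0")), r.findtext("description", "").strip()))
        parent = r.find("if_sid") if r.find("if_sid") is not None else r.find("if_matched_sid")
        # if_sid may list several parents separated by commas; follow the first one
        rule_id = parent.text.split(",")[0].strip() if parent is not None and parent.text else None
    return chain

def rules_at_or_above(rules, min_level):
    """IDs of rules that alert at or above min_level (10 for the 'Alert 10' mails)."""
    return sorted(i for i, r in rules.items() if int(r.get("level", "0")) >= min_level)

if __name__ == "__main__":
    for rid, level, desc in rule_chain(load_rules(SAMPLE_RULES), "900152"):
        print(f"rule {rid} (level {level}): {desc}")
```

Running it prints the level 10 rule first, then the level 4 audit-failure event it counts and the level 0 group rule; pointing load_rules at the real file gives the same view for the rule ID shown in the alert.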
