I concur with Jeremy; you probably want to look at something like Snort as well for IDS needs.

As to Audit events... I would suggest looking at the events one at a time to address them. They are likely telling you about real issues that you want to correct rather than simply squelch. For instance, the following would lead to frequent level 10 alerts:

* You have unnecessary open ports (RDP, for instance) and hackers are running dictionary attacks.
* You have a service on a workstation or server with bad credentials (for instance, someone installed a service to log in as them, then didn't know to update it when their password changed).

I will say, though, that I personally am seeing 18153 alerts triggered by multiple 18139 alerts on 4769 failure events with Failure Code 0xe. I believe that these are harmless and should be squelched, though doing so was difficult for me.

Evidence that 18152 on 0xe is harmless:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/a487286d-bd35-4e5b-8c60-761565fe29b5/

Thread where I have difficulty squelching:
http://groups.google.com/group/ossec-list/browse_thread/thread/f3c1aa124a30e5c2/fb4b95870903420c#fb4b95870903420c

On Apr 4, 9:03 am, Robert Smith <[email protected]> wrote:
> Hello All,
>
> I am new to the ossec product. I just went through a PCI audit and they
> required us to have IDS in our "In Scope" PCI environment. I had read about
> ossec in the past and thought I would give it a try. I have the server
> loaded and the agent on 2 Windows servers. I saw that they offered
> "Commercial Support" but none of the Trend Micro resellers in my area have the
> expertise. What adds to the madness is that I am not a server guy, but more
> of a Cisco networking guy.
>
> Some of my issues/concerns:
> With just 2 servers, I'm receiving tons of "Alert 10" and not really sure if
> they are a real concern. Most of them are Audit failures. Where are these
> rules? How do I know what to leave in and what to take out for PCI
> compliance? Should I take out anything?
>
> Where can I find commercial support?
>
> Any advice would be appreciated.
>
> Robert L. Smith | TransCard
> Systems Engineer
> 4080 Jenkins Road | Suite 200 | Chattanooga, TN 37421
> Office: (423) 553-5214 | Mobile: (423) 463-0050
> [email protected] | www.transcard.com <http://www.transcard.com/>
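One way to squelch only the 4769 / Failure Code 0xe noise the reply describes, while leaving every other Windows audit failure alerting, is a child rule in OSSEC's local_rules.xml. This is an added example, not something posted in the thread; it assumes 18139 is the per-event rule and 18153 the composite that counts repeated 18139 matches (as the reply states), that rule id 100200 is free, and that the "Failure Code:" wording matches what your agent actually ships.

```xml
<!-- local_rules.xml: added example, not from the thread.
     In OSSEC a child rule (if_sid) that matches replaces the parent
     rule for that event, so 18153's frequency counter no longer sees
     an 18139 match and stops firing on these events. -->
<group name="local,windows,">

  <!-- Level 0 = no alert, no log entry. Rule id 100200 is a placeholder
       in the 100000+ range OSSEC reserves for local rules. -->
  <rule id="100200" level="0">
    <if_sid>18139</if_sid>

    <!-- Restrict to Kerberos service ticket requests (event 4769);
         the Windows event-log decoder exposes the event id as "id". -->
    <id>^4769$</id>

    <!-- Restrict further to failure code 0xe so other 4769 failures
         (bad password, expired ticket, ...) still raise 18139/18153.
         The spacing after "Failure Code:" is an assumption; copy the
         exact text from an entry in /var/ossec/logs/alerts/alerts.log. -->
    <regex>Failure Code:\s*0xe</regex>

    <description>Ignored: Kerberos 4769 failure with code 0xe (local override)</description>
  </rule>

</group>
```

Feed one of the offending alert lines to /var/ossec/bin/ossec-logtest before restarting: it should now report rule 100200 at level 0 instead of 18139.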
