Michael Starks wrote:
> OSSEC should be useful out of the box. It should ship with a default
> ruleset like AV ships with DATs that are current at that time, then
> updates as new rules are written or updated.
I think the analogy you use is only partially true, though. Because of how OSSEC currently works, there are problems with having all of the decoders and rules active at the same time. Some logs look just like others, even though they need to be treated differently.

I would propose that the only default ruleset that OSSEC should have out of the box is a minimalistic one that only covers very basic, widely used services. So in such a model, I'd have a ruleset that covers a basic, minimalistic Linux install without having rules for various FTP servers, web servers, etc.

-- 
---------------------------
Jason 'XenoPhage' Frisvold
[email protected]
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology." - Niven's Inverse of Clarke's Third Law
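As an added illustration of the "minimal default" model proposed above (this fragment is not from the original thread and is not OSSEC's shipped configuration), the following ossec.conf `<rules>` section loads only the base-system rule files and leaves the FTP and web server rules out. The rule file names are assumed to match those shipped with the installed OSSEC release; note that this only trims the rules side, since the stock decoders live together in decoder.xml and are not selectable per service, which is part of the overlap problem the post describes.

```xml
<!-- Added example: a minimal <rules> section for ossec.conf (not OSSEC's
     shipped default). Only base-system rule files are included; file names
     are assumed to match the installed OSSEC release. Rules for services the
     host does not run are left out so they cannot match look-alike log lines. -->
<ossec_config>
  <rules>
    <include>rules_config.xml</include>   <!-- core definitions, must stay first -->
    <include>syslog_rules.xml</include>   <!-- generic syslog events -->
    <include>pam_rules.xml</include>      <!-- PAM authentication events -->
    <include>sshd_rules.xml</include>     <!-- sshd, present on nearly every Linux host -->
    <include>local_rules.xml</include>    <!-- site-specific additions go here -->
    <!-- Deliberately omitted for a base Linux install; add per host only when
         the service is actually running:
         apache_rules.xml, nginx_rules.xml, proftpd_rules.xml, vsftpd_rules.xml -->
  </rules>
</ossec_config>
```

After editing the include list, restart OSSEC and check the analysis daemon's startup log for any rule file it could not load; a host that later gains a web or FTP server gets the matching rule file added to its own configuration rather than to the default.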
