Well, I think that, as you said, showing that we take action on alerts in some reasonable way is good enough. I guess that the way to proceed is, as you mentioned, to send alerts to a ticketing system and then take action on them from the ticketing system.

-Luc

On Thursday, 31 July 2014 10:52:58 UTC-4, Michael Starks wrote:

> On 2014-07-31 9:43, Luc Paulin wrote:
> > Hi Everyone,
> > I am currently setting up OSSEC due to a PCI requirement. Most of
> > everything is now fully set up, but now I have a question.
> >
> > How do you handle alerts generated by the system? I mean, as per PCI, my
> > understanding is that we must "prove" that for each alert generated
> > we must have a way of proving that this was corrected, either say
> > that it was a false alarm, or the issue is minor and does not affect
> > the security.
>
> I'm not aware of that requirement in the DSS. Could you please
> reference? My experience has been that you simply need to show that you
> are being alerted to issues and taking action on them in some reasonable
> way. This doesn't mean that every alert an IDS generates has to be
> tracked. What I do is have alerts sent to a ticketing system for the
> important, low false-positive stuff (e.g. Administrators group changed)
> and then make a judgement call on everything else. Be very careful with
> this as something like a Nessus scan could result in 1000 opened
> tickets, so you really must use caution.
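One way to implement the routing Michael describes (ticket only the high-signal rules, leave the rest for a judgement call, and keep a scanner from opening a thousand tickets), as an added example that is not from this thread or from the OSSEC project: the script below parses alert records laid out like OSSEC's `alerts.log`, tickets only rules in an assumed `TICKET_RULES` set, collapses repeats of the same rule from the same source within a time window into one ticket with a count, and folds alerts from a source that is flooding (more than `BURST_THRESHOLD` alerts in the window) into a single burst ticket. The sample log, the rule IDs, hostnames and addresses are constructed placeholders; the ticketing side is left as the returned list, since the real call depends on your ticketing system.

```python
"""Triage OSSEC-style alerts: ticket high-signal rules, collapse bursts.

Added example, not OSSEC project code. The alert records are constructed to
mimic the alerts.log layout; rule IDs, hosts and addresses are placeholders.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed set of rules worth a ticket every time (low false-positive,
# high impact). Pick these from your own ruleset; the IDs are placeholders.
TICKET_RULES = {18112, 18113}
# A source producing more than this many alerts (of any rule) inside WINDOW
# is treated as a burst, e.g. a vulnerability scanner, and gets one ticket.
BURST_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.\d+: ")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
SRC_RE = re.compile(r"^Src IP: (\S+)$")


def parse_alerts(text):
    """Split blank-line separated records into dicts (ts, rule, level, desc, src)."""
    alerts = []
    for block in text.strip().split("\n\n"):
        alert = {"src": None}
        for line in block.splitlines():
            if m := HEADER_RE.match(line):
                alert["ts"] = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
            elif m := RULE_RE.match(line):
                alert["rule"], alert["level"] = int(m.group(1)), int(m.group(2))
                alert["desc"] = m.group(3)
            elif m := SRC_RE.match(line):
                alert["src"] = m.group(1)
        if "rule" in alert and "ts" in alert:
            alerts.append(alert)
    return alerts


def triage(alerts):
    """Return (tickets, judgement_queue) for alerts processed in time order."""
    tickets, queue = [], []
    open_ticket = {}             # (rule, src) -> ticket still accumulating
    open_burst = {}              # src -> burst ticket still accumulating
    recent = defaultdict(deque)  # src -> timestamps of all alerts in WINDOW

    for a in sorted(alerts, key=lambda x: x["ts"]):
        src = a["src"] or "unknown"
        q = recent[src]
        q.append(a["ts"])
        while a["ts"] - q[0] > WINDOW:
            q.popleft()

        if a["rule"] not in TICKET_RULES:
            queue.append(a)          # left for a manual judgement call
            continue

        burst = open_burst.get(src)
        if burst and a["ts"] - burst["last"] <= WINDOW:
            burst["count"] += 1
            burst["last"] = a["ts"]
            continue

        if len(q) > BURST_THRESHOLD:
            # Flooding source: one ticket for the burst, not one per rule.
            # Tickets already opened for this source earlier stay as they are.
            burst = {"src": src, "rule": None, "count": 1, "first": a["ts"],
                     "last": a["ts"],
                     "desc": f"alert burst from {src} ({len(q)} alerts in window)"}
            tickets.append(burst)
            open_burst[src] = burst
            continue

        key = (a["rule"], src)
        t = open_ticket.get(key)
        if t and a["ts"] - t["last"] <= WINDOW:
            t["count"] += 1          # same rule, same source: update, don't reopen
            t["last"] = a["ts"]
            continue
        t = {"src": src, "rule": a["rule"], "desc": a["desc"], "count": 1,
             "first": a["ts"], "last": a["ts"]}
        tickets.append(t)
        open_ticket[key] = t
    return tickets, queue


def _record(epoch, rule, level, desc, src):
    """Build one constructed alerts.log-style record."""
    return (f"** Alert {epoch}.0: - constructed,\n"
            f"2014 Jul 31 15:32:58 (host) {src}->log\n"
            f"Rule: {rule} (level {level}) -> '{desc}'\n"
            f"Src IP: {src}")


T0 = 1406818378  # constructed epoch base
SAMPLE_LOG = "\n\n".join(
    [_record(T0, 18112, 10, "Sensitive group changed (placeholder)", "192.0.2.10"),
     _record(T0 + 10, 5716, 5, "Authentication failed (placeholder)", "198.51.100.7"),
     _record(T0 + 120, 18112, 10, "Sensitive group changed (placeholder)", "192.0.2.10")]
    + [_record(T0 + 200 + 10 * i, 40000 + i, 3, "Noise (placeholder)", "203.0.113.5")
       for i in range(6)]
    + [_record(T0 + 260, 18113, 10, "Account locked out (placeholder)", "203.0.113.5"),
       _record(T0 + 270, 18113, 10, "Account locked out (placeholder)", "203.0.113.5")])

if __name__ == "__main__":
    tickets, queue = triage(parse_alerts(SAMPLE_LOG))
    for t in tickets:
        print(f"TICKET rule={t['rule']} src={t['src']} count={t['count']} {t['desc']}")
    print(f"{len(queue)} alert(s) left for manual review")
```

With the constructed sample, two repeats of the group-change rule from one host become a single ticket with a count of 2, the scanner-like source that fired six noise alerts before its two ticketable ones gets one burst ticket instead of two, and the remaining seven low-signal alerts wait in the review queue. The dedup and burst windows are the knobs to tune against your own alert volume before wiring the ticket list to a real ticketing API.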
