The impression I get is that the answer is "tune your system to ignore or suppress alerts from known OK system events".

So, a rule that suppresses the Puppet apply events. I'm not saying it's gonna be easy, but that's the approach I'm starting to take atm. I've had this same basic question about Snort and OSSIM (a project that incorporates OSSEC) and that's the gist of the responses I've gotten.

-JDS

On Wednesday, June 15, 2016 at 6:19:19 AM UTC-4, Tahir Hafiz wrote:
>
> We are tuning our OSSEC server/agent environment.
> We have multiple environments and use Puppet for configuration management and AWS for our cloud based systems.
>
> We baseline (run OSSEC) at the start of an environment build, and then do a Puppet apply.
> We seem to have thousands of alerts coming in (many to do with syscheck on subsequent Puppet applies).
>
> How do you guys deal with so many alerts - do you try and whitelist all of them in the local_rules.xml file or just let them all go in to the alerts file?
> How do you know if an intruder has compromised a system if you constantly have login sessions opened and closed by system users and have level 7 syscheck alerts by Puppet applies happening as part of the normal running of your environment?
> How do you have warning systems based on alerts set up (e.g. a script that triggers to Nagios? or something else?).
>
> Cheers
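As an added example (not from either poster), here is the shape such a suppression rule can take in OSSEC's local_rules.xml: instead of silencing syscheck outright, it lowers the level of changes under a Puppet-managed prefix and then raises it back for credential and privilege files, so Puppet noise drops out of the e-mail/Nagios path while an unexpected edit to /etc/passwd still fires at level 7. The stock rule ids 550/553/554 (syscheck changed/deleted/added) and 5501/5502 (PAM session opened/closed) are OSSEC's own; the managed paths and the service-account names are assumptions for this example, and the login rule assumes the stock pam decoder populates the user field.

```xml
<!-- local_rules.xml (added example; 100000-119999 is the range OSSEC reserves for local rules) -->
<group name="local,syscheck,">

  <!-- Step 1: syscheck changes anywhere under the prefix Puppet manages on this fleet
       (assumed path). Level 3 keeps them in alerts.log for forensics but below the
       default alert_level; use level 0 plus <options>no_log</options> to drop them entirely. -->
  <rule id="100010" level="3">
    <if_sid>550,553,554</if_sid>
    <match>/etc/</match>
    <description>Syscheck change under Puppet-managed path (expected, logged only).</description>
  </rule>

  <!-- Step 2: child of the rule above. Files that grant access or privilege keep the
       stock level 7 even when Puppet is allowed to touch them, so a tampered
       credential file is never hidden by the blanket downgrade. -->
  <rule id="100011" level="7">
    <if_sid>100010</if_sid>
    <match>/etc/passwd|/etc/shadow|/etc/sudoers|/etc/ssh/sshd_config</match>
    <description>Syscheck change to credential/privilege file (overrides Puppet suppression).</description>
  </rule>

</group>

<group name="local,pam,syslog,">

  <!-- Step 3: PAM session open/close for known automation accounts (assumed names).
       Only these accounts are downgraded; interactive or unknown users still alert. -->
  <rule id="100020" level="1">
    <if_sid>5501,5502</if_sid>
    <user>puppet|nagios|backup</user>
    <description>Session opened/closed by automation account (expected).</description>
  </rule>

</group>
```

After editing, run `/var/ossec/bin/ossec-logtest` and paste a syscheck line (e.g. "Integrity checksum changed for: '/etc/passwd'") to confirm that 100011, not 100010, is the rule that fires for a sensitive path before restarting the server.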
