Yep, that really sounds like the best way to go. 

OSSIM seems cool, too bad all the really cool stuff is in USM though. 

On Friday, June 17, 2016 at 12:22:29 PM UTC-7, JDS wrote:
>
> The impression I get is that the answer is "tune your system to ignore or 
> suppress alerts from known OK system events"
>
> So, a rule that suppresses the Puppet apply events.
>
> I'm not saying it's gonna be easy, but that's the approach I'm starting to 
> take atm.
>
> I've had this same basic question about Snort and OSSIM (a project that 
> incorporates OSSEC) and that's the gist of the responses I've gotten.
>
> -JDS
>
> On Wednesday, June 15, 2016 at 6:19:19 AM UTC-4, Tahir Hafiz wrote:
>>
>> We are tuning our OSSEC server/agent environment. 
>> We have multiple environments and use Puppet for configuration management 
>> and AWS for our cloud based systems. 
>>
>> We baseline (run OSSEC) at the start of an environment build, and then do 
>> a Puppet apply. 
>> We seem to have thousands of alerts coming in (many to do with syscheck 
>> on subsequent Puppet applies). 
>>
>> How do you guys deal with so many alerts - do you try and whitelist all 
>> of them in the local_rules.xml file or just let them all go in to the 
>> alerts file?
>> How do you know if an intruder has compromised a system if you constantly 
>> have login sessions opened and closed by system users and have level 7 
>> syscheck alerts by Puppet applies happening as part of the normal running of 
>> your environment?
>> How do you have warning systems based on alerts set up (e.g. a script 
>> that triggers to Nagios? or something else?).
>>
>> Cheers
>>
>>
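As an added illustration of the approach JDS describes (not from any poster), here is what a scoped suppression in local_rules.xml can look like: routine syscheck hits under a Puppet-managed tree are dropped to level 0, while a sensitive subset of that same tree is re-raised so a change there still lands in alerts.log. The rule IDs (100010, 100011) and the paths /etc/myapp/ and /opt/myapp/conf/ are assumptions; the sids 550-554 are OSSEC's own syscheck rules.

```xml
<group name="local,syscheck,puppet,">

  <!-- Rule IDs and paths below are hypothetical; adjust to what Puppet manages. -->

  <!-- 550/551/552 = checksum changed (1st/2nd/3rd time), 553 = file deleted,
       554 = file added. Scope the suppression to explicit Puppet-managed paths
       only; a bare if_sid 550 at level 0 would blind syscheck host-wide. -->
  <rule id="100010" level="0">
    <if_sid>550,551,552,553,554</if_sid>
    <match>/etc/myapp/|/opt/myapp/conf/</match>
    <description>Syscheck change under a Puppet-managed path (suppressed).</description>
  </rule>

  <!-- Child of 100010: files Puppet manages but that must still alert.
       The child's level overrides the parent's, so these reach alerts.log. -->
  <rule id="100011" level="10">
    <if_sid>100010</if_sid>
    <match>/etc/myapp/secrets/|/etc/myapp/auth.conf</match>
    <description>Syscheck change to a sensitive file under a Puppet-managed path.</description>
  </rule>

</group>
```

Paste a real "Integrity checksum changed for: '...'" line into /var/ossec/bin/ossec-logtest to confirm which of the two rules fires before relying on it.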

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.