I'm looking for advice about improving the signal/noise ratio for syscheck alerts. I just installed OSSEC and I'm loving it, but I know that if I can't improve the signal to noise ratio of syscheck, I'll have to turn it off.
As an example, yesterday I got an alert that sudoedit had changed. This is definitely from an OS update, and all the other alerts I've gotten from syscheck have been too. I know I'm going to start ignoring these alerts. At the same time, even if I'm vigilant, I'm concerned that once the OS updates this file three times, it'll auto-ignore itself, effectively disabling the system. Maybe that's OK, but it seems bad.

I want to pay attention to syscheck alerts, I think they're an important part of OSSEC (maybe not?), but I won't pay attention for long with this level of noise. How do folks deal with this so that it's a useful feature they don't just ignore in practice? Maybe the idea is to just keep a log of the changes and rely on other things to alert you of an intruder?

Mike
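One way to triage alerts like the sudoedit one, as an added example that is not from the original post or from OSSEC itself: correlate each syscheck alert with the `upgrade` entries in dpkg.log for the package that owns the changed file, so alerts explained by a package update are labelled separately from ones that are not. The alert tuples, the dpkg.log lines and the file-to-package map below are all constructed for the example; on a real host the map would come from `dpkg -S <path>`, and the window is generous because syscheck scans run periodically rather than at change time.

```python
"""Label OSSEC syscheck alerts whose file was changed by a package upgrade."""
import re
from datetime import datetime, timedelta

# Constructed sample alerts: (alert time, file path) as taken from alerts.log.
SYSCHECK_ALERTS = [
    ("2024-03-04 06:15:02", "/usr/bin/sudoedit"),
    ("2024-03-04 22:41:17", "/usr/bin/ssh"),
]

# Constructed dpkg.log excerpt in the real "<date> <time> upgrade pkg:arch old new" shape.
DPKG_LOG = """\
2024-03-04 06:02:11 startup packages configure
2024-03-04 06:02:14 upgrade sudo:amd64 1.9.13p3-1 1.9.13p3-2
2024-03-04 06:02:15 status unpacked sudo:amd64 1.9.13p3-2
2024-03-04 06:02:19 upgrade libc6:amd64 2.36-9 2.36-9+deb12u4
"""

# Constructed file-to-package map (hypothetical); real data comes from `dpkg -S`.
FILE_OWNER = {"/usr/bin/sudoedit": "sudo", "/usr/bin/ssh": "openssh-client"}

UPGRADE_RE = re.compile(r"^(\S+ \S+) upgrade ([^:\s]+):\S+ \S+ \S+$")
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_upgrades(log_text):
    """Return {package: [upgrade datetime, ...]} from dpkg.log text."""
    upgrades = {}
    for line in log_text.splitlines():
        m = UPGRADE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), TS_FMT)
            upgrades.setdefault(m.group(2), []).append(ts)
    return upgrades


def classify(alerts, upgrades, owner, window=timedelta(hours=24)):
    """Label each alert 'package-update' when the owning package was upgraded
    within `window` before the alert, otherwise 'review' (no benign cause found)."""
    labelled = []
    for ts_text, path in alerts:
        ts = datetime.strptime(ts_text, TS_FMT)
        pkg = owner.get(path)  # None for files no package owns
        recent = [u for u in upgrades.get(pkg, []) if timedelta(0) <= ts - u <= window]
        labelled.append((path, "package-update" if recent else "review"))
    return labelled


if __name__ == "__main__":
    for path, label in classify(SYSCHECK_ALERTS, parse_upgrades(DPKG_LOG), FILE_OWNER):
        print(f"{label:15} {path}")
```

Alerts labelled `review` are the ones worth a human look; the `package-update` ones can still be kept as a change log without paging anyone.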