On Fri, Mar 21, 2014 at 12:57 PM, Jason Frisvold <[email protected]> wrote:
> Michael Starks wrote:
>> OSSEC should be useful out of the box. It should ship with a default
>> ruleset like AV ships with DATs that are current at that time, then
>> updates as new rules are written or updated.
>
> I think the analogy you use is only partially true, though. Because of
> how OSSEC currently works, there are problems with having all of the
> decoders and rules active at the same time. Some logs look just like
> others, even though they need to be treated differently.
>
> I would propose that the only default ruleset that OSSEC should have out
> of the box is a minimalistic one that only covers very basic, widely
> used services. So in such a model, I'd have a ruleset that covers a
> basic, minimalistic linux install without having rules for various ftp
> servers, web servers, etc.

Which rules do you propose exactly?

> --
> ---------------------------
> Jason 'XenoPhage' Frisvold
> [email protected]
> ---------------------------
>
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
