On 2014-07-31 9:43, Luc Paulin wrote:
Hi Everyone,
I am currently setting up OSSEC due to PCI requirement. Most of
everything is now fully setup, but now I have a question
How do you handle alerts generated by the system ? I mean as per PCI my
understanding is that we must "prove" that for each alert generated,
we must have a way of proving that this was corrected, either say
that it was a false alarm, or the issue is minor and does not affect
the security.
I'm not aware of that requirement in the DSS. Could you please
reference? My experience has been that you simply need to show that you
are being alerted to issues and taking action on them in some reasonable
way. This doesn't mean that every alert an IDS generates has to be
tracked. What I do is have alerts sent to a ticketing system for the
important, low false-positive stuff (e.g. Administrators group changed)
and then make a judgement call on everything else. Be very careful with
this as something like a Nessus scan could result in 1000 opened
tickets, so you really must use caution.
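One way to implement the routing described in this reply, as an added example (not code from the thread or from OSSEC): parse OSSEC's plain alerts.log layout, open a ticket only for an allowlist of high-signal rules, and collapse repeated hits of the same rule from the same agent so a scan cannot open a thousand tickets. The rule IDs, the allowlist and the sample alerts are constructed.

```python
import re
from collections import defaultdict
# Added example, not from the thread: parses OSSEC's plain alerts.log layout and
# routes by a hypothetical rule allowlist (constructed IDs in the local-rules range).
ALERT_RE = re.compile(
    r"\*\* Alert (?P<ts>\d+)\.\d+: .*?- (?P<groups>.*),\n(?P<where>[^\n]*)\n"
    r"Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>[^']*)'")
TICKET_RULES = {100010}       # hypothetical: e.g. "Administrators group changed"
BURST_LIMIT, WINDOW = 3, 60   # collapse the 3rd+ hit of one rule/agent within 60 s

def fmt(ts, agent, rule, level, desc, groups="local,"):
    """Build one constructed alert in alerts.log layout (agent form)."""
    return (f"** Alert {ts}.0: - {groups}\n2014 Jul 31 09:43:20 ({agent}) "
            f"10.0.0.5->WinEvtLog\nRule: {rule} (level {level}) -> '{desc}'\n\n")

SAMPLE = "".join(fmt(*x) for x in [          # constructed data
    (1406813000, "dc01", 100010, 10, "Administrators group changed"),
    (1406813002, "www1", 100020, 5, "Web 404 error"),
    (1406813010, "www1", 100010, 10, "Administrators group changed"),
    (1406813011, "www1", 100010, 10, "Administrators group changed"),
    (1406813012, "www1", 100010, 10, "Administrators group changed"),
    (1406813013, "www1", 100010, 10, "Administrators group changed")])

def parse_alerts(text):
    """Return one dict per alert; agent name comes from '(name)' on the 2nd line."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        agent = re.search(r"\(([^)]+)\)", m.group("where"))
        alerts.append({"ts": int(m.group("ts")), "rule": int(m.group("rule")),
                       "level": int(m.group("level")), "desc": m.group("desc"),
                       "agent": agent.group(1) if agent else m.group("where").split("->")[0],
                       "groups": [g for g in m.group("groups").split(",") if g]})
    return alerts

def route(alerts):
    """Ticket only allowlisted rules; collapse bursts so a scan cannot open 1000 tickets."""
    tickets, log_only, seen = [], [], defaultdict(list)
    for a in sorted(alerts, key=lambda x: x["ts"]):
        if a["rule"] not in TICKET_RULES:
            log_only.append(a)            # keep for review, no ticket
            continue
        key = (a["rule"], a["agent"])
        seen[key] = [t for t in seen[key] if a["ts"] - t < WINDOW] + [a["ts"]]
        hits = len(seen[key])
        if hits < BURST_LIMIT:
            tickets.append(dict(a, summary=f"{a['desc']} on {a['agent']}"))
        elif hits == BURST_LIMIT:         # one summary ticket, then silence
            tickets.append(dict(a, summary=f"burst: rule {a['rule']} on {a['agent']}, {hits}+ hits in {WINDOW}s"))
    return tickets, log_only
```

On the constructed sample this yields four tickets (one for dc01, two for www1, then a single burst summary) and one log-only entry for the non-allowlisted web rule.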