On Mon, Apr 20, 2015 at 11:28 AM, Brent Morris <[email protected]> wrote:
> I'll take a shot at answering this...
>
> 1. How long do you think it will take to run up the OSSEC installation on 1
> VM and get 15-20 network components configured?
>
> This depends entirely on your approach.  Installing a Linux distribution and
> installing OSSEC won't take you very long at all.  There's also an OVA virtual
> appliance download as well if you use VirtualBox.  If you use VMWare or
> other... it will require some conversion and cost you more time than just
> installing Linux and OSSEC separately.  Installing Linux would be maybe an
> hour?  The OSSEC install is pretty fast!!!  Maybe several minutes for that
> piece... :)
>
> I would take it one step at a time.  Get OSSEC installed and running.. then
> add a client or two.
>
      And then create issues on those (test) clients for ossec to
find. Like hammer its ssh port or replace a binary. You want to get
used to how it does its thing before spreading it all over the
place.

> 2. How skilled does somebody need to be to do the work, do they need
> specialist knowledge or is it all pretty standard stuff?
>
> It looks like you have some Linux already running.  General knowledge of
> Linux is very helpful...  editing text files, running binaries and scripts,
> basic understanding of IP protocols, syslog, etc.  Critical thinking,
> general troubleshooting, and Internet research skills are also very helpful
> as well...  If you have Windows in your environment, then Active Directory
> and/or Group Policy knowledge is also desirable.
>
> 3. If we got in a pro who had setup tools like OSSEC before, how long should
> it take them?
>
> That entirely depends on your environment and what you want to monitor.  If
> you could take a moment to describe your general environment and goals, then
> someone could take a better shot at answering this question.
>
      I agree completely. If you are not sure about what you want to
monitor, it will take a bit of time to get it right. If you have an
idea of what you want to start monitoring, and run something like
puppet/chef/ansible, you can get it deployed rather quickly. Still, I
would test it first on a few machines before going to production.

> 4. Do you know how many threat signatures are provided out of the box? Like
> how many scenarios are pre-packaged for event monitoring?
>
> Threat signatures would be a somewhat inaccurate term here...  OSSEC uses
> log decodes and rules as its basis for decision making.  It does have
> "rootkit" detection and does monitor clients for changes to key areas of a
> given operating system.  But basically, there are two primary ways OSSEC
> uses to monitor systems.  Client/Manager or syslog.  So if your device can't
> run the OSSEC client but can send logs via syslog, then OSSEC has the
> ability to monitor those logs (caveat: you might have to write your own
> decodes and rules if they don't already exist).  OSSEC does have the ability
> built-in to analyze many popular platforms.
>
> HTH!
>
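Brent's point 4 (syslog-only devices may need your own decoders and rules) and the advice above to create test events on a pilot client before rolling out are easier to follow with a concrete pair of files in hand. The following is an added example, not something from this thread or from the OSSEC project: the `acme-fw` program name, the `DENY src=... dst=... proto=... dport=...` log line layout, and rule ids 100100/100101 are all constructed for illustration (local rule ids must fall in the 100000-119999 range reserved for custom rules). The decoder extracts fields from the device's syslog line; the first rule fires on every deny, and the second correlates ten denies from one source address within 60 seconds, which is exactly the kind of "hammer its port on a test box and see what OSSEC says" check worth running before deploying to all 15-20 devices.

```xml
<!-- /var/ossec/etc/local_decoder.xml (added example; log format is constructed)
     Sample syslog line this decoder is written for:
     Apr 20 11:28:01 edge-fw-1 acme-fw: DENY src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=22
-->
<decoder name="acme-fw">
  <!-- parent decoder: claims any line whose syslog program name is acme-fw -->
  <program_name>^acme-fw</program_name>
</decoder>

<decoder name="acme-fw-deny">
  <parent>acme-fw</parent>
  <!-- only the DENY lines carry the fields we care about -->
  <prematch>^DENY </prematch>
  <!-- capture groups are mapped, in order, onto the OSSEC fields listed in <order> -->
  <regex offset="after_prematch">src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)</regex>
  <order>srcip, dstip, protocol, dstport</order>
</decoder>

<!-- /var/ossec/etc/local_rules.xml (added example) -->
<group name="local,acme-fw,">
  <!-- level 3: informational, one alert per denied connection once decoded -->
  <rule id="100100" level="3">
    <decoded_as>acme-fw</decoded_as>
    <match>DENY</match>
    <description>acme-fw: connection denied by firewall policy.</description>
  </rule>

  <!-- level 10: ten denies from the same source IP inside 60 seconds -->
  <rule id="100101" level="10" frequency="10" timeframe="60">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>acme-fw: repeated denied connections from one source (possible scan).</description>
  </rule>
</group>
```

To check the decoder and rules without touching production, paste the sample line into `/var/ossec/bin/ossec-logtest` on the manager; it prints which decoder matched, the extracted `srcip`/`dstip`/`dstport` fields, and the rule id and level that would alert. Feeding it the same line more than ten times in a minute should escalate from rule 100100 to 100101, which confirms the correlation works before any real device is pointed at the manager.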
