Thanks Brent and Mauricio for getting back to me. Your thoughts and comments are really helpful.
Brent, you asked what events I would like to monitor in #3. I want to know if there is a hacker trying to get into my environment or has succeeded in getting in. So I want an email saying "hey GM, hackers ahoy!!".

Regarding the log decodes and rules that are used for decision making (threat signatures):

- How sophisticated are they? For example, can it pick up ShellShock or other known vulnerabilities, or attacks such as brute force attacks on a login page?
- Is there a community producing them? Where is the community, is there a GitHub project or something where the log decodes and rules reside?
- Are there lots of false positives generated, sending you on a wild goose chase?

Thanks again,
GM

On Tuesday, April 21, 2015 at 4:01:04 AM UTC+12, Mauricio wrote:
>
> On Mon, Apr 20, 2015 at 11:28 AM, Brent Morris <[email protected]> wrote:
> > I'll take a shot at answering this...
> >
> > 1. How long do you think it will take to run up the OSSEC installation on 1 VM and get 15-20 network components configured?
> >
> > This depends entirely on your approach. Install a Linux distribution and install OSSEC won't take you very long at all. There's also an OVA virtual appliance download as well if you use VirtualBox. If you use VMWare or other... it will require some conversion and cost you more time than just installing Linux and OSSEC separately. Installing Linux would be maybe an hour? The OSSEC install is pretty fast!!! Maybe several minutes for that piece... :)
> >
> > I would take it one step at a time. Get OSSEC installed and running.. then add a client or two.
>
> And then create issues on those (test) clients for OSSEC to find. Like hammer its ssh port or replace a binary. You want to get used to how it does its thing before spreading it all over the place.
>
> > 2. How skilled does somebody need to be to do the work, do they need specialist knowledge or is it all pretty standard stuff?
> >
> > It looks like you have some Linux already running. General knowledge of Linux is very helpful... editing text files, running binaries and scripts, basic understanding of IP protocols, syslog, etc. Critical thinking, general troubleshooting, and Internet research skills are also very helpful as well... If you have Windows in your environment, then Active Directory and/or Group Policy knowledge is also desirable.
> >
> > 3. If we got in a pro who had set up tools like OSSEC before, how long should it take them?
> >
> > That entirely depends on your environment and what you want to monitor. If you could take a moment to describe your general environment and goals, then someone could take a better shot at answering this question.
>
> I agree completely. If you are not sure about what you want to monitor, it will take a bit of time to get it right. If you have an idea of what you want to start monitoring, and run something like puppet/chef/ansible, you can get it deployed rather quickly. Still, I would test it first on a few machines before going production.
>
> > 4. Do you know how many threat signatures are provided out of the box? Like how many scenarios are pre-packaged for event monitoring?
> >
> > Threat signatures would be a somewhat inaccurate term here... OSSEC uses log decodes and rules as its basis for decision making. It does have "rootkit" detection and does monitor clients for changes to key areas of a given operating system. But basically, there are two primary ways OSSEC uses to monitor systems. Client/Manager or syslog. So if your device can't run the OSSEC client but can send logs via syslog, then OSSEC has the ability to monitor those logs (caveat: you might have to write your own decodes and rules if they don't already exist). OSSEC does have the ability built-in to analyze many popular platforms.
> >
> > HTH!
>
> --

---
You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
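As an added illustration of Brent's "write your own decodes and rules" point and of the brute-force-on-a-login-page question (this is not from the thread and not part of OSSEC's shipped rule set): a local decoder plus two local rules for a hypothetical application that logs failed logins via syslog. The program name `webapp`, the log format, and the rule IDs are assumptions; 100000-119999 is the ID range OSSEC reserves for local rules, and level 10 is above the default email alert level of 7, so the correlated rule produces the email GM is after.

```xml
<!-- local_decoder.xml -->
<!-- Constructed sample line the decoder is written for:
     "Apr 21 04:01:04 web1 webapp: login failed user=alice src=203.0.113.7"
     OSSEC's syslog pre-decoder strips the timestamp/host and sets
     program_name to "webapp"; the prematch and regex see the remainder. -->
<decoder name="webapp-login">
  <program_name>^webapp$</program_name>
  <prematch>^login failed </prematch>
  <!-- capture groups are mapped, in order, to the fields listed in <order> -->
  <regex offset="after_prematch">^user=(\S+) src=(\d+.\d+.\d+.\d+)</regex>
  <order>user, srcip</order>
</decoder>

<!-- local_rules.xml -->
<group name="local,webapp,">
  <!-- One failed login: low level, so it is recorded but does not email by itself -->
  <rule id="100100" level="5">
    <decoded_as>webapp-login</decoded_as>
    <description>Web application login failure.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Brute force: 8 failures from the same source IP within 120 seconds.
       frequency and timeframe are the tuning knobs; set them too low and a
       user who mistypes a password a few times becomes a false positive. -->
  <rule id="100101" level="10" frequency="8" timeframe="120">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>Web application brute force: repeated login failures from the same source.</description>
    <group>authentication_failures,</group>
  </rule>
</group>
```

Feed the sample line to `ossec-logtest` on the manager to confirm the decoder extracts `user` and `srcip` and that rule 100100 fires; eight such lines from one source within the timeframe then raise 100101.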
