I think the guys responding so far are SUPER sharp with OSSEC so it 
probably comes very easily to them.  I was completely new to the software 3 
weeks ago so the learning curve has been steeper.  I'd HIGHLY recommend 
grabbing a copy of Brad Lhotsky's book "OSSEC Host-based Intrusion 
Detection" as it holds your hand and steps you through setting up each 
component.  I wish I'd started here.  The website documentation is good for 
looking up stuff, but IMHO not great for getting a new user up and running.

Depending on the 'expert' I would say it's reasonable for that person to 
get everything configured within a day.  Looking back at the stuff I've 
done over the last 3 weeks, I could now replicate the work in just a couple 
hours.  The software is amazing and has a LOT of depth to what it can do.
You could configure and tune it pretty much infinitely.

Regarding false positives, I'd say that one of the strengths of the 
software is the ability to tune out the false positives.  For example if 
you're monitoring a certain directory for file changes and a specific file 
gets changed a lot, OSSEC will automatically squash alerts after (I think) 
the 3rd time unless you specifically tell it you WANT to get all the alerts.

That's been the biggest challenge for me.  It works out of the box just 
fine, but as there are SOOOO many things you can do with it, the tuning 
takes the time.  Just installing the software is only a few minutes' work.
Even deploying to clients and exchanging keys and all should take you
under an hour to get it all "running".

-Rick

On Tuesday, April 21, 2015 at 8:16:14 PM UTC-7, gaucmuxb wrote:
>
> Thanks Brent and Mauricio for getting back to me. Your thoughts and 
> comments are really helpful.
>
> Brent, you asked what events I would like to monitor in #3. I want to know 
> if there is a hacker trying to get into my environment or has succeeded in 
> getting in. So I want an email saying "hey GM, hackers ahoy!!".
>
> Regarding the log decodes and rules that are used for decision making 
> (threat signatures):
> - How sophisticated are they? For example, can it pick up Shellshock or 
> other known vulnerabilities, or attacks such as brute force attacks on a 
> login page?
> - Is there a community producing them? Where is the community, is there a 
> GitHub project or something where the log decodes and rules reside?
> - Are there lots of false positives generated, sending you on a wild goose 
> chase?
>
> Thanks again, GM
>
>
> On Tuesday, April 21, 2015 at 4:01:04 AM UTC+12, Mauricio wrote:
>>
>> On Mon, Apr 20, 2015 at 11:28 AM, Brent Morris <[email protected]> wrote:
>> > I'll take a shot at answering this...
>> >
>> > 1. How long do you think it will take to run up the OSSEC installation on 1
>> > VM and get 15-20 network components configured?
>> >
>> > This depends entirely on your approach.  Installing a Linux distribution and
>> > installing OSSEC won't take you very long at all.  There's also an OVA virtual
>> > appliance download as well if you use VirtualBox.  If you use VMWare or
>> > other... it will require some conversion and cost you more time than just
>> > installing Linux and OSSEC separately.  Installing Linux would be maybe an
>> > hour?  The OSSEC install is pretty fast!!!  Maybe several minutes for that
>> > piece... :)
>> >
>> > I would take it one step at a time.  Get OSSEC installed and running.. then
>> > add a client or two.
>> >
>>       And then create issues on those (test) clients for ossec to
>> find. Like hammer its ssh port or replace a binary. You want to get
>> used to how it does its thing before spreading it all over the
>> place.
>>
>> > 2. How skilled does somebody need to be to do the work, do they need
>> > specialist knowledge or is it all pretty standard stuff?
>> >
>> > It looks like you have some Linux already running.  General knowledge of
>> > Linux is very helpful...  editing text files, running binaries and scripts,
>> > basic understanding of IP protocols, syslog, etc.  Critical thinking,
>> > general troubleshooting, and Internet research skills are also very helpful
>> > as well...  If you have Windows in your environment, then Active Directory
>> > and/or Group Policy knowledge is also desirable.
>> >
>> > 3. If we got in a pro who had set up tools like OSSEC before, how long should
>> > it take them?
>> >
>> > That entirely depends on your environment and what you want to monitor.  If
>> > you could take a moment to describe your general environment and goals, then
>> > someone could take a better shot at answering this question.
>> >
>>       I agree completely. If you are not sure about what you want to
>> monitor, it will take a bit of time to get it right. If you have an
>> idea of what you want to start monitoring, and run something like
>> puppet/chef/ansible, you can get it deployed rather quickly. Still, I
>> would test it first on a few machines before going production.
>>
>> > 4. Do you know how many threat signatures are provided out of the box? Like
>> > how many scenarios are pre-packaged for event monitoring?
>> >
>> > Threat signatures would be a somewhat inaccurate term here...  OSSEC uses
>> > log decodes and rules as its basis for decision making.  It does have
>> > "rootkit" detection and does monitor clients for changes to key areas of a
>> > given operating system.  But basically, there are two primary ways OSSEC
>> > uses to monitor systems.  Client/Manager or syslog.  So if your device can't
>> > run the OSSEC client but can send logs via syslog, then OSSEC has the
>> > ability to monitor those logs (caveat: you might have to write your own
>> > decodes and rules if they don't already exist).  OSSEC does have the ability
>> > built-in to analyze many popular platforms.
>> >
>> > HTH!
>> >
>>
>
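Rick's point about tuning out false positives and Brent's point that OSSEC decides on decoders and rules both end up in the same place, `rules/local_rules.xml`. The snippet below is an added example, not from anyone in this thread: it silences stock rule 550 (integrity checksum changed) for one constructed cache path, and re-raises stock rule 5712 (SSHD brute force, which fires after repeated rule 5716 authentication failures from one source) so that GM's "hackers ahoy" mail always goes out. The file paths and the 100xxx rule ids are made up for the example.

```xml
<!-- rules/local_rules.xml: added example, not from this thread.
     Paths and rule ids below are constructed for illustration. -->

<group name="local,syscheck,">
  <!-- Rick's tuning case: one path under a monitored directory changes all the
       time. Rule 550 is OSSEC's stock "Integrity checksum changed" alert;
       overriding it at level 0 for this path drops only those alerts and
       leaves the rest of syscheck untouched. -->
  <rule id="100100" level="0">
    <if_sid>550</if_sid>
    <match>/var/www/app/cache/</match>
    <description>Ignore checksum changes under the application cache directory.</description>
  </rule>
</group>

<group name="local,syslog,sshd,">
  <!-- GM's "hackers ahoy" email: stock rule 5712 fires once sshd has logged
       repeated authentication failures from the same source. Re-raise it to
       level 12 and force a mail, independent of email_alert_level in ossec.conf. -->
  <rule id="100200" level="12">
    <if_sid>5712</if_sid>
    <options>alert_by_email</options>
    <description>SSHD brute force attempt, escalated so it always mails the admin.</description>
  </rule>
</group>
```

Ids from 100000 upward are reserved for local rules, so they never collide with OSSEC's shipped rule files. Check a rule against a pasted sample line with `/var/ossec/bin/ossec-logtest` before restarting with `/var/ossec/bin/ossec-control restart`.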
