Thanks Yana. I guess I should have mentioned I took a look at those settings and read the docs and that I'm sort of seeing this as a UX problem. Right now, I think the default UX of the syscheck module is bad enough (many false positives leading to ignored true positives) that the syscheck module isn't all that useful — which is truly a shame!
What I was thinking about was some way to:

1. Stop false positives (maybe by integrating with updating software somehow? Maybe by disabling emails in OSSEC during the daily update scripts? I'm surprised there aren't some recipes here.)
2. Keep true positives (maybe stop ignoring alerts after the third time except on a few boring files? Or maybe stopping false positives is all that's needed to make this OK?)

Has any thought been put into this area? Seems really important to making the syscheck module trustworthy and useful instead of ignored and self-ignoring.

Thanks for everything,

Mike

On Mon, Feb 22, 2021 at 4:41 AM Yana Zaeva <yana.za...@wazuh.com> wrote:

> Hi Mike,
>
> The *syscheck* module can be kind of noisy, especially when you have loads of agents registered. However, you can play with the rules a little bit in order to adapt this module to your necessities and be alerted of the events that are of greater importance for you. You can ignore some files that you know change quite a lot and monitor in realtime the ones that do not.
>
> Also, if you are concerned about not being alerted when the file was changed more than three times, you can change this option by changing *<auto_ignore>yes</auto_ignore>* to *<auto_ignore>no</auto_ignore>*. If you are unable to find this option in the *<syscheck>* module, add it, as this option is set to *yes* by default.
>
> I will leave you some information about File Integrity Monitoring for further information:
> - Syscheck configuration options:
> https://www.ossec.net/docs/manual/syscheck/index.html
> - How syscheck works:
> https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/how-it-works.html
>
> Let me know if you have any doubts.
> Regards,
> Yana.
>
> On Friday, February 19, 2021 at 8:20:55 PM UTC+1 mi...@free.law wrote:
>
>> I'm looking for advice about improving the signal/noise ratio for syscheck alerts. I just installed OSSEC and I'm loving it, but I know that if I can't improve the signal to noise ratio of syscheck, I'll have to turn it off.
>>
>> As an example, yesterday I got an alert that sudoedit had changed. This is definitely from an OS update, and all the other alerts I've gotten from syscheck have been too. I know I'm going to start ignoring these alerts. At the same time, even if I'm vigilant, I'm concerned that once the OS updates this file three times, it'll auto-ignore itself, effectively disabling the system. Maybe that's OK, but it seems bad.
>>
>> I want to pay attention to syscheck alerts, I think they're an important part of OSSEC (maybe not?), but I won't pay attention for long with this level of noise. How do folks deal with this so that it's a useful feature they don't just ignore in practice? Maybe the idea is to just keep a log of the changes and rely on other things to alert you of an intruder?
>>
>> Mike
>
> --
> You received this message because you are subscribed to a topic in the Google Groups "ossec-list" group.
> To unsubscribe from this topic, visit https://groups.google.com/d/topic/ossec-list/9WdcRoc4kto/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to ossec-list+unsubscr...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/163d61fb-9fa3-48e3-8c0b-ef3b8827f27cn%40googlegroups.com.

--
Mike Lissner
Executive Director
Free Law Project
https://free.law

To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/CAKs1xOHT1mPFFyZwyZTKwP4oZxkfZ9kBm%3DDu5b1nKZbx%3DThEeA%40mail.gmail.com.
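One way to approach the first point raised in the thread (tying syscheck alerts to what the update tooling actually did) is sketched below. This is an added example, not code from the thread, from OSSEC or from Wazuh. The syscheck alert records, the dpkg.log excerpt and the path-to-package table (which stands in for a `dpkg -S` lookup so the script runs offline) are all constructed; only the dpkg.log line format is the real one.

```python
"""Triage OSSEC syscheck alerts against the package manager's own log.

A change to a package-owned file is marked "expected" only when the owning
package was (re)installed within a short window of the change; everything
else stays on the review pile. All sample data below is constructed.
"""
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed syscheck alerts as (change time, changed path). Not real alert output.
SYSCHECK_ALERTS = [
    ("2021-02-18 06:31:02", "/usr/bin/sudoedit"),    # during an apt run
    ("2021-02-18 06:31:05", "/usr/bin/sudo"),        # during the same apt run
    ("2021-02-19 23:12:44", "/usr/bin/sudoedit"),    # no install anywhere near this
    ("2021-02-19 23:12:50", "/etc/ssh/sshd_config"), # owning package never touched
]

# Constructed /var/log/dpkg.log excerpt (real line format, invented values).
DPKG_LOG = """\
2021-02-18 06:30:40 status half-installed sudo:amd64 1.8.31-1ubuntu1.1
2021-02-18 06:30:58 status installed sudo:amd64 1.8.31-1ubuntu1.2
2021-02-18 06:31:10 status installed libc6:amd64 2.31-0ubuntu9.2
"""

# Constructed stand-in for `dpkg -S <path>` lookups so the script runs offline.
PATH_TO_PACKAGE = {
    "/usr/bin/sudoedit": "sudo",
    "/usr/bin/sudo": "sudo",
    "/etc/ssh/sshd_config": "openssh-server",
}


def parse_installed(log_text):
    """Map package name -> list of 'status installed' timestamps from dpkg.log text."""
    installed = {}
    for line in log_text.splitlines():
        parts = line.split()
        # dpkg.log: "<date> <time> status <state> <pkg>[:<arch>] <version>"
        if len(parts) < 6 or parts[2] != "status" or parts[3] != "installed":
            continue
        when = datetime.strptime(f"{parts[0]} {parts[1]}", TS_FMT)
        pkg = parts[4].split(":", 1)[0]  # drop the architecture qualifier
        installed.setdefault(pkg, []).append(when)
    return installed


def triage(alerts, installed, path_to_pkg, window=timedelta(minutes=10)):
    """Return (time, path, verdict, reason) per alert; verdict is 'expected' or 'review'."""
    results = []
    for ts, path in alerts:
        changed = datetime.strptime(ts, TS_FMT)
        pkg = path_to_pkg.get(path)
        verdict, reason = "review", "file is not owned by any package"
        if pkg is not None:
            reason = f"{pkg} was not installed within {window} of the change"
            for when in installed.get(pkg, []):
                if abs(changed - when) <= window:
                    verdict = "expected"
                    reason = f"{pkg} installed at {when:{TS_FMT}}"
                    break
        results.append((ts, path, verdict, reason))
    return results


def verdicts(alerts=SYSCHECK_ALERTS, log_text=DPKG_LOG, path_to_pkg=PATH_TO_PACKAGE):
    """Just the verdict per alert, in input order."""
    return [r[2] for r in triage(alerts, parse_installed(log_text), path_to_pkg)]


if __name__ == "__main__":
    rows = triage(SYSCHECK_ALERTS, parse_installed(DPKG_LOG), PATH_TO_PACKAGE)
    for ts, path, verdict, reason in rows:
        print(f"{ts}  {verdict:8}  {path}  ({reason})")
```

This is deliberately narrower than turning off auto_ignore or adding a blanket ignore for the file: only a change that coincides with an install of the owning package is downgraded, and a change to the same sudoedit binary at any other time stays on the review pile. Timing alone does not prove the new content came from the package, so a stronger follow-up check is to compare the file against the package's recorded checksums (`dpkg -V`) before trusting the "expected" verdict.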