We've certainly seen it. Can be a bit noisy in a production *nix environment. A 
lot of times we isolate this to say "PCI" systems or other compliance 
targets... 

With that said, it's also interesting seeing those backup jobs running as root, 
or better yet seeing the backup jobs failing as root (i.e. not running). Then 
running a report that shows that happening every night for the past month (doh!)

I miss Squire... :)

- Joe

P.S. Who's not a lurker!  (that'd be me..)

Joe Magee
Chief Technology Officer
Cell +1-617-921-8671
Office +1-201-324-1800 x202
 
securing and enabling dynamic business
www.thevigilant.com

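Both points above (a service account launching a capture tool in the small hours, and a root backup job that has quietly failed for nights on end) are the kind of thing a SIM can pull out of process-accounting data once it is parsed. The following is an added example, not code from either poster; the tab-separated record layout (timestamp, user, command, exit status), the account names and the quiet-hours window are all assumptions for illustration.

```python
"""Triage of process-accounting records exported to a SIM (added example)."""
from datetime import datetime

# Constructed sample records, not real data. Assumed layout:
# ISO timestamp <TAB> user <TAB> command <TAB> exit status
RECORDS = """\
2009-08-17T01:00:02\troot\tbackup.sh\t2
2009-08-17T09:12:40\twww\thttpd\t0
2009-08-18T01:00:01\troot\tbackup.sh\t2
2009-08-18T02:00:13\twww\ttcpdump\t0
2009-08-18T14:30:00\tjoe\tvim\t0
2009-08-19T01:00:03\troot\tbackup.sh\t2
"""

SERVICE_ACCOUNTS = {"www", "apache", "nobody"}  # assumed local account names
CAPTURE_TOOLS = {"tcpdump", "tshark"}           # a web-server account never needs these
QUIET_HOURS = range(0, 6)                       # assumed policy window: 00:00-05:59


def parse(text):
    """Turn the raw export into (datetime, user, command, exit_status) tuples."""
    rows = []
    for line in text.splitlines():
        ts, user, cmd, status = line.split("\t")
        rows.append((datetime.fromisoformat(ts), user, cmd, int(status)))
    return rows


def service_account_alerts(rows):
    """Service account running a capture tool, or running anything in quiet hours."""
    return [(ts, user, cmd) for ts, user, cmd, _ in rows
            if user in SERVICE_ACCOUNTS
            and (cmd in CAPTURE_TOOLS or ts.hour in QUIET_HOURS)]


def failing_root_jobs(rows, job, min_days=3):
    """Dates on which `job` ran as root and exited non-zero; empty unless
    the failures reach min_days, so a single bad night does not page anyone."""
    days = sorted({ts.date() for ts, user, cmd, status in rows
                   if user == "root" and cmd == job and status != 0})
    return days if len(days) >= min_days else []


if __name__ == "__main__":
    rows = parse(RECORDS)
    for alert in service_account_alerts(rows):
        print("service account anomaly:", *alert)
    for day in failing_root_jobs(rows, "backup.sh"):
        print("backup.sh failed as root on", day)
```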

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Ron Gula
Sent: Tuesday, August 18, 2009 10:22 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] HIDS advice?

I'm curious how many people enable process accounting on UNIX or Windows
and feed these to their SIM? When you start seeing tcpdump being run by
user 'www' at 2:00 am, things can get interesting.

Ron

Christopher Rimondi wrote:
> I have used OSSEC for the past three years and believe it is an
> excellent IDS.  The rule set is expansive and flexible.  It also
> encrypts all communication between the agents and the server.  Also,
> check out the WUI.  It has got pretty decent search functionality.  Not
> on the order of Splunk but, it gets the job done.
> 
> Thanks,
> 
> Chris Rimondi
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com


-- 
Ron Gula, CEO
Tenable Network Security


_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com