[ossec-list] Re: OSSEC large scale deployment

2012-05-14 Thread MDACC-Luckie
Sakka: We have deployed to 600 servers, have modified rules and severity levels to meet the requirements of our environment and with the exception of a few minor (but workable) issues, all seems to be good.

[ossec-list] Re: OSSEC large scale deployment

2012-05-14 Thread MDACC-Luckie
Nate: We are split 50/50 between Windows and Redhat. I wrote some crude scripts to push the installation media along with the preconfigured ossec.conf files for each O/S out to each of our 600 boxes. Although there are numerous ways I have seen (on the Linux side especially) to do an automated

[ossec-list] Re: OSSEC large scale deployment

2012-05-14 Thread Tate Hansen
We have one install growing fast and currently running ~3300 agents (single dedicated OSSEC server). Things we did that helped: - use ossec-authd (http://www.ossec.net/doc/programs/ossec-authd.html) - increase maximum # of agents + system limits (per instruction at the bottom of http://www.oss

[ossec-list] Re: OSSEC large scale deployment

2012-05-14 Thread MDACC-Luckie
It really wasn't. We could have deployed relatively easy using some of the tools at our disposal but opted to go the manual route just for "peace of mind" purposes. Our servers are high profile and provide application support to our 25k employees so we felt it was better to deploy individually ra

RE: [ossec-list] Re: OSSEC large scale deployment

2012-05-14 Thread Sanders, Nate
: [ossec-list] Re: OSSEC large scale deployment Sakka: We have deployed to 600 servers, have modified rules and severity levels to meet the requirements of our environment and with the exception of a few minor (but workable) issues, all seems to be good.

RE: [ossec-list] Re: OSSEC large scale deployment

2012-05-14 Thread Sanders, Nate
Major pain in the butt, got it. That's about what we're seeing. -Original Message- From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of MDACC-Luckie Sent: Monday, May 14, 2012 10:30 AM To: ossec-list Subject: [ossec-list] Re: OSSEC large scale

Re: [ossec-list] Re: OSSEC large scale deployment

2012-05-14 Thread Zate
How did you deal with the windows event ID issue in the rules? Some of the ways the events are grouped do not make sense. It's not using the sub event ID as far as I can tell so it is lumping alerts of differing kinds together. This was something we found when putting the alerts into splunk, thin

Re: [ossec-list] Re: OSSEC large scale deployment

2012-05-16 Thread Michael Starks
On 05/14/2012 11:26 AM, Zate wrote: How did you deal with the windows event ID issue in the rules? Some of the ways the events are grouped do not make sense. It's not using the sub event ID as far as I can tell so it is lumping alerts of differing kinds together. This was something we found whe

Re: [ossec-list] Re: OSSEC large scale deployment

2012-05-17 Thread Zate
Sure thing. Take "Windows DC Logon Failure": it has a bunch of IDs associated, one of them is 4769. That ID is "A Kerberos ticket was requested", but has a bunch of result codes, most of which we don't care about. http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=

Re: [ossec-list] Re: OSSEC large scale deployment

2012-05-17 Thread Michael Starks
On 05/16/2012 11:49 PM, Zate wrote: So the rule is classifying anything that is 4769 as Windows DC Logon Failure. Even that is too generic. Was it bad password? Bad username? Something else? Ideally I'd like to lump all the bad password codes/sub codes together. I don't remember if I wr

Re: [ossec-list] Re: OSSEC large scale deployment

2012-05-17 Thread Zate
Thanks for the replies, Michael. We are going to leave the decoder as is and just customize/regroup the events I think and then do some post-filtering in Splunk to weed out anything else that we can't tune out in rules. Got an example of the sub rule matching you mentioned? Thanks. Zate On Thu,

RE: [ossec-list] Re: OSSEC large scale deployment

2012-05-18 Thread Sanders, Nate
> You don't necessarily need a sub-decoder to do that. You can just write > a subordinate rule that matches on the failure code string in the event. > Decoders are only needed when you want to extract a specific part of the > log and match it up with a specific tag for correlation purposes. Hel

RE: [ossec-list] Re: OSSEC large scale deployment

2012-05-18 Thread Sanders, Nate
egroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Sanders, Nate Sent: Friday, May 18, 2012 11:21 AM To: ossec-list@googlegroups.com Subject: RE: [ossec-list] Re: OSSEC large scale deployment > You don't necessarily need a sub-decoder to do that. You can just write > a sub

RE: [ossec-list] Re: OSSEC large scale deployment

2012-05-18 Thread Sanders, Nate
--- From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Sanders, Nate Sent: Friday, May 18, 2012 2:42 PM To: ossec-list@googlegroups.com Subject: RE: [ossec-list] Re: OSSEC large scale deployment Thinking about it, I tried this in local_rules.xml 18105 4771 0x18

Re: [ossec-list] Re: OSSEC large scale deployment

2012-05-18 Thread Scott Klauminzer
Why? > > > -Original Message- > From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On > Behalf Of Sanders, Nate > Sent: Friday, May 18, 2012 11:21 AM > To: ossec-list@googlegroups.com > Subject: RE: [ossec-list] Re: OSSEC large scale deployment >

Re: [ossec-list] Re: OSSEC large scale deployment

2012-05-22 Thread Michael Starks
On 05/18/2012 02:42 PM, Sanders, Nate wrote: Thinking about it, I tried this in local_rules.xml 18105 4771 0x18 Failed Password win_authentication_failed, Multiple elements in a rule will concatenate into one match, so in your case it would be the same as thi

Re: [ossec-list] Re: OSSEC large scale deployment

2012-05-22 Thread Michael Starks
On 05/18/2012 11:20 AM, Sanders, Nate wrote: Help me wrap my brain around the actual design for this. It seems much more complicated than it sounds. If I am understanding this correctly, this is how I would do it. Let's take this one by one (see below): - alert for specific Event ID's that

Re: [ossec-list] Re: OSSEC large scale deployment

2012-05-22 Thread Zate
We actually got it working well with Option #1. We were able to regroup the alerts into groups that made more sense. "Windows DC Logon Failure" just wasn't granular enough for us; there were thousands of events, some of which we didn't care about and some of which were different types of events, depe
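The regrouping discussed in this thread, written out as a local_rules.xml fragment. This is an added example, not the ruleset Nate and Zate built or anything shipped with OSSEC: rule ids 100100 and up are assumed free local ids, 18105 is the parent rule id taken from Nate's post (assumed to be the stock Windows audit-failure rule on your install), and the Kerberos failure-code meanings are the RFC 4120 error codes Windows writes into events 4768, 4769 and 4771. The first, commented-out rule reproduces the concatenation mistake Michael Starks pointed out; the rest show the subordinate-rule approach he suggested, including a level-0 rule for codes you do not want alerts on.

```xml
<!-- local_rules.xml, added example (not from the thread). Assumed: 18105 is the
     parent rule Nate used; 100100+ are free local ids. If the stock rule that now
     produces "Windows DC Logon Failure" still wins, point <if_sid> at that rule's
     id (see rules/msauth_rules.xml) so these become its children and override it. -->
<group name="windows,local,">

  <!-- Broken form of Nate's rule: consecutive <match> elements are concatenated
       into the single string "47710x18" before matching, so it never fires. -->
  <!--
  <rule id="100100" level="5">
    <if_sid>18105</if_sid>
    <match>4771</match>
    <match>0x18</match>
    <description>Failed Password</description>
    <group>win_authentication_failed,</group>
  </rule>
  -->

  <!-- Working form: the event ID goes in <id> (the field the windows decoder
       extracts), the failure code in one <regex>. The agent flattens the
       multi-line message onto one line, so "Failure Code:" and the code are
       separated by runs of spaces (\s+); if your events carry tabs instead,
       use \.* (OSSEC regex for "any characters") in place of \s+. -->
  <rule id="100101" level="5">
    <if_sid>18105</if_sid>
    <id>^4771$</id>
    <regex>Failure Code:\s+0x18</regex>
    <description>Kerberos pre-auth failed: bad password (KDC_ERR_PREAUTH_FAILED)</description>
    <group>win_authentication_failed,authentication_failed,</group>
  </rule>

  <rule id="100102" level="7">
    <if_sid>18105</if_sid>
    <id>^4771$</id>
    <regex>Failure Code:\s+0x12</regex>
    <description>Kerberos pre-auth failed: account disabled, locked out or expired (KDC_ERR_CLIENT_REVOKED)</description>
    <group>win_authentication_failed,</group>
  </rule>

  <!-- 4768 (TGT) reports the code after "Result Code:", 4769 (service ticket)
       after "Failure Code:"; 0x6 means the account does not exist, i.e. a bad
       username rather than a bad password. The trailing \s stops 0x6 from
       matching the start of a longer code. -->
  <rule id="100103" level="5">
    <if_sid>18105</if_sid>
    <id>^4768$|^4769$</id>
    <regex>Code:\s+0x6\s</regex>
    <description>Kerberos ticket request for unknown account (KDC_ERR_C_PRINCIPAL_UNKNOWN)</description>
    <group>win_authentication_failed,</group>
  </rule>

  <!-- Codes you decide nobody needs paged on (here, as an illustration, expired
       ticket 0x20 and clock skew 0x25): level 0 keeps the event in the archive
       but raises no alert, which is the "tune out in rules" step. -->
  <rule id="100104" level="0">
    <if_sid>18105</if_sid>
    <id>^4769$</id>
    <regex>Failure Code:\s+0x20\s|Failure Code:\s+0x25\s</regex>
    <description>Kerberos service ticket failure with a benign code</description>
  </rule>

  <!-- Correlation on the regrouped rule: many bad passwords in a short window.
       The windows decoder's user field is the header user, "(no user)" for DC
       events, so <same_user /> would not separate targets; this counts volume. -->
  <rule id="100105" level="10" frequency="8" timeframe="120">
    <if_matched_sid>100101</if_matched_sid>
    <description>Multiple Kerberos pre-auth failures with bad password</description>
    <group>win_authentication_failures,</group>
  </rule>

</group>
```

Before restarting the server, paste a raw "WinEvtLog: Security: AUDIT_FAILURE(4771): ..." line from a real alert into /var/ossec/bin/ossec-logtest and confirm that the intended 1001xx rule, not the stock "Windows DC Logon Failure" rule, is the one reported as matching; if the stock rule still fires, change the <if_sid> as noted in the comment.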

Re: [ossec-list] Re: OSSEC large scale deployment

2012-05-23 Thread sklaumin...@gmail.com
Zate, I would love to see the ruleset you've come up with for Windows. I've been trying to put the time towards this, but have not been able to yet. Would you be willing to share what you've come up with? Scott Klauminzer Director of Information Technology & Security Sent from my iPad On May

Re: [ossec-list] Re: OSSEC large scale deployment

2012-05-23 Thread Zate
Yeah, I don't see a problem with sharing it. Nate actually did most of it, and we are still tweaking it a little, but give me a week or so to get the bugs out and I don't mind sharing. Zate On Wed, May 23, 2012 at 9:23 AM, sklaumin...@gmail.com < sklaumin...@gmail.com> wrote: > Zate, > > I would l