IDS mailing list archives
Re: Setting up Arcsight/Tripwire
From: Mike Lococo <mikelococo () gmail com>
Date: Wed, 08 Apr 2009 15:21:59 -0400
I was wondering if anyone has any standard rules and policies which can be instantly deployed & added to Arcsight ESM for monitoring Windows, UNIX, database and network devices. I understand the rules vary and are specific to the OS and n/w devices. We have to setup the rules and commission Arcsight in our company. If anyone has prior hands-on using Arcsight or if you have any literature, please share. Also, if you have any docs on how to setup rules on Tripwire tool for file integrity checking please share the information. Thank you in advance.ArcSight doesn't so much depend on rules, like an IDS. The agents just grab log/event data and the main engine fondles it to make pretty charts and correlations. The real benefit is in writing/modifying policies to get you the info you want. Write me offlist if you'd like help with anything ArcSight.
ArcSight doesn't do *packet-inspection* like an IDS. It absolutely does depend on rules, or policies if that's what you'd rather call the series of criteria which must be met to fire off a correlation event. All of the Arcsight engineers I've spoken to call them rules, though.
I'm also not sure why the overposter is catching such flak for asking about community rules. It's certainly true that you should be getting training and documention on rule creation as part of your rollout, and it's likely true that Arcsight will give you some site specific rule-content as well. It still makes perfect sense to me to look for community-created rules from other sites that have overlapping needs. There are many examples of site-agnostic rules that would be widely applicable... rules correlating related Emerging Threats sigs for snort could cut down on falses significantly and would have very little site-dependence.
It may be that you're looking in the wrong place. Most of the useful information sharing regarding Arcsight seems to happen in the forums they host, which cannot be accessed without a support account.
If you don't have one, ask for one and look there. Thanks, Mike Lococo
Current thread:
- Setting up Arcsight/Tripwire venkatesh . selvaraju (Apr 07)
- Re: Setting up Arcsight/Tripwire Randal T. Rioux (Apr 08)
- Re: Setting up Arcsight/Tripwire Mike Lococo (Apr 08)
- Re: Setting up Arcsight/Tripwire Aseem Kumar (Apr 08)
- RE: Setting up Arcsight/Tripwire David Henning (Apr 13)
- Re: Setting up Arcsight/Tripwire Paul Schmehl (Apr 08)
- RE: Setting up Arcsight/Tripwire Rivera, Angel L. (Apr 08)
- Re: Setting up Arcsight/Tripwire Stephen Mullins (Apr 20)
- Re: Setting up Arcsight/Tripwire Randal T. Rioux (Apr 08)