IDS mailing list archives

Re: Setting up Arcsight/Tripwire


From: Mike Lococo <mikelococo () gmail com>
Date: Wed, 08 Apr 2009 15:21:59 -0400

I was wondering if anyone has any standard rules and policies which can
be instantly deployed & added to Arcsight ESM for monitoring Windows,
UNIX, database and network devices. I understand the rules vary and are
specific to the OS and n/w devices. We have to set up the rules and
commission Arcsight in our company. If anyone has prior hands-on using
Arcsight or if you have any literature, please share.  Also, if you have
any docs on how to set up rules on Tripwire tool for file integrity
checking please share the information. Thank you in advance.

ArcSight doesn't so much depend on rules, like an IDS. The agents just
grab log/event data and the main engine fondles it to make pretty charts
and correlations. The real benefit is in writing/modifying policies to get
you the info you want. Write me offlist if you'd like help with anything
ArcSight.

ArcSight doesn't do *packet-inspection* like an IDS. It absolutely does depend on rules, or policies if that's what you'd rather call the series of criteria which must be met to fire off a correlation event. All of the Arcsight engineers I've spoken to call them rules, though.

I'm also not sure why the overposter is catching such flak for asking about community rules. It's certainly true that you should be getting training and documentation on rule creation as part of your rollout, and it's likely true that Arcsight will give you some site specific rule-content as well. It still makes perfect sense to me to look for community-created rules from other sites that have overlapping needs. There are many examples of site-agnostic rules that would be widely applicable... rules correlating related Emerging Threats sigs for snort could cut down on falses significantly and would have very little site-dependence.

It may be that you're looking in the wrong place. Most of the useful information sharing regarding Arcsight seems to happen in the forums they host, which cannot be accessed without a support account. If you don't have one, ask for one and look there.

Thanks,
Mike Lococo
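An added example (not from this thread, and not ArcSight's rule language) of the kind of site-agnostic correlation rule described above: it reads Snort "fast" alert lines and fires one correlated event only when two related signatures hit the same source/destination pair within a short window, so a lone low-priority hit never surfaces on its own. The alert lines and the SIDs 9000001/9000002 are constructed placeholders, not real Emerging Threats signatures.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Snort "fast" alert lines (placeholder SIDs, not real ET sigs)
SAMPLE_ALERTS = """\
04/08-15:21:01.000000  [**] [1:9000001:1] HYPOTHETICAL ET SCAN recon probe [**] [Priority: 2] {TCP} 10.1.1.5:41000 -> 192.0.2.10:80
04/08-15:21:20.000000  [**] [1:9000002:1] HYPOTHETICAL ET WEB_SERVER traversal attempt [**] [Priority: 1] {TCP} 10.1.1.5:41002 -> 192.0.2.10:80
04/08-15:25:00.000000  [**] [1:9000001:1] HYPOTHETICAL ET SCAN recon probe [**] [Priority: 2] {TCP} 10.1.1.9:53000 -> 192.0.2.11:80
04/08-15:40:00.000000  [**] [1:9000002:1] HYPOTHETICAL ET WEB_SERVER traversal attempt [**] [Priority: 1] {TCP} 10.1.1.9:53010 -> 192.0.2.11:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\] \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$"
)

# Hypothetical related pair: "recon probe followed by exploit attempt" from one source to one host
RELATED_SIDS = ({"9000001", "9000002"},)
WINDOW_SECONDS = 60

def parse(line):
    """Parse one Snort fast-format alert line; return None for anything that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f")  # year is absent in this format
    return {"ts": ts, "sid": m["sid"], "msg": m["msg"], "src": m["src"], "dst": m["dst"]}

def correlate(lines, window=WINDOW_SECONDS):
    """Return one correlated event per (src, dst) pair in which every SID of a
    related set fires within `window` seconds. Isolated alerts are ignored."""
    seen = defaultdict(list)  # (src, dst) -> [(timestamp, sid), ...]
    fired = []
    for line in lines.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["src"], ev["dst"])
        seen[key].append((ev["ts"], ev["sid"]))
        for related in RELATED_SIDS:
            if ev["sid"] not in related:
                continue
            recent = {sid for ts, sid in seen[key] if (ev["ts"] - ts).total_seconds() <= window}
            if related <= recent:  # every member of the related set seen inside the window
                fired.append({"src": key[0], "dst": key[1], "sids": sorted(related), "at": ev["ts"]})
                seen[key] = []  # reset so the same pair does not refire on each later alert
    return fired
```

On the constructed sample only the first pair (19 seconds apart) fires; the second pair is 15 minutes apart and stays silent.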
