Re: Logging Archival Solutions?

[Daniel Cid <danielcid () yahoo com br>]

Hi,

OSSEC (open source tool) can do the things you are
looking for. It allows your to execute active
responses based on the logs. So, if you it seems 
brute force attacks or multiple failed logins, it will
block the offender IP address on the firewall (or run
any other configured response). It also has a very
flexibly rule language allowing you to customize the
rules as you wish...

You should check it out.

More info:
http://www.ossec.net




--- jplee3 () yahoo com escreveu:

> Hi all,
>    Just wondering what your takes are on the logging
> solutions out there. Specifically as regards to PCI
> DSS. I know there are a TON of companies focusing
> their efforts on helping fulfill req 10 and audit
> trails. It seems like there are quite a few out
> there who can effectively correlate and perform
> forensics on log data. My concern is that it still
> seems there is a hole or something missing in the
> overall picture.
>
> Obviously, we're not all going to be monitoring
> these log servers/appliances 24/7 (unless you hire
> people to do 24/7 in shifts), so what if an attack
> (i.e. brute force ala TJ Maxx) successfully occurs
> over the weekend or when someone ISN'T watching or
> tending to their cellphone/pager/email/etc for
> whatever reason? 
> Yes, the logging appliance will capture the attack
> and record it, but assuming no action or
> intervention was taken, by that time the system(s)
> will have been compromised.
>
> So again, it seems like many companies are focusing
> in on the forensics aspect, which I believe is
> important, especially in court. But what about doing
> more actively to prevent attacks?  What about
> automated remediation and active response?
>
> I'm trying not to be biased here, but the only
> company I've seen who has taken big steps towards
> this is TriGeo. Has anyone else here heard of them?
> Or have any experience using their solution? I've
> only sat in on a demo and have read a bunch of
> whitepapers, and most other SIMs/logging
> solutions/etc pale in comparison. 
> It just seems easier/less confusing to use overall.
> I've also sat in on Cisco MARS, CSA, and RSA
> EnVision demos and wasn't nearly as impressed with
> any of these solutions. 
> CSA, potentially coming the closest in terms of
> endpoint security/policy enforcement, seems
> interesting, but not nearly as flexible or powerful
> in terms of policies, rule sets, and automated
> defined responses per a specific action.
>
> I'm just trying to get a sense here from what others
> have done, but it seems hard to find a good amount
> of people who can or are willing to share. Maybe
> it's because most of us are still working at it and
> have the same questions I do, or haven't even
> thought of it yet (in which case: you better get on
> it!). Or is it because many people are just
> secretive about the whole thing? I guess I could
> understand why if so... but why not just tell us a)
> what you're using, and b) why you like it - I don't
> see anything that could jeopardize your company in
> providing such information.
>
> Oh well, I'm really trying to push TriGeo with my
> managers but I've been finding it difficult. They're
> partial to Cisco MARS/CSA because we already have a
> Cisco contact/sales engineer and outside consultants
> who also strongly advise mostly Cisco stuff. I just
> think most people here are deep into the Cisco
> mindset. So sometimes it's  hard thinking outside
> the box. 
>
> Any opinions would be greatly appreciated.
>
>
> Thanks!
> -J



      Flickr agora em português. Você clica, todo mundo vê.
http://www.flickr.com.br/