IDS mailing list archives

RE: Setting up Arcsight/Tripwire

From: "Rivera, Angel L." <arivera () mitre org>
Date: Wed, 8 Apr 2009 12:48:58 -0400

I concur with getting help and training configuring Arcsight

I will say that out of the box Arcsight can receive data from al the devices you mention but you have quite a bit of 
homework before you even touch Arcsight - for each device you need to determined what is it that you want to 
"capture/filter"  - in other words what events in particular are you interested in (e.g., logons & log offs, access 
failures, successful access to critical files).  Then you need to configure each device to generate the events onto 
audit trails/logs - for windows for example you need to turn audit on and for each file that you want to track you need 
to go and turn audit for that file.  Once you do all this then you can look at Arcsight to receive/forward/filter logs 
and generate report/alerts.  

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Paul Schmehl
Sent: Tuesday, April 07, 2009 12:27 PM
To: venkatesh.selvaraju () gmail com; focus-ids () securityfocus com
Subject: Re: Setting up Arcsight/Tripwire

--On Tuesday, April 07, 2009 02:15:13 -0600 venkatesh.selvaraju () gmail com wrote:

Dear All,

I was wondering if anyone has any standard rules and policies which can be
instantly deployed & added to Arcsight ESM for monitoring Windows, UNIX,
database and network devices. I understand the rules vary and are specific to
the OS and n/w devices. We have to setup the rules and commission Arcsight in
our company. If anyone has prior hands-on using Arcsight or if you have any
literature, please share.  Also, if you have any docs on how to setup rules
on Tripwire tool for file integrity checking please share the information.
Thank you in advance.


Arcsight is an expensive product.  Surely you got training and access to docs 
with your licenses?  If you're just now deploying, Arcsight should be assisting 
you with that - especially your salesperson.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
Check the headers before clicking on Reply.

Current thread:

Setting up Arcsight/Tripwire venkatesh . selvaraju (Apr 07)
- Re: Setting up Arcsight/Tripwire Randal T. Rioux (Apr 08)
  - Re: Setting up Arcsight/Tripwire Mike Lococo (Apr 08)
  - Re: Setting up Arcsight/Tripwire Aseem Kumar (Apr 08)
    - RE: Setting up Arcsight/Tripwire David Henning (Apr 13)
- Re: Setting up Arcsight/Tripwire Paul Schmehl (Apr 08)
  - RE: Setting up Arcsight/Tripwire Rivera, Angel L. (Apr 08)
  - Re: Setting up Arcsight/Tripwire Stephen Mullins (Apr 20)