PaulDotCom mailing list archives

HIDS advice?


From: jmagee at thevigilant.com (Joe Magee)
Date: Wed, 19 Aug 2009 17:16:13 -0400

We've certainly seen it. Can be a bit noisy in a production *nix environment. A lot of times we isolate this to say 
"PCI" systems or other compliance targets... 

With that said, it's also interesting seeing those backup jobs running as root, or better yet seeing the backup jobs 
failing as root (i.e., not running). Then running a report that shows that happening every night for the past month (doh!)

I miss Squire... :)

- Joe

P.S. Who's not a lurker!  (that'd be me..)

Joe Magee
Chief Technology Officer
Cell +1-617-921-8671
Office +1-201-324-1800 x202
securing and enabling dynamic business
www.thevigilant.com


-----Original Message-----
From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Ron Gula
Sent: Tuesday, August 18, 2009 10:22 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] HIDS advice?

I'm curious how many people enable process accounting on UNIX or Windows
and feed these to their SIM? When you start seeing tcpdump being run by
user 'www' at 2:00 am, things can get interesting.

Ron

Christopher Rimondi wrote:
I have used OSSEC for the past three years and believe it is an
excellent IDS.  The rule set is expansive and flexible.  It also
encrypts all communication between the agents and the server.  Also,
check out the WUI.  It has got pretty decent search functionality.  Not
on the order of Splunk, but it gets the job done.

Thanks,

Chris Rimondi


------------------------------------------------------------------------

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


-- 
Ron Gula, CEO
Tenable Network Security


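The two detections discussed in this thread (Ron's "tcpdump run by user 'www' at 2:00 am" from process accounting fed to a SIM, and Joe's "backup job failing as root every night for a month" report) are easy to express once accounting records are normalized. The following is an added example, not code from the thread or from any of the products mentioned; it assumes process-accounting records have already been flattened into a constructed `timestamp,user,command,tty` CSV (the way a collector would before shipping them to a SIM), and the service-account list, watched-command list and per-account baseline are illustrative assumptions:

```python
"""Detection over normalized process-accounting records (added example).

Assumed input: one record per executed command, as CSV
    timestamp,user,command,tty
The sample records, account lists and baseline below are constructed.
"""
import csv
import io
from datetime import datetime, timedelta, time

# Accounts that should only ever run their own daemon and housekeeping.
SERVICE_ACCOUNTS = {"www", "www-data", "apache", "postgres", "nobody"}
# Capture/recon tools a service account has no business running.
WATCHED_COMMANDS = {"tcpdump", "tshark", "nmap", "nc", "netcat"}
SHELLS = {"sh", "bash", "dash", "ksh", "zsh"}
OFF_HOURS_START, OFF_HOURS_END = time(22, 0), time(6, 0)

# Constructed baseline: commands each service account is known to run.
BASELINE = {
    "www": {"httpd", "logrotate"},
    "postgres": {"postgres", "pg_dump"},
}

# Constructed sample records (two days of activity on one host).
SAMPLE_RECORDS = """\
2009-08-17T01:00:02,root,backup.sh,??
2009-08-17T09:15:00,www,httpd,??
2009-08-18T02:00:13,www,tcpdump,??
2009-08-18T02:00:15,www,sh,??
2009-08-18T09:12:44,alice,vim,pts/0
2009-08-18T14:30:02,www,httpd,??
2009-08-18T23:45:00,postgres,pg_dump,??
"""


def parse_records(text):
    """Yield dicts with a parsed datetime under 'timestamp'."""
    reader = csv.DictReader(io.StringIO(text),
                            fieldnames=["timestamp", "user", "command", "tty"])
    for row in reader:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        yield row


def is_off_hours(ts):
    """True inside the 22:00-06:00 window, which wraps midnight."""
    t = ts.time()
    return t >= OFF_HOURS_START or t < OFF_HOURS_END


def evaluate(record):
    """Return the list of reasons this record deserves an alert (empty if none)."""
    user, cmd, ts = record["user"], record["command"], record["timestamp"]
    reasons = []
    if user not in SERVICE_ACCOUNTS:
        return reasons  # interactive users are handled by other rules
    if cmd in WATCHED_COMMANDS:
        reasons.append("capture/recon tool")
    if cmd in SHELLS:
        reasons.append("interactive shell")
    if cmd not in BASELINE.get(user, set()):
        reasons.append("not in baseline")
    if reasons and is_off_hours(ts):
        reasons.append("off-hours")  # raises severity, never alerts on its own
    return reasons


def scan(text):
    """Run every record through evaluate(); return (time, user, cmd, reasons) tuples."""
    alerts = []
    for rec in parse_records(text):
        reasons = evaluate(rec)
        if reasons:
            alerts.append((rec["timestamp"].isoformat(), rec["user"],
                           rec["command"], tuple(reasons)))
    return alerts


def missing_days(text, user, command):
    """Dates in the record range on which `user` never ran `command`.

    This is the 'did the root backup actually run last night' report."""
    recs = list(parse_records(text))
    ran_on = {r["timestamp"].date() for r in recs
              if r["user"] == user and r["command"] == command}
    first = min(r["timestamp"].date() for r in recs)
    last = max(r["timestamp"].date() for r in recs)
    missing, day = [], first
    while day <= last:
        if day not in ran_on:
            missing.append(day.isoformat())
        day += timedelta(days=1)
    return missing


if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print("ALERT", *alert)
    print("backup.sh did not run on:", missing_days(SAMPLE_RECORDS, "root", "backup.sh"))
```

Against the sample data this raises two alerts, both for `www` at 02:00 (the `tcpdump` run and the shell that accompanied it), stays silent on the in-baseline `pg_dump` at 23:45, and reports that `backup.sh` never ran as root on 2009-08-18. The baseline rule is what keeps the noise Joe mentions manageable: rather than alerting on every off-hours command, it only fires when a service account does something it has not been seen doing before.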

