IDS?

IRJ

@stacksofplates said in IDS?:

Our new systems are going to have aide running. Just going to have a cronjob run the aide check every so often.

How soon do you want to find out if someone is doing something malicious? Are you alerted every 10 minutes, few hours, days, etc?

Also how long do you keep logs?

These are some of the IDS questions I find very hard to find out any information. Not many are willing to talk about how long they keep they logs, etc.

stacksofplates

@IRJ said in IDS?:

@stacksofplates said in IDS?:

Our new systems are going to have aide running. Just going to have a cronjob run the aide check every so often.

How soon do you want to find out if someone is doing something malicious? Are you alerted every 10 minutes, few hours, days, etc?

Also how long do you keep logs?

These are some of the IDS questions I find very hard to find out any information. Not many are willing to talk about how long they keep they logs, etc.

It's probably going to run every hour. It's an air gapped network. Logs are kept for a year.

travisdh1

I've been using AlienVault's OSSIM, basically the open source version. It's been good so far, but I just deployed the agents to each server/workstation and haven't setup any custom rules, so it just uses the rules for currently known threats.

IRJ

@travisdh1 said in IDS?:

I've been using AlienVault's OSSIM, basically the open source version. It's been good so far, but I just deployed the agents to each server/workstation and haven't setup any custom rules, so it just uses the rules for currently known threats.

Do you find the agents useful? I am still testing the agents in a test environment.

travisdh1

@IRJ said in IDS?:

@travisdh1 said in IDS?:

I've been using AlienVault's OSSIM, basically the open source version. It's been good so far, but I just deployed the agents to each server/workstation and haven't setup any custom rules, so it just uses the rules for currently known threats.

Do you find the agents useful? I am still testing the agents in a test environment.

OSSIM would be useless without them for me, honestly. without custom rules, or some way to get data besides the login, OSSIM is kinda crippled.

IRJ

@travisdh1 said in IDS?:

@IRJ said in IDS?:

@travisdh1 said in IDS?:

I've been using AlienVault's OSSIM, basically the open source version. It's been good so far, but I just deployed the agents to each server/workstation and haven't setup any custom rules, so it just uses the rules for currently known threats.

Do you find the agents useful? I am still testing the agents in a test environment.

OSSIM would be useless without them for me, honestly. without custom rules, or some way to get data besides the login, OSSIM is kinda crippled.

You use them for file integrity and registry change reporting, correct?

travisdh1

@IRJ said in IDS?:

@travisdh1 said in IDS?:

@IRJ said in IDS?:

@travisdh1 said in IDS?:

I've been using AlienVault's OSSIM, basically the open source version. It's been good so far, but I just deployed the agents to each server/workstation and haven't setup any custom rules, so it just uses the rules for currently known threats.

Do you find the agents useful? I am still testing the agents in a test environment.

OSSIM would be useless without them for me, honestly. without custom rules, or some way to get data besides the login, OSSIM is kinda crippled.

You use them for file integrity and registry change reporting, correct?

Yes. Mine has an internet connection, so it also gets the latest threat updates from the public pool.

IRJ

@travisdh1 said in IDS?:

@IRJ said in IDS?:

@travisdh1 said in IDS?:

@IRJ said in IDS?:

@travisdh1 said in IDS?:

I've been using AlienVault's OSSIM, basically the open source version. It's been good so far, but I just deployed the agents to each server/workstation and haven't setup any custom rules, so it just uses the rules for currently known threats.

Do you find the agents useful? I am still testing the agents in a test environment.

OSSIM would be useless without them for me, honestly. without custom rules, or some way to get data besides the login, OSSIM is kinda crippled.

You use them for file integrity and registry change reporting, correct?

Yes. Mine has an internet connection, so it also gets the latest threat updates from the public pool.

You do the updates through SSH, right?

IRJ

Sorry for so many questions. I have never used the open source version.

travisdh1

@IRJ said in IDS?:

Sorry for so many questions. I have never used the open source version.

No problem. I'm not responding as fast anymore because some imaging jobs finished.

@IRJ said in IDS?:

@travisdh1 said in IDS?:

@IRJ said in IDS?:

@travisdh1 said in IDS?:

@IRJ said in IDS?:

@travisdh1 said in IDS?:

I've been using AlienVault's OSSIM, basically the open source version. It's been good so far, but I just deployed the agents to each server/workstation and haven't setup any custom rules, so it just uses the rules for currently known threats.

Do you find the agents useful? I am still testing the agents in a test environment.

OSSIM would be useless without them for me, honestly. without custom rules, or some way to get data besides the login, OSSIM is kinda crippled.

You use them for file integrity and registry change reporting, correct?

Yes. Mine has an internet connection, so it also gets the latest threat updates from the public pool.

You do the updates through SSH, right?

Yep. You just might get introduced to my basic update script on the 16th.