On Sun, Nov 29, 2009 at 7:55 AM, Rob Kampen <rkampen at kampensonline.com> wrote:

> David McGuffey wrote:
>
>> Starting with a fresh load and after I finish hardening the load
>> following the Center for Internet Security (CIS) guidance, I'm wondering
>> whether AIDE or OSSEC would be a better intrusion detection system.
>>
>> I installed AIDE and did a quick test of AIDE and after initializing the
>> db and applying the recent cups update, I found that 1700+ files had
>> changed. Those are a lot of changes to wade through to determine if
>> they are legit or not. If that is all that AIDE can do, then it is not
>> "manageable."
>>
>> Seems to me that any IDS must be tied to the yum update process so that
>> one is not dealing with hundreds/thousands of changes that were brought
>> in by a yum update that I choose to apply.
>>
>> Is OSSEC any less noisy?
>>
>> DaveM
>>

Also, check out http://ftimes.sourceforge.net/FTimes/index.shtml

Even if you choose another tool, I recommend reading their paper.
http://ftimes.sourceforge.net/FTimes/Papers.shtml

And the related tools hashdig and XMagic are worth a look.

>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>>
>
> I run both of these on my servers.
> AIDE is noisy, however it is simple to scroll through the list of files
> that it shows and determine that the folders with all the changes relate to
> the yum update or install that I know about. After a yum update, I run
> another aide --init and cp the new db over the old one - I do this once a
> week after the logrotate takes place, thus most days have only two ~ ten
> files to look at.
> BUT the real outcome is I get to sleep easy knowing that something will
> know about every file change.
> OSSEC can also be noisy but it also adds some other useful monitoring and
> emails me when certain events occur.
> Most of these events I know about, thus I delete the email and life is good.
> The real benefit is that if the number of log messages suddenly grows I get
> warned, if I get 10 tries from one IP address to dovecot using different
> hostnames I get warned etc...
> I get to choose the level of response, by applying my experience and
> expectations to the mix.
> I do not think there is any tool you can just set and forget for IDS
> functions.
> HTH
>

--
Drew Einhorn