Home page logo

basics logo Security Basics mailing list archives

Re: Logging Archival Solutions?
From: Daniel Cid <danielcid () yahoo com br>
Date: Wed, 29 Aug 2007 23:12:17 -0300 (ART)


OSSEC (open source tool) can do the things you are
looking for. It allows your to execute active
responses based on the logs. So, if you it seems 
brute force attacks or multiple failed logins, it will
block the offender IP address on the firewall (or run
any other configured response). It also has a very
flexibly rule language allowing you to customize the
rules as you wish...

You should check it out.

More info:

--- jplee3 () yahoo com escreveu:

Hi all,
   Just wondering what your takes are on the logging
solutions out there. Specifically as regards to PCI
DSS. I know there are a TON of companies focusing
their efforts on helping fulfill req 10 and audit
trails. It seems like there are quite a few out
there who can effectively correlate and perform
forensics on log data. My concern is that it still
seems there is a hole or something missing in the
overall picture.

Obviously, we're not all going to be monitoring
these log servers/appliances 24/7 (unless you hire
people to do 24/7 in shifts), so what if an attack
(i.e. brute force ala TJ Maxx) successfully occurs
over the weekend or when someone ISN'T watching or
tending to their cellphone/pager/email/etc for
whatever reason? 
Yes, the logging appliance will capture the attack
and record it, but assuming no action or
intervention was taken, by that time the system(s)
will have been compromised.

So again, it seems like many companies are focusing
in on the forensics aspect, which I believe is
important, especially in court. But what about doing
more actively to prevent attacks?  What about
automated remediation and active response?

I'm trying not to be biased here, but the only
company I've seen who has taken big steps towards
this is TriGeo. Has anyone else here heard of them?
Or have any experience using their solution? I've
only sat in on a demo and have read a bunch of
whitepapers, and most other SIMs/logging
solutions/etc pale in comparison. 
It just seems easier/less confusing to use overall.
I've also sat in on Cisco MARS, CSA, and RSA
EnVision demos and wasn't nearly as impressed with
any of these solutions. 
CSA, potentially coming the closest in terms of
endpoint security/policy enforcement, seems
interesting, but not nearly as flexible or powerful
in terms of policies, rule sets, and automated
defined responses per a specific action.

I'm just trying to get a sense here from what others
have done, but it seems hard to find a good amount
of people who can or are willing to share. Maybe
it's because most of us are still working at it and
have the same questions I do, or haven't even
thought of it yet (in which case: you better get on
it!). Or is it because many people are just
secretive about the whole thing? I guess I could
understand why if so... but why not just tell us a)
what you're using, and b) why you like it - I don't
see anything that could jeopardize your company in
providing such information.

Oh well, I'm really trying to push TriGeo with my
managers but I've been finding it difficult. They're
partial to Cisco MARS/CSA because we already have a
Cisco contact/sales engineer and outside consultants
who also strongly advise mostly Cisco stuff. I just
think most people here are deep into the Cisco
mindset. So sometimes it's  hard thinking outside
the box. 

Any opinions would be greatly appreciated.


      Flickr agora em português. Você clica, todo mundo vê.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]