Hello and Greetings

Michael Starks
Hello everyone,

It was suggested that I take a moment to introduce myself and get to
know others on the list...

Very briefly, I am one of the "OSSEC guys." For those of you that don't
know, OSSEC is an open source HIDS with log analysis as its core
strength. I mainly contribute things like rules, decoders, installer
work, integration, etc, as well as advocate for it. In my work for
OSSEC, I sometimes get frustrated at how much of a chore deciphering log
files can be. Even supposed standard syslog from large companies cannot
always be counted on to be consistent, so writing support for this stuff
is like an art form. And documentation of the log format? Meh! It should
just not be this difficult. Dealing with these issues takes time away
from more valuable pursuits like attack taxonomy sharing, adding support
for new threats, etc.

I have been watching CEE with interest (along with stuff like CEF) and
it seems like CEE is the way to go. So, I guess I'll hang my hat here
for awhile, learn and hopefully be able to contribute in a meaningful
way. Let's fix this!

Regards,
Michael
Re: Hello and Greetings

Evan Rempel
This is very reassuring. We only had about a week to decide on which "convention" to follow when profiling our log streams and tried to do a meaningful eval of OSSEC and CEE from documentation only (experience would be much better) and had decided on CEE. Looks like we did it right.

Now onto syslog-ng and the new syslog RFC spec that allows metadata transport, which syslog-ng adheres to.

Our hope is that with the CEE and syslog-ng ruleset we can profile (a heavy task) all of the messages at or near the source and leave all of the attack taxonomy and correlation (the intelligence) to the smart end.

I agree, it should not be this difficult, but I see the light at the end of the tunnel now :-) We can coerce the logs to a CEE format until such time that the vendors write syslog streams with CEE metadata directly to the log infrastructure.

I'll be a strong advocate.

Evan.
