Can OSSEC efficiency (Detection Rate & False Alarm Rate) be tested and how?


Miroslav S

Aug 28, 2015, 7:51:42 AM
to ossec-list
Hello everyone
You might have seen my previous question here: https://groups.google.com/d/msg/ossec-list/khKs7zgjTLU/fIuuC8gyBQAJ. This post is a follow-up on that question.

Basically, as the subject says, I'm trying to figure out if OSSEC efficiency can be tested, and if yes, how. By efficiency, I mean the Detection Rate (DR) of attacks, as well as the False Alarm Rate (FAR). The dataset I previously tried to use for it turned out to be a dead end, as can be seen in the previous question, which left me in quite a predicament, as I do not know how else it could be done and my research on the subject did not really yield any results, so I'm hoping that somebody here could point me in the right direction.

Thank you
Miroslav

dan (ddp)

Aug 31, 2015, 9:48:55 PM
to ossec...@googlegroups.com
You could push logs through it and track the success/failure rate. If
you plan on using it in a server/agent configuration, have agents push
logs to the server. Track how many logs go in, and how many are
correctly detected.
This isn't a simple question, but all I have is that overly simplistic
answer at the moment.

> Thank you
> Miroslav
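
One way to do the bookkeeping suggested in the reply above, as an added example that is not part of the original thread or OSSEC's own code: replay a labelled log set, parse the resulting alerts, and compute DR = TP/(TP+FN) and FAR = FP/(FP+TN) at a chosen minimum alert level. The log lines, alert entries and rule ids are constructed, and the alert layout (a `Rule:` line, with the raw log line closing each entry) is an assumption about `alerts.log`.

```python
import re

# Constructed test set: each replayed log line with its ground truth (True = attack).
# Lines must be unique so that an alert can be matched back to its input line.
LABELLED = [
    ("Aug 28 07:51:40 web1 sshd[911]: Failed password for root from 203.0.113.7 port 4022 ssh2", True),
    ("Aug 28 07:51:44 web1 sshd[915]: Failed password for invalid user admin from 203.0.113.7 port 4031 ssh2", True),
    ("Aug 28 07:52:10 web1 sshd[920]: Accepted password for root from 203.0.113.7 port 4040 ssh2", True),
    ("Aug 28 08:01:02 web1 sshd[950]: Failed password for alice from 192.0.2.10 port 5120 ssh2", False),
    ("Aug 28 08:01:09 web1 sshd[951]: Accepted password for alice from 192.0.2.10 port 5121 ssh2", False),
    ("Aug 28 08:05:01 web1 CRON[960]: (root) CMD (run-parts /etc/cron.hourly)", False),
]

# Constructed alert log, trimmed to the parts used here (assumed layout).
# Tuples are (placeholder rule id, alert level, index of the triggering line).
ALERTS = "\n\n".join(
    f"** Alert 1440748300.{i}: - syslog,sshd,\n"
    f"Rule: {rule_id} (level {level}) -> 'constructed rule'\n{LABELLED[idx][0]}"
    for i, (rule_id, level, idx) in enumerate([(100001, 5, 0), (100002, 10, 1), (100001, 5, 3)])
)

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\)")

def alerted_lines(alert_text, min_level=1):
    """Return the raw log lines that raised an alert at or above min_level."""
    hits = set()
    for entry in alert_text.strip().split("\n\n"):
        lines = entry.strip().splitlines()
        levels = [int(m.group(2)) for m in map(RULE_RE.match, lines) if m]
        if levels and levels[0] >= min_level:
            hits.add(lines[-1])  # the raw log line closes the entry
    return hits

def score(labelled, hits):
    """Return (detection rate, false alarm rate, confusion counts)."""
    counts = {"TP": 0, "FN": 0, "FP": 0, "TN": 0}
    for line, is_attack in labelled:
        flagged = line in hits
        key = ("TP" if flagged else "FN") if is_attack else ("FP" if flagged else "TN")
        counts[key] += 1
    attacks = counts["TP"] + counts["FN"]
    benign = counts["FP"] + counts["TN"]
    dr = counts["TP"] / attacks if attacks else 0.0
    far = counts["FP"] / benign if benign else 0.0
    return dr, far, counts

if __name__ == "__main__":
    for min_level in (1, 7):  # a higher alerting threshold trades DR for FAR
        dr, far, counts = score(LABELLED, alerted_lines(ALERTS, min_level))
        print(f"min level {min_level}: DR={dr:.2f} FAR={far:.2f} {counts}")
```

The numbers are only as good as the ground-truth labels, so the replayed set needs both attack and benign traffic that resembles what the deployment will actually see.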