How should I classify PADS New Asset alerts?


6st...@gmail.com

Aug 1, 2014, 1:44:06 PM8/1/14
to securit...@googlegroups.com
I'm trying out the PRADS session and assets data being sent to Sguil. Now that I have the 'PADS New Asset' alerts, what do I do with them? They don't seem to fit any of the Categories.
Thank you,
Steve

Doug Burks

Aug 1, 2014, 1:49:33 PM8/1/14
to securit...@googlegroups.com
Hi Steve,

You can classify events as whatever Category you think best fits. The
main thing is to be consistent.

One thing to consider. PRADS session/asset data may work great for
you if you have a small network and/or a small number of sensors.
However, if you're on a large network and/or have a large number of
sensors, you may find that sending all of that data to a single
central database doesn't scale that well. For that reason, most large
deployments disable PRADS/pads_agent/sancp_agent and rely on Bro/ELSA
for session/asset data.

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com