RE: Host based IDS methodology and testing

From: Abe L. Getchell
Date: 10/27/01

From: "Abe L. Getchell" <>
To: "Curt Wilson" <>
Subject: RE: Host based IDS methodology and testing
Date: Sat, 27 Oct 2001 16:51:22 -0400
Message-ID: <>

Hi Curt,

I've successfully deployed Snort as a HIDS on a number of production servers
ranging from Windows 2000 to Red Hat Linux boxes. Snort works great in this
role, but being somewhat of a raw tool 'out of the box' can make centralized
administration and management (log collection, signature synchronization,
etc) a chore in a large deployment.

That being said, I'm currently working on a set of tools to aid the
administration and management of Snort in a HIDS setup, for large
deployments, across a diverse set of platforms. Said tools are written in
Java, as it was the only language which met the requirements for what I am
trying to accomplish. I'm about 75% done with these tools (the
functionality is there, now I just need to add crypto and authentication
mechanisms) and will most likely make them publicly available when I'm
finished if there's enough interest.

Your basic requirements for a HIDS (cover a broad range of attacks and run
on multiple platforms) are almost identical to what my organization's
basic requirements were when we were evaluating products. We found that
Snort best fit what we were looking for... and had the added benefit of
being free. =)

Happy testing.


Abe L. Getchell
Security Engineer

> -----Original Message-----
> From: Curt Wilson []
> Sent: Friday, October 26, 2001 4:20 PM
> To:
> Subject: Host based IDS methodology and testing
>
> We are in the process of reviewing various host based IDS tools.
> So far, we've taken a look at Entercept (The Cisco version) and
> are preparing to look at NetworkIce/ISS, and NFR Secure Log
> Repository (SLR). Entercept and BlackIce seem to take a step
> beyond the detection methodology and actually prevent attacks.
> Then there are specific tools for IIS, such as SecureIIS and
> urlscan, but we want something more broad that can cover more
> ground. Ideally, the tool would work on nt/2k, and various
> flavors of unix.
>
> In this process, I would like to put together or find a
> methodology that others have used to test host based IDS. If I
> can't find one I'll make one myself, but wanted to avoid
> recreating the wheel if possible.
>
> Any production experience with any of the above products, or any
> host ids products not mentioned, would also be helpful. Please
> write me at or post to the list if appropriate.
>
> Thanks
>
> Curt Wilson
> Security Engineer
> Denmac Systems Inc.
