Re: Best Host IDS Tools

From: Frank Cheong (frankcheong@ctimail3.com)
Date: 12/25/02

    From: "Frank Cheong" <frankcheong@ctimail3.com>
    To: <gll@inel.gov>, "Bryan Strong" <bstrong@packetshield.net>
    Date: Wed, 25 Dec 2002 12:49:13 +0800
    
    

    Then what does snort actually do? Coz my site is already behind a firewall,
    is snort still necessary in this case?

    I have also got the below list from others, so what are they and how good
    are they?
    Samhain
    Prelude
    Honeynet
    Emerald

    Are they free ?

    I was also told to enable BSM auditing, what is that? Any reference
    web site?

    Frank
    ----- Original Message -----
    From: "Jerry" <gll@inel.gov>
    To: "frank" <chocobofrank@hotmail.com>
    Cc: <focus-ids@securityfocus.com>
    Sent: Wednesday, December 25, 2002 1:16 AM
    Subject: Re: Best Host IDS Tools

    > frank wrote:
    >
    > > I have just setup my Web server on solaris platform and is planning to
    > > deploy a freeware IDS. Now I am evaluating the below IDS tools :-
    > > AIDE
    > > Snort
    > > Tripwire
    > > Chkrootkit
    > >
    > >
    >
    > You have 4 tools with different intents listed.
    >
    > AIDE is indeed a host IDS... I have tested it, but not had the chance to
    > really deploy it. AIDE looks at all aspects of the system: file space
    > (user induced DoS), password files, etc.
    >
    > Snort is a NETWORK IDS, not really a host IDS. Snort only alerts/captures
    > based on network traffic.
    >
    > Tripwire is used to make sure critical files have not changed via checksum
    > processes. This tool knows nothing of
    > network intrusions, etc.
    >
    > Chkrootkit is a tool used to scan a system for KNOWN traces of root kits.
    >
    > In truth, you need to deploy ALL of them for a nearly true secure
    > environment.
    >
    >
    >
    >
    > --
    > ------------------------------------------------------------------
    > Jerry Litteer
    > Cyber Security Office e-mail: gll@inel.gov
    > Idaho National Engineering and Environmental Lab. (INEEL)
    > POB 1625 M.S. 3640 Phone: (208) 526-9117
    > Idaho Falls, Id. 83415-3640 FAX: (208) 526-9366
    >
    >
    >
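The checksum-based file-integrity checking that Jerry describes for Tripwire and AIDE, shown as an added example that is not part of the original thread and is not code from either tool: it records a baseline of SHA-256 digests, sizes and permission bits for a directory tree, then re-scans and reports added, removed and changed files. The directory tree, file names and contents in the demo are constructed for illustration; the function and file names (build_baseline, compare, baseline.json) are my own choices.

```python
"""Minimal file-integrity check in the style of Tripwire/AIDE (added example).

Baseline = {relative path: {sha256, size, mode}}.  A later scan is compared
against it and any added, removed or changed file is reported.  The sample
tree built in demo() is constructed for illustration only.
"""
import hashlib
import json
import os
import stat
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Record digest, size and permission bits for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return baseline


def save_baseline(baseline, path):
    """Write the baseline as JSON; in practice keep it on read-only or offline media."""
    with open(path, "w") as f:
        json.dump(baseline, f, sort_keys=True, indent=1)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(old, new):
    """Diff two baselines.  'changed' maps path -> list of attributes that differ."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {}
    for rel in sorted(set(old) & set(new)):
        diffs = [k for k in ("sha256", "size", "mode") if old[rel][k] != new[rel][k]]
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def _write(root, rel, data, mode=0o644):
    """Demo helper: create rel under root with fixed permission bits."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.chmod(full, mode)
    return full


def demo():
    """Build a constructed tree, baseline it, change it, and return the report."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "etc/passwd", b"root:x:0:0:root:/:/bin/sh\n")
        _write(root, "etc/shadow", b"root:*:12345:0:99999:7:::\n", mode=0o400)
        _write(root, "bin/ls", b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n", mode=0o755)

        db = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), db)  # baseline kept outside the tree

        # Constructed changes of the kinds a host IDS should flag:
        _write(root, "bin/ls", b"#!/bin/sh\necho modified\nexec /usr/bin/ls \"$@\"\n", mode=0o755)
        os.chmod(os.path.join(root, "etc", "passwd"), 0o600)  # permissions only
        os.remove(os.path.join(root, "etc", "shadow"))
        _write(root, "tmp/extra.txt", b"new file\n")

        return compare(load_baseline(db), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run it directly to see the report for the constructed tree. The point the thread makes still applies: a check like this knows nothing about network traffic, and its baseline is only trustworthy if it was taken on a clean system and stored where an intruder cannot rewrite it.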


