Re: Best Host IDS Tools

From: Jerry (gll@inel.gov)
Date: 12/24/02

    Date: Tue, 24 Dec 2002 10:16:57 -0700
    From: Jerry <gll@inel.gov>
    To: frank <chocobofrank@hotmail.com>
    
    

    frank wrote:

    > I have just set up my Web server on the Solaris platform and am planning to
    > deploy a freeware IDS. Now I am evaluating the below IDS tools :-
    > AIDE
    > Snort
    > Tripwire
    > Chkrootkit
    >
    >

    You have 4 different intent tools listed.

    AIDE is indeed a host IDS... I have tested it, but not had the chance to
    really deploy it. AIDE looks at all aspects of the system: file space
    (user induced DOS), password files, etc.

    Snort is a NETWORK IDS, not really a host IDS. Snort only alerts/captures
    based on network traffic.

    Tripwire is used to make sure critical files have not changed via checksum
    processes. This tool knows nothing of network intrusions, etc.

    Chkrootkit is a tool used to scan a system for KNOWN traces of root kits.

    In truth, you need to deploy ALL of them for a nearly true secure
    environment.




    --
    ------------------------------------------------------------------
    Jerry Litteer
    Cyber Security Office e-mail: gll@inel.gov
    Idaho National Engineering and Environmental Lab. (INEEL)
    POB 1625 M.S. 3640 Phone: (208) 526-9117
    Idaho Falls, Id. 83415-3640 FAX: (208) 526-9366
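
The checksum-based file integrity check described in the reply above, as an added example that is not part of the original message and is not Tripwire's or AIDE's own code. The file names and contents are constructed sample data, and the functions `snapshot`, `compare` and `demo` are hypothetical names chosen for this sketch.

```python
import hashlib, os, stat, tempfile

def snapshot(root):
    """Record (sha256, permission bits) for every regular file under root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope here
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            db[os.path.relpath(path, root)] = (digest.hexdigest(), stat.S_IMODE(st.st_mode))
    return db

def compare(baseline, current):
    """Classify differences between a trusted baseline and a fresh snapshot."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "content": [], "mode": []}
    for path in sorted(set(baseline) & set(current)):
        if baseline[path][0] != current[path][0]:
            report["content"].append(path)
        if baseline[path][1] != current[path][1]:
            report["mode"].append(path)
    return report

def demo():
    """Constructed file tree: take a baseline, change four things, compare."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in [("passwd", "root:x:0:0::/:/sbin/sh\n"),
                           ("httpd.conf", "Listen 80\n"),
                           ("index.html", "<h1>ok</h1>\n")]:
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, 0o644)
        baseline = snapshot(root)   # in practice, stored offline or read-only
        with open(os.path.join(root, "passwd"), "a") as fh:
            fh.write("extra:x:1001:10::/home/extra:/bin/sh\n")  # content change
        os.chmod(os.path.join(root, "httpd.conf"), 0o666)      # permission change only
        os.remove(os.path.join(root, "index.html"))            # file removed
        with open(os.path.join(root, "new.cgi"), "w") as fh:   # file added
            fh.write("#!/bin/sh\n")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

The comparison is only as trustworthy as the baseline, so the baseline database belongs somewhere the monitored host cannot rewrite it.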