Re: Best Host IDS Tools

From: Jerry (gll@inel.gov)
Date: 12/24/02

    Date: Tue, 24 Dec 2002 10:16:57 -0700
    From: Jerry <gll@inel.gov>
    To: frank <chocobofrank@hotmail.com>
    
    

    frank wrote:

    > I have just setup my Web server on solaris platform and is planning to
    > deploy a freeware IDS. Now I am evaluating the below IDS tools :-
    > AIDE
    > Snort
    > Tripwire
    > Chkrootkit
    >
    >

    You have listed 4 tools with different intents.

    AIDE is indeed a host IDS. I have tested it, but have not had the chance to
    really deploy it. AIDE looks at all aspects of the system: file space
    (user-induced DoS), password files, etc.

    Snort is a NETWORK IDS, not really a host IDS. Snort only alerts/captures
    based on network traffic.

    Tripwire is used to make sure critical files have not changed, via checksum
    processes. This tool knows nothing of network intrusions, etc.

    Chkrootkit is a tool used to scan a system for KNOWN traces of rootkits.

    In truth, you need to deploy ALL of them for a nearly truly secure
    environment.




    --
    ------------------------------------------------------------------
    Jerry Litteer
    Cyber Security Office e-mail: gll@inel.gov
    Idaho National Engineering and Environmental Lab. (INEEL)
    POB 1625 M.S. 3640 Phone: (208) 526-9117
    Idaho Falls, Id. 83415-3640 FAX: (208) 526-9366
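The checksum-based file integrity checking that Jerry attributes to Tripwire (and that AIDE also performs) is simple enough to show end to end. The following is an added example written for this page; it is not code from the original post, from Tripwire or from AIDE. It records a baseline of SHA-256 hash, size and permission bits for every regular file under a root, then re-scans and reports added, removed and changed files. The directory tree, file names (`etc/passwd`, `bin/ls`, `bin/ps`, `bin/.hidden`) and file contents in `demo()` are constructed for the demonstration.

```python
"""Minimal file-integrity checker in the spirit of Tripwire/AIDE.

Added example, not code from the original post or from either project.
It baselines sha256, size and permission bits of every regular file
under a root, then reports files that were added, removed or changed.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from typing import Dict, List

Record = Dict[str, object]


def hash_file(path: str) -> str:
    """SHA-256 of the file contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, Record]:
    """Walk root and record sha256, size and mode for each regular file.

    Keys are paths relative to root so a baseline taken on the live system
    can be compared against the same tree mounted elsewhere. mtime is left
    out on purpose: an attacker can reset it trivially, the hash they cannot.
    """
    baseline: Dict[str, Record] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, device nodes
            rel = os.path.relpath(full, root)
            baseline[rel] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return baseline


def compare(old: Dict[str, Record], new: Dict[str, Record]) -> Dict[str, List[str]]:
    """Report added, removed and changed paths between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(baseline: Dict[str, Record], path: str) -> None:
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, Record]:
    with open(path) as fh:
        return json.load(fh)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a tree, tamper with it, re-check."""
    root = tempfile.mkdtemp(prefix="fim-root-")
    store = tempfile.mkdtemp(prefix="fim-store-")  # stands in for read-only media
    try:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "etc", "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/:/sbin/sh\n")  # constructed content
        os.chmod(os.path.join(root, "etc", "passwd"), 0o644)
        for tool in ("ls", "ps"):
            with open(os.path.join(root, "bin", tool), "wb") as fh:
                fh.write(b"\x7fELF original " + tool.encode() + b"\n")
            os.chmod(os.path.join(root, "bin", tool), 0o755)

        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_path)

        # Tampering: trojaned binary, loosened permissions, dropped file, deleted tool
        with open(os.path.join(root, "bin", "ls"), "ab") as fh:
            fh.write(b"hide /tmp/.rk\n")
        os.chmod(os.path.join(root, "etc", "passwd"), 0o666)  # content unchanged
        with open(os.path.join(root, "bin", ".hidden"), "wb") as fh:
            fh.write(b"\x7fELF backdoor\n")
        os.remove(os.path.join(root, "bin", "ps"))

        return compare(load_baseline(baseline_path), build_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(store, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two practical points the code reflects: the baseline is written somewhere other than the tree being checked (in real deployments, read-only media or a remote host), since a baseline an intruder can rewrite proves nothing; and the permission-only change to `etc/passwd` is flagged even though its hash is unchanged, which is why mode bits are recorded alongside the checksum. This check also only sees what the kernel reports, which is the gap a rootkit exploits and the reason Jerry pairs it with chkrootkit.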



