Re: Linux/*nix open source IDS

Matt.Carpenter_at_alticor.com
Date: 08/12/03

  • Next message: Mike Coliton: "Re: Gartner is Dead, nCircle, Fusion, asset-correlation--was-->False positives, negatives and don't cares"
    To: clmail2000@yahoo.com
    Date: Tue, 12 Aug 2003 12:27:33 -0400
    
    

    Snort is my personal favorite. It is capable of both HIDS and NIDS, with
    signature updates reasonably easily pulled and applied. But it is very
    different in nature from Tripwire. AFAIK Tripwire is more a "System File
    IDS" which creates a hash of files and compares to check for differences.
    Snort watches for bad traffic, and then either alerts or takes other
    actions, which allows it to act as an IDP solution of sorts. Definitely
    not as beautiful as a GUI from some vendor like NetScreen, but there are
    those available as well.

    Hello,

    I am interested in implementing an open source IDS for a Linux/*nix
    system and have been looking into various different ones and the
    sort of critiques they have received. Some of the products I am
    considering are Tripwire, AIDE, Samhain, Integrit, and Osiris.
    Because I had not been able to find very much commentary about
    such packages (except for Tripwire), I would like to ask what
    sort of experiences anyone has had with them and how they compare
    with one another. Alternatively, if you can point me to where I can
    find such information, that would also be much appreciated.

    Since the choice of an IDS depends on the system it is used to
    monitor, I should say I am presently just looking for something
    to protect my stand-alone Linux box, but I would like to learn
    what works for larger systems running any sort of *nix.

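The hash-and-compare approach the reply above attributes to Tripwire (and that AIDE, Samhain, Integrit and Osiris share), shown as an added example that is not code from this thread or from any of those tools: a minimal file-integrity checker that records a SHA-256 digest, mode and size per file, then reports what was added, removed or changed on a rescan. The directory tree and the modifications in demo() are constructed for the demonstration.

```python
# Added illustration of a Tripwire-style file-integrity check (not from the
# post): baseline every regular file under a root, rescan later, diff the two.
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map each regular file (relative POSIX path) to its digest, mode and size."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "mode": st.st_mode & 0o7777,
                "size": st.st_size,
            }
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    # Any attribute difference (content, permissions, size) flags the file.
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }

def demo() -> dict:
    """Build a baseline over a constructed tree, alter the tree, and rescan."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original binary")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        db = json.dumps(build_baseline(root))  # in practice: store read-only, off-box
        (root / "bin" / "ls").write_bytes(b"modified binary")    # content changed
        (root / "etc" / "shadow").write_text("root:*:0:0:::::\n")  # file added
        (root / "etc" / "passwd").unlink()                         # file removed
        return compare(json.loads(db), build_baseline(root))
```

As with Tripwire, the check is only as good as the baseline's storage: if the monitored host can rewrite the database, an intruder can re-baseline after tampering, so keep it on read-only or off-box media.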