RE: Snortcenter, Prelude-IDS

From: Matthew MacAulay (matthew.macaulay_at_cobweb.co.uk)
Date: 08/17/05

  • Next message: Sanjay Rawat: "Re: [BULK] IDS - DECISION SUPPORT SYSTEM"
    Date: Wed, 17 Aug 2005 10:29:36 +0100
    To: Sven Müller <smueller@magellan-net.de>, <focus-ids@securityfocus.com>
    Hi Sven,

    I too have started to steer away from Snortcenter for the same reasons as you. And like you I found Prelude.

    I am in the process of installing and configuring it this week. So far so good. There are several things I like, but one of the best is the log lackey.

    You point it at the log files you want to monitor, like "messages" or "everything", and any suspect events (like a failed login) get reported. I hope to expand on this to log successful logins too for some devices.

    FreeBSD is great and everything but consider Gentoo.

    Check out http://gentoo-wiki.com/HOWTO_IDS, which details all of the steps required to get Prelude-manager, prelude-lml and the GUI Prewikka working.

    Unfortunately the bit about getting Snort to report to Prelude is pending some input. I am following the instructions on the Prelude site for configuring Snort to log to Prelude.

    I am clearly new to Prelude, so I may find the features I think are missing in the next few days. In Snortcenter you could see a snapshot of the health of your remote IDS nodes. In Prelude, IDS nodes are called Agents, and beyond the status (online / offline) of the Prelude apps (Prelude-manager, prelude-lml) there is not much else. It would be good to see a few basics like CPU, memory, disk space, Snort rule version....

    From what I have read so far, I think it is intended to have Nagios bolted on to SNMP-monitor Agents and collect events from other remote nodes, so I guess it is intended for Nagios to monitor IDS node health.

    Regards,

    Mat.

    -----Original Message-----
    From: Sven Müller [mailto:smueller@magellan-net.de]
    Sent: 15 August 2005 09:44
    To: focus-ids@securityfocus.com
    Subject: Snortcenter, Prelude-IDS

    Hello!

    I'm planning to set up a new IDS environment. Up to now I have always used
    Snortcenter (http://users.pandora.be/larc/index.html), which worked quite
    well for me. But I think the development of this tool has stopped, because the last
    news entry on the web page is more than 2 years old. Does anyone have
    some information about that?

    However, I just visited the Prelude homepage
    (http://www.prelude-ids.org/) and this framework sounds very interesting
    to me. Does anyone have any experience with Prelude?
    I like Snort very much and Prelude can be connected with Snort, so I
    would have a centralized place for collecting and normalizing events.

    Do you have any experiences with Prelude?

    Mostly I prefer to use FreeBSD; do you have any information about this
    combination?

    Thanks for your hints!

    Regards, Sven

    -- 
    ---------------------------------------------------------
    MAGELLAN Netzwerke GmbH
    Dipl.-Ing. (FH)
    Sven Müller
    Network Security Engineer
    Max-Reichpietsch-Straße 2
    51147 Köln
    Tel. :  +49-2203-92263-0
    Fax:    +49-2203-92263-99
    E-Mail: smueller@magellan-net.de
    Web:    http://www.magellan-net.de
    ---------------------------------------------------------
    ------------------------------------------------------------------------
    Test Your IDS
    Is your IDS deployed correctly?
    Find out quickly and easily by testing it 
    with real-world attacks from CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
    to learn more.
    ------------------------------------------------------------------------
    ----------------------------------------------------------------
    The information in this email is confidential and may be legally
    privileged. It is intended solely for the addressee. Access to
    this email by anyone else is unauthorised. If you are not the
    intended recipient, any disclosure, copying, distribution or any
    action taken or omitted to be taken in reliance on it, is
    prohibited and may be unlawful. If you have received this
    communication in error please return it to the sender, then
    delete and destroy any copies of it.
    ----------------------------------------------------------------
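The log monitoring Matthew describes (prelude-lml watching a file such as "messages" for suspect events like a failed login, plus his wish to record successful logins as well), shown as an added illustration that is not part of either message and does not use prelude-lml's own rule syntax (prelude-lml has its own PCRE-based rule files; this is a stand-alone Python sketch of the same idea). It scans constructed sshd lines, classifies both failed and accepted logins, and flags a source address that logs in successfully after repeated failures. Hostnames, addresses, rule names and the threshold are made up for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample syslog lines (not real data). One source, 192.0.2.10,
# fails three times and then succeeds as root; 192.0.2.20 is a normal key login.
SAMPLE_LOG = """\
Aug 17 09:12:01 ids-node1 sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 4242 ssh2
Aug 17 09:12:04 ids-node1 sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 4243 ssh2
Aug 17 09:12:07 ids-node1 sshd[2201]: Failed password for root from 192.0.2.10 port 4244 ssh2
Aug 17 09:15:30 ids-node1 sshd[2250]: Accepted publickey for mat from 192.0.2.20 port 50122 ssh2
Aug 17 09:16:02 ids-node1 sshd[2260]: Accepted password for root from 192.0.2.10 port 4250 ssh2
Aug 17 09:20:00 ids-node1 cron[2300]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Classic syslog line: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[\w/-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$'
)

# Hypothetical rule names; each regex is applied to the message part only.
RULES = [
    ("ssh_login_failed", re.compile(
        r'^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) '
        r'from (?P<src>\S+) port (?P<port>\d+)')),
    ("ssh_login_ok", re.compile(
        r'^Accepted (?P<method>\S+) for (?P<user>\S+) '
        r'from (?P<src>\S+) port (?P<port>\d+)')),
]


@dataclass
class Event:
    rule: str
    ts: str
    host: str
    user: str
    src: str
    method: str


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for an sshd login line that matches a rule, else None."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("prog") != "sshd":
        return None
    for name, rx in RULES:
        r = rx.match(m.group("msg"))
        if r:
            return Event(name, m.group("ts"), m.group("host"),
                         r.group("user"), r.group("src"), r.group("method"))
    return None


def scan(text: str) -> List[Event]:
    """Run every line of a log file through the rules, keeping only matches."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def correlate(events: List[Event], threshold: int = 3) -> List[Tuple]:
    """Raise a brute-force alert for any source with >= threshold failures,
    and a second, higher-priority alert if that same source then succeeds."""
    fails = Counter(e.src for e in events if e.rule == "ssh_login_failed")
    alerts: List[Tuple] = []
    for src, n in fails.items():
        if n >= threshold:
            alerts.append(("ssh_bruteforce", src, n))
    for e in events:
        if e.rule == "ssh_login_ok" and fails[e.src] >= threshold:
            alerts.append(("ssh_bruteforce_success", e.src, e.user))
    return alerts


if __name__ == "__main__":
    evs = scan(SAMPLE_LOG)
    for e in evs:
        print(f"{e.ts} {e.host} {e.rule}: user={e.user} src={e.src} method={e.method}")
    for a in correlate(evs):
        print("ALERT", a)
```

Recording the "Accepted" lines as events, not just the failures, is what makes the second alert possible: a successful login from an address that has just been failing is the case a plain failed-login rule never sees.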

