Re: Dedicated intrusion detection system



In article <Xns978CF1127CCA6jbuserspc9org@xxxxxxxxxxxxxx>, Jem Berkes says...

>> We have a spare computer with a dead hard drive that I'd like to use
>> as a dedicated intrusion detection system.
>> I want it to boot a hardened distro from a CD, and then probe all our
>> production servers' ports and scan the hard drives with programs like
>> Aide and Samhain. It will compare against a read-only database on the
>> second CD drive. I'm sure a setup like this must have been created
>> hundreds of times already, so I'm hoping someone can point me to some
>> resources.
>
> Have you considered using Snort?
> http://www.snort.org/
>
> Depending on which modes you run it in, Snort can sniff (and log) packets
> and analyze traffic to detect many types of active attacks. If you are
> setting up a dedicated intrusion detection system I would suggest using a
> different operating system than your main server, so there is some
> diversity, e.g. if one is Linux, maybe run FreeBSD on the other.

I'd love to run Snort along with Oinkmaster, but the available box has only
128MB of memory.
Do you know of a live CD that incorporates any of these tools?

Thanks, Rick DeBay


--
NewsGuy.Com 30Gb $9.95 Carry Forward and On Demand Bandwidth
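The thread's core idea, scanning a production disk from a separately booted box and comparing it against a baseline kept on read-only media, is what AIDE and Samhain do with far richer attribute sets and signed databases. The following is an added example written for this page, not code from the thread, from AIDE or from Samhain. It implements the baseline/compare step in plain shell so the mechanics are visible: a record per regular file (path, SHA-256, mode, owner, size), a compare that reports what was added, removed or changed, and a non-zero exit when the tree no longer matches. It assumes GNU coreutils (sha256sum, stat -c); the directory layout and file contents in demo() are constructed samples, and the "burn to CD" step is described in comments rather than performed.

```shell
#!/bin/sh
# Added example (not from the thread, AIDE or Samhain): minimal file-integrity
# baseline and compare. Assumptions: GNU coreutils (sha256sum, stat -c); paths
# contain no tab or newline; all directories and files used in demo() are
# constructed samples.
export LC_ALL=C          # stable byte-order sort so join sees identically sorted input
TAB=$(printf '\t')

# make_baseline DIR
# Emit one tab-separated record per regular file under DIR, sorted by path:
#   path  sha256  mode  uid:gid  size
# In the thread's setup this output is what gets written to the read-only CD.
make_baseline() {
    ( cd "$1" || exit 1
      find . -type f -print | sort | while IFS= read -r f; do
          sum=$(sha256sum "$f" | cut -d' ' -f1)
          meta=$(stat -c "%a${TAB}%u:%g${TAB}%s" "$f")
          printf '%s\t%s\t%s\n' "$f" "$sum" "$meta"
      done )
}

# compare_baseline BASELINE DIR
# Rescan DIR and print REMOVED / ADDED / CHANGED lines (tab-separated, sorted).
# Returns 0 only when DIR matches BASELINE exactly.
compare_baseline() {
    base=$1; dir=$2
    cur=$(mktemp) || return 2
    make_baseline "$dir" > "$cur"
    findings=$( {
        # Paths only in the baseline, then paths only in the fresh scan.
        join -t "$TAB" -j 1 -v 1 "$base" "$cur" | awk -F'\t' '{print "REMOVED\t" $1}'
        join -t "$TAB" -j 1 -v 2 "$base" "$cur" | awk -F'\t' '{print "ADDED\t" $1}'
        # Paths in both: fields 2-5 are the baseline attributes, 6-9 the current ones.
        # Any difference in hash, mode, owner or size counts as a change.
        join -t "$TAB" -j 1 "$base" "$cur" \
          | awk -F'\t' '$2!=$6 || $3!=$7 || $4!=$8 || $5!=$9 {print "CHANGED\t" $1}'
    } | sort )
    rm -f "$cur"
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# demo
# Build a constructed tree, baseline it, simulate a break-in, print the findings.
demo() {
    root=$(mktemp -d); base=$(mktemp)
    mkdir -p "$root/etc" "$root/bin"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$root/etc/passwd"   # constructed sample
    printf '#!/bin/sh\necho hi\n' > "$root/bin/ls"                    # constructed sample
    make_baseline "$root" > "$base"      # here: store this on the read-only medium
    # Tamper with the "production disk": modify, delete, and add a file.
    printf 'eve:x:0:0::/:/bin/sh\n' >> "$root/etc/passwd"   # CHANGED: extra uid-0 account
    rm "$root/bin/ls"                                        # REMOVED
    printf 'x\n' > "$root/etc/ld.so.preload"                 # ADDED
    compare_baseline "$base" "$root" || true
    rm -rf "$root" "$base"
}

demo
```

In use, the production disk would be mounted read-only on the IDS box (`mount -o ro`) before `compare_baseline` runs, so the scan itself cannot alter evidence, and directories that change legitimately (logs, spool, tmp) would be excluded in `find`, otherwise every run reports noise. The point of booting the scanner from CD and keeping the baseline on a second read-only disc is the same as in the question: an attacker who has root on the production server can alter any checker or database stored there, but not one that only exists on media the server never mounts writable.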
