December 20th, 2002 07:43 PM
Sorry about the previously misplaced post, so here goes again. Currently researching various Linux-based IDS systems. Looking for input as to what is being used and recommendations in what to watch out for. Again - Thanks.
December 20th, 2002 08:26 PM
I use snort, a network based IDS, can be found at www.snort.org
Most Linux installs now install Tripwire by default. Tripwire monitors the filesystem to determine if any files or directories have changed. You will probably want to make sure it is set up to run every day, and that it is set up to email you a report, in addition to the mail sent to the root@localhost default.
Tripwire requires a fairly large effort right at first to set up its scan policies, what directories to exclude, actions to take, severity of different files changing, etc. Also, it will need to have its database updated every time you install/upgrade/remove packages.
Snort also requires quite a bit of effort right at first to filter out rules which create false alarms on normal traffic.
There are some good documents on the snort website, including one which walks you through the whole process of setting snort up to log to mysql and uses the ACID web based console.
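The baseline-and-compare cycle described in the post above, as an added example that is not part of the original thread and is not Tripwire's own code or policy syntax. The exclusion list, severity numbers and file names are hypothetical and the file tree is constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

def snapshot(root, exclude=()):
    """Build the baseline database: {relative path: SHA-256} for files not excluded."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(rel.startswith(prefix) for prefix in exclude):
                continue
            with open(full, "rb") as fh:
                db[rel] = hashlib.sha256(fh.read()).hexdigest()
    return db

def compare(baseline, current, severity):
    """Return (severity, change, path) tuples, most severe first."""
    report = []
    for path in set(baseline) | set(current):
        if baseline.get(path) == current.get(path):
            continue
        change = ("added" if path not in baseline
                  else "removed" if path not in current else "modified")
        level = max((s for p, s in severity.items() if path.startswith(p)), default=0)
        report.append((level, change, path))
    return sorted(report, reverse=True)

def write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed tree: baseline, then a log write, a binary change, a new package file."""
    exclude = ("var/log/",)               # hypothetical policy: noisy paths are skipped
    severity = {"bin/": 100, "etc/": 66}  # hypothetical severity level per path prefix
    with tempfile.TemporaryDirectory() as root:
        for rel, data in (("bin/login", b"v1"), ("etc/passwd", b"root"),
                          ("var/log/messages", b"")):
            write(root, rel, data)
        baseline = snapshot(root, exclude)
        write(root, "var/log/messages", b"boot")  # excluded, never reported
        write(root, "bin/login", b"v2")           # changed binary
        write(root, "etc/newpkg.conf", b"x")      # file added by a package install
        report = compare(baseline, snapshot(root, exclude), severity)
        baseline = snapshot(root, exclude)        # database update after the install
        return report, compare(baseline, snapshot(root, exclude), severity)

if __name__ == "__main__":
    print(demo())
```

Until the database is rebuilt, the file added by the package install keeps showing up in every report next to the changed binary, which is why the update step has to follow each install, upgrade or removal.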
December 23rd, 2002 12:58 AM
Is Snort signature based or statistical behavior based? If signature based how often are updates posted?
December 23rd, 2002 02:11 AM
I don't know a lot about Snort, but I'm tinkering with it.
You may want to have a look at the docs or FAQ for Snort.
There is a boat load of info right there. There is tons more too.
December 23rd, 2002 04:53 AM
Snort is signature based. Updates come whenever the community notices new signatures. Since the installed userbase is fairly large, updates are fairly frequent, i.e. once a month or so.
This is the bad part of any IDS, or antivirus app for that matter.
A known signature is almost required for either system.
It is possible to write rules/signatures so that new unknown attacks are noticed as they happen, but, these are not completely reliable.
I challenge anyone to give an example of an IDS or an antivirus system which is not rule based. Bottom line is, even the heuristic antivirus apps rely on a set of rules. IDS does the same thing, no matter which app you go with, paid vendor, open source, it doesn't matter. All of them must have access to the info coming from different attacks.
If anyone says that they have a system which is not signature based, don't believe it. They may not be using "rules" but they are using some set of criteria to determine an attack, i.e. same thing as rules.
December 23rd, 2002 02:58 PM
IchNiSan - you hit the nail on the head w/ the Full of s*** statement. I have been looking at this for a year now, and not one of the proprietary systems makes a solid case as to why they are the best. This goes for log management and correlation tools. They all want a ton of money for mediocre products.
I have been looking at snort, just haven't had any real bandwidth to play with it seriously. I want to see what others were doing.
Thanks for the responses.
December 23rd, 2002 03:14 PM
If you got some moolah to spend, there are a couple of interesting products out there:
Niksun NetDetector. Originally a sniffer, now has IDS functionality. It has the capability to completely record every packet entering/leaving your network and the capability to play it back. This is particularly interesting in that since it is recording everything (and it can play it back), you can see the complete attack and everything done afterwards whereas with a signature based IDS, you only see that maybe an attack happened, and it can handle quite a bit of data throughput. IMHO cool, but it is waaaay expensive (> 30,000 US $)
ISS Site Protector with Fusion Module/ISS Scanner/RealSecure 7. From what I understand, it has the capability through its fusion module and scanner to, after seeing an attack, check the server automatically to see if the attack was successful. This to me is particularly cool because from what I have seen, no matter what IDS you are using, the biggest problem is the very, very, very large number of false positives (assuming you have a network of more than a few PCs), and this seems to be a smart way to check to eliminate false positives. The full deal is also ghastly expensive (which is why I haven't played too much with it other than demos).
Cisco NetRanger. I think it might be called something else now, and I haven't really gotten to play with it much, but I have heard some pretty good things about it.
December 23rd, 2002 03:59 PM
The Cisco product is now under the Cisco Secure product umbrella. I have checked it out and the sensors aren't too expensive, but the central management application stinks. It is called CSPM, but it too has now been folded into a new bundle. I am testing it now, but again a bandwidth issue to be able to get to it. Sometimes having a life outside of the cyber realm can get in the way, but I wouldn't give it up for anything.
The entire solution is still in the 30K range. Building a business case has been difficult, but I'm getting there. Thanks for the response Nebulus200. I will check out the Niksun product too.
Anyone touch the Enterasys Dragon System?
December 23rd, 2002 04:19 PM
Has anyone looked at the Otaka Stormwatch system? Looks interesting and I now have an evaluation copy to play around with. Supposedly they aren't signature based, but I'll have to delve the whitepaper some to figure out exactly what it is they are doing.
December 23rd, 2002 06:50 PM
Do you mean Okena Stormwatcher? I didn't read much about it, but it appears to create its own signature of "normal" network activity, and then base its alerts on any activity which falls outside that scope. Sounds really interesting, but MY network always has odd things going on. If it starts alerting or blocking activity all the time, it would get a bit annoying, even counter productive.