IDS research

[mantarey]

Sorry about the previously misplaced post, so here goes again. Currently researching various linux based IDS systems. Looking for input as to what is being used and recommendations in what to what out for. Again - Thanks.

[IchNiSan]

I use snort, a network based IDS, can be found at www.snort.org

also,

Most linux installs now install Tripwire by default. Tripwire monitors the filesystem to determine if any files or directories have changed. You will probably want to make sure it is set up, to run everyday. And that it is set up to email you a report, in addition to the mail sent to the root@localhost default.

Tripwire requires a fairly large effort right at first to set up its scan policies, what directories to exclude, actions to take, severity of different files changing, etc. Also, it will need to have its database updated everytime you install/upgrade/remove packages.

Snort also requires quite a bit of effort right at first to filter out rules which create false alarms on normal traffic.

There are some good documents on the snort website. Including one which walks you through the whole process of setting snort up to log to mysql and uses the ACID web based console.

[mantarey]

Is Snort signature based or statistical behavior based? If signature based how often are updates posted?

[phishphreek]

I don't know a lot about Snort, but I'm tinkering with it.

You may want to have a look at the docs or FAQ for Snort .

There is a boat load of info right there. There is tons more too.

[IchNiSan]

Snort is signature based. Updates come whenever the community notices new signatures. Since the installed userbase is fairly large, updates are fairly frequent, i.e. once a month or so.

This is the bad part of any IDS, or antivirus app for that matter.

A known signature is almost required for either system.

It is possible to write rules/signatures so that new unknown attacks are noticed as they happen, but, these are not completely reliable.

I challenge anyone to give an example of an IDS or and antivirus system which is not rule based. Bottom line is, even the heuristic antivirus apps rely on a set of rules. IDS does the same thing, no matter which app you go with, paid vendor, open source, it doesnt matter. All of them must have access to the info coming from different attakcs.

If anyone says that they have a system which is not signature based, don't believe it. They may not be using "rules" but they are using some set of criteria to determine an attack, i.e. same thing as rules.

[mantarey]

IchNiSan - you hit the nail on the head w/ the Full of s*** statement. I have been looking at this for a year now, and not one of the propritary systems makes a solid case as to why they are the best. This goes for log management and correlation tools. They all want a ton of money for mediocre products.

I have been looking at snort, just haven't had any real bandwidth to play with it seriously. I want to see what others were doing.

Thanks for the reponses.

[nebulus200]

If you got some moolah to spend, there are a couple of interesting products out there:

Niksun NetDetector. Originally a sniffer, now has IDS functionality. It has the capability to completely record every packet entering/leaving your network and the capability to play it back. This is particularly interesting in that since it is recording everything (and it can play it back), you can see the complete attack and everything done afterwards whereas with a singnature based IDS, you only see that maybe an attack happened, and it can handle quite a bit of data throughput. IMHO cool, but it is waaaay expensive (> 30,000 US $)

ISS Site Protector with Fusion Module/ISS Scanner/RealSecure 7. From what I understand, it has the capability through its fusion module and scanner to, after seeing an attack, check the server automatically to see if the attack was successful. This to me is particularly cool because from what I have seen, no matter what IDS you are using, the biggest problem is the very, very, very large number of false positives (assuming you have a network of more than a few PC's), and this seems to be a smart way to check to eliminate false positives. The full deal is also ghastly expensive (which is why I haven't played too much with it other than demos).

Cisco NetRanger. I think it might be called something else now, and I havne't really gotten to play with it much, but I have heard some pretty good things about it.


/nebulus

[mantarey]

The Cisco product is now under the Cisco Secure product umbrella. I have checked it out and the sensors aren't too expensive, but the central management application stinks. It is called CSPM, but it too has now been folded into a new bundle. I am testing it now, but again a bandwidth issue to be able to get to it. Sometimes having a life outside of the cyber realm can get in the way, but I wouldn't give it up for anything.

The entire solution is still in the 30K range. Building a business case has been difficult, but I'm getting there. Thanks for the response Nebulus200. I will check out the Niksun product too.

Anyone touch the Entrasys Dragon System?

[El Diablo]

has anyone looked at the Otaka Stormwatch system? Looks interesting and I now have an evaluation copy to play around with. Supposedly they aren't signature based, but I'll have to delve the whitepaper some to figure out exactly what it is they are doing.



El Diablo

[IchNiSan]

El Diablo,

Do you mean Okena Stormwatcher? I didn't read much about it, but it appears to create its own signature of "normal" network activity, and then base its alerts on any activity which falls outside that scope. Sounds really interesting, but MY network always has odd things going on. If it starts alerting or blocking activity all the time, it would get a bit annoying, even counter productive.