-
IDS Question
Hey guys! I've been reading the forum for a few weeks now and think this may be the best place to get some feedback. I am in the market for a host based IDS and was wondering if anyone has had any experiences (good or bad) with such systems. The more info the better, but if you just want to post the names of some good IDS products I will do the research. Thanks a bunch for the help!
Slim
-
Well, JP uses Real Secure (http://www.iss.net/products_services...ork/sensor.php), and from what I read, it is really good software for the enterprise. I do not know the prices; the site was not clear on that.
One I have tried is Snort (www.snort.org); it works pretty well and is open source.
Hope this helps.
-
What OS are you running? I use Snort for an intrusion detection system *yes, I got it set up eventually :D*
Well, you can get it for Linux and Windows here: http://www.snort.org. I haven't found out all its uses, but it has been doing well logging alerts and such. Check it out.
EDIT: albn, we posted at the same time; you must type faster :)
-
The RealSecure JP uses is, I think, geared more towards NIDS (network intrusion detection vs host based), or at least that is what the brief signature snippet I can see looks like. ISS is obscenely expensive, although it does have host based IDS capabilities (I personally would stick to a NIDS), but, to answer your question: it depends.
It depends on what you are trying to look for. Are you looking for a log checker, a system checker, or a network watcher?
Good starting points: Tripwire (I think you can still get a version for free).
Psionic PortSentry (very good IMHO; it listens to network ports and can block based on what it sees). They also make logwatch, swatch and something else; the name eludes me at the moment. I am wanting to say that they are all free.
/Neb
-
Thanks for the feedback guys! I looked into Snort and Real Secure for Network based IDS solutions, but eventually went with another vendor. Now I am in the market for something Host based to sit on the actual servers in my DMZ and monitor logfiles and system events etc... I am looking for some feedback on products such as Tripwire (www.tripwire.com) and Osiris (http://osiris.shmoo.com/). Anyone have any experience with any of these?
Thanks again,
Slim
Thanks Neb, I will check into Psionic PortSentry; you posted as I was writing my response lol....
-
Never played with Osiris, but Tripwire is pretty good.
The Psionic product line is my current favourite and I highly recommend it :)
Out of curiosity, what NIDS vendor did you go with?
Neb
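The core of what Tripwire and Osiris do on a host (and what the original poster wants for the DMZ servers) is a file-integrity baseline: record a hash and the key metadata of every file, store that record somewhere the host cannot rewrite, and periodically compare. The script below is an added illustration, not code from any poster or from the Tripwire or Osiris projects. It builds a baseline over a constructed mini filesystem, applies the kinds of changes such a checker exists to catch (content change, a binary turned setuid, a deleted file, a dropped-in file), and returns the report. The sample file contents are placeholders.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Attributes a file-integrity checker records per file: a content hash plus
    the metadata whose silent change is itself suspicious (size, mode, owner)."""
    st = path.lstat()
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),  # permission bits incl. setuid/setgid
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def build_baseline(root: Path) -> dict:
    """Walk the tree and fingerprint every regular file, keyed by relative path."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # a symlink's target may lie outside the monitored tree
            baseline[p.relative_to(root).as_posix()] = fingerprint(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files that appeared, disappeared, or changed since the baseline,
    naming which recorded attribute differs for each modified file."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        changed = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Baseline a constructed directory tree, change it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        # Constructed sample files; contents are placeholders, not real system files.
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "login").write_bytes(b"\x7fELF placeholder binary")

        # A real deployment keeps the baseline off-box or on read-only media, since
        # whoever can alter the files can alter a baseline stored beside them. Here
        # it is only round-tripped through JSON to show it is a plain record.
        stored = json.dumps(build_baseline(root))

        # Changes the checker should flag: content appended, a binary made setuid,
        # a file removed, and a new file dropped into the tree.
        with open(root / "etc" / "passwd", "a") as fh:
            fh.write("svc:x:0:0:service:/:/bin/sh\n")
        os.chmod(root / "bin" / "login", 0o4755)
        (root / "etc" / "hosts").unlink()
        (root / "dropped.sh").write_text("#!/bin/sh\necho placeholder\n")

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it and the report lists `dropped.sh` as added, `etc/hosts` as removed, `etc/passwd` as modified in hash and size, and `bin/login` as modified in mode only, which is exactly the signal a host-based checker turns into an alert. The products discussed in the thread add what this sketch leaves out: a policy file saying which directories and which attributes matter (logs change constantly, binaries should not), a protected or signed baseline database, and scheduled runs with reporting.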
-
Looking for IDS
I use Tripwire, and I like it. It seems very robust and pretty efficient for our purposes. If you are looking to monitor event logs on multiple servers and such, you may want to look into something like ELM Log Manager here. Let us know what you decide and how it goes. I'm curious to know... hope all goes well and that we have helped at least a bit.... ;)