-
July 23rd, 2002, 02:40 PM
#1
Junior Member
Firewall log server/monitor and IDS
Need help finding a reasonably priced product that meets these requirements (trying to avoid the major $$$ for Cisco Works).
I need to log and monitor firewall activity, as well as needing a full-blown IDS system. The software must be compatible with M$ NT or Win2k. We have SQL servers for database storage and manipulation.
I have found plenty of firewall log servers but no IDS systems that will meet the above requirements and use the text-based log files created by those servers.
PIX 520 (two in failover mode)
6509 Switch
TIA
If you lived here you'd be home by now.
-
July 23rd, 2002, 02:51 PM
#2
Why must it be on a Windows platform? If you want a reasonably priced solution, just use Snort. I don't know of any good IDSs that will run on Windows. Even if you use Snort, I am sure you can probably still make use of SQL for your Snort logs (I know it can be done with MySQL). For your switch logs, I would recommend going with a standard syslog.
Also, if you are looking for an IDS sensor, why not just get the IDS blade for your 6509?
-
July 23rd, 2002, 05:25 PM
#3
Junior Member
*embarrassed sigh* No *nix boxes in-house, no $$$ to buy another box and, worst of all, I know nothing about *nix, nor do any of the other people in my co.
Oh, and did I mention we are at risk of losing a major client due to lack of IDS, and that it must be implemented and demonstrable in one month?
thanks
If you lived here you'd be home by now.
-
July 23rd, 2002, 06:21 PM
#4
Member
Given your time and cash-flow situation, I would still have to say that Snort is your best option. I am in no way an expert on IDS, but Snort will get the job done, and for nothing. However, you might have a few late nights this month with some reading to do. Sorry, this is the best answer I can think of. Good luck!
A squirrel with no nuts will soon starve.
-
July 23rd, 2002, 06:33 PM
#5
Snort can and will run well on a Windows box. Also, it can run with SQL, or if you have problems you can install MySQL on Windows, and it's free, so that solves the cost problem. It is a very easy setup and it's not too CPU intensive; of course, this depends on the amount of traffic it has to look through, as well as the preprocessors that you choose to have Snort run. If you have any problems, just PM me and I'll be glad to help.
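The post above says Snort can log straight to SQL. As an added example (not the poster's own configuration, and not taken from the Snort distribution), this is the shape of the snort.conf output line that does it. The user, password and database names are placeholders; the schema itself has to be created first with the create_* scripts shipped in Snort's contrib directory.

```conf
# Added example, not from the thread.  Send every alert, with full packet
# payload, to a MySQL database.  Replace the placeholders before use.
output database: log, mysql, user=snort password=<pw> dbname=snort host=localhost

# Snort's database output plugin also knows the "mssql" type; whether a given
# Win32 build was compiled with it is stated in that build's README.
# This would target SQL Server directly, as the original poster wanted:
output database: log, mssql, user=snort password=<pw> dbname=snort
```

Use `alert` instead of `log` as the first argument if only the alert records, not the packet contents, are wanted; `log` is the heavier option and is what makes the database grow quickly on a busy link.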
-
July 23rd, 2002, 07:17 PM
#6
Junior Member
Much appreciated, angrybob. I'm having a go at it as we speak.
If you lived here you'd be home by now.
-
August 11th, 2002, 11:04 PM
#7
Junior Member
Thank you all who replied.
I have found a combo that is reasonably priced and works within our limited Microsnot world. All in all, we got what we need for $4K, as opposed to the $20K+++ for things like Symantec Enterprise Security, CA's eTrust IDS solution, Cisco Works or HP OpenView.
PS: Will get a Linux box up and running. I'm so lame I don't even know that. Always learning.
Insideout (http://www.stonylakesolutions.com) reads native PIX-format logs, ports them to MSSQL, and gives nice graphical displays and the ability to drill down. Cumbersome, but nice as an app for a limited number of machines (the customer in question only uses five of our servers). It also allows for manual report creation on the full PIX log; we have an expert team of programmers and MSSQL experts for this. They are reportedly creating a full IDS solution for this product.
$900
GFI Network Solutions LanGuard: Besides the security event logs, GFI LANguard S.E.L.M. can also retrieve the application and system event logs, as well as the DNS server, Directory Services and File Replication event logs. It sends alerts via email and text messaging on cell phones. The client is most concerned with attacks and activity from outside, and this proggie grabs ALL Win32 log files; the Collector Agent stores these events in a Microsoft SQL Server.
$2895 for 25 servers
KIWI syslog Daemon and Cat-Tools will log and archive router logs as well as back up device configs. Hopefully we can poke around and get useful info into MSSQL from here.
$195
Snort for Win32: all are very familiar with this one. This we will use internally as a forensic tool. We won't use it for customer reports at this time. They won't go for Snort; the client is too big, and they will expect IDS to be done with industry-standard (expensive) apps. We currently have it logging to file but plan to port it to MSSQL as well.
$free
We feel that with this combination we can produce reports on all server activity directly related to the client's servers. We also have several real-time packet sniffers that can easily be filtered to monitor and log only activity to their devices. Output is in a format such that it can easily be imported into a custom MSSQL database and queried for real-time activity.
With our extensive MSSQL and programming experience in-house, we feel we can get their security audit team off our backs with this, and it will give a good overall picture of potential malicious activity on their network devices.
We'll be able to write our own MSSQL queries and reports on everything going on, and with a little hunting, Snort's signatures on exploit activity can easily be converted into MSSQL query strings to track and report on potential exploit activity in real time using the PIX logs and sniffer logs.
We also plan on evaluating Stonylake's IDS offering when it becomes available.
If you lived here you'd be home by now.
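The post above ends with the plan to turn Snort-style signatures into SQL queries over the PIX logs. As an added example, written for this page and not the poster's code, nor Stonylake's or Snort's, here is the first half of that pipeline end to end: parse PIX syslog lines into a table and run two Snort-rule-style checks over it in SQL. SQLite in memory stands in for MSSQL so it runs offline; the queries are plain ANSI SQL and carry over to T-SQL unchanged. The sample log lines are constructed (modelled on the PIX 6.x layouts of messages 106023 and 302001), and the port watchlist and the sweep threshold are assumptions for the demonstration.

```python
import re
import sqlite3
from datetime import datetime

# Constructed sample lines for this example, modelled on the PIX 6.x syslog
# layouts for message 106023 (denied by an access-group) and 302001 (connection
# built).  They are not a capture from the thread's poster or their client.
SAMPLE_LOG = """\
Jul 23 2002 14:40:01 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/41022 dst inside:10.0.0.10/135 by access-group "outside_in"
Jul 23 2002 14:40:01 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/41023 dst inside:10.0.0.10/139 by access-group "outside_in"
Jul 23 2002 14:40:02 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/41024 dst inside:10.0.0.10/445 by access-group "outside_in"
Jul 23 2002 14:40:02 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/41025 dst inside:10.0.0.10/1433 by access-group "outside_in"
Jul 23 2002 14:40:03 pix1 %PIX-6-302001: Built inbound TCP connection 9001 for faddr 198.51.100.4/3311 gaddr 192.0.2.10/80 laddr 10.0.0.10/80
Jul 23 2002 14:40:05 pix1 %PIX-4-106023: Deny udp src outside:198.51.100.9/5000 dst inside:10.0.0.11/1434 by access-group "outside_in"
Jul 23 2002 14:40:09 pix1 %PIX-6-302001: Built inbound TCP connection 9002 for faddr 198.51.100.4/3312 gaddr 192.0.2.10/1433 laddr 10.0.0.10/1433
"""

# Syslog header.  Assumes the PIX was configured with "logging timestamp"; a box
# that logs without timestamps needs the collector's receive time instead.
HDR = (r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d\d:\d\d:\d\d) (?P<host>\S+) '
       r'%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): ')
DENY_RE = re.compile(HDR + r'Deny (?P<proto>\w+) src [\w-]+:(?P<sip>[\d.]+)/(?P<sport>\d+) '
                     r'dst [\w-]+:(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]*)"')
BUILT_RE = re.compile(HDR + r'Built (?P<dir>inbound|outbound) (?P<proto>\w+) connection \d+ '
                      r'for faddr (?P<sip>[\d.]+)/(?P<sport>\d+) gaddr [\d.]+/\d+ '
                      r'laddr (?P<dip>[\d.]+)/(?P<dport>\d+)')


def parse_pix_line(line):
    """Return one fw_events row for a recognised line, or None for anything else."""
    for rx, action in ((DENY_RE, 'deny'), (BUILT_RE, 'permit')):
        m = rx.match(line)
        if m:
            break
    else:
        return None  # unrecognised message id: count these, do not silently drop them
    ts = datetime.strptime(m['ts'], '%b %d %Y %H:%M:%S').isoformat()
    src_ip, src_port = m['sip'], int(m['sport'])
    dst_ip, dst_port = m['dip'], int(m['dport'])  # dst is the real (laddr) server
    if action == 'permit' and m['dir'] == 'outbound':
        # 302001 always names the foreign end first; for an outbound connection
        # the foreign end is the destination, so flip to keep src/dst meaningful.
        src_ip, src_port, dst_ip, dst_port = dst_ip, dst_port, src_ip, src_port
    return (ts, m['host'], int(m['msgid']), action, m['proto'].lower(),
            src_ip, src_port, dst_ip, dst_port)


def load_events(lines):
    """Parse lines into an in-memory SQLite table shaped like the MSSQL target."""
    db = sqlite3.connect(':memory:')
    db.execute('CREATE TABLE fw_events (ts TEXT, host TEXT, msgid INTEGER, action TEXT, '
               'proto TEXT, src_ip TEXT, src_port INTEGER, dst_ip TEXT, dst_port INTEGER)')
    rows = [r for r in map(parse_pix_line, lines) if r]
    db.executemany('INSERT INTO fw_events VALUES (?,?,?,?,?,?,?,?,?)', rows)
    db.commit()
    return db


def port_sweeps(db, min_ports=3):
    """Snort 'portscan'-style check: one source denied on >= min_ports distinct
    ports of one host.  Threshold is an assumption; tune it to the site."""
    sql = ('SELECT src_ip, dst_ip, COUNT(DISTINCT dst_port), MIN(ts), MAX(ts) '
           'FROM fw_events WHERE action = ? GROUP BY src_ip, dst_ip '
           'HAVING COUNT(DISTINCT dst_port) >= ? ORDER BY COUNT(DISTINCT dst_port) DESC')
    return db.execute(sql, ('deny', min_ports)).fetchall()


def watchlist_hits(db, ports):
    """Equivalent of an 'alert tcp $EXTERNAL_NET any -> $HOME_NET <port>' rule, but
    only for connections the PIX actually let through: denied ones are already
    handled; permitted ones to sensitive ports are what a report must show."""
    marks = ','.join('?' * len(ports))
    sql = (f'SELECT ts, src_ip, dst_ip, dst_port FROM fw_events '
           f'WHERE action = ? AND dst_port IN ({marks}) ORDER BY ts')
    return db.execute(sql, ('permit', *ports)).fetchall()


if __name__ == '__main__':
    db = load_events(SAMPLE_LOG.splitlines())
    for row in port_sweeps(db):
        print('port sweep   :', row)
    for row in watchlist_hits(db, (1433, 1434)):  # MS SQL ports; watchlist is an assumption
        print('watchlist hit:', row)
```

Two limits worth knowing before promising this to an audit team: a firewall log carries headers only, so it can reproduce Snort's address-and-port rules but none of its payload content matches, which is the part that actually identifies an exploit. And the queries are parameterised on purpose: once ACL names, hostnames or anything else attacker-influenced from the log gets pasted into a query string, the reporting database becomes the next injection target.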