To: plug@lists.q-linux.com
Subject: Re: [plug] other IDS Tools
From: Rick Moen rick@linuxmafia.com
Reply-To: plug@lists.q-linux.com
Date: Tue, 10 Dec 2002 18:08:08 -0800
Quoting oarojo@intermediacorp.com (oarojo@intermediacorp.com):

> Hi fellow pluggers! Could you recommend some other Intrusion Detection
> tools aside from snort?
As is frequently the case, the appropriate answer depends on what you call an IDS.
Nessus is the leading large-scale network scanning and vulnerability checking tool. It's graphical, client-server based, and accepts plug-ins. It's open-source.
http://www.nessus.org/
nmap is an essential command-line tool to probe hosts to see what they look like from the network. But, as such, it is usually not classified as an IDS. However, it's extremely useful to probe your own network with nmap: You find out things you'd otherwise perhaps never notice.
http://www.insecure.org/nmap/
Snort is a fast, lightweight network packet logging and analysis tool, capable of detecting a large variety of attacks and probes, using pattern-matching against its (extensible) rulesets. Open-source.
http://www.snort.org/
The SAINT (Security Administrator's Integrated Network Tool) vulnerability scanner was an open-source alternative to Dan Farmer's famous SATAN tool, but subsequently went proprietary. SATAN was issued under proprietary licensing, and went moribund. A successor project, SARA (Security Auditor's Research Assistant), seems more active.
http://www.saintcorporation.com/products/saint_engine.html
Abacus Project stuff (LogCheck, PortSentry, and HostSentry) is considered IDS-ish. Licence is proprietary, but generous. PortSentry tries to find incoming probes in real time and react by denying access. I consider the basic approach unwise: Someone can get you to DoS yourself by spoofing attacks from your own IPs, or those of interest to you. (Abacus Project / Psionic Technologies was bought by Cisco Systems and discontinued, but some of the tools live on.)
AIDE, Radmind, Prelude IDS, and Integrit are classic host-based IDSes, similar to Tripwire. I prefer AIDE, generally. Integrit is very new.
http://www.cs.tut.fi/~rammer/aide.html
http://rsug.itd.umich.edu/software/radmind/
http://www.prelude-ids.org/
http://integrit.sourceforge.net/
Long lists of IDSes:
http://users.pandora.be/discofreq/Links/security_intrusiondetectionsystems.html
http://packetstorm.widexs.nl/UNIX/IDS/
(and other packetstorm mirrors)
Be aware that IDSes divide conceptually into host-based vs. network-based systems. The latter are sometimes called NIDSes.

(Any IDS that is administered without careful attention to its security will be worse than useless, as it will give you false assurance.)
--
Cheers,
Rick Moen
rick@linuxmafia.com

"Transported to a surreal landscape, a young girl kills the first woman she meets, and then teams up with three complete strangers to kill again." -- Rick Polito's That TV Guy column, describing the movie _The Wizard of Oz_
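The host-based tools Rick groups with Tripwire (AIDE, Integrit, Radmind) all work the same way: record a digest of every file you care about, then periodically re-hash and report what was added, removed or changed. The following is an added example of that technique, not code from AIDE or any other tool named in the thread. The directory tree, file contents and the JSON baseline format are constructed for the demonstration.

```python
"""
Minimal host-based integrity checker in the AIDE/Tripwire style.

Added example, not code from any tool named in the thread. The directory
tree and file contents are constructed; the baseline format (a JSON
dict of relative path -> sha256) is an assumption chosen for brevity.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Walk `root` and record a digest for every regular file, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # the link target is hashed where it actually lives
            baseline[str(p.relative_to(root))] = hash_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and modified paths between two snapshots."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def save_baseline(baseline: dict, path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: take a baseline, alter the tree, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "init.d").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "motd").write_text("Welcome.\n")
        (root / "init.d" / "sshd").write_text("#!/bin/sh\nexec /usr/sbin/sshd\n")
        db = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), db)

        # Simulated changes: one startup script edited, one file added, one removed.
        (root / "init.d" / "sshd").write_text("#!/bin/sh\nexec /usr/sbin/sshd -o PermitRootLogin=yes\n")
        (root / "hosts.extra").write_text("192.0.2.10 build\n")  # constructed address
        (root / "motd").unlink()

        return compare(load_baseline(db), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The weak point of every tool in this class is the one Rick's closing parenthetical warns about: if the baseline database and the checker binary sit writable on the host being watched, whoever changes the files can also change the record of them. Keep the baseline on read-only media or a separate host, and treat an unreadable or missing baseline as an alert rather than a reason to rebuild it.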
From: Donncha O Caoimh donncha.ocaoimh@tradesignals.com
Organization: TradeSignals
To: Conor_D_Wynne@Dell.com, cout@eircom.net, ilug@linux.ie
Subject: Re: [ILUG] Network cracking toolkit?
Date: Wed, 11 Dec 2002 11:20:38 +0000
Don't use Portsentry:
http://www.linux.ie/articles/portsentryandsnortcompared.php
Even though I advocated using Portsentry too:
http://cork.linux.ie/articles/safe.php3
Donncha.
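Both Rick's objection to PortSentry and Donncha's "Don't use Portsentry" come down to the same failure mode: a tool that blocks whatever source address a probe claims to come from can be made to block your own gateway, resolver or admin host, because the claimed source of a packet costs nothing to forge. The following is an added simulation of that hazard and of the minimal mitigation (a never-block list), written for this thread; it is not PortSentry code, and the probe log, threshold and address lists are constructed.

```python
"""
Simulation of a PortSentry-style reactive blocker and the self-DoS hazard.
Added example, not PortSentry code; probe records and address lists are
constructed, and the threshold of 3 probes is an arbitrary assumption.
"""
import ipaddress

# Constructed: addresses the host must never deny, whatever the probe log
# says (own LAN, upstream gateway, DNS resolver). Documentation ranges only.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24",      # own LAN
    "198.51.100.1/32",   # upstream gateway
    "203.0.113.53/32",   # resolver
)]


def is_protected(src: str) -> bool:
    """True if `src` falls inside any never-block network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in NEVER_BLOCK)


class ReactiveBlocker:
    """Counts probes per claimed source and denies the source at `threshold`."""

    def __init__(self, threshold: int = 3, protect: bool = True):
        self.threshold = threshold
        self.protect = protect      # False reproduces the naive behaviour
        self.counts: dict[str, int] = {}
        self.blocked: set[str] = set()
        self.ignored: set[str] = set()

    def observe(self, src: str, dst_port: int) -> None:
        """One probe seen. The source is whatever the packet claimed; it is not verified."""
        if src in self.blocked:
            return
        self.counts[src] = self.counts.get(src, 0) + 1
        if self.counts[src] >= self.threshold:
            if self.protect and is_protected(src):
                self.ignored.add(src)   # log it, never deny it
            else:
                self.blocked.add(src)


def run(probes, protect: bool):
    """Feed a probe log through a blocker; return (blocked, ignored) sorted."""
    b = ReactiveBlocker(protect=protect)
    for src, port in probes:
        b.observe(src, port)
    return sorted(b.blocked), sorted(b.ignored)


# Constructed probe log: one genuine scanner, plus probes whose source was
# forged to look like the upstream gateway.
PROBES = [
    ("203.0.113.77", 23), ("203.0.113.77", 111), ("203.0.113.77", 445),
    ("198.51.100.1", 23), ("198.51.100.1", 111), ("198.51.100.1", 445),
]

if __name__ == "__main__":
    print("naive:    ", run(PROBES, protect=False))   # gateway gets blocked
    print("protected:", run(PROBES, protect=True))    # gateway only logged
```

The never-block list removes the most damaging outcome but not the underlying problem: an attacker who can forge source addresses still decides which addresses you deny. That is why the thread's advice is to log and alert (Snort, LogCheck) rather than to let a packet's claimed source drive a firewall rule.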
From: David Allen webinfo@crconsulting.com
To: [a mailing list]
Date: Fri, 10 Oct 2003 14:02:49 -0700
Subject: RE: IDS software
John Mark Walker writes:

> So if any of you were going to install IDS (usual caveats about how
> IDS is not the only line of defense), which one would you install, or
> have you installed already?
Snort+mySQL+ACID (and maybe +swatch) would be my recommendation. Prelude IDS at http://www.prelude-ids.org/ is interesting, too, but it's not as commonly used as snort.

If you want to spend lots and lots of $$$, you can go with ISS, Symantec, or Sourcefire.
Feel free to check out my LinuxWorld IDS presentation at
http://linuxmafia.com/presentations