> Hi fellow pluggers! Could you recommend some other
> tools aside from snort?
As is frequently the case, the appropriate answer depends on
call an IDS.
Nessus is the leading large-scale network scanning and
checking tool. It's graphical, client-server based, and accepts plug-ins. It's open-source.
nmap is an essential command-line tool to probe hosts to see
look like from the network. But, as such, it is usually not classified
as an IDS. However, it's extremely useful to probe your own network
with nmap: You find out things you'd otherwise perhaps never notice.
Snort is a fast, lightweight network packet logging and analysis
of detecting a large variety of attacks and probes, using pattern-matching against its
(extensible) rulesets. Open-source.
The SAINT (Security Administrator's Integrated Network Tool)
scanner was an open-source alternative to Dan Farmer's famous SATAN tool, but
subsequently went proprietary. SATAN was issued under proprietary licensing, and
went moribund. A successor project, SARA (Security Auditor's Research Assistant)
seems more active.
Abacus Project stuff (LogCheck, PortSentry, and HostSentry)
are considered IDS-ish. Licence is proprietary, but generous. PortSentry
tries to find incoming probes in real time and react by denying access.
I consider the basic approach unwise: Someone can get you to DoS
yourself by spoofing attacks from your own IPs, or those of interest to
you. (Abacus Project / Psionic Technologies was bought by Cisco Systems and
discontinued, but some of the tools live on.)
AIDE, Radmind, Prelude IDS, and Integrit are classic host-based IDSes, similar to
I prefer AIDE, generally. Integrit is very new.
Long lists of IDSes:
http://packetstorm.widexs.nl/UNIX/IDS/ (and other packetstorm mirrors)
Be aware that IDSes divide conceptually into host-based vs.
systems. The latter are sometimes called NIDSes.
(Any IDS that is administered without careful attention to its
will be worse than useless, as it will give you false assurance.)
Cheers,
Rick Moen
firstname.lastname@example.org

"Transported to a surreal landscape, a young girl kills the first woman she meets, and then teams up with three complete strangers to kill again." -- Rick Polito's That TV Guy column, describing the movie _The Wizard of Oz_
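The self-DoS hazard Rick describes for reactive blockers like PortSentry, shown as a small simulation. This is an added example for the thread, not code from PortSentry, the Abacus Project or any poster: the decoy ports, the addresses, the traffic sample and the "ignore list" semantics are all constructed. The attacker sends single SYNs with forged source addresses of hosts the victim depends on (gateway, resolver, mail relay); it never needs a reply, because one probe is enough to trigger the block.

```python
"""
Simulation of a PortSentry-style reactive blocker and the self-DoS hazard
described above: a tool that denies access to whatever source address it
sees probing can be turned against you by anyone able to spoof packets.

Added example for this thread, not code from PortSentry, Abacus Project or
the posters. The addresses, ports and traffic below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# Decoy ("tripwire") ports: this host offers no service on them, so any
# connection attempt is treated as a probe. Constructed list.
TRIPWIRE_PORTS: Set[int] = {1, 11, 15, 111, 540, 31337}

# Constructed sample of what a listener on the decoy ports might see,
# one "src,dst_port" per line. 198.51.100.7 is a genuine scanner; the
# 10.0.0.x and 192.0.2.10 probes carry spoofed source addresses of hosts
# we depend on (gateway, resolver, mail relay). 203.0.113.5 hits a real
# service port and is not a probe at all.
SAMPLE_TRAFFIC = """\
198.51.100.7,31337
198.51.100.7,111
10.0.0.1,1
10.0.0.53,11
192.0.2.10,540
203.0.113.5,22
"""


def parse_traffic(text: str) -> List[Tuple[str, int]]:
    """Parse 'src,dst_port' lines into (src, port) tuples, skipping blanks."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        src, port = line.split(",")
        records.append((src, int(port)))
    return records


@dataclass
class ReactiveBlocker:
    """Minimal 'see a probe, block its source' responder."""
    ignore: Set[str] = field(default_factory=set)  # never-block addresses
    threshold: int = 1                              # probes before a block
    hits: Dict[str, int] = field(default_factory=dict)
    blocked: Set[str] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def observe(self, src: str, dst_port: int) -> None:
        """Feed one connection attempt to the blocker."""
        if dst_port not in TRIPWIRE_PORTS or src in self.blocked:
            return
        self.hits[src] = self.hits.get(src, 0) + 1
        if src in self.ignore:
            self.log.append(f"{src} -> port {dst_port}: ignored host, left alone")
        elif self.hits[src] >= self.threshold:
            self.blocked.add(src)
            self.log.append(f"{src} -> port {dst_port}: source BLOCKED")


def simulate(traffic: str, ignore: Iterable[str] = (), threshold: int = 1) -> Set[str]:
    """Run the blocker over a traffic sample; return the set of blocked sources."""
    blocker = ReactiveBlocker(ignore=set(ignore), threshold=threshold)
    for src, port in parse_traffic(traffic):
        blocker.observe(src, port)
    return blocker.blocked


if __name__ == "__main__":
    infra = {"10.0.0.1", "10.0.0.53"}  # gateway and resolver we must never block
    print("naive blocker blocks:    ", sorted(simulate(SAMPLE_TRAFFIC)))
    print("with ignore list, blocks:", sorted(simulate(SAMPLE_TRAFFIC, ignore=infra)))
```

The naive run blocks the gateway and the resolver along with the real scanner, which is exactly the self-inflicted outage Rick warns about. A never-block list (PortSentry had one of its own, the ignore file) saves the hosts you remembered to list, but the spoofed mail relay 192.0.2.10 is still cut off, and raising `threshold` only raises the number of forged packets the attacker has to send. The structural problem is that the decision keys on an unauthenticated source address.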
From: Donncha O Caoimh email@example.com
To: Conor_D_Wynne@Dell.com, firstname.lastname@example.org, email@example.com
Subject: Re: [ILUG] Network cracking toolkit?
Date: Wed, 11 Dec 2002 11:20:38 +0000
Don't use Portsentry:
Even though I advocated using Portsentry too:
From: David Allen firstname.lastname@example.org
To: [a mailing list]
Date: Fri, 10 Oct 2003 14:02:49 -0700
Subject: RE: IDS software
John Mark Walker writes:
> So if any of you were going to install IDS (usual caveats
> IDS is not the only line of defense), which one would you install, or
> have you installed already?
Snort+MySQL+ACID (and maybe +swatch) would be my recommendation.
Prelude IDS at http://www.prelude-ids.org/ is interesting, too, but it's
not as commonly used as snort.
If you want to spend lots and lots of $$$, you can go with
Symantec, or Sourcefire.
Feel free to check out my LinuxWorld IDS presentation at