Subject: Re: [plug] other IDS Tools
From: Rick Moen
Date: Tue, 10 Dec 2002 18:08:08 -0800

Quoting (

> Hi fellow pluggers! Could you recommend some other Intrusion Detection
> tools aside from snort?

As is frequently the case, the appropriate answer depends on what you
call an IDS.

Nessus is the leading large-scale network scanning and vulnerability
checking tool. It's graphical, client-server based, and accepts plug-ins. It's open-source.

nmap is an essential command-line tool to probe hosts to see what they
look like from the network. But, as such, it is usually not classified
as an IDS. However, it's extremely useful to probe your own network
with nmap: You find out things you'd otherwise perhaps never notice.

Snort is a fast, lightweight network packet logging and analysis tool, capable
of detecting a large variety of attacks and probes, using pattern-matching against its
(extensible) rulesets. Open-source.

The SAINT (Security Administrator's Integrated Network Tool) vulnerability
canner was an open-source alternative to Dan Farmer's famous SATAN tool, but
subsequently went proprietary. SATAN was issued under proprietary licensing, and
went moribund. A successor project, SARA (Security Auditor's Research Assistant)
seem more active.

Abacus Project stuff (LogCheck, PortSentry, and HostSentry) is
considered IDS-ish. Licence is proprietary, but generous. PortSentry
tries to find incoming probes in real time and react by denying access.
I consider the basic approach unwise: Someone can get you to DoS
yourself by spoofing attacks from your own IPs, or those of interest to
you. (Abacus Project / Psionic Technologies was bought by Cisco Systems and
discontinued, but some of the tools live on.)

AIDE, Radmind, Prelude IDS, and Integrit are classic host-based IDSes, similar to Tripwire.
I prefer AIDE, generally. Integrit is very new.

Long lists of IDSes: (and other packetstorm mirrors)

Be aware that IDSes divide conceptually into host-based vs. network-based
systems. The latter are sometimes called NIDSes.

(Any IDS that is administered without careful attention to its security
will be worse than useless, as it will give you false assurance.)

Cheers, "Transported to a surreal landscape, a young girl kills the first
Rick Moen woman she meets, and then teams up with three complete strangers to kill again." -- Rick Polito's That TV Guy column,
describing the movie _The Wizard of Oz_

From: Donncha O Caoimh
Organization: TradeSignals
Subject: Re: [ILUG] Network cracking toolkit?
Date: Wed, 11 Dec 2002 11:20:38 +0000

Don't use Portsentry:
Even though I advocated using Portsentry too:


From: David Allen
To: [a mailing list]
Date: Fri, 10 Oct 2003 14:02:49 -0700
Subject: RE: IDS software

John Mark Walker writes:

> So if any of you were going to install IDS (usual caveats about how
> IDS is not the only line of defense), which one would you install, or
> have you installed already?

Snort+mySQL+ACID(and maybe +swatch) would be my recommendation.

Prelude IDS at is interesting, too, but it's
not as commonly used as snort.

If you want to spend lots and lots of $$$, you can go with ISS,
Symantec, or Sourcefire.

Feel free to check out my LinuxWorld IDS presentation at