
BLU Discuss list archive



Intrusion Detection System



Depends on what you mean by intrusion detection.  LIDS is not really
an intrusion detection system.  It's really more of a prevention
system; it just has a horrible name.  Last time I reviewed the
software I couldn't really say that it was something I'd use on my
systems.  I use Grsecurity and a number of ACLs, which I feel does
the job better.  Grsecurity includes PaX (which helps protect against
stack-smashing attacks), an MDAC, and a number of other important
patches to the kernel.

www.grsecurity.net

Anyways, there is host-based intrusion detection, which is something
that samhain or tripwire does (though tripwire is crap), and there is
network-based intrusion detection, which is what snort and prelude do.

Most HIDS detect file changes on your system.  samhain uses
cryptographic checksums to detect changes; it also monitors for suid
executables, and can detect kernel rootkits.  It supports centralized
logging, storing, and updates, supports a stealth mode of operation,
all databases and configuration files can be PGP signed, etc.

http://la-samhna.de/samhain/index.html

Tripwire just looks for file changes.  Most people keep the db on the
system, so it's really easy to play with (just update the db after
you're done changing files). Overall, tripwire is very basic, and it's
better than nothing, but you might as well go with something open
source that 'doesn't suck'.  Tripwire isn't really free anymore; they
have an unmaintained open source version that is really behind the
times, or you can buy into their product and waste lots of money.

http://www.tripwire.com/
http://sourceforge.net/projects/tripwire/
(last update was March 3, 2001!)

NIDS on the other hand look for packets on your network.  Each packet
it receives is analyzed and run against a list of rules that is either
predefined or built by you.  Based on the result of the rules, either
a pattern is matched and an alert is triggered, or the packet is fine
and all is well.  Snort is probably the most popular in this area; it
has an active community behind it, lots of signatures, and tools to
bolt onto it, web front ends, etc.  Prelude is the newcomer which I've
heard is good, but I haven't tried it myself.  Much like the
open source NIDS, there are several commercial products like NFR,
Enterasys Intrusion Defense (used to be known as Dragon IDS), and
Cisco IDS.

www.snort.org
www.prelude-ids.org/


-miah

On Tue, Aug 10, 2004 at 10:25:49AM -0700, Dava Peters wrote:
> Hi all,
> 
> Any suggestion for Open Source Linux-based Intrusion
> Detection Systems? I found two - LIDS (Linux Intrusion
> Detection System from lids.org) and Snort from
> snort.org.
> 
> --
> DP
> 
> 
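The HIDS behaviour described in the reply above (cryptographic checksums of files, watching for new suid executables, and the point that a baseline database left unprotected on the monitored host is easy to "play with") can be shown in a few dozen lines. This is an added example, not code from samhain, tripwire, or the original poster; the directory layout and the HMAC key name `BASELINE_KEY` are assumptions, and in real use the key would live off the monitored host.

```python
import hashlib
import hmac
import json
import os
import stat

# Hypothetical key used to authenticate the stored baseline. It must NOT be
# kept on the monitored host alongside the baseline, otherwise an intruder
# can simply re-sign an updated database after altering files.
BASELINE_KEY = b"example-key-not-for-production"

SETID_BITS = stat.S_ISUID | stat.S_ISGID


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root to its digest and permission bits."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, device nodes
            rel = os.path.relpath(path, root)
            baseline[rel] = {"sha256": hash_file(path), "mode": st.st_mode & 0o7777}
    return baseline


def sign_baseline(baseline, key=BASELINE_KEY):
    """Serialise the baseline with an HMAC so silent edits are detectable."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"baseline": baseline, "hmac": tag}, sort_keys=True)


def load_baseline(blob, key=BASELINE_KEY):
    """Verify the HMAC before trusting a stored baseline; raise on mismatch."""
    doc = json.loads(blob)
    body = json.dumps(doc["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline HMAC mismatch: database may have been altered")
    return doc["baseline"]


def compare(old, new):
    """Report added, removed and modified files, plus newly setuid/setgid ones."""
    report = {"added": [], "removed": [], "modified": [], "new_suid": []}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            report["added"].append(rel)
        elif rel not in new:
            report["removed"].append(rel)
        elif old[rel] != new[rel]:
            report["modified"].append(rel)
        if rel in new and new[rel]["mode"] & SETID_BITS:
            was_setid = rel in old and old[rel]["mode"] & SETID_BITS
            if not was_setid:
                report["new_suid"].append(rel)
    return report


if __name__ == "__main__":
    import sys
    # Usage: python hids.py <directory>  (prints a signed baseline to stdout)
    print(sign_baseline(build_baseline(sys.argv[1] if len(sys.argv) > 1 else ".")))
```

The comparison treats a permission change as a modification as well, so a binary that merely gains the suid bit shows up twice: once under `modified` and once under `new_suid`. Storing the baseline signed and keeping the key elsewhere is the minimal answer to the "just update the db after you're done" problem; a real deployment would also keep a copy of the baseline off-host.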
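The NIDS loop the reply sketches (each packet run against a rule list, an alert raised on a match, otherwise the packet passes) is shown below as an added example; it is not Snort or Prelude code, and the rule format and the constructed packets are assumptions chosen to mirror the protocol/port/content fields a typical signature carries.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    """Decoded packet fields a rule can test; constructed, not captured."""
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


# Hypothetical rule set: a rule matches when every field it names matches.
RULES = [
    {"sid": 1, "proto": "tcp", "dport": 80, "content": b"../../",
     "msg": "HTTP path traversal pattern"},
    {"sid": 2, "proto": "tcp", "dport": 23, "content": None,
     "msg": "telnet to internal host (cleartext protocol)"},
    {"sid": 3, "proto": "udp", "dport": 53, "content": b"ANY",
     "msg": "DNS ANY query (possible amplification probe)"},
]


def rule_matches(rule, pkt):
    """Return True when the packet satisfies all fields the rule specifies."""
    if rule["proto"] != pkt.proto or rule["dport"] != pkt.dport:
        return False
    content = rule["content"]
    return content is None or content in pkt.payload


def inspect(packets, rules=RULES):
    """Run each packet against the rule list; return one alert per match."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule_matches(rule, pkt):
                alerts.append({"sid": rule["sid"], "msg": rule["msg"],
                               "src": pkt.src, "dst": pkt.dst})
    return alerts


# Constructed sample traffic (not a real capture).
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.80", "tcp", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("10.0.0.9", "10.0.0.80", "tcp", 80, b"GET /../../etc/hosts HTTP/1.0\r\n"),
    Packet("10.0.0.9", "10.0.0.22", "tcp", 23, b"\xff\xfd\x18"),
    Packet("10.0.0.5", "10.0.0.53", "udp", 53, b"\x12\x34ANY"),
]

if __name__ == "__main__":
    for a in inspect(SAMPLE):
        print(f"[sid {a['sid']}] {a['msg']}: {a['src']} -> {a['dst']}")
```

A real engine does far more (stream reassembly, protocol decoders, fast multi-pattern matching, thresholds to suppress alert floods), but the shape is the same: decode, match against rules, alert or pass.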
