Web Hosting Talk
View Full Version : IDS, good or bad


davidb
07-21-2001, 02:37 PM
I run snort as my IDS. I honestly do not see what good it does. I cancelled out all the stuff I do not need from it, or attempted to, yet my alert file is still huge. All different kinds of errors. I do not understand what good it does if I can't get any real information. What IDS do you use and how do you make it most efficient?

magnafix
07-23-2001, 11:48 AM
You could also use a filesystem-based IDS rather than a network IDS. We use Filesystem Saint http://www.unixgeeks.org/fss/ which, with a minor tweak, now only emails us if a system file has changed.
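For anyone wondering what "only email us if a system file has changed" looks like in practice, here is a minimal Tripwire / Filesystem Saint-style integrity check. This is an added example, not code from either tool or from anyone in this thread. It assumes a hand-written list of watched paths, fingerprints each one by SHA-256 plus size, mode, owner and mtime, stores the baseline as JSON, and builds a fake system tree in a temp directory so it runs offline.

```python
"""Tripwire / Filesystem Saint-style host integrity check, written here as an
added example; it is not code from either tool or from anyone in this thread.
Assumptions: watched paths are listed by hand, each is fingerprinted by SHA-256
plus size, mode, owner and mtime, the baseline is stored as JSON, and the
sample tree below is constructed in a temp directory so the script runs offline.
"""
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Content hash plus the metadata an attacker would also have to forge."""
    st = path.lstat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
            "mtime": int(st.st_mtime)}


def build_baseline(root: Path, watched: list) -> dict:
    """Fingerprint every watched path that currently exists."""
    return {rel: fingerprint(root / rel) for rel in watched if (root / rel).exists()}


def compare(baseline: dict, root: Path, watched: list) -> dict:
    """Report only deviations from the baseline; an empty report means no mail."""
    current = build_baseline(root, watched)
    report = {"added": [], "removed": [], "changed": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            diffs = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
            if diffs:
                report["changed"][rel] = diffs
    return report


def has_changes(report: dict) -> bool:
    """True if anything was added, removed or modified."""
    return any(report.values())


def demo() -> dict:
    """Constructed scenario: baseline a fake system tree, then tamper with it."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "etc").mkdir()
    (root / "bin" / "ls").write_bytes(b"\x7fELF original ls")
    (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
    (root / "etc" / "shadow").write_text("root:$1$salt$hash:11500:0:99999:7:::\n")
    watched = ["bin/ls", "bin/ps", "etc/passwd", "etc/shadow"]

    # The baseline must live somewhere the monitored host cannot rewrite
    # (read-only media or another machine); here it is just a JSON file.
    baseline_file = root / "baseline.json"
    baseline_file.write_text(json.dumps(build_baseline(root, watched)))

    # Simulate a rootkit: a same-size trojan binary (a size check alone would
    # miss it), a planted file on a watched path, and a deleted file.
    (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned ls")
    (root / "bin" / "ps").write_bytes(b"\x7fELF planted ps")
    (root / "etc" / "shadow").unlink()

    return compare(json.loads(baseline_file.read_text()), root, watched)


if __name__ == "__main__":
    r = demo()
    print(json.dumps(r, indent=2) if has_changes(r) else "no changes")
```

Run it from cron and pipe the output to mail only when `has_changes()` is true; that is the whole "minor tweak". The one thing the script cannot protect is its own baseline: once an attacker has root on the box they can regenerate it, so keep the JSON on read-only media or pull it from another host.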

huck
07-23-2001, 12:01 PM
I've used snort on a couple of occasions and have found it to be very noisy. Just wait until someone hits your servers with a nessus scan and see the alerts build up.

I use Tripwire and logcheck. Logcheck monitors the logs and sends me unusual events. You can easily customize the filters by adding keywords to a text file. Tripwire monitors file changes for me. Tripwire takes some time to configure, but you are watching system files, not network traffic.

I would evaluate your needs -- if you need an instantaneous response to a possible intrusion, then you have to use a real-time network-based system. If you just want to be alerted when something looks funny, then logcheck/tripwire works well. I run logcheck every 15 minutes and tripwire once a day.
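To show the logcheck model huck describes (keyword filters in a text file, run from cron every 15 minutes, only "unusual" lines mailed out), here is a small filter of the same shape. It is an added example and not logcheck's own code or anything posted in this thread. It assumes rules are one regex per line with `#` comments, that attack keywords win over ignore rules, that a byte offset is carried between runs so each cron run only sees new lines (and starts over if the file shrank after logrotate), and the syslog lines are constructed for the example.

```python
"""logcheck-style log filter, written here as an added example; it is not
logcheck's own code or anyone's code from this thread. Assumptions: rules
are one regex per line with '#' comments, attack keywords beat ignore rules,
a byte offset is carried between runs so a cron job only sees new lines,
and the syslog lines below are constructed for this example.
"""
import re
import tempfile
from pathlib import Path
from typing import Optional


def load_rules(text: str) -> list:
    """One regex per line; blank lines and '#' comments are skipped."""
    return [re.compile(l.strip()) for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#")]


# Routine noise reviewed once and silenced (constructed rules, not logcheck's).
IGNORE_RULES = load_rules(r"""
sshd\[\d+\]: Accepted publickey for deploy from 10\.0\.0\.\d+
CRON\[\d+\]: \(root\) CMD
kernel: eth0: link up
""")

# Always reported, even if an ignore rule would also match.
ALERT_RULES = load_rules(r"""
Failed password
Invalid user
entered promiscuous mode
segfault at
""")


def classify(line: str) -> Optional[str]:
    """'alert' for attack keywords, None for known noise, 'unusual' for the rest."""
    if any(r.search(line) for r in ALERT_RULES):
        return "alert"
    if any(r.search(line) for r in IGNORE_RULES):
        return None
    return "unusual"


def read_new_lines(log: Path, offset: int):
    """Return complete lines appended since offset, plus the new offset.
    A file shorter than the offset means logrotate ran, so start from 0."""
    if log.stat().st_size < offset:
        offset = 0
    with log.open("rb") as f:
        f.seek(offset)
        data = f.read()
    head, sep, _partial = data.rpartition(b"\n")
    if not sep:
        return [], offset          # no complete line yet; re-read next run
    lines = [l for l in head.decode("utf-8", "replace").split("\n") if l]
    return lines, offset + len(head) + 1


def check(log: Path, offset: int):
    """One cron run: classify new lines, return the report and the next offset."""
    lines, offset = read_new_lines(log, offset)
    report = {"alert": [], "unusual": []}
    for line in lines:
        kind = classify(line)
        if kind:
            report[kind].append(line)
    return report, offset


# Constructed syslog sample: three noise lines, two attack indicators, one oddity.
SAMPLE_LOG = """\
Jul 23 11:45:01 web1 CRON[1204]: (root) CMD (/usr/local/bin/logcheck)
Jul 23 11:46:12 web1 sshd[1310]: Accepted publickey for deploy from 10.0.0.7 port 50122 ssh2
Jul 23 11:47:30 web1 sshd[1322]: Failed password for root from 203.0.113.9 port 4102 ssh2
Jul 23 11:48:02 web1 kernel: eth0: link up
Jul 23 11:49:55 web1 kernel: device eth0 entered promiscuous mode
Jul 23 11:50:17 web1 useradd[1402]: new user: name=guest, UID=1003
"""


def demo():
    """Three simulated cron runs: initial, nothing new, then one appended line."""
    log = Path(tempfile.mkdtemp()) / "messages"
    log.write_text(SAMPLE_LOG)
    first, off = check(log, 0)
    second, off = check(log, off)
    with log.open("a") as f:
        f.write("Jul 23 12:01:09 web1 sshd[1511]: Invalid user oracle from 198.51.100.4\n")
    third, off = check(log, off)
    return first, second, third


if __name__ == "__main__":
    for run in demo():
        for kind, lines in run.items():
            for line in lines:
                print(f"[{kind.upper()}] {line}")
```

The "unusual" bucket is where the tuning happens: every line that lands there gets either promoted to an alert keyword or added to the ignore file, and after a week or two the mails shrink to things worth reading. Keep the ignore regexes as specific as the first rule above; a bare `sshd` or `Accepted` would also swallow the lines you most want to see.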

davidb
07-23-2001, 10:07 PM
Doesn't someone need a nessus account to do any scanning? I think I'm going to replace snort with tripwire; it was a pain to configure the last time I did it, but I think it is good software. :)

DavidU
07-24-2001, 05:57 PM
Originally posted by davidb
Doesn't someone need a nessus account to do any scanning? I think I'm going to replace snort with tripwire; it was a pain to configure the last time I did it, but I think it is good software. :)

dude, snort and tripwire are TOTALLY different programs...they do different things.

snort == NIDS
tripwire == HIDS

I gave a talk about it at my local unix users group:
Powerpoint is here:
http://www.phreedom.net/~davidu/IDS_TALK-11_08_2000.ppt

-davidu (davidu@everydns.net)

davidb
07-24-2001, 07:19 PM
Ya, I know what each does, just a bad choice of words.