The best Intrusion Detection System

M0NkEY · #1 03-16-2003, 06:03 PM

Anyone know of a really good Intrusion Detection System???

Preferably Free

phactor · #2 03-16-2003, 06:10 PM

snort + acid?

M0NkEY · #3 03-16-2003, 06:15 PM

http://www.madisonlinux.org/help/snort.shtml ?

phactor · #4 03-16-2003, 06:17 PM

yes

i use it and is very good

good luck

Patrick · #5 03-16-2003, 06:34 PM

Hands down -- Snort.

Luxore · #6 03-16-2003, 08:33 PM

have they fixed that security problem in it yet?

M0NkEY · #7 03-16-2003, 09:00 PM

Quote:

Originally posted by Luxore
have they fixed that security problem in it yet?

*Raised Eyebrow*

cubision · #8 03-16-2003, 09:04 PM

Which security problem are you refering to? Every piece of software has security bugs ... maybe you are refering to one of the most recent, the buffer overflow one?

Luxore · #9 03-16-2003, 09:20 PM

yup yup

at cert, second one down on "new and notable"

inteltechs · #10 03-16-2003, 09:54 PM

I don't like snort at all... it will take all your cpu usage...

cubision · #11 03-16-2003, 11:12 PM

I haven't seen any abnormal CPU usage on machines with snort ... mind describing your experience? What version/what cpu loads were you experiencing?

RogelioH · #12 03-16-2003, 11:47 PM

Hi Intel,

Snort is a nice piece of cake, but are you sure you are running it right with correct config? Ive heard that if you run it wrong or configure it wrong it can hurt cpu.

M0NkEY · #13 03-16-2003, 11:54 PM

Hmmm... any suggestions for an IDS I can install easily on boxes with users already on them. One that will have a low risk of "funking" stuff up?

I've never installed snort and I don't want to practice on a box with customers on it.

timelord · #14 03-17-2003, 01:05 AM

There are two types of IDS systems - HIDS (host intrusion detection system) and NIDS (network intrusion detection system). An example of a HIDS would be tripwire, and example of NIDS would be snort or any of the standalone commerical products.

In independent testing (in 2002), snort beat the commericail products from Enteresys and Cisco. I can tell you that I had it running on a 400Mhz machine monitoring a full (always busy) T1 and it was taking about 30-40% of the CPU. However, I was having it log to a MySQL database, and I didn't perform some of the steps needed to mitigate the performance impact (since it wasn't an issue.)

Having said all that, I would not recommend putting ANY NIDS on an active machine - it should be on a dedicated machine. Several reasons for this, including the fact that if somebody DOES breakin to your system, having the IDS on it means that they can hide the evidence that they were there (the same way they can clean stuff from the log files.) Another thing to remember is that you could be recording user name and passwords, and you certainly don't want that on the same machine as your users. Get an old machine, run a strip down Linux on it (www.devil-linux.org has one that is perfect for this), and only have it run Snort (and the associated components like MySQL [to log the attack records], Acid, etc.).

And yes - the buffer overflow issue has been resolved.

voided · #15 03-17-2003, 01:13 AM

check out puresecure from demarc

www.demarc.com

its just amazing... free for personal use, a bit pricey for commercial though. i love it

The best Intrusion Detection System

Sponsored Links

Advertise Here

Internet Services

Web Development

Digital Marketing

Consumer Tech