
Need Recommendation on Intrusion Detection Systems (IDS)

FreshPrince

Diamond Member
Any information on managed or un-managed systems will be appreciated.

Looking for enterprise scale solutions only.

thx!

Fresh
 
I second "snort" as the best tool for IDS.

You could try to build your own free Linux/BSD firewall with Snort, Samba, Apache & SQL. Or download the Analysis Control for Intrusion Detection (ACID) frontend for snort from the SANS Institute with your favorite Linux/Unix flavor. These methods will let you use Apache to send an email alert when an occurrence occurs or an access threshold has been breached. There are also add-ons that let it send a warning sound to your PC speaker, beeper, phone, or fax.

You can also download Smoothwall, a Linux distro that was designed from the ground up as a firewall & IDS system that uses snort as the detection tool with its own graphical & analysis frontend. This setup lacks the automated warning system, but still has a very slick interface that rivals ACID.

Eat that, you CISCO and Check Point lovers... 😛
 

<< How complex is ISS to install, configure and manage? >>

It can be a pain. I know watching over a couple hundred ISS RealSecure sensors is.

I personally like the snort idea, but if I needed something commercial (and only needed 1-3 sensors), I would go with Dragon. It is considered one of the best (although it is lacking in certain areas).
 
Which of these solutions provide actions in addition to detection? In other words, it would have the means to detect and stop intrusions. thx
 
It is hard to tell if all monitored traffic is legitimate or illegal activity, but you could code extra lines/scripts into the ipchains/iptables rules to log & deny access to IPs that surpass a predetermined threshold & send you an alert.
You then check the log to see if the traffic is legal or illegal to override the default rule. But you still need to understand what action is normal & what is not by studying the logs and learning to analyze them.

I'm sorry that there is no quick and easy solution to your quest. Either you learn & spend time reading your logs every day, or farm it out to professional services that analyze & monitor firewalls.
 
I seem to recall that BlackIce had a fully-featured IDS (I actually bought it at my last job, just never implemented it) that had some limited strikeback capabilities.

ISS also has some highly-touted features that allow it to make dynamic rule changes on a companion Checkpoint firewall to block possible threats. Sounds like magic and I've never seen it work, but it might be something to investigate.

- G
 
I'm running Checkpoint on Linux now and have set up many rules. However, it does not seem to be enough anymore, as hackers get smarter every day and my time to monitor these activities seems to grow shorter. Therefore I need a solution that will monitor, report, and execute actions against threats. ISS actually offers a nice package, but costly. There are other companies out there that will provide 24x7 IDS service for around $15K/yr. I'd rather do it myself, but I don't have the time. Secureworks actually has a decent appliance that runs off Linux and I'm looking into that now.

Fresh
 
Presinet is an inexpensive firewall/IDS solution company that provides services based upon the number of client computers that you have. At $15k you could get about 3~5 years of service for the average company.
 
Use snort as your IDS, MySQL as your database, and ACID for viewing your snort output. Get the latest snort 1.8.4 beta, as there is a known problem with snort 1.8.3 mangling certain packets when storing them to the database (might only be an issue on Linux, but I'm not sure of the details). Run it on a *BSD system if possible, as BSD has a significantly better IP stack than Linux, and is far less likely to end up dropping packets. If possible, run it in full capture mode. Make sure to get the latest snort rules from the snort web site, as the default sample rules that come with snort are pretty lightweight. Log to your database in binary mode, not ASCII.

Snort does have a preprocessor with the capability to shut off connections in case of an attack, but almost all security professionals recommend against that action, as it makes it easier for an attacker to DoS your entire network, if they can figure out what you are cutting off and spoof some packets (particularly easy is the case of spoofing attacks from all the root DNS boxen, thereby cutting off your ability to do name lookups).

I use snort and ISS, and will likely soon use Cisco's IDS as well. Of the two I currently use, I find snort to be the better by far. It is easier to tune, easier to understand, and handles heavy loads much better. One of my ISS boxen locks up daily, even though it is on a 1 GHz box with 0.5 Gig memory. On the same network segment, seeing the same data, is my P-II 450 MHz box with 128 Meg of memory running snort. It has never caused me a problem. ISS is running on NT, snort on Linux.

That's just my preference.

RagManX
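The "log & deny IPs over a threshold, then read the log" approach suggested earlier, together with RagManX's warning about automatic blocking being turned into a self-inflicted DoS, as an added example that is not code from any poster in this thread. It prints an iptables ruleset (with an exempt list so critical hosts such as your DNS resolvers are never auto-blocked) rather than applying it, and summarises constructed LOG lines per source; all ports, thresholds, addresses and log lines are constructed values.

```shell
#!/bin/sh
# Added example, not code from the thread: emit iptables rules that log and
# drop sources exceeding a SYN-rate threshold on one port, with an exempt
# list for hosts that must never be auto-blocked (e.g. your DNS resolvers),
# which addresses the spoofed-source blocking concern. Rules are printed,
# not applied, so this runs without root; review them, then pipe into sh
# on the firewall host. Every value below is constructed for illustration.

gen_threshold_rules() {
    port="$1"; hits="$2"; secs="$3"; shift 3
    echo "iptables -N RATE$port"
    # Exempt hosts return to INPUT before any counting happens.
    for host in "$@"; do
        echo "iptables -A RATE$port -s $host -j RETURN"
    done
    # Record every new SYN per source, then act once a source has sent
    # $hits or more within $secs seconds. --rcheck only reads the table.
    echo "iptables -A RATE$port -m recent --name rate$port --set"
    echo "iptables -A RATE$port -m recent --name rate$port --rcheck --seconds $secs --hitcount $hits -m limit --limit 6/min -j LOG --log-prefix \"IDS-BLOCK port$port: \""
    echo "iptables -A RATE$port -m recent --name rate$port --rcheck --seconds $secs --hitcount $hits -j DROP"
    echo "iptables -A INPUT -p tcp --dport $port --syn -j RATE$port"
}

# Step two from the thread: read the log to decide whether a blocked source
# was really hostile. Counts IDS-BLOCK entries per SRC, busiest first.
count_blocked_sources() {
    grep 'IDS-BLOCK' "$1" | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn
}

# Constructed kernel log excerpt in the format the LOG target produces.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:11 fw kernel: IDS-BLOCK port22: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=22
Mar  3 10:01:12 fw kernel: IDS-BLOCK port22: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=22
Mar  3 10:01:15 fw kernel: IDS-BLOCK port22: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=22
Mar  3 10:01:20 fw kernel: ACCEPT-AUDIT: IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.5 PROTO=TCP SPT=52000 DPT=80
EOF

# Stand-alone run: port 22, 5 SYNs per 60 s, one exempt resolver.
gen_threshold_rules 22 5 60 198.51.100.53
count_blocked_sources "$SAMPLE_LOG"
```

The hitcount and window are deliberately conservative; tune them against a few days of your own logs before the DROP rule goes live.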
 
And in case management needs a company they can get support from in order to think about using snort, there is at least one out there right now. silicondefense.com I think; check snort.org though.
 