Security

Rate the Intrusion Detection Systems?

Swannie asks: "The company I'm working for is looking into Intrusion Detection Systems. I was curious on how good/bad/ugly/cute/cuddly LIDS (Linux Intrusion Detection System) is when compared to other, commercial, systems like Cisco's NetRanger, etc. I'd be interested in information from my fellow geeks that have deployed LIDS in real world situations, as well as anyone that has switched to LIDS from a commercial solution, or vice-versa. Hopefully if I have some ammunition to go to the powers that be, I'll be able to utilize an open-source (and less expensive) Linux solution instead of a more expensive commercial one." Are there any other options out there which can be added to this comparison? In an odd bit of synchronicity, this article popped up before press time, which offers up another possible answer, in the form of Snort.
  • by Outland Traveller ( 12138 ) on Wednesday December 05, 2001 @03:49PM (#2661175)
    It's been a year since I've researched the subject, but some of this info still may be relevant. If not, I'm sure I'll be moderated down and/or corrected :)

    LIDS and Snort do very different things. LIDS is more for host-based security. It is primarily used for locking down the kernel. For example, adding additional layers of security to prevent unauthorized kernel module loading, file access, etc. It foils common rootkits and can be used to make a hardened machine. The downside is that it works at a very low level. You have to patch your kernel to get it to work, and the LIDS package lags behind the Linus tree. The configuration interface at the time I looked at it was in flux and poorly documented. It might be better now, but it looked like it took a lot of effort to customize a configuration to meet your particular needs.

    Snort is a whole different story. It is used to report suspicious network activity, such as portscans, web server attacks, ftp overflow attacks, etc. The snort scanning engine is quite sophisticated and easily customizable by rules files. It appears to be every bit as effective as commercial equivalents if not better. The downside is that the reporting is very do-it-yourself. If you want to get something more than spammy SYSLOG alerts, you have to roll your own reporting/alert/reaction tool. To be fair there are lots of hooks and database-backend support for this, but it doesn't come with the base package. Perhaps someone will reply with a link to a third-party add-on that fills this gap.
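The "spammy SYSLOG alerts" problem described above is usually closed with a small roll-up script that a team writes for itself. The following is an added example, not code from the post and not part of Snort: it parses the classic Snort syslog alert line (`[gid:sid:rev] message [Classification: ...] [Priority: n] {proto} src -> dst`) into fields, keeps only alerts at or above a chosen priority, and groups them by signature with the distinct source and destination hosts, which is what an on-call person actually wants to read. The log lines, rule names (marked HYPOTHETICAL), hosts and addresses are constructed for the demo; endpoints are assumed to be IPv4.

```python
"""Roll Snort syslog alerts up into a per-signature summary (added example)."""
import re

# Constructed sample syslog lines in Snort's classic alert format. Signature ids,
# the HYPOTHETICAL rule names and all hosts/addresses are made up for the demo;
# the last line is a non-Snort entry to show that unrelated log lines are skipped.
SAMPLE_SYSLOG = """\
Dec  5 15:49:01 sensor snort[4242]: [1:1000001:1] HYPOTHETICAL WEB-ATTACK cmd.exe access [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:40112 -> 198.51.100.5:80
Dec  5 15:49:02 sensor snort[4242]: [1:1000001:1] HYPOTHETICAL WEB-ATTACK cmd.exe access [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:40113 -> 198.51.100.5:80
Dec  5 15:49:05 sensor snort[4242]: [122:1:0] (portscan) TCP Portscan [Priority: 3] {PROTO:255} 192.0.2.77 -> 198.51.100.5
Dec  5 15:49:09 sensor snort[4242]: [1:1000002:2] HYPOTHETICAL FTP command overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:51000 -> 198.51.100.21:21
Dec  5 15:49:10 sensor sshd[999]: Accepted publickey for alice from 192.0.2.5 port 52222 ssh2
"""

# The Classification field is optional (portscan events do not carry one).
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?)"
    r"(?: \[Classification: (?P<classification>[^\]]+)\])?"
    r" \[Priority: (?P<priority>\d+)\] \{(?P<proto>[^}]+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


def strip_port(endpoint):
    """'192.0.2.10:40112' -> '192.0.2.10'; a bare address is returned unchanged.
    Assumes IPv4 endpoints; an IPv6 literal would be split incorrectly here."""
    m = re.fullmatch(r"(.+):(\d+)", endpoint)
    return m.group(1) if m else endpoint


def parse_alert(line):
    """Return the alert's fields as a dict, or None for any non-Snort line."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    alert = m.groupdict()
    alert["priority"] = int(alert["priority"])  # Snort priority 1 is the most severe
    alert["src_ip"] = strip_port(alert["src"])
    alert["dst_ip"] = strip_port(alert["dst"])
    return alert


def summarize(syslog_text, max_priority=2):
    """Group alerts by (gid, sid), dropping anything less urgent than max_priority.
    Each row carries the hit count and the distinct sources and targets seen."""
    buckets = {}
    for line in syslog_text.splitlines():
        alert = parse_alert(line)
        if alert is None or alert["priority"] > max_priority:
            continue
        key = (alert["gid"], alert["sid"])
        row = buckets.setdefault(key, {
            "gid": alert["gid"], "sid": alert["sid"], "msg": alert["msg"],
            "classification": alert["classification"], "priority": alert["priority"],
            "count": 0, "sources": set(), "targets": set(),
        })
        row["count"] += 1
        row["sources"].add(alert["src_ip"])
        row["targets"].add(alert["dst_ip"])
    rows = [{**r, "sources": sorted(r["sources"]), "targets": sorted(r["targets"])}
            for r in buckets.values()]
    # Most severe first, then the noisiest signature within the same priority.
    rows.sort(key=lambda r: (r["priority"], -r["count"]))
    return rows


def format_report(rows):
    """One line per signature: the digest a human reads instead of raw syslog."""
    out = []
    for r in rows:
        out.append(f"P{r['priority']} x{r['count']:<3} [{r['gid']}:{r['sid']}] {r['msg']}"
                   f"  from {','.join(r['sources'])}  to {','.join(r['targets'])}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_SYSLOG, max_priority=3)))
```

Pointing the script at a real log file is a matter of replacing `SAMPLE_SYSLOG` with the file's contents; the priority threshold is what keeps the page from drowning in priority-3 portscan noise while still counting it when you raise the threshold.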
  • NetRanger (Score:3, Funny)

    by andy@petdance.com ( 114827 ) <andy@petdance.com> on Wednesday December 05, 2001 @04:11PM (#2661276) Homepage
    I've got a soft spot in my heart for NetRanger. I know that everyone equates them with "Sister Christian", but don't ignore the other rockers like "Don't Tell Me You Love Me" and the harmonies behind "Sing Me Away" and "When You Close Your Eyes".

    I saw 'em last fall at Taste Of Hanover Park [dynamitemetal.com], and they rocked like it was 1984. I expected them to come off as dinosaurs, but they held up well. Definitely worth the trip to the western suburbs.

  • Recent articles (Score:3, Informative)

    by larien ( 5608 ) on Wednesday December 05, 2001 @05:24PM (#2661664) Homepage Journal
    There was a series of articles on Security Focus [securityfocus.com] (which seems to be down ATM) recently on LIDS. Although it isn't really a comparison with anything else, it might give you an idea of what it can and can't do.
  • Tripwire... (Score:2, Insightful)

    by itwerx ( 165526 )
    ...is great for detecting if somebody got through your defenses/detection. It's by no means the first or only line of defense, but it's definitely a must-have.
    (Plus if you have over-eager assistant admins it'll catch them mucking about as well. :)
    • Re:Tripwire... (Score:3, Insightful)

      I've used tripwire on developer boxes where they had to have root. Combined with an initial install backup it works nicely to see what they are changing, etc. OpenBSD has a better system for monitoring the contents of system configuration files. It will email you the differences between the old and new versions of a file.
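The two ideas in this thread, a Tripwire-style baseline that tells you a file changed and the OpenBSD habit of mailing the actual difference, fit in one small script. The following is an added example, not code from the thread and not Tripwire's or OpenBSD's own implementation: it records a SHA-256, size and permission bits for every regular file under a directory, keeps a copy of the baseline files aside, and on the next run classifies paths as added, removed or modified and produces a unified diff for the modified ones. `demo()` builds a throwaway directory with constructed config-like files, tampers with it, and returns the report; the file names and contents are made up for the demo.

```python
"""Tripwire-style integrity baseline plus OpenBSD-style diffs (added example)."""
import difflib
import hashlib
import os
import shutil
import stat
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Record hash, size and permission bits of every regular file under root.
    The result only proves something if it is stored where root on this host
    cannot rewrite it (read-only media or another machine)."""
    db = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are skipped in this demo
            rel = os.path.relpath(full, root)
            db[rel] = {"sha256": hash_file(full), "size": st.st_size,
                       "mode": stat.S_IMODE(st.st_mode)}
    return db


def archive(root, store, baseline):
    """Copy the baseline files aside so a later run can show what changed,
    not only that something changed (the idea behind OpenBSD's backup copies)."""
    for rel in baseline:
        dst = os.path.join(store, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(root, rel), dst)  # copy2 keeps the mode bits


def compare(baseline, current):
    """Classify paths as added, removed or modified (content, size or mode differs)."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def text_diff(old_path, new_path, label):
    """Unified diff of a text file against its archived copy."""
    with open(old_path) as f:
        old = f.readlines()
    with open(new_path) as f:
        new = f.readlines()
    return "".join(difflib.unified_diff(old, new, label + " (baseline)", label + " (current)"))


def _write(root, rel, text):
    with open(os.path.join(root, rel), "w") as f:
        f.write(text)


def demo():
    """Build a throwaway /etc lookalike, baseline it, simulate changes, and report."""
    work = tempfile.mkdtemp()
    try:
        root, store = os.path.join(work, "etc"), os.path.join(work, "backups")
        os.makedirs(root)
        # Constructed sample files; the contents are illustrative only.
        _write(root, "sshd_config", "PermitRootLogin no\nPasswordAuthentication no\n")
        _write(root, "motd", "Authorised users only.\n")
        baseline = snapshot(root)
        archive(root, store, baseline)
        # Simulated changes made after the baseline was taken.
        _write(root, "sshd_config", "PermitRootLogin yes\nPasswordAuthentication no\n")
        _write(root, "cron.allow", "alice\n")
        os.remove(os.path.join(root, "motd"))
        changes = compare(baseline, snapshot(root))
        diffs = {p: text_diff(os.path.join(store, p), os.path.join(root, p), p)
                 for p in changes["modified"]}
        return changes, diffs
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    changes, diffs = demo()
    print(changes)
    for text in diffs.values():
        print(text)
```

In use, `snapshot()` and `archive()` run once at install time and the baseline plus the archive go off-host; the nightly job reruns `snapshot()`, calls `compare()` and mails the diffs. A mode change (say a config file going world-writable) shows up as modified even when the content hash is unchanged, which is why the record keeps more than the hash.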
