Rate the Intrusion Detection Systems?
Swannie asks: "The company I'm working for is looking into Intrusion Detection Systems. I was curious about how good/bad/ugly/cute/cuddly LIDS (Linux Intrusion Detection System) is when compared to other, commercial, systems like Cisco's NetRanger, etc. I'd be interested in information from my fellow geeks who have deployed LIDS in real-world situations, as well as anyone who has switched to LIDS from a commercial solution, or vice versa. Hopefully, if I have some ammunition to go to the powers that be, I'll be able to utilize an open-source (and less expensive) Linux solution instead of a more expensive commercial one." Are there any other options out there which can be added to this comparison? In an odd bit of synchronicity, this article popped up before press time, which offers up another possible answer, in the form of Snort.
Some Outdated Answers (Score:3, Informative)
LIDS and Snort do very different things. LIDS is more for host-based security. It is primarily used for locking down the kernel, for example adding additional layers of security to prevent unauthorized kernel module loading, file access, etc. It foils common rootkits and can be used to make a hardened machine. The downside is that it works at a very low level. You have to patch your kernel to get it to work, and the LIDS package lags behind the Linus tree. The configuration interface at the time I looked at it was in flux and poorly documented. It might be better now, but it looked like it took a lot of effort to customize a configuration to meet your particular needs.
Snort is a whole different story. It is used to report suspicious network activity, such as portscans, web server attacks, FTP overflow attacks, etc. The Snort scanning engine is quite sophisticated and easily customizable via rules files. It appears to be every bit as effective as commercial equivalents, if not better. The downside is that the reporting is very do-it-yourself. If you want something more than spammy syslog alerts, you have to roll your own reporting/alert/reaction tool. To be fair, there are lots of hooks and database-backend support for this, but it doesn't come with the base package. Perhaps someone will reply with a link to a third-party add-on that fills this gap.
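The "roll your own reporting" gap the poster describes is small in practice: Snort's syslog output has a fixed one-line shape, so a short script can collapse hundreds of per-packet lines into a per-signature summary with top sources. The following is an added example, not code from the thread or from the Snort project. It parses the classic `snort[pid]: [gid:sid:rev] msg [Classification: ...] [Priority: N]: {PROTO} src:port -> dst:port` line, tolerates ICMP alerts that carry no ports, counts preprocessor lines it cannot parse, and drops low-priority noise. The sample syslog lines are constructed for this example; the signature IDs and messages in them are illustrative.

```python
"""Aggregate Snort syslog alerts into a per-signature summary (added example)."""
import re
from collections import Counter

# Classic Snort syslog alert line. Classification is optional, ports are
# absent for ICMP, so both are optional groups.
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?"
    r"\[Priority: (?P<prio>\d+)\]: \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Constructed sample input; not real sensor output.
SAMPLE_SYSLOG = """\
Mar  4 10:12:01 sensor snort[1234]: [1:1256:8] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.0.5:3456 -> 192.168.1.10:80
Mar  4 10:12:02 sensor snort[1234]: [1:1256:8] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.0.5:3457 -> 192.168.1.11:80
Mar  4 10:12:03 sensor snort[1234]: [1:1256:8] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.0.9:1100 -> 192.168.1.10:80
Mar  4 10:12:05 sensor snort[1234]: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.9 -> 192.168.1.10
Mar  4 10:12:07 sensor snort[1234]: [1:1337:6] FTP EXPLOIT wu-ftpd site exec format string [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 10.0.0.9:2001 -> 192.168.1.12:21
Mar  4 10:12:09 sensor snort[1234]: [1:1000001:1] LOCAL chatty broadcast [Priority: 3]: {UDP} 192.168.1.50:137 -> 192.168.1.255:137
Mar  4 10:12:10 sensor snort[1234]: spp_portscan: PORTSCAN DETECTED from 10.0.0.9 (THRESHOLD 4 connections exceeded in 0 seconds)
"""


def parse_alert(line):
    """Return a dict for a rule-generated alert line, or None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "sid": f"{d['gid']}:{d['sid']}:{d['rev']}",
        "msg": d["msg"],
        "classification": d["cls"] or "unclassified",
        "priority": int(d["prio"]),          # 1 is the most severe
        "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
    }


def summarize(lines, max_priority=2):
    """Roll alerts up by signature; return (by_sid, unparsed_count).

    Alerts with priority greater than max_priority are dropped as noise.
    Lines that do not match the rule-alert shape (preprocessor output such as
    spp_portscan) are counted so they are not silently lost.
    """
    by_sid, unparsed = {}, 0
    for line in lines:
        a = parse_alert(line)
        if a is None:
            unparsed += 1
            continue
        if a["priority"] > max_priority:
            continue
        e = by_sid.setdefault(a["sid"], {"msg": a["msg"], "priority": a["priority"],
                                         "count": 0, "sources": Counter(), "targets": Counter()})
        e["count"] += 1
        e["sources"][a["src"]] += 1
        e["targets"][a["dst"]] += 1
    return by_sid, unparsed


def report(by_sid, top=3):
    """Render the summary, most severe and most frequent signatures first."""
    out = []
    for sid, e in sorted(by_sid.items(), key=lambda kv: (kv[1]["priority"], -kv[1]["count"])):
        out.append(f"[{sid}] P{e['priority']} x{e['count']} {e['msg']}")
        for src, n in e["sources"].most_common(top):
            out.append(f"    from {src} ({n})")
    return "\n".join(out)


if __name__ == "__main__":
    summary, skipped = summarize(SAMPLE_SYSLOG.splitlines())
    print(report(summary))
    print(f"{skipped} non-rule line(s) skipped")
```

Feeding the sensor's syslog through `summarize` on a cron cadence and mailing `report` is the kind of "reaction tool" the post says you have to write yourself; the regex is the only part that needs to track the Snort version in use.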
NetRanger (Score:3, Funny)
I saw 'em last fall at Taste Of Hanover Park [dynamitemetal.com], and they rocked like it was 1984. I expected them to come off as dinosaurs, but they held up well. Definitely worth the trip to the western suburbs.
Tripwire... (Score:2, Insightful)
Plus, if you have over-eager assistant admins, it'll catch them mucking about as well.
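Tripwire is the third kind of tool in this thread: not a kernel lockdown and not a network sniffer, but a file-integrity baseline that is checked later, which is exactly why it also catches an admin who "mucks about". The following is an added example of that technique, not Tripwire's own code or anything from the thread. It records a SHA-256 digest plus mode, owner and size for every regular file under a root, and reports what was added, removed or changed. `demo()` builds a throwaway directory and tampers with it (a same-size content swap, a mode change, a new file, a deleted file), so nothing touches a real system. Tripwire additionally signs its database; here the only safeguard assumed is that the baseline is kept read-only or off-host.

```python
"""Tripwire-style file integrity baseline and check (added example)."""
import hashlib
import json
import os
import stat
import tempfile


def _digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> attributes for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices etc. are out of scope for this example
            baseline[os.path.relpath(full, root)] = {
                "sha256": _digest(full),
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "uid": st.st_uid,
                "size": st.st_size,
            }
    return baseline


def compare(baseline, current):
    """Return added/removed paths and, per modified path, which attributes changed.

    Content is compared by digest, so a same-size replacement (the classic
    trojaned binary) is still reported even though 'size' does not differ.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in set(baseline) & set(current):
        diffs = {k: (baseline[rel][k], current[rel][k])
                 for k in baseline[rel] if baseline[rel][k] != current[rel][k]}
        if diffs:
            modified[rel] = diffs
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Baseline a constructed tree, tamper with it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        ls = os.path.join(bin_dir, "ls")
        with open(ls, "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
        os.chmod(ls, 0o755)
        with open(os.path.join(root, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")

        # Round-trip through JSON to mimic a baseline stored on read-only media.
        baseline = json.loads(json.dumps(build_baseline(root)))

        # Tamper: same-length content swap, mode change, new file, deleted file.
        with open(ls, "wb") as f:
            f.write(b"#!/bin/sh\nexec /tmp/ls \"$@\"\n")
        os.chmod(ls, 0o777)
        with open(os.path.join(bin_dir, ".backdoor"), "wb") as f:
            f.write(b"\x7fELF")
        os.remove(os.path.join(root, "passwd"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check only runs as often as you schedule it, so a modification and its reversal between two runs go unseen; that is the trade-off against LIDS, which blocks the write in the kernel, and against Snort, which never looks at the host at all.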