From owner-freebsd-questions Sun Aug 11 9:38:53 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6828537B401 for ; Sun, 11 Aug 2002 09:38:51 -0700 (PDT)
Received: from argus.volker.de (pD9504DBF.dip.t-dialin.net [217.80.77.191]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7B6E643E3B for ; Sun, 11 Aug 2002 09:38:44 -0700 (PDT) (envelope-from freebsd@secspace.de)
Received: from argus.volker.de (localhost [127.0.0.1]) by argus.volker.de (8.12.5/8.12.5) with SMTP id g7BGceJg000604; Sun, 11 Aug 2002 18:38:42 +0200 (CEST) (envelope-from freebsd@secspace.de)
Date: Sun, 11 Aug 2002 18:38:40 +0200
From: Volker Kindermann
To: freebsd-questions@freebsd.org
Cc: freebsd-questions@freebsd.org
Subject: Re: aide-0.7_1 docs?
Message-Id: <20020811183840.3f97eff3.freebsd@secspace.de>
In-Reply-To: <1029070581.38776.180.camel@Demon.vickiandstacey.com>
References: <20020810180914.Y9801-100000@x1-6-00-80-c8-3a-b8-46> <1029018608.38776.126.camel@Demon.vickiandstacey.com> <20020811115009.01fa251a.freebsd@secspace.de> <1029061905.38776.139.camel@Demon.vickiandstacey.com> <0a5f01c24130$c1cd7b60$6401a8c0@crotchett.com> <1029070581.38776.180.camel@Demon.vickiandstacey.com>
X-Mailer: Sylpheed version 0.8.1claws (GTK+ 1.2.10; i386-portbld-freebsd4.6)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Hi Stacey,

> It's good of you all to get back to me. At this point, I am beginning to
> believe that maybe I'm thinking of *something else* here, when I say
> Intrusion Detection System.

Well, it depends, as so often. There are two groups of Intrusion Detection Systems, network-based and host-based.
Tools like tripwire or aide are of the second group, but they specialize in file integrity checking. They are not the tools that will report an ongoing attack to you, but afterwards they will help you understand how that attack worked and will hopefully save you time in rebuilding the system. The only free host-based intrusion detection system that I know of for Unix-like computers that will alert you to ongoing attacks is hostsentry (www.psionic.com). Real-time attack alerting is more the job of the network-based systems, as Dru wrote you (e.g. snort).

-volker
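The file integrity checking that Volker describes for tripwire and aide boils down to recording a baseline of each file's hash and attributes and comparing a later scan against it. The following is an added example written for this page, not code from aide, tripwire, or the original poster. The directory tree, file names and contents it scans are constructed for the demonstration; the baseline format (JSON) and the choice of attributes (sha256, size, permission bits) are this example's own, not aide's. It illustrates the point made in the message: the checker only notices changes when a scan runs, so it reconstructs what an intruder touched rather than alerting while the intrusion is happening.

```python
"""Minimal file-integrity checker in the style of aide/tripwire (added example).

A baseline records sha256, size and permission bits of every regular file
under a root. A later scan is compared against it and differences reported.
Nothing here watches the filesystem in real time: a change is only noticed
when the next scan runs, which is why such tools help reconstruct an attack
after the fact rather than alert during it.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_digest(path):
    """sha256 of the file contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Return {relative_posix_path: {"sha256", "size", "mode"}} for regular files.

    lstat is used and non-regular entries are skipped, so a symlink planted
    to point at an attacker-controlled file is not hashed as if it were its target.
    """
    root = Path(root)
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            st = os.lstat(p)
            if not stat.S_ISREG(st.st_mode):
                continue
            db[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),  # catches a newly set setuid bit
            }
    return db


def save_baseline(db, path):
    """Write the database as JSON. In a real deployment it belongs on read-only
    or off-host storage: an attacker with root can otherwise regenerate it."""
    with open(path, "w") as fh:
        json.dump(db, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Diff two scans: files added, removed, and changed (with which attributes)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = []
    for rel in sorted(set(baseline) & set(current)):
        old, new = baseline[rel], current[rel]
        diffs = [k for k in ("sha256", "size", "mode") if old[k] != new[k]]
        if diffs:
            changed.append((rel, diffs))
    return {"added": added, "removed": removed, "changed": changed}


def _write(root, rel, data, mode=0o644):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)
    os.chmod(p, mode)


def demo():
    """Baseline a constructed tree, simulate a compromise, then run the check.

    The tree, file names and contents are made up for this example.
    """
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "bin/ls", b"ELF original ls\n", 0o755)
        _write(root, "usr/bin/passwd", b"ELF original passwd\n", 0o755)
        _write(root, "var/log/auth.log", b"Aug 11 18:38:40 sshd[604]: Accepted\n")
        dbpath = os.path.join(store, "integrity.db.json")
        save_baseline(scan_tree(root), dbpath)

        # Simulated compromise between two scans: trojaned binary, setuid bit
        # added to an existing binary, log removed, persistence dropped in cron.
        _write(root, "bin/ls", b"ELF trojaned ls that hides the attacker's files\n", 0o755)
        os.chmod(Path(root) / "usr/bin/passwd", 0o4755)
        os.remove(Path(root) / "var/log/auth.log")
        _write(root, "etc/cron.d/backdoor", b"* * * * * root /tmp/.x\n")

        # Only now, when the next scan runs, does anything get noticed.
        return compare(load_baseline(dbpath), scan_tree(root))


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

Run from cron it behaves like the tools in the message: useful for finding out afterwards which binaries were replaced, which logs vanished and where persistence was dropped, but silent in the window between scans. Keeping the baseline off the scanned host (or on read-only media) matters, because an intruder with root can otherwise update the database to match the altered files.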