From: m p
Date: Thu, 7 Feb 2002 12:35:51 +0100 (CET)
Subject: Re: intrusion detection software...
To: bsdneophyte@yahoo.com
Cc: freebsd-questions@freebsd.org

m p wrote:

[to speak more clearly]

> Cliff Sarginson wrote:
> > On Thu, Feb 07, 2002 at 02:26:56AM -0800, Bsd Neophyte wrote:
> > > i was at a cisco security/vpn seminar today... and all the speakers
> > > stressed how important it was to have "host-level" IDS...
> > >
> > > soooooo.... can anyone recommend a good IDS for my FreeBSD box?
> >
> > "snort" is in the ports, my experience of it is pretty good, but that
> > was under *another* OS, although it does seem to throw a tantrum
> > occasionally and turn itself off.
>
> Ok.
>
> Snort is "host-based" because it runs on *NIX. But that is not a "host-based"
> IDS but rather a "network" IDS.
>
> "Host-based" IDS means there is a tool (or a bundle of tools) watching out
> for intruders.

.. on a machine at process level. Network IDS means sniffing packets. There
are hybrids which do both.

> You can reach this with the help of tripwire/AIDE, a logwatcher, some process
> accounting and a careful design of the machine.
>
> Look out for some long gone threads for IDS and do a little google work for
> yourself. I'm sure you will find something. ... and get an understanding of
> what IDS means.
>
> AFAIK there is no product at the moment which offers "host-based" IDS in one
> product.

.. for FreeBSD from any vendor as a commercial product. Of course there are a
lot of open source projects in different states of development. But you have
to check out for yourself what fits your needs best.

Do you want to present managers colorful pictures ("We suffered 4000 attacks
last day but none succeeded") because your IDS reports Nimda on an Apache ...
or do you want a way to look for a break-in at file level _after_ it occurred
and someone gained root?

Because IDS (like every layer of security) costs money, management wants to
see some "attack data" because they paid for it ...

So think twice about IDS .. meaning the buzzword or security.

Marc
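Marc's point about looking for a break-in at file level after the fact is what tripwire/AIDE do: record a baseline of every file while the host is known-good, then compare later. The following is an added illustration, not code from the thread or from either tool; it runs the baseline-and-compare over a small temporary tree constructed inside the script, with the tampering cases a post-break-in check should reveal.

```python
import hashlib, os, stat, tempfile

def hash_file(path):
    # Stream the file so large binaries never have to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    # One record per regular file: content hash plus the metadata a break-in
    # tends to alter (permission bits, owner, size). Symlinks are skipped.
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode):
                baseline[os.path.relpath(path, root)] = {
                    "sha256": hash_file(path), "mode": stat.S_IMODE(st.st_mode),
                    "uid": st.st_uid, "size": st.st_size}
    return baseline

def compare(old, new):
    # Files that appeared, vanished, or whose recorded attributes differ.
    changed = {}
    for rel in sorted(set(old) & set(new)):
        diffs = [k for k in old[rel] if old[rel][k] != new[rel][k]]
        if diffs:
            changed[rel] = diffs
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)), "changed": changed}

def demo():
    # Constructed scenario: a tiny fake system tree, a baseline taken while the
    # host is known-good, then the kind of tampering the later check must catch.
    with tempfile.TemporaryDirectory() as root:
        for rel, body in (("usr/bin/login", b"login v1"), ("etc/passwd", b"root:*:0:0")):
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(body)
        baseline = build_baseline(root)
        with open(os.path.join(root, "usr/bin/login"), "wb") as f:
            f.write(b"backdoor")  # same size as before: only the hash catches it
        with open(os.path.join(root, "usr/bin/.sh"), "wb") as f:
            f.write(b"dropped")  # a new file the baseline never saw
        os.remove(os.path.join(root, "etc/passwd"))
        return compare(baseline, build_baseline(root))
```

In real use the baseline must be stored off-host or on read-only media; a baseline an intruder with root can rewrite tells you nothing.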