From owner-freebsd-security Sun Jan 13 10:38:45 2002
From: "Dave Raven" <dave@raven.za.net>
To: "Simon Siemonsma", freebsd-security@freebsd.org
Subject: Re: Which intrusion detection to use?
Date: Sun, 13 Jan 2002 20:35:25 +0200
Message-ID: <019601c19c61$121dfb00$3800a8c0@DAVE>
References: <200201131755.SAA05886@smtp.hccnet.nl>
List: freebsd-security@FreeBSD.ORG

Snort is probably what you're looking for. I wouldn't recommend running portsentry, as it can lead to a fairly dangerous DoS. Tripwire and AIDE are good products; read up on them to decide.

I think you're going overboard. If you default-deny anything in and have no unsafe things running, what are you worried about? Just tail -f your firewall logs.

----- Original Message -----
From: "Simon Siemonsma"
To: freebsd-security@freebsd.org
Sent: Sunday, January 13, 2002 9:00 PM
Subject: Which intrusion detection to use?

> I have a FreeBSD box at home which I primarily use for internet access.
> All unnecessary daemons are switched off (I have inetd turned off) and I make
> use of IPFW.
> To increase the security even more, I want to add a few things:
> 1. Software that warns me when I'm under attack. I understood Snort is a
> Network-based Intrusion Detection System (NIDS), so not useful on a host.
> What are the alternatives on a host? I did read about portsentry but don't
> understand what the added benefit is over a tightly configured firewall. I
> mean, I use stateful packet filtering, allowing connections to be built up
> from me to the internet and not the other way round. Further, my ports are
> stealthed.
> 2. Software which will detect that I'm hacked. Tripwire is a well-known name,
> but AIDE claims to do more. Integrit claims to be simpler and to focus on the
> essentials.
>
> Does anyone have some recommendations for me?
> Other recommendations to increase my security are also welcome.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
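The advice above (default-deny inbound, then watch the firewall log) is only useful if something actually reads the log. The script below is an added example and not code from either poster: it turns ipfw "Deny" lines into a short per-source summary that flags hosts hitting many distinct ports, which is the kind of host-side "warn me when I'm under attack" signal the question asks about. It assumes (not stated in the thread) that the ruleset ends in a logging deny rule such as `ipfw add 65000 deny log all from any to any in`, and that the kernel writes the usual syslog format `ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>`. The log lines are constructed for a stand-alone run; on a real box pipe `/var/log/security` (or `tail -f` of it) into `denied_sources`.

```shell
#!/bin/sh
# Added example, not from the original thread: summarise inbound ipfw "Deny"
# log lines per source address so a default-deny ruleset's log becomes an
# alert source rather than a raw tail -f stream.
#
# Assumed (hypothetical) ruleset tail:   ipfw add 65000 deny log all from any to any in
# Assumed syslog format (FreeBSD ipfw via syslogd, e.g. /var/log/security):
#   ... kernel: ipfw: <rule> Deny <proto> <src>:<sport> <dst>:<dport> in via <iface>

# Constructed sample log lines so the script runs offline.
SAMPLE_LOG='Jan 13 20:38:15 chaos kernel: ipfw: 65000 Deny TCP 203.0.113.7:4321 192.168.0.56:22 in via fxp0
Jan 13 20:38:16 chaos kernel: ipfw: 65000 Deny TCP 203.0.113.7:4322 192.168.0.56:23 in via fxp0
Jan 13 20:38:17 chaos kernel: ipfw: 65000 Deny TCP 203.0.113.7:4323 192.168.0.56:80 in via fxp0
Jan 13 20:38:18 chaos kernel: ipfw: 65000 Deny UDP 198.51.100.9:53 192.168.0.56:1025 in via fxp0
Jan 13 20:38:19 chaos kernel: ipfw: 100 Accept TCP 192.168.0.56:1026 198.51.100.1:80 out via fxp0
Jan 13 20:38:20 chaos kernel: ipfw: 65000 Deny TCP 203.0.113.7:4324 192.168.0.56:443 in via fxp0'

# denied_sources [MIN_PORTS]
# Reads ipfw log lines on stdin and prints "<hits> <distinct_dst_ports> <src_ip>"
# for every source that was denied inbound on at least MIN_PORTS distinct
# destination ports (default 5), busiest source first. Lines that are not
# inbound denies (accepts, outbound traffic, unrelated syslog) are ignored.
denied_sources() {
    min_ports="${1:-5}"
    awk -v min="$min_ports" '
        {
            # Locate the "ipfw:" token so the syslog prefix length does not matter.
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            if (i > NF) next
            action = $(i + 2); src = $(i + 4); dst = $(i + 5); dir = $(i + 6)
            if (action != "Deny" || dir != "in") next
            split(src, s, ":"); split(dst, d, ":")
            ip = s[1]; dport = d[2]
            hits[ip]++
            key = ip SUBSEP dport
            if (!(key in seen)) { seen[key] = 1; ports[ip]++ }
        }
        END {
            for (ip in ports)
                if (ports[ip] >= min) print hits[ip], ports[ip], ip
        }' | sort -rn
}

# Stand-alone demonstration: flag sources that probed 3 or more ports.
printf '%s\n' "$SAMPLE_LOG" | denied_sources 3
```

With the sample above only 203.0.113.7 (4 denies across ports 22, 23, 80 and 443) clears a threshold of 3; the single UDP deny from 198.51.100.9 and the outbound accept are ignored. Running this from cron over the last rotation of the log, or feeding it `tail -f` output in a loop with a lower threshold, gives the "warn me" behaviour without adding a daemon that listens on the network.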