From owner-freebsd-isp Tue Jan 29 7:38:58 2002
Message-ID: <3C56C20B.70306@emre.de>
Date: Tue, 29 Jan 2002 16:38:51 +0100
From: Emre Bastuz
To: freebsd-isp@freebsd.org
Cc: jim
Subject: Re: Security methods
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk

Hi Jim,

> I would like to get a rough idea as to what people are using for hacker
> detection

There are several software packages out there, but first off you have to decide if you are looking for a network intrusion detection system or a host based intrusion detection system.

A freeware NIDS that's quite popular is Snort: http://www.snort.org. There are commercial NIDS out there, for example NFR (Network Flight Recorder) and RealSecure. Basically these listen on a network interface and compare the collected IP packets with certain rules. If a packet matches a known attacking scheme/rule, an alert is sent out (or at least recorded).

On the other hand, host based intrusion detection systems are installed on a certain host and gather information about the modification time and checksums of vital system files. With a cron job the recorded information is checked against the current modification time and checksums.
If a change has occurred, indicating a compromised system, a message is sent out (or at least recorded :)

The two HIDS that come to my mind are Tripwire (http://sourceforge.net/projects/tripwire/) or AIDE (in the ports collection, /usr/ports/security/aide).

Regards,
Emre

jim wrote:
> Hey Guys,
>
> I would like to get a rough idea as to what people are using for hacker
> detection i.e. port scan logging, deception software, etc. Possibly some
> pointers on recently well written articles.
>
> Thanks in advance.
>
> --
> Jim Weeks
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message

--
Emre Bastuz info@emre.de http://www.emre.de
UIN: 561260 PGP Key ID: 0xEA0E2CA1