On Sat, 6 Jan 2001, bacano wrote:
> Thomas,
> Hi,
> Can you advise us an IDS that doesn't suck?

First you have to answer yourself some questions: What do I want to protect? What attacks (insider, outsider) do I want to detect? How many machines do I want to protect? How much money do I want to spend?

Ok. If it's your home network, then I would advise you to use a packet filter + Snort + a file integrity checker (don't use tripwire, because it's old code) + C(rypted)F(ile)S(ystem) (if needed). Snort is well maintained, so it will become better and better in (relatively) short time intervals.

At my home network, I have an OpenBSD router, which has one interface connected to my internal network and another one connected to a DMZ. The router uses IPFilter for filtering and Snort as NIDS. Snort just listens on the internal interfaces, because I don't want to be alarmed by every stupid attack that ipf is able to block. :-) The DMZ hosts a proxy server (stripped down SuSE 7.0) and a honeypot for detecting and studying attacks. (And an RS/6000, as development machine, but that doesn't matter.) ;)

If you are looking for an IDS for your company, then I would advise you to read the following book:

    Proctor; The Practical Intrusion Detection Handbook; Prentice Hall

It describes the basics of IDS, shows the pros and cons of the different IDS architectures/philosophies, and has a chapter just for describing commercial IDS. There are two other IDS books that I have listed in my 'Book Review' table at my home page (www.suse.de/~thomas).

Bye,
 Thomas

--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de
Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
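The router layout described in the mail (outside interface, DMZ with a proxy and a honeypot, internal LAN, Snort only on the LAN side) can be expressed as an IPFilter ruleset. The ruleset below is an added example and is not Thomas's configuration; the interface names (ext0, dmz0, int0), the RFC 1918 address ranges, the proxy port 3128 and the honeypot address are all assumptions chosen for illustration. It uses first-match ("quick") rules, so the pass rules must precede the catch-all blocks. NAT for the private ranges (ipnat) is deliberately left out.

```conf
# /etc/ipf.rules  --  added example, not from the original mail
# Assumed topology:
#   ext0  Internet-facing interface
#   dmz0  192.168.2.0/24  (proxy 192.168.2.2, honeypot 192.168.2.3)
#   int0  192.168.1.0/24  (LAN; Snort listens here)
# IPFilter syntax as shipped with OpenBSD in early 2001 (pre-pf).

# Anti-spoofing: private ranges must never arrive from the outside
block in log quick on ext0 from 192.168.0.0/16 to any
block in log quick on ext0 from 10.0.0.0/8 to any
block in log quick on ext0 from 172.16.0.0/12 to any

# The honeypot is meant to be hit: let everything in, but log every new flow
pass in log quick on ext0 from any to 192.168.2.3 keep state

# Outbound: only the proxy talks HTTP/HTTPS to the Internet on behalf of the LAN
pass out quick on ext0 proto tcp from 192.168.2.2 to any port = 80 flags S keep state
pass out quick on ext0 proto tcp from 192.168.2.2 to any port = 443 flags S keep state
pass out quick on ext0 proto udp from 192.168.2.2 to any port = 53 keep state

# Everything else arriving from the Internet is dropped and logged by ipf,
# so Snort on int0 never has to alert on it
block in log quick on ext0 all
block out log quick on ext0 all

# Inside the router: LAN clients may only reach the proxy port in the DMZ
pass in quick on int0 proto tcp from 192.168.1.0/24 to 192.168.2.2 port = 3128 flags S keep state
block in log quick on int0 all
block in log quick on dmz0 from 192.168.2.0/24 to 192.168.1.0/24
pass in quick on dmz0 all
```

With this in place Snort is started bound to the LAN interface only, for example `snort -D -i int0 -c /etc/snort/snort.conf`, which gives exactly the behaviour the mail describes: ipf's log (ipmon) records what was dropped at the border, and Snort only sees traffic that was actually allowed to reach the inside. Note that the honeypot rule intentionally weakens the DMZ; if the honeypot is compromised, the `block ... on dmz0 ... to 192.168.1.0/24` rule is what keeps it from reaching the LAN, so it should be tested (e.g. with a port scan from the honeypot) rather than assumed.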