IDS mailing list archives

RE: Best Host IDS Tools


From: "Rob Shein" <shoten () starpower net>
Date: Wed, 25 Dec 2002 21:09:18 -0500

Well, chkrootkit isn't an IDS, or anything like it, for one...you run it
to check for the presence of certain known rootkits.  It doesn't sit
around, and it doesn't detect intrusions in and of themselves (or
attempts to intrude).

Snort isn't a host-based IDS either; it's network-based only.  While it
can be used on the web server and set up not to act promiscuously, I
would not consider it to be a host-based IDS any more than I would any
other network IDS that were set up in the same fashion.

AIDE sounds pretty good, but I have no experience with it.  Upon looking
at their website today, I noticed the following under the "Mirrors"
section of their page:

"Currently there are no mirrors. The version at ftp.linux.hr is hacked."

This is not something that gives me a warm and fuzzy feeling with
respect to trust in competence.  Tripwire, albeit less functional as a
free program, is well-known and well tested, and familiarity with it is
widespread in case you need further assistance.

Have you considered any other options, like open-source hybrid systems
that include a host-monitoring component, or other open-source HIDS (of
which there are many)?

-----Original Message-----
From: frank [mailto:chocobofrank () HOTMAIL COM] 
Sent: Monday, December 23, 2002 11:37 PM
To: focus-ids () securityfocus com
Subject: Best Host IDS Tools


I have just set up my Web server on the Solaris platform and am
planning to deploy a freeware IDS. Now I am evaluating the
IDS tools below:
- AIDE
- Snort
- Tripwire
- Chkrootkit

and would like to have comments from everyone on which is
the best IDS tool? Or what is the best combination so that
I can mix them together to form a more complete IDS-enabled
environment? Or are there any other better free IDS tools available?

Below are the criteria of my evaluation.

1. CPU Loading/Utilization - Is the IDS resource hungry?
2. Disk Consumption - Is too much log generated?
3. Usability - Is the IDS easy to configure and reconfigure? Or does it
take days in order to configure it properly?
4. Completeness - Can the IDS detect most intrusions?
5. Extendability - Can the IDS detect new intrusions?

Any comments are much appreciated.

Frank
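The reply above draws a line between a point-in-time rootkit scanner (chkrootkit) and the file-integrity class of host IDS that AIDE and Tripwire belong to, and the original question asks what such tools actually do on a server. The following is an added illustration, not code from this thread, from AIDE or from Tripwire: a minimal integrity checker that records a baseline of SHA-256 digests and a few inode attributes for every regular file under a root, then re-walks the tree and reports what was added, removed or changed. The function names (build_baseline, compare, demo) and the sample tree, which is constructed in a temporary directory, are assumptions made for this example.

```python
"""Minimal file-integrity checker in the style of AIDE/Tripwire (added
example, not code from either project).  Baseline once, re-check later,
report additions, removals and attribute changes."""
import hashlib
import json
import os
import stat
import tempfile


def _fingerprint(path):
    """Content digest plus the metadata a Tripwire-style checker keys on."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "size": st.st_size,
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def build_baseline(root):
    """Walk root and fingerprint every regular file (symlinks are skipped).
    Keys are relative paths with '/' separators so the database is portable."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = _fingerprint(full)
    return baseline


def save_baseline(baseline, db_path):
    """Persist the baseline; a real deployment keeps this copy off-host or read-only."""
    with open(db_path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(db_path):
    with open(db_path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return added/removed paths and, for changed paths, which attributes differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diff = [k for k in baseline[rel] if baseline[rel][k] != current[rel].get(k)]
        if diff:
            changed[rel] = diff
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed sample: baseline a tiny tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as dbdir:
        ls_path = os.path.join(root, "bin", "ls")
        os.makedirs(os.path.dirname(ls_path))
        with open(ls_path, "wb") as f:
            f.write(b"original binary\n")
        with open(os.path.join(root, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/:/bin/sh\n")

        # Baseline taken at install time, before the host is exposed
        db = os.path.join(dbdir, "baseline.json")
        save_baseline(build_baseline(root), db)

        # Simulated tampering after the baseline was recorded
        with open(ls_path, "wb") as f:
            f.write(b"trojaned binary with extra payload\n")
        os.remove(os.path.join(root, "passwd"))
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"dropped file\n")

        # Scheduled re-check: compare the stored baseline with the live tree
        return compare(load_baseline(db), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The report from demo() lists bin/.hidden as added, passwd as removed and bin/ls as changed in sha256 and size. The digest is what catches a same-size replacement that mtime-only checks miss, and the baseline database itself is the weak point of this design: if it is stored writable on the monitored host, an intruder can simply regenerate it, which is why the real tools sign the database or keep it on read-only media.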


