IDS mailing list archives
RE: Best Host IDS Tools
From: "Rob Shein" <shoten () starpower net>
Date: Wed, 25 Dec 2002 21:09:18 -0500
Well, chkrootkit isn't an IDS, or anything like it, for one... you run it to check for the presence of certain known rootkits. It doesn't sit around, and it doesn't detect intrusions in and of themselves (or attempts to intrude). Snort isn't a host-based IDS either; it's network-based only. While it can be used on the web server and set up not to act promiscuously, I would not consider it to be a host-based IDS any more than I would any other network IDS that was set up in the same fashion. AIDE sounds pretty good, but I have no experience with it. Upon looking at their website today, I noticed the following under the "Mirrors" section of their page: "Currently there are no mirrors. The version at ftp.linux.hr is hacked." This is not something that gives me a warm and fuzzy feeling with respect to trust in competence. Tripwire, albeit less functional as a free program, is well-known and well tested, and familiarity with it is widespread in case you need further assistance. Have you considered any other options, like open-source hybrid systems that include a host-monitoring component, or other open-source HIDS (of which there are many)?
-----Original Message-----
From: frank [mailto:chocobofrank () HOTMAIL COM]
Sent: Monday, December 23, 2002 11:37 PM
To: focus-ids () securityfocus com
Subject: Best Host IDS Tools

I have just set up my Web server on the Solaris platform and am planning to deploy a freeware IDS. Now I am evaluating the IDS tools below:

AIDE
Snort
Tripwire
Chkrootkit

and would like to have comments from everyone on which is the best IDS tool, or what is the best combination so that I can mix them together to form a more complete IDS-enabled environment. Or is there any other better free IDS tool available?

Below are the criteria of my evaluation:

1. CPU Loading/Utilization - Is the IDS resource hungry?
2. Disk Consumption - Is too much log generated?
3. Usability - Is the IDS easy to configure and reconfigure? Or does it take days in order to configure it properly?
4. Completeness - Can the IDS detect most intrusions?
5. Extendability - Can the IDS detect new intrusions?

Any comments are much appreciated.

Frank
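Rob's distinction above (chkrootkit looks for known rootkits, Snort watches the wire, Tripwire and AIDE watch the host's own files) comes down to what a file-integrity checker does: take a baseline of per-file attributes, then re-scan and diff. The following is an added illustration for this thread, not code from AIDE, Tripwire or any poster; it runs over a constructed throwaway document root, and the real tools additionally record inode, link count and timestamps and keep the baseline off-box or read-only.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def fingerprint(path: Path) -> dict:
    """Per-entry record: content hash, permission bits, owner, size."""
    st = path.lstat()
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
    elif stat.S_ISLNK(st.st_mode):
        h.update(os.readlink(path).encode())  # a link's "content" is its target
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "size": st.st_size}

def build_baseline(root) -> dict:
    """Fingerprint every file and symlink below root, keyed by relative path."""
    root = Path(root)
    return {str(Path(d, f).relative_to(root)): fingerprint(Path(d, f))
            for d, _dirs, files in os.walk(root) for f in files}

def compare(baseline: dict, current: dict) -> dict:
    """Paths added, removed and modified (with the attributes that changed)."""
    modified = {}
    for path in baseline.keys() & current.keys():
        changed = [k for k in baseline[path] if baseline[path][k] != current[path][k]]
        if changed:
            modified[path] = changed
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "modified": modified}

def demo() -> dict:
    """Constructed scenario on a throwaway document root (not a real server)."""
    root = Path(tempfile.mkdtemp())
    (root / "cgi-bin").mkdir()
    (root / "index.html").write_text("<h1>hello</h1>")
    (root / "cgi-bin" / "form.cgi").write_text("#!/bin/sh\n")
    (root / "robots.txt").write_text("User-agent: *\n")
    baseline = build_baseline(root)          # in real use, stored offline/read-only
    (root / "index.html").write_text("<h1>changed</h1>")  # content and size change
    (root / "cgi-bin" / "form.cgi").chmod(0o755)          # only mode changes
    (root / "upload.php").write_text("<?php ?>")          # added
    (root / "robots.txt").unlink()                        # removed
    return compare(baseline, build_baseline(root))
```

The report from `demo()` names each added and removed path and, for modified ones, which attribute moved, which is the signal a host-based checker raises on a scheduled re-scan.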