IDS mailing list archives
RE: NIDS and HIDS
From: "Chris Petersen" <chris.petersen () security-conscious com>
Date: Thu, 2 Dec 2004 08:33:42 -0700
***** VENDOR RESPONSE ******

As some of the responses to your post mentioned, you might consider using a Security Event Management product combined with open-source tools to meet your end needs. I can't speak to other SIM/SEM capabilities, but with our product (LogRhythm) you could:

- Use open source Snort on Linux for NIDS. SEM Agent can forward logs encrypted or forward to SEM Syslog server
- Use SEM agents to collect logs from servers
- Use SEM agent to collect logs written to flat file
- Use SEM agent to remotely pull Windows Event Logs
- Use SEM agent to perform file integrity and system monitoring
- Forward logs from syslog and SNMP reporting devices (e.g., routers, switches, firewalls) to SEM Syslog/SNMP server

Most SEMs have some or all of the above capabilities. Where many of them differ is in how they manage the logs. Many SEMs don't do much with the raw log data other than determine if it is an event or not. In many cases, if it's not an event, the log is thrown away. We have taken a different approach in that we have separated log management from event identification/management. Logs are stored at one level, analyzed, and if matching a rule, forwarded as an event. The advantage of this approach is that you maintain all log data for analysis purposes, but only high-risk logs (as determined by the user) are forwarded as events. Our customers have found this architecture extremely useful since it allows them to "turn up" their IDS sensors, since they can filter the alarms at the log management level and only forward high-value alarms as events. This way they are able to collect all the noisy, high-false-positive and/or forensic alarms without inundating the event manager with too much noise. If they need to investigate something, they can pull other non-forwarded IDS alarms (and other non-forwarded logs) from the log management layer.

I think the bottom line is that if you are looking at performing network monitoring across NIDS, HIDS, and logs, you might want to start at the center (the SEM) and move outward (the collectors). IMO, NIDS/HIDS/logs are most valuable when they can be effectively and timely monitored and analyzed. Having spent the last two years building a SEM, this is not something to take lightly in putting together yourself via a syslog server and MySQL. The process of collecting, parsing, and normalizing logs from devices reporting in non-standard formats into a usable report/monitoring format, and then developing the monitoring/reporting tools, is not trivial; you can probably count on 1 person, full time for the next 12 months for engineering alone. I think by beginning with the SEM you might be able to combine your existing investment in security technologies with open-source to have a more effective and less expensive end solution.

Chris Petersen
President/CTO, Security Conscious, Inc.
www.logrhythm.com

-----Original Message-----
From: Youngquist, Jason R. [mailto:jryoungquist () ccis edu]
Sent: Monday, November 29, 2004 1:49 PM
To: Focus IDS List
Subject: NIDS and HIDS

I just recently started a new job as a network security analyst and one of my projects is to implement an intrusion detection system. I've been doing some research and perusing the listserv archives and was wondering if anyone had any thoughts/opinions.

For NIDSs, I've been looking at SourceFire's commercialized version of Snort, Cisco's IDS appliances, and McAfee's IntruShield.

For HIDSs, there appear to be three main categories: monitoring the host's file system, the host's network connections, and the host's log files.

--Host's file system: I'm looking at Tripwire Manager, Tripwire for Servers, and Tripwire for Network Devices.

--Host's network connections: I'm looking for an enterprise-wide solution that we can roll out to all the Windows XP machines and centrally manage. Since we already use Symantec for anti-virus, Symantec's Client Security 2.0 seems to incorporate a centrally managed personal firewall, HIDS, and anti-virus capability.

--Host's log files: I'm looking at implementing a centralized syslog/syslog-ng server on a Linux box and having all Windows XP boxes and network devices log to it. I'd also stick the data into a MySQL database to allow for easy querying.

I'd like to have an analysis program that would take data from the NIDS, HIDS, syslog, and Tripwire logs, put it all together, and be able to give me some useful charts and graphical summaries so management can see that their money was well spent in securing the organization's infrastructure.

Thanks.
Jason Youngquist

--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
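The two-tier design Chris describes (keep every log in a log management layer, promote only rule-matching high-risk logs to events, pull the rest back when investigating) and the parsing/normalization work Jason would otherwise have to build himself, shown as an added example that is not LogRhythm's code or anything from this thread. The Snort syslog alert format is real; the sample lines, the rule thresholds and the function names are constructed for illustration.

```python
import re

# Constructed sample input: three Snort alerts via syslog and one firewall line in an
# unrelated format, standing in for the mixed feeds a syslog collector receives.
SAMPLE_LOGS = [
    "Dec  2 08:30:01 sensor1 snort[1234]: [1:2000000:1] ICMP PING NMAP [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.1",
    "Dec  2 08:30:02 sensor1 snort[1234]: [1:1000001:1] WEB-IIS cmd.exe access "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:4455 -> 10.0.0.7:80",
    "Dec  2 08:30:03 sensor1 snort[1234]: [1:2000000:1] ICMP PING NMAP [Priority: 3] {ICMP} 10.0.0.6 -> 10.0.0.1",
    "Dec  2 08:30:04 fw1 %PIX-4-106023: Deny tcp src outside:10.0.0.9/3344 dst inside:10.0.0.7/25",
]

# Snort's syslog alert layout: [gid:sid:rev] msg [Classification: ...] [Priority: N] {proto} src -> dst
SNORT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: [^\]]+\] )?\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

def normalize(line):
    """Log layer: every line is retained; Snort alerts gain structured fields, others stay raw."""
    rec = {"raw": line, "source": "snort" if "snort[" in line else "other"}
    m = SNORT_RE.search(line)
    if m:
        rec.update(m.groupdict())
        rec["prio"] = int(rec["prio"])
    return rec

def is_event(rec):
    """Hypothetical user-defined rules deciding which stored logs are forwarded as events."""
    if rec.get("source") != "snort" or "sid" not in rec:
        return False
    if rec["sid"] == "2000000":   # noisy scan probe: kept in the log layer, never forwarded
        return False
    return rec["prio"] <= 1       # only high-risk alarms reach the event manager

def ingest(lines):
    store = [normalize(line) for line in lines]   # log management layer: everything
    events = [r for r in store if is_event(r)]    # event management layer: filtered subset
    return store, events

def pull(store, **fields):
    """Forensic pull from the log layer, including alarms that were never forwarded."""
    return [r for r in store if all(r.get(k) == v for k, v in fields.items())]

if __name__ == "__main__":
    store, events = ingest(SAMPLE_LOGS)
    print(len(store), "logs stored,", len(events), "forwarded as events")
    print("history for 10.0.0.5:", [r.get("msg", r["raw"]) for r in pull(store, src="10.0.0.5")])
```

With the sample input, all four lines are stored but only the priority-1 alert becomes an event; the investigator can still retrieve the suppressed NMAP probe from the same source address from the log layer.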
Current thread:
- Re: NIDS and HIDS Bastian Ballmann (Dec 01)
- <Possible follow-ups>
- Re: NIDS and HIDS Karel Chwistek (Dec 01)
- Re: NIDS and HIDS Jason Haar (Dec 02)
- Re: NIDS and HIDS Matthew Romanek (Dec 03)
- open source ids list for implementation gaurav_jindal (Dec 07)
- Re: NIDS and HIDS Jason Haar (Dec 02)
- Re: NIDS and HIDS Matthew Romanek (Dec 01)
- RE: NIDS and HIDS Timm, Kevin (Dec 02)
- RE: NIDS and HIDS Chris Petersen (Dec 02)
- Re: NIDS and HIDS KC (Dec 06)
- Re: NIDS and HIDS Martin Mkrtchian (Dec 08)
- RE: NIDS and HIDS Maynor, David (ISS Atlanta) (Dec 09)