
Re: Recommend good IDS? was Re: /dev/shm/r?



Hi,

If you run a large number of hosts, I suggest samhain.
You have many features built in (monitoring of files, system.map
alteration, suid bits, append-only log files, etc.).
It works on a client/server model (a server that centralizes the hosts'
integrity databases).

Communications are secure (AES for ciphering and SRP for authentication).

The deployment procedure is very convenient: you can build samhain
instances on dedicated machines and deploy them on the network with a
single script. Everything is done over SSH.

Give it a try ;-)

Resource: http://la-samhna.de/samhain/


2009/6/3 Jeremy Melanson <jmelanson@systemhalted.com>:
> I really like OSSEC. It's licensed under GPL V3. The agent runs on multiple
> platforms. It's easy to install, relatively easy to configure.
> The agent is a self-contained HIDS, rootkit detector, log and file monitor.
> It can also decode Snort, Cisco PIX/ASA, IPTables, and a whole lot of
> other logs. This means that it can act as a centralized security monitoring
> and alerting system.
> There are tons of other features that I'm not going to mention here.
>
> Oh yeah, and you can get commercial support for it if needed.
>
> -----
> Jeremy Melanson
>
>
> On Wed, 2009-06-03 at 10:14 -0700, Rick Moen wrote:
>
> Quoting Boyd Stephen Smith Jr. (bss@iguanasuicide.net):
>
>> I inherited a tripwire installation at some point.  It was one mail message
>> per day (and if you didn't get that message you knew something was wrong).
>>
>> It required a bit of tuning to not report errors regularly, but once I spent
>> that time it was fairly hands-off.
>
> One way to use Tripwire in conjunction with a slightly more modern and
> lightweight file-based IDS alongside it:
> http://linuxgazette.net/issue98/moen.html
>
> (That article is not, however, a comparative review, which is apparently
> what the original poster is seeking.)
>
> --
> Cheers,                      Notice:  The value of your Hofstadter's Constant
> Rick Moen                    (the average amount of time you spend each month
> rick@linuxmafia.com          thinking about Hofstadter's Constant) has just
> McQ!  (4x80)                 been adjusted upwards.
>
>
>
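As an added illustration (not code from samhain, OSSEC, Tripwire or anyone in this thread) of the checks a file-based host IDS performs: a baseline of content hash and mode per file, detection of a newly set suid bit, and an append-only rule for log files that tolerates growth but flags truncation or rewriting. File names and contents in `demo()` are constructed for the example.

```python
import hashlib
import os
import stat
import tempfile

def file_record(path):
    """What a file-integrity checker stores per file: content hash, permission bits, size."""
    st = os.lstat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"sha256": digest, "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}

def build_baseline(paths):
    """Snapshot the trusted state; a real IDS would store this off-host."""
    return {p: file_record(p) for p in paths}

def prefix_digest(path, length):
    """Hash only the first `length` bytes, so an appended-to file still matches its old digest."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read(length)).hexdigest()

def check(baseline, append_only=()):
    """Compare current filesystem state with the baseline; return (path, finding) tuples."""
    findings = []
    for path, old in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        new = file_record(path)
        if (new["mode"] & stat.S_ISUID) and not (old["mode"] & stat.S_ISUID):
            findings.append((path, "suid bit added"))
        elif new["mode"] != old["mode"]:
            findings.append((path, "mode changed"))
        if path in append_only:
            # Logs may grow, but the bytes recorded at baseline time must be unchanged.
            if new["size"] < old["size"] or prefix_digest(path, old["size"]) != old["sha256"]:
                findings.append((path, "append-only file truncated or rewritten"))
        elif new["sha256"] != old["sha256"]:
            findings.append((path, "content changed"))
    return findings

def demo():
    """Constructed scenario: baseline a script and a log, then tamper and re-check."""
    d = tempfile.mkdtemp()
    script, log = os.path.join(d, "tool.sh"), os.path.join(d, "app.log")
    with open(script, "wb") as f: f.write(b"#!/bin/sh\necho hi\n")
    os.chmod(script, 0o755)
    with open(log, "wb") as f: f.write(b"line1\n")
    baseline = build_baseline([script, log])
    os.chmod(script, 0o4755)                            # suid set, content untouched
    with open(log, "ab") as f: f.write(b"line2\n")      # legitimate append: no finding
    after_append = check(baseline, append_only={log})
    with open(log, "wb") as f: f.write(b"wiped\n")      # same size, history destroyed
    after_truncate = check(baseline, append_only={log})
    return after_append, after_truncate
```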

