3

We need to set up an intrusion detection system (IDS) on our Linux proxy server. Please suggest intrusion detection systems? Anything other than Snort?

And ... does Snort have a good web interface?

nitins
  • "good" is a relative term...what do you mean by "good"? I don't think snort itself has a web interface, but there are third party programs that can interface to the logs and stats and manage the configuration, as I recall. – Bart Silverstrim May 25 '10 at 12:50

5 Answers

4

Your question is rather ambiguous. I've answered a similar ambiguous question here:

Comparison of Firewall, Intrusion Prevention, Detection and Antivirus Technologies in Organizational Network Architecture

SNORT is pretty much the de facto standard for open source network-based IDS. The Wikipedia page lists others as well. There's a variety of front-ends for SNORT. An open source one is BASE, and Sourcefire, the company that owns SNORT, sells a commercial one.

Warner
3

For just network monitoring or intrusion on the system? A file integrity scanner can be beneficial, but it takes work to maintain as it needs updating each time you update the system and needs a bit of initial tuning. See the Open Source Tripwire page for information on that.

Wikipedia has some links to IDS systems as well.

Bart Silverstrim
3

I used OSSEC HIDS. Basically, it checks file integrity (/etc/passwd, ...) and parses log files (syslog, auth.log, ...). It has a usable web interface and email notification. But nothing special, I guess.

Regards,

Martin

mkudlacek
  • I use OSSEC quite a bit and I really like it. Fairly easy to set up, and you can have your agents report to one central location if you have multiple proxies, or do a stand-alone install. It has some default rules that detect attacks/errors but also allows you to create as many rules as you want and modify the current rule set. –  May 25 '10 at 14:52
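The two things the Tripwire and OSSEC answers above describe, a file-integrity baseline that is re-checked after changes and a parser that counts failed logins out of auth.log, shown as an added Python example. This is not code from the thread, from Tripwire or from OSSEC; the file names, directory and log lines are constructed for the demo (203.0.113.7 and 198.51.100.4 are documentation addresses), and the threshold of three failures is an arbitrary choice.

```python
"""Minimal host-based integrity and log checks, in the spirit of Tripwire/OSSEC."""
import hashlib
import os
import re
import tempfile
from collections import Counter


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths):
    """Map each existing regular file to (sha256, permission bits, size)."""
    baseline = {}
    for p in paths:
        if os.path.isfile(p):
            st = os.stat(p)
            baseline[p] = (sha256_file(p), st.st_mode & 0o7777, st.st_size)
    return baseline


def compare_baselines(old, new):
    """Report added, removed and modified paths; 'modified' covers content or mode changes."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p][:2] != new[p][:2])
    return {"added": added, "removed": removed, "modified": modified}


# sshd "Failed password" lines, with or without the "invalid user" prefix.
AUTH_FAIL = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def failed_logins_by_source(lines, threshold=3):
    """Count sshd failed-password events per source IP and return those at or over threshold."""
    counts = Counter()
    for line in lines:
        m = AUTH_FAIL.search(line)
        if m:
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample auth.log lines (not captured from any real host).
SAMPLE_AUTH_LOG = [
    "May 25 12:01:02 proxy sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 52222 ssh2",
    "May 25 12:01:05 proxy sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 52223 ssh2",
    "May 25 12:01:09 proxy sshd[4103]: Failed password for root from 203.0.113.7 port 52230 ssh2",
    "May 25 12:01:14 proxy sshd[4103]: Failed password for root from 203.0.113.7 port 52231 ssh2",
    "May 25 12:02:00 proxy sshd[4110]: Failed password for bob from 198.51.100.4 port 40001 ssh2",
    "May 25 12:02:30 proxy sshd[4112]: Accepted publickey for bob from 198.51.100.4 port 40002 ssh2",
]


def demo():
    """Take a baseline of a constructed /etc-like directory, change it, and diff the two."""
    with tempfile.TemporaryDirectory() as d:
        passwd, shadow, sudoers = (os.path.join(d, n) for n in ("passwd", "shadow", "sudoers"))
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(shadow, "w") as f:
            f.write("root:*:18000:0:99999:7:::\n")
        watched = [passwd, shadow, sudoers]
        before = build_baseline(watched)

        # Simulated drift: an account appended, shadow deleted, sudoers created.
        with open(passwd, "a") as f:
            f.write("svc:x:1001:1001::/home/svc:/bin/sh\n")
        os.remove(shadow)
        with open(sudoers, "w") as f:
            f.write("svc ALL=(ALL) NOPASSWD: ALL\n")
        after = build_baseline(watched)

        changes = {k: [os.path.basename(p) for p in v]
                   for k, v in compare_baselines(before, after).items()}
    return {"changes": changes, "alerts": failed_logins_by_source(SAMPLE_AUTH_LOG)}


if __name__ == "__main__":
    print(demo())
```

The baseline itself is the sensitive part of this scheme: if it sits on the monitored host with the same privileges as the files it covers, an intruder can refresh it after tampering, which is why Tripwire signs its database and OSSEC agents report to a central server as the comment above mentions.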
1

I'd say nothing better than command-level settings for security solutions to control everything implemented... though

For a GUI to Snort, there is: http://sguil.sourceforge.net/ . Don't know how good you'll find it, but you can have a look at screenshots @ http://sguil.sourceforge.net/screenshots.html

Other than SNORT, a nice IDS is Bro: http://www.bro-ids.org/

Read a research article on it... has a nice pluggable architecture... works well

AbhishekKr
1

IDS is different from IPS (intrusion protection system). Why the requirement for IDS? Do you plan on reporting attacks or building firewalls to stop dirty network traffic?

Squid and other proxies can be configured to only transfer clean traffic... There are a lot of packets of dirty data floating around on the internet, and a lot of them can be ignored.

Snort with an interface like BASE or ACID uses a lot of CPU cycles, RAM and SQL space (physical storage). If you're dealing with a production-level environment, IDS must be set up correctly or it becomes pointless very quickly.

If you run Snort on your proxy server and the databases and logs are not maintained on a weekly basis, sooner rather than later your proxy server is going to hang from lack of resources.

So say you have a genuine interest in IDS: you will require a serious server, depending on your traffic throughput, to support Squid + Snort + Apache + MySQL + PHP WebGUI together.

A more desirable option would be to set up a dedicated machine with a dedicated monitoring NIC connected to a mirror port on your main switch.

Good luck, IDS is more interesting than useful.

Check out HoneyPot Project and OSSEC

Ash Palmer