We need to set up an intrusion detection system (IDS) on our Linux proxy server. Please suggest intrusion detection systems. Anything other than Snort?
And ... does Snort have a good web interface?
Your question is rather ambiguous. I've answered a similar ambiguous question here:
SNORT is pretty much the de facto standard for Open Source network-based IDS. The Wikipedia page lists others as well. There's a variety of front-ends for SNORT. An Open Source one is BASE, and Sourcefire, the company who owns SNORT, sells a commercial one.
For just network monitoring or intrusion on the system? A file integrity scanner can be beneficial, but it takes work to maintain as it needs updating each time you update the system and needs a bit of initial tuning. See the Open Source Tripwire page for information on that.
Wikipedia has some links to IDS systems as well.
I used OSSEC HIDS. Basically, it checks file integrity (/etc/passwd, ...) and parses log files (syslog, auth.log, ...). It has a usable web interface and email notification. But nothing special, I guess.
Regards,
Martin
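To make concrete what a host-based IDS of the kind described in this answer actually does, here is an added example (not OSSEC code, and not from any poster in this thread) that performs the two checks in miniature: a file-integrity baseline over monitored files, and a parser that counts failed SSH logins per source address from auth.log-style lines. The monitored files and the log lines are constructed inline in a temporary directory so the script runs offline; the `demo()` function, the `AUTH_FAIL` pattern and the threshold of 3 are my own choices, not OSSEC defaults.

```python
"""Miniature host-based IDS checks: file integrity plus auth-log parsing.

Example code added to this thread; it is not OSSEC. Sample files and log
lines are constructed inside demo() so nothing on the real system is read.
"""
import hashlib
import os
import re
import tempfile
from collections import Counter


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record digest, size and permission bits of each monitored file (known-good state)."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[p] = {"sha256": file_digest(p), "size": st.st_size, "mode": st.st_mode & 0o777}
    return baseline


def check_integrity(baseline):
    """Compare the current state to the baseline; return a list of (path, reason)."""
    findings = []
    for p, expected in baseline.items():
        if not os.path.exists(p):
            findings.append((p, "missing"))
            continue
        st = os.stat(p)
        if (st.st_mode & 0o777) != expected["mode"]:
            findings.append((p, "mode changed"))
        if file_digest(p) != expected["sha256"]:
            findings.append((p, "content changed"))
    return findings


# Matches the OpenSSH "Failed password" message; group 2 is the source IPv4 address.
AUTH_FAIL = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")


def failed_logins(lines, threshold=3):
    """Count failed SSH logins per source IP; return the IPs at or above threshold."""
    counts = Counter()
    for line in lines:
        m = AUTH_FAIL.search(line)
        if m:
            counts[m.group(2)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def demo():
    """Run both checks on constructed data; returns (integrity findings, flagged IPs)."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-ins for /etc/passwd and /etc/shadow.
        passwd = os.path.join(d, "passwd")
        shadow = os.path.join(d, "shadow")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(shadow, "w") as f:
            f.write("root:*:0:0:99999:7:::\n")
        os.chmod(passwd, 0o644)
        os.chmod(shadow, 0o600)
        baseline = build_baseline([passwd, shadow])

        # Simulate tampering after the baseline was taken: an extra UID-0
        # account appended to passwd, and shadow made world-readable.
        with open(passwd, "a") as f:
            f.write("backdoor:x:0:0::/root:/bin/bash\n")
        os.chmod(shadow, 0o644)
        findings = check_integrity(baseline)

    # Constructed auth.log lines (documentation addresses from RFC 5737).
    sample_log = [
        "Jan  1 10:00:01 proxy sshd[1234]: Failed password for root from 203.0.113.5 port 5000 ssh2",
        "Jan  1 10:00:03 proxy sshd[1235]: Failed password for root from 203.0.113.5 port 5001 ssh2",
        "Jan  1 10:00:04 proxy sshd[1236]: Failed password for invalid user admin from 198.51.100.7 port 6000 ssh2",
        "Jan  1 10:00:06 proxy sshd[1237]: Failed password for root from 203.0.113.5 port 5002 ssh2",
        "Jan  1 10:01:00 proxy sshd[1238]: Accepted publickey for martin from 192.0.2.10 port 7000 ssh2",
    ]
    flagged = failed_logins(sample_log)
    return findings, flagged


if __name__ == "__main__":
    integrity, ips = demo()
    for path, reason in integrity:
        print(f"ALERT integrity: {path}: {reason}")
    for ip, n in ips.items():
        print(f"ALERT auth: {n} failed SSH logins from {ip}")
```

The baseline itself must be stored somewhere the monitored host cannot silently rewrite (OSSEC keeps it on the manager for agent installs); an integrity check whose reference state lives next to the files it guards tells you nothing once the host is compromised.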
I'd say nothing is better than command-level settings for security solutions to control everything implemented... though
for a GUI to Snort, there is: http://sguil.sourceforge.net/ Don't know how good you'll find it, but you can have a look at screenshots @ http://sguil.sourceforge.net/screenshots.html
Other than SNORT, a nice IDS is BRO: http://www.bro-ids.org/
Read a research article about it... has a nice pluggable architecture... works well.
IDS is different from IPS (intrusion protection system). Why the requirement for IDS, do you plan on reporting attacks or building firewalls to stop dirty network traffic?
Squid and other proxies can be configured to only transfer clean traffic... There are a lot of packets of dirty data floating around on the internet; a lot of them can be ignored.
Snort with an interface like BASE or ACID uses a lot of CPU cycles, RAM and SQL space (physical storage). If you're dealing with a production-level environment, IDS must be set up correctly or it becomes pointless very quickly.
If you run Snort on your proxy server and the databases and logs are not maintained on a weekly basis, sooner rather than later your proxy server is going to hang from lack of resources.
So, say you have a genuine interest in IDS: you will require a serious server, depending on your traffic throughput, to support Squid + Snort + Apache + MySQL + PHP WebGUI together.
A more desirable option would be to set up a dedicated machine with a dedicated monitoring NIC connected to a mirror port on your main switch.
Good luck, IDS is more interesting than useful.
Check out HoneyPot Project and OSSEC