6

Years back we set up an IDS solution by placing a tap in front of our exterior firewall, piping all the traffic on our DS1 through an IDS box and then sending the results off to a logging server running ACID. This was around 2005-ish. I've been asked to revamp the solution and expand on it and looking around, I see that the last release of ACID was from 2003 and I can't seem to find anything else that seems even remotely up-to-date. While these things may be feature complete, I worry about library conflicts, etc. Can anyone give me suggestions for a Linux/OpenBSD based solution using somewhat modern tools?

Just to be clear, I know that Snort is still actively developed. I guess I'm more in the market for a modern open-source web console to consolidate the data. Of course if people have great experiences with IDSes other than Snort I'm happy to hear about it.

Josh Brower
MattC

3 Answers

5

I think the best open source combinations are:

For NIDS: Snort with BASE for the web ui

For HIDS: OSSEC

I also use OSSEC to consolidate the NIDS data into a single place (like a SIEM, OSSEC does log analysis, file integrity checking and rootkit detection).

Links: http://www.snort.org http://www.ossec.net http://base.secureideas.net/

sucuri
1

You can use an open-source and free solution based on Prelude-IDS http://www.prelude-ids.com/

  • Prelude IDS is a SIM (Security Information Management) system / IDS Framework.

  • Snort can be used as NIDS

  • Prelude LML as HIDS: rulesets for SSH, Cisco PIX, Netfilter IPFW, Postfix, Sendmail...

  • Prewikka is the official Prelude User Interface: Web GUI based on Python => https://dev.prelude-ids.com/wiki/prelude/ManualPrewikka

Foxy
1

OSSIM.

OSSIM consolidates all that kind of stuff. OSSEC, Snort, etc.

Open source & Free.

OSSIM has the following software components:

Arpwatch – used for MAC anomaly detection.
P0f – used for passive OS detection and OS change analysis.
Pads – used for service anomaly detection.
Nessus – used for vulnerability assessment and for cross correlation (IDS vs Security Scanner).
Snort – the IDS, also used for cross correlation with Nessus.
Spade – the statistical packet anomaly detection engine. Used to gain knowledge about attacks without signatures.
Tcptrack – used for session data information which can prove useful for attack correlation.
Ntop – which builds an impressive network information database from which we can identify aberrant behavior/anomaly detection.
Nagios – fed from the host asset database, it monitors host and service availability information.
Osiris – a great HIDS.
OCS-NG – cross-platform inventory solution.
OSSEC – integrity, rootkit, registry detection, and more.

http://www.alienvault.com/community.php?section=Home

-Josh

Josh Brower
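Two of the answers above touch the same practical step: sucuri feeds Snort alerts into OSSEC to consolidate the NIDS data, and Josh's OSSIM list mentions cross-correlating Snort alerts against Nessus results so that an alert aimed at a host that is actually vulnerable ranks higher. The script below is an added example, not code from Snort, OSSEC or OSSIM. It parses Snort's `alert_fast` output format (IPv4 only, Snort 2.x layout assumed), drops lines that do not parse, and then marks each alert as confirmed when the destination host and port carry the scanner finding that the rule targets. The sample alert lines, the local rule SIDs 1000001 and 1000002, the scanner inventory and the SID-to-finding mapping are all constructed for illustration; in OSSIM that mapping is maintained by the product, here it is a hand-written dictionary.

```python
"""Added example (not code from Snort, OSSEC or OSSIM): parse Snort
alert_fast lines and cross-correlate them with scanner findings."""
import re
from collections import Counter

# Snort alert_fast layout (assumption: Snort 2.x default output, IPv4 only):
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src[:sport] -> dst[:dport]
# The Classification field is absent when the rule has no classtype; ICMP lines carry no ports.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alert file. SIDs 1000001/1000002 are made-up local rules;
# the last line is deliberately malformed to show that bad lines are skipped.
SAMPLE_ALERTS = """\
01/15-10:22:33.123456  [**] [1:1000001:1] LOCAL MSSQL sa login brute force [**] [Classification: Attempted User Privilege Gain] [Priority: 2] {TCP} 203.0.113.5:51234 -> 192.168.1.20:1433
01/15-10:22:34.000001  [**] [1:1000001:1] LOCAL MSSQL sa login brute force [**] [Classification: Attempted User Privilege Gain] [Priority: 2] {TCP} 203.0.113.5:51235 -> 192.168.1.21:1433
01/15-10:23:01.555555  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.5 -> 192.168.1.20
01/15-10:24:10.000000  [**] [1:1000002:1] LOCAL SMB null session attempt [**] [Priority: 3] {TCP} 198.51.100.7:4444 -> 192.168.1.20:445
this line is not a Snort alert
"""

# Constructed scanner inventory: host -> {(port, finding_id)}. Stands in for
# the scanner results OSSIM correlates against; the finding ids are invented.
SCAN_FINDINGS = {
    "192.168.1.20": {(1433, "mssql-weak-sa-password"), (445, "smb-null-session")},
    "192.168.1.21": {(80, "outdated-apache")},
}

# Constructed mapping from Snort sid to the scanner finding the rule targets.
SID_TO_FINDING = {1000001: "mssql-weak-sa-password", 1000002: "smb-null-session"}


def parse_fast_alert(line):
    """Return a dict for one alert_fast line, or None if it does not parse."""
    m = FAST_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"], "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
        "msg": d["msg"], "classification": d["cls"], "priority": int(d["prio"]),
        "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
    }


def parse_alert_file(text):
    """Parse every line; unparseable lines are dropped rather than aborting the run."""
    alerts = []
    for line in text.splitlines():
        a = parse_fast_alert(line.strip())
        if a is not None:
            alerts.append(a)
    return alerts


def correlate(alerts, findings, sid_to_finding):
    """Flag alerts whose destination host (and port, when present) has the
    scanner finding the rule targets. Snort priority 1 is the most severe, so a
    confirmed hit is raised to 1; everything else keeps the rule's priority."""
    out = []
    for a in alerts:
        wanted = sid_to_finding.get(a["sid"])
        hits = findings.get(a["dst"], set())
        confirmed = wanted is not None and any(
            fid == wanted and (a["dport"] is None or port == a["dport"])
            for port, fid in hits
        )
        out.append(dict(a, confirmed=confirmed,
                        effective_priority=1 if confirmed else a["priority"]))
    return out


def summarize(alerts):
    """Consolidation view: counts per (sid, msg) and per source address."""
    by_sig = Counter((a["sid"], a["msg"]) for a in alerts)
    by_src = Counter(a["src"] for a in alerts)
    return by_sig, by_src


if __name__ == "__main__":
    parsed = parse_alert_file(SAMPLE_ALERTS)
    for a in correlate(parsed, SCAN_FINDINGS, SID_TO_FINDING):
        tag = "CONFIRMED" if a["confirmed"] else "unconfirmed"
        print(f"{a['ts']} prio={a['effective_priority']} {tag:11} sid={a['sid']} "
              f"{a['src']} -> {a['dst']}:{a['dport']} {a['msg']}")
    by_sig, by_src = summarize(parsed)
    print("top signatures:", by_sig.most_common(3))
    print("top sources:", by_src.most_common(3))
```

Point the script at a real `alert` file written by Snort's `alert_fast` output plugin and the parser works unchanged; only the inventory and mapping need to come from your scanner. If you go the route sucuri describes, OSSEC can read the same file itself through a `<localfile>` entry whose `log_format` is `snort-fast` (or `snort-full` for the multi-line format), so the parsing above is only needed where you want your own correlation step in front of the console.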