Ids?

zuessh · 04-24-2003, 02:17 PM

Any suggestions on a simple IDS app? Nothing too fancy or detailed. I have a ftp box set up in a dmz and would like to see just the basic traffic that comes and goes, identifying thing like port scan and the such would be nice but not necessary. BTW im using slack and proftp. Thx

Capt_Caveman · 04-24-2003, 05:17 PM

If you just want to monitor traffic, try ethereal/tcpdump. It's pretty simple to setup and even easier to use. If you want an IDS to actually detect intrusions (file alterations), tripwire is pretty simple to install. Unfortunately the default config has entries for almost everything so you'll have to modify the tripwire config file. www.linuxsecurity.com has some others under the packetstorm section.

unSpawn · 04-25-2003, 03:11 AM

Or if you don't want/need to inspect packets contents, why not use your fw with just a few LOG target rules.

AFAIK tripwire ain't (N)IDS, but a filesystem integrity checker like Aide, Samhain, Osiris, Integrit etc etc.

zuessh · 04-25-2003, 08:27 AM

I told wrong. this box is actually suse 8.0, which comes with a firewall. I've never used this firewall, from others experience will this basically do the trick? Changing what I posted earlier, I would like to know if I am being attacked, but again nothing too detailed or fancy. Thanks for the help.

unSpawn · 04-25-2003, 09:20 AM

Oh well. If you want attack logging, dependant on your definition of that tho, and "nothing too detailed or fancy" why not just run Snort, and disable all the preprocessors and rulesets you don't want to have alerts for?

zuessh · 04-25-2003, 09:42 AM

I know snort is ultimately the answer but it seems here lately that snort has had several vulns. In your opion if it is safe enough I will go ahead and try it.

unSpawn · 04-25-2003, 12:18 PM

I'd say go ahead, but go for Snort-2.0x.
If you have questions about Snort configuration, just ask (but plz RTM first) and if you still think running Snort is a major risk you could try running it from a chroot.

Also plz note the 1st thread of this forum has a section on IDSes with much nfo on Snort.

zuessh · 04-25-2003, 01:30 PM

thx, you da' man... even way back from the linuxbox days...

Capt_Caveman · 04-25-2003, 02:32 PM

From www.tripwire.org:

"Tripwire is originally known as an intrusion detection tool, but can be used for many other purposes such as integrity assurance, change management, policy compliance and more."

You do have a point though, that tripwire can only detect file alteration and therefore is much more limited in it's ability to detect intrusions. But often intrusions=file alteration, so I still think it's a useful tool to have around.

unSpawn · 04-26-2003, 05:48 AM

thx, you da' man... even way back from the linuxbox days...
LOL, you remembered.... Seems like ages ago.

From www.tripwire.org:
"Tripwire is originally known as an intrusion detection tool, but can be used for many other purposes such as integrity assurance, change management, policy compliance and more."

Yeah, you're right to quote that, tho I never questioned tripwire's value or usefulness. I'll just say to me the acronym IDS is a bit misleading labelling this type of app. IMHO it would be less confusing if these apps where labelled as "filesystem integrity detection systems". I just hope ppl don't rely on this (passive detection method) as their sole means of detecting changes...