Intrusion Detection System

FredrikN · 03-19-2007, 02:20 PM

Hello all GNU/Linux users.

I'm a student and I'm doing an research about Open Source Host Intrusion Detection Systems and usability.

The work is almost done but I also want to do an quick(9 questions) survey online so I can compare it with my result.

The paper is limited to open source intrusion detection systems.

Please take a minute and make an contribution to this paper if your are using or have been using any system below.

*FCheck
*serverM
*AIDE
*Swatch

Thanks.

http://www.thegate.nu/idssurvey/

anomie · 03-19-2007, 02:49 PM

How can anyone contribute when http traffic is filtered on thegate.nu?

edit2:

Code:

[hector@troy ~]$ host thegate.nu
thegate.nu has address 208.69.32.130
thegate.nu mail is handled by 10 www.thegate.nu.
thegate.nu mail is handled by 10 mail.thegate.nu.

[hector@troy ~]$ host www.thegate.nu
www.thegate.nu has address 83.253.117.18

[hector@troy ~]$ nmap -P0 208.69.32.13 -p 80

Starting Nmap 4.20 ( http://insecure.org ) at 2007-03-19 14:54 CDT
Interesting ports on bld3.ash.opendns.com (208.69.32.13):
PORT   STATE  SERVICE
80/tcp closed http

Nmap finished: 1 IP address (1 host up) scanned in 0.190 seconds

[hector@troy ~]$ nmap -P0 83.253.117.18 -p 80

Starting Nmap 4.20 ( http://insecure.org ) at 2007-03-19 14:54 CDT
Interesting ports on c83-253-117-18.bredband.comhem.se (83.253.117.18):
PORT   STATE    SERVICE
80/tcp filtered http

Nmap finished: 1 IP address (1 host up) scanned in 12.061 seconds

I can't access the survey from either. Happy to contribute if you can allow access.

FredrikN · 03-19-2007, 03:05 PM

Hello
Very strange, I'm not blocking anything on port 80.

I'm running Apache and my access.log is full of visitors.

What's your IP ?, maybe there is something wrong with you dns ?

Or maybe problem with my isp

anomie · 03-19-2007, 03:19 PM

Maybe your ISP is filtering IPs from Texas.

I think my DNS should be ok - I'm actually using the opendns.com nameservers.

My ISP won't give me information about the DHCP ranges they give out to clients (no matter how much I bother them) but it seems to consist of ranges within a number of class A networks following 66.x.x.x - 71.x.x.x.

Anyway, good luck with your survey. Sorry I can't contribute.

FredrikN · 03-19-2007, 03:21 PM

Quote:

Originally Posted by anomie

Maybe your ISP is filtering IPs from Texas.

I think my DNS should be ok - I'm actually using the opendns.com nameservers.

My ISP won't give me information about the DHCP ranges they give out to clients (no matter how much I bother them) but it seems to consist of ranges within a number of class A networks following 66.x.x.x - 71.x.x.x.

Anyway, good luck with your survey. Sorry I can't contribute.

Ok, thanks anyway.

OlRoy · 03-19-2007, 03:21 PM

The site works fine for me, but I haven't used any of those HIDS before so I didn't do the survey.

nx5000 · 03-19-2007, 03:46 PM

You should put "others" in ids because you don't mention tools like samhain for example.

OlRoy · 03-19-2007, 04:12 PM

Quote:

Originally Posted by nx5000

You should put "others" in ids because you don't mention tools like samhain for example.

Yeah I think Samhain and OSSEC are much more popular than some of the other choices too.

FredrikN · 03-23-2007, 01:54 AM

Quote:

Originally Posted by nx5000

You should put "others" in ids because you don't mention tools like samhain for example.

Hello. If I make any changes after the survey start it can corrupt the result.