LinuxQuestions.org > Forums > Linux Forums > Linux - Software
01-09-2010, 08:37 PM   #1
mike2010 (Member)

Snort or OSSEC? (IDS)


It seems like these are the two popular ones out there these days.

Trying to figure out which Intrusion Detection System would be best for me.

I've got a CentOS 5 / Linux / Apache system.

If you've got experience with either (or both), please let me know your thoughts.

I'm looking for the one that's not as technical, and a bit more user friendly, I guess.

Thx

MB
 
01-10-2010, 04:47 PM   #2
esaym (Member, Distribution: Lots of Debian)
I just used psad because I only wanted to block people that port scan. Snort just takes too much time for me to eliminate false positives. Plus it only alerts, it doesn't block.

http://cipherdyne.org/psad/
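What psad does with the firewall log, as an added example (this is not psad's code and not part of the original post): psad tails the iptables LOG messages that syslog writes and raises an alert when one source hits too many distinct destination ports in a short window, optionally adding a block rule. The snippet below re-implements that core over constructed sample syslog lines so it runs offline. The threshold of five distinct ports in sixty seconds, the hostname "web", the documentation-range addresses and the plain `iptables -I INPUT ... -j DROP` block command are all my assumptions; psad's own auto-blocking uses its own chains and is configured in psad.conf.

```python
"""psad-style port-scan detection over iptables LOG lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines in the format `iptables -j LOG` produces.
# 198.51.100.7 walks eight ports in a few seconds; 192.0.2.5 is a normal
# web client; the sshd line shows that non-kernel lines are skipped.
SAMPLE_LOG = """\
Jan 10 16:47:01 web kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=44 TTL=48 ID=1 PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 SYN URGP=0
Jan 10 16:47:01 web kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=44 TTL=48 ID=2 PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 SYN URGP=0
Jan 10 16:47:02 web kernel: IN=eth0 OUT= SRC=192.0.2.5 DST=203.0.113.10 LEN=60 TTL=60 ID=7 PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 SYN URGP=0
Jan 10 16:47:02 web kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=44 TTL=48 ID=3 PROTO=TCP SPT=40003 DPT=23 WINDOW=1024 SYN URGP=0
Jan 10 16:47:02 web kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=44 TTL=48 ID=4 PROTO=TCP SPT=40004 DPT=25 WINDOW=1024 SYN URGP=0
Jan 10 16:47:03 web kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=44 TTL=48 ID=5 PROTO=TCP SPT=40005 DPT=80 WINDOW=1024 SYN URGP=0
Jan 10 16:47:03 web kernel: IN=eth0 OUT= SRC=192.0.2.5 DST=203.0.113.10 LEN=60 TTL=60 ID=8 PROTO=TCP SPT=51001 DPT=443 WINDOW=5840 SYN URGP=0
Jan 10 16:47:03 web kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=44 TTL=48 ID=6 PROTO=TCP SPT=40006 DPT=110 WINDOW=1024 SYN URGP=0
Jan 10 16:47:04 web kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=44 TTL=48 ID=9 PROTO=TCP SPT=40007 DPT=143 WINDOW=1024 SYN URGP=0
Jan 10 16:47:04 web kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=44 TTL=48 ID=10 PROTO=TCP SPT=40008 DPT=443 WINDOW=1024 SYN URGP=0
Jan 10 16:49:30 web kernel: IN=eth0 OUT= SRC=192.0.2.5 DST=203.0.113.10 LEN=60 TTL=60 ID=11 PROTO=TCP SPT=51002 DPT=80 WINDOW=5840 SYN URGP=0
Jan 10 16:49:31 web sshd[1234]: Accepted publickey for admin from 192.0.2.5 port 51003 ssh2
"""

# "Mon DD HH:MM:SS host kernel: KEY=VAL KEY=VAL ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<fields>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return (timestamp, src, dst_port) for an iptables LOG line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("fields")))
    if "SRC" not in fields or not fields.get("DPT"):
        return None  # not an iptables line, or no port (e.g. ICMP)
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog omits the year
    return ts, fields["SRC"], int(fields["DPT"])


def detect_scans(log_text, threshold=5, window_seconds=60):
    """Map each source that touched >= threshold distinct ports within the window
    to the sorted list of ports it touched (assumed threshold and window)."""
    recent = defaultdict(deque)  # src -> (ts, dpt) events still inside the window
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dpt = parsed
        q = recent[src]
        q.append((ts, dpt))
        while q and ts - q[0][0] > window:  # slide the window forward
            q.popleft()
        ports = sorted({p for _, p in q})
        if len(ports) >= threshold:
            flagged[src] = sorted(set(flagged.get(src, [])) | set(ports))
    return flagged


def block_command(src):
    """Simplified DROP rule (assumption); psad manages its own chains when auto-blocking."""
    return f"iptables -I INPUT -s {src} -j DROP"


if __name__ == "__main__":
    for src, ports in detect_scans(SAMPLE_LOG).items():
        print(f"{src} hit {len(ports)} ports {ports} -> {block_command(src)}")
```

The point of the sliding window is the false-positive trade-off esaym mentions: a browser opening 80 and 443 never crosses the threshold, while a sequential scanner does within seconds. Whether you then feed the DROP rule to iptables is a policy decision; psad leaves it off unless you turn auto-blocking on.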
 
01-10-2010, 05:53 PM   #3
unSpawn (Moderator)
Quote:
Originally Posted by esaym
I just used psad because I only wanted to block people that port scan.
Depending on the purpose of the machine (given the OP runs Apache), port scans alone may be the least of his worries.


Quote:
Originally Posted by esaym
Snort just takes too much time for me to eliminate false positives. Plus it only alerts, it doesn't block.
A little tweaking of the config and rulesets (and maybe a threshold or BPF filter) can help. For blocking with "regular" Snort there are third-party apps like Guardian.


Quote:
Originally Posted by mike2010
Trying to figure out which Intrusion Detection System would be best for me. I've got a CentOS 5 / Linux / Apache system.
"The best" is as vague as it gets. But since you've mentioned "user friendly" too, maybe it's just that you're afraid to invest time to learn to handle an IDS? Given the fact you're running something on Apache, I'd suggest you review the machine's access controls and exposed services and complement your software toolkit with some initial assessment tools like Tiger and OpenVAS (Atomic Rocket Turtle repo; run it from a remote host), a rootkit and malware scanner like Chkrootkit or Rootkit Hunter (OSSEC HIDS includes a scanner), a filesystem integrity checker like Samhain or AIDE, Snort + Guardian, Logwatch (and read the reports), fail2ban or DenyHosts, and mod_security.

This is by no means complete. Do search the 'net for the term "hardening" (or see this); using those correctly, you stand a better chance.
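What the "filesystem integrity checker" item in the list above buys you, as an added example (not AIDE's or Samhain's code, and not part of the post): record a baseline of a hash plus ownership and mode for every file under the paths you care about, keep that baseline where an intruder cannot rewrite it (read-only media or another host), and re-run the comparison from cron. The sample tree, the file contents and the tampering it simulates (a replaced binary of identical size, a world-writable /etc/passwd and a dropped-in ld.so.preload) are constructed for the demo.

```python
"""AIDE-style file integrity baseline and comparison (added example)."""
import hashlib
import json
import os
import stat
import tempfile


def file_record(path):
    """Hash plus the metadata a rootkit would have to preserve to stay hidden."""
    st = os.lstat(path)
    rec = {"mode": oct(st.st_mode), "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)  # a retargeted symlink is a change too
    return rec


def build_baseline(root):
    """Map every file under root (relative path) to its record; symlinks are not followed."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_record(full)
    return baseline


def compare(baseline, current):
    """Report paths that appeared, disappeared, or whose record differs from the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Build a small tree, baseline it, tamper with it, and return the comparison."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        ls = os.path.join(root, "bin", "ls")
        passwd = os.path.join(root, "etc", "passwd")
        with open(ls, "wb") as f:
            f.write(b"original ls binary\n")  # constructed stand-in for a binary
        os.chmod(ls, 0o755)
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        os.chmod(passwd, 0o644)

        # Serialise the baseline as a real deployment would (store it off-box).
        stored = json.dumps(build_baseline(root))

        # Simulated tampering: same-size replacement (size checks miss it, the
        # hash does not), a permission change, and a new preload file.
        with open(ls, "wb") as f:
            f.write(b"trojaned ls binary\n")
        os.chmod(passwd, 0o666)
        with open(os.path.join(root, "etc", "ld.so.preload"), "w") as f:
            f.write("/lib/evil.so\n")

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice you exclude paths that legitimately churn (logs, spool, package caches) and re-baseline after every yum update, otherwise the report is all noise and stops being read, which is the same failure mode as an untuned Snort.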
 
01-11-2010, 08:29 PM   #4
mike2010 (Member, Original Poster)
Argh, esaym's seemed simpler.

I have most things / ports closed off, but they tell me I should still install ClamAV and an IDS to feel safer.

I even have SSH / FTP shut off to everything except my IP as well, and run yum updates daily as well.


Quote:
Originally Posted by unSpawn
a rootkit and malware scanner like Chkrootkit or Rootkit Hunter (OSSEC HIDS includes a scanner), a filesystem integrity checker like Samhain or AIDE, Snort + Guardian, Logwatch (and read the reports), fail2ban or DenyHosts, and mod_security.
I've got WatchDog installed, and it has Rootkit Hunter with it. But my tech guys say rkhunter sucks.

So is psad kind of like syslog? Better than syslog?

Maybe that's all I need. I need something simple / easy to configure that gets the job done.

No thoughts on OSSEC?
 
01-12-2010, 01:31 PM   #5
unSpawn (Moderator)
Quote:
Originally Posted by mike2010
Maybe that's all I need. I need something simple / easy to configure that gets the job done.
People choose what they like, not what they need. My point was that server hardening and auditing is important and it should not be handled by one tool. If you like your "tech guys'" quality assessments and like esaym's yellow brick road better, then by all means follow it.
 
  

