Slashdot Mirror


Rate the Intrusion Detection Systems?

Swannie asks: "The company I'm working for is looking into Intrusion Detection Systems. I was curious about how good/bad/ugly/cute/cuddly LIDS (Linux Intrusion Detection System) is when compared to other, commercial, systems like Cisco's NetRanger, etc. I'd be interested in information from my fellow geeks who have deployed LIDS in real-world situations, as well as anyone who has switched to LIDS from a commercial solution, or vice versa. Hopefully, if I have some ammunition to go to the powers that be, I'll be able to utilize an open-source (and less expensive) Linux solution instead of a more expensive commercial one." Are there any other options out there which can be added to this comparison? In an odd bit of synchronicity, this article popped up before press time, which offers up another possible answer, in the form of Snort.

14 comments

  1. Some Outdated Answers by Outland Traveller · · Score: 3, Informative

    It's been a year since I've researched the subject, but some of this info still may be relevant. If not, I'm sure I'll be moderated down and/or corrected :)

    LIDS and Snort do very different things. LIDS is more for host-based security. It is primarily used for locking down the kernel, for example by adding additional layers of security to prevent unauthorized kernel module loading, file access, etc. It foils common rootkits and can be used to make a hardened machine. The downside is that it works at a very low level. You have to patch your kernel to get it to work, and the LIDS package lags behind the Linus tree. The configuration interface at the time I looked at it was in flux and poorly documented. It might be better now, but it looked like it took a lot of effort to customize a configuration to meet your particular needs.

    Snort is a whole different story. It is used to report suspicious network activity, such as portscans, web server attacks, FTP overflow attacks, etc. The Snort scanning engine is quite sophisticated and easily customizable via rules files. It appears to be every bit as effective as commercial equivalents, if not better. The downside is that the reporting is very do-it-yourself. If you want to get something more than spammy syslog alerts, you have to roll your own reporting/alert/reaction tool. To be fair, there are lots of hooks and database-backend support for this, but it doesn't come with the base package. Perhaps someone will reply with a link to a third-party add-on that fills this gap.
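The "roll your own reporting" gap described in the comment above, as an added example that is not part of the original thread or of Snort itself: a small Python script that parses Snort's one-line `alert_fast` output, collapses the many lines a portscan produces into one event per source, and decides which events merit more than a syslog entry. The sample alert lines, the signature IDs (in the local 1000000+ range), the IP addresses and the escalation thresholds are all constructed for this example.

```python
"""Aggregate and triage Snort alert_fast lines (added example, not Snort code)."""
import re
from collections import Counter

# Layout of an alert_fast line (what Snort writes with "-A fast"):
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] message [**]
#   [Classification: text] [Priority: N] {PROTO} SRC[:SPORT] -> DST[:DPORT]
# Ports are absent for ICMP. IPv4 only: IPv6 addresses contain ':' and are not handled.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample: a three-probe scan, one web attack, one ping, one junk line.
SAMPLE_ALERTS = [
    "01/15-10:23:45.123456  [**] [1:1000001:1] SCAN nmap SYN probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:54321 -> 198.51.100.5:22",
    "01/15-10:23:45.223456  [**] [1:1000001:1] SCAN nmap SYN probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:54322 -> 198.51.100.5:80",
    "01/15-10:23:45.323456  [**] [1:1000001:1] SCAN nmap SYN probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:54323 -> 198.51.100.5:443",
    "01/15-10:24:01.000001  [**] [1:1000002:2] WEB-ATTACK /etc/passwd in URI [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:40000 -> 198.51.100.5:80",
    "01/15-10:24:05.000001  [**] [1:1000003:1] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 198.51.100.5",
    "this line is not an alert and must be reported as unparsed, not silently dropped",
]


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"], "sid": int(d["sid"]), "msg": d["msg"],
        "classification": d["cls"], "priority": int(d["prio"]),
        "proto": d["proto"], "src": d["src"], "dst": d["dst"],
        "sport": int(d["sport"]) if d["sport"] else None,
        "dport": int(d["dport"]) if d["dport"] else None,
    }


def summarize(lines):
    """One bucket per signature (sid), counting hits per source IP.

    Returns (buckets, unparsed). Unparsed lines are kept: a parser that
    swallows malformed input is how an attacker's evasion goes unnoticed."""
    buckets, unparsed = {}, []
    for line in lines:
        a = parse_alert(line)
        if a is None:
            if line.strip():
                unparsed.append(line)
            continue
        b = buckets.setdefault(a["sid"], {"msg": a["msg"], "priority": a["priority"],
                                          "sources": Counter(), "targets": set()})
        b["sources"][a["src"]] += 1
        b["targets"].add(a["dst"])
    return buckets, unparsed


def escalate(buckets, min_hits=3):
    """Pick what deserves a page rather than a log line (thresholds are assumptions):
    priority 1 escalates on a single hit; priority 2 only once one source has
    repeated min_hits times, so a scan becomes one event, not dozens; priority 3+
    stays in the log. Result tuples: (priority, sid, msg, src, hits), most urgent first."""
    events = []
    for sid, b in buckets.items():
        for src, hits in b["sources"].items():
            if b["priority"] <= 1 or (b["priority"] == 2 and hits >= min_hits):
                events.append((b["priority"], sid, b["msg"], src, hits))
    events.sort()
    return events


if __name__ == "__main__":
    buckets, unparsed = summarize(SAMPLE_ALERTS)
    for prio, sid, msg, src, hits in escalate(buckets):
        print(f"P{prio} sid={sid} {src} x{hits}: {msg} -> {sorted(buckets[sid]['targets'])}")
    print(f"{len(unparsed)} unparsed line(s)")
```

In production the same two functions would sit behind a tail of `/var/log/snort/alert` (or a database poller, given the backend support the comment mentions) and hand the escalated tuples to whatever pager or ticketing hook the shop uses; the point is that thresholding per signature and per source is what turns a spammy alert stream into something a human can act on.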

  2. NetRanger by andy@petdance.com · · Score: 3, Funny
    I've got a soft spot in my heart for NetRanger. I know that everyone equates them with "Sister Christian", but don't ignore the other rockers like "Don't Tell Me You Love Me" and the harmonies behind "Sing Me Away" and "When You Close Your Eyes".

    I saw 'em last fall at Taste Of Hanover Park, and they rocked like it was 1984. I expected them to come off as dinosaurs, but they held up well. Definitely worth the trip to the western suburbs.

  3. Recent articles by larien · · Score: 3, Informative

    There was a series of articles on Security Focus (which seems to be down ATM) recently on LIDS. Although it isn't really a comparison with anything else, it might give you an idea of what it can and can't do.

    1. Re:Recent articles by larien · · Score: 3, Informative

      Yes, I'm replying to my own post. SF is back up, and here's the index of IDS stuff, including the LIDS articles.

  4. Tripwire... by itwerx · · Score: 2, Insightful

    ...is great for detecting if somebody got through your defenses/detection. It's by no means the first or only line of defense, but it's definitely a must-have.
    (Plus if you have over-eager assistant admins it'll catch them mucking about as well. :)

    1. Re:Tripwire... by Bryan Andersen · · Score: 3, Insightful

      I've used tripwire on developer boxes where they had to have root. Combined with an initial install backup it works nicely to see what they are changing, etc. OpenBSD has a better system for monitoring the contents of system configuration files. It will email you the differences between the old and new versions of a file.

  5. Production System LIDS? by Anonymous Coward · · Score: 0

    I always was interested in LIDS and all of its advantages, so finally I found some time to install it. It provides a complete ACL to protect your system and lets you sleep at night. Someone mentioned using tripwire; tripwire will not provide you with the proper defense that you will need. It will only notify you of files that have changed every time you run tripwire. LIDS prevents you from modifying them in the first place.

    Yes, it does take quite a bit of reading and figuring to get it set up and working (took me about 2-3 days to get a system working), but if you don't have hours to spend on security then I would definitely do it.

    Bravo to the LIDS boys.
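The detection-versus-prevention distinction drawn in comments 4 and 5, as an added example that is not part of the thread and is not Tripwire's code: a minimal Tripwire-style integrity check in Python that fingerprints a tree, stores a baseline, and on the next run reports what was added, removed or modified. The watched tree, its file contents and the "intrusion" in `demo()` are constructed for the run; file names such as `ld.so.preload` are used only as illustrative tampering targets.

```python
"""Tripwire-style baseline-and-diff integrity check (added example, not Tripwire)."""
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path):
    """Hash one regular file and record the metadata an integrity checker tracks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    st = os.lstat(path)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}


def snapshot(root):
    """Fingerprint every regular file under root, keyed by path relative to root.

    Symlinks are skipped rather than followed, so a watched path cannot be
    redirected at something innocuous and have that target's hash accepted."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            db[os.path.relpath(full, root)] = fingerprint(full)
    return db


def compare(baseline, current):
    """Classify each path as added, removed or modified (content, mode or size)."""
    report = {"added": [], "removed": [], "modified": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        elif baseline[path] != current[path]:
            report["modified"].append(path)
    return report


def save_baseline(db, path):
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Stand-alone run on a throwaway tree: baseline it, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = os.path.join(tmp, "etc")  # constructed watched tree
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        # The baseline lives outside the watched tree; in real use it belongs on
        # read-only media, since an intruder who can rewrite it defeats the check.
        baseline_path = os.path.join(tmp, "baseline.json")
        save_baseline(snapshot(etc), baseline_path)

        # Simulated tampering: a second uid-0 account, a preload hook, a deleted file.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("toor:x:0:0::/root:/bin/sh\n")
        with open(os.path.join(etc, "ld.so.preload"), "w") as f:
            f.write("/lib/libexample.so\n")
        os.remove(os.path.join(etc, "hosts"))

        return compare(load_baseline(baseline_path), snapshot(etc))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

This only ever tells you after the fact, and only when it is run, which is exactly the limitation comment 5 raises against Tripwire; the change has already happened by the time the report is generated, whereas a LIDS-style kernel ACL refuses the write. The two are complementary rather than competing: the checker catches what the ACL was not configured to cover, provided its baseline and its own binary are kept where the intruder cannot rewrite them.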

  6. IDS != firewall; it's like raising a child by Helevius · · Score: 0, Troll
    Although any incremental improvement in security is beneficial, true network security monitoring requires a real commitment of trained manpower, customized applications, and rational processes. Unless you're willing to devote all of your time, and the time of a motivated and quick-learning staff, don't bother with IDS. Network security monitoring is much more involved than firewall deployment or router ACL configuration, for example.

    If you've only got the time, energy, inclination, or budget to do the job halfway, you'll get more productive results monitoring your firewall, router, and application logs.

    If you really feel you want network security monitoring, but can't commit to it, I recommend a competent managed security services provider. Unfortunately, I'm not comfortable with any of the offerings besides that of my employer. Sure, it sounds like a shameless plug, but if other MSSPs care to explain how they do business, I'll have good words for them. Until then, I know my shop does good network security monitoring work. Of the few competitors whose operations I understand, none inspire confidence.

    If you think I only rip on other MSSPs, I can heartily recommend Digital Defense for doing top-notch vulnerability assessments (but that's not IDS, unfortunately).

    Helevius

  7. Try looking at Secureworks by Anonymous Coward · · Score: 0

    Hello!

    We use Secureworks's MSSP (it's an IDS/Firewall hybrid such that it can automatically block attacks, it's updated by the provider, and fits virtually anywhere in your network.) (it runs off a customized Cobalt Raq3/4 unit.)

    www.secureworks.net

    Try it out!

    It might be worth it for you.

  8. Real Secure by Anonymous Coward · · Score: 0