Just thought I'd put a plug in for BRO-IDS:
http://www.bro-ids.org/
Basically, you write all the signatures you want, but then write policy files on top of that to interpret that data, so it's a strict superset of Snort's functionality. There's even a tool in the distribution that lets you turn snort signatures into bro rules.
So, you can have things like:
If a user logs in to a machine on HOME NET from anywhere outside of HOME NET
and in the next 15 minutes initiates a file transfer to that machine
and that machine joins an IRC server or has FTP transfers from it in the next 2 days
then raise an alert
At OSU, Bro is used to check all files coming over the border against Team Cymru's (http://www.team-cymru.org/) DNS based malware database.
Check it out! Plus, you get the INFORMATION SECURITY CUBE OF POTENTIAL DOOM! (http://www.nersc.gov/nusers/security/TheSpinningCube.php)
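The three-stage rule sketched in the post (outside login, file transfer within 15 minutes, IRC or outbound FTP within 2 days, then alert) is a stateful correlation over a stream of events rather than a single packet signature. The Python below is an added example written for this page, not Bro policy code and not part of the original post; it shows the same kind of correlation over a constructed event stream. The `HOME_NET` value, the event kinds (`login`, `file_transfer`, `irc_join`, `ftp_transfer`) and the requirement that the file transfer come from the same outside address that logged in are assumptions made for the example. It also expires partial chains whose next stage can no longer arrive in time, which is the detail a practitioner has to get right before running something like this on a busy border.

```python
"""Stateful multi-stage correlation in the style of a Bro policy (added example, not Bro code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed HOME_NET for the example; a real deployment takes this from site config.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")

LOGIN_TO_TRANSFER_WINDOW = 15 * 60            # 15 minutes, in seconds
TRANSFER_TO_FOLLOWUP_WINDOW = 2 * 24 * 3600   # 2 days, in seconds


@dataclass
class Event:
    ts: float   # epoch seconds
    kind: str   # "login", "file_transfer", "irc_join", "ftp_transfer" (assumed event kinds)
    src: str    # source IP
    dst: str    # destination IP


@dataclass
class Chain:
    """Per-victim-host state for a partially matched chain."""
    outside_user: str            # the outside address that logged in
    login_ts: float
    transfer_ts: Optional[float] = None


def in_home_net(ip: str, home_net=HOME_NET) -> bool:
    return ipaddress.ip_address(ip) in home_net


class Correlator:
    def __init__(self, home_net=HOME_NET):
        self.home_net = home_net
        self.chains: Dict[str, Chain] = {}   # keyed by the HOME_NET host
        self.alerts: List[dict] = []

    def _expire(self, now: float) -> None:
        # Drop chains whose next stage can no longer arrive inside its window,
        # so per-host state does not grow without bound.
        for host, ch in list(self.chains.items()):
            if ch.transfer_ts is None:
                if now - ch.login_ts > LOGIN_TO_TRANSFER_WINDOW:
                    del self.chains[host]
            elif now - ch.transfer_ts > TRANSFER_TO_FOLLOWUP_WINDOW:
                del self.chains[host]

    def handle(self, ev: Event) -> Optional[dict]:
        self._expire(ev.ts)
        if ev.kind == "login":
            # Stage 1: login to a HOME_NET host from outside HOME_NET.
            if in_home_net(ev.dst, self.home_net) and not in_home_net(ev.src, self.home_net):
                self.chains[ev.dst] = Chain(outside_user=ev.src, login_ts=ev.ts)
        elif ev.kind == "file_transfer":
            # Stage 2: the same outside user sends a file to that host within 15 minutes.
            ch = self.chains.get(ev.dst)
            if (ch and ch.transfer_ts is None and ch.outside_user == ev.src
                    and 0 <= ev.ts - ch.login_ts <= LOGIN_TO_TRANSFER_WINDOW):
                ch.transfer_ts = ev.ts
        elif ev.kind in ("irc_join", "ftp_transfer"):
            # Stage 3: that host joins IRC or transfers files out within 2 days.
            ch = self.chains.get(ev.src)
            if (ch and ch.transfer_ts is not None
                    and 0 <= ev.ts - ch.transfer_ts <= TRANSFER_TO_FOLLOWUP_WINDOW):
                alert = {"host": ev.src, "outside_user": ch.outside_user,
                         "trigger": ev.kind, "ts": ev.ts}
                self.alerts.append(alert)
                del self.chains[ev.src]   # one alert per matched chain
                return alert
        return None


def run(events: List[Event]) -> List[dict]:
    c = Correlator()
    for ev in sorted(events, key=lambda e: e.ts):
        c.handle(ev)
    return c.alerts


# Constructed sample event stream for the example (not real traffic).
SAMPLE_EVENTS = [
    Event(0.0, "login", "203.0.113.5", "10.1.2.3"),
    Event(600.0, "file_transfer", "203.0.113.5", "10.1.2.3"),
    Event(90000.0, "irc_join", "10.1.2.3", "198.51.100.7"),     # completes the chain
    Event(0.0, "login", "203.0.113.9", "10.1.2.4"),
    Event(2000.0, "file_transfer", "203.0.113.9", "10.1.2.4"),  # too late (> 15 min)
    Event(3000.0, "irc_join", "10.1.2.4", "198.51.100.7"),      # no alert
    Event(0.0, "login", "10.9.9.9", "10.1.2.5"),                # internal login, ignored
    Event(100.0, "file_transfer", "10.9.9.9", "10.1.2.5"),
    Event(200.0, "ftp_transfer", "10.1.2.5", "198.51.100.8"),   # no alert
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print("ALERT", a)
```

Running the block on the sample stream produces exactly one alert, for 10.1.2.3; the second chain is dropped because its file transfer arrives after the 15 minute window, and the third never starts because the login came from inside HOME_NET.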