Let's not forget Prelude... http://prelude-ids.org/article.php3?id_article=66
Rather interesting functionality with it as well.

Andre

On 21 Sep 2005 15:02:49 -0000, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> Hi!
> I'm an IT engineering student at Politecnico di Milano. I'm studying IDS
> correlation for my thesis and I'm now working on OSSIM. I think it's a very
> interesting tool, although it has some problems:
> 1. lack of complete documentation
> 2. server (which implements correlation) C source code completely obscure:
> not a single comment in all the source code, nor a single doc about
> implementation. Agent and Framework are better commented (and they're in
> Python, Perl and PHP).
> 3. difficult installation (except for Debian or Fedora users); you have
> precompiled binaries, but building from source is a pain (you have to patch
> other tools as well) and badly documented.
> 4. not portable (server doesn't work well on *BSD)
> Moreover, I think they should have used pure IDMEF, not a different
> implementation.
> Anyway, if you can get it to work, it's really powerful imho. I think the
> correlation engine could be empowered (I'm working on that) because it's
> composed of a simple FSA implementation (you have to manually insert all
> possible event chains) and a very simple anomaly algorithm (calm).
> This is my impression, and I'd really like to know others' too.
> I'd like to know if someone's tried to work on server sources, and if he's
> got some documentation about this.
> Regards
> Giorgio Luciani
