Snort is blind to activity in your servers through encrypted connections such as SSL and SSH.

On 9/1/06, Marty E. Hillman <[EMAIL PROTECTED]> wrote:

Makes sense.

-----Original Message-----
From: [email protected] [mailto:[email protected]]
On Behalf Of Herb Commodore
Sent: Friday, September 01, 2006 11:37 AM
To: [email protected]
Subject: [ossec-list] Re: Snort vs. OSSEC

Marty,

Snort & OSSEC are two different layers of security.  Using both
together would improve the overall security level of a site.  Snort &
co. watch for network events; OSSEC HIDS, from what I've been able to
tell, watches & coordinates host-based events.  And you can
use OSSEC to monitor Snort logs and send alerts based on those --
instead of using some other application to monitor the Snort logs.

Basically, best practices would dictate using both a network-based IDS
such as snort, as well as a host-based IDS such as OSSEC.

                        -- Herb


"Marty E. Hillman" <[EMAIL PROTECTED]> writes:

> I am not trying to start a flame war here - just trying to get a better
> sense of direction on how to best protect my network.  Does anyone know
> what the advantage of using OSSEC HIDS over Snort is?
>
> I have been playing with OSSEC quite successfully for the past week in a
> demo environment, but it seems to have stopped sending email alerts
> sometime last evening.  I thought since I would have to do a bunch of
> rebuilding that I might give other products a shot.
>
> I need to monitor Windows and Cisco devices and like the aggregation of
> data and alerting functions within OSSEC.  Does anyone have experiences
> with other products that they would be willing to share?
>
> Marty
>

--
Herb Commodore <[EMAIL PROTECTED]>          +1.919.660.6951
IT Security Office, OIT, Duke University
Box 104106, Durham NC  27708

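As an added illustration of Herb's point about letting OSSEC watch Snort's logs (this is constructed example code, not OSSEC's engine or any code from the thread): a parser for Snort's alert_fast line layout plus a frequency/timeframe correlation in the style of an OSSEC composite rule, run over constructed sample alert lines. The SID, IP addresses, message text and the assumed year are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Snort alert_fast layout: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {proto} src:port -> dst:port"
FAST_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$')

def parse_fast_alert(line):
    """Return a dict for one alert_fast line, or None for lines that do not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev['prio'] = int(ev['prio'])
    # alert_fast omits the year; 2006 is assumed here to match the thread's date
    ev['ts'] = datetime.strptime('2006/' + ev['ts'], '%Y/%m/%d-%H:%M:%S.%f')
    return ev

def correlate(lines, frequency=5, timeframe=60):
    """Raise one composite alert when `frequency` Snort alerts from the same source
    arrive within `timeframe` seconds (simplified model of an OSSEC frequency rule)."""
    window = defaultdict(list)   # src IP -> timestamps still inside the timeframe
    composite = []
    for line in lines:
        ev = parse_fast_alert(line)
        if ev is None:
            continue                   # unparseable line: skip, never crash the monitor
        hits = window[ev['src']]
        hits.append(ev['ts'])
        while hits and (ev['ts'] - hits[0]).total_seconds() > timeframe:
            hits.pop(0)                # age out hits older than the timeframe
        if len(hits) >= frequency:
            composite.append({'src': ev['src'], 'count': len(hits), 'msg': ev['msg']})
            hits.clear()               # reset the counter once the rule has fired
    return composite

# Constructed sample log: six hits from one source in 25 s, one stray hit, one junk line
SAMPLE_ALERTS = [
    '09/01-11:37:%02d.000001  [**] [1:1000001:1] LOCAL SSH connection attempt [**] '
    '[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:%d -> 192.168.1.10:22'
    % (sec, 51200 + sec) for sec in (0, 5, 10, 15, 20, 25)
] + [
    '09/01-11:37:02.000001  [**] [1:1000001:1] LOCAL SSH connection attempt [**] '
    '[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:40000 -> 192.168.1.10:22',
    'Sep  1 11:37:03 host snort[123]: not an alert_fast line',
]
```

Calling `correlate(SAMPLE_ALERTS)` yields a single composite alert for 10.0.0.5 with a count of 5; the sixth hit starts a fresh window, and the junk line is skipped rather than aborting the run.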