hey folks, one of the last steps remaining for us to become PCI compliant at my place of employ is to "employ an intrusion detection or prevention system to monitor all traffic in the data environment". we have a lot of software that serves a similar function (file-modification monitor, carefully watched syslog including firewall logs, arpwatch, standard system reporting on events like service startups and half-opened-and-never-used-again network connections from postfix/proftpd), but no specific "intrusion detection system". upon looking into it further (ok, i read the wikipedia article and a few SANS articles), i find there is a plethora of signature-based systems which seem to not be what i want--we have very limited services running (ssh/sql connections only) and i'm more interested in a statistical anomaly type of report. "well, you got a thousand SQL connections in a second from this host that usually trickles 'em in at 1/hour" or "hmm, ssh leaving *from* one of the firewalled machines" type of reports. i don't expect to see a lot of the stuff that people use, say, snort for, since there's no incoming traffic at all from the internet, just ssh connections from the dmz hosts and SQL connections from the same. so i don't need to sniff the entire network's traffic (nor do i want to)--i want something host based that i can run on each host behind the firewall to report on things happening to that host.
but i haven't found anything that's free, relatively simple, and statistical-anomaly-type. i don't actually want intrusion *prevention* software that would modify firewall setup or otherwise deny traffic, i just want to get paged when i see a portscan happening *behind* the firewall. ideally, such a system watches the network for a while and "learns" what's common--"oh, on monday, dude's gonna ssh in for 10 minutes each machine. carry on. but he never seems to ssh in at 3am. and WHOA a netbios packet on this network? red alert!" does anyone use any software that does that? would love to buy you lunch and pick your brains about it! and hey, if you're so inclined and your google-fu is better than mine, let me know what i'm missing! the best candidate i found that-a-way was "SPADE" which is a deprecated snort plugin.

_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
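The kind of host-based "learn what's normal, page me on the rest" check the post describes is small enough to sketch in a script. The following is an added example written for this page, not code from the poster or from SPADE/snort or any other tool named above. It assumes the host already logs its own firewall decisions in the standard iptables LOG format via syslog (the poster mentions watching firewall logs), learns a baseline from a training window, and then reports three of the cases the post lists: a burst of SQL connections from a host that normally trickles them in, an ssh session at an hour never seen before, and a protocol/port never seen at all (a NetBIOS packet, or ssh leaving outbound). Hostnames, addresses, the log lines and the training week are all constructed for the example.

```python
"""Host-based statistical anomaly detection over a host's own iptables LOG lines.

Learn a baseline during a training window, then report three kinds of deviation:
  burst      a (src, dport) pair whose per-minute count exceeds its learned
             mean + 3 standard deviations and twice the largest count seen
  novel      a (direction, proto, dport) never observed in training
  off_hours  a (src, dport) pair active in an hour of day never seen in training
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Matches the iptables LOG format as syslog writes it (no year in the stamp).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: "
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+)(?: SPT=\d+ DPT=(?P<dport>\d+))?"
)


def parse_line(line, year=2009):
    """Return an event dict for one iptables LOG line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "direction": "in" if m["in"] else "out",   # IN= empty means locally generated
        "src": m["src"],
        "proto": m["proto"],
        "dport": m["dport"] or "-",                 # ICMP etc. carry no port
    }


class Baseline:
    """What 'normal' looks like for one host, learned from its own firewall log."""

    def __init__(self):
        self.minute_counts = defaultdict(lambda: defaultdict(int))  # key -> minute -> n
        self.hours = defaultdict(set)                               # key -> hours of day seen
        self.services = set()                                       # (direction, proto, dport)

    def learn(self, ev):
        key = (ev["src"], ev["dport"])
        self.minute_counts[key][ev["ts"].replace(second=0)] += 1
        self.hours[key].add(ev["ts"].hour)
        self.services.add((ev["direction"], ev["proto"], ev["dport"]))

    def burst_threshold(self, key):
        """Per-minute count above which this pair is a burst; None if pair is unknown."""
        counts = list(self.minute_counts[key].values())
        if not counts:
            return None   # unknown pair: reported as novel/off_hours, not as a burst
        # A host that trickles 1/hour has mean 1 and zero spread, so the 2*max floor
        # keeps a lone second connection from paging anyone.
        return max(mean(counts) + 3 * pstdev(counts), 2 * max(counts))


def detect(baseline, events):
    """Return a sorted list of (kind, detail) alerts, one per distinct finding."""
    alerts = set()
    minute_counts = defaultdict(int)
    for ev in events:
        key = (ev["src"], ev["dport"])
        svc = (ev["direction"], ev["proto"], ev["dport"])
        if svc not in baseline.services:
            alerts.add(("novel", f"{ev['direction']} {ev['proto']} dport {ev['dport']} from {ev['src']}"))
        elif ev["ts"].hour not in baseline.hours.get(key, set()):
            alerts.add(("off_hours", f"{ev['src']} dport {ev['dport']} at {ev['ts'].hour:02d}h"))
        minute_counts[(key, ev["ts"].replace(second=0))] += 1
    for (key, minute), n in minute_counts.items():
        thr = baseline.burst_threshold(key)
        if thr is not None and n > thr:
            alerts.add(("burst", f"{key[0]} dport {key[1]}: {n}/min at {minute:%H:%M}, threshold {thr:.0f}"))
    return sorted(alerts)


def run(train_lines, test_lines):
    """Learn from one set of log lines, then detect over another."""
    baseline = Baseline()
    for ev in filter(None, map(parse_line, train_lines)):
        baseline.learn(ev)
    return detect(baseline, filter(None, map(parse_line, test_lines)))


# --- constructed sample data (not real captured traffic) ---------------------
def log_line(ts, src, proto="TCP", dport=22, outbound=False):
    iface = "IN= OUT=eth0" if outbound else "IN=eth0 OUT="
    ports = f" SPT=40000 DPT={dport}" if proto in ("TCP", "UDP") else ""
    return (f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S} db1 kernel: {iface} SRC={src} "
            f"DST=10.0.2.10 LEN=60 TTL=64 PROTO={proto}{ports}")


def training_lines():
    """One working week: a 10-minute ssh session at 10:00 and one SQL connection per hour."""
    monday, lines = datetime(2009, 3, 2), []
    for d in range(5):
        day = monday + timedelta(days=d)
        lines += [log_line(day.replace(hour=10, minute=m), "10.0.1.5", dport=22) for m in range(10)]
        lines += [log_line(day.replace(hour=h, second=30), "10.0.1.6", dport=3306) for h in range(8, 18)]
    return lines


def test_lines():
    t = datetime(2009, 3, 9)                                                      # the next Monday
    lines = [log_line(t.replace(hour=10, minute=3), "10.0.1.5", dport=22)]        # normal
    lines += [log_line(t.replace(hour=14, second=s), "10.0.1.6", dport=3306) for s in range(60)]  # burst
    lines.append(log_line(t.replace(hour=3, minute=12), "10.0.1.5", dport=22))    # 3am ssh
    lines.append(log_line(t.replace(hour=10, minute=5), "10.0.1.7", proto="UDP", dport=137))  # netbios
    lines.append(log_line(t.replace(hour=10, minute=6), "10.0.2.10", dport=22, outbound=True))  # ssh leaving
    lines.append("Mar  9 10:07:00 db1 sshd[123]: Accepted publickey for ...")    # ignored
    return lines


if __name__ == "__main__":
    for kind, detail in run(training_lines(), test_lines()):
        print(f"{kind:10s} {detail}")
```

The burst threshold is deliberately crude (mean plus three standard deviations, floored at twice the largest count ever seen) so that a host whose baseline is "exactly one connection per hour" does not page on a harmless second one; tune it per key once you have real weeks of data. The "learning" is just replaying the log from a window you trust was clean, so re-learn after legitimate changes, and keep the training window out of reach of anyone who could poison it with traffic you would later call normal.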
