Recommend good IDS? was Re: /dev/shm/r?

2009-06-03 Thread john
On Tue, Jun 2, 2009 at 4:45 PM, Josh Lauricha j...@lauricha.com wrote: I'm surprised more people aren't running tripwire or other IDS. I'd be interested to hear some recommendations for IDS to run on internet facing servers. Especially from the point of view of ease of installation, ease of

Re: Recommend good IDS? was Re: /dev/shm/r?

2009-06-03 Thread Boyd Stephen Smith Jr.
In 2be970b50906030853t29dfb90atd60089611f98e...@mail.gmail.com, john wrote: On Tue, Jun 2, 2009 at 4:45 PM, Josh Lauricha j...@lauricha.com wrote: I'm surprised more people aren't running tripwire or other IDS. I'd be interested to hear some recommendations for IDS to run on internet facing

Re: Recommend good IDS? was Re: /dev/shm/r?

2009-06-03 Thread Steven Brunasso
Remember that a HIDS (host IDS) is just a detective control on the host. It shows that you have been hacked; you will probably want a good NIDS (network IDS) to see what attacks are being attempted over the wire. HIDS is good to quickly detect a compromise...

Re: Recommend good IDS? was Re: /dev/shm/r?

2009-06-03 Thread Rick Moen
Quoting Boyd Stephen Smith Jr. (b...@iguanasuicide.net): I inherited a tripwire installation at some point. It was one mail message per day (and if you didn't get that message you knew something was wrong). It required a bit of tuning to not report errors regularly, but once I spent that

Re: Recommend good IDS? was Re: /dev/shm/r?

2009-06-03 Thread Izak Burger
On Wed, Jun 3, 2009 at 5:53 PM, john lists.j...@gmail.com wrote: I'd be interested to hear some recommendations for IDS to run on internet facing servers. Especially from the point of view of ease of installation, ease of maintenance, quality of the tool, and ability to have it deliver really

Re: Recommend good IDS? was Re: /dev/shm/r?

2009-06-03 Thread Nikolai Lusan
On Wed, 2009-06-03 at 08:53 -0700, john wrote: On Tue, Jun 2, 2009 at 4:45 PM, Josh Lauricha j...@lauricha.com wrote: I'm surprised more people aren't running tripwire or other IDS. I'd be interested to hear some recommendations for IDS to run on internet facing servers. Especially from the

Re: Recommend good IDS? was Re: /dev/shm/r?

2009-06-03 Thread Jeremy Melanson
I really like OSSEC. It's licensed under GPL v3. The agent runs on multiple platforms. It's easy to install, relatively easy to configure. The agent is a self-contained HIDS, rootkit detector, log and file monitor. It can also decode Snort, Cisco PIX/ASA, IPTables, and a whole lot of other logs.

Re: Recommend good IDS? was Re: /dev/shm/r?

2009-06-03 Thread Nicolas GRENECHE
Hi, If you run a large number of hosts, I suggest samhain. You have many features built in (monitoring of files, System.map altering, suid bits, append-only on log files, etc.). It works on a client-server model (a server that centralizes the hosts' integrity database). Communications are secure (AES for
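The tools named in this thread (tripwire, samhain, OSSEC's syscheck) share one core mechanism: record a baseline of content hashes and metadata for every file, re-scan later, and report what was added, removed, rewritten or had its permission bits flipped. The script below is an added illustration of that mechanism written for this page; it is not code from any of those projects. It builds a small constructed directory tree under a temporary directory, baselines it, simulates post-compromise tampering (a replaced binary, an edited passwd, a deleted file, a binary that gained setuid, and a brand-new setuid shell), and returns the findings. The file names and contents are made up for the demo.

```python
#!/usr/bin/env python3
"""Minimal file-integrity baseline/compare (the idea behind tripwire,
samhain and OSSEC syscheck). Added example for this page; not the code
of any of those tools. Runs offline against a constructed temp tree."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

SUID_BITS = stat.S_ISUID | stat.S_ISGID


def snapshot(root):
    """Return {relative_path: (sha256_hex, st_mode, size)} for every regular
    file under root. Symlinks are skipped so a planted link cannot make the
    checker hash a file outside the tree. Content is hashed rather than
    trusting mtime, because rootkits routinely restore timestamps."""
    db = {}
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.lstat()
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        db[path.relative_to(root).as_posix()] = (h.hexdigest(), st.st_mode, st.st_size)
    return db


def compare(baseline, current):
    """Classify differences between two snapshots as (kind, path) tuples.
    In real use the baseline must live off-host or be signed; a baseline the
    attacker can rewrite detects nothing."""
    findings = []
    for p in sorted(set(baseline) | set(current)):
        if p not in baseline:
            kind = "added-setuid" if current[p][1] & SUID_BITS else "added"
            findings.append((kind, p))
        elif p not in current:
            findings.append(("removed", p))
        else:
            old_hash, old_mode, _ = baseline[p]
            new_hash, new_mode, _ = current[p]
            if old_hash != new_hash:
                findings.append(("content-changed", p))
            if old_mode != new_mode:
                # chmod u+s on an existing binary is a classic backdoor indicator
                gained = (new_mode & ~old_mode) & SUID_BITS
                findings.append(("setuid-gained" if gained else "mode-changed", p))
    return findings


def demo():
    """Build a constructed tree, baseline it, tamper with it, return findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        # constructed sample files; modes set explicitly so umask does not matter
        for rel, data, mode in [
            ("bin/ls", b"original ls", 0o755),
            ("bin/ping", b"original ping", 0o755),
            ("etc/passwd", b"root:x:0:0::/root:/bin/sh\n", 0o644),
            ("etc/hosts.deny", b"ALL: ALL\n", 0o644),
        ]:
            (root / rel).write_bytes(data)
            os.chmod(root / rel, mode)
        baseline = snapshot(root)

        # simulated post-compromise changes
        (root / "bin" / "ls").write_bytes(b"trojaned ls")            # replaced binary
        (root / "etc" / "passwd").write_bytes(
            b"root:x:0:0::/root:/bin/sh\nh4x:x:0:0::/:/bin/sh\n")    # extra uid-0 account
        (root / "etc" / "hosts.deny").unlink()                       # protection removed
        os.chmod(root / "bin" / "ping", 0o4755)                      # existing binary gains setuid
        (root / "bin" / "sh").write_bytes(b"#!/bin/sh\n")
        os.chmod(root / "bin" / "sh", 0o4755)                        # new setuid shell
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:16} {path}")
```

The comparison is deliberately per-attribute rather than a single combined hash per file, so a report can say whether a binary was rewritten or merely had its mode changed; that distinction is what lets a daily report be tuned down to the handful of changes an administrator actually needs to read, the way the tripwire reports earlier in this thread were.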