IDS mailing list archives
Re: Nagios
From: Daniel Reich <me () danielreich com>
Date: Wed, 25 Jun 2003 10:31:23 -0400
Depending on how you configure Nagios, and more specifically what you monitor with Nagios, I have found that you can use it to detect anomalous behaviour. Specifically, I have set up Nagios to monitor the health of the OS. I took it one step further in that I keep track of the states of health.

For example, you can use some of the built-in plugins to monitor the load of a system. However, there are probably scenarios in which you have machines backed up at 2AM where the load spikes. (Yes, I think backing up through a firewall is not such a great idea, but people still do it.) Most people would simply tune the load average up to the peak load in a given day. What I have done is sample the data on an hourly basis for a week (I keep it all stored in a database). So now I can monitor the system load more closely during the day.

I did recently encounter a case where a user's laptop was sending a rather large amount of traffic through a firewall. It turns out it was trojaned (probably when the user took the laptop home, or who knows). The point here is that the symptom that I saw on the firewall was the abnormally high load average. When I dug into why the load was high, I noticed the traffic spike from one machine.

One could argue that a NIDS box would have picked this up. However, I will point out that a NIDS requires that a signature be in place to detect this. In the scenario above, this was something new and was not being detected by the NIDS sensors (yet).

Cheers
-dr

Quoting John <seclist () wiresec net>:
> I have used Nagios in production environments. It is a bit cranky getting set up, but overall it works well. I have never used the security features; I have mostly just used it for monitoring hosts.
>
> On Thursday, Jun 5, 2003, at 16:16 US/Central, Jennifer Fountain wrote:
>
> > Does anyone have an opinion on Nagios? They say it can use Snort and it has its own IDS functions to detect certain traffic. I am wondering if this is a good product or just hype.
> >
> > Thanks!
> >
> > Cheers,
> > Jenn
> >
> > -----------------------------------------------------------------------
> > INTRUSION PREVENTION: READY FOR PRIME TIME?
> > IntruShield now offers unprecedented Intrusion Intelligence(TM) capabilities - including intrusion identification, relevancy, direction, impact and analysis - enabling a path to prevention. Download the latest white paper "Intrusion Prevention: Myths, Challenges, and Requirements" at: http://www.securityfocus.com/IntruVert-focus-ids2
> > -----------------------------------------------------------------------
-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------
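The time-of-day load baseline Daniel describes, as an added example that is not from this thread or from Nagios itself: a small Python check in the Nagios plugin style (exit 0/1/2/3 for OK/WARNING/CRITICAL/UNKNOWN, status line plus perfdata after the `|`) that builds a per-hour baseline from a constructed week of hourly samples standing in for his database and rates the current load against that hour's mean instead of one all-day threshold, so the 2AM backup spike stays quiet while the same load at 14:00 alerts. The sigma thresholds and the spread floor are assumptions, not values from the thread.

```python
"""Time-of-day load baseline, written as a Nagios-style check plugin."""
import statistics
from collections import defaultdict

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3   # Nagios plugin exit codes


def constructed_samples():
    """Constructed stand-in for the database: one (weekday, hour, load1) row
    per hour for a week, with a nightly backup spike at 02:00."""
    rows = []
    for day in range(7):
        for hour in range(24):
            base = 4.0 if hour == 2 else 0.5
            rows.append((day, hour, base + 0.1 * (day % 3)))
    return rows


def build_baseline(samples):
    """Group the week's samples by hour of day -> {hour: (mean, stdev)}."""
    by_hour = defaultdict(list)
    for _day, hour, load in samples:
        by_hour[hour].append(load)
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in by_hour.items()}


def check_load(baseline, hour, current, warn_sigma=3.0, crit_sigma=6.0, floor=0.2):
    """Compare the current load against this hour's baseline rather than a
    single all-day threshold. Returns (exit_code, plugin output line).
    warn_sigma/crit_sigma/floor are assumed tunables, not Nagios defaults."""
    if hour not in baseline:
        return UNKNOWN, f"LOAD UNKNOWN - no baseline for hour {hour:02d}"
    mean, stdev = baseline[hour]
    spread = max(stdev, floor)          # floor stops a flat history alerting on noise
    warn_at, crit_at = mean + warn_sigma * spread, mean + crit_sigma * spread
    perf = f"load={current:.2f};{warn_at:.2f};{crit_at:.2f}"   # Nagios perfdata
    if current >= crit_at:
        state, label = CRITICAL, "CRITICAL"
    elif current >= warn_at:
        state, label = WARNING, "WARNING"
    else:
        state, label = OK, "OK"
    return state, f"LOAD {label} - {current:.2f} vs {hour:02d}:00 baseline {mean:.2f} | {perf}"


if __name__ == "__main__":
    import sys
    base = build_baseline(constructed_samples())
    # The same load of 4.1 is routine during the 02:00 backup and alarming at 14:00.
    for hour in (2, 14):
        code, msg = check_load(base, hour, 4.1)
        print(msg)
    sys.exit(code)
```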