IDS mailing list archives
Re: IDS and NMS
From: Devdas Bhagat <dvb () users sourceforge net>
Date: Sun, 15 Jun 2003 18:12:19 +0530
On 13/06/03 20:51 +0530, Mayank-Bhatnagar wrote:
> hi folks, Well there is this issue that I would like to put to the group: "Requirement of an interface of an IDS with an already installed Network Management System".
A couple of questions here: Is your network management system limited to SNMP? Or is the SNMP functionality a part of what your management system does (and can it do more, via different protocols)?
<snip>
> a NMS and also provided IDS functionality using SNMP. The other case is where an independent IDS solution (independent of SNMP) gets incorporated in a NMS.
You can have both possibilities. If your IDS does not have SNMP support for management built into it, you can write a Perl wrapper around it to handle SNMP. The Perl wrapper can be modified as you need.
> How much is this a viable solution, or whether such a requirement could exist, and if yes, what could be the implications of the same?
Implications: if you build SNMP support for management into the IDS, you are increasing the probability of compromise of the IDS itself. The IDS then has a management protocol, which will have to be maintained as well.
> As far as I know, top-notch IDS products don't have any integration with NMS. Some do send traps (which could be a minimal part of the IDS, i.e. sending alerts to the IDS management console as well as the NMS).
Different purposes, different tools. Commonly, the network management scenario involves monitoring of various network components and their suitability for work. This has to work even in cases of bad network conditions. An IDS is looking for weird, abnormal behaviour. This is a subset of a full network management system, but has typically not been called for.

A good IDS like snort can log to a database, and you can extract data from it automatically via your favorite programming language. If you use PostgreSQL, you could write a trigger with pl/perlu to send a SNMP alert to your NMS for this. On the other hand, SNMP might not be the best way to see the output of an IDS, or to manage its configuration (depending on the IDS, the labour involved in making it SNMP compatible, etc).

Devdas Bhagat
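The "wrapper around the IDS" that the reply above describes, as an added example that is not part of the original post or of Snort: it takes Snort's plain-text fast-alert lines and turns each into an SNMPv2c trap for the NMS. It is written in Python rather than the Perl the post mentions, and uses only the standard library, with the trap BER-encoded by hand so the wire bytes are visible. The enterprise OID branch 1.3.6.1.4.1.99999, the varbind layout under it, and the sample alert lines are all assumptions constructed for the example, not a registered MIB or real captures. The wrapper only sends; it opens no listening socket, so the IDS host does not grow a management interface of the kind the reply warns about.

```python
"""Snort fast-alert -> SNMPv2c trap bridge (added example, not from the post).
The 1.3.6.1.4.1.99999 sub-tree and varbind layout are placeholder assumptions;
substitute the MIB your NMS expects before using this for real."""
import re
import socket
import time

IDS_BASE = "1.3.6.1.4.1.99999.1"      # assumed private sub-tree (hypothetical)
TRAP_OID = IDS_BASE + ".0.1"          # assumed idsAlert notification OID
OID_SIG = IDS_BASE + ".1"             # signature name (OCTET STRING)
OID_PRIO = IDS_BASE + ".2"            # priority (INTEGER)
OID_SRC = IDS_BASE + ".3"             # source address (OCTET STRING)
OID_DST = IDS_BASE + ".4"             # destination address (OCTET STRING)
SYSUPTIME_0 = "1.3.6.1.2.1.1.3.0"     # first two varbinds every v2c trap must carry
SNMPTRAPOID_0 = "1.3.6.1.6.3.1.1.4.1.0"

# Snort "-A fast" line: ts [**] [gid:sid:rev] msg [**] [Classification: x] [Priority: n] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]+)\])?"
    r"\s+\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def parse_fast_alert(line):
    """Return a dict for one alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
            "msg": d["msg"], "priority": int(d["prio"]), "proto": d["proto"],
            "classification": d["cls"], "src": d["src"], "dst": d["dst"]}


# --- minimal BER encoders (X.690 definite-length form) ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:                                  # long form: 0x80|k, then k length bytes
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def enc_int(value, tag=0x02):
    """Two's-complement INTEGER of minimal length; tag 0x43 gives TimeTicks."""
    n = 1
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    return _tlv(tag, value.to_bytes(n, "big", signed=True))


def enc_octets(s):
    return _tlv(0x04, s.encode() if isinstance(s, str) else s)


def enc_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                # base-128, high bit means "more"
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))


def enc_seq(*items, tag=0x30):
    return _tlv(tag, b"".join(items))


def build_trap(alert, community="public", uptime_ticks=None, request_id=1):
    """SNMPv2c message wrapping an SNMPv2-Trap-PDU (tag 0xA7) for one alert."""
    if uptime_ticks is None:
        uptime_ticks = int(time.monotonic() * 100) & 0xFFFFFFFF
    varbinds = enc_seq(
        enc_seq(enc_oid(SYSUPTIME_0), enc_int(uptime_ticks, tag=0x43)),
        enc_seq(enc_oid(SNMPTRAPOID_0), enc_oid(TRAP_OID)),
        enc_seq(enc_oid(OID_SIG), enc_octets(alert["msg"])),
        enc_seq(enc_oid(OID_PRIO), enc_int(alert["priority"])),
        enc_seq(enc_oid(OID_SRC), enc_octets(alert["src"])),
        enc_seq(enc_oid(OID_DST), enc_octets(alert["dst"])),
    )
    pdu = enc_seq(enc_int(request_id), enc_int(0), enc_int(0), varbinds, tag=0xA7)
    return enc_seq(enc_int(1), enc_octets(community), pdu)   # version 1 == v2c


def send_trap(message, nms_host, nms_port=162):
    """Fire-and-forget UDP send; the IDS side never listens."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message, (nms_host, nms_port))


# Constructed sample lines in Snort fast format (not real captures).
SAMPLE_ALERTS = [
    "06/15-18:12:19.123456  [**] [1:1000001:2] LOCAL suspicious SNMP write [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} "
    "10.0.0.5:4321 -> 192.168.1.10:161",
    "06/15-18:12:20.000001  [**] [1:1000002:1] LOCAL port scan [**] [Priority: 2] {TCP} "
    "10.0.0.7:55000 -> 192.168.1.20:22",
    "not an alert line at all",
]


def traps_for(lines, community="public", uptime_ticks=12345):
    """Encode one trap per parseable line; non-alert lines are skipped."""
    return [build_trap(a, community, uptime_ticks)
            for a in map(parse_fast_alert, lines) if a is not None]


if __name__ == "__main__":
    for trap in traps_for(SAMPLE_ALERTS):
        print(len(trap), "bytes:", trap.hex())
        # send_trap(trap, "nms.example.net")    # uncomment to deliver to a real NMS
```

Run it against a live alert file with something like `tail -F /var/log/snort/alert` piped into `traps_for` line by line. The same `build_trap` could equally be called from the PostgreSQL trigger the reply suggests, with the alert fields read from the row instead of a text line. Community-string traps carry no authentication, so the NMS should accept them only from the IDS sensor's address, and nothing here gives the NMS a way to write back to the IDS.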
Current thread:
- RE: False Positives (Definitions White Paper) Markle, Scott (Jun 05)
- IDS and NMS Mayank-Bhatnagar (Jun 13)
- RE: IDS and NMS David Markle (Jun 17)
- RE: IDS and NMS Jim Butterworth (Jun 17)
- Re: IDS and NMS Devdas Bhagat (Jun 17)
- RE: IDS and NMS Jim Butterworth (Jun 17)
- Re: IDS and NMS Devdas Bhagat (Jun 18)
- RE: IDS and NMS Jim Butterworth (Jun 18)
- Re: IDS and NMS Devdas Bhagat (Jun 18)
- RE: IDS and NMS David Markle (Jun 17)
- RE: IDS and NMS Mayank-Bhatnagar (Jun 19)
- IDS and NMS Mayank-Bhatnagar (Jun 13)
- Re: IDS and NMS Mayank-Bhatnagar (Jun 18)