IDS mailing list archives

Re: IDS Opinions


From: Greg Martin <greg () ddos com>
Date: 8 Jun 2004 15:17:13 -0000

In-Reply-To: <40C40812.8000407 () gmx net>

Hello

Why is nobody talking about prelude (http://www.prelude-ids.org)? It's
supposed to perform much better than snort and fits better into large
environments; it's much more flexible because prelude is more a
framework than just a single IDS. Till now I did not have the chance to
have a closer look at prelude, but I would really be interested in
experiences made by some others.


thanks
nik

Nik,

You're exactly right, prelude is just a framework on top of snort-like IDS :) it doesn't deserve to be called an IDS
without mentioning Snort.  Built as open source to correlate between nessus scans, syslogs (ssh, ftp, mail, etc.) from
many different systems and drones/sensors, this is the approach to a much wider scale IDS system, which is the direction
we need to be going.  Unfortunately, from my tests it is very beta; it takes a lot of customizing for your own network, so
most admins don't have the time/resources to explore this option yet unless their networks are small.  It only seems to
work well with Linux/*BSD machines; you cannot easily add your NT/2000, Mac and other servers into the mix.  And
finally, the documentation isn't wonderful.  I did find one step-by-step guide, but it is Gentoo specific:
http://www.gentoo.org/proj/en/hardened/prelude-ids.xml

That being said, despite its current weaknesses, this is a very promising open source IDS system to keep an eye on.
They are looking for some help $$$, but seem to be steadily developing regardless of resources.


-Greg
