IDS mailing list archives
Re: Real world experience with HIDS
From: lucien Fransman <lucien.fransman () irc2 nl>
Date: Mon, 6 Feb 2006 21:16:42 +0100
On Friday 03 February 2006 01:51, FinAckSyn wrote:

Ok, for some reason I didn't see the original mail, but here it goes:

> 1) Ease of install - can it be done through GPO? SMS? Login scripts?

No. Software can be installed using login scripts and such, but there is no clear-cut howto for this.

> 2) Usefulness of the information generated - have you detected any exploits? How were you notified? Etc.,

Very, using the web GUI at first and mail later. There was no need for SMS or pager alerts, but that wouldn't be too hard. Just a Perl script ;)

> 3) Centralized management - is there any? If so, how easy is it to use? Configurable at the host level? Or group of hosts level?

Snip, again, sort of.

> 4) Access to data - is it possible to restrict access to the data so that an administrator on the server would *not* be able to see the output of the HIDS?

The problem with an admin (domain admin, server admin, root) is that he has access to all sorts of things, like databases that store alerts, the private and public keys and such. But yeah, if you count those out, you can make a separate admin for the interface, and the data is/was SSL encrypted.

> 5) Interference with the server - does it consume lots of memory or CPU?

No.

> Is it proactive or passive?

Passive, with ways to make it proactive of sorts.

> 6) Would you purchase again, if you had the option?

Yes, as it was open source (Prelude IDS with Snort and a bunch of other things mixed in). Mind you, one of the requirements was that there should be $0 software costs. OTOH, if I had no budget restraints, I would have gotten a full IPS product and set that in monitoring mode (ISS Proventia, mostly because I have good experiences with that product).

> PLEASE NOTE: Any vendor on this list who emails me suggesting their product will be automatically dropped from consideration, so be forewarned. You're welcome to respond on the list, if you like, but don't email me or you'll be eliminated from consideration.
>
> I'm an independent consultant working for an independent consultancy firm.

snipsnip

Lucien Fransman
irC2