IDS mailing list archives

Re: Real world experience with HIDS


From: Sebastien Tricaud <sebastien.tricaud () wengo fr>
Date: Tue, 14 Feb 2006 10:08:29 +0100

On Tue, 2006-01-31 at 15:44 -0600, Paul Schmehl wrote:
I have some questions for real world users (not vendors) of HIDS products.
If you are using HIDS products *and* you're happy with the results, please
respond to the following questions.


I am using Prelude IDS (www.prelude-ids.com). I am very happy with it so
I'd like to give some feedback.


1) Ease of install - can it be done through GPO?  SMS?  Login scripts?

The install can be done with your distribution system. Gentoo has
state-of-the-art packages.


2) Usefulness of the information generated - have you detected any 
exploits?  How were you notified?  Etc.,

There is a first step where you tune your IDS. In the case of Prelude,
you have to tune sensors such as Snort to avoid false positives and
other useless information. It has detected attacks occurring on our
network, and it did so very accurately.
I've been notified by going to the Prewikka administrative interface and
any high level attack was highlighted in red.
I am considering purchasing the mail reporting plugin.


3) Centralized management - is there any?  If so, how easy is it to use? 
Configurable at the host level?  Or group of hosts level?

Through the Prewikka administrative interface, you get all data from all
sensors connected to it. It is very easy to use and get decent
information (see screenshots on their website). It is also possible to
configure sensors through Prewikka. 


4) Access to data - is it possible to restrict access to the data so that 
an administrator on the server would *not* be able to see the output of the 
HIDS?

Yes, not only is information sent securely from sensors to managers, but
also, once in the administrative interface, you can set up rights. Data
are stored in mysql/postgresql/sqlite databases and you can also set up
read rights there to prevent your administrator from seeing the data.


5) Interference with the server - does it consume lots of memory or CPU? 
Is it proactive or passive?

This is the result of a top on the server where the manager, frontend
(prewikka) and log checker are connected:
 4571 prmg  15   0 22792 2520 1860 S  0.0  0.5   0:02.43 prelude-manager
 4577 prlm  16   0  4148 2592 1704 S  0.0  0.5   0:00.17 prelude-lml
 4587 prka  16   0 11600 7004 3132 S  0.0  1.4   0:00.16 prewikka-httpd

The memory and CPU consumption is very low. 

However, this is something to take care of: in the case of traffic and data
analysis, I guess this should be higher.

I am working for a VoIP company, thus we need to get a very low
- memory consumption
- CPU consumption
- bandwidth consumption
program.

Prelude really rocks, it is modular and we can have any kind of sensor
built for it.



6) Would you purchase again, if you had the option?

Well, I am just giving some feedback about the open-source product.
I am strongly considering purchasing this mail reporting plugin and the
prewikka pro interface.
I am very happy with it, and especially in a VoIP environment like ours,
this kind of program is gold. It helps us greatly to improve our network
security.


