IDS mailing list archives
Re: Real world experience with HIDS
From: Sebastien Tricaud <sebastien.tricaud () wengo fr>
Date: Tue, 14 Feb 2006 10:08:29 +0100
On Tue, 2006-01-31 at 15:44 -0600, Paul Schmehl wrote:
I have some questions for real world users (not vendors) of HIDS products. If you are using HIDS products *and* you're happy with the results, please respond to the following questions.
I am using Prelude IDS (www.prelude-ids.com). I am very happy with it so I'd like to give some feedback.
1) Ease of install - can it be done through GPO? SMS? Login scripts?
The install can be done with your distribution system. Gentoo has state-of-the-art packages.
2) Usefulness of the information generated - have you detected any exploits? How were you notified? Etc.,
There is a first step where you tune your IDS. In the case of Prelude, you have to tune sensors such as Snort to avoid false positives and other useless information. It has detected attacks occurring on our network, and it was very accurate. I've been notified by going to the Prewikka administrative interface, where any high-level attack was highlighted in red. I am considering purchasing the mail reporting plugin.
3) Centralized management - is there any? If so, how easy is it to use? Configurable at the host level? Or group of hosts level?
Through the Prewikka administrative interface, you get all data from all sensors connected to it. It is very easy to use and get decent information (see screenshots on their website). It is also possible to configure sensors through Prewikka.
4) Access to data - is it possible to restrict access to the data so that an administrator on the server would *not* be able to see the output of the HIDS?
Yes: not only is information sent securely from sensors to managers, but also, once in the administrative interface, you can set up rights. Data are stored in mysql/postgresql/sqlite databases, and you can also set up read rights there to prevent your administrator from seeing the data.
5) Interference with the server - does it consume lots of memory or CPU? Is it proactive or passive?
This is the result of a top on the server where the manager, frontend (prewikka) and log checker are connected:

  4571 prmg 15 0 22792 2520 1860 S 0.0 0.5 0:02.43 prelude-manager
  4577 prlm 16 0 4148 2592 1704 S 0.0 0.5 0:00.17 prelude-lml
  4587 prka 16 0 11600 7004 3132 S 0.0 1.4 0:00.16 prewikka-httpd

The memory and CPU consumption is very low. However, this is something to take care of: in case of traffic and data analysis, I guess this should be higher. I am working for a VoIP company, thus we need a program with very low
- memory consumption
- CPU consumption
- bandwidth consumption
Prelude really rocks, it is modular and we can have any kind of sensor built for it.
6) Would you purchase again, if you had the option?
Well, I am just giving some feedback about the open-source product. I am highly considering purchasing this mail reporting plugin and the prewikka pro interface. I am very happy with it, and especially in a VoIP environment like ours, this kind of program is gold. It helps us greatly to improve our network security.