Snort mailing list archives
Re: any support / plug-in / integration plan for HID
From: "Moyer, Shawn" <smoyer () rgare com>
Date: Fri, 12 Jul 2002 01:26:58 -0500
DoL wrote:
> Hi
>
> I have asked this same question on "Snort-Devel" with not much success.
> So I am trying this here.
>
> Just wonder if there is any plan / way to support or integrate HID
> agents? And how, please!
>
> Thanks
> /dl

Prolly you got a lukewarm response because it's a question that's fraught with other issues.
First, define what you mean by HID, since what this means changes on a vendor-by-vendor basis. Is what you want simply monitoring interfaces on hosts for bad traffic in addition to monitoring the whole network? If so, Snort can easily be run in non-promisc mode on individual hosts logging to a central server to get this.
If you mean more in-depth monitoring of events at an app, kernel, stack write, and log level on hosts and such, I'd check out Dragon Squire or ISS Server Sensor (yes, I said the I-word, hugs and kisses to Klaus and co., I know they read this list, they have to get their ideas somewhere) if you want to pay money, get support, yadda yadda. I think Cisco has some crap that purports to do this as well.
I've had pretty good luck myself with Syslog-NG, NTsyslog, Logcheck, Swatch, Tripwire, Samhain, (google for 'em or look on Sourceforge) and a number of other homebaked toys to do host IDS-ish things on boxes, and from what I understand you can push some of that data into the Snort DB for perusing in ACID if you're so inclined, although personally I haven't done it. There's also tons of other free auditing / logging tools out there for whatever OS you like, not to mention vendor docs on enabling stronger logging / auditing / security measures.
The question is, what do you gain by integrating the two, other than navel-gazing? Let the host stuff do its thing, and the NIDS stuff do its thing, and as long as both of them make your pager go off at 3 in the morning when the fit hits the shan everybody's happy, right?
--shawn
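Added example, not part of Shawn's post or of any of the tools he names: a minimal Swatch/Logcheck-style host log watcher in Python. It models the "ignore list first, then alert patterns" logic those tools use, and adds a simple brute-force threshold over failed SSH logins, the kind of host-side signal that a NIDS watching the wire would not see. The regexes, thresholds, hostnames, usernames and the syslog lines themselves are all constructed for this example.

```python
"""Swatch/Logcheck-style host log watcher (added example, not from the post).

Rules are ordinary regexes: IGNORE patterns are checked first so known
noise never alerts, then every matching ALERT rule fires. Repeated failed
logins from one source within WINDOW_SECONDS raise a separate high alert.
All patterns and sample lines below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Known noise, checked first (the logcheck "ignore" idea).
IGNORE = [
    re.compile(r"CRON\[\d+\]: pam_unix\(cron:session\)"),
    re.compile(r"sshd\[\d+\]: Accepted publickey for backup "),
]

# Events worth paging on, tagged with a severity. Every matching rule fires.
ALERT = [
    ("high", re.compile(r"sshd\[\d+\]: Accepted password for root ")),
    ("high", re.compile(r"sudo: .*COMMAND=.*/(bash|sh|nc)\b")),
    ("medium", re.compile(
        r"sshd\[\d+\]: Failed password for (invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("medium", re.compile(r"kernel: .*promiscuous mode")),
]

BRUTE_FORCE_THRESHOLD = 3   # failures from one source ...
WINDOW_SECONDS = 60         # ... within this many seconds

# Classic BSD syslog prefix: "Mon DD HH:MM:SS host message".
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")


def parse(line):
    """Split a syslog line into (timestamp, host, message); None if it does not parse."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; 2002 is assumed for the sample data.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=2002)
    return ts, m.group("host"), m.group("msg")


def scan(lines):
    """Return a list of (severity, host, message) alerts for the given log lines."""
    alerts = []
    failures = defaultdict(list)   # (host, source ip) -> recent failure timestamps
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            # A line that does not look like syslog is itself worth a look.
            alerts.append(("low", "unparsable", line))
            continue
        ts, host, msg = parsed
        if any(p.search(msg) for p in IGNORE):
            continue
        for sev, pat in ALERT:
            m = pat.search(msg)
            if not m:
                continue
            alerts.append((sev, host, msg))
            if "src" in m.groupdict():
                hits = failures[(host, m.group("src"))]
                hits.append(ts)
                # Keep only failures inside the sliding window.
                hits[:] = [t for t in hits if (ts - t).total_seconds() <= WINDOW_SECONDS]
                if len(hits) == BRUTE_FORCE_THRESHOLD:
                    alerts.append(("high", host,
                                   f"{len(hits)} failed logins from {m.group('src')} "
                                   f"within {WINDOW_SECONDS}s"))
    return alerts


def summarize(alerts):
    """Count alerts per severity, e.g. {'high': 3, 'medium': 4, 'low': 1}."""
    counts = defaultdict(int)
    for sev, _, _ in alerts:
        counts[sev] += 1
    return dict(counts)


# Constructed sample log; hosts, users and addresses are made up.
SAMPLE_LOG = """\
Jul 12 01:00:01 web1 CRON[4311]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul 12 01:02:10 web1 sshd[4402]: Failed password for invalid user admin from 10.9.8.7 port 40122 ssh2
Jul 12 01:02:14 web1 sshd[4402]: Failed password for invalid user admin from 10.9.8.7 port 40123 ssh2
Jul 12 01:02:19 web1 sshd[4402]: Failed password for root from 10.9.8.7 port 40124 ssh2
Jul 12 01:05:00 web1 sshd[4410]: Accepted publickey for backup from 10.0.0.5 port 50000 ssh2
Jul 12 01:07:33 web1 sshd[4420]: Accepted password for root from 10.9.8.7 port 40130 ssh2
Jul 12 01:08:00 web1 sudo:    bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jul 12 01:09:12 web1 kernel: device eth0 entered promiscuous mode
this is not a syslog line
""".splitlines()

if __name__ == "__main__":
    for sev, host, msg in scan(SAMPLE_LOG):
        print(f"[{sev:6}] {host}: {msg}")
    print(summarize(scan(SAMPLE_LOG)))
```

Running it on the sample data yields three high alerts (the brute-force threshold, root logging in with a password right after those failures, and a sudo shell), four medium ones and one low; the cron noise and the backup user's key login are silently dropped. In practice the watcher would sit on each host (or on the central syslog server the post mentions) and hand its output to whatever already pages you for Snort alerts.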
Current thread:
- any support / plug-in / integration plan for HID DoL (Jul 11)
- Re: any support / plug-in / integration plan for HID Moyer, Shawn (Jul 11)
- Re: any support / plug-in / integration plan for HID Matt Kettler (Jul 12)
- Re: any support / plug-in / integration plan for HID Moyer, Shawn (Jul 11)