IDS mailing list archives
Re: Host Based IDS Recommendations
From: Maarten Van Horenbeeck <maarten () daemon be>
Date: Sat, 20 Dec 2003 18:16:31 +0000 (GMT)
Hi,

In the field of HIDS, I have had some very good experiences with Symantec's Host IDS. In real-life use, it has shown itself to be a very trustworthy system, and has grown to be very reliable. Another exquisite system, though more limited in scope, is Tripwire.

While a different approach, many host-based Intrusion Prevention Systems also generate an important deal of logging which is extremely useful from an HID point of view. On many systems, I tend to run software such as the grsecurity patches (on Linux kernels), which can be configured in such a way as to log a syslog event on somewhat suspicious traffic. An example:

Dec 3 05:05:11 shiva kernel: grsec: attempted resource overstep by requesting 1024 for RLIMIT_NOFILE against limit 1024 by (initlog:27874) UID(0) EUID(0), parent (S55sshd:15305) UID(0) EUID(0)

You will have to write some custom log parsers yourself, and develop a secure log transportation mechanism, as syslog may become unreliable immediately after compromise, before these log entries are actually of use. However, this is more than worth it, especially if you consider the fact that this software is often not all that pricey (this specific example is even free).

Best regards,
Maarten

--
Maarten Van Horenbeeck
maarten () daemon be
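One shape the "custom log parser" mentioned above can take, as an added example that is not code from the original post or from the grsecurity project: it parses grsec "attempted resource overstep" syslog lines into structured events and applies two simple triage rules. The message format is taken from the line quoted in the post; the sample log below contains that line plus constructed entries (the "forkbomb" process, the unrelated eth0 line), and the alert rules, threshold and field names are choices made for this example, not anything grsecurity itself defines.

```python
"""Parse grsecurity RLIMIT overstep syslog lines and flag repeat offenders.

Added example, not code from the original post.  Only the first SAMPLE_LOG
entry is the line quoted in the message; the rest are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Format of the grsec line quoted in the post.  The timestamp pattern assumes
# BSD syslog style ("Dec  3 05:05:11"); \s+ tolerates the collapsed "Dec 3".
GRSEC_RLIMIT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"grsec: attempted resource overstep by requesting (?P<requested>\d+) "
    r"for (?P<rlimit>RLIMIT_[A-Z]+) against limit (?P<limit>\d+) "
    r"by \((?P<comm>[^:)]+):(?P<pid>\d+)\) UID\((?P<uid>\d+)\) EUID\((?P<euid>\d+)\), "
    r"parent \((?P<pcomm>[^:)]+):(?P<ppid>\d+)\) UID\((?P<puid>\d+)\) EUID\((?P<peuid>\d+)\)$"
)


@dataclass(frozen=True)
class RlimitOverstep:
    ts: str
    host: str
    rlimit: str
    requested: int
    limit: int
    comm: str
    pid: int
    uid: int
    euid: int
    parent_comm: str
    ppid: int
    parent_uid: int
    parent_euid: int


def parse_grsec_line(line: str) -> Optional[RlimitOverstep]:
    """Return a structured event for a grsec RLIMIT overstep line, else None."""
    m = GRSEC_RLIMIT_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return RlimitOverstep(
        ts=g["ts"], host=g["host"], rlimit=g["rlimit"],
        requested=int(g["requested"]), limit=int(g["limit"]),
        comm=g["comm"], pid=int(g["pid"]), uid=int(g["uid"]), euid=int(g["euid"]),
        parent_comm=g["pcomm"], ppid=int(g["ppid"]),
        parent_uid=int(g["puid"]), parent_euid=int(g["peuid"]),
    )


def triage(lines: List[str], repeat_threshold: int = 3) -> Tuple[List[RlimitOverstep], List[str]]:
    """Parse every line and return (events, alerts).

    Alert rules are assumptions chosen for this example, tune them per host:
      - any overstep by a process with EUID 0 is reported, since the limit is
        what stops a root-context process from exhausting the resource;
      - the same (comm, rlimit) pair overstepping >= repeat_threshold times
        looks like a loop or a deliberate attempt rather than a one-off.
    """
    events: List[RlimitOverstep] = []
    alerts: List[str] = []
    for line in lines:
        ev = parse_grsec_line(line)
        if ev is None:
            continue  # not a grsec RLIMIT line; other kernel noise is skipped
        events.append(ev)
        if ev.euid == 0:
            alerts.append(
                f"root-context overstep: {ev.comm}[{ev.pid}] requested "
                f"{ev.requested} for {ev.rlimit} (limit {ev.limit}), "
                f"parent {ev.parent_comm}[{ev.ppid}] on {ev.host} at {ev.ts}"
            )
    counts = Counter((ev.comm, ev.rlimit) for ev in events)
    for (comm, rlimit), n in counts.items():
        if n >= repeat_threshold:
            alerts.append(f"repeated overstep: {comm} hit {rlimit} {n} times")
    return events, alerts


# Constructed sample input: entry 0 is the line quoted in the post.
SAMPLE_LOG = [
    "Dec 3 05:05:11 shiva kernel: grsec: attempted resource overstep by requesting 1024 "
    "for RLIMIT_NOFILE against limit 1024 by (initlog:27874) UID(0) EUID(0), "
    "parent (S55sshd:15305) UID(0) EUID(0)",
    "Dec  3 05:07:02 shiva kernel: grsec: attempted resource overstep by requesting 65 "
    "for RLIMIT_NPROC against limit 64 by (forkbomb:3001) UID(1001) EUID(1001), "
    "parent (bash:2990) UID(1001) EUID(1001)",
    "Dec  3 05:07:02 shiva kernel: grsec: attempted resource overstep by requesting 65 "
    "for RLIMIT_NPROC against limit 64 by (forkbomb:3002) UID(1001) EUID(1001), "
    "parent (bash:2990) UID(1001) EUID(1001)",
    "Dec  3 05:07:03 shiva kernel: grsec: attempted resource overstep by requesting 65 "
    "for RLIMIT_NPROC against limit 64 by (forkbomb:3003) UID(1001) EUID(1001), "
    "parent (bash:2990) UID(1001) EUID(1001)",
    "Dec  3 05:08:00 shiva kernel: eth0: link up",
]

if __name__ == "__main__":
    parsed, found = triage(SAMPLE_LOG)
    print(f"{len(parsed)} grsec events parsed")
    for alert in found:
        print("ALERT:", alert)
```

Run as-is it reports one root-context overstep (the initlog line under sshd) and one repeated-overstep alert for the constructed forkbomb process. Because this runs on the monitored host, the point made in the post still applies: ship the raw lines off-box before parsing, so the alerts survive if the local syslog is tampered with after compromise.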
Current thread:
- RE: Host Based IDS Recommendations mbateman (Dec 18)
- <Possible follow-ups>
- Re: Host Based IDS Recommendations Maarten Van Horenbeeck (Dec 22)
- Re: Host Based IDS Recommendations Krzysztof Zaraska (Dec 29)