IDS mailing list archives
Re: Low cost HID based IDS system
From: Krzysztof Zaraska <kzaraska () student uci agh edu pl>
Date: Fri, 16 May 2003 23:14:22 +0200
On Fri, 16 May 2003 15:17:24 +1000 "Zach Forsyth" <Zach.Forsyth () kiandra com> wrote:
Hi,
Hello,
I just wanted to ask if anyone out there had some ideas in regards to deploying a low cost HID based IDS system. The problem I have is that a few of our clients are quite small and whilst I would love to deploy a NID out to all of them they just can't justify that sort of cost. I need to set up a managed type of IDS service that is centrally controlled by us and has a low cost per month to all of our clients. My plan would be to use HID type server sensors where needed and have them all feeding information back to a console that is centrally managed.
<Disclaimer: I am a Prelude developer> I have absolutely no idea if it would suit your needs, but you could consider using Prelude (http://www.prelude-ids.org/) in the following setup:

- At a central site, you deploy Prelude Manager + database + frontend
- At each client site, you deploy:
  + Prelude Manager configured to relay alerts to Manager on central site
  + Sensors configured to send alerts to site's Prelude Manager

This way alerts are transmitted sensor -> site manager -> central manager, where you can process them any way you want. Connections are SSL'd and authenticated, so the alert transmission over the Internet should be relatively secure ;). Alert transmission system is also designed to avoid losing alerts in case of failure (http://www.prelude-ids.org/download/misc/pingwinaria/2003/html/img27.html).

The system would be similar to this one: http://www.prelude-ids.org/download/misc/pingwinaria/2003/html/img21.html (your site being Tier-1, clients being Tier-2 and possibly without databases)

Another graphic presentation you could find useful: http://www.prelude-ids.org/download/misc/pingwinaria/2003/html/img19.html (client's network at the bottom-right of the image).

Concerning the HIDS sensor(s): you may of course want to use something that does not have a possibility of direct logging to Prelude. However, if the HIDS product in question is capable of logging to a text file or to syslog, you can simply use Prelude LML to parse these logs and send to Prelude Manager in the format Prelude uses. If you were logging via syslog, you could do with one LML daemon per network (LML has its own syslog server). So the data flow would be: sensor -> Prelude LML (local) -> Prelude Manager (local) -> Prelude Manager (central).

It may be a problem that Prelude does not run on Win32, but the system can still be deployed if client can have one Linux/*BSD box on site to run Prelude Manager + Prelude LML on it.
And, BTW, you could deploy Prelude NIDS sensors at clients' sites as well...
The per server cost is then low enough to keep clients interested and the centralized console cost is split over multiple clients on a monthly basis. I can see that they would all be happy paying those sorts of costs. Although, I don't want to deploy this if it is not likely to work in a full production environment, and provide accurate timely results to the central console.
Hm, Prelude is used in production environments (at least from what we are told ;)). And we aren't aware of any large delays being introduced by the alert relaying system...

Just my PLN 0.02 ;)

Krzysztof

--
// Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl
// http://mops.uci.agh.edu.pl/~kzaraska/ * http://www.prelude-ids.org/
// A dream will always triumph over reality, once it is given the chance.
// -- Stanislaw Lem
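The data flow described in the reply above (sensor -> log parser -> local manager -> central manager, with alerts held back rather than dropped when the upstream link is down) can be modelled in a few dozen lines. The following is an added example written for this archive page, not code from Prelude, Prelude LML or any of the thread's participants: the syslog sample lines, the rule table, the alert dictionary layout and the `Manager` class are all constructed here to illustrate the tiered relay, and the real Prelude components use their own formats (IDMEF) and transport.

```python
import re
from collections import deque

# Constructed sample syslog lines (not taken from the thread).
SAMPLE_SYSLOG = [
    "May 16 23:01:02 host1 sshd[1234]: Failed password for root from 192.0.2.10 port 4242 ssh2",
    "May 16 23:01:05 host1 sshd[1240]: Accepted password for alice from 198.51.100.7 port 5100 ssh2",
    "May 16 23:02:10 host1 su[2001]: FAILED SU (to root) bob on pts/0",
    "May 16 23:03:00 host1 CRON[99]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Classic BSD syslog line: timestamp, host, free-text message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)

# Hypothetical rule table in the spirit of a log-monitoring sensor:
# (pattern applied to the message part, classification, severity).
RULES = [
    (re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"),
     "SSH authentication failure", "medium"),
    (re.compile(r"su\[\d+\]: FAILED SU \(to (?P<user>\S+)\) (?P<by>\S+)"),
     "Failed su attempt", "medium"),
]


def parse_syslog(line):
    """Split a syslog line into timestamp, host and message; None if malformed."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def log_to_alert(line):
    """Turn one log line into a normalised alert dict, or None if no rule matches."""
    rec = parse_syslog(line)
    if rec is None:
        return None
    for pattern, classification, severity in RULES:
        m = pattern.search(rec["msg"])
        if m:
            return {"time": rec["ts"], "analyzer_host": rec["host"],
                    "classification": classification, "severity": severity,
                    "fields": m.groupdict(), "raw": line}
    return None


class Manager:
    """A manager stores every alert it receives and relays a copy upstream.

    Alerts that cannot be delivered upstream stay in a local backlog and are
    retried in order on the next receive() or flush(), so a central outage
    delays them instead of losing them.
    """

    def __init__(self, name, upstream=None):
        self.name = name
        self.upstream = upstream
        self.online = True          # flip to False to simulate an outage
        self.stored = []            # local database of this tier
        self.backlog = deque()      # alerts not yet acknowledged upstream

    def receive(self, alert):
        if not self.online:
            raise ConnectionError(f"{self.name} unreachable")
        self.stored.append(alert)
        if self.upstream is not None:
            self.backlog.append(alert)
            self.flush()

    def flush(self):
        """Push backlog upstream in order; stop at the first failure. Returns count sent."""
        sent = 0
        while self.backlog:
            try:
                self.upstream.receive(self.backlog[0])
            except ConnectionError:
                break
            self.backlog.popleft()   # only dequeue once upstream accepted it
            sent += 1
        return sent


def run_demo():
    """Sensor -> site manager -> central manager, with central down for the first alert."""
    central = Manager("central")
    site = Manager("site-A", upstream=central)
    alerts = [a for a in (log_to_alert(line) for line in SAMPLE_SYSLOG) if a]

    central.online = False
    site.receive(alerts[0])                 # held in site backlog
    queued_while_down = len(site.backlog)

    central.online = True
    for a in alerts[1:]:
        site.receive(a)                     # triggers flush of the backlog too
    site.flush()
    return {"alerts": len(alerts), "queued_while_down": queued_while_down,
            "site_stored": len(site.stored), "central_stored": len(central.stored),
            "backlog_left": len(site.backlog)}


if __name__ == "__main__":
    print(run_demo())
```

The point to check in any real deployment is the same one the toy shows: the local tier must only discard an alert after the upstream tier has acknowledged it, otherwise a central-site outage silently drops exactly the alerts you were paying to collect.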
Current thread:
- Low cost HID based IDS system Zach Forsyth (May 16)
- Re: Low cost HID based IDS system Paul Schmehl (May 16)
- Re: Low cost HID based IDS system dreamwvr () dreamwvr com (May 16)
- Re: Low cost HID based IDS system Krzysztof Zaraska (May 16)
- <Possible follow-ups>
- RE: Low cost HID based IDS system Zach Forsyth (May 20)
- RE: Low cost HID based IDS system Paul Schmehl (May 20)
- Re: Low cost HID based IDS system Dick Li (eBits Limited) (May 22)
- RE: Low cost HID based IDS system Paul Schmehl (May 20)
- Re: Low cost HID based IDS system Andrew Plato (May 20)
- Re: Low cost HID based IDS system SecurIT Informatique Inc. (May 20)
- RE: Low cost HID based IDS system Alan Shimel (May 20)
- RE: Low cost HID based IDS system Schmehl, Paul L (May 20)
- RE: Low cost HID based IDS system Sekurity Wizard (May 26)
- Re: Low cost HID based IDS system George W. Capehart (May 27)
- RE: Low cost HID based IDS system Zach Forsyth (May 27)