IDS mailing list archives

RE: Snortcenter, Prelude-IDS


From: "Matthew MacAulay" <matthew.macaulay () cobweb co uk>
Date: Wed, 17 Aug 2005 10:29:36 +0100

Hi Sven,

I too have started to steer away from Snortcenter for the same reasons as you. And like you I found Prelude. 

I am in the process of installing and configuring it this week. So far so good. There are several things I like but one 
of the best is the log lackey. 

You point it at log files you want to monitor like "message" or "everything" and any suspect events (like a failed 
login) get reported. I hope to expand on this to log successful logins too for some devices.  

FreeBSD is great and everything but consider Gentoo. 

Check out http://gentoo-wiki.com/HOWTO_IDS, which details all of the steps required to get Prelude-manager, prelude-lml and 
the GUI Prewikka working.

Unfortunately the bit about getting Snort to report to prelude is pending some input. I am following the instructions 
on the prelude site for configuring snort to log to prelude.

I am clearly new to Prelude so I may find the features I think are missing in the next few days. In Snort centre you 
could see a snapshot of the health of your remote IDS nodes. In Prelude IDS nodes are called Agents and beyond the status 
(online / offline) of the Prelude apps (Prelude-manager, prelude-lml) there is not much else; it would be good to see a 
few basics like CPU, memory, disk space, Snort rule version....

From what I have read so far I think it is intended to have Nagios bolted on to SNMP monitor Agents and collect events 
from other remote nodes so I guess it is intended for Nagios to monitor IDS node health.

Regards,

Mat. 
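The kind of log-file watching Matthew describes above (point a monitor at a syslog file, report suspect events such as failed logins, and extend it to successful logins too) is easy to sketch in a few lines. The following is an added illustration, not prelude-lml's own code or rule syntax: a small Python scanner over constructed syslog/OpenSSH-style lines that classifies failed and accepted logins and flags any source that fails repeatedly. The sample log lines, the `threshold` parameter and the function names are all assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample lines in syslog/OpenSSH format (not from any real host).
SAMPLE_LOG = """\
Aug 17 10:01:02 sensor1 sshd[2314]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2
Aug 17 10:01:05 sensor1 sshd[2314]: Failed password for root from 192.0.2.10 port 51023 ssh2
Aug 17 10:01:09 sensor1 sshd[2320]: Failed password for root from 192.0.2.10 port 51024 ssh2
Aug 17 10:02:30 sensor1 sshd[2351]: Accepted publickey for mat from 198.51.100.7 port 40112 ssh2
Aug 17 10:03:00 sensor1 cron[2400]: (root) CMD (run-parts /etc/cron.hourly)
"""

# OpenSSH writes "Failed <method> for [invalid user ]<user> from <src> ..." on a
# rejected login and "Accepted <method> for <user> from <src> ..." on success.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\w+) for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"
)


def classify(line):
    """Return an event dict for a login-related line, or None for anything else."""
    m = FAILED_RE.search(line)
    if m:
        return {
            "event": "login_failed",
            "method": m.group("method"),
            "user": m.group("user"),
            "src": m.group("src"),
            # True when the account does not even exist on the host.
            "invalid_user": m.group("invalid") is not None,
        }
    m = ACCEPTED_RE.search(line)
    if m:
        # Successful logins are worth recording too, as Matthew wants to do;
        # they are the events that matter once a guessed password works.
        return {"event": "login_success", "method": m.group("method"),
                "user": m.group("user"), "src": m.group("src"), "invalid_user": False}
    return None


def scan(text, threshold=3):
    """Classify every line; return (events, sources with >= threshold failures)."""
    events = [e for e in (classify(l) for l in text.splitlines()) if e]
    failures = Counter(e["src"] for e in events if e["event"] == "login_failed")
    alerts = sorted(src for src, n in failures.items() if n >= threshold)
    return events, alerts


if __name__ == "__main__":
    evs, hot = scan(SAMPLE_LOG)
    for e in evs:
        print(f'{e["event"]:14} user={e["user"]:6} src={e["src"]} method={e["method"]}')
    for src in hot:
        print(f"ALERT: repeated login failures from {src}")
```

To run it against a live file, replace `SAMPLE_LOG` with the contents (or a tailed stream) of the host's messages log; the per-source counter is what turns three isolated "Failed password" lines into one brute-force alert rather than three separate reports.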

-----Original Message-----
From: Sven Müller [mailto:smueller () magellan-net de] 
Sent: 15 August 2005 09:44
To: focus-ids () securityfocus com
Subject: Snortcenter, Prelude-IDS

Hello!

I'm planning to set up a new IDS environment. Up to now I always used
Snortcenter (http://users.pandora.be/larc/index.html) which worked quite
well for me. But I think the development of this tool stopped because the last
news entry on the web page is more than 2 years old. Does anyone have
some information about that?

However, I just visited the prelude homepage
(http://www.prelude-ids.org/) and this framework sounds very interesting
to me. Does anyone have some experiences with Prelude? 
I like Snort very much and Prelude can be connected with Snort, so I
would have a centralized place for collecting and normalizing events.

Do you have any experiences with Prelude?

Mostly I prefer to use FreeBSD; do you have any information about this
combination?

Thanks for your hints!

Regards, Sven

-- 
---------------------------------------------------------
MAGELLAN Netzwerke GmbH
Dipl.-Ing. (FH)
Sven Müller

Network Security Engineer

Max-Reichpietsch-Straße 2
51147 Köln

Tel. :  +49-2203-92263-0
Fax:    +49-2203-92263-99

E-Mail: smueller () magellan-net de
Web:    http://www.magellan-net.de
---------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------
