Re: Real world experience with HIDS

[lucien Fransman <lucien.fransman () irc2 nl>]

On Friday 03 February 2006 01:51, FinAckSyn wrote:
Ok, for some reason I didn't see the original mail, but here it goes:

> > 1) Ease of install - can it be done through GPO?
> > SMS?  Login scripts?
No. software can be installed using loginscripts and such, but there is no 
clear cut howto for this.

> > 2) Usefulness of the information generated - have
> > you detected any
> > exploits?  How were you notified?  Etc.,
Very, using the web-gui at first and mail later. there was no need for SMS or 
pager alerts, but that wouldn't be to hard. Just a perl script ;)

> > 3) Centralized management - is there any?  If so,
> > how easy is it to use?
> > Configurable at the host level?  Or group of hosts
> > level?
Snip, again, sort of.

> > 4) Access to data - is it possible to restrict
> > access to the data so that
> > an administrator on the server would *not* be able
> > to see the output of the
> > HIDS?
The problem with an admin (domain admin, server admin, root)  is that he has 
access to all sorts of things. Like databases that store alerts, the private 
and public keys and such. But yeah, if you count those out, you can make a 
separate admin for the interface and the data is/was ssl encrypted
> > 5) Interference with the server - does it consume
> > lots of memory or CPU?
No.


> > Is it proactive or passive?

passive, with ways to make it proactive of sorts

> > 6) Would you purchase again, if you had the option?
yes. as it was opensource (prelude IDS with snort and a bunch of other things 
mixed in) 

Mind you, one of the requirements was that there should be $0 software costs.

OTOH, if I had no budget restraints, i would have gotten a full IPS product 
and set that in monitoring mode. (iss preventia, mostly because i have good 
experiences with that product)

> > PLEASE NOTE:  Any vendor on this list who emails me
> > suggesting their
> > product will be automatically dropped from
> > consideration, so be forewarned.
> > You're welcome to respond on the list, if you like,
> > but don't email me or you'll be eliminated from
> > consideration.
I'm a independent consultant working for a independent consultancy firm.


snipsnip

Lucien Fransman
irC2

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------