Snort mailing list archives

Re: any support / plug-in / integration plan for HID


From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 12 Jul 2002 12:02:40 -0400

Agreed wholeheartedly. Although the two are related conceptually, i.e. both are used for security, the practical relationship in terms of integrating the code or functionality is non-existent.

I guess I'm also a bit biased in that I too agree with the tenets of UNIX. I've seen way too many Microsoftish "do everything, and do them badly" applications (i.e. HTML editing in Word?) to take any pleasure at all in these "Swiss Army knife" applications. If two tools are completely different, putting them on a common handle doesn't do you any good, other than making the tools easier to keep together, and harder to use. I'd much rather eat with a knife and fork than a Swiss Army knife that has a knife blade and a fork blade.

So no, Snort should never include HIDS, firewall, email generation, GUI graph generation, SMTP proxy-thru email virus scanning, HTTP proxies, nmap or Nessus type network scanning or anything else that doesn't belong as part of a NIDS. The community is much better served by the Snort devel team focusing on making Snort the best NIDS there is, and leaving tasks that don't directly benefit from integration with Snort as separate tools. Integration of unrelated tools with a common interface is best left to "control center" type applications.

At 01:26 AM 7/12/2002 -0500, Moyer, Shawn wrote:

Prolly you got a lukewarm response because it's a question that's fraught with other issues.

First, define what you mean by HID, since what this means changes on a vendor-by-vendor basis. Is what you want simply monitoring interfaces on hosts for bad traffic in addition to monitoring the whole network? If so, Snort can easily be run in non-promisc mode on individual hosts logging to a central server to get this.

If you mean more in-depth monitoring of events at an app, kernel, stack write, and log level on hosts and such, I'd check out Dragon Squire or ISS Server Sensor (yes, I said the I-word, hugs and kisses to Klaus and co., I know they read this list, they have to get their ideas somewhere) if you want to pay money, get support, yadda yadda. I think Cisco has some crap that purports to do this as well.

I've had pretty good luck myself with Syslog-NG, NTsyslog, Logcheck, Swatch, Tripwire, Samhain, (google for 'em or look on Sourceforge) and a number of other homebaked toys to do host IDS-ish things on boxes, and from what I understand you can push some of that data into the Snort DB for perusing in ACID if you're so inclined, although personally I haven't done it. There's also tons of other free auditing / logging tools out there for whatever OS you like, not to mention vendor docs on enabling stronger logging / auditing / security measures.

The question is, what do you gain by integrating the two, other than navel-gazing? Let the host stuff do its thing, and the NIDS stuff do its thing, and as long as both of them make your pager go off at 3 in the morning when the fit hits the shan everybody's happy, right?




--shawn



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Gadgets, caffeine, t-shirts, fun stuff.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
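Shawn's suggestion above, running Snort without promiscuous mode on each host and logging to a central server, leaves the collector to make sense of a mixed syslog feed. Below is an added example (not code from this thread, from Snort, or from any of the tools named) of the collector side in Python: it parses Snort alert_syslog lines as forwarded by syslog-ng, counts alerts per host sensor, and flags any alert where a host sensor reports a flow that does not involve its own address, which is the quick check that the sensor really is seeing only its own traffic. The line layout is assumed from Snort's usual syslog alert format ("[gid:sid:rev] msg [Classification: ...] [Priority: n] {proto} src -> dst"); the hostnames, addresses and log lines are constructed for the example.

```python
"""Collector side of "Snort in non-promiscuous mode on each host, alerts to syslog":
parse forwarded Snort alert lines, count per sensor, flag out-of-scope flows.
Added example; the syslog line shape is assumed from Snort's alert_syslog output."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# One syslog line carrying a Snort alert. Classification is optional because rules
# without a classtype omit that bracket. Only IPv4 endpoints are handled here.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


@dataclass
class Alert:
    host: str       # syslog hostname of the host sensor that raised the alert
    sid: int
    msg: str
    priority: int
    proto: str
    src_ip: str
    dst_ip: str


def _ip(endpoint: str) -> str:
    """Strip the ':port' suffix Snort appends for TCP/UDP; ICMP has none."""
    return endpoint.rsplit(":", 1)[0]


def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert for a Snort syslog line, None for anything else in the feed."""
    m = ALERT_RE.match(line)
    if m is None:
        return None  # sshd, cron, etc. share the same syslog stream; skip them
    return Alert(host=m["host"], sid=int(m["sid"]), msg=m["msg"],
                 priority=int(m["prio"]), proto=m["proto"],
                 src_ip=_ip(m["src"]), dst_ip=_ip(m["dst"]))


def in_sensor_scope(alert: Alert, sensor_ips: Dict[str, str]) -> bool:
    """A host sensor run without promiscuous mode should only see its own flows."""
    own = sensor_ips.get(alert.host)
    return own is not None and own in (alert.src_ip, alert.dst_ip)


def summarize(lines: Iterable[str], sensor_ips: Dict[str, str]
              ) -> Tuple[Counter, List[Tuple[str, int, str]]]:
    """Count alerts per host and list (host, sid, flow) for out-of-scope alerts."""
    per_host: Counter = Counter()
    out_of_scope: List[Tuple[str, int, str]] = []
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        per_host[a.host] += 1
        if not in_sensor_scope(a, sensor_ips):
            out_of_scope.append((a.host, a.sid, f"{a.src_ip} -> {a.dst_ip}"))
    return per_host, out_of_scope


# Constructed inventory: which address each host sensor owns (hypothetical hosts).
SENSOR_IPS = {"web01": "10.0.0.7", "mail01": "10.0.0.8"}

# Constructed sample of the forwarded syslog feed (not real captured data).
SAMPLE_LOG = [
    "Jul 12 01:26:05 web01 snort[812]: [1:1000001:0] SSH brute-force attempt "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
    "{TCP} 192.0.2.44:51123 -> 10.0.0.7:22",
    "Jul 12 01:26:09 mail01 snort[640]: [1:1000002:0] ICMP sweep "
    "[Priority: 3] {ICMP} 192.0.2.44 -> 10.0.0.8",
    # web01 reporting a flow to 10.0.0.9: not its own traffic, so flagged
    "Jul 12 01:26:12 web01 snort[812]: [1:1000003:0] SMB probe "
    "[Classification: Misc activity] [Priority: 3] "
    "{TCP} 192.0.2.44:51200 -> 10.0.0.9:445",
    "Jul 12 01:26:15 web01 sshd[900]: Failed password for root from 192.0.2.44 "
    "port 51130 ssh2",
]

if __name__ == "__main__":
    counts, odd = summarize(SAMPLE_LOG, SENSOR_IPS)
    for host, n in sorted(counts.items()):
        print(f"{host}: {n} alert(s)")
    for host, sid, flow in odd:
        print(f"out of scope on {host}: sid {sid} {flow}")
```

On the sensor side, Snort 2.x is started with `-p` to disable promiscuous capture and either `-s` or an `output alert_syslog:` line in snort.conf to hand alerts to the local syslog, which syslog-ng then forwards to the collector. An out-of-scope hit from the summary usually means the sensor was started without `-p`, or the host table above is stale.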