On Sun, Jun 15, 2003 at 04:29:36PM +0300, Mika Boström wrote:
> You must understand that Snort, ACID or any other IDS setup does not
> provide any protection against threats. They just monitor what takes
> place in the network.
>
> To really protect against break-ins, install a system monitor. There
> are few Tripwire-like programs. Tiger is a set of scripts, AIDE is
> perhaps the best known, Samhain is the one I've been eyeing myself.
Tripwire and similar programs don't provide any protection against break-ins. Certainly no more than snort and other network-based IDSes. Tripwire, Tiger, etc. are "host-based" IDSes, while snort is an example of a "network-based" IDS. Neither provides any actual protection against break-in; they merely help you to realize it when it happens. They should be used in concert with each other for maximum utility.

In terms of protecting against break-in, it seems like a lot of people here have been advocating the grsecurity kernel patch. I have no experience with it, but the list of features certainly makes it sound like it will protect against some of the frequently exploited classes of bugs. Certainly not all of them, though.

The best thing you can do to keep your machine secure is to simply pay attention to what's on it and to the potential intrusion vectors that exist. If you can minimize those, you don't even need grsecurity. (Though there's nothing wrong with a little paranoia, especially now that you've already experienced a break-in.)

noah
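The following is an added example, not code from the thread and not AIDE, Tripwire or Samhain's own implementation. It is a minimal Tripwire-style host-based integrity checker that shows concretely what noah means by "they merely help you to realize it when it happens": a baseline of file hashes and metadata is taken, the tree is tampered with, and a second snapshot is compared against the baseline. The directory tree, file contents and the intruder's actions in `demo()` are constructed for illustration; the `snapshot`/`compare` function names and the hash/mode/size fields are this example's choices, not any tool's format.

```python
"""Minimal Tripwire/AIDE-style file integrity checker (added example).

Builds a baseline of per-file hashes and metadata, then compares a later
snapshot against it and reports what was added, removed or modified.
Like the real tools, it detects tampering after the fact; it does nothing
to prevent it.
"""
import hashlib
import json
import os
import stat
import tempfile


def _sha256(path):
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Walk `root` and record, per regular file, its hash, mode bits and size.

    Paths are stored relative to `root` so a baseline can be compared
    against the same tree mounted elsewhere (e.g. from rescue media).
    Symlinks, sockets and devices are skipped in this toy.
    """
    entries = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root)
            entries[rel] = {
                "sha256": _sha256(full),
                "mode": stat.S_IMODE(st.st_mode),
                "size": st.st_size,
            }
    return entries


def compare(baseline, current):
    """Return {'added': [...], 'removed': [...], 'modified': {path: [fields]}}."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for path in sorted(set(baseline) & set(current)):
        changed = [k for k in ("sha256", "mode", "size")
                   if baseline[path][k] != current[path][k]]
        if changed:
            modified[path] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
        os.chmod(os.path.join(root, "bin", "ls"), 0o755)
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/sh\n")
        os.chmod(os.path.join(root, "passwd"), 0o644)
        with open(os.path.join(root, "motd"), "wb") as f:
            f.write(b"welcome\n")

        baseline = snapshot(root)  # in practice: store this off-host/read-only

        # Simulated intruder (constructed): trojan a binary, add a uid-0
        # account and make passwd world-writable, drop a backdoor, delete motd.
        with open(os.path.join(root, "bin", "ls"), "ab") as f:
            f.write(b"# trojaned\n")
        with open(os.path.join(root, "passwd"), "ab") as f:
            f.write(b"toor:x:0:0::/:/bin/sh\n")
        os.chmod(os.path.join(root, "passwd"), 0o666)
        with open(os.path.join(root, "bin", "backdoor"), "wb") as f:
            f.write(b"\x7fELF")
        os.remove(os.path.join(root, "motd"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two practical caveats follow directly from how this works. The report is only as trustworthy as the baseline: an intruder with root can rewrite a baseline kept on the same disk, which is why the real tools are run from, and keep their database on, read-only or off-host storage. And the comparison runs whenever you schedule it, so the intruder has already been in by the time anything is reported, which is exactly the limitation noah describes for both host- and network-based IDS.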