The most powerful tool in intrusion detection comes from Internet Security Systems (ISS). It produces a variety of tools like host sensor, OS sensor and, most powerful among all, network sensor. It also gives a very wide range of activities that one needs to track down for consideration in a network intrusion detection system.
---Rajesh

-----Original Message-----
From: Varun Varma
To: multiple recipients of
Cc: [EMAIL PROTECTED]
Sent: 3/17/02 7:21 PM
Subject: Re: [ilugd]: Intrusion Detection System

Dear Raju,

That's what I like about snort - it can be scaled down from being a NIDS to a HIDS, and it can be run either as a logger like iplog or as a dynamic firewall like portsentry, or both. Can detect all the common attacks like scans, smurfs, floods etc. Seems to have a far more configurable/powerful signature matching syntax than other things out there.

It is basically an IDS/dynamic firewall in one package - kinda like iplog and portsentry combined, which can be deployed over the entire network [would have to be on the firewall box, or connected to the snoop port if you just want logging] or just a single host. Now, I am sure that you can get iplog and/or portsentry to do the same by fancy hacks, but that's another discussion.

My problem is this - snort seems to have the goods, but does it deliver? Does it accurately detect attacks, does it report too many false attacks, does it just die out under heavy load?

Regards,
-Varun

--
Mindframe Software & Services Pvt. Ltd.,
A-50, Sector-39, NOIDA, U.P. - 201301, India
http://www.mindsw.com

> Hi Varun,
>
> Snort, iplog and portsentry are different tools for different purposes:
>
> - Snort: full-blown network IDS. Snoops packets on the ethernet and
>   takes actions if it finds packets matching user-specified rules.
>   Actions could include logging the connection, alerting an
>   administrator, resetting the connection, etc.
>
> - Iplog: Only an IP packet logger for a single host. Does not do
>   anything except logging. Is smart, so stops logging if it detects a
>   flood.
>
> - Portsentry: Watches specific ports on your (single) server and takes
>   appropriate action if activity is detected on them. Usually used to
>   block hosts which try to hit unauthorised ports (e.g. 31337, 139,
>   etc).
>
> Hope that makes things clearer.
>
> Regards,
>
> -- Raju
>
>>>>>> "Varun" == Varun Varma <[EMAIL PROTECTED]> writes:
>
>     Varun> Hi! Snort is a tool (http://www.snort.org) that provides
>     Varun> IDS functionality, pretty much like iplog. This seems a bit
>     Varun> fancier though - experimental built-in route deletion
>     Varun> etc. Claim to fame - made it to a Gartner Group Report on
>     Varun> IDSs, along with Cisco et al. You can see the link to the
>     Varun> report somewhere near the bottom of the homepage.
>
>     Varun> Anyone tried it? How does it stack up against iplog and/or
>     Varun> portsentry?
>
> --
> Raju Mathur [EMAIL PROTECTED] http://kandalaya.org/
> It is the mind that moves
>
> ================================================
> To subscribe, send email to [EMAIL PROTECTED] with subscribe in
> subject header. To unsubscribe, send email to [EMAIL PROTECTED]
> with unsubscribe in subject header. Archives are available at
> http://www.mail-archive.com/ilugd%40wpaa.org
> =================================================
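As an added illustration (not code from the thread, nor from Snort, iplog or portsentry) of the two host-side behaviours Raju describes above, a small detector that flags sources touching the unauthorised ports the thread names and, like iplog, stops logging a source once it floods. The sentinel port set, the flood threshold and the event list are all constructed assumptions.

```python
"""Toy host sentinel: portsentry-style blocking plus iplog-style flood cut-off.
Illustrative code only; the ports, threshold and events are constructed."""
from collections import Counter

# Assumed "unauthorised" ports, taken from the thread's own examples.
SENTINEL_PORTS = {31337, 139}
# Assumed per-source hit count after which further events are no longer logged.
FLOOD_THRESHOLD = 50

# Constructed sample input: (source_ip, destination_port) connection attempts
# as a single host would see them. 10.0.0.9 sweeps 60 ports in a row.
SAMPLE_EVENTS = [
    ("10.0.0.5", 80),
    ("10.0.0.5", 31337),   # hits a sentinel port
    ("10.0.0.7", 139),     # hits a sentinel port
    ("10.0.0.9", 22),
] + [("10.0.0.9", port) for port in range(1000, 1060)]


def analyse(events, sentinel_ports=SENTINEL_PORTS, flood_threshold=FLOOD_THRESHOLD):
    """Walk the events in order and return (blocked, logged, suppressed).

    blocked    - sources that touched a sentinel port (candidates for a deny rule)
    logged     - events that were recorded before any flood cut-off applied
    suppressed - sources whose later events were dropped because they flooded
    """
    hits = Counter()
    blocked, suppressed, logged = set(), set(), []
    for src, port in events:
        hits[src] += 1
        if hits[src] > flood_threshold:
            # iplog-style behaviour: stop logging a source that floods,
            # so the log itself cannot be used to exhaust disk or attention.
            suppressed.add(src)
            continue
        logged.append((src, port))
        if port in sentinel_ports:
            # portsentry-style behaviour: any touch of a watched port
            # marks the source for blocking.
            blocked.add(src)
    return blocked, logged, suppressed


if __name__ == "__main__":
    blocked, logged, suppressed = analyse(SAMPLE_EVENTS)
    print("blocked:", sorted(blocked))
    print("logged events:", len(logged))
    print("suppressed (flooding) sources:", sorted(suppressed))
```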