Re: IDS solution
You didn't mention if you are only looking for NIDS, so I will suggest the ossec hids to you. I have been using it very successfully and it has been much more useful than any NIDS that I have ever used (just to be fair, I'm the developer of this project, but I know some ISPs and companies that use it and like it).

The ossec hids is an open source host-based intrusion detection system. It performs log analysis, integrity checking, rootkit detection, time-based alerting and active response...

*oh yeah, it runs on OpenBSD. My development box is OpenBSD :) I don't need to say anything else :)

If you are interested, download it from:
http://www.ossec.net/files/ossec-hids-0.7.tar.gz

More info: http://www.ossec.net

thanks,

--
Daniel B. Cid
dcid @ ( at ) ossec.net
http://www.ossec.net

--- "Hutger H." <[EMAIL PROTECTED]> wrote:
> Hi folks,
>
> I've been looking for a consolidated IDS solution that I can deploy in
> my network. Snort is really a good option but currently it seems that
> they are charging for updates, is that true? I'd like to find out a free
> of charge Linux, or BSD, solution that can work as well as snort works
> and, rather, with some successful deployment cases.
>
> Any ideas?
>
> Thanks in advance,
>
> Hutger.
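As an added illustration for readers who have not run a host-based IDS before, the snippet below sketches two of the mechanisms Daniel lists, log analysis with time-based alerting and integrity checking against a baseline. It is example code written for this page, not OSSEC's code and not anything posted in the thread; the syslog lines, hostnames, users and addresses are constructed, the threshold and window values are arbitrary, and the year supplied to the timestamp parser is an assumption because syslog timestamps carry none.

```python
"""Constructed HIDS-style demo: sliding-window failed-login alerting over syslog
lines, plus SHA-256 file integrity checking. Illustrative only; not OSSEC code."""
import hashlib
import os
import re
import tempfile
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines (hypothetical host "gw", users and addresses).
SAMPLE_LOG = """\
Mar 22 10:54:01 gw sshd[4121]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2
Mar 22 10:54:03 gw sshd[4121]: Failed password for invalid user admin from 192.0.2.10 port 51023 ssh2
Mar 22 10:54:04 gw sshd[4121]: Accepted publickey for reyk from 198.51.100.7 port 40110 ssh2
Mar 22 10:54:06 gw sshd[4121]: Failed password for root from 192.0.2.10 port 51024 ssh2
Mar 22 10:54:09 gw sshd[4121]: Failed password for root from 192.0.2.10 port 51025 ssh2
Mar 22 10:59:30 gw sshd[4121]: Failed password for root from 203.0.113.5 port 60001 ssh2
Mar 22 11:09:31 gw sshd[4121]: Failed password for root from 203.0.113.5 port 60002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_ts(ts, year=2006):
    """syslog timestamps have no year; the year is an assumption of this example."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def failed_login_alerts(log_text, threshold=4, window_s=60):
    """Return [(src_ip, first_ts, last_ts)] for each source that reaches
    `threshold` failed logins inside any `window_s`-second sliding window.
    Each source alerts at most once per run (like a correlation rule firing)."""
    recent = defaultdict(deque)  # src -> timestamps still inside the window
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # not a failed-login event; other rules would handle it
        src, t = m.group("src"), parse_ts(m.group("ts"))
        q = recent[src]
        q.append(t)
        while (t - q[0]).total_seconds() > window_s:
            q.popleft()  # expire events that fell out of the window
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, q[0], t))
    return alerts


def hash_tree(root):
    """Map each regular file under `root` (path relative to root) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                digests[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return digests


def integrity_diff(baseline, current):
    """Compare two hash_tree() snapshots; report added, removed and modified paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def integrity_demo():
    """Baseline a throwaway tree, simulate a config edit and an unexpected new
    file, and return what the integrity check reports (constructed scenario)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "usr", "local", "bin"))
        with open(os.path.join(root, "etc", "sshd_config"), "wb") as f:
            f.write(b"PermitRootLogin no\n")
        with open(os.path.join(root, "etc", "motd"), "wb") as f:
            f.write(b"Authorized use only\n")
        baseline = hash_tree(root)
        # Changes that a later integrity scan should surface:
        with open(os.path.join(root, "etc", "sshd_config"), "wb") as f:
            f.write(b"PermitRootLogin yes\n")
        with open(os.path.join(root, "usr", "local", "bin", "unexpected"), "wb") as f:
            f.write(b"#!/bin/sh\n")
        return integrity_diff(baseline, hash_tree(root))


if __name__ == "__main__":
    for src, first, last in failed_login_alerts(SAMPLE_LOG):
        print(f"ALERT: {src} failed login threshold reached between {first} and {last}")
    print("integrity:", integrity_demo())
```

Run stand-alone it reports one brute-force alert for 192.0.2.10 (four failures in eight seconds) and none for 203.0.113.5, whose two failures are ten minutes apart, and the integrity scan lists the edited sshd_config and the new binary. The "active response" step a real HIDS would take on such an alert (for example, a firewall rule) is deliberately left out here; the functions only return the findings.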
Re: IDS solution
On 3/21/06, Jason Crawford <[EMAIL PROTECTED]> wrote:
> On 3/21/06, Hutger H. <[EMAIL PROTECTED]> wrote:
> > Hi folks,
> >
> > I've been looking for a consolidated IDS solution that I can deploy in
> > my network. Snort is really a good option but currently it seems that
> > they are charging for updates, is that true? I'd like to find out a free
> > of charge Linux, or BSD, solution that can work as well as snort works
> > and, rather, with some successful deployment cases.
> >
> > Any ideas?
>
> Well as far as charging for updates goes, that's only for rulesets I
> believe. Basically, the rules that you get with the snort tar ball are
> all you get, if you want updates to them you gotta pay. But later
> versions of snort are free, so upgrading from 2.4.3 to 2.4.4 is free,
> just not the extra snort rules. And even then, only the SourceFire VRT
> Certified Rules cost money (for subscriptions and redistribution
> rights I believe), a community driven rule group is still free,
> however they don't "Guarantee" the rules. If I were you, I'd stick
> with snort, you'll be hard pressed to find a free NIDS that is as
> robust, and I speak from experience, as I've set up some pretty damn
> large and complex snort deployments for my work in the past.
>
> Jason
>

Hutger:

VRT Rules are free after you register an account. You are not entitled to new VRT rule drops until 1 week after they are initially released with the free registration. Paying subscribers get the rules when they are first available.

In the rules download section you will notice four download sections:
- Sourcefire VRT Certified Rules (subscription release)
- Sourcefire VRT Certified Rules (registered user release)
- Sourcefire VRT Certified Rules (unregistered user release)
- Community Rules

The 'subscription release' requires a paid subscription.
The 'registered user release' is one week behind the subscription release and is free with a registered account.
The 'unregistered user release' is the ruleset included with the source distribution and is free for all.
The 'Community Rules' are free for all.

There is also http://www.bleedingsnort.com/ that has its own rule sets available to supplement the VRT rules.

The one thing that is missing while using snort on BSD is the ability to run snort inline, where you can have snort block certain network traffic based on rules (aka IPS). There is a project, pq - http://www.openbeer.it/?open=pq that is attempting to address this for BSD.

You have to request an oink code to get the VRT rules using oinkmaster. This is free with a registered account.

Axton Grams
Re: IDS solution
On Wed, Mar 22, 2006 at 10:54:04AM +0100, Huzeyfe Onal wrote:
> not bsd-ids.org, try http://www.bro-ids.org/ address.
>

yes, sorry for this typo ;)

reyk
Re: IDS solution
not bsd-ids.org, try http://www.bro-ids.org/ address.

On 3/22/06, edgarz <[EMAIL PROTECTED]> wrote:
>
> Reyk Floeter wrote:
> > hi,
> >
> > On Tue, Mar 21, 2006 at 02:50:35PM -0300, Hutger H. wrote:
> >
> >> I've been looking for a consolidated IDS solution that I can deploy in
> >> my network. Snort is really a good option but currently it seems that
> >> they are charging for updates, is that true? I'd like to find out a free
> >> of charge Linux, or BSD, solution that can work as well as snort works
> >> and, rather, with some successful deployment cases.
> >>
> >
> >
> > an alternative approach to snort is bro, which uses a bsd-style license.
> >
> > http://www.bsd-ids.org/
> Are you sure about it? Domain not found.
> >
> >
> > the c++ code is a bit ugly, but the system is very powerful, supports
> > snort rules and is also supported by most of the hybrid IDS frameworks
> > (like prelude-ids). bro claims that their own context-based rule
> > language is even more powerful than the snort stuff.
> >
> > reyk
>
>

--
Huzeyfe ONAL
---
First Turkish Qmail book is out! Go check it.
Did you hear? Turkey's first Qmail book is out.
http://www.acikakademi.com/catalog/qmail/
Re: IDS solution
On 22/03/06, edgarz <[EMAIL PROTECTED]> wrote:
> Reyk Floeter wrote:
> > hi,
> >
> > On Tue, Mar 21, 2006 at 02:50:35PM -0300, Hutger H. wrote:
> >
> >> I've been looking for a consolidated IDS solution that I can deploy in
> >> my network. Snort is really a good option but currently it seems that
> >> they are charging for updates, is that true? I'd like to find out a free
> >> of charge Linux, or BSD, solution that can work as well as snort works
> >> and, rather, with some successful deployment cases.
> >>
> >
> >
> > an alternative approach to snort is bro, which uses a bsd-style license.
> >
> > http://www.bsd-ids.org/
> Are you sure about it? Domain not found.
> >
> >
> > the c++ code is a bit ugly, but the system is very powerful, supports
> > snort rules and is also supported by most of the hybrid IDS frameworks
> > (like prelude-ids). bro claims that their own context-based rule
> > language is even more powerful than the snort stuff.
> >
> > reyk
>
>

No, the link is http://www.bro-ids.org/
Re: IDS solution
Reyk Floeter wrote:
> hi,
>
> On Tue, Mar 21, 2006 at 02:50:35PM -0300, Hutger H. wrote:
>
>> I've been looking for a consolidated IDS solution that I can deploy in
>> my network. Snort is really a good option but currently it seems that
>> they are charging for updates, is that true? I'd like to find out a free
>> of charge Linux, or BSD, solution that can work as well as snort works
>> and, rather, with some successful deployment cases.
>>
>
> an alternative approach to snort is bro, which uses a bsd-style license.
>
> http://www.bsd-ids.org/

Are you sure about it? Domain not found.

> the c++ code is a bit ugly, but the system is very powerful, supports
> snort rules and is also supported by most of the hybrid IDS frameworks
> (like prelude-ids). bro claims that their own context-based rule
> language is even more powerful than the snort stuff.
>
> reyk
Re: IDS solution
hi,

On Tue, Mar 21, 2006 at 02:50:35PM -0300, Hutger H. wrote:
> I've been looking for a consolidated IDS solution that I can deploy in
> my network. Snort is really a good option but currently it seems that
> they are charging for updates, is that true? I'd like to find out a free
> of charge Linux, or BSD, solution that can work as well as snort works
> and, rather, with some successful deployment cases.
>

an alternative approach to snort is bro, which uses a bsd-style license.

http://www.bsd-ids.org/

the c++ code is a bit ugly, but the system is very powerful, supports
snort rules and is also supported by most of the hybrid IDS frameworks
(like prelude-ids). bro claims that their own context-based rule
language is even more powerful than the snort stuff.

reyk

--
/* .vantronix|secure systems - (research & development)
 * reyk floeter - friendly known free software engineer
 * [EMAIL PROTECTED] - http://team.vantronix.net/reyk/
 */
Re: IDS solution
On 3/21/06, Hutger H. <[EMAIL PROTECTED]> wrote:
> Hi folks,
>
> I've been looking for a consolidated IDS solution that I can deploy in
> my network. Snort is really a good option but currently it seems that
> they are charging for updates, is that true? I'd like to find out a free
> of charge Linux, or BSD, solution that can work as well as snort works
> and, rather, with some successful deployment cases.
>
> Any ideas?

Well as far as charging for updates goes, that's only for rulesets I believe. Basically, the rules that you get with the snort tar ball are all you get, if you want updates to them you gotta pay. But later versions of snort are free, so upgrading from 2.4.3 to 2.4.4 is free, just not the extra snort rules. And even then, only the SourceFire VRT Certified Rules cost money (for subscriptions and redistribution rights I believe), a community driven rule group is still free, however they don't "Guarantee" the rules. If I were you, I'd stick with snort, you'll be hard pressed to find a free NIDS that is as robust, and I speak from experience, as I've set up some pretty damn large and complex snort deployments for my work in the past.

Jason
Re: IDS solution
Hutger H. wrote:
> Hi folks,
>
> I've been looking for a consolidated IDS solution that I can deploy in
> my network. Snort is really a good option but currently it seems that
> they are charging for updates, is that true? I'd like to find out a free
> of charge Linux, or BSD, solution that can work as well as snort works
> and, rather, with some successful deployment cases.

I just visited the Snort website, and I didn't have any trouble getting the source for it...

http://www.snort.org/dl/

Isn't snort also included in ports and packages???

Bryan
IDS solution
Hi folks,

I've been looking for a consolidated IDS solution that I can deploy in my network. Snort is really a good option but currently it seems that they are charging for updates, is that true? I'd like to find out a free of charge Linux, or BSD, solution that can work as well as snort works and, rather, with some successful deployment cases.

Any ideas?

Thanks in advance,

Hutger.