IDS?

Ben Ricker yellowdog-general@lists.terrasoftsolutions.com
Tue Dec 2 06:08:02 2003


On Tuesday, December 2, 2003, at 02:17 AM, R. McFarlane wrote:

> Hello list,
>
> For a co-lo server, what do you recommend for IDS? I've heard of snort 
> and tripwire. Any preferences? Drawbacks? True life stories?

I am not sure what good snort will do on the server being protected. 
Usually, snort is put on a dedicated IDS server which captures 
everything on the wire and rule-matches for intrusion detection and 
notification. If a hacker gets your box, snort may know about it, but 
may also be disabled by a knowing hacker. Additionally, you would need 
to put the NIC of the box in promiscuous mode, which may not sit well 
with the network person.

Tripwire is a good thing, if you are sure the box is secure when 
creating the database. If this box is going to be vulnerable (on the 
internet), I would run it as often as possible.

Another tool I would recommend is logwatcher. It scans the logs and 
sends notices about activity different from the norm. Good way to see 
what is going on with the box. Again, run it often if the servers are 
vulnerable (I run logwatcher every 5 minutes on my Internet-facing 
servers).

HTH,

Ben Ricker
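The Tripwire model Ben describes (snapshot a known-clean box into a database, then re-verify on a schedule and report anything that changed) is simple enough to show in a few dozen lines. The following is an added illustration, not code from the thread or from Tripwire itself; it builds a baseline of SHA-256 digests, sizes and modes over a directory tree, tampers with a constructed scratch tree, and reports added, removed and modified files. Directory and file names in the demo are invented.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path, chunk=65536):
    """SHA-256 of a file's contents, read in chunks so large files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Record digest, size and permission bits for every regular file under root.

    As the post says, this is only trustworthy if the host is known-clean at the
    moment the baseline is taken; a baseline of a compromised box just enshrines
    the intruder's changes.
    """
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            st = os.stat(path)
            rel = os.path.relpath(path, root)
            baseline[rel] = {
                "sha256": file_digest(path),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def verify(root, baseline):
    """Re-scan root and diff it against a saved baseline."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(current) & set(baseline)
                      if current[p] != baseline[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a scratch tree, alter it, verify twice."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.mkdir(bin_dir)
        with open(os.path.join(bin_dir, "ls"), "wb") as f:
            f.write(b"original ls binary\n")
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0::/root:/bin/sh\n")

        baseline = build_baseline(root)
        # Round-trip through JSON as a real tool would persist its database.
        # Keep that database off-host or on read-only media: if an intruder can
        # rewrite it, they can simply re-baseline their own changes.
        saved = json.loads(json.dumps(baseline))
        clean_report = verify(root, saved)

        # Simulated changes: one file replaced, one deleted, one new file.
        with open(os.path.join(bin_dir, "ls"), "wb") as f:
            f.write(b"replaced ls binary\n")
        os.remove(os.path.join(root, "passwd"))
        with open(os.path.join(root, "unexpected.so"), "wb") as f:
            f.write(b"unexpected library\n")
        tampered_report = verify(root, saved)

        return clean_report, tampered_report


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean run:", clean)
    print("after changes:", tampered)
```

Running `verify()` from cron every few minutes, as the post suggests for exposed servers, shortens the window between a change and its detection; the cost is one full read of the watched tree per run, which is why real tools let you scope the policy to system binaries and configuration rather than the whole filesystem.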