IDS?
Ben Ricker
yellowdog-general@lists.terrasoftsolutions.com
Tue Dec 2 06:08:02 2003
On Tuesday, December 2, 2003, at 02:17 AM, R. McFarlane wrote:
> Hello list,
>
> For a co-lo server, what do you recommend for IDS? I've heard of snort
> and tripwire. Any preferences? Drawbacks? True life stories?
I am not sure what good snort will do on the server being protected.
Usually, snort is put on a dedicated IDS server which captures
everything on the wire and rule-matches for intrusion detection and
notification. If a hacker gets your box, snort may know about it, but
may also be disabled by a knowing hacker. Additionally, you would need
to put the NIC of the box in promiscuous mode, which may not sit well
with the network person.
Tripwire is a good thing, if you are sure the box is secure when
creating the database. If this box is going to be vulnerable (on the
internet), I would run it as often as possible.
Another tool I would recommend is logwatcher. It scans the logs and
sends notices about activity different from the norm. Good way to see
what is going on with the box. Again, run it often if the servers are
vulnerable (I run logwatcher every 5 minutes on my Internet-facing
servers).
HTH,
Ben Ricker
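To make concrete what the Tripwire-style check discussed above actually does, here is a small added example (not code from the list, from Tripwire, or from logwatcher): it records a baseline of hashes and metadata for every file under a directory, then compares a later snapshot and reports added, removed and modified files. The sample tree, its contents and the simulated tampering are constructed in a temporary directory; the `demo()` function is an assumed name for this illustration.

```python
import hashlib, os, stat, shutil, tempfile
from pathlib import Path

def snapshot(root):
    """Record sha256, size, permission bits and owner of every regular file under root."""
    root = Path(root)
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):   # skip symlinks, devices, sockets
                continue
            h = hashlib.sha256()
            with open(p, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            db[str(p.relative_to(root))] = {
                "sha256": h.hexdigest(), "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
            }
    return db

def compare(baseline, current):
    """Diff two snapshots. Any hash, size, mode or owner change counts as modified."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def demo():
    """Constructed example: baseline a tiny tree, alter it, re-check against the baseline."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "etc").mkdir()
    (root / "bin" / "ls").write_bytes(b"ELF original")
    (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
    # The baseline is only meaningful if taken while the box is known clean,
    # and it should be stored off the box (or on read-only media) so a later
    # intruder cannot simply rewrite it to match their changes.
    baseline = snapshot(root)
    # Simulated post-compromise changes: replaced binary, appended account, dropped file.
    (root / "bin" / "ls").write_bytes(b"ELF replaced")
    with open(root / "etc" / "passwd", "a") as f:
        f.write("eve:x:0:0::/:/bin/sh\n")
    (root / "bin" / "extra").write_bytes(b"x")
    report = compare(baseline, snapshot(root))
    shutil.rmtree(root)
    return report
```

Running `snapshot()` from cron against a baseline kept off the machine is the "run it as often as possible" advice from the mail in its simplest form.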