[nylug-talk] Intrusion Detection

H. G. tekronis at gmail.com
Thu Mar 27 20:43:31 EDT 2008


A good <time_of_day_goes_here> to you all.

I'm quite interested in hearing what the wizened and tooth-cut
Linux users of the list have to say on the subject of IDSes.  I'm
currently using OSSEC, and it isn't too bad.  Since it's fairly
new, it's moving along decently.  Of course we've all heard
about Tripwire, but I decided to avoid it since the open source
version seemed dead ever since the Tripwire guys went commercial.

As I recall, the most low impact way to monitor the filesystem was
with fam or something, since fam alerts you when files change,
as opposed to you manually sweeping the filesystem looking
for changes (causing lots of disk activity and performance
problems in the process).  OSSEC doesn't use the former
strategy, unfortunately. :-(

There's also aide, but I never gave it a shot.  OSSEC's swank
web interface makes it easy for folks to view anomalies.
So what has been everyone's experiences?

DISCLAIMER: we all know IDSes won't _prevent_ attacks,
intrusions or exploitations, but at the very least with them around,
there's a chance you'll *find out*, which is always better than
being entirely clueless.
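
The post contrasts fam-style change notification with the "manual sweep" that Tripwire, AIDE and OSSEC's syscheck perform. The following is an added example of that sweep strategy written for this page; it is not code from the post, nor from OSSEC, AIDE or Tripwire. It hashes every regular file under a directory, stores a JSON baseline, and on the next sweep reports files that were added, removed or modified (content, size or permission bits). The directory tree and the tampering it detects are constructed inside a temporary directory so the script runs offline; the filenames under it are illustrative, not real host data.

```python
"""Baseline-and-compare file integrity sweep (added example, not OSSEC/AIDE/Tripwire code).

Each sweep walks the tree and records a SHA-256 digest, size and mode for every
regular file; symlinks are recorded by their target instead of being followed.
Comparing two sweeps yields added / removed / modified paths. The demo tree
below is constructed for illustration only.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of file contents, read in 64 KiB chunks so big files stay out of RAM."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Record digest, size and permission bits for every regular file under root.

    Keys are paths relative to root so baselines compare across sweeps. A symlink
    is stored by its target string rather than followed, so a link repointed
    elsewhere shows up as a modification instead of silently passing.
    """
    entries = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            st = p.lstat()
            if stat.S_ISLNK(st.st_mode):
                entries[rel] = {"link": os.readlink(p)}
            elif stat.S_ISREG(st.st_mode):
                entries[rel] = {
                    "sha256": file_digest(p),
                    "size": st.st_size,
                    "mode": stat.S_IMODE(st.st_mode),
                }
    return entries


def compare(baseline: dict, current: dict) -> dict:
    """Return sorted lists of added, removed and modified relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(entries: dict, path: Path) -> None:
    path.write_text(json.dumps(entries, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Build a constructed tree, baseline it, change it, and re-sweep."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "cron.d").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "cron.d" / "backup").write_text("0 2 * * * root /usr/local/bin/backup\n")
        (root / "motd").write_text("welcome\n")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Constructed changes between sweeps: one file edited, one file's mode
        # changed, one removed, one added. The sweep should report all four.
        (root / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\n"
            "backup:x:1001:1001::/var/backups:/sbin/nologin\n")
        (root / "cron.d" / "backup").chmod(0o777)
        (root / "motd").unlink()
        (root / "cron.d" / "extra").write_text("*/5 * * * * root /usr/local/bin/extra\n")

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In practice the baseline file must live somewhere the monitored host cannot quietly rewrite (read-only media or a remote host), otherwise an intruder simply re-baselines after making changes. The whole-tree walk and hashing is exactly the disk activity the post complains about, which is why notification-driven tools (fam, and later inotify) only hash the files the kernel reports as changed.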
