[nylug-talk] Intrusion Detection
Rodrick Brown
rodrick.brown at gmail.com
Fri Mar 28 01:05:42 EDT 2008
On Thu, Mar 27, 2008 at 8:43 PM, H. G. <tekronis at gmail.com> wrote:
> A good <time_of_day_goes_here> to you all.
>
> I'm quite interested in hearing what the wizened and tooth-cut
> Linux users of the list have to say on the subject of IDSes. I'm
> currently using OSSEC, and it isn't too bad. Since it's fairly
> new, it's moving along decently. Of course we've all heard
> about Tripwire, but I decided to avoid it since the open source
> version seemed dead ever since the Tripwire guys went commercial.
>
> As I recall, the most low-impact way to monitor the filesystem was
> with fam or something, since fam alerts you when files change,
> as opposed to you manually sweeping the filesystem looking
> for changes (causing lots of disk activity and performance
> problems in the process). OSSEC doesn't use the former
> strategy, unfortunately. :-(
>
> There's also aide, but I never gave it a shot. OSSEC's swank
> web interface makes it easy for folks to view anomalies.
> So what has been everyone's experiences?
>
> DISCLAIMER: we all know IDSes won't _prevent_ attacks,
> intrusions or exploitations, but at the very least with them around,
> there's a chance you'll *find out*, which is always better than
> being entirely clueless.
> _____________________________________________________________________________
> Hire expert Linux talent by posting jobs here :: http://jobs.nylug.org
> The nylug-talk mailing list is at nylug-talk at nylug.org
> The list archive is at http://nylug.org/pipermail/nylug-talk
> To subscribe or unsubscribe: http://nylug.org/mailman/listinfo/nylug-talk
>
IDS/IPS are just a waste of bandwidth; I feel it's much faster to
reimage a system these days than to go through IDS logs to figure out
what has been compromised. I personally feel the entire network
IDS/IPS market is dead. Who is buying these devices?
--
[ Rodrick R. Brown ]
http://www.rodrickbrown.com
http://www.linkedin.com/in/rodrickbrown
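The quoted question contrasts two ways of watching a filesystem: fam-style change notification versus a periodic sweep that re-hashes everything, as aide and Tripwire do. The following is an added example of the sweep approach, written for this archive page; it is not code from the thread, OSSEC, aide or Tripwire. It assumes a POSIX host (permission bits from os.lstat) and builds its own constructed sample tree in a temporary directory, so it runs offline.

```python
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, Tuple

# One baseline entry per file: (sha256 of contents, permission bits, size in bytes).
Record = Tuple[str, int, int]


def fingerprint(path: str) -> Record:
    """Hash the file's contents and record the metadata that most often changes
    when a binary is replaced or backdoored: permission bits and size."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.lstat(path)
    return (h.hexdigest(), stat.S_IMODE(st.st_mode), st.st_size)


def build_baseline(root: str) -> Dict[str, Record]:
    """Sweep the tree once and fingerprint every regular file. Symlinks are
    skipped so a link into /dev or /proc cannot stall or mislead the sweep.
    Keys are paths relative to root so the baseline is portable."""
    baseline: Dict[str, Record] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def compare(old: Dict[str, Record], new: Dict[str, Record]) -> Dict[str, list]:
    """Classify every difference between two sweeps as added, removed or modified."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline: Dict[str, Record], path: str) -> None:
    """Persist the baseline as JSON (in practice: read-only media or another host)."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> Dict[str, Record]:
    with open(path) as f:
        return {k: tuple(v) for k, v in json.load(f).items()}


def _write(root: str, rel: str, data: bytes, mode: int = 0o644) -> None:
    """Helper for the constructed sample tree."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.chmod(full, mode)


def demo() -> Dict[str, list]:
    """Constructed scenario: baseline a tiny fake filesystem, apply the kinds of
    change an integrity checker should flag, and return the report."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "bin/tool", b"#!/bin/sh\necho tool\n", 0o755)
        _write(root, "usr/local/bin/helper", b"#!/bin/sh\necho helper\n", 0o755)
        baseline_file = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_file)

        # Four changes: content edit, mode-only change (setuid bit, same bytes),
        # deletion, and a new file in a location that deserves attention.
        with open(os.path.join(root, "etc/passwd"), "ab") as f:
            f.write(b"svc:x:0:0::/:/bin/sh\n")
        os.chmod(os.path.join(root, "bin/tool"), 0o4755)
        os.remove(os.path.join(root, "usr/local/bin/helper"))
        _write(root, "etc/cron.d/job", b"* * * * * root /tmp/x\n")

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The sweep reads every file on each run, which is exactly the disk activity the question complains about; a notification-driven watcher avoids that cost but only sees changes made while it is running, so the two approaches are complementary rather than competing. Whichever is used, the baseline itself has to live somewhere a root-level intruder cannot rewrite it, or the comparison proves nothing.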