Moyer, Shawn smoyer at ...5894...
Thu Jul 11 23:28:05 EDT 2002

DoL wrote:
 > Hi
 > I have asked this same question on "Snort-Devel" with not much success.
 > So I am trying this here.
 > Just wonder if there is any plan / way to support or integrate HID
 > agents? And how, please!
 > Thanks
 > /dl

Prolly you got a lukewarm response because it's a question that's 
fraught with other issues.

First, define what you mean by HID, since what this means changes on a 
vendor-by-vendor basis. Is what you want simply monitoring interfaces on 
hosts for bad traffic in addition to monitoring the whole network? If 
so, Snort can easily be run in non-promisc mode on individual hosts 
logging to a central server to get this.

If you mean more in-depth monitoring of events at an app, kernel, stack 
write, and log level on hosts and such, I'd check out Dragon Squire or 
ISS Server Sensor (yes, I said the I-word, hugs and kisses to Klaus and 
co., I know they read this list, they have to get their ideas somewhere) 
if you want to pay money, get support, yadda yadda. I think Cisco has 
some crap that purports to do this as well.

I've had pretty good luck myself with Syslog-NG, NTsyslog, Logcheck, 
Swatch, Tripwire, Samhain, (google for 'em or look on Sourceforge) and a 
number of other homebaked toys to do host IDS-ish things on boxes, and 
from what I understand you can push some of that data into the Snort DB 
for perusing in ACID if you're so inclined, although personally I 
haven't done it. There's also tons of other free auditing / logging 
tools out there for whatever OS you like, not to mention vendor docs on 
enabling stronger logging / auditing / security measures.

The question is, what do you gain by integrating the two, other than 
navel-gazing? Let the host stuff do its thing, and the NIDS stuff do its 
thing, and as long as both of them make your pager go off at 3 in the 
morning when the fit hits the shan everybody's happy, right?