[Snort-users] any support / plug-in / integration plan for HID
smoyer at ...5894...
Thu Jul 11 23:28:05 EDT 2002
> I have asked this same question on "Snort-Devel" with not much success.
> So I am trying this here.
> Just wonder if there is any plan / way to support or integrate HID
> agents? And how, please!
Prolly you got a lukewarm response because it's a question that's
fraught with other issues.
First, define what you mean by HID, since what this means changes on a
vendor-by-vendor basis. Is what you want simply monitoring interfaces on
hosts for bad traffic in addition to monitoring the whole network? If
so, Snort can easily be run in non-promisc mode on individual hosts
logging to a central server to get this.
If you mean more in-depth monitoring of events at an app, kernel, stack
write, and log level on hosts and such, I'd check out Dragon Squire or
ISS Server Sensor (yes, I said the I-word, hugs and kisses to Klaus and
co., I know they read this list, they have to get their ideas somewhere)
if you want to pay money, get support, yadda yadda. I think Cisco has
some crap that purports to do this as well.
I've had pretty good luck myself with Syslog-NG, NTsyslog, Logcheck,
Swatch, Tripwire, Samhain, (google for 'em or look on Sourceforge) and a
number of other homebaked toys to do host IDS-ish things on boxes, and
from what I understand you can push some of that data into the Snort DB
for perusing in ACID if you're so inclined, although personally I
haven't done it. There are also tons of other free auditing / logging
tools out there for whatever OS you like, not to mention vendor docs on
enabling stronger logging / auditing / security measures.
The question is, what do you gain by integrating the two, other than
navel-gazing? Let the host stuff do its thing, and the NIDS stuff do its
thing, and as long as both of them make your pager go off at 3 in the
morning when the fit hits the shan everybody's happy, right?
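The "Snort in non-promisc mode on each host, logging to a central server" setup above produces one syslog stream per host. As an added example (not part of this post or of Snort), here is a small collector-side parser for that stream: it picks Snort's `alert_syslog` lines out of mixed syslog input, tags each alert with the host sensor that raised it, and flags sources that tripped sensors on more than one host. The syslog sample, hostnames, SIDs, messages and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: syslog lines as forwarded to a central collector from
# three hosts, each running Snort (non-promisc) with "output alert_syslog".
# The alert layout follows Snort's syslog output; hostnames, SIDs, messages
# and addresses are made up for this example.
SAMPLE_SYSLOG = """\
Jul 11 23:10:01 web01 snort[1412]: [1:1000001:1] EXAMPLE web probe [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.0.2.10:40212 -> 198.51.100.5:80
Jul 11 23:10:03 db01 snort[2201]: [1:1000002:1] EXAMPLE db login flood [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.0.2.10:40300 -> 198.51.100.9:1433
Jul 11 23:10:05 web01 snort[1412]: [1:1000001:1] EXAMPLE web probe [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.0.2.11:51000 -> 198.51.100.5:80
Jul 11 23:10:06 mail01 snort[3300]: [1:1000003:1] EXAMPLE ping sweep [Priority: 3]: {ICMP} 192.0.2.10 -> 198.51.100.7
Jul 11 23:10:07 mail01 sshd[990]: Accepted publickey for ops from 198.51.100.20 port 5022 ssh2
"""

# Classification is optional (rules without a classtype), ports are optional (ICMP).
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<sensor>\S+) snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_alerts(text):
    """Return one dict per Snort alert line; non-Snort syslog lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        for k in ("gid", "sid", "rev", "prio"):
            d[k] = int(d[k])
        alerts.append(d)
    return alerts

def sources_by_sensor(alerts, max_prio=2):
    """Map each source address to the set of host sensors that alerted on it
    at priority max_prio or better (1 is the most severe in Snort)."""
    seen = defaultdict(set)
    for a in alerts:
        if a["prio"] <= max_prio:
            seen[a["src"]].add(a["sensor"])
    return dict(seen)

def multi_host_sources(alerts, max_prio=2):
    """Sources that tripped sensors on more than one host: the correlation
    you only get once the per-host logs sit in one place."""
    by_src = sources_by_sensor(alerts, max_prio)
    return sorted(src for src, hosts in by_src.items() if len(hosts) > 1)

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_SYSLOG)
    print(len(alerts), "Snort alerts; multi-host sources:", multi_host_sources(alerts))
```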