Subject: Re: Intrusion Detection Logfile Software
From: Billy Austin (baustinINTRUSION.COM)
Date: Wed Oct 11 2000 - 20:46:45 CDT


Jason:

First,

Intrusion.com offers SecureNet Pro, a high performance network intrusion
detection system that runs on Linux. You can download an evaluation at
http://www.intrusion.com/ or request an integrated appliance with hardened
Linux as the OS.

Not sure what your requirements are, however you can check the features at
http://www.intrusion.com/Products/securenet.shtml for yourself.

Secondly,

Ron mentioned that by running a web-SSL attack, most NIDS don't report
anything. Place the firewall in front of the NIDS and the NIDS may not see
port scans. This is not a true statement for SecureNet Pro.

He also mentions if you have a Nokia firewall with a built-in CSU/DSU T1
interface, then you may not get the chance to put a NIDS in front of the
firewall.

I agree with him partially, however if you're looking for a great single point
of failure, then the Nokia integrated router/firewall may be a great choice
for you, especially if you like the month of February. Not only would you not
be able to put an IDS in front of this firewall/slash router, but you would
also be vulnerable to a variety of attacks if you have BGP or OSPF enabled
on the Nokia platform, as it would not be uncommon to see an injection of
bogus routes.

Bottom line, by having your router and firewall reside as separate devices,
this will eliminate both the single point of failure and the need to have an
IDS between the firewall and router. I am not stating that this is a bad
solution for all environments, just giving you a few thoughts for pondering.

SecureNet Pro and Dragon are the only two commercial NIDS solutions today
that I am aware of for Linux.

Check them both out for yourself.

SecureNet Pro would be a great choice if any of the following are important
to you:

100Mbps detection with no packet loss
100% packet defragmentation
Out-of-order or overlapping tcp segment reassembly
Real-time session logging and termination
Support for both win32 and unix fragment reassembly methods
Multi-threaded architecture
State-based protocol decoding
Application-layer anomaly detection
CSV/HTML/Text report generation
Integrated Scripting Language

Cheers,

Billy Austin
Vice President
Intrusion.com
http://www.intrusion.com/
baustinintrusion.com

-----Original Message-----
From: Jason Tackaberry [mailto:tackLINUX.COM]
Sent: Tuesday, October 10, 2000 5:43 PM
To: FOCUS-IDSSECURITYFOCUS.COM
Subject: Re: Intrusion Detection Logfile Software

> If your pocketbook is thin, you can go for the obvious no-cost solution of
> Snort+aracNIDS?

What reasons would there be _not_ to go with this solution?

I'm passively investigating IDS solutions for Linux, so I'm curious
about what's available, and what you guys think is good. What other
free or commercial NIDS packages are available?

Cheers,
Jason.
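Two items in Billy's feature list, overlapping TCP segment reassembly and support for more than one reassembly method, point at a real sensor problem: end hosts resolve overlapping bytes differently, so a NIDS that reassembles under the wrong policy reconstructs a different stream than the target does and can miss or misread what was actually delivered. The Python below is an added illustration, not code from this thread or from SecureNet Pro; the `Segment` type, the policy names `favor_old`/`favor_new` and the sample segments are constructed for the example, and no mapping of policies to particular operating systems is claimed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    seq: int      # TCP sequence number of the first byte in data
    data: bytes

def reassemble(segments, isn, policy="favor_old"):
    """Rebuild the contiguous stream starting at isn from segments given in
    arrival order. Overlapping bytes are resolved by `policy` (hypothetical
    names for this example):
      favor_old - data already buffered wins, later overlap is ignored
      favor_new - later overlapping data overwrites what was buffered
    """
    if policy not in ("favor_old", "favor_new"):
        raise ValueError(f"unknown policy {policy!r}")
    buf = {}                                # absolute seq -> byte value
    for seg in segments:
        for i, byte in enumerate(seg.data):
            pos = seg.seq + i
            if policy == "favor_new" or pos not in buf:
                buf[pos] = byte
    out, pos = bytearray(), isn
    while pos in buf:                       # stop at the first hole
        out.append(buf[pos])
        pos += 1
    return bytes(out)

def inconsistent_overlaps(segments):
    """Return (seq, first_byte, later_byte) for every overlapping byte whose
    retransmitted value differs from what was first seen. A sensor should
    alert on this: host and NIDS may now disagree on the stream contents."""
    seen, conflicts = {}, []
    for seg in segments:
        for i, byte in enumerate(seg.data):
            pos = seg.seq + i
            if pos in seen and seen[pos] != byte:
                conflicts.append((pos, seen[pos], byte))
            seen.setdefault(pos, byte)
    return conflicts

# Constructed sample: out-of-order delivery plus a "retransmission" of
# seq 1005-1015 that carries different bytes than the original segment.
ISN = 1000
SAMPLE = [
    Segment(1016, b"HTTP/1.0\r\n\r\n"),   # arrives first, out of order
    Segment(1000, b"GET /"),
    Segment(1005, b"index.html "),
    Segment(1005, b"robots.txt "),        # same range, different content
]
```

Running `reassemble(SAMPLE, ISN, pol)` for both policies yields two different request lines from the same packets, while `inconsistent_overlaps(SAMPLE)` reports the nine conflicting bytes regardless of which policy the target happens to use.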