topic Re: ids for linux in Operating System - Linux

ids for linux

Maaz — Sun, 26 Dec 2004 14:35:21 GMT

hi all,
is there any free ids for linux, other than snort ?

Regards
Maaz

Re: ids for linux

Ragu_3 — Sun, 26 Dec 2004 23:30:28 GMT

Check out labrea (http://labrea.sf.net/) and Prelude. There are many file integrity checking tools too.

Re: ids for linux

Oliver Schwank — Mon, 27 Dec 2004 04:02:30 GMT

Hello,

depends on what you want to operate your IDS to work on? Network?

http://www.snort.org/

Host? Perhaps samhain is a solution for you:
http://la-samhna.de/samhain/

Best wishes

Re: ids for linux

Ivajlo Yanakiev — Mon, 27 Dec 2004 04:07:27 GMT

you do not like snort ?

Re: ids for linux

Don_89 — Mon, 27 Dec 2004 17:15:39 GMT

Snort is the most popular and has really good support. If your having problems getting it installed, I have a kickscript script for installing ES 3.0 and a Bash script for installing all of the necessary packages. It took me 2 days to get it to work but I can get a new box with Snort,PHP, ACiD & MySQL backend up and running within 60 minutes or so. Doing all the steps by hand takes an easily 4+ hours. Let me know if your interested..

www.linuxtech.cc

Re: ids for linux

Ivajlo Yanakiev — Tue, 28 Dec 2004 03:52:17 GMT

Where I can get this scripts ?

Re: ids for linux

Maaz — Tue, 28 Dec 2004 14:10:24 GMT

Many Thanks Dear Ragu
Nice Help from Dear Oliver Schwank

I m eagerly looking forward for the script from Don

and Dear Ivajlo Yanakiev, i am working on snort, and want some other tool, also.

Nice help
Thanks to all

Regards
Maaz

Re: ids for linux

Don_89 — Tue, 28 Dec 2004 16:41:51 GMT

Ok,

Sorry for the late reply. I haven't ran the script in awhile and I just wanted to make sure it still works..

Goto my website and grab the two files listed in the directory.

www.linuxtech.cc/snort

The first file (snort.cfg) is a kickstart script for ES 3.0. It will probably work for 2.1 also but I haven't tried. You'll need to change a few things like the NFS server where you do your installs from. Also, the disk partitions are setup for 'sda' (VMware). If this was a HP box with a RAID controller, you would use 'cciss/c0d0' , if using IDE, then use 'hda'. This script isn't too critical, if you install from CD, just make sure NOT to install Apache, MySql or PHP. BTW, the root PW is -> payday

The second file (snort.tar.gz) is a tar of various packages needed for a complete Snort install with ACiD frontend and MySql backend. The install-script goes through all the setup steps which are descriped in this document. http://www.internetsecurityguru.com/documents/snort_acid_rhws3.pdf

Once the OS is up & running;

1) mkdir /root/snort
2) copy the snort.tar.gz file into /root/snort
3) tar zxvf snort.tar.gz
4) run ./install-script
(this takes about 20mins. depending on CPU power)
5) When the script completes, it will say "Snort up & running!"
6) Next you'll need to extend the Snort DB to support ACID, point yor broswer to the IDS box; http://snortip/acid and click the 'Setup' link. This will extended the DB.

7) Goto URL http://snortip/acid ; you should see the ACID frontend. Snort is offically running..

Let me know how things progress..

Re: ids for linux

Ivajlo Yanakiev — Wed, 29 Dec 2004 07:47:07 GMT

Hi don,
I can't install this now but I plane to do it.
tnks

Re: ids for linux

Ross Minkov — Wed, 29 Dec 2004 18:47:41 GMT

Here are some more links you might want to check:

Tripwire -- http://www.tripwire.org/

yafic -- Yet Another File Integrity Checker:
http://www.philosophysw.com/software/yafic/

integrit -- http://integrit.sourceforge.net/

AIDE (Advanced Intrusion Detection Environment) -- http://www.cs.tut.fi/%7Erammer/aide.html

HTH,
Ross

Re: ids for linux

Steven Coutts_1 — Sat, 01 Jan 2005 09:26:25 GMT

Personally I don't think you can go wrong with Snort.

I also use Sguil (sguil.sourceforge.net) for monitoring it.