
IDS 9000 Survey

Craig Rants
Honored Contributor

IDS 9000 Survey

I would like to hear from all of you who have or are using IDS 9000. I have installed it and done some minimal configuration on it. I then tested the templates like failed su's and failed logins, as well as running a DOS scan against the box. I was not impressed, especially compared to other IDS software I have used. I know it is new and free, so I can't complain, however, I just wanted to get opinions from others who have used it.

This is not a knock against the developers (especially the ones who monitor this forum!). I couldn't write the software so...


TIA,
Craig
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
Kurt Henning
Advisor

Re: IDS 9000 Survey

I'm still trying to get it running. After much mousing around, and patching, and back-revving Java, and poring through documentation, I've got it to a state where the agent will load, the GUI will run, and a surveillance schedule will download for the test host.

It won't start, though. It claims there is no agent available, even though I've confirmed its existence, brought it down, and back up, numerous times. I'm getting ready to give up on the thing. Free software is worth a little extra effort, but I've spent hours on the thing with little to show for it.

I'm not sure this thing is ready for prime-time. Too many hoops to jump through just to get it running, at least in my experience.
Rainer von Bongartz
Honored Contributor

Re: IDS 9000 Survey

Craig,

I just noticed that version 2.0 of IDS/9000 was released. We should give this a try, as I agree with Kurt that 1.0 was quite a mess!

Regards
Rainer
He's a real UNIX Man, sitting in his UNIX LAN making all his UNIX plans for nobody ...
John Horn
Occasional Contributor

Re: IDS 9000 Survey

In our evaluation of the IDS/9000 product we have been very happy with the results.

We are primarily testing the product with realtime "Tripwire" functionality (file create/delete/mod, SUID) with no system degradation. We are also trying out the failed login, "su" to special accounts, and log file editing. The file modification template does require some initial tuning, but the time spent is worth the protection provided.

Realistically, if a system would be penetrated or if a user took hostile action against the company/system, the "Modification of files/dirs" and watching for interactive root logins would catch the condition.

If a questionable condition occurs, IDS emails a sys. admin with the alert. If a downright dangerous situation occurs (a SUID root executable file is created, etc...), sys admins are paged. This response script and other programs were very easy to set up.

Stay away from the "Race Condition" and "Buffer Overflow" templates as they have a high system overhead.

Version 2.0 is primarily a documentation & GUI improvement and is worth looking in to.
Kevin Moore_2
Occasional Advisor

Re: IDS 9000 Survey

I'm having exactly the same problem as Kurt described above. This appears like there is a bug in version 1.0. I am currently downloading version 2.0, so hopefully that should rectify the problem. I am definitely looking forward to getting it working, as I have heard some interesting things about it. I will post a further update when (hopefully) I get it running.

Kevin
Never put something off, for it may be your last chance
Frank H. Quinteros
New Member

Re: IDS 9000 Survey

Craig,
I configured the IDS v1 admin on a K box and the agent on an N and another K box.
It was a struggle to install, but one day I saw the GUI... monitored the N server but could not get the K to work. I guess altogether I was disappointed that v1 was not configuration-friendly, although the documentation was pretty complete.
I will look for v2 and implement it on the same set of servers. If I do not get "my efforts' worth" I will probably go "Tripwire" or else.
Anyone know whether the new CDs include v2 in them, or else a link?
they are out there...
Ron Freund
Occasional Advisor

Re: IDS 9000 Survey

Hi Frank:
By all means, give Version 2.0 a try. And yes, the December 2001 AR CDs and the OEUR CDs in January 2002 have the new release V2.0 bits included. OEUR is Op. Environ. Update Release.
The new release requires Java 1.3 and, as before, 11.0 needs kernel patching, but 11.11 doesn't. Release notes have good instructions for installation and are on docs.hp.com/hpux/internet, while the product itself is free from www.hp.com (drill down or search for J5083AA).
Kind Regards,
Ron Freund
WTEC Cupertino
Steven Sim Kok Leong
Honored Contributor

Re: IDS 9000 Survey

Hi,

One of my colleagues faced problems with the IDS/9000 2.0 installation and, from his response, it doesn't seem to be a mature enough product for deployment on mission-critical servers.

Problem:

idscor is getting killed. When idsagent is restarted, it dies after about 5 minutes.

Only a workaround is available now; the solution is available only in February:

I have the solution to your error. This is a known issue in the lab and they are coming out with an official patch in February. I would like to know if you want to be included in the testing of this patch.

If you are not comfortable with the test, there is a workaround to this problem:

Workaround: comment out all lines which say

DSP_TAG KERN
DSP_FILTER SETSCALL on 366 1 # lstat64
DSP_TAG KERN
DSP_FILTER SETSCALL on 369 1 # stat64

in /etc/opt/ids/ids.cf

Hope this helps. Regards.

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com
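The ids.cf edit from the workaround above, as an added example that is not part of the thread and not HP's own tooling. It assumes the two-line DSP_TAG KERN / DSP_FILTER SETSCALL pairing exactly as posted, and that only the lstat64 (366) and stat64 (369) pairs should be disabled, so a DSP_TAG KERN line that precedes some other filter is left alone. The sample ids.cf fragment is constructed here for the demonstration; the third filter (syscall 17) is a hypothetical placeholder standing in for whatever other SETSCALL entries a real file contains, and must survive the edit untouched.

```sh
#!/bin/sh
# Added example (not from the thread, not HP code): apply the posted ids.cf
# workaround by commenting out the DSP_FILTER SETSCALL entries for syscalls
# 366 (lstat64) and 369 (stat64) together with the DSP_TAG KERN line that
# immediately precedes each of them, leaving every other line as-is.
# Assumption: the DSP_TAG / DSP_FILTER two-line pairing shown in the post.

# comment_out_stat_filters <in-file> <out-file>
comment_out_stat_filters() {
    awk '
        # Hold a DSP_TAG KERN line back until we know which filter follows it.
        /^[ \t]*DSP_TAG[ \t]+KERN[ \t]*$/ {
            if (held != "") print held   # previous tag had no target filter
            held = $0
            next
        }
        # Target filter: comment out the held tag (if any) and the filter.
        /^[ \t]*DSP_FILTER[ \t]+SETSCALL[ \t]+on[ \t]+(366|369)[ \t]/ {
            if (held != "") { print "#" held; held = "" }
            print "#" $0
            next
        }
        # Any other line: flush the held tag unchanged, then the line itself.
        {
            if (held != "") { print held; held = "" }
            print
        }
        END { if (held != "") print held }
    ' "$1" > "$2"
}

# Constructed sample fragment of ids.cf (not a real file from any system).
# Syscall 17 is a hypothetical placeholder for an entry that must stay enabled.
make_sample_cf() {
    cat > "$1" <<'EOF'
DSP_TAG KERN
DSP_FILTER SETSCALL on 366 1 # lstat64
DSP_TAG KERN
DSP_FILTER SETSCALL on 369 1 # stat64
DSP_TAG KERN
DSP_FILTER SETSCALL on 17 1 # other syscall (constructed, must stay active)
EOF
}

# Number of still-active (uncommented) stat64/lstat64 filters in a file.
count_active_stat_filters() {
    n=$(grep -Ec '^[[:space:]]*DSP_FILTER[[:space:]]+SETSCALL[[:space:]]+on[[:space:]]+(366|369)[[:space:]]' "$1") || n=0
    echo "$n"
}

main() {
    tmp=${TMPDIR:-/tmp}/ids_cf_example.$$
    make_sample_cf "$tmp.orig"
    comment_out_stat_filters "$tmp.orig" "$tmp.new"
    echo "active stat64/lstat64 filters before: $(count_active_stat_filters "$tmp.orig")"
    echo "active stat64/lstat64 filters after:  $(count_active_stat_filters "$tmp.new")"
    diff "$tmp.orig" "$tmp.new" || true
    rm -f "$tmp.orig" "$tmp.new"
}

main "$@"
```

On a real host you would run comment_out_stat_filters against a copy of /etc/opt/ids/ids.cf, inspect the diff, back up the original, and only then swap the edited file in and restart the agent; the count function gives a quick before/after check that exactly the two filters from the post were disabled.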