
| Subject: | Re: snort tamandua or prelude ids |
|---|---|
| Date: | Sat, 07 Aug 2004 00:44:48 +0200 |
Lee Sheng wrote:
Then, about the Prelude IDS: Prelude IDS seems very complicated and I am still not sure where to start. Does anyone have any ideas? I am still thinking about which IDS to deploy for the company: Snort, Tamandua or Prelude? Prelude seems more in-depth on tracking what an attacker tries to do, with HIDS as well. I have one and a half years of experience with Snort (not in transparent mode, of course). If I want to save time I will surely choose Snort; however, I would like to hear from you all. Thanks again.
I know snort and I know Prelude. I do not know tamandua. So,
on to the differences between snort and prelude:
Prelude is more designed as a complete IDS framework with many
different sensors. So on the first view it may seem a little
bit more complicated. But in the end I think it is not.
1. You can set up a prelude nids sensor on its own
(just using libprelude and prelude-nids). This is
very close to standalone snort (prelude-nids even
uses snort rulesets).
2. You can set up one (or more) network-sensors logging
to a central prelude-manager (which usually stores
the alerts in an SQL database (postgres, mysql)).
This does not seem to differ very much from using
Snort with ACID. The perl frontend of Prelude (called
piwi) works fine though other, more advanced frontends
seem to be in development. I am not too sure, it may
be that ACID is a more enhanced frontend.
3. Using prelude you can add a few more different types
of sensors, which can be a real advance, e.g. prelude-lml
(host-based sensor checking syslog files) or libsafe.
You can even use a patched version of snort as a
replacement for prelude-nids.
We have been running Prelude with lots of network sensors
distributed across the world (they log in an encrypted and
authenticated way to our manager), getting millions of
alerts without any remarkable downtime in the last
10 months. I found this quite amazing (but I guess this
holds true for a Snort environment, too).
What I really like using prelude is that the sensor
and manager stuff is all based on one library that
provides the functions for logging (using local
unix sockets for local communication and SSL for
remote communication automatically). That way it
is quite easy to use whatever security monitoring
tool and make it a sensor for prelude (e.g. we are
logging argus netflow data to the prelude manager).
So the advantages of prelude may somehow be more in
the area of the underlying concepts than in the actual
plain usage.
Just my 2 cents, cheers,
Olaf
--
Dipl.Inform. Olaf Gellert, Consultant
PRESECURE (R) Consulting GmbH
Phone: (+49) 0700 / PRESECURE
og@pre-secure.de
A daily view on Internet Attacks
https://www.ecsirt.net/sensornet
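Point 3 of the reply above mentions prelude-lml, a host-based sensor that checks syslog files. As an added illustration (written for this page; it is not Prelude's code, not Olaf's, and does not use libprelude), here is a small stand-in in Python that does what such a log-monitor sensor does at its core: parse syslog lines, match the message part against regex rules, correlate repeated hits from the same source within a time window, and emit alerts shaped roughly like IDMEF records (classification, analyzer, source, target, time). The sample log lines, rule names, thresholds and the assumed year are all constructed for the example; shipping the resulting alert records to a manager (over a local unix socket or SSL, as the reply describes) is left to a transport layer that is not shown.

```python
"""Minimal log-monitor sensor in the spirit of prelude-lml.

Illustrative stand-in, not Prelude's or libprelude's code: scan syslog
lines with regex rules, correlate repeated failures per source within a
window, and emit IDMEF-like alert dicts that a manager could store.
"""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines (not captured data).
SAMPLE_SYSLOG = """\
Aug  7 00:40:01 web1 sshd[2312]: Failed password for root from 203.0.113.5 port 51234 ssh2
Aug  7 00:40:03 web1 sshd[2313]: Failed password for root from 203.0.113.5 port 51235 ssh2
Aug  7 00:40:04 web1 sshd[2314]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Aug  7 00:40:09 web1 sshd[2320]: Accepted publickey for deploy from 198.51.100.7 port 40100 ssh2
Aug  7 00:41:30 web1 su[2400]: FAILED SU (to root) olaf on /dev/pts/1
Aug  7 00:42:00 web1 cron[2401]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Classic BSD syslog layout: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Each rule: name, regex over the message part, severity, and how many
# hits from the same source within WINDOW are needed before it alerts.
RULES = [
    ("SSH brute-force",
     re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"),
     "high", 3),
    ("Failed su to root",
     re.compile(r"FAILED SU \(to root\) (?P<user>\S+)"),
     "medium", 1),
]
WINDOW = timedelta(seconds=60)
YEAR = 2004  # syslog lines carry no year; assumed for the sample


def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{YEAR} {ev['ts']}", "%Y %b %d %H:%M:%S")
    return ev


def analyse(text):
    """Run every rule over every line and return the list of alerts raised."""
    hits = defaultdict(deque)  # (rule name, source) -> timestamps inside WINDOW
    alerts = []
    for raw in text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # unparseable line: skip rather than crash the sensor
        for name, rx, severity, threshold in RULES:
            m = rx.search(ev["msg"])
            if not m:
                continue
            # Network source if the message names one, else the host itself.
            src = m.groupdict().get("src", ev["host"])
            q = hits[(name, src)]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:
                q.popleft()  # drop hits that fell out of the window
            if len(q) == threshold:  # fire once when the threshold is reached
                alerts.append({
                    "classification": name,
                    "severity": severity,
                    "analyzer": "lml-demo",  # hypothetical analyzer name
                    "create_time": ev["ts"].isoformat(),
                    "source": src,
                    "target": ev["host"],
                    "target_user": m.groupdict().get("user"),
                    "count": len(q),
                    "raw": raw,
                })
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_SYSLOG):
        print(json.dumps(alert))
```

On the sample input the sensor raises two alerts: one "SSH brute-force" once the third failed login from 203.0.113.5 lands inside the 60-second window, and one "Failed su to root" on the first matching line. The successful publickey login and the cron entry match no rule and are dropped, which is the usual trade-off of a rule-based log sensor: anything not covered by a rule is invisible, so the rule set deserves the same care as a NIDS ruleset.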