Lee Sheng wrote:
> Then about
> the Prelude IDS: Prelude IDS seems very complicated and I'm still not sure
> where to start. Does anyone have any ideas? Right now I'm still in the process of
> thinking about which IDS to deploy for the company. Snort, Tamandua or Prelude?
> Prelude seems more in depth on tracking what attackers try to do, with
> HIDS as well. I've one and a half years' experience with Snort (not in
> transparent mode, of course). If I wanted to save my time, sure, I would
> choose Snort, however I would like to hear from you all. Thanks again.
I know Snort and I know Prelude. I do not know Tamandua. So,
on to the differences between Snort and Prelude:
Prelude is designed more as a complete IDS framework with many
different sensors. So at first sight it may seem a little
bit more complicated. But in the end I think it is not.
1. You can set up a Prelude NIDS sensor on its own
   (just using libprelude and prelude-nids). This is
   very close to standalone Snort (prelude-nids even
   uses Snort rulesets).
2. You can set up one (or more) network sensors logging
   to a central prelude-manager (which usually stores
   the alerts in an SQL database (PostgreSQL, MySQL)).
   This does not seem to differ very much from using
   Snort with ACID. The Perl frontend of Prelude (called
   piwi) works fine, though other, more advanced frontends
   seem to be in development. I am not too sure; it may
   be that ACID is a more enhanced frontend.
3. Using Prelude you can add a few more different types
   of sensors, which can be a real advance, e.g. prelude-lml
   (host-based sensor checking syslog files) or libsafe.
   You can even use a patched version of Snort as a
   replacement for prelude-nids.
We have been running Prelude with lots of network sensors
distributed across the world (they log in an encrypted and
authenticated way to our manager), getting millions of
alerts without any remarkable downtime in the last
10 months. I found this quite amazing (but I guess this
holds true for a Snort environment, too).
What I really like about using Prelude is that the sensor
and manager stuff is all based on one library that
provides the functions for logging (using local
Unix sockets for local communication and SSL for
remote communication, automatically). That way it
is quite easy to take whatever security monitoring
tool and make it a sensor for Prelude (e.g. we are
logging Argus netflow data to the Prelude manager).
So the advantages of Prelude may somehow be more in
the area of the underlying concepts than in the actual
plain usage.
Just my 2 cents, cheers,
Olaf
--
Dipl.Inform. Olaf Gellert, Consultant
PRESECURE (R) Consulting GmbH
Phone: (+49) 0700 / PRESECURE
og_at_pre-secure.de
A daily view on Internet Attacks
https://www.ecsirt.net/sensornet
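As an added illustration of the host-based sensor role Olaf describes for prelude-lml (watch syslog, match rules, emit alerts towards a manager), here is a small stand-alone Python sensor. It is not code from Prelude or from the original mail and it does not use libprelude: the rule set, the "toy-lml" analyzer name, the IDMEF-like alert dict layout, the brute-force threshold/window and the syslog sample lines are all constructed for this example. What it adds beyond the prose is the shape of the pipeline a real log sensor runs: parse, classify, and a bit of local correlation (N failed logins from one address inside a time window become one high-severity alert) before anything is shipped to the manager.

```python
"""Toy host-based log sensor, in the spirit of what prelude-lml does:
read syslog lines, match them against rules, emit IDMEF-shaped alerts,
and do a little local correlation before a manager would see them.
Example code written for this page; it does not use libprelude."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not real logs): three SSH failures
# from one address, one accepted key login, one sudo, one cron noise line.
SAMPLE_LOG = """\
Aug  9 10:01:02 web1 sshd[2314]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Aug  9 10:01:05 web1 sshd[2315]: Failed password for root from 192.0.2.10 port 51240 ssh2
Aug  9 10:01:09 web1 sshd[2316]: Failed password for root from 192.0.2.10 port 51244 ssh2
Aug  9 10:02:00 web1 sshd[2320]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Aug  9 10:03:11 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash
Aug  9 10:04:00 web1 cron[400]: (root) CMD (run-parts /etc/cron.hourly)
"""

# BSD syslog: "Mon dd HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Rules (assumed, written for this example): regex over the message part
# plus an IDMEF-style classification and severity. Named groups
# src_addr / src_user / target_user are copied into the alert.
RULES = [
    ("SSH failed password", "medium",
     re.compile(r"Failed password for (?:invalid user )?(?P<target_user>\S+) "
                r"from (?P<src_addr>\S+) port \d+")),
    ("SSH login accepted", "low",
     re.compile(r"Accepted \S+ for (?P<target_user>\S+) from (?P<src_addr>\S+) port \d+")),
    ("Privilege escalation via sudo", "low",
     re.compile(r"^\s*(?P<src_user>\S+) : .*USER=(?P<target_user>\S+) ; COMMAND=")),
]

BRUTE_FORCE_THRESHOLD = 3                    # failures from one address ...
BRUTE_FORCE_WINDOW = timedelta(seconds=60)   # ... inside this window
LOG_YEAR = 2004                              # BSD syslog carries no year; assumed


def parse_syslog(line):
    """Split one BSD-syslog line into fields; None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return {"time": ts, "host": m.group("host"), "prog": m.group("prog"),
            "msg": m.group("msg"), "raw": line}


def make_alert(event, classification, severity, fields):
    """Shape an alert roughly like an IDMEF Alert (analyzer/source/target)."""
    return {
        "classification": classification,
        "severity": severity,
        "detect_time": event["time"].isoformat(),
        "analyzer": {"name": "toy-lml", "node": event["host"]},
        "source": {"address": fields.get("src_addr"), "user": fields.get("src_user")},
        "target": {"node": event["host"], "user": fields.get("target_user")},
        "raw": event["raw"],
    }


def run_sensor(log_text):
    """Run every line through the rules; return the list of alerts in order."""
    alerts = []
    failures = defaultdict(list)          # src_addr -> recent failure times
    for line in log_text.splitlines():
        ev = parse_syslog(line)
        if ev is None:
            continue                      # unparseable line: skip, never crash
        for classification, severity, rx in RULES:
            m = rx.search(ev["msg"])
            if not m:
                continue
            alerts.append(make_alert(ev, classification, severity, m.groupdict()))
            if classification != "SSH failed password":
                continue
            # Local correlation: N failures from one address inside the window.
            src = m.group("src_addr")
            recent = [t for t in failures[src] if ev["time"] - t <= BRUTE_FORCE_WINDOW]
            recent.append(ev["time"])
            failures[src] = recent
            if len(recent) >= BRUTE_FORCE_THRESHOLD:
                alerts.append(make_alert(ev, "SSH brute force", "high",
                                         {"src_addr": src, "target_user": m.group("target_user")}))
                failures[src] = []        # reset so each burst alerts once
    return alerts


if __name__ == "__main__":
    # A real sensor would hand each alert to the manager here (libprelude in
    # Prelude's case); this example just prints them.
    for a in run_sensor(SAMPLE_LOG):
        print(f'{a["detect_time"]} {a["severity"]:6} {a["classification"]} '
              f'src={a["source"]["address"]} user={a["target"]["user"]}')
```

On the sample input this yields six alerts: the three failures, one brute-force alert fired on the third failure from 192.0.2.10, the accepted login and the sudo. The correlation step is the part worth copying: a manager that receives millions of alerts is much easier to work with when the sensor has already folded a burst into one event.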
Received on Aug 09 2004