10

Start-ups and organizations with limited budgets that are security conscious are often encouraged to deploy intrusion detection stacks. Given that prevention will always fail, intrusion detection stacks are often vital to learn why defenses failed.

I am a fan of the following intrusion stack covering the app layer, system layer, and network layer:

system: OSSEC
application: ModSecurity
network: FlowMatrix (i cheated, this one is not FOSS, but it's free!)

What are your favorite intrusion (FOSS or free) stacks?

Scott Pack
  • 15,297
  • 6
  • 63
  • 91
Tate Hansen
  • 13,804
  • 3
  • 42
  • 84
  • ModSecurity is more of a WAF (web application firewall) than IDS (though of course you can set it to log instead of block...) Not familiar with the other ones. – AviD Nov 16 '10 at 06:02
  • I disagree: most of the installations I've seen ModSec deployed it is used to enhance visibility (i.e. logging & intrusion detection). I use it the same way. Ivan Ristiæ (original author of ModSecurity https://www.feistyduck.com/books/modsecurity-handbook/index.html) actually says in his book: “Other times I will call it an HTTP intrusion detection tool, because I think that name better describes what ModSecurity does.” – Tate Hansen Nov 17 '10 at 03:55

3 Answers3

5

Snort is an excellent IDS with a long track record. I have deployed slightly over a dozen sensors at my organization, and am continually adding more to the mix. Snort's biggest downfall is the fact that current versions are single-threaded, though that will be changing with the upcoming version 3 release. Combined with the Emerging Threats rules, I have been extremely impressed with the product.

The full platform consists of:

  • Snort
  • Puppet (for system management and rule dissimination)
  • Oinkmaster (for rule updates and management)
  • Cobbler (for provisioning)
  • RedHat

All logging is aggregated using RSA enVision, though Splunk should it handle it fine.

Scott Pack
  • 15,297
  • 6
  • 63
  • 91
5
atdre
  • 19,072
  • 6
  • 61
  • 108
  • 1
    Argus is a great tool. We use it all the time as a supplementary data source for forensics examinations and incident handling. – Scott Pack Dec 08 '10 at 01:39
2

The Bro IDS http://www.bro-ids.org/ which has been funded by the National Science Foundation's Strategic Technologies for the Internet program, DOE, DEC, and other research groups. It has it's own event-driven system and can also import Snort rules for added signature based detection.

Weber
  • 1,016
  • 1
  • 6
  • 10