[RESOLVED] ossec vs snort for Jail monitoring

Hello everyone,

I'm trying to decide which Intrusion Detection System to use. From what I can see the most popular are ossec and snort. I want to monitor my FreeBSD host and all the jails that live in it. Which of the two is easier to set up and live with in day-to-day tasks?

Thank you.
 
Re: ossec vs snort for Jail monitoring

ossec and snort are two different kinds of intrusion detection systems.

ossec is a host-based IDS (analysing logs and monitoring files) and snort is a network-based IDS (analysing packets).

So use both in conjunction, ossec on your jail host and snort between attacker and host (firewall -> pfSense, mirror port of your switch, tapping between host and switch).
 
Re: ossec vs snort for Jail monitoring

Nukama said:
ossec and snort are two different kinds of intrusion detection systems.

ossec is a host-based IDS (analysing logs and monitoring files) and snort is a network-based IDS (analysing packets).

So use both in conjunction, ossec on your jail host and snort between attacker and host (firewall -> pfSense, mirror port of your switch, tapping between host and switch).

Thank you for your reply :)
 
Re: ossec vs snort for Jail monitoring

ossec

As a security professional, I say you get lots more value out of ossec.

Tuning snort will not be easy unless you have a lot of time on your hands or you have a smart admin handy. Also snort will only catch the things it has signatures for, so there will be quite a few important things it will not catch. The internet has a lot of 'noise', so any public website will be blasted with PHP attacks from foreign IPs on a daily basis no matter what. This will all show up on snort and be a drain on your sensor system.

Actually, I'd recommend using Security Onion for running distributed snort sensors.

Now, back to the point I was making: ossec

In any organisation, there has to be a way to control change. A stranger could be accessing one of your jails now and be modifying files. How would you know? How would 90% of businesses/enterprises/whoever know? Most don't have a way to track that. Most don't even think about it. Using ossec will give you the answer. Aggregating the ossec information will give you that info in one centralized place.
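An added example (not from any poster in this thread) of the ossec side the answer describes: an agent-mode ossec.conf fragment on the FreeBSD jail host that runs syscheck over the host and the jails' filesystems and forwards host and jail logs to a central manager. The jail root /usr/jails, the jail names www and db, and the manager address 192.0.2.10 are assumptions; adjust them to your layout.

```xml
<ossec_config>
  <!-- Agent mode: forward alerts to the central ossec manager.
       192.0.2.10 is an assumed documentation address, not a real manager. -->
  <client>
    <server-ip>192.0.2.10</server-ip>
  </client>

  <syscheck>
    <!-- Full integrity scan every 6 hours (seconds) -->
    <frequency>21600</frequency>

    <!-- Host's own system and boot files -->
    <directories check_all="yes">/etc,/bin,/sbin,/usr/bin,/usr/sbin,/boot</directories>

    <!-- Jails are plain directories from the host's point of view,
         so one agent on the host sees every jail's files.
         Assumed layout: /usr/jails/<jailname>/... -->
    <directories check_all="yes">/usr/jails/www/etc,/usr/jails/www/usr/local/etc</directories>
    <directories check_all="yes">/usr/jails/www/usr/local/www</directories>
    <directories check_all="yes">/usr/jails/db/etc,/usr/jails/db/usr/local/etc</directories>

    <!-- Files that change legitimately and would only generate noise -->
    <ignore>/etc/motd</ignore>
    <ignore type="sregex">^/usr/jails/.*/var/run</ignore>
    <ignore type="sregex">^/usr/jails/.*/var/log</ignore>
  </syscheck>

  <!-- Host auth log (sshd, sudo, su) -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <!-- Jail logs read from the host side; paths assume the layout above -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/usr/jails/www/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/usr/jails/www/var/log/httpd-access.log</location>
  </localfile>
</ossec_config>
```

A file added, changed or deleted inside a jail then surfaces as a syscheck alert on the manager, which is the "one centralized place" the answer refers to.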
 