IDS world has changed a lot in the last decade

Its been a while since I last played with snort and even longer since I touched tripwire which was at one point the most popular host based intrusion detection tool out there. A lot has changed since then.

From a quick glance at the various tools I found below, its clear that just alerting based on signatures isn’t enough. This is not surprising since I can see how lot of false positives can lead to a configuration which could produce false negatives. Whats needed is a set of tools which can help investigate false positives quickly using visual notification or automated secondary scripts which could pull data from various sources to put a confidence number on each alert.

  • Security onion – Security Onion is a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). It’s based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Squert, Snorby, Bro, NetworkMiner, Xplico, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!
  • Suricata – The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine
  • Sguil – Sguil’s main component is an intuitive GUI that provides access to realtime events, session data, and raw packet captures.
  • Squert – Squert is a web application that is used to query and view event data stored in a Sguil database (typically IDS alert data).
  • Snorby – Snorby is a ruby on rails web application for network security monitoring that interfaces with current popular intrusion detection systems (Snort, Suricata and Sagan).
  • NetworkMiner – NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows that can detect the OS, hostname and open ports of network hosts through packet sniffing or by parsing a PCAP file. NetworkMiner can also extract transmitted files from network traff
  • Xplico – The goal of Xplico is extract from an internet traffic capture the applications data contained.
  • Configuring Security Onion – A SANS paper which goes into the process of setting up Security onion.