RE: shadow IDS
I am currently running SHADOW + some customizations on OpenBSD 2.9. It
works very well, as most of the supplemental tools are included with the
base distribution. Those that aren't included have ports available (with
the exception of SHADOW itself).
I don't know if there's much point in creating a port, as SHADOW is
basically a collection of Perl scripts, and much of its value comes from
the localization / customization. I would consider doing one if there's
enough demand, though.
SHADOW does an excellent job of network-layer anomaly detection and
forensics, but requires a lot of time up front setting everything up and
building filters. It isn't good at detecting application layer attacks,
though. You might also want to take a look at snort
(http://www.snort.org) which is good at detecting application layer
attacks, and does have a port (but isn't as good at anomaly detection or
forensics). I plan on using both Snort and SHADOW together, for the best
of both worlds.
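The two styles of detection contrasted above, as an added example that is not SHADOW's or Snort's own code: constructed packet summaries are run through header-only filters of the kind a SHADOW-style setup is built from (the network-layer side), and through one payload pattern check of the kind the post credits to Snort (the application-layer side). The internal prefix, the sweep threshold and the packet records are assumptions made for the example.

```python
# Added example, not code from SHADOW or Snort. Emulates header-filter
# detection over one capture period, then a payload signature check.
from collections import Counter

INTERNAL_NET = "10.0.0."   # assumption: the monitored site's internal prefix

# Constructed packet summaries: (src, dst, proto, dport, tcp_flags, payload)
PACKETS = [
    ("10.0.0.5",     "192.0.2.10", "tcp", 80, "S",  b""),
    ("192.0.2.10",   "10.0.0.5",   "tcp", 80, "SA", b""),
    ("198.51.100.7", "10.0.0.5",   "tcp", 21, "S",  b""),
    ("198.51.100.7", "10.0.0.5",   "tcp", 22, "S",  b""),
    ("198.51.100.7", "10.0.0.5",   "tcp", 23, "S",  b""),
    ("198.51.100.7", "10.0.0.5",   "tcp", 25, "S",  b""),
    ("203.0.113.9",  "10.0.0.8",   "tcp", 80, "SF", b""),
    ("203.0.113.9",  "10.0.0.8",   "tcp", 80, "PA",
     b"GET /../../etc/passwd HTTP/1.0\r\n"),
]

def is_external(ip):
    return not ip.startswith(INTERNAL_NET)

# Header-only filters, the rough equivalent of tcpdump expressions; each
# looks at addresses, protocol and flags only, never at payload bytes.
HEADER_FILTERS = {
    "inbound SYN": lambda p: (p[2] == "tcp" and p[4] == "S"
                              and is_external(p[0]) and not is_external(p[1])),
    "SYN+FIN set": lambda p: p[2] == "tcp" and "S" in p[4] and "F" in p[4],
}

def header_report(packets, sweep_threshold=4):
    """Count filter hits per source and flag sources whose inbound SYNs
    touched at least sweep_threshold distinct ports (a port sweep)."""
    hits = {name: Counter() for name in HEADER_FILTERS}
    ports_seen = {}
    for p in packets:
        for name, match in HEADER_FILTERS.items():
            if match(p):
                hits[name][p[0]] += 1
                if name == "inbound SYN":
                    ports_seen.setdefault(p[0], set()).add(p[3])
    sweeps = sorted(src for src, ps in ports_seen.items()
                    if len(ps) >= sweep_threshold)
    return hits, sweeps

def payload_alerts(packets, patterns=(b"/../",)):
    """Application-layer check: a pattern the header filters cannot see."""
    return [(p[0], pat) for p in packets for pat in patterns if pat in p[5]]
```

The directory-traversal request from 203.0.113.9 produces no header-filter hit at all; only the payload check catches it, which is the gap the post describes.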
-----Original Message-----
From: schmeits.roger@webmail.clarksoncollege.edu
[mailto:schmeits.roger@webmail.clarksoncollege.edu]
Sent: Monday, August 20, 2001 10:28 AM
To: ports@openbsd.org
Subject: shadow IDS
Is there a port for Shadow IDS from http://www.nswc.navy.mil/ISSEC/CID?
Does anyone have any past/present exposure to this package?