Koozali.org: home of the SME Server

Intrusion Detection

John Quirk

Intrusion Detection
« on: November 02, 2001, 02:37:53 AM »
I feel this is one feature that is really missing from e-smith; I'm currently using 4.1.2.

Something like Snort looks like a good solution.

I haven't looked at 5.0, but from the manual it looks like it still does not have good log file tools.

Luke Drumm

Re: Intrusion Detection
« Reply #1 on: November 05, 2001, 02:07:47 AM »
Hi,

Just the odd two cents worth....

While I'd love to have Snort as an easily installable blade, I think it's very much a double-edged sword to have as a standard install.

IDS is only one part of producing a secure system. It also requires a fair amount of knowledge, full time monitoring and an intelligent preset of response procedures.

Without these you tend to wind up with Users doing one or more of the following:
 - Getting alarmed over false positives
 - Ignoring the log/message data altogether
 - Never updating the snort configs for newer attack types
 - Not knowing what to do when a true attack does happen

It's like installing a home alarm system without knowing anything about locking up, alarm codes or emergency telephone numbers.

IDS only makes sense when you've got the resources to deal with it.

Regards,
Luke