I endorse this thread.
thanks a lot man
You have done a huge effort; you are very nice.
You are an absolute genius of security.
Thanks so much.
Can I install both without creating any conflict?
If I install both, do they need a lot of CPU resources?
Security Focus ~ An Introduction to Intrusion Detection Systems
Yes you can run them together. "lot of CPU" is subjective and means different things to different people. In general snort and ossec do not slow down your web server and if they do, IMO, your server is probably underpowered.
Code-based Intrusion Detection for Linux by Ohad Ben-Cohen and Avishai Wool:
Just a newbie question:
Does that info have any use for the desktop version of Ubuntu?
I do have ufw enabled and ports closed, but I want to monitor internet connections and other things. Can I use snort and the other thing for that?
Sorry, I know I do look like an incompetent person now, but... I really am)))
Thanks very much for this post
You are asking the right questions, but you will get a range of answers depending on who you ask.
Rather than turn this thread into a meandering debate re: firewalls and security, I would prefer to keep it on topic, i.e. intrusion detection.
My best advice is that you start by asking yourself what it is you are trying to accomplish and determine your own level of "paranoia". Next read through some of the links I provided and determine the right tool for the job.
ossec == HIDS
snort == NIDS
As most people come from a Windows background, HIDS systems are the most familiar. These are tools to monitor your host (desktop) for changes in system files. For example, on Windows one scans for viruses or other malware (adblock software is often HIDS).
You are asking about NIDS, i.e. monitoring network traffic. Snort captures or monitors all network activity (packets) going to and coming from your desktop (or server). You will likely receive several thousand packets in short order; Snort filters through these thousands of packets by checking each packet against a set of "rules" and logs suspicious activity to a database (mysql). You then use BASE to generate a "report" you can view in any web browser. From there you will need to research any "alerts". How you manage alerts is also a matter of style.
There are other tools for each of these tasks, including wireshark (which will keep the contents of all packets, not just alerts), barnyard (as an alternative to mysql), etc.
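To make the "check each packet against a set of rules, log what matches" idea concrete, here is a toy signature-based NIDS written for this thread. It is an added illustration, not Snort's code and not a Snort rule file: the Packet and Rule classes, the two rules, and the sample packets are all constructed for the example, and the rule fields (protocol, destination port, content pattern, nocase) are only loosely modelled on the fields a Snort rule has. It shows the matching loop and the alert records that a real IDS would hand to a database for a front end like BASE to report on.

```python
"""Toy signature-based NIDS (added example; not Snort, not OSSEC)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    """Minimal view of a captured packet: just the fields the rules inspect."""
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    """A signature, loosely modelled on Snort rule fields (constructed for this example)."""
    sid: int                  # signature id, as in Snort's sid:
    msg: str                  # human-readable alert message
    proto: str                # protocol the rule applies to
    dport: Optional[int]      # destination port, or None for "any"
    content: Optional[bytes]  # byte pattern that must appear in the payload, or None
    nocase: bool = False      # case-insensitive content match

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.content is not None:
            hay, needle = pkt.payload, self.content
            if self.nocase:
                hay, needle = hay.lower(), needle.lower()
            if needle not in hay:
                return False
        return True


# Constructed rule set: one content rule, one port-only rule.
RULES: List[Rule] = [
    Rule(1000001, "WEB directory traversal attempt in URI", "tcp", 80, b"../..", nocase=True),
    Rule(1000002, "TELNET connection to this host", "tcp", 23, None),
]

# Constructed sample traffic (addresses from documentation ranges).
SAMPLE_PACKETS: List[Packet] = [
    Packet("tcp", "198.51.100.7", 41234, "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("tcp", "198.51.100.7", 41235, "192.0.2.10", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("udp", "192.0.2.10", 53211, "192.0.2.1", 53, b"\x12\x34\x01\x00"),
    Packet("tcp", "203.0.113.9", 50000, "192.0.2.10", 23, b"\xff\xfb\x01"),
]


def inspect(packets: List[Packet], rules: List[Rule] = RULES) -> List[Dict]:
    """Run every packet past every rule; return one alert record per match.

    A real NIDS writes these records to its database (mysql in the thread);
    the front end (BASE) reads them back to build the report."""
    alerts: List[Dict] = []
    for pkt in packets:
        for rule in rules:
            if rule.matches(pkt):
                alerts.append({
                    "sid": rule.sid,
                    "msg": rule.msg,
                    "src": pkt.src,
                    "dst": pkt.dst,
                    "dport": pkt.dport,
                })
    return alerts


def report(alerts: List[Dict]) -> Counter:
    """Summarise alerts by message, the way a BASE-style report groups them."""
    return Counter(a["msg"] for a in alerts)


if __name__ == "__main__":
    found = inspect(SAMPLE_PACKETS)
    for a in found:
        print(f"[{a['sid']}] {a['msg']}  {a['src']} -> {a['dst']}:{a['dport']}")
    print(report(found))
```

Of the four sample packets, only the second (traversal string on port 80) and the fourth (anything to port 23) produce alerts; ordinary web and DNS traffic passes silently. That is the whole model: the volume of packets is large, the rule set decides what is worth a human's attention, and the reporting layer is where you go to research what fired.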
guide by djhedges and works great.
apt-get install snort-mysql