SNORT AND OSSEC FEATURES
SNORT:
Snort is an open source network intrusion prevention and detection system (IDS and IPS). Developed by the Sourcefire team, it combines the benefits of signature-, protocol- and anomaly-based inspection. It is a very powerful tool and especially useful for penetration testers and security researchers.
Snort can perform protocol analysis and content searching/matching. It can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. It uses a flexible rules language to describe the traffic it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user-specified file, a UNIX socket, or WinPopup messages to Windows clients. Snort has three primary uses: a straight packet sniffer like tcpdump, a packet logger (useful for network traffic debugging, etc.), or a full-blown network intrusion prevention system.
http://www.snort.org/
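To make the "flexible rules language" and content matching described above concrete, here is an added, deliberately simplified model of Snort's header-plus-options rule layout. It is not code from the Snort project: it supports only the msg, content, nocase and sid options, matches addresses and ports either exactly or as "any", and runs over constructed sample rules and packets.

```python
import re
# Rule header layout: action proto src_ip src_port direction dst_ip dst_port (options)
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(?:->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
# Options are key[:value]; pairs; a double-quoted value may itself contain ';'
OPTION_RE = re.compile(r'([a-z_]+)(?::\s*("[^"]*"|[^;]*))?\s*;')

def parse_rule(text):
    """Parse one rule in Snort's header+options layout (msg, content, nocase, sid only)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("malformed rule header: %r" % text)
    action, proto, sip, sport, dip, dport, opts = m.groups()
    rule = {"action": action, "proto": proto, "src_ip": sip, "src_port": sport,
            "dst_ip": dip, "dst_port": dport, "msg": "", "sid": 0, "contents": []}
    for key, val in OPTION_RE.findall(opts):
        val = val.strip().strip('"')
        if key == "msg":
            rule["msg"] = val
        elif key == "sid":
            rule["sid"] = int(val)
        elif key == "content":
            rule["contents"].append([val.encode(), False])  # [needle, nocase flag]
        elif key == "nocase" and rule["contents"]:
            rule["contents"][-1][1] = True  # nocase modifies the preceding content
    return rule

def matches(rule, pkt):
    """pkt: dict with proto, src_ip, src_port, dst_ip, dst_port and payload (bytes)."""
    if any(rule[k] not in ("any", str(pkt[k]))
           for k in ("proto", "src_ip", "src_port", "dst_ip", "dst_port")):
        return False
    # Every content option must appear in the payload (case-folded when nocase is set).
    return all((n.lower() if nc else n) in (pkt["payload"].lower() if nc else pkt["payload"])
               for n, nc in rule["contents"])

def run(rules, packets):
    """Return (sid, msg) for every packet that triggers an 'alert' rule."""
    return [(r["sid"], r["msg"]) for p in packets for r in rules
            if r["action"] == "alert" and matches(r, p)]
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> any 80 (msg:"CGI probe"; content:"/cgi-bin/"; nocase; sid:1000001;)',
    'alert tcp any any -> any 445 (msg:"SMB probe"; content:"SMB"; sid:1000002;)')]
def tcp(dst_port, payload):  # constructed sample packets, not real captures
    return {"proto": "tcp", "src_ip": "10.0.0.5", "src_port": 40000,
            "dst_ip": "10.0.0.1", "dst_port": dst_port, "payload": payload}
PACKETS = [tcp(80, b"GET /CGI-BIN/test.cgi HTTP/1.0\r\n"),
           tcp(80, b"GET /index.html HTTP/1.0\r\n"),
           tcp(445, b"\x00\x00\x00\x2f\xffSMBr\x00")]
```

Calling run(RULES, PACKETS) yields an alert for the first and third packets only; the second packet fails the content check, and a lowercase "smb" payload would fail rule 1000002 because it has no nocase.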
OSSEC:
OSSEC is an open source host-based intrusion detection system that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
Manager
The manager is the central piece of the OSSEC deployment. It stores the file integrity checking databases, the logs, events and system auditing entries. All the rules, decoders and major configuration options are stored centrally in the manager, making it easy to administer even a large number of agents.
Agents
The agent is a small program installed on the systems you want to monitor. It collects information in real time and forwards it to the manager for analysis and correlation. It has a very small memory and CPU footprint by default and does not interfere with the system's normal use.
Agent security
The agent runs as a low-privilege user (created during the installation) and inside a chroot jail isolated from the rest of the system. Most of the agent configuration is pushed from the manager; only a few options are stored locally on each agent. If these local options are changed, the manager receives the information and generates an alert.
Agentless
For systems on which you can't install an agent, OSSEC allows you to perform file integrity monitoring without the agent installed. This can be very useful for monitoring firewalls, routers and even Unix systems where you are not allowed to install the agent.
Virtualization/VMware
OSSEC allows you to install the agent on the guest operating systems or inside the host (VMware ESX). With the agent installed inside the VMware ESX host you can get alerts when a VM guest is being installed, removed, started, etc. It also monitors logins, logouts and errors inside the ESX server. In addition, OSSEC performs the CIS checks for VMware, alerting if any insecure configuration option is enabled or any other issue is found.
Firewalls, switches and routers
OSSEC can receive and analyze syslog events from a large variety of firewalls, switches and routers. It supports all Cisco routers, Cisco PIX, Cisco FWSM, Cisco ASA, Juniper routers, Netscreen firewalls, Checkpoint and many others.
Great Post! Thanks.
Title is misleading!
Where is the comparison? Copy-paste text from products' websites and you'll get a useless article like this one.
Good Job dumb-ass! (Y)