Wayne's IDS Intrustion Detection Systems Tips and Resources

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

I will use this page to collect IDS tips and resources. If there is a good resource on the net which is not here, please let me know:

Analysis Console for Intrusion Databases (ACID)
- Query-builder and search interface for finding alerts matching on alert meta information (e.g. signature, detection time) as well as the underlying network evidence (e.g. source/destination address, ports, payload, or flags).
- Packet viewer (decoder) will graphically display the layer-3 and layer-4 packet information of logged alerts
- Alert management by providing constructs to logically group alerts to create incidents (alert groups), deleting the handled alerts or false positives, exporting to email for collaboration, or archiving of alerts to transfer them between alert databases.
- Chart and statistics generation based on time, sensor, signature, protocol, IP address, TCP/UDP ports, or classification
BlackIce Pro
Bro : Open Source IDS
- User Manual
Bruce Schneier's Computer Security: Will We Ever Learn?
Buyer's Guides for IDS
Checklist : Intruder Detection Checklist
cert.org
Cisco Intrusion Detection
COAST Intrustion Detection pages tutorials, links
Cybersafe's Centrax
Demarc Security's Opensource IDS PureSecure
dIDS, Introduction To Distributed Intrusion Detection Systems (Jan 2002)
Deploying an Effective Intrusion Detection System
DoxPara Research : tools for manipulating TCP/IP networks
EagleX
EagleX is an IDS environment using free software. Snort IDS (www.snort.org) and IDScenter (www.packx.net) is the core of this distribution. With IDScenter you can setup very fast a full working Snort IDS for your network. Apache server (www.apache.org), PHP (www.php.net), MySQL (www.mysql.com) and ACID (www.cert.org/kb/acid) are used to see latest alerts in a nice front-end, using http authentication.
Entercept, Intercepting Intrusions With Entercept
Enterasys: Dragon Intrusion Detection System
Exchange Format : Intrusion Detection Exchange Format
FAQs and papers for IDS
- Network Intrusion Detection Systems FAQ
  - www.ticm.com/kb/faq/idsfaq.html
  - secinf.net/info/misc/network-intrusion-detection.html
- Papers
- SANS
- Sobirey's Intrusion Detection Systems page
Firestorm NIDS
Fport : Identify unknown open ports and their associated applications
Fragroute: NIDS testing revisited
Gigabyte IDS
Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection
Intrusion Detection Methodologies Demystified
Intrusion Detection articles ordered by the number of citations
IDS Group Test : www.nss.co.uk
Informer
IDS Informer : test your IDS systems: intrusion detection testing solution that utilizes Simulated Attacks For Evaluation process to launch real but harmless attacks at IDS systems. IDS Informer has the ability to run individual or groups of attacks, the speed of which can all be throttled.
IDS Informer Attack Development Kit : allows any format packet capture to be converted to the IDS Informer format enabling all of the advanced configuration and security options currently available with the default attack library without altering the overall structure of the capture
IDS Informer Command Line Interface : enables existing IDS Informer Professional users to run multiple copies of IDS Informer from a single device from a remote source. The CLI provides all of the configuration options associated with IDS Informer with additional functionality to determine configured groups and interfaces, available attacks and to schedule unattended transmission of attacks.remote control of IDS Informer
Interpreting Network Traffic: A Network Intrusion Detector's Look at Suspicious Events tutorial
Intrusion Signatures and Analysis book recommendation
Intrusion Signatures : Evaluating Network Intrusion Detection Signatures
Intruvert Networks
2G bit/sec+ capable, signature detection; anomaly detection; DoS detection; virtual IDSs, $100,000+
IPolicy Networks
4G bit/sec+ capable, carrier capable; run seven security apps simultaneously; $125,000+
ISS : Internet Security Systems
ISS : Gigabit Ethernet Intrusion Detection Detection
Locking down NT host for Intrusion Detection
LT Auditor+ : intrusion detection/audit trail security software NT, commercial
Mailing list: There is an IDS mailing list hosted at ids@uow.edu.au
To subscribe send a message with following text to majordomo@uow.edu.au
subscribe ids Your Name
Mailing list archive for IDS, Securepoint
Michael Sobirey's Intrusion Detection Systems page links
Network Computing's Review of IDS August 2001
Computer Associate International's eTrust, Cisco Systems' Secure IDS, CyberSafe Corp.'s Centrax, Enterasys Networks' Dragon, Internet Security Systems' BlackICE ISS' RealSecure, Intrusion.com's SecureNet Pro, NFR Security's NFR Network Intrusion Detection System, Anzen Computing's Flight Jacket, open-source Snort, Symantec Corp.'s NetProwler.
NIST Intrusion Detection Systems draft
NIST Special Publication on Intrusion Detection Systems draft
NFR Security commerical IDS products (Sept 2001)
Passive Mapping: An Offensive Use of IDS (Sept 2001)
Planning Concerns, Considerations, and Tips for IDS in Federal IT Systems SANs
Sentinel : fast file/drive scanning utility similar to the Tripwire and Viper.pl unix
Signatures:
- Network Intrusion Detection Signatures Karen Kent Frederick
SNARE : System iNtrusion Analysis & Reporting Environment auditing and intrusion detection on a wide range of platforms
Snort : The Open Source Network Intrusion Detection System
Steps for Recovering from a UNIX or NT System Compromise
TCPDUMP
TelemetryBox : Linux based distribution designed especially for diagnostic purposes
Terminology, Intrusion Detection Systems Terminology, part 1 (July 2001)
Terminology, Intrusion Detection Systems Terminology, part 2 (July 2001)
TippingPoint Technologies
2G bit/sec+ capable NIDS; traffic-specific attack detection to limit false positives; protocol anomaly and traffic anomaly detection, stateful inspection
Vendors:
- Dragon IDS Enterasys Networks
- Entercept : Intrusion prevention for enterprise servers
- GFI LANguard Security Event Log Monitor
- NetIQ Security Manager
- Network-1 CyberwallPLUS
- Okena Stormwatch
- Pentasafe VigilEnt Intrusion Manager
- RealSecure Network Protection
- Symantec HIDS
Virtual Burglar Alarm - Intrusion Detection Systems pt1
Virtual Burglar Alarm - Intrusion Detection Systems pt2
Vulnerabilities of Network Intrustion Detection Systems : Realizing and Overcoming the Risks

Register Now for Office365 CON - 2017 Online Conference!

Early registration is now open for Office365 CON 2017, the annual online gathering of IT Strategists, Microsoft MVPs and Messaging Technology Vendors. This convenient, annual online event is presented by TechGenix and MSExchange.org for the benefit of busy IT Professionals within the global Office 365 and MS Exchange communities.

Early registrants for this year's conference will also receive a Symantec White Paper: Top 5 SSL/TLS Attack Vectors: How they have impacted IT and how you can avoid them , as well as an invitation to join a special Conference Preview broadcast.

Time and Date: Thursday, March 23, 2017, starting at 10am EDT | 9am CDT | 7am PDT