TEST CENTER

Free, dependable IDS
By Mandy Andress
January 24, 2002
HISTORICALLY, ANY enterprise search for a host-based IDS (intrusion-detection system) to protect its Linux environment has found itself stymied by a lack of available solutions. Network-based IDSes such as Snort have been available for some time, but the host-based approach offers certain advantages, such as the capability to detect attacks that network-based solutions sometimes miss and greater flexibility for fine-tuning which activities should be monitored.
Thankfully, the market opened up last November when an Australian security company called InterSect Alliance released SNARE (System iNtrusion Analysis and Reporting Environment), an open-source, host-based intrusion-detection tool for Linux. SNARE consists of three main components: a dynamic kernel audit module, an audit daemon, and a front-end GUI. The kernel audit module wraps critical system calls such as mkdir, open, and execve and gathers information about the process and the user that executed the call. This information is then stored in a temporary buffer. The user-space audit daemon reads the event data from the temporary buffer via the /proc/audit device and converts it from binary format to a delimited text format. Meanwhile, SNARE's GUI displays these events in a colorful, easy-to-read window; it also provides configuration screens to define which events should be logged.
We tested SNARE on a default Red Hat 7.1 distribution and were impressed with the solution's performance. Using the GUI, you can configure SNARE to monitor either raw kernel events or defined filtered objects. If you choose the former, SNARE will log every instance of a given process, which can lead to very large log files. By defining filtered objects, you can achieve more granular control, allowing you to monitor different kinds of alerts or specific users.
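The two paragraphs above describe a pipeline (kernel module captures a syscall with its process and user, writes a binary record to a buffer, a user-space daemon reads the buffer and converts it to delimited text) and a logging policy (raw mode logs everything; filtered objects narrow the output to chosen calls or users). The following Python script is an added illustration of that pipeline, not SNARE's own code: the binary record layout, the syscall numbering, the field order of the text line and the sample buffer are all constructed for this example, since the review does not document SNARE's real format. It also handles the one failure mode such a daemon must get right, a trailing record that was only half-written when the buffer was read.

```python
import struct
from typing import Iterable, Iterator, Optional, Set

# Record layout used by this example. This is a CONSTRUCTED format for
# illustration only; the review does not describe SNARE's actual binary layout.
#   uint32 syscall_id | uint32 uid | uint32 pid | int32 result | uint16 path_len | path (UTF-8)
HEADER = struct.Struct("<IIIiH")

# Constructed syscall numbering for the three calls the review names.
SYSCALL_NAMES = {1: "open", 2: "mkdir", 3: "execve"}


def encode_event(syscall_id: int, uid: int, pid: int, result: int, path: str) -> bytes:
    """Pack one event the way a kernel-side producer might place it in the buffer."""
    raw_path = path.encode("utf-8")
    return HEADER.pack(syscall_id, uid, pid, result, len(raw_path)) + raw_path


def decode_events(buf: bytes) -> Iterator[dict]:
    """Walk a buffer of back-to-back binary records and yield one dict per event.

    A truncated trailing record (buffer read mid-write) is left unconsumed
    rather than mis-parsed; a real daemon would pick it up on the next read.
    """
    off = 0
    while off + HEADER.size <= len(buf):
        syscall_id, uid, pid, result, path_len = HEADER.unpack_from(buf, off)
        end = off + HEADER.size + path_len
        if end > len(buf):
            break  # partial record: stop here, keep the remainder for later
        path = buf[off + HEADER.size:end].decode("utf-8", errors="replace")
        yield {
            "syscall": SYSCALL_NAMES.get(syscall_id, f"sys_{syscall_id}"),
            "uid": uid,
            "pid": pid,
            "result": result,
            "path": path,
        }
        off = end


def to_delimited(ev: dict) -> str:
    """Render one event as a tab-delimited text line (field order is our choice)."""
    return "\t".join(str(ev[k]) for k in ("syscall", "uid", "pid", "result", "path"))


def filter_events(events: Iterable[dict],
                  syscalls: Optional[Set[str]] = None,
                  uids: Optional[Set[int]] = None) -> Iterator[dict]:
    """Keep only events matching the given syscall names and/or uids.

    With both filters None this is 'raw kernel event' mode: everything passes,
    which is exactly why raw logs grow so quickly.
    """
    for ev in events:
        if syscalls is not None and ev["syscall"] not in syscalls:
            continue
        if uids is not None and ev["uid"] not in uids:
            continue
        yield ev


# Constructed sample buffer standing in for what the daemon reads from /proc/audit.
SAMPLE_BUFFER = b"".join([
    encode_event(1, 1000, 4242, 3, "/home/alice/notes.txt"),
    encode_event(2, 1000, 4242, 0, "/home/alice/build"),
    encode_event(3, 0, 4300, 0, "/usr/sbin/useradd"),
    encode_event(1, 0, 4300, -13, "/etc/shadow"),
])


def raw_log(buf: bytes) -> list:
    """Raw mode: every decoded event becomes one text line."""
    return [to_delimited(ev) for ev in decode_events(buf)]


def filtered_log(buf: bytes, syscalls=None, uids=None) -> list:
    """Filtered mode: only events matching the configured objects become lines."""
    return [to_delimited(ev) for ev in filter_events(decode_events(buf), syscalls, uids)]


if __name__ == "__main__":
    print("--- raw kernel events ---")
    print("\n".join(raw_log(SAMPLE_BUFFER)))
    print("--- filtered: execve and open by uid 0 ---")
    print("\n".join(filtered_log(SAMPLE_BUFFER, syscalls={"execve", "open"}, uids={0})))
```

Running the script prints four lines in raw mode and two in filtered mode; the filter is applied after decoding so that a narrow policy never causes the daemon to lose its place in the binary stream.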
And there's more good news: Significant enhancements are already in the works for future versions of SNARE. InterSect is planning features such as a user-exclusion list, open-flag filtering (to log events only when files are opened in write mode), and a tool to connect the GUI to remote SNARE installations via a network.
While they're at it, InterSect might want to consider other enhancements such as centralized logging and more granular filtering capabilities. We also uncovered one error in the documentation, which states that the audit daemon auditd file is located in /etc/init.d. In our installation, the file was found in /usr/sbin.
Those shortcomings aside, SNARE performed admirably in our tests, proving itself a remarkably easy-to-use and potent security solution. Any organization running Linux servers would be well-advised to evaluate what SNARE has to offer -- particularly when used in combination with the network-based, open-source Snort IDS.
Mandy Andress (mandy_andress@infoworld.com) covers security for the Test Center.
BOTTOM LINE
System iNtrusion Analysis and Reporting Environment 0.8

BUSINESS CASE
This host-based intrusion-detection software identifies malicious or unauthorized access attempts against any Linux system. Dependable and free, it merits serious consideration by any IT shop running Linux servers.

TECHNOLOGY CASE
SNARE can be configured to watch for either raw kernel events or defined filtered objects. Either way, SNARE is a solid performer.

PROS
+ Strong intrusion-detection capabilities
+ Cost-effective
+ Intuitive, easy-to-use interface

CONS
- Unproven in enterprise settings

COST
Free

PLATFORMS
Linux

COMPANY
InterSect Alliance; www.intersectalliance.com
SCORES
Deploy
Ease of use: 10
Implementation: 10
Innovation: 8
Interoperability: 8
Scalability: 5
Security: 8
Suitability: 8
Support: 9
Training: 7
Value: 10