IDS Evaluation

Evaluated IDS

NFR

NFR (Network Flight Recorder) is a commercial IDS produced by NFR. NFR creates a dedicated IDS device which can report either directly to an analysis station or to a central logging station. Detection rules are created in N-Script, the NFR scripting language. The analysis station is a MS Windows system running the NFR client software. The client software provides monitoring and configuration of the IDS device.

• Runs on a dedicated machine
• Can be administrated remotely
• Has a GUI interface for the user
• Logs from several systems can be combined on a single system

• Expensive
• Difficult to extract info from GUI
• GUI only works under Windows
• Recording station had frequent crashes
• Requires knowledge of yet another scripting (n-code) language to develop new detectors
• Core software is Closed Source

Snort

Snort is Free/Open Source IDS from http://www.snort.org. Snort can be used as a basic packet sniffer like tcpdump, a packet logger, or as a full network intrusion detection system. Snort can inspect network traffic and trigger on defined patterns. Detection rules are written with simple keywords similar to tcpdump filters. The snort detection engine can be extended with user written plug-ins. It is actively supported and new filters are created on a regular basis. Snort works on a multitude of platforms and will basically work wherever libpcap can be built.

• Free
• Open Source
• Detectors are developed using tcpdump like syntax
• Powerful yet simple and very flexible
• Can run on a variety of platforms
• Output is in text file format
• Well supported in the Open Source Community

• No GUI interface
• No built in central logging capability
• No built in stateful inspection
• Requires knowledge of networking, programming and system administration to install, use and develop new detectors.

Portsentry

Portsentry is free/Open Source Product from Psionic Software http://www.psionic.com. Portsentry tracks connections to the host it is running on and can identify possible scanning attempts against the host. When this activity is detected Portsentry will deny access to the scanning host. Optionally portsentry can detect more advanced scan techniques (half open syn scans) and can also be configured in even more reactive modes.

• Free
• Open Source
• Very configurable
• Can be configured to be reactive
• Detects advanced scanning methods
• Logging can be customized

• Detection is specific to the host running Portsentry
• In it's default mode it has a high number false positives
• No GUI interface.

Clog

Clog is a Connection Logger. It places the network card into promiscuous mode and logs network connections to stdout or an optional log file in a very simple one line format. Clog uses standard tcpdump filters so that various types of connections can be recorded or ignored.

• Free
• Open Source
• Simple Operation
• Uses a standard filter syntax (tcpdump)

• No GUI
• No built in alerting or reporting capability

Tripwire

Tripwire is a host based system integrity checker. Tripwire inspects a system generating checksums against system critical files. Files are rechecked periodically for modification, which could indicate an intrusion. There is both a commercial (multiplatform) and Free/Open Source (Currently, Linux only from http://www.tripwire.org) version of Tripwire

• Free/Open source option
• A proven system for integrity checking

• Only Host based

AAFID

AAFID is from CERIAS at Purdue University. AAFID is a distributed agent based Intrusion Detection System. AAFID is mostly a host based IDS although it's agent architecture is flexible enough to expand into different IDS roles.

• Open Source (restricted use?)
• Capability to use AI in its detectors
• Detectors are implemented as Agents
• Central and/or multiple logging capabilities

• Not mature (not ready for deployment)
• Mostly host based

Shadow

Shadow IDS was developed by Steven Norcutt. Shadow is a tcpdump based IDS. It post processes tcpdump log files and can identify possible intrusions.

• Open Source?

• Non real time detection

Comments and Conclusions

While all the products have their strengths and weaknesses in the team preferred a combination of Snort, Portsentry and Clog.

Snort was preferred over NFR as a network based IDS for several reasons including:

• Stability
• Portability
• Simplicity
• Text based output

We consistently had stability problems with NFR (system crashes and lockups) this may have been in part to the very strict hardware requirements for NFR. These requirements also effected portability. Snort has been successfully build under several OS's and while a machine could be dedicated to Snort it is happy to run on a multi-use machine. NFR output was difficult to work with. It was accessible only from a MS Windows based machine (not our native platform) and had no easy way to dump the data to a simple text file. The GUI interface for NFR was complex and difficult to work with. We preferred the simple configuration file of Snort. NFR does have benefits including an extensive library of detection scripts and it appears that NFR would scale better in a larger networked environment.

Clog while limited in it's capability provides a good network activity monitor. It's compact logging methods allows it to monitor general network activity while Snort can concentrate on specific intrusion attempts. Clog and Snort compliment each other well.

Portsentry is very effective at monitoring connections to a specific host and its reactive features (if judiciously programmed) could provide some interesting features. Even in it's monitoring mode it provides detailed logs of connection attempts to the host it is running on.

The addition of a host based intrusion detection system to our list, probably Tripwire, would round out our selections. Since Tripwire is now offering an Open Source version it would be aligned with our preference for Open Source tools.

While not mature as of this writing, AFFIDS was a very interesting tool. A obvious benefit could be gained with a distributed, agent based IDS that incorporated both host based and network based detection. With the capability to combine log files and process data in pseudo-realtime, AFFIDS could be base of a powerful IDS.