| 1 |
As (hopefully) many of you are aware I am the current |
| 2 |
code-monkey/ebuild-hacker for Prelude IDS. But as I am interested in |
| 3 |
many (well, more or less all [free]) IDS systems I just want to do a |
| 4 |
quick poll. |
| 5 |
|
| 6 |
Those who are following the snort mailing lists (-user in particular) |
| 7 |
might be aware that there is a new console called sguil |
| 8 |
(pronounced "sgweel") that offers real-time (well, as close to real-time |
| 9 |
as possible) and it has a quite nice GUI (for those interested go to |
| 10 |
http://sguil.sf.net and check it out). |
| 11 |
|
| 12 |
What I am proposing to do is to modify the net-analyzer/snort ebuild to |
| 13 |
support sguil, as well as creating ebuilds for the other needed |
| 14 |
components to get this working nicely under Gentoo (it would need a |
| 15 |
local +sguil USE flag). |
| 16 |
|
| 17 |
What I am polling about is "should I do it?" ;) |
| 18 |
|
| 19 |
BTW: Snort 2.0.1 is released, and it seems like 2.0.2 is not far away as |
| 20 |
a few post-release bugs was found (mainly in win32 port, according to |
| 21 |
the CVS logs..) |
| 22 |
|
| 23 |
Final note: I have added some instructions on the Gentoo wiki/Prelude |
| 24 |
(http://gentoo.zhware.net/cgi-bin/moin.cgi/PreludeIntrusionDetectionSystem) that explains how to use snort as a prelude sensor. Will soon (in the next few hours) update the bug #19672 (http://bugs.gentoo.org/show_bug.cgi?id=19672) with updated patches to do this. In my lab enviroment the patch has been working fine (well, the alerts could be more descriptive, but it does alert). |
| 25 |
|
| 26 |
Best regards |
| 27 |
Michael Boman |
| 28 |
|
| 29 |
-- |
| 30 |
Michael Boman |
| 31 |
Security Architect, SecureCiRT Pte Ltd |
| 32 |
http://www.securecirt.com |
Archives