Open source IDS: Prelude and Snort

From Computing and Software Wiki


Snort

Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS). It uses a rule-driven language that combines the benefits of signature-, protocol- and anomaly-based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry. It is capable of performing packet logging and real-time traffic analysis on IP networks. Snort was written by Martin Roesch and is now developed and researched by Sourcefire, of which Roesch is the founder and CTO. Integrated enterprise versions with purpose-built hardware and commercial support services are sold by Sourcefire.

Snort performs protocol analysis and content searching/matching, and is commonly used to actively block or passively detect a variety of attacks and probes, such as buffer overflows, stealth port scans, web application attacks, SMB probes and OS fingerprinting attempts, among other features. The software is mostly used for intrusion prevention, dropping attacks as they take place. Snort™ can be combined with other software such as SnortSnarf, sguil, OSSIM and the Basic Analysis and Security Engine (BASE) to provide a visual representation of intrusion data. With patches for the Snort source from Bleeding Edge Threats, packet stream antivirus scanning with ClamAV and network anomaly detection with SPADE at network layers 3 and 4 (based on historical observation) are possible. (These patches seem to be no longer maintained.)

Sourcefire went public in 2007 (NASD:FIRE) after Check Point's attempt to acquire it in 2005 fell through, both companies having mutually withdrawn from the acquisition process. Sourcefire recently purchased the ClamAV open source project.

http://www.snort.org/
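To make the "rule-driven language" above concrete, here is an added example (not Snort's own code) of how a signature rule is matched against traffic. It implements only the rule header (action, protocol, addresses, ports, direction) and the msg, content and sid options; the rules, packets and sid values below are constructed for the demonstration. Real Snort supports many more options, preprocessors and stream reassembly, which this evaluator does not attempt.

```python
"""Minimal evaluator for Snort-style signature rules.

Added example, not Snort's code.  Handles the rule header
(action proto src sport dir dst dport) and the msg, content and sid
options.  Option splitting on ';' is simplified: it does not handle a
';' inside a quoted content string.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample rules in Snort syntax (sids in the local 1000000+ range).
RULES = [
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"WEB-ATTACKS /etc/passwd access"; '
    'content:"/etc/passwd"; sid:1000001; rev:1;)',
    'alert tcp any any -> 192.168.1.0/24 445 (msg:"SMB probe"; content:"|FF|SMB"; '
    'sid:1000002; rev:1;)',
]

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def _addr_match(spec, ip):
    """'any' or a host/CIDR spec against an IP address."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    """'any', a single port, or Snort's lo:hi range syntax."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def _content_bytes(value):
    """Convert a Snort content string with |hex| escapes into raw bytes."""
    out = b""
    for i, chunk in enumerate(value.split("|")):
        out += chunk.encode() if i % 2 == 0 else bytes.fromhex(chunk)
    return out


def parse_rule(text):
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError(f"unparseable rule: {text}")
    rule = m.groupdict()
    opts = {}
    for opt in filter(None, (o.strip() for o in rule.pop("opts").split(";"))):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    rule["options"] = opts
    return rule


def _endpoints_match(rule, src, sport, dst, dport):
    return (_addr_match(rule["src"], src) and _port_match(rule["sport"], sport)
            and _addr_match(rule["dst"], dst) and _port_match(rule["dport"], dport))


def match(rule, pkt):
    """True if the packet satisfies the header and the content option."""
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    ok = _endpoints_match(rule, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    if not ok and rule["dir"] == "<>":  # bidirectional rules also match the reverse flow
        ok = _endpoints_match(rule, pkt.dst, pkt.dport, pkt.src, pkt.sport)
    if not ok:
        return False
    content = rule["options"].get("content")
    return content is None or _content_bytes(content) in pkt.payload


def inspect(packets, rules=RULES):
    """Return (sid, msg, src, dst) for every rule/packet pair that matches."""
    parsed = [parse_rule(r) for r in rules]
    return [(int(r["options"]["sid"]), r["options"]["msg"], p.src, p.dst)
            for p in packets for r in parsed if match(r, p)]


# Constructed sample traffic: a benign request, a traversal attempt, an SMB probe.
SAMPLE_PACKETS = [
    Packet("tcp", "10.0.0.5", 41000, "192.168.1.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("tcp", "10.0.0.5", 41001, "192.168.1.10", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("tcp", "10.0.0.9", 41002, "192.168.1.20", 445, b"\x00\x00\x00\x2f\xffSMBr\x00"),
]

if __name__ == "__main__":
    for sid, msg, src, dst in inspect(SAMPLE_PACKETS):
        print(f"[{sid}] {msg} {src} -> {dst}")
```

The benign request matches neither rule because the header alone is not enough: the content option must also be found in the payload. That is the signature half of what the paragraph describes; the protocol and anomaly halves come from Snort's preprocessors, which are out of scope here.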

Prelude-IDS, open source hybrid IDS framework

Prelude is an open source, Unix-based network intrusion detection system. It is released under the GPL license and is similar to Snort.

Prelude is a hybrid IDS framework, that is, a product that enables all available security applications, whether open source or proprietary, to report to a centralized system. To achieve this, Prelude relies on the IDMEF (Intrusion Detection Message Exchange Format) IETF standard, which enables different kinds of sensors to generate events in a unified language.

Prelude benefits from its ability to find traces of malicious activity in the output of different sensors (Snort, honeyd, the Nessus vulnerability scanner, Samhain, over 30 types of system logs, and many others), which lets it better confirm an attack and, ultimately, perform automatic correlation between the various events.

Prelude is committed to providing a hybrid IDS that unifies currently available tools into one powerful, distributed application.

http://www.prelude-ids.org/
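The two Prelude paragraphs above (sensors reporting in the unified IDMEF language, and correlation across those sensors) can be illustrated together. The following is an added example, not Prelude's code: it normalises a constructed Snort fast-alert line and a constructed sshd syslog line into minimal IDMEF-Message documents (only the Analyzer, CreateTime, Source, Target and Classification elements of RFC 4765 are used), then correlates the resulting alerts by source address, flagging any source reported by more than one kind of sensor. The log line formats and the regular expressions that read them are approximations assumed for the demonstration.

```python
"""Normalise heterogeneous sensor events into IDMEF and correlate them.

Added example, not Prelude's code.  Uses a small subset of the IDMEF
schema (RFC 4765); sample log lines and their regexes are constructed.
"""
import ipaddress
import re
import uuid
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timezone

IDMEF_NS = "http://iana.org/idmef"

# Constructed sample sensor output: a Snort fast-format alert and a syslog line.
SNORT_LINE = ('03/14-10:22:01.123456  [**] [1:1000001:1] WEB-ATTACKS /etc/passwd access '
              '[**] [Priority: 3] {TCP} 10.0.0.5:41001 -> 192.168.1.10:80')
SYSLOG_LINE = ('Mar 14 10:22:07 web01 sshd[2231]: Failed password for root '
               'from 10.0.0.5 port 51022 ssh2')

SNORT_RE = re.compile(
    r'\[\*\*\] \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.+?) \[\*\*\] (?:\[.*?\] )*'
    r'\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)')
SYSLOG_RE = re.compile(
    r'(?P<host>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) '
    r'from (?P<src>[\d.]+) port (?P<sport>\d+)')


def normalise_snort(line):
    """Snort alert line -> sensor-neutral event dict (None if unrecognised)."""
    m = SNORT_RE.search(line)
    if not m:
        return None
    return {"analyzer": "snort", "source": m["src"], "target": m["dst"],
            "classification": m["msg"]}


def normalise_syslog(line):
    """sshd failed-login syslog line -> sensor-neutral event dict."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    return {"analyzer": "syslog", "source": m["src"], "target": m["host"],
            "classification": f"SSH authentication failure for {m['user']}"}


def _node(parent, value):
    """IDMEF Node: Address/address for an IP, name for a hostname."""
    node = ET.SubElement(parent, "Node")
    try:
        ipaddress.ip_address(value)
    except ValueError:
        ET.SubElement(node, "name").text = value
        return
    addr = ET.SubElement(node, "Address", {"category": "ipv4-addr"})
    ET.SubElement(addr, "address").text = value


def to_idmef(event, when=None):
    """Serialise a normalised event as a minimal IDMEF-Message XML string."""
    when = when or datetime.now(timezone.utc)
    root = ET.Element("IDMEF-Message", {"xmlns": IDMEF_NS, "version": "1.0"})
    alert = ET.SubElement(root, "Alert", {"messageid": str(uuid.uuid4())})
    ET.SubElement(alert, "Analyzer", {"analyzerid": event["analyzer"]})
    ET.SubElement(alert, "CreateTime").text = when.isoformat()
    _node(ET.SubElement(alert, "Source"), event["source"])
    _node(ET.SubElement(alert, "Target"), event["target"])
    ET.SubElement(alert, "Classification", {"text": event["classification"]})
    return ET.tostring(root, encoding="unicode")


def parse_idmef(xml_text):
    """Read back the subset of IDMEF written by to_idmef."""
    ns = {"i": IDMEF_NS}
    alert = ET.fromstring(xml_text).find("i:Alert", ns)

    def endpoint(tag):
        node = alert.find(f"i:{tag}/i:Node", ns)
        addr = node.find("i:Address/i:address", ns)
        return addr.text if addr is not None else node.find("i:name", ns).text

    return {"analyzer": alert.find("i:Analyzer", ns).get("analyzerid"),
            "source": endpoint("Source"), "target": endpoint("Target"),
            "classification": alert.find("i:Classification", ns).get("text")}


def correlate(messages):
    """Group IDMEF alerts by source; keep sources seen by more than one sensor type."""
    by_source = defaultdict(list)
    for msg in messages:
        ev = parse_idmef(msg)
        by_source[ev["source"]].append(ev)
    return {src: evs for src, evs in by_source.items()
            if len({e["analyzer"] for e in evs}) > 1}


def demo():
    events = [normalise_snort(SNORT_LINE), normalise_syslog(SYSLOG_LINE)]
    return correlate([to_idmef(e) for e in events if e])


if __name__ == "__main__":
    for src, evs in demo().items():
        print(src, [(e["analyzer"], e["target"], e["classification"]) for e in evs])
```

Once both sensors speak IDMEF, the correlation step needs no sensor-specific knowledge at all: it only reads Source, Target and Analyzer from the common message, which is exactly why the framework can take in "opensource or proprietary" tools alike.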
