Tuesday, July 17, 2007

HIDS are from Mars, NIDS are from Venus

Interesting title, don't you think? But, it is accurate if you think about it. HIDS, or Host Intrusion Detection System/Software, and NIDS, Network Intrusion Detection System/Software, though having the same core purpose (that being Intrusion Detection) are such very different creatures. HIDS looks at events as they relate to the host, or occur on the host. NIDS looks at events as they relate to network traffic.

Example: HIDS will see the syslog events where someone tried logging in via ssh, and is pretty positive that these events occurred. Very fact based, not very subtle. NIDS sees the ssh traffic, and probably wouldn't trigger an event unless the ssh packets are not RFC compliant or an attack pattern is detected in the packets themselves. If NIDS does trigger an event, the event would be somewhat vague and non-committal, and you (the IDS engineer/analyst) would have to do some interpretation and correlation. Note the subtle differences in how each approaches and implements its solution to the same problem, that being intrusion detection.

I'll leave it up to you, the reader, to decide which variant of IDS fits which gender. It's safer that way: less chance of offending someone's (so-called) politically correct sensibilities. Me personally... I'm a HIDS.

Quite often it can be difficult correlating events from HIDS and NIDS (e.g. "He said..., she said..."), let alone other event sources (which we won't go into for this brief discussion). Since HIDS and NIDS look at intrusion detection differently, they are bound to talk about (log) events differently and use differing lingo. You need someone to act as a go-between, an interpreter who understands both languages (HIDS and NIDS), can make sense out of each input (logs), and can provide an accurate "big picture" of your environment (depending on how many logging sources you have, of course). OSSEC-HIDS fits that role quite well. It understands NIDS events, HIDS events, firewall events, and so much more. It's the relationship counselor of intrusion detection. *smile*
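To make the go-between role concrete, here is an added example (written for this post, not OSSEC's own decoders or rules): it translates the sshd syslog "lingo" and a Snort-style alert line into one shared schema, then joins the two feeds on source address and time, so the fact-based host event and the vaguer network event can be read together. The two log layouts are my approximations, the sample lines are constructed, and the signature id, alert message and year are invented placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input, not real captures: sshd syslog as the host records
# it, and a Snort-style "fast" alert line with a made-up signature id/message.
HIDS_LINES = [
    "Jul 17 10:02:13 mars sshd[4123]: Failed password for invalid user admin from 192.0.2.45 port 51022 ssh2",
    "Jul 17 10:02:21 mars sshd[4123]: Failed password for invalid user admin from 192.0.2.45 port 51030 ssh2",
    "Jul 17 11:30:00 mars sshd[5001]: Accepted publickey for ops from 198.51.100.7 port 40001 ssh2",
]
NIDS_LINES = [
    "07/17-10:02:09.113 [**] [1:9000001:1] CONSTRUCTED SSH protocol anomaly [**] {TCP} 192.0.2.45:51022 -> 192.0.2.10:22",
    "07/17-10:45:02.000 [**] [1:9000001:1] CONSTRUCTED SSH protocol anomaly [**] {TCP} 203.0.113.9:6000 -> 192.0.2.10:22",
]
YEAR = 2007  # neither format carries a year; assumed here
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
HIDS_RE = re.compile(rf"^(?P<ts>\w{{3}} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     rf"(?P<verb>Failed|Accepted) .* from (?P<src>{IP}) port")
NIDS_RE = re.compile(rf"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ \[\*\*\] \[[\d:]+\] "
                     rf"(?P<msg>.+?) \[\*\*\] \{{\w+\}} (?P<src>{IP}):\d+ -> ")

def normalize_hids(line):
    """Translate sshd's lingo into the shared schema; None if the line is not sshd auth."""
    m = HIDS_RE.match(line)
    return m and {"source": "hids", "src_ip": m["src"],
                  "ts": datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"),
                  "msg": "auth_failure" if m["verb"] == "Failed" else "auth_success"}

def normalize_nids(line):
    """Translate the sensor's alert format into the same schema; None if unrecognised."""
    m = NIDS_RE.match(line)
    return m and {"source": "nids", "src_ip": m["src"], "msg": m["msg"],
                  "ts": datetime.strptime(f"{YEAR} {m['ts']}", "%Y %m/%d-%H:%M:%S")}

def correlate(hids_lines, nids_lines, window=timedelta(minutes=5)):
    """Join both feeds on (src IP, time window) -> (corroborated host events, NIDS-only alerts)."""
    hids = [e for e in map(normalize_hids, hids_lines) if e]
    nids = [e for e in map(normalize_nids, nids_lines) if e]
    corroborated, used = [], set()
    for h in hids:
        near = [i for i, n in enumerate(nids)
                if n["src_ip"] == h["src_ip"] and abs(n["ts"] - h["ts"]) <= window]
        if near:  # host fact backed by a network alert from the same source
            used.update(near)
            corroborated.append({**h, "nids_alerts": [nids[i]["msg"] for i in near]})
    return corroborated, [n for i, n in enumerate(nids) if i not in used]

if __name__ == "__main__":
    hits, unconfirmed = correlate(HIDS_LINES, NIDS_LINES)
    print(len(hits), "corroborated host events;", len(unconfirmed), "NIDS-only alerts")
```

The NIDS-only list is exactly the vague, non-committal kind of event the post describes: nothing on the host confirms it, so it still needs an analyst's interpretation.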

Anyone who knows me knows that somehow I'll find a way to wriggle OSSEC-HIDS into most any conversation. It's one of my favorite open source projects. Perhaps I am somewhat biased in my opinions regarding OSSEC-HIDS, but what I said about it is essentially accurate, though it understates the features it brings to any environment. OSSEC is more than an IDS relationship counselor, but it handles that task quite nicely if you ask me.
