Linux Today: Linux News On Internet Time.

Help Net Security: Interview with Judy Novak, Co-author of "Network Intrusion Detection 3/e"

Feb 25, 2003, 05:30 (0 Talkback[s])
(Other stories by Mirko Zorz)

[ Thanks to LogError for this link. ]

Which are your favourite security tools and why?

"We'll I'm going to show my roots by declaring the Naval Surface Warfare Center (NSWC) Shadow as one of the first and favorite intrusion detection systems I used. I'd installed this at the urging of Stephen Northcutt and discovered a great tool in Shadow and a great friend in Stephen. It is based on tcpdump; and using tcpdump and Shadow required that I become very familiar with TCP/IP otherwise I would be totally clueless. To this day, even though IDS' have made phenomenal advances, I still like using Shadow along with the more modern IDS' to collect background traffic.

"Snort is another favorite tool since it rivals a lot of commercial IDS' and is easy to install and configure. It's pretty easy to write simple or complex rules and I like that you see the offending packet when it alerts. If you don't have access to the guts of the rule that triggered the alert and the dump of offending packet, you don't know if an alert is real or a false positive. Too many commercial IDS' don't let you see the signatures, rules, etc. and don't dump the packet. You are at the mercy of the IDS with no way of validating the accuracy of the alert. You can end up crying wolf if you believe the IDS all of the time or you end up simply ignoring it if you don't.

"We just finished up a red team exercise using nothing more than freeware--nmap, nessus, and the Center for Internet Security (CIS) benchmark tools. This gave us a combination of tools to map the network using nmap, expose the vulnerabilities remotely using nessus, and examine host configurations using the CIS benchmark tools..."

Complete Story

Related Stories: