Saturday, June 5, 2010

Open Source IDS/IPS

Question: Is there an open source IDS or firewall that alerts the command center or system administrator by pager, e-mail or cell phone when an event listed on the company's security event list is triggered?

Answer:
Xxxxxxxxxx,
The answer will be based on the company's security event list. The first prerequisite is that you need to find an open source IDS or firewall that can detect the security events in the list. The detection success rate will depend on the complexity of the security events in your list.

Firewalls are usually not very good at detecting malicious activity, so an IDS/IPS is a better idea. Snort (http://www.snort.org/) is a good start. It is open source and it allows you to configure your own custom detection signatures and rules.

Alerting is simple: you can configure Snort to alert via e-mail, and e-mail messages can be converted to SMS and pager messages easily (you may need to pay for SMS messages depending on the destination and/or geographic location).

For IDS/IPS deployment you have to be careful. You might be receiving millions of alerts, so forwarding each of them as a message might not be a good idea. You need to tune your IDS to report real incidents only (e.g. you may have detected 1 million identical events, but all you need to know is what the incident is, when it started and what its frequency is). Also remember that Snort will only inspect cleartext traffic on day one unless you are decrypting the encrypted traffic.

Another approach is to use a Security Information and Event Management (SIEM) solution in addition to the IDS. Forward all Snort alerts and other alerts (e.g. Windows logs, syslog) to your SIEM tool and make sure that the SIEM consolidates, normalizes and correlates the alerts for you, so that you receive the final, correlated information from the SIEM instead of from the IDS tools. There are open source SIEM tools like OSSIM (http://sourceforge.net/projects/os-sim/) and Cyberoam iView (http://sourceforge.net/projects/cyberoam-iview/files/).
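As an added illustration of the tuning and consolidation points above (this is not code from the original post or from Snort): a small Python script that collapses identical Snort fast-format alerts into one incident record with first-seen time, count and rate, and emits a notification only for incidents at or above a priority cutoff. The sample alert lines, their SIDs and addresses are constructed for the example.

```python
import re
from datetime import datetime

# Pattern for a Snort "alert_fast" output line; the constructed samples below follow that layout.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample alerts; the 9000000+ SIDs are placeholders from the local-rule range, not real rules.
SAMPLE_ALERTS = [
    "06/05-10:15:01.000001  [**] [1:9000001:1] TEST portscan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40001 -> 192.168.1.10:22",
    "06/05-10:15:02.000002  [**] [1:9000001:1] TEST portscan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40002 -> 192.168.1.10:23",
    "06/05-10:17:01.000003  [**] [1:9000001:1] TEST portscan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40003 -> 192.168.1.10:80",
    "06/05-10:16:00.000004  [**] [1:9000002:1] TEST noisy policy notice [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 192.168.1.20:5353 -> 224.0.0.251:5353",
    "this line is not an alert and is skipped",
]

def parse_alert(line, year=2010):
    """Return the fields of one fast-format alert line, or None if the line is not an alert."""
    m = FAST_RE.match(line)
    if m is None:
        return None
    # The fast format carries no year, so the caller supplies it.
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
    return {"ts": ts, "sid": int(m["sid"]), "msg": m["msg"], "priority": int(m["prio"]),
            "src": m["src"], "dst": m["dst"]}

def aggregate(lines, year=2010):
    """Collapse repeated alerts with the same signature, source and destination into one incident."""
    incidents = {}
    for line in lines:
        a = parse_alert(line, year)
        if a is None:
            continue
        key = (a["sid"], a["src"], a["dst"])
        inc = incidents.get(key)
        if inc is None:
            incidents[key] = dict(a, first=a["ts"], last=a["ts"], count=1)
        else:
            inc["first"] = min(inc["first"], a["ts"])
            inc["last"] = max(inc["last"], a["ts"])
            inc["count"] += 1
    return list(incidents.values())

def rate_per_minute(inc):
    """Alerts per minute over the incident's lifetime (a single alert counts as one per minute)."""
    span = (inc["last"] - inc["first"]).total_seconds()
    return float(inc["count"]) if span == 0 else inc["count"] / (span / 60.0)

def notifications(incidents, max_priority=2):
    """One message per incident at or above the priority cutoff (in Snort, priority 1 is the most severe)."""
    return [f"[P{i['priority']}] {i['msg']} {i['src']} -> {i['dst']} first={i['first']:%Y-%m-%d %H:%M:%S} "
            f"count={i['count']} rate={rate_per_minute(i):.1f}/min"
            for i in incidents if i["priority"] <= max_priority]

if __name__ == "__main__":
    for msg in notifications(aggregate(SAMPLE_ALERTS)):
        print(msg)
```

Run against a real alert file, three repeated probes become one message with the start time and rate, and the priority-3 notice stays out of the pager queue while remaining available for the SIEM.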

Let me know if you have a specific question,

Cheers,
- yinal
