easyids

nicklauscombs

i noticed this is now quite out of date, is there a similar project currently out there? other suggestions for getting snort up and running quick and easy at home?

nicklauscombs

found this as an option: Snort IDS Sensor with Sguil Framework ISO

hoping to try it out in the next couple of days / early next week. any other options anyone knows of?

Bl8ckr0uter

nicklauscombs wrote: »

found this as an option: Snort IDS Sensor with Sguil Framework ISO

hoping to try it out in the next couple of days / early next week. any other options anyone knows of?

What exactly are you looking for? Just snort based stuff? I was actually looking at bro a while back.

Bro Intrusion Detection System - Bro Overview

nicklauscombs

Bl8ckr0uter wrote: »

What exactly are you looking for? Just snort based stuff? I was actually looking at bro a while back.

Bro Intrusion Detection System - Bro Overview

yup, just looking for a quick easy way to get snort running to play around with a bit, bro looks interesting though ill have to look into that a little more.

Bl8ckr0uter

nicklauscombs wrote: »

yup, just looking for a quick easy way to get snort running to play around with a bit, bro looks interesting though ill have to look into that a little more.

http://www.turnkeylinux.org/forum/general/20101206/insta-snorby-official-snort-snorby-turn-key-solution

This looks promising. In fact I might look this up this weekend.

JDMurray

I would highly advise staying with Snort of you are looking for knowledge and experience at configuring and running an IDS. Besides there being a lot of available Snort tutorials and expertise on the Web, many commercial IDS and SIEM products are based on Snort, making it an excellent tool to know how to use and show off your knowledge of in an interview.

Paul Boz

To second JD, I have to also push for Snort if you're starting to learn intrusion detection and prevention. Snort was the first real player in the game of IPS/IDS and the project has simply had much more time to evolve and mature. It is also more of a ground-up community lead initiative unlike commercial offerings like Cisco, McAfee, etc. I manage a large number of Cisco IPS and a smaller number of Sourcefire boxes and I want to migrate my Cisco IPS infrastructure to Sourcefire more than you can believe.

I feel that if you are competent in Snort it will take you very far. I may have mentioned this before, but about a month ago I was asked to review, procure, and deploy a IPS in under two weeks. I had literally eight hours with the appliance before I had to install it in-line into production traffic but because I had EasyIDS and general CLI snort experience I got it done with flying colors. I always wondered why I was bothering to learn stuff like EasyIDS but this exercise proved to me that you can never be over-prepared.

JDMurray

And regardless of the IDS, you should also get some hands-on experience with Splunk. It's another tool you find a lot of people using. Just for practicing, install it in a VM snapshot and revert back to new when you need to.

Bl8ckr0uter

JDMurray wrote: »

And regardless of the IDS, you should also get some hands-on experience with Splunk. It's another tool you find a lot of people using. Just for practicing, install it in a VM snapshot and revert back to new when you need to.

Good tip. What popular Siems do people use? Alienvault says they are the most popular (opensource siem). I know Arcsight is pretty popular. What other big name ones are out there?

nicklauscombs

JDMurray wrote: »

And regardless of the IDS, you should also get some hands-on experience with Splunk. It's another tool you find a lot of people using. Just for practicing, install it in a VM snapshot and revert back to new when you need to.

jd and paul, thanks for the suggestions ill definitely be sticking with the snort install at home to get some experience. as for splunk i just got access to it at work as of yesterday so im looking forward to taking the deep dive into that tool.

nicklauscombs

Bl8ckr0uter wrote: »

Good tip. What popular Siems do people use? Alienvault says they are the most popular (opensource siem). I know Arcsight is pretty popular. What other big name ones are out there?

Enterprise SIEM - NitroSecurity - Security Information and Event Management (SIEM) - had the opportunity to play around with nitroview over the last couple of days.

Bl8ckr0uter

Are you looking to do GCIA at some point?

Have you picked up these books:

Amazon.com: The Tao of Network Security Monitoring: Beyond Intrusion Detection (9780321246776): Richard Bejtlich: Books


Amazon.com: Extrusion Detection: Security Monitoring for Internal Intrusions (9780321349965): Richard Bejtlich: Books

I own both. I plan to use these as a part of my GCIA attempt later this year.

nicklauscombs

on my hit list at some point in the future, have read parts of tao but havent checked out the other. definitely will look into that one this evening at work, thanks for the suggestion!

Bl8ckr0uter

nicklauscombs wrote: »

on my hit list at some point in the future, have read parts of tao but havent checked out the other. definitely will look into that one this evening at work, thanks for the suggestion!

Before my attempt I am going to pick this up to:
Amazon.com: Security Monitoring: Proven Methods for Incident Detection on Enterprise Networks (9780596518165): Chris Fry, Martin Nystrom: Books

JDMurray

Bl8ckr0uter wrote: »

I know Arcsight is pretty popular.

And very expensive. ArcSight is the primo leading in SIEM products and their pricing sheet reflects it. They remind me of Oracle for databases, Google for search engines, and VMware for virtualization. Arcsights is great at finding ways to keep its customers paying reoccurring fees and for upgrades. I know of several large businesses that got sticker-shock after they installed ArcSight because they weren't aware of how much on-going training and support was needed and the cost.

docrice

I'll agree with what others mentioned about Snort. Splunk is also very easy to get up and running - just start syslogging stuff out to it and you have data that you can query and see pretty graphs with. Here's a copy / paste type guide that I wrote a while back to get Snort / Barnyard installed and running on a CentOS 5.5 system. You just need a box with at least two interfaces.

http://kimiushida.com/bitsandpieces/articles/snort_quickstart_on_centos_5.5/

Writing your own rules is the fun part. A web-based GUI to manage everything is nice and all, but it really helps to be able to dig into the guts and see how things are structured via CLI as well. This is critical if you're trying to learn IDS. Snort as an engine is constantly improving, and EasyIDS is a couple of years out of date at this point. Also, spend some time reading through the excellent Snort user's guide.

the_Grinch

I will say this thread has been awesome! Lots of tools I hadn't heard of, so thanks all!

nicklauscombs

Bl8ckr0uter wrote: »

http://www.turnkeylinux.org/forum/general/20101206/insta-snorby-official-snort-snorby-turn-key-solution

This looks promising. In fact I might look this up this weekend.

walked through part of the install this afternoon but unfortunately i had to leave for work before finishing. from what i saw it looks like an incredibly easy way to get snort up and running. very promising indeed. will post more once i finish it out. either tomorrow or monday.

Bl8ckr0uter

Awesome. Im probably going to go through this as well. Update the thread with your thoughts.

jmu200

You may want to check out Security Onion (Security Onion). I think it's freaking awesome. To quote the website:

"The Security Onion LiveDVD is a bootable DVD that contains software used for installing, configuring, and testing Intrusion Detection Systems. It is based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Squert, Xplico, nmap, metasploit, Armitage, scapy, hping, netcat, tcpreplay, and many other security tools."

It has been a great learning tool and I've used it in production. Great for a beginner to get up an running quickly. Sguil really kicks butt as it lets you query your alerts in depth and effortlessly. I'm curious what commercial solution could be better?

It is of course great to install all the packages on your own, as that is a great learning experience as well.

Bl8ckr0uter

downloading now. Awesome find.

nicklauscombs

thanks for the heads up. looks like i have some projects to work on this week as i'm mostly off work.

Bl8ckr0uter

nicklauscombs wrote: »

thanks for the heads up. looks like i have some projects to work on this week as i'm mostly off work.

What I am concerned about Nick is using all of these prebuilt isos will not help with complete learning. Similar to using a gui in linux, ya know? I don't know, I am still going to check it out.

nicklauscombs

Bl8ckr0uter wrote: »

What I am concerned about Nick is using all of these prebuilt isos will not help with complete learning. Similar to using a gui in linux, ya know? I don't know, I am still going to check it out.

agreed, however i am more concerned (for now) with the learning done inside snort more so than the initial setup.

Bl8ckr0uter

nicklauscombs wrote: »

agreed, however i am more concerned (for now) with the learning done inside snort more so than the initial setup.

I understand that completely. How are the LPIC-1 studies coming?

nicklauscombs

Bl8ckr0uter wrote: »

I understand that completely. How are the LPIC-1 studies coming?

actually coming along decently considering the whirlwind of the past three weeks since taking on my new job.