easyids
nicklauscombs
Member Posts: 885
i noticed this is now quite out of date, is there a similar project currently out there? other suggestions for getting snort up and running quick and easy at home?
WIP: IPS exam
Comments
-
nicklauscombs Member Posts: 885found this as an option: Snort IDS Sensor with Sguil Framework ISO
hoping to try it out in the next couple of days / early next week. any other options anyone knows of?WIP: IPS exam -
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□nicklauscombs wrote: »found this as an option: Snort IDS Sensor with Sguil Framework ISO
hoping to try it out in the next couple of days / early next week. any other options anyone knows of?
What exactly are you looking for? Just snort based stuff? I was actually looking at bro a while back.
Bro Intrusion Detection System - Bro Overview -
nicklauscombs Member Posts: 885Bl8ckr0uter wrote: »What exactly are you looking for? Just snort based stuff? I was actually looking at bro a while back.
Bro Intrusion Detection System - Bro Overview
yup, just looking for a quick easy way to get snort running to play around with a bit, bro looks interesting though ill have to look into that a little more.WIP: IPS exam -
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□nicklauscombs wrote: »yup, just looking for a quick easy way to get snort running to play around with a bit, bro looks interesting though ill have to look into that a little more.
http://www.turnkeylinux.org/forum/general/20101206/insta-snorby-official-snort-snorby-turn-key-solution
This looks promising. In fact I might look this up this weekend. -
JDMurray Admin Posts: 13,101 AdminI would highly advise staying with Snort of you are looking for knowledge and experience at configuring and running an IDS. Besides there being a lot of available Snort tutorials and expertise on the Web, many commercial IDS and SIEM products are based on Snort, making it an excellent tool to know how to use and show off your knowledge of in an interview.
-
Paul Boz Member Posts: 2,620 ■■■■■■■■□□To second JD, I have to also push for Snort if you're starting to learn intrusion detection and prevention. Snort was the first real player in the game of IPS/IDS and the project has simply had much more time to evolve and mature. It is also more of a ground-up community lead initiative unlike commercial offerings like Cisco, McAfee, etc. I manage a large number of Cisco IPS and a smaller number of Sourcefire boxes and I want to migrate my Cisco IPS infrastructure to Sourcefire more than you can believe.
I feel that if you are competent in Snort it will take you very far. I may have mentioned this before, but about a month ago I was asked to review, procure, and deploy a IPS in under two weeks. I had literally eight hours with the appliance before I had to install it in-line into production traffic but because I had EasyIDS and general CLI snort experience I got it done with flying colors. I always wondered why I was bothering to learn stuff like EasyIDS but this exercise proved to me that you can never be over-prepared.CCNP | CCIP | CCDP | CCNA, CCDA
CCNA Security | GSEC |GCFW | GCIH | GCIA
pbosworth@gmail.com
http://twitter.com/paul_bosworth
Blog: http://www.infosiege.net/ -
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□And regardless of the IDS, you should also get some hands-on experience with Splunk. It's another tool you find a lot of people using. Just for practicing, install it in a VM snapshot and revert back to new when you need to.
Good tip. What popular Siems do people use? Alienvault says they are the most popular (opensource siem). I know Arcsight is pretty popular. What other big name ones are out there? -
nicklauscombs Member Posts: 885And regardless of the IDS, you should also get some hands-on experience with Splunk. It's another tool you find a lot of people using. Just for practicing, install it in a VM snapshot and revert back to new when you need to.
jd and paul, thanks for the suggestions ill definitely be sticking with the snort install at home to get some experience. as for splunk i just got access to it at work as of yesterday so im looking forward to taking the deep dive into that tool.WIP: IPS exam -
nicklauscombs Member Posts: 885Bl8ckr0uter wrote: »Good tip. What popular Siems do people use? Alienvault says they are the most popular (opensource siem). I know Arcsight is pretty popular. What other big name ones are out there?
Enterprise SIEM - NitroSecurity - Security Information and Event Management (SIEM) - had the opportunity to play around with nitroview over the last couple of days.WIP: IPS exam -
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□Are you looking to do GCIA at some point?
Have you picked up these books:
Amazon.com: The Tao of Network Security Monitoring: Beyond Intrusion Detection (9780321246776): Richard Bejtlich: Books
Amazon.com: Extrusion Detection: Security Monitoring for Internal Intrusions (9780321349965): Richard Bejtlich: Books
I own both. I plan to use these as a part of my GCIA attempt later this year. -
nicklauscombs Member Posts: 885on my hit list at some point in the future, have read parts of tao but havent checked out the other. definitely will look into that one this evening at work, thanks for the suggestion!WIP: IPS exam
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□nicklauscombs wrote: »on my hit list at some point in the future, have read parts of tao but havent checked out the other. definitely will look into that one this evening at work, thanks for the suggestion!
Before my attempt I am going to pick this up to:
Amazon.com: Security Monitoring: Proven Methods for Incident Detection on Enterprise Networks (9780596518165): Chris Fry, Martin Nystrom: Books -
JDMurray Admin Posts: 13,101 AdminBl8ckr0uter wrote: »I know Arcsight is pretty popular.
-
docrice Member Posts: 1,706 ■■■■■■■■■■I'll agree with what others mentioned about Snort. Splunk is also very easy to get up and running - just start syslogging stuff out to it and you have data that you can query and see pretty graphs with. Here's a copy / paste type guide that I wrote a while back to get Snort / Barnyard installed and running on a CentOS 5.5 system. You just need a box with at least two interfaces.
http://kimiushida.com/bitsandpieces/articles/snort_quickstart_on_centos_5.5/
Writing your own rules is the fun part. A web-based GUI to manage everything is nice and all, but it really helps to be able to dig into the guts and see how things are structured via CLI as well. This is critical if you're trying to learn IDS. Snort as an engine is constantly improving, and EasyIDS is a couple of years out of date at this point. Also, spend some time reading through the excellent Snort user's guide.Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/ -
the_Grinch Member Posts: 4,165 ■■■■■■■■■■I will say this thread has been awesome! Lots of tools I hadn't heard of, so thanks all!WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff -
nicklauscombs Member Posts: 885Bl8ckr0uter wrote: »http://www.turnkeylinux.org/forum/general/20101206/insta-snorby-official-snort-snorby-turn-key-solution
This looks promising. In fact I might look this up this weekend.
walked through part of the install this afternoon but unfortunately i had to leave for work before finishing. from what i saw it looks like an incredibly easy way to get snort up and running. very promising indeed. will post more once i finish it out. either tomorrow or monday.WIP: IPS exam -
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□Awesome. Im probably going to go through this as well. Update the thread with your thoughts.
-
jmu200 Member Posts: 11 ■□□□□□□□□□You may want to check out Security Onion (Security Onion). I think it's freaking awesome. To quote the website:
"The Security Onion LiveDVD is a bootable DVD that contains software used for installing, configuring, and testing Intrusion Detection Systems. It is based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Squert, Xplico, nmap, metasploit, Armitage, scapy, hping, netcat, tcpreplay, and many other security tools."
It has been a great learning tool and I've used it in production. Great for a beginner to get up an running quickly. Sguil really kicks butt as it lets you query your alerts in depth and effortlessly. I'm curious what commercial solution could be better?
It is of course great to install all the packages on your own, as that is a great learning experience as well.
-
nicklauscombs Member Posts: 885thanks for the heads up. looks like i have some projects to work on this week as i'm mostly off work.WIP: IPS exam
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□nicklauscombs wrote: »thanks for the heads up. looks like i have some projects to work on this week as i'm mostly off work.
What I am concerned about Nick is using all of these prebuilt isos will not help with complete learning. Similar to using a gui in linux, ya know? I don't know, I am still going to check it out. -
nicklauscombs Member Posts: 885Bl8ckr0uter wrote: »What I am concerned about Nick is using all of these prebuilt isos will not help with complete learning. Similar to using a gui in linux, ya know? I don't know, I am still going to check it out.
agreed, however i am more concerned (for now) with the learning done inside snort more so than the initial setup.WIP: IPS exam -
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□nicklauscombs wrote: »agreed, however i am more concerned (for now) with the learning done inside snort more so than the initial setup.
I understand that completely. How are the LPIC-1 studies coming? -
nicklauscombs Member Posts: 885Bl8ckr0uter wrote: »I understand that completely. How are the LPIC-1 studies coming?
actually coming along decently considering the whirlwind of the past three weeks since taking on my new job.WIP: IPS exam