easyids

i noticed this is now quite out of date, is there a similar project currently out there? other suggestions for getting snort up and running quick and easy at home?
WIP: IPS exam

Comments

  • nicklauscombsnicklauscombs Member Posts: 885
    found this as an option: Snort IDS Sensor with Sguil Framework ISO

    hoping to try it out in the next couple of days / early next week. any other options anyone knows of?
    WIP: IPS exam
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    found this as an option: Snort IDS Sensor with Sguil Framework ISO

    hoping to try it out in the next couple of days / early next week. any other options anyone knows of?

    What exactly are you looking for? Just snort based stuff? I was actually looking at bro a while back.

    Bro Intrusion Detection System - Bro Overview
  • nicklauscombsnicklauscombs Member Posts: 885
    What exactly are you looking for? Just snort based stuff? I was actually looking at bro a while back.

    Bro Intrusion Detection System - Bro Overview

    yup, just looking for a quick easy way to get snort running to play around with a bit, bro looks interesting though ill have to look into that a little more.
    WIP: IPS exam
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    yup, just looking for a quick easy way to get snort running to play around with a bit, bro looks interesting though ill have to look into that a little more.


    http://www.turnkeylinux.org/forum/general/20101206/insta-snorby-official-snort-snorby-turn-key-solution

    This looks promising. In fact I might look this up this weekend.
  • JDMurrayJDMurray Admin Posts: 13,101 Admin
    I would highly advise staying with Snort of you are looking for knowledge and experience at configuring and running an IDS. Besides there being a lot of available Snort tutorials and expertise on the Web, many commercial IDS and SIEM products are based on Snort, making it an excellent tool to know how to use and show off your knowledge of in an interview.
  • Paul BozPaul Boz Member Posts: 2,620 ■■■■■■■■□□
    To second JD, I have to also push for Snort if you're starting to learn intrusion detection and prevention. Snort was the first real player in the game of IPS/IDS and the project has simply had much more time to evolve and mature. It is also more of a ground-up community lead initiative unlike commercial offerings like Cisco, McAfee, etc. I manage a large number of Cisco IPS and a smaller number of Sourcefire boxes and I want to migrate my Cisco IPS infrastructure to Sourcefire more than you can believe.

    I feel that if you are competent in Snort it will take you very far. I may have mentioned this before, but about a month ago I was asked to review, procure, and deploy a IPS in under two weeks. I had literally eight hours with the appliance before I had to install it in-line into production traffic but because I had EasyIDS and general CLI snort experience I got it done with flying colors. I always wondered why I was bothering to learn stuff like EasyIDS but this exercise proved to me that you can never be over-prepared.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • JDMurrayJDMurray Admin Posts: 13,101 Admin
    And regardless of the IDS, you should also get some hands-on experience with Splunk. It's another tool you find a lot of people using. Just for practicing, install it in a VM snapshot and revert back to new when you need to. ;)
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    JDMurray wrote: »
    And regardless of the IDS, you should also get some hands-on experience with Splunk. It's another tool you find a lot of people using. Just for practicing, install it in a VM snapshot and revert back to new when you need to. ;)

    Good tip. What popular Siems do people use? Alienvault says they are the most popular (opensource siem). I know Arcsight is pretty popular. What other big name ones are out there?
  • nicklauscombsnicklauscombs Member Posts: 885
    JDMurray wrote: »
    And regardless of the IDS, you should also get some hands-on experience with Splunk. It's another tool you find a lot of people using. Just for practicing, install it in a VM snapshot and revert back to new when you need to. ;)

    jd and paul, thanks for the suggestions ill definitely be sticking with the snort install at home to get some experience. as for splunk i just got access to it at work as of yesterday so im looking forward to taking the deep dive into that tool.
    WIP: IPS exam
  • nicklauscombsnicklauscombs Member Posts: 885
    Good tip. What popular Siems do people use? Alienvault says they are the most popular (opensource siem). I know Arcsight is pretty popular. What other big name ones are out there?

    Enterprise SIEM - NitroSecurity - Security Information and Event Management (SIEM) - had the opportunity to play around with nitroview over the last couple of days.
    WIP: IPS exam
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
  • nicklauscombsnicklauscombs Member Posts: 885
    on my hit list at some point in the future, have read parts of tao but havent checked out the other. definitely will look into that one this evening at work, thanks for the suggestion!
    WIP: IPS exam
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    on my hit list at some point in the future, have read parts of tao but havent checked out the other. definitely will look into that one this evening at work, thanks for the suggestion!

    Before my attempt I am going to pick this up to:
    Amazon.com: Security Monitoring: Proven Methods for Incident Detection on Enterprise Networks (9780596518165): Chris Fry, Martin Nystrom: Books
  • JDMurrayJDMurray Admin Posts: 13,101 Admin
    I know Arcsight is pretty popular.
    And very expensive. ArcSight is the primo leading in SIEM products and their pricing sheet reflects it. They remind me of Oracle for databases, Google for search engines, and VMware for virtualization. Arcsights is great at finding ways to keep its customers paying reoccurring fees and for upgrades. I know of several large businesses that got sticker-shock after they installed ArcSight because they weren't aware of how much on-going training and support was needed and the cost.
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    I'll agree with what others mentioned about Snort. Splunk is also very easy to get up and running - just start syslogging stuff out to it and you have data that you can query and see pretty graphs with. Here's a copy / paste type guide that I wrote a while back to get Snort / Barnyard installed and running on a CentOS 5.5 system. You just need a box with at least two interfaces.

    http://kimiushida.com/bitsandpieces/articles/snort_quickstart_on_centos_5.5/

    Writing your own rules is the fun part. A web-based GUI to manage everything is nice and all, but it really helps to be able to dig into the guts and see how things are structured via CLI as well. This is critical if you're trying to learn IDS. Snort as an engine is constantly improving, and EasyIDS is a couple of years out of date at this point. Also, spend some time reading through the excellent Snort user's guide.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • the_Grinchthe_Grinch Member Posts: 4,165 ■■■■■■■■■■
    I will say this thread has been awesome! Lots of tools I hadn't heard of, so thanks all!
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • nicklauscombsnicklauscombs Member Posts: 885

    walked through part of the install this afternoon but unfortunately i had to leave for work before finishing. from what i saw it looks like an incredibly easy way to get snort up and running. very promising indeed. will post more once i finish it out. either tomorrow or monday.
    WIP: IPS exam
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Awesome. Im probably going to go through this as well. Update the thread with your thoughts.
  • jmu200jmu200 Member Posts: 11 ■□□□□□□□□□
    You may want to check out Security Onion (Security Onion). I think it's freaking awesome. To quote the website:

    "The Security Onion LiveDVD is a bootable DVD that contains software used for installing, configuring, and testing Intrusion Detection Systems. It is based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Squert, Xplico, nmap, metasploit, Armitage, scapy, hping, netcat, tcpreplay, and many other security tools."

    It has been a great learning tool and I've used it in production. Great for a beginner to get up an running quickly. Sguil really kicks butt as it lets you query your alerts in depth and effortlessly. I'm curious what commercial solution could be better?

    It is of course great to install all the packages on your own, as that is a great learning experience as well.


  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    downloading now. Awesome find.
  • nicklauscombsnicklauscombs Member Posts: 885
    thanks for the heads up. looks like i have some projects to work on this week as i'm mostly off work.
    WIP: IPS exam
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    thanks for the heads up. looks like i have some projects to work on this week as i'm mostly off work.

    What I am concerned about Nick is using all of these prebuilt isos will not help with complete learning. Similar to using a gui in linux, ya know? I don't know, I am still going to check it out.
  • nicklauscombsnicklauscombs Member Posts: 885
    What I am concerned about Nick is using all of these prebuilt isos will not help with complete learning. Similar to using a gui in linux, ya know? I don't know, I am still going to check it out.

    agreed, however i am more concerned (for now) with the learning done inside snort more so than the initial setup.
    WIP: IPS exam
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    agreed, however i am more concerned (for now) with the learning done inside snort more so than the initial setup.

    I understand that completely. How are the LPIC-1 studies coming?
  • nicklauscombsnicklauscombs Member Posts: 885
    I understand that completely. How are the LPIC-1 studies coming?

    actually coming along decently considering the whirlwind of the past three weeks since taking on my new job.
    WIP: IPS exam
Sign In or Register to comment.