IDS Systems

RobertKaucher Member Posts: 4,299
I am already familiar with some of the more popular IDS systems such as SNORT and OSSec, but I would like to know what the security-minded admins have used and what they have found to be easy to administer and configure. Please provide details! I love a good story.

(Background: We have had some issue with spam bots and viruses on our network and I would like something to assist in managing the security component of the network.)

Comments

  • Ahriakin Member Posts: 1,799
    Referencing your other post too: those denies you place for SMTP, make sure you log them too, and set up automated alerts in your syslog server to email you when hits are encountered from your private range (Splunk is great for this).

    For pure IDS functionality Snort is obviously the best bang for the buck, and compares well enough to commercial products. For full-blown IPS, if you still want to stick with open source, try setting up an Untangle box (Open Source Network Gateway | Untangle); it includes SNORT in IPS mode, as well as some other cool tools. The best commercial IPS I've used are TippingPoints, not cheap though.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
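The alerting Ahriakin describes, as an added example that is not from any poster in this thread: a small Python script that reads firewall syslog lines, keeps only denies on outbound TCP/25 from RFC 1918 sources, and reports the internal hosts that keep hitting the rule (on a network with spam bots, those are the infected machines). It assumes the deny rule is a netfilter/iptables LOG rule with the prefix `SMTP-DENY`; the log lines are constructed samples.

```python
import re
import ipaddress
from collections import Counter

# RFC 1918 ranges; swap in the site's own private range if it differs.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# key=value fields as written by a netfilter/iptables LOG rule (assumed log format);
# "SMTP-DENY" is the assumed --log-prefix of the deny rule.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

def parse_deny(line):
    """Return (src, dst, proto, dport) for a logged SMTP deny, else None."""
    if "SMTP-DENY" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if not all(k in fields for k in ("SRC", "DST", "PROTO", "DPT")):
        return None
    return fields["SRC"], fields["DST"], fields["PROTO"], int(fields["DPT"])

def smtp_offenders(lines, threshold=3):
    """Count blocked outbound TCP/25 attempts per internal host and return
    the hosts that reached the threshold (the ones worth an email alert)."""
    hits = Counter()
    for line in lines:
        parsed = parse_deny(line)
        if parsed is None:
            continue
        src, _dst, proto, dport = parsed
        if proto == "TCP" and dport == 25 and is_private(src):
            hits[src] += 1
    return {src: n for src, n in hits.items() if n >= threshold}

# Constructed sample syslog lines (not real traffic): one workstation hits the
# rule three times, a second host once on 25 and once on 587, then unrelated noise.
SAMPLE_LOG = """\
Mar 12 10:01:03 fw kernel: SMTP-DENY IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=25
Mar 12 10:01:04 fw kernel: SMTP-DENY IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.11 PROTO=TCP SPT=51235 DPT=25
Mar 12 10:01:05 fw kernel: SMTP-DENY IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.12 PROTO=TCP SPT=51236 DPT=25
Mar 12 10:01:06 fw kernel: SMTP-DENY IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.12 PROTO=TCP SPT=40000 DPT=25
Mar 12 10:01:07 fw kernel: SMTP-DENY IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.12 PROTO=TCP SPT=40001 DPT=587
Mar 12 10:01:08 fw sshd[1234]: Accepted publickey for admin from 192.168.1.5
""".splitlines()

if __name__ == "__main__":
    for host, count in sorted(smtp_offenders(SAMPLE_LOG).items()):
        print(f"ALERT: {host} hit the SMTP deny rule {count} times")
```

Feed it the syslog file (or wire the same filter into a Splunk saved search) and mail the result; the threshold keeps a single stray connection from paging you.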
  • L0gicB0mb508 Member Posts: 538
    I'd probably just stick with Snort. As stated above, make sure you are collecting your logs to a syslog on your firewall or gateway. You may also want to do some tcpdump caps from the Snort box. You can then look at the packet level for things Snort didn't catch.
    I bring nothing useful to the table...
  • Ahriakin Member Posts: 1,799
    L0gicB0mb508 wrote: »
    You may also want to do some tcpdump caps from the Snort box. You can then look at the packet level for things Snort didn't catch.

    Good point. I'd recommend NGrep as well for live filtering; it saves having to capture, load into an analyzer, refine the capture, etc. You can do it on the fly.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • shednik Member Posts: 2,005
    We use TippingPoints at my company globally, seems to do its job.
  • RobertKaucher Member Posts: 4,299
    Thanks for the input, guys. I think I'm going to use EasyIDS: CentOS Linux with Snort, Barnyard, etc. already installed. Being that I am the only IT staff and I am the Net Admin, DBA, developer, and help desk, I have to have something simple that won't take up much time.

    Has anyone here used EasyIDS?
  • Hyper-Me Banned Posts: 2,059
    We have a TippingPoint at work.

    I say have instead of use, because it's still in the box. :D
  • RobertKaucher Member Posts: 4,299
    Hyper-Me wrote: »
    We have a TippingPoint at work.

    I say have instead of use, because it's still in the box. :D

    If you'd get off your lazy bum and stop studying for beta exams maybe you guys could deploy it!

    Seriously, though... Is this one of those projects you have no time for because of the non-productive work you are getting drafted into? You mentioned that in another thread.
  • L0gicB0mb508 Member Posts: 538
    RobertKaucher wrote: »
    Thanks for the input, guys. I think I'm going to use EasyIDS: CentOS Linux with Snort, Barnyard, etc. already installed. Being that I am the only IT staff and I am the Net Admin, DBA, developer, and help desk, I have to have something simple that won't take up much time.

    Has anyone here used EasyIDS?

    I haven't used it personally, but I have built Snort boxes on CentOS before. It appears to even use the BASE front end. It should give you a slick little interface to catch some alerts. You will obviously have to spend a little time tuning it down. It's not a horrible process, but it can get a little cumbersome. Just make sure you watch what rules you cut out; you really don't want to kill a good rule. You'll also want to set your environment variables (what servers are hosting what). If you really want a good IDS, I would install some 3rd-party rulesets as well. A good one that comes to mind is Emerging Threats. If you plan on keeping this box in production, download and install Oinkmaster (if it isn't already installed). Oinkmaster is basically a Perl script that will download, untar, and make Snort use rulesets. It really helps in rule management. Make sure you register at snort.org and get the updated rules!
    I bring nothing useful to the table...
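The tuning step in the post above ("watch what rules you cut out"), as an added example that is not from any poster in this thread: a Python script that summarises Snort `alert_fast` lines per rule and, for a noisy rule that only ever fires from hosts you already trust (say, the real mail server), emits a per-source `suppress` line for threshold.conf instead of deleting the rule, so it still fires for every other host. The alert lines and the SIDs in the 1000000+ local-rule range are constructed samples.

```python
import re

# Snort "alert_fast" line layout (assumed; the constructed samples below follow it).
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

def summarize(lines):
    """Group alerts by (gid, sid): hit count, rule message and the set of source IPs."""
    stats = {}
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue
        key = (int(m["gid"]), int(m["sid"]))
        entry = stats.setdefault(key, {"msg": m["msg"], "count": 0, "sources": set()})
        entry["count"] += 1
        entry["sources"].add(m["src"])
    return stats

def suppress_candidates(stats, known_hosts, min_hits=3):
    """Rules that fire at least min_hits times and only from trusted hosts get a
    per-source suppression; anything also seen from other hosts is left alone."""
    out = []
    for (gid, sid), e in sorted(stats.items()):
        if e["count"] >= min_hits and e["sources"] <= set(known_hosts):
            for ip in sorted(e["sources"]):
                out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}")
    return out

# Constructed sample alerts: the mail server trips a local rule three times,
# a workstation trips another one three times (the spam-bot case).
SAMPLE_ALERTS = """\
03/12-10:02:15.000001  [**] [1:1000001:1] LOCAL outbound SMTP [**] [Priority: 2] {TCP} 192.168.1.10:40001 -> 203.0.113.5:25
03/12-10:02:16.000002  [**] [1:1000001:1] LOCAL outbound SMTP [**] [Priority: 2] {TCP} 192.168.1.10:40002 -> 203.0.113.6:25
03/12-10:02:17.000003  [**] [1:1000001:1] LOCAL outbound SMTP [**] [Priority: 2] {TCP} 192.168.1.10:40003 -> 203.0.113.7:25
03/12-10:02:18.000004  [**] [1:1000002:1] LOCAL workstation SMTP burst [**] [Priority: 1] {TCP} 192.168.1.57:51234 -> 203.0.113.8:25
03/12-10:02:19.000005  [**] [1:1000002:1] LOCAL workstation SMTP burst [**] [Priority: 1] {TCP} 192.168.1.57:51235 -> 203.0.113.9:25
03/12-10:02:20.000006  [**] [1:1000002:1] LOCAL workstation SMTP burst [**] [Priority: 1] {TCP} 192.168.1.57:51236 -> 203.0.113.9:25
""".splitlines()

if __name__ == "__main__":
    stats = summarize(SAMPLE_ALERTS)
    for (gid, sid), e in sorted(stats.items()):
        print(f"{gid}:{sid} {e['msg']!r} hits={e['count']} sources={sorted(e['sources'])}")
    print("\n".join(suppress_candidates(stats, known_hosts=["192.168.1.10"])))
```

Run it over the alert file after each Oinkmaster update and review the summary before touching the ruleset; only the mail-server rule gets a suppression, the workstation burst stays visible.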
  • Hyper-Me Banned Posts: 2,059
    RobertKaucher wrote: »
    If you'd get off your lazy bum and stop studying for beta exams maybe you guys could deploy it!

    Seriously, though... Is this one of those projects you have no time for because of the non-productive work you are getting drafted into? You mentioned that in another thread.

    Unfortunately the TippingPoint falls under the jurisdiction of our network team, and there is just nobody on that team who has the knowledge or ability to make it work properly. Much in the same way that we spent thousands on WhatsUp Gold, but don't even use SNMP. It's just set up to ping several thousand switches. I have too much on my plate to even think of taking on their projects.

    Although, we will be deploying a large-scale ISA 2006 setup soon and I'm sure that will fall on me since it's an MS product.
  • JDMurray Admin Posts: 13,023
    Please use multiple IDS solutions on your networks. Snort is very commonly used, and many IDS products are based on it. This means that pen testers (both good and evil) are constantly testing their methods against Snort to discover ways to evade its detection. Having several IDS solutions--like having several A/V solutions--will help discover more security incidents when one catches something that the others miss.
    Hyper-Me wrote: »
    Unfortunately the TippingPoint falls under the jurisdiction of our network team, and there is just nobody on that team who has the knowledge or ability to make it work properly.
    It's astonishing how many IT departments think they can bring in major solutions like TippingPoint, ArcSight, RSA, etc. and not have dedicated, trained personnel for monitoring/maintenance of those solutions. Of course, the solution vendor's sales people will do their best to express how little attention their solution needs to do its job--and actually saves you time by its use--which is rarely the case. I used to work for a company like that. ;)
  • Hyper-Me Banned Posts: 2,059
    JDMurray wrote: »
    It's astonishing how many IT departments think they can bring in major solutions like TippingPoint, ArcSight, RSA, etc. and not have dedicated, trained personnel for monitoring/maintenance of those solutions. Of course, the solution vendor's sales people will do their best to express how little attention their solution needs to do its job--and actually saves you time by its use--which is rarely the case. I used to work for a company like that. ;)

    Take that astonishment and multiply it by 1000, and that is how you would feel about our network team.

    Like I said, they can't even set up SNMP, STP, or IGMP correctly on any of our switches.

    We are bringing up WDS servers in various sites, and when we try to multicast the entire site will lock up, only to find that there is a 10-year-old switch in the MDF that a dozen new switches are plugged into.
  • carboncopy Member Posts: 259
    JDMurray wrote: »

    It's astonishing how many IT departments think they can bring in major solutions like TippingPoint, ArcSight, RSA, etc. and not have dedicated, trained personnel for monitoring/maintenance of those solutions.

    Yeah, it seems to be like that everywhere I have worked.