Thread: IDS Systems

  1. BOBBY_TABLES RobertKaucher
    Join Date
    Dec 2007
    Location
    Lebanon, Ohio - USA
    Posts
    4,274

    Certifications
    MCSD Web Apps/SharePoint Applications, MCITP: DBA 2005/2008, EA, EDA7, Linux+, Sec+, MCSE, MCDST, MCTS
    #1

    IDS Systems

    I am already familiar with some of the more popular IDS systems such as SNORT and OSSec, but I would like to know what the security-minded admins have used and what they have found to be easy to administer and configure. Please provide details! I love a good story.

    (Background: We have had some issues with spam bots and viruses on our network and I would like something to assist in managing the security component of the network.)

  3. SupremeNetworkOverlord Moderator Ahriakin
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,798

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #2
    Referencing your other post too: those denies you place for SMTP, make sure you log them as well, and set up automated alerts in your Syslog server to email you when hits are encountered from your private range (Splunk is great for this).

    For pure IDS functionality Snort is obviously the best bang for the buck, and compares well enough to commercial products. For full-blown IPS, if you still want to stick with open source, try setting up an Untangle box, Open Source Network Gateway | Untangle (includes SNORT in IPS mode, as well as some other cool tools). The best commercial IPS I've used are TippingPoints, not cheap though.
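    Ahriakin's advice above (log the SMTP denies, alert on hits from your private range) as a small detection script over firewall syslog. This is an added example, not code from the thread or from Splunk; the iptables-style log layout, the MAIL_SERVER address and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (not from the thread). The iptables-style key=value
# format is an assumption; adjust FIELD_RE for your firewall's syslog layout.
SAMPLE_SYSLOG = """\
Jan 12 10:01:02 gw kernel: DENY IN=eth1 OUT=eth0 SRC=192.168.10.45 DST=203.0.113.7 PROTO=TCP SPT=51234 DPT=25
Jan 12 10:01:03 gw kernel: DENY IN=eth1 OUT=eth0 SRC=192.168.10.45 DST=203.0.113.8 PROTO=TCP SPT=51235 DPT=25
Jan 12 10:01:04 gw kernel: DENY IN=eth1 OUT=eth0 SRC=192.168.10.45 DST=203.0.113.9 PROTO=TCP SPT=51236 DPT=25
Jan 12 10:01:05 gw kernel: DENY IN=eth1 OUT=eth0 SRC=192.168.10.20 DST=198.51.100.2 PROTO=TCP SPT=40000 DPT=25
Jan 12 10:01:06 gw kernel: DENY IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.168.10.5 PROTO=TCP SPT=4444 DPT=25
Jan 12 10:01:07 gw kernel: DENY IN=eth1 OUT=eth0 SRC=192.168.10.45 DST=203.0.113.7 PROTO=TCP SPT=51237 DPT=80
Jan 12 10:01:08 gw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.10.3 DST=203.0.113.7 PROTO=TCP SPT=51238 DPT=25
"""

# Assumed: the one internal host that is allowed to send mail directly.
MAIL_SERVER = ipaddress.ip_address("192.168.10.3")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split one syslog line into its key=value fields plus the firewall verdict."""
    fields = dict(FIELD_RE.findall(line))
    fields["verdict"] = "DENY" if " DENY " in line else "OTHER"
    return fields

def smtp_denies_from_private(lines):
    """Count denied outbound TCP/25 attempts per RFC1918 source, ignoring the mail server."""
    hits = Counter()
    for line in lines.splitlines():
        f = parse_line(line)
        if f["verdict"] != "DENY" or f.get("PROTO") != "TCP" or f.get("DPT") != "25" or "SRC" not in f:
            continue
        src = ipaddress.ip_address(f["SRC"])
        if src != MAIL_SERVER and any(src in net for net in RFC1918):
            hits[str(src)] += 1
    return hits

def alerts(lines, threshold=3):
    """Internal hosts whose denied SMTP attempts reach the threshold: likely spam bots."""
    return sorted(h for h, n in smtp_denies_from_private(lines).items() if n >= threshold)

if __name__ == "__main__":
    for host in alerts(SAMPLE_SYSLOG):
        print(f"ALERT: {host} repeatedly tried to send mail directly to the Internet")
```

    Only a real mail relay should be talking to port 25 on the Internet, so any other internal source tripping the deny rule several times is worth a look.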

  4. Cyber Ninja L0gicB0mb508
    Join Date
    Apr 2005
    Location
    Teh Tubes
    Posts
    535

    Certifications
    GCIA, GCIH, MCP, Net+, Sec+, CCNA, Proj+, A+, CIW, AESA, CCNA:Sec
    #3
    I'd probably just stick with Snort. As stated above, make sure you are collecting your logs to a syslog on your firewall or gateway. You may also want to do some tcpdump caps from the Snort box. You can then look at the packet level for things Snort didn't catch.

  5. SupremeNetworkOverlord Moderator Ahriakin
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,798

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #4
    Quote Originally Posted by L0gicB0mb508:
    You may also want to do some tcpdump caps from the Snort box. You can then look at the packet level for things Snort didn't catch.
    Good point. I'd recommend NGrep as well for live filtering; it saves having to capture, load into an analyzer, refine the capture, etc. You can do it on the fly.

  6. sporadic member shednik
    Join Date
    Feb 2007
    Location
    Pittsburgh, PA
    Posts
    2,005

    Certifications
    CCNP, JNCIP-ENT, JNCIS-SP, JNCIA, JNCDA, CCNA, CCNA:Security, MCP, A+, N+, L+, MST:InfoSec, CNSS 4011-4015
    #5
    We use TippingPoints at my company globally; it seems to do its job.

  7. BOBBY_TABLES RobertKaucher
    Join Date
    Dec 2007
    Location
    Lebanon, Ohio - USA
    Posts
    4,274

    Certifications
    MCSD Web Apps/SharePoint Applications, MCITP: DBA 2005/2008, EA, EDA7, Linux+, Sec+, MCSE, MCDST, MCTS
    #6
    Thanks for the input, guys. I think I'm going to use EasyIDS: CentOS Linux with Snort and Barnyard, etc. already installed. Being that I am the only IT staff and I am the Net Admin, DBA, developer, and help desk, I have to have something simple that won't take up much time.

    Has anyone here used EasyIDS?

  8. Senior Member
    Join Date
    Jul 2009
    Posts
    2,056

    Certifications
    Beer+
    #7
    We have a TippingPoint at work.

    I say have instead of use, because it's still in the box.

  9. BOBBY_TABLES RobertKaucher
    Join Date
    Dec 2007
    Location
    Lebanon, Ohio - USA
    Posts
    4,274

    Certifications
    MCSD Web Apps/SharePoint Applications, MCITP: DBA 2005/2008, EA, EDA7, Linux+, Sec+, MCSE, MCDST, MCTS
    #8
    Quote Originally Posted by Hyper-Me:
    We have a TippingPoint at work.

    I say have instead of use, because it's still in the box.
    If you'd get off your lazy bum and stop studying for beta exams, maybe you guys could deploy it!

    Seriously, though... Is this one of those projects you have no time for because of the non-productive work you are getting drafted into? You mentioned that in another thread.

  10. Cyber Ninja L0gicB0mb508
    Join Date
    Apr 2005
    Location
    Teh Tubes
    Posts
    535

    Certifications
    GCIA, GCIH, MCP, Net+, Sec+, CCNA, Proj+, A+, CIW, AESA, CCNA:Sec
    #9
    Quote Originally Posted by RobertKaucher:
    Thanks for the input, guys. I think I'm going to use EasyIDS: CentOS Linux with Snort and Barnyard, etc. already installed. Being that I am the only IT staff and I am the Net Admin, DBA, developer, and help desk, I have to have something simple that won't take up much time.

    Has anyone here used EasyIDS?
    I haven't used it personally, but I have built Snort boxes on CentOS before. It appears to even use the BASE front end. Should give you a slick little interface to catch some alerts. You will obviously have to spend a little time tuning it down. It's not a horrible process, but it can get a little cumbersome. Just make sure you watch what rules you cut out. You really don't want to kill a good rule. You'll also want to set your environmental variables (what servers are hosting what). If you really want a good IDS, I would install some third-party rulesets as well. A good one that comes to mind is Emerging Threats. If you plan on keeping this box in production, download and install Oinkmaster (if it isn't already installed). Oinkmaster is basically a Perl script that will download, untar, and make Snort use rulesets. It really helps in rule management. Make sure you register at snort.org and get the updated rules!
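    L0gicB0mb508's two tuning points above (set your variables so rules point at the right servers, and be careful which rules you cut) as a rule-hygiene check that comments rules out instead of deleting them and flags rules referencing variables the config never defines. Added example, not part of the thread, Snort or Oinkmaster; the snort.conf fragment, rules and SIDs are constructed.

```python
import re

# Constructed snort.conf fragment and rules (example data, not from the thread).
SNORT_CONF = """\
ipvar HOME_NET [192.168.10.0/24]
ipvar EXTERNAL_NET !$HOME_NET
ipvar SMTP_SERVERS [192.168.10.3]
portvar HTTP_PORTS [80,8080]
"""
RULES = """\
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXAMPLE smtp probe"; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"EXAMPLE internal host sending mail"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"EXAMPLE mssql probe"; sid:1000003; rev:1;)
# alert icmp any any -> $HOME_NET any (msg:"EXAMPLE ping"; sid:1000004; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
VAR_RE = re.compile(r"\$(\w+)")

def is_active(line):
    """A rule line that carries a sid and is not commented out."""
    return bool(SID_RE.search(line)) and not line.lstrip().startswith("#")

def defined_vars(conf):
    """Names declared with var/ipvar/portvar in a snort.conf fragment."""
    return set(re.findall(r"^(?:ip|port)?var\s+(\w+)", conf, re.M))

def undefined_vars(conf, rules):
    """sid -> variables an active rule uses that the config never defines (Snort rejects those)."""
    known = defined_vars(conf)
    problems = {}
    for line in filter(is_active, rules.splitlines()):
        missing = sorted(set(VAR_RE.findall(line)) - known)
        if missing:
            problems[int(SID_RE.search(line).group(1))] = missing
    return problems

def disable_sids(rules, sids):
    """Comment out (rather than delete) rules by sid, so a tuned-out rule can be restored later."""
    out = []
    for line in rules.splitlines():
        if is_active(line) and int(SID_RE.search(line).group(1)) in sids:
            line = "# " + line
        out.append(line)
    return "\n".join(out) + "\n"

def enabled_sids(rules):
    """Sorted sids of the rules that will actually load."""
    return sorted(int(SID_RE.search(l).group(1)) for l in rules.splitlines() if is_active(l))
```

    Keeping the disabled SID list in a file alongside the rules gives you a record of what was tuned out and why, which is what you need when an update re-adds a rule you had deliberately silenced.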

  11. Senior Member
    Join Date
    Jul 2009
    Posts
    2,056

    Certifications
    Beer+
    #10
    Quote Originally Posted by RobertKaucher:
    If you'd get off your lazy bum and stop studying for beta exams, maybe you guys could deploy it!

    Seriously, though... Is this one of those projects you have no time for because of the non-productive work you are getting drafted into? You mentioned that in another thread.
    Unfortunately the TippingPoint falls under the jurisdiction of our network team, and there is just nobody on that team who has the knowledge or ability to make it work properly. Much in the same way that we spent thousands on WhatsUp Gold, but don't even use SNMP. It's just set up to ping several thousand switches. I have too much on my plate to even think of taking on their projects.

    Although, we will be deploying a large-scale ISA 2006 setup soon and I'm sure that will fall on me since it's an MS product.

  12. Certification Invigilator Forum Admin JDMurray
    Join Date
    Jul 2003
    Location
    Surf City USA
    Posts
    10,615
    Blog Entries
    50

    Certifications
    GSEC, EnCE, CISSP, SSCP, CEH (ANSI), CASP, CCNA, CCENT, CWSP, CWNA, CWTS, Security+, Server+, Network+, A+, DHTI+, PDI+, MSIT InfoSec
    #11
    Please use multiple IDS solutions on your networks. Snort is very commonly used, and many IDS products are based on it. This means that pen testers (both good and evil) are constantly testing their methods against Snort to discover ways to evade its detection. Having several IDS solutions--like having several A/V solutions--will help discover more security incidents when one catches something that the others miss.

    Quote Originally Posted by Hyper-Me:
    Unfortunately the TippingPoint falls under the jurisdiction of our network team, and there is just nobody on that team who has the knowledge or ability to make it work properly.
    It's astonishing how many IT departments think they can bring in major solutions like TippingPoint, ArcSight, RSA, etc. and not have dedicated, trained personnel for monitoring/maintenance of those solutions. Of course, the solution vendor's sales people will do their best to express how little attention their solution needs to do its job--and actually saves you time by its use--which is rarely the case. I used to work for a company like that.
    Moderator of the InfoSec, CWNP, IT Jobs, Virtualization, Java, and Microsoft Developers forums at www.techexams.net
    --
    Blog: www.techexams.net/blogs/jdmurray
    LinkedIn: www.linkedin.com/in/jamesdmurray
    Twitter: www.twitter.com/jdmurray

  13. Senior Member
    Join Date
    Jul 2009
    Posts
    2,056

    Certifications
    Beer+
    #12
    Quote Originally Posted by JDMurray:

    It's astonishing how many IT departments think they can bring in major solutions like TippingPoint, ArcSight, RSA, etc. and not have dedicated, trained personnel for monitoring/maintenance of those solutions. Of course, the solution vendor's sales people will do their best to express how little attention their solution needs to do its job--and actually saves you time by its use--which is rarely the case. I used to work for a company like that.

    Take that astonishment and multiply it by 1000, and that is how you would feel about our network team.

    Like I said, they can't even set up SNMP, STP, or IGMP correctly on any of our switches.

    We are bringing up WDS servers in various sites, and when we try to multicast the entire site will lock up, only to find that there is a 10-year-old switch in the MDF that a dozen new switches are plugged into.

  14. Senior Member
    Join Date
    Nov 2008
    Location
    Florida
    Posts
    258

    Certifications
    some
    #13
    Quote Originally Posted by JDMurray:

    It's astonishing how many IT departments think they can bring in major solutions like TippingPoint, ArcSight, RSA, etc. and not have dedicated, trained personnel for monitoring/maintenance of those solutions.
    Yeah, it seems to be like that everywhere I have worked.