RE: IIS and Snort

From: Mike Coliton (mcoliton@twmi.rr.com)
Date: 09/20/01


From: "Mike Coliton" <mcoliton@twmi.rr.com>
To: "Kelley, John" <john.kelley@nmci-isf.com>, "Brian Carvalho" <brian.carvalho@verizon.net>, <focus-ids@securityfocus.com>
Subject: RE: IIS and Snort
Date: Wed, 19 Sep 2001 19:30:21 -0400
Message-ID: <AKEHKFFIDEEOJGPKCBKFAEKGCEAA.mcoliton@twmi.rr.com>

If you have more time than money, then OpenSnort is a great application.
Snort (like any NIDS) takes time to set up and tune as well. You may want
to consider Marty's new Sourcefire box. It will cost money, but will save
you a great deal of time (thus money).

Check out www.sourcefire.com. Either way, good choice.

-----Original Message-----
From: Kelley, John [mailto:john.kelley@nmci-isf.com]
Sent: Wednesday, September 19, 2001 6:38 PM
To: Brian Carvalho; focus-ids@securityfocus.com
Cc: focus-ms@securityfocus.com
Subject: RE: IIS and Snort

Yes
Yes
Yes

First go to snort.org and look for a great win32 panel for Snort called
'IDS Panel'.
The rule sets are very configurable and it's up to you to mix and match
the sigs.
Get the latest sigs from whitehats.com.

-Grep

-----Original Message-----
From: Brian Carvalho [mailto:brian.carvalho@verizon.net]
Sent: Wednesday, September 19, 2001 6:19 PM
To: focus-ids@securityfocus.com
Cc: focus-ms@securityfocus.com
Subject: IIS and Snort

My company has an IIS 5 webserver sitting on the perimeter of
its network. I have done my best to disable and remove just about
every possible service, program and other file that is not needed.
In my novice eyes, I believe I have a bastion host.

I would like to set up some sort of IDS to monitor for this server.
What would be the best solution here? I was thinking of
Snort because I've heard so much good praise about it, and
because it's free.

I have some questions I hope you can shed some light on
to get me moving up to speed...

Would Snort be a good choice for my application?

Are there specific Snort rulesets for IIS?

Is there any way to send alerts with Snort?

Should I monitor on the actual server or from an admin
machine?

Any help you can give me would be appreciated...

Thank you.


