Re: newbie questions

From: Dave Aitel (dave_at_immunitysec.com)
Date: 12/31/04

    Date: Fri, 31 Dec 2004 00:14:30 -0500
    To: "Harper, Patrick" <Patrick.Harper@phns.com>
    
    

    Although, keep in mind, Snort completely fails the CRI test, and does
    horrible TCP reassembly, let alone SMB or MSRPC reassembly. It just
    isn't up to the job of detecting an attacker who's gone to some work to
    bypass this sort of thing.

    Dave Aitel
    Immunity, Inc.

    Harper, Patrick wrote:

    >
    >
    >Snort is a good option (in my opinion) for any size business. The
    >larger the deployment the better you need to be at using it. The box
    >you're running now for your gateway might be a little light for the
    >job; you might want to look at a faster system, but you do not need a
    >fast server or anything for a deployment your size.
    >
    >Remember IDSs require tuning. Out of the box they are all pretty
    >much useless because they will just overload you with info that does
    >not matter and you will either stop watching or uninstall it because
    >you think it is useless. Tune the rule set for your deployment. If
    >you're running an IIS server internally then you do not need the Apache
    >rules. If you are an Oracle shop then you do not need most of the MS
    >SQL rules. Learn how to threshold and suppress as needed.
    >
    >There are several good books out on snort. The Syngress book is
    >written by people that know Snort inside and out like Brian Caswell.
    >http://www.bookpool.com/.x/pizrqesaor/sm/1931836744
    >
    >Hope that helps, I am a little biased to the snort side of the world
    >but that is only because it has done me well for so long.
    >
    >
    >- -----Original Message-----
    >From: Andrey Todorov [mailto:andreyt@gawab.com]
    >Sent: Friday, December 24, 2004 9:08 AM
    >To: focus-ids@securityfocus.com
    >Subject: newbie questions
    >
    >Hi People,
    >I tried several times to subscribe myself to the "Security Basics"
    >mailing list to ask my questions, but didn't succeed. Excuse me if my
    >questions aren't appropriate for the "Focus IDS" mailing list!
    >
    >I'll be very grateful if you share your opinion with me on the
    >following situation. I have a small network (5 PCs) behind one Linux
    >box (iptables firewall, Pentium I 166 MHz, 32MB RAM, 4GB HDD) and want to
    >increase security for this network.
    >
    > 1. Do I need an IDS?
    > 2. What do you think about Snort? Can I find a more easily maintainable
    >free/open-source IDS than Snort?
    > 3. What IDS literature should I read?
    >
    >Thank you in advance!
    >
    >Andrey
    >
    >
    >
    >--------------------------------------------------------------------------
    >Test Your IDS
    >
    >Is your IDS deployed correctly?
    >Find out quickly and easily by testing it with real-world attacks from
    >CORE IMPACT.
    >Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    >to learn more.
    >--------------------------------------------------------------------------
    >
    >
    >
    >
    >
    >
    >

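As an added illustration (not code from any message in this thread) of what Patrick's tuning advice looks like in a Snort 2.x configuration: only the rule files you need, plus threshold and suppress entries. The rule-file names are from the Snort 2.x rules distribution; the sig_id values and the IP address are constructed placeholders.

```conf
# Added example, not from the thread: a Snort 2.x tuning fragment that
# applies the advice above (drop irrelevant rule files, then threshold and
# suppress). sig_ids and IP addresses below are constructed placeholders.

# --- snort.conf: load only the rules for what you actually run ---
# Reassembly preprocessor: keep it on, but note Dave's caveat that Snort's
# TCP reassembly has limits, so rules alone are not a full defence.
preprocessor stream4_reassemble

include $RULE_PATH/web-iis.rules        # IIS is what runs internally
# include $RULE_PATH/web-misc.rules     # Apache-oriented rules: not needed here
include $RULE_PATH/oracle.rules         # Oracle shop
# include $RULE_PATH/sql.rules          # MS SQL rules: not needed here

# Pull in the thresholding / suppression entries shown below.
include threshold.conf

# --- threshold.conf ---
# Limit a chatty signature to one alert per source every 60 seconds
# instead of one alert per packet (sig_id 1000001 is a placeholder).
threshold gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60

# Alert only once a source has triggered this signature 5 times in 60 s,
# which keeps single noisy hits out of the console (placeholder sig_id).
threshold gen_id 1, sig_id 1000002, type threshold, track by_src, count 5, seconds 60

# Silence a known false positive coming from the monitoring host (placeholder
# IP) without disabling the rule for the rest of the network.
suppress gen_id 1, sig_id 1000003, track by_src, ip 192.0.2.10
```

Review the suppress list periodically: a suppression that was added for one noisy host is easy to forget and quietly blinds the sensor to that host from then on.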

