Re: New to Snort !!!

Justin.Ross_at_signalsolutionsinc.com
Date: 06/01/05

    To: Joel Esler <eslerj@gmail.com>
    Date: Tue, 31 May 2005 16:08:54 -0700
    
    

    There are really two schools of thought on where to place an IDS: one is
    external, the other is internal; in a perfect world you'll want to cover
    both and diff the logs (to see what made it through and what didn't).

    I agree that for testing (performance and functionality) and fun you should
    place your IDS on the "outer-most network device"; however, if you are
    constrained by budget/time and can only place one IDS, my advice would be
    to place it inside your edge device, or behind your firewall. You won't
    see external attacks to your firewall, but you will see how/what attacks
    are coming through your edge and into your "trusted" network, and really
    your firewall should be dropping all packets that have the firewall IP
    address as a destination. That's just my opinion but I think you will get
    the most bang for your buck if you see what makes it through to your
    network not just what exists on the Internet.

    By the way, let me tell you how annoying it is to go to the network
    support staff and show them logs of fruitless/mis-targeted/blocked
    attacks and have them say "yeah yeah.. our firewall blocked that... now
    tell us something we don't know." I'd rather show them what their firewall
    is letting through and leverage that to fix the issues/vulnerabilities
    that affect your network.

    There are tons of online references to find out more about Snort and
    Intrusion Detection in general. I really have to recommend the following:
    Snort 2.0 Intrusion Detection or Snort 2.1 Intrusion detection Second
    Edition from Syngress. It's written by Snort developers and it gives a
    great overview of IDS (in my opinion) as well as takes you into the nuts
    and bolts of Snort, pre-processing, optimizing, and it covers reporting
    too. I would have to rate it as a "must have" for you, in your situation.
    I would also recommend Network Intrusion Detection, An Analyst Handbook by
    New Riders - it's an oldie but a goody that gives great general advice on
    analyzing attacks.

    Googling for Overview of Intrusion Detection, Intrusion detection
    anomalies, and Intrusion Detection system deployment should give you a
    lot of material for the more generalized background and foundational
    knowledge you should become familiar with. You made a good choice with
    Snort, but now you need to learn why, what the differences are between it
    and other IDS's, and how you can apply those differences to your
    advantage, as well as how to make the system better.

    You didn't choose the most noobie friendly IDS, but you certainly picked
    one of the most powerful and customizable.

    Good luck!

    Justin Ross
    MCP+I, MCSE, CCNA, CCSA, CCSE
    Senior Network Security Engineer
    Signal Solutions Inc. - http://www.signalcorp.com
    Email: Justin.Ross-at-signalsolutionsinc.com
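The "cover both and diff the logs" idea above, as an added example that is not part of the thread: a Python snippet that parses Snort fast-format alert lines from an outside sensor and an inside sensor and reports which alerts made it past the edge, which were stopped, and which only the inside sensor could see. The log lines, SIDs, messages and addresses are constructed for the example.

```python
import re

# Snort "fast" alert format, one alert per line (constructed samples below).
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_fast_alerts(text):
    """Map (sid, proto, src, dst, dport) -> rule message for each parsable line.
    Timestamp and ephemeral source port are left out of the key so the same
    event seen by two different sensors compares equal."""
    alerts = {}
    for line in text.splitlines():
        m = FAST_ALERT.match(line.strip())
        if m:  # skip blank or non-alert lines
            key = (m["sid"], m["proto"], m["src"], m["dst"], m["dport"] or "")
            alerts[key] = m["msg"]
    return alerts

def diff_sensors(outside_log, inside_log):
    """Return (got_through, blocked, inside_only) dicts keyed like parse_fast_alerts."""
    outside = parse_fast_alerts(outside_log)
    inside = parse_fast_alerts(inside_log)
    got_through = {k: v for k, v in inside.items() if k in outside}     # passed the edge
    blocked = {k: v for k, v in outside.items() if k not in inside}     # stopped by the firewall
    inside_only = {k: v for k, v in inside.items() if k not in outside}  # internal origin
    return got_through, blocked, inside_only

# Constructed sample logs: RFC 5737 addresses, local-range SIDs, made-up messages.
OUTSIDE_LOG = """\
05/31-16:01:02.123456  [**] [1:1000001:1] TEST UDP 1434 probe [**] [Classification: Attempted Admin] [Priority: 1] {UDP} 203.0.113.5:1234 -> 192.0.2.10:1434
05/31-16:01:05.000001  [**] [1:1000002:1] TEST scanner user-agent [**] [Priority: 2] {TCP} 203.0.113.7:40123 -> 192.0.2.20:80
05/31-16:01:09.000002  [**] [1:1000003:1] TEST ICMP sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.1
"""
INSIDE_LOG = """\
05/31-16:01:05.000301  [**] [1:1000002:1] TEST scanner user-agent [**] [Priority: 2] {TCP} 203.0.113.7:40123 -> 192.0.2.20:80
05/31-16:02:00.000000  [**] [1:1000004:1] TEST SMB share enumeration [**] [Priority: 2] {TCP} 192.0.2.33:3456 -> 192.0.2.40:445
"""

if __name__ == "__main__":
    got, blocked, internal = diff_sensors(OUTSIDE_LOG, INSIDE_LOG)
    for label, bucket in (("made it through", got), ("stopped at the edge", blocked),
                          ("seen only inside", internal)):
        print(f"{label}:")
        for (sid, proto, src, dst, dport), msg in sorted(bucket.items()):
            print(f"  sid {sid} {proto} {src} -> {dst}:{dport or '-'}  {msg}")
```

The "seen only inside" bucket is the part of the picture an edge-only sensor never shows, which is the budget argument made above.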

    Joel Esler <eslerj@gmail.com>
    05/28/2005 10:14 AM
    Please respond to
    Joel Esler <eslerj@gmail.com>

    To
    Venkatesh G S <venkatesh.gs@gmail.com>
    cc
    Security Focus IDS Forum <focus-ids@securityfocus.com>
    Subject
    Re: New to Snort !!!

    What are your questions?

    Snort should be placed on your outer-most network device on a "SPAN"
    or "Mirrored" port.

    Snort should be installed on a Linux platform. The Windows version
    (as far as I know) tends to drop more packets. Maybe someone can
    correct me.

    A better place to submit your questions is on the snort-users listserv.

    Look it up at www.snort.org

    Joel

    On 5/24/05, Venkatesh G S <venkatesh.gs@gmail.com> wrote:
    > Hi all,
    >
    > I am a new member to this group & I am sure I will get your
    > valuable suggestions for my problem.
    > I work for an organization where we have almost all the latest
    > devices in place, which includes L3 switches, VoIP, high-end servers
    > etc. We have around 1500 desktops & this is a production environment.
    >
    > My problem
    >
    > i) My network manager wants me to suggest an IDS, and I googled
    > yesterday and recommended him Snort.
    > ii) I am quite new to IDS and I haven't done even a single
    > installation of Snort till now.
    >
    > Can anyone let me know the features of Snort, and where this sensor
    > should be placed in the network? Please don't think that I am not doing
    > my homework. I have already started to collect information from Snort.org
    > but I find it a little too difficult to understand the concept.
    >
    > I need help with how to install Snort. Finally, is there any Windows
    > edition of Snort available?
    >
    > Regards
    >
    > Venkatesh
    >
    >
    > --
    > The impossible is often untried.

    -- 
    Joel Esler
    BASE Project Lead
    http://sourceforge.net/projects/secureideas