RE: Snort IDS

From: Burton M. Strauss III (bstrauss3@attbi.com)
Date: 09/27/02


From: "Burton M. Strauss III" <bstrauss3@attbi.com>
To: <security-basics@securityfocus.com>
Date: Thu, 26 Sep 2002 17:29:26 -0500

It may not be what you want. It depends on what you're attempting to
accomplish.

Snort is an intrusion DETECTION tool, not an audit tool.
                      ^^^^^^^^^

As an IDS tool, it's great, IF (and ONLY IF) the administrator is
knowledgeable enough to keep it current and to review and RESPOND/REACT to
the logs.

As an auditor, you should be checking whether there is a formal procedure
for monitoring and acting upon the output of the tool! Just having it
running, with a rules base from six months ago and nobody monitoring the
logs is useless.

If you do monitor the IDS output and react to it, then the IDS is a tool
that helps in two ways -
information is power and an IDS is an information source:

One is the knowledge of how much of a target you are,

and

Two is information to allow you to focus your security efforts on "real
world", high-payback tasks. Suppose that TODAY, you can either update
OpenSSH or install the new release of Apache. Which one offers the payback,
RIGHT NOW? If you don't know what probes are being made against your
systems (and what you have installed), then you can't make the right
decision.

Unfortunately, IDS have two "flaws"... Both are inherent with the beast and
are not reasons not to use an IDS (but are reasons not to naively use an
IDS)...

1. They generate a lot of "false positives". Say, for example, you just
install the whole default rule set: you will have (and almost certainly be
probed for) a huge # of Windows IIS log messages. If you're not running
IIS, then these really aren't meaningful (except for scare tactics -- "we
were probed 200 times last night" ... "So what, we're not vulnerable to ANY
of the probes"). But on a major or high-profile site, you will have a
tremendous number of log messages to deal with every day...

That brings up the second "flaw":

2. They only detect attacks/probes where signatures have been created. I.e.
yesterday's and (if you keep current) today's attacks, but not tomorrow's.

-----Burton

-----Original Message-----
From: hejimenez@bancoagricola.com [mailto:hejimenez@bancoagricola.com]
Sent: Monday, September 23, 2002 5:07 PM
To: security-basics@securityfocus.com
Subject: Snort IDS

Hi everyone!!!, I'm an EDP auditor and I want to know some commentaries
about the use of Snort IDS... I'd like to know if anyone recommends it and
if it's a good choice to install in a financial organization.

Thanks

Héctor E. Jiménez
Coordinador-Auditoria de Sistemas
Banco Agrícola, S.A.
Tel. 279-4545
Ext. 123
email:hejimenez@bancoagricola.com
