Security Basics mailing list archives
Re: Is snort an overkill for desktop only environment ?
From: Stephen Mullins <steve.mullins.work () gmail com>
Date: Mon, 26 Oct 2009 16:02:54 -0400
Eh...you can run Snort at home if you want. There is nothing saying that you have to be on a huge enterprise network in order to have an IDS, especially a free/open source one.

If I were in your shoes I would deploy Snort simply for the great learning opportunity, so long as your budget permits it. You may not be able to get the most current rules from Sourcefire but you can at least get the most current rules from Emerging Threats, which tend to be relevant to current events and high quality. For something so high profile as Conficker, you can usually find a Snort rule on the front page of the Internet Storm Center. There is no monopoly on such rules. This is another benefit of Snort's origins, and thorough documentation due to remaining open source.

On the other hand, you'll need to devote a lot of time to tuning the sensor, especially at first. Otherwise you'll be inundated with junk alerts/false positives and will quickly simply ignore it altogether. That's part of the learning process.

Given the state of most private sector's IT security, your first and best step would be taking away admin privileges from all your users before you go through the trouble of deploying an IDS.

Steve

On Sat, Oct 24, 2009 at 2:53 PM, martin <martiniscool () gmail com> wrote:
anybody have any thoughts at all?

---------- Forwarded message ----------
From: martin <martiniscool () gmail com>
Date: 2009/10/22
Subject: Is snort an overkill for desktop only environment ?
To: security-basics () securityfocus com

Hi all

I've been reading up on IDP recently, and particularly started looking at Snort. I'm considering suggesting to my boss that we install it at a small branch office I'm based at. However, all that we have at the branch office are a few desktop PCs, a firewall, switch, and a printer. Our DC, file server etc. is at head office and accessed using a VPN.

Is it worth installing IDP in a simplified environment such as this? Or is it designed for more "complex" environments which have more resources such as file servers, web servers etc.?

Also, currently we wouldn't have anything in the budget to pay for the $500 rule subscription for one sensor - so all the rules we would be getting would be 30 days old. Is it worth having an IDP with rules that are this old? Are they still of any value? I'm thinking back to the Conficker threat last year - I know there was a Snort rule for it, but without the subscription, we wouldn't have gotten it for 30 days. So it would have been pretty much too late in that case.

I know that we can write our own rules, but I don't think anybody would have time to do that. So we'd be relying on what rules get downloaded.

Any feedback would be greatly appreciated

thanks in advance

M
Current thread:
- Fwd: Is snort an overkill for desktop only environment ? martin (Oct 26)
- RE: Is snort an overkill for desktop only environment ? Jason Hurst (Oct 26)
- Re: Is snort an overkill for desktop only environment ? José Manuel Molina Pascual (Oct 27)
- Re: Is snort an overkill for desktop only environment ? Stephen Mullins (Oct 26)
- Re: Is snort an overkill for desktop only environment ? mojorising (Oct 26)
- Re: Is snort an overkill for desktop only environment ? Kurt Buff (Oct 27)
- <Possible follow-ups>
- Re: Fwd: Is snort an overkill for desktop only environment ? krymson (Oct 26)
- Re: Is snort an overkill for desktop only environment ? Craig S Wright (Oct 27)
- RE: Is snort an overkill for desktop only environment ? Jason Hurst (Oct 26)