IDS mailing list archives

Re: SOHO Hardware IDS


From: Mark Teicher <mteicher () comcast net>
Date: Sun, 16 Nov 2003 14:17:42 -0700

Ron,

Nice speaking to you the other day.

As the previous poster pointed out, the Fortinet Fortigate appliance is a nice box. The really nice feature is the in-line anti-virus blocking. The IDS/IPS is mostly Sn0rt based, with a few custom signatures of their own. The log output can be downloaded in .csv format or normal log format, whatever that is. The output of the logs is not in Sn0rt format, only English-like.

The notifications are still primitive as shown below:

The following instrusion was observed: attack_id=110 src=135.122.44.141 dst=135.122.51.75 src_port=88 dst_port=1963 interface=port1 status=dropped proto=017 service=1963/udp msg="IP fragment "

The following intrusion was observed: netbios: DCERPC ISystemActivator bind attempt[Reference: http://www.fortinet.com/ids/ID102039574] Interface-port2: TCP 135.123.23.188:2793 -> 135.122.51.75:135 .


At 07:41 AM 11/10/2003, Ron Gula wrote:

At 02:04 PM 11/10/2003 +0100, boutros () swissonline ch wrote:
Hi all,

I am curious if there exists a SOHO-type hardware device with the functionality of the Snort IDS. I know I could build a cheap Linux box, but I am looking for something small and quieter than a PC....

TIA,
Boutros

Check out Fortinet. http://www.fortinet.com/ Their web site has much
about firewalls and anti-virus, but they also have Snort embedded into
their appliances. I have several Tenable customers/partners looking at
them and they say the logs output pretty much the same data as the
Snort Linux boxes running right next to it.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com
[Lightning Console - Distributed Enterprise Security Manager     ]
[NeVO Scanner     - 100% Passive Vulnerability Detection        ]
[NeWT Scanner     - The easy-to-use vulnerability scanner for XP ]
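The two notification formats quoted in the message above (a key=value record and a free-text record) are what a collector has to deal with if it wants Fortigate alerts alongside the Snort alerts from "the Linux boxes running right next to it". The following is an added example, not code from the original post, from Fortinet or from Tenable: it parses both sample notifications exactly as they appear in the message, normalises them into one record type, and renders each as a Snort alert_fast-style line. The proto-number table, the assumption that a line containing `attack_id=` is the key=value form, and the choice to reuse the Fortinet attack_id as the Snort sid are all assumptions made for the example, not documented Fortinet behaviour.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample notifications copied from the message above (the two records as the
# appliance emits them). They are the inputs for this example, nothing more.
SAMPLE_KV = ('The following instrusion was observed: attack_id=110 '
             'src=135.122.44.141 dst=135.122.51.75 src_port=88 dst_port=1963 '
             'interface=port1 status=dropped proto=017 service=1963/udp '
             'msg="IP fragment "')
SAMPLE_TEXT = ('The following intrusion was observed: netbios: DCERPC '
               'ISystemActivator bind attempt'
               '[Reference: http://www.fortinet.com/ids/ID102039574] '
               'Interface-port2: TCP 135.123.23.188:2793 -> 135.122.51.75:135 .')


@dataclass
class Alert:
    """One normalised IDS event, regardless of which notification form it came from."""
    msg: str
    proto: str
    src: str
    src_port: int
    dst: str
    dst_port: int
    interface: str
    action: Optional[str] = None      # e.g. "dropped"; only the key=value form carries it
    attack_id: Optional[int] = None   # only the key=value form carries it
    reference: Optional[str] = None   # only the free-text form carries it


# key=value pairs; a value is either a double-quoted string (may contain spaces)
# or a run of non-whitespace.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# free-text form: message, optional [Reference: url], then "Interface-X: PROTO a:p -> b:q"
TEXT_RE = re.compile(
    r'observed:\s*(?P<msg>.*?)\s*(?:\[Reference:\s*(?P<ref>\S+)\])?\s*'
    r'Interface-(?P<iface>\w+):\s*(?P<proto>TCP|UDP|ICMP)\s+'
    r'(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)')

# IANA protocol numbers, zero-padded the way the sample prints "proto=017".
# Assumption for this example: the appliance always pads to three digits.
PROTO_NUMS = {'001': 'icmp', '006': 'tcp', '017': 'udp'}


def parse_alert(line: str) -> Alert:
    """Parse either notification form into an Alert; raises on anything else."""
    if 'attack_id=' in line:
        # key=value form: strip surrounding quotes and the trailing space
        # inside msg="IP fragment "
        kv = {k: v.strip('"').strip() for k, v in KV_RE.findall(line)}
        return Alert(msg=kv['msg'],
                     proto=PROTO_NUMS.get(kv['proto'], kv['proto']),
                     src=kv['src'], src_port=int(kv['src_port']),
                     dst=kv['dst'], dst_port=int(kv['dst_port']),
                     interface=kv['interface'], action=kv.get('status'),
                     attack_id=int(kv['attack_id']))
    m = TEXT_RE.search(line)
    if not m:
        raise ValueError(f'unrecognised notification: {line!r}')
    return Alert(msg=m['msg'], proto=m['proto'].lower(),
                 src=m['src'], src_port=int(m['sport']),
                 dst=m['dst'], dst_port=int(m['dport']),
                 interface=m['iface'], reference=m['ref'])


def to_snort_fast(a: Alert) -> str:
    """Render an Alert in a Snort alert_fast-like one-line layout.

    The [gid:sid:rev] triple reuses the Fortinet attack_id as sid when present;
    that mapping is an assumption of this example, not a Fortinet convention.
    """
    sid = a.attack_id if a.attack_id is not None else 0
    line = (f'[**] [1:{sid}:0] {a.msg} [**] {{{a.proto.upper()}}} '
            f'{a.src}:{a.src_port} -> {a.dst}:{a.dst_port}')
    if a.reference:
        line += f' [Xref => {a.reference}]'
    if a.action:
        line += f' ({a.action})'
    return line


def convert(lines):
    """Convert an iterable of notification lines; skips blank lines, keeps order."""
    return [to_snort_fast(parse_alert(l)) for l in lines if l.strip()]


if __name__ == '__main__':
    for out in convert([SAMPLE_KV, SAMPLE_TEXT]):
        print(out)
```

The point of normalising into `Alert` first is that the two notification forms do not carry the same fields: only the key=value form says whether the packet was dropped, and only the free-text form carries the vendor reference URL. Anything downstream that correlates with a real Snort sensor should key on the 5-tuple plus message text, since the Fortinet attack_id has no relationship to Snort sids.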






---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 and use priority code SF4.
---------------------------------------------------------------------------




