IDS mailing list archives

Re: newbie quetsions

From: Dave Aitel <dave () immunitysec com>
Date: Fri, 31 Dec 2004 00:14:30 -0500

Although, keep in mind, Snort completely fails the CRI test, and doeshorrible TCP reassembly, let alone SMB or MSRPC reassembly. It justisn't up to the job of detecting an attacker who's gone to some work tobypass this sort of thing.


Dave Aitel
Immunity, Inc.

Harper, Patrick wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Snort is a good option (in my opinion) for any size business.  The
larger the deployment the better you need to be at using it.  The box
your running now for your gateway might be a little light for the
job, you might want to look at a faster system but you do not need a
fast server or anything for a deployment your size.

Remember IDS's require tuning, out of the box they are all pretty
much useless because they will just overload you with info that does
not matter and you will either stop watching or uninstall it because
you think it is useless.  Tune the rule set for your deployment.  If
your running an IIS server internally then you do not need the apache
rules.  If you are an oracle shop then you do not need most of the MS
SQL rules. Learn how to threshold and suppress as needed.
There are several good books out on snort.  The Syngress book is
written by people that know Snort inside and out like Brian Caswell.
http://www.bookpool.com/.x/pizrqesaor/sm/1931836744

Hope that helps, I am a little biased to the snort side of the world
but that is only because it has done me well for so long.


- -----Original Message-----
From: Andrey Todorov [mailto:andreyt () gawab com]Sent: Friday, December 24, 2004 9:08 AM
To: focus-ids () securityfocus com
Subject: newbie quetsions

Hi People,
I tried several times to subscribe myself to "Security Basics"
mailinglist to ask my questions, but didn't succeed. Excuse me if myquestionsaren't adequate to "Focus IDS" mailing list!
I'll be very gratefull if you share your opinion with me for thefollowing situation. I have small network (5 PCs) behind one Linuxbox(iptables firewall , Pentium I 166Mhz, 32MB RAM, 4GB HDD) and want to
increase security for this network.

   1. Do I need IDS?
2. What do you think about Snort? Can I find easy maintainablefree/opensource IDS then Snort?
   3. What IDS literature should I read?

Thank you in advance!

Andrey



- ----------------------------------------------------------------------
- ----
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks
fromCORE IMPACT.
Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708to learn more.
- ----------------------------------------------------------------------
- ----




-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQdF3kJiWafDb7+B/EQI6tgCfV2rP2l2PUMxHzj2XSK/d/ncQB94AoOW1
2fp7hsiFLetlfReGfdqt1r+m
=LBep
-----END PGP SIGNATURE-----




Disclaimer:
This electronic message, including any attachments, is confidential and intended solely for use of the intended recipient(s). This message may contain information that is privileged or otherwise protected from disclosure by applicable law. Any unauthorized disclosure, dissemination, use or reproduction is strictly prohibited. If you have received this message in error, please delete it and notify the sender immediately.
--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks fromCORE IMPACT.Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708to learn more.
--------------------------------------------------------------------------



--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?

Find out quickly and easily by testing it with real-world attacks fromCORE IMPACT.Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708to learn more.

--------------------------------------------------------------------------

Current thread:

newbie quetsions Andrey Todorov (Dec 27)
- Re: newbie quetsions GuidoZ (Dec 27)
- Re: newbie quetsions ken_i_m (Dec 30)
- Re: newbie quetsions Fabien Degouet (Dec 30)
- RE: newbie quetsions Randy Golly (Dec 30)
- RE: newbie quetsions zekker (Dec 30)
- <Possible follow-ups>
- RE: newbie quetsions Harper, Patrick (Dec 30)
  - Re: newbie quetsions Dave Aitel (Dec 30)