Snort mailing list archives

Re: What makes a complete IDS package?


From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Fri, 18 Mar 2011 10:08:55 -0600

Here's what I currently have and I think is pretty much the minimum for any security shop running IDS/IPS (substitute 
your favorite software, but since this is a snort list, we're probably all using snort.)

Snort
Barnyard2
Pulledpork (VRT + ET rules)
PRADS or Hogger to build host_attribute table
BASE (could be any of the good alert viewers)
Syslog to SIEM
Integration to Systems Management or Vulnerability Management Systems
Full packet capture/stream capture for further analysis of events
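One concrete piece of that stack is the host_attribute table that a passive fingerprinter such as PRADS feeds to Snort, so frag3 and stream5 reassemble traffic the way the target host would rather than the way the sensor guesses. The script below is an added example, not code from this thread, from PRADS or from Snort: it merges constructed asset records into Snort's host_attribute_table XML (element names as in the Snort 2.9 manual; the asset record fields and the OS-to-policy mapping are assumptions) and parses the result back so the table can be checked before it is loaded.

```python
"""Build a Snort host attribute table (XML) from asset records.

Added example for the snort-users thread above; not code from PRADS or
Snort.  The asset records are constructed, the record schema is assumed,
and the XML layout follows the host_attribute_table format in the Snort
2.9 manual (SNORT_ATTRIBUTES / ATTRIBUTE_MAP / ATTRIBUTE_TABLE).
"""
import xml.etree.ElementTree as ET

# Constructed asset records, the kind of data a passive fingerprinter
# produces.  Fields are simplified (assumed schema, not PRADS' own format).
ASSETS = [
    {"ip": "10.0.0.10", "os": "Linux",
     "services": [("tcp", 22, "ssh"), ("tcp", 80, "http")]},
    {"ip": "10.0.0.20", "os": "Windows",
     "services": [("tcp", 445, "smb")]},
    # Same host seen again with one more service: must merge, not duplicate.
    {"ip": "10.0.0.10", "os": "Linux",
     "services": [("tcp", 443, "http")]},
]

# Assumed mapping from OS family to the frag3/stream5 reassembly policy.
POLICY_FOR_OS = {"Linux": "linux", "Windows": "windows", "BSD": "bsd"}
DEFAULT_POLICY = "bsd"


def merge_assets(records):
    """Merge records by IP so each host appears once with all its services."""
    hosts = {}
    for rec in records:
        host = hosts.setdefault(rec["ip"], {"os": rec["os"], "services": set()})
        host["services"].update(rec["services"])
    return hosts


def build_attribute_table(records):
    """Return the SNORT_ATTRIBUTES root element for the merged records."""
    hosts = merge_assets(records)
    root = ET.Element("SNORT_ATTRIBUTES")

    # ATTRIBUTE_MAP: numeric ids for every OS name used in the table.
    amap = ET.SubElement(root, "ATTRIBUTE_MAP")
    os_ids = {}
    for i, name in enumerate(sorted({h["os"] for h in hosts.values()}), 1):
        entry = ET.SubElement(amap, "ENTRY")
        ET.SubElement(entry, "ID").text = str(i)
        ET.SubElement(entry, "VALUE").text = name
        os_ids[name] = i

    # ATTRIBUTE_TABLE: one HOST per IP with OS policies and known services.
    table = ET.SubElement(root, "ATTRIBUTE_TABLE")
    for ip in sorted(hosts):
        h = hosts[ip]
        host = ET.SubElement(table, "HOST")
        ET.SubElement(host, "IP").text = ip
        osys = ET.SubElement(host, "OPERATING_SYSTEM")
        name = ET.SubElement(osys, "NAME")
        ET.SubElement(name, "ATTRIBUTE_ID").text = str(os_ids[h["os"]])
        ET.SubElement(name, "CONFIDENCE").text = "100"
        policy = POLICY_FOR_OS.get(h["os"], DEFAULT_POLICY)
        ET.SubElement(osys, "FRAG_POLICY").text = policy
        ET.SubElement(osys, "STREAM_POLICY").text = policy
        services = ET.SubElement(host, "SERVICES")
        for proto, port, app in sorted(h["services"]):
            svc = ET.SubElement(services, "SERVICE")
            for tag, value in (("PORT", str(port)), ("IPPROTO", proto),
                               ("PROTOCOL", app)):
                el = ET.SubElement(svc, tag)
                ET.SubElement(el, "ATTRIBUTE_VALUE").text = value
                ET.SubElement(el, "CONFIDENCE").text = "100"
    return root


def render(records):
    """Serialise the table to the XML text Snort reads."""
    return ET.tostring(build_attribute_table(records), encoding="unicode")


def summarize(xml_text):
    """Parse a table back into {ip: (stream_policy, [ports])} as a pre-load check."""
    root = ET.fromstring(xml_text)
    out = {}
    for host in root.iter("HOST"):
        ip = host.findtext("IP")
        policy = host.findtext("OPERATING_SYSTEM/STREAM_POLICY")
        ports = [int(p.text) for p in
                 host.findall("SERVICES/SERVICE/PORT/ATTRIBUTE_VALUE")]
        out[ip] = (policy, ports)
    return out


if __name__ == "__main__":
    print(render(ASSETS))
```

Loading the generated file is then a matter of pointing `attribute_table filename /path/to/hosts.xml` at it in snort.conf; `summarize()` is the place to add whatever checks the shop cares about (every monitored subnet represented, no host left on the default policy) before the table goes live.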

________________________________
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Friday, March 18, 2011 5:38 AM
To: Snort
Subject: [Snort-users] What makes a complete IDS package?

So.....topic says it all.  We all know Snort in and of itself isn't what say...a CEO would call a complete IDS package.  That being said, what addons are really required, to you, to make it so?  As much as I loathe the LAMP environment, it seems like that's pretty much the only option if you want reporting.  I'm currently using snortalog (modified since it's old) from syslog, and oinkmaster...what else is there besides LAMP above?  I know there's barnyard2 for piping unified to mysql, but to be honest, the less processes I have running on my IDS, the better in my mind.  Can anyone add to my list below?  Thanks for anything you can add.

Reporting:
LAMP, Barnyard2 & BASE
Sguil
Snorby

Rules management:
Oinkmaster
PulledPork
