Snort mailing list archives
Re: What makes a complete IDS package?
From: "Edward Fjellskål" <edwardfjellskaal () gmail com>
Date: Fri, 18 Mar 2011 20:25:02 +0100
For what it is worth... If you look at the IDS as if you were to buy it as a commercial appliance, you would want at least to have something like this:

* An easy way to upgrade the OS (/Firmware).
* An easy way to upgrade the IDS/IPS engine
* An easy way to update rules
* An easy way to tune rules/policies
* A way to do user/group management
* A way to query the appliance for status (SNMP etc.)
* A way to get syslog data
* A way to protect the appliance (Firewall and Integrity checking)
* A way to easily replace/restore it from backup
* A way to see trend graphing and system health.
* One good GUI to do all this in... :)
* And reports for the guys upstairs.... :)

I have yet to find any silver bullets in the free and open world. That's why I use parts that exist... I commonly use (but this is more than just IDS):

* Ubuntu LTS for OS
* OSSEC for integrity checking+++
* Nagios for system health and alert
* Munin for trend graphing
* Oinkmaster/Pulledp0rk/Homebrewed for rules
* I update my IDS packages myself :)
* VRT and ET rules + homebrew

I also use Sguil, with the stack that brings...

* Snort/Suricata
* PADS (And PRADS from today!!)
* daemonlogger
* cxtracker

At the moment I use snort for IDS/IPS, suricata for HTTP/proxy logs. I use PRADS for making the host_attribute.xml file for snort and also for having control over my inventory/assets. cxtracker for sessions, and daemonlogger for pcap. I have used PADS in sguil for gathering some quick info about hosts, but PRADS on the sensors for more deep insight into my network and for snort auto tuning. (PRADS in git today has a way (beta) to replace PADS)

In the future I'm looking for passive-dns also. (http://www.enyo.de/fw/software/dnslogger/) as I see it has great value to my Network Security Monitoring stack.

E

On 03/18/2011 01:38 PM, James Lay wrote:
So..... topic says it all. We all know Snort in and of itself isn't what, say, a CEO would call a complete IDS package. That being said, what addons are really required, to you, to make it so? As much as I loathe the LAMP environment, it seems like that's pretty much the only option if you want reporting. I'm currently using snortalog (modified since it's old) from syslog, and oinkmaster... what else is there besides LAMP above? I know there's barnyard2 for piping unified to mysql, but to be honest, the fewer processes I have running on my IDS, the better in my mind. Can anyone add to my list below? Thanks for anything you can add.

Reporting:
LAMP, Barnyard2 & Base
Sguil
Snorby

Rules management:
Oinkmaster
Pulled pork

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
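Edward's reply above mentions using PRADS to build the host_attribute.xml that Snort's target-based frag3/stream5 policies and service-aware rules consume. The script below is an added example, not part of the thread and not PRADS's own prads2snort script or anything from Snort: it turns passive asset records in the CSV layout of prads-asset.log (asset,vlan,port,proto,service,[service-info],distance,discovered) into a Snort host attribute table. The record layout, the PRADS-to-Snort service-name mapping and the OS-to-policy table are assumptions to be checked against your own sensor output, and the sample records are constructed, not captured.

```python
"""Build a Snort host attribute table from passive asset records.

Added example; not code from PRADS, Snort or the mailing list thread.
Assumptions: the input follows the prads-asset.log CSV layout, the
service-name and OS-policy tables below, and Snort's host attribute
table XML (SNORT_ATTRIBUTES / ATTRIBUTE_TABLE / HOST).
"""
import ipaddress
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample records in the assumed prads-asset.log layout.
SAMPLE_ASSETS = """\
asset,vlan,port,proto,service,[service-info],distance,discovered
10.0.0.5,0,0,6,SYN,[65535:64:1:60:M1460,N,W2,N,N,T,S,E:.:Linux:2.6],0,1300000000
10.0.0.5,0,22,6,SERVER,[ssh:OpenSSH 5.3],0,1300000001
10.0.0.5,0,80,6,SERVER,[www:Apache],0,1300000002
10.0.0.9,0,0,6,SYN,[8192:128:1:48:M1460,N,N,S:.:Windows:XP],0,1300000003
10.0.0.9,0,445,6,SERVER,[smb:unknown],0,1300000004
10.0.0.9,0,53,17,SERVER,[domain:unknown],0,1300000005
"""

# The bracketed service-info field may itself contain commas (TCP option
# lists in fingerprints), so a plain CSV split is not safe; match the
# bracket span greedily instead.
ASSET_RE = re.compile(
    r"^(?P<ip>[^,]+),(?P<vlan>[^,]*),(?P<port>\d+),(?P<proto>\d+),"
    r"(?P<kind>[^,]+),\[(?P<info>.*)\],(?P<distance>[^,]*),(?P<discovered>[^,]*)$"
)

IPPROTO = {"6": "tcp", "17": "udp"}
# Assumed mapping from PRADS service labels to the names Snort rules use
# in metadata:service; anything not listed is passed through unchanged.
SERVICE_NAME = {"www": "http", "domain": "dns"}
# Assumed OS family -> (frag3 policy, stream5 policy); hosts whose OS is
# unknown get no OPERATING_SYSTEM element so Snort keeps its default.
OS_POLICY = {
    "Linux": ("linux", "linux"),
    "Windows": ("windows", "windows"),
    "FreeBSD": ("bsd", "bsd"),
    "Solaris": ("solaris", "solaris"),
}


def parse_assets(text):
    """Return {ip: {"os": family-or-None, "services": {(port, ipproto, name)}}}."""
    hosts = defaultdict(lambda: {"os": None, "services": set()})
    for line in text.splitlines():
        m = ASSET_RE.match(line)
        if not m:  # header, blank, or a record we do not understand
            continue
        ip, kind, info = m["ip"], m["kind"], m["info"]
        if kind == "SYN":
            # TCP fingerprint: OS family and version are the last two
            # colon-separated fields (e.g. "...:Linux:2.6").
            fields = info.split(":")
            if len(fields) >= 2:
                hosts[ip]["os"] = fields[-2]
        elif kind == "SERVER":
            name = info.split(":", 1)[0]
            ipproto = IPPROTO.get(m["proto"])
            if ipproto:
                svc = (int(m["port"]), ipproto, SERVICE_NAME.get(name, name))
                hosts[ip]["services"].add(svc)
    return dict(hosts)


def _attr(parent, tag, value, confidence=100):
    """Emit <TAG><ATTRIBUTE_VALUE>v</ATTRIBUTE_VALUE><CONFIDENCE>c</CONFIDENCE></TAG>."""
    el = ET.SubElement(parent, tag)
    ET.SubElement(el, "ATTRIBUTE_VALUE").text = str(value)
    ET.SubElement(el, "CONFIDENCE").text = str(confidence)
    return el


def build_attribute_table(hosts):
    """Serialise parsed hosts as a Snort host attribute table (XML string)."""
    root = ET.Element("SNORT_ATTRIBUTES")
    table = ET.SubElement(root, "ATTRIBUTE_TABLE")
    for ip in sorted(hosts, key=ipaddress.ip_address):
        host = ET.SubElement(table, "HOST")
        ET.SubElement(host, "IP").text = ip
        os_name = hosts[ip]["os"]
        if os_name in OS_POLICY:
            frag, stream = OS_POLICY[os_name]
            os_el = ET.SubElement(host, "OPERATING_SYSTEM")
            _attr(os_el, "NAME", os_name)
            ET.SubElement(os_el, "FRAG_POLICY").text = frag
            ET.SubElement(os_el, "STREAM_POLICY").text = stream
        if hosts[ip]["services"]:
            svcs = ET.SubElement(host, "SERVICES")
            for port, ipproto, name in sorted(hosts[ip]["services"]):
                svc = ET.SubElement(svcs, "SERVICE")
                _attr(svc, "PORT", port)
                _attr(svc, "IPPROTO", ipproto)
                _attr(svc, "PROTOCOL", name)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(build_attribute_table(parse_assets(SAMPLE_ASSETS)))
```

Point snort.conf at the generated file with `attribute_table filename /path/to/host_attribute.xml` and regenerate it on a schedule as PRADS learns new assets; a host with no fingerprint is deliberately written without an OPERATING_SYSTEM element rather than with a guessed policy, since a wrong reassembly policy is worse than the default.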
Current thread:
- What makes a complete IDS package? James Lay (Mar 18)
- Re: What makes a complete IDS package? Jefferson, Shawn (Mar 18)
- Re: What makes a complete IDS package? Joel Esler (Mar 18)
- Re: What makes a complete IDS package? James Lay (Mar 19)
- Re: What makes a complete IDS package? Joel Esler (Mar 19)
- Re: What makes a complete IDS package? Martin Holste (Mar 21)
- Re: What makes a complete IDS package? Joel Esler (Mar 21)
- Re: What makes a complete IDS package? Jefferson, Shawn (Mar 21)
- Re: What makes a complete IDS package? Joel Esler (Mar 21)
- Re: What makes a complete IDS package? James Lay (Mar 19)