Snort mailing list archives

Re: New IDS best practise

From: Kevin Ross <kevross33 () googlemail com>
Date: Thu, 17 Nov 2011 15:21:59 +0000

I would go commercial if I was you but nothing to stop you running your own
(I have a large organisation with a mix). Anyway what you want to do:

1) Choose a centralised database machine to have base/snorby connect to. I
would recommend keeping it more like one main one per large site. You want
to put sensors at least on all your Internet links as well as default
routes out (especially if traffic is supposed to go out somewhere else and
you have strong outbound firewall policies. Non-proxy aware malware may
just hit itself off the firewall and you can get it with that and also
various generic snort rules, ip blacklists, tools like bothunter etc. Use
barnyard on each sensor to log into the database and have snort write off
as unified2 as it is a lot faster.

2) I won't go into detail here but: Choose locations, setup centralised
database/monitoring, install sensors on each link with 2 network interfaces
- one for management with IP with secure iptables rules to limit access and
a sniffing interface without ip and have SPAN switchport. Check it is
logging. Add more sensors. You could also use a commercial SIEM or open
source one (like OSSIM) to help correlate logs. I would also recommend the
emergingthreats.net rules - especially for current malware stuff going on
and current infection campaigns such as exploit kits.

Tuning is also important and you can use threshold.conf to limit alerts,
supress etc and pulledpork to disable/enable rules automatically so when
your sensors update they are basically being tuned. Make sure you set up
the variable right ($HOME_NET as your internal nets, servers, EXTERNAL_NET
= !$HOME_NET etc).

3) Pitfalls might be your sensor may not be fast enough. Good network
cards, fast disks, memory etc and monitoring (you can use perfmon
preprocessor and pmgraph to view statistics about drops and things) though
I have had just normal PCs in as sensors on fast links sending up to 1TB of
traffic a month while keeping the drop statistic at about 0.3% or below
following tuning which was fine. Tuning whether you go commercial or not is
essential in order to keep FPs down and also improve sensor performance.

With the SSH tunnels there are emergingthreats rules in the emerging-policy
rules which can detect SSH on off ports and things. I have detected SSH
over 443 and things before using them.

Kind Regards,
Kevin Ross



On 16 November 2011 19:59, Michael Maymann <michael () maymann org> wrote:

Hi List,

we are a global multi-site organisation using switched network, firewalls
and proxies.
1. Where would be the best place(s) to put IDS(s), if we aim to have a
centralised view - e.g. can this be set-up as 1 central master (e.g.
Snorby) and site slaves (e.g. Snort) on each FW LAN ?
2. How would it best be implemented - what would be the preferred steps.
3. What could be the typical pitfalls - e.g. would traffic possibly slow
down because everything needs to go to a 100mbit port where IDS is located,
etc.

To begin with we would especially like to detect reverse ssh/corkscrew -
any ideas how to do this properly in a set-up like ours, with or without
IDS ?

Thanks in advance :-) !


~Maymann


------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure
contains a definitive record of customers, application performance,
security threats, fraudulent activity, and more. Splunk takes this
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure 
contains a definitive record of customers, application performance, 
security threats, fraudulent activity, and more. Splunk takes this 
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

New IDS best practise Michael Maymann (Nov 16)
- Re: New IDS best practise Mark W. Jeanmougin (Nov 17)
- Re: New IDS best practise Kevin Ross (Nov 17)
  - Re: New IDS best practise Martin Holste (Nov 17)
    - Re: New IDS best practise Joel Esler (Nov 17)
    - Re: New IDS best practise Martin Holste (Nov 17)
    - Re: New IDS best practise beenph (Nov 17)
    - Re: New IDS best practise Martin Holste (Nov 17)
    - Re: New IDS best practise beenph (Nov 17)
    - Re: New IDS best practise Dustin Webber (Nov 17)