Snort mailing list archives
Re: New IDS best practise
From: Kevin Ross <kevross33 () googlemail com>
Date: Thu, 17 Nov 2011 15:21:59 +0000
I would go commercial if I was you, but nothing to stop you running your own (I have a large organisation with a mix). Anyway, what you want to do:

1) Choose a centralised database machine to have BASE/Snorby connect to. I would recommend keeping it more like one main one per large site. You want to put sensors at least on all your Internet links as well as default routes out (especially if traffic is supposed to go out somewhere else and you have strong outbound firewall policies). Non-proxy-aware malware may just hit itself off the firewall and you can get it with that and also various generic Snort rules, IP blacklists, tools like BotHunter etc. Use Barnyard on each sensor to log into the database and have Snort write off as unified2, as it is a lot faster.

2) I won't go into detail here but: choose locations, set up the centralised database/monitoring, install sensors on each link with 2 network interfaces - one for management with an IP and secure iptables rules to limit access, and a sniffing interface without an IP on a SPAN switchport. Check it is logging. Add more sensors. You could also use a commercial SIEM or an open source one (like OSSIM) to help correlate logs. I would also recommend the emergingthreats.net rules - especially for current malware stuff going on and current infection campaigns such as exploit kits. Tuning is also important and you can use threshold.conf to limit alerts, suppress etc. and PulledPork to disable/enable rules automatically, so when your sensors update they are basically being tuned. Make sure you set up the variables right ($HOME_NET as your internal nets, servers; EXTERNAL_NET = !$HOME_NET etc.).

3) Pitfalls might be your sensor may not be fast enough. Good network cards, fast disks, memory etc. and monitoring (you can use the perfmon preprocessor and pmgraph to view statistics about drops and things), though I have had just normal PCs in as sensors on fast links sending up to 1TB of traffic a month while keeping the drop statistic at about 0.3% or below following tuning, which was fine. Tuning, whether you go commercial or not, is essential in order to keep FPs down and also improve sensor performance.

With the SSH tunnels there are emergingthreats rules in the emerging-policy rules which can detect SSH on off ports and things. I have detected SSH over 443 and things before using them.

Kind Regards,
Kevin Ross

On 16 November 2011 19:59, Michael Maymann <michael () maymann org> wrote:
Hi List,

we are a global multi-site organisation using switched network, firewalls and proxies.

1. Where would be the best place(s) to put IDS(s), if we aim to have a centralised view - e.g. can this be set up as 1 central master (e.g. Snorby) and site slaves (e.g. Snort) on each FW LAN?
2. How would it best be implemented - what would be the preferred steps?
3. What could be the typical pitfalls - e.g. would traffic possibly slow down because everything needs to go to a 100mbit port where the IDS is located, etc.?

To begin with we would especially like to detect reverse ssh/corkscrew - any ideas how to do this properly in a set-up like ours, with or without IDS?

Thanks in advance :-) !
~Maymann

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense. http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
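As an added illustration of the "SSH on off ports" check Kevin describes, and of the reverse ssh/corkscrew question it answers, here is example detection logic that is not code from the thread or from any Snort or Emerging Threats rule set; the Flow record layout (reassembled client-to-server bytes) and the sample payloads are constructed for this example.

```python
"""Flag SSH banners on ports other than 22 (the emerging-policy style check
Kevin mentions) and SSH wrapped in an HTTP CONNECT to a proxy (corkscrew
style). Sample flows below are constructed, not real captures."""
import re
from dataclasses import dataclass
from typing import List, Optional

# SSH protocol identification string as sent at the start of a session
SSH_BANNER = re.compile(rb"^SSH-(2\.0|1\.99|1\.5)-")
# HTTP CONNECT request line, end of request headers, then an SSH banner
CONNECT_THEN_SSH = re.compile(
    rb"^CONNECT \S+ HTTP/1\.[01]\r\n(?:[^\r\n]+\r\n)*\r\nSSH-(2\.0|1\.99)-")

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # assumed: reassembled client-to-server bytes of the flow

def classify(flow: Flow) -> Optional[str]:
    """Return a finding label for a suspicious flow, or None."""
    data = flow.payload[:1024]
    if SSH_BANNER.match(data):
        # SSH on 22 is expected; the same banner anywhere else is worth an alert
        if flow.dport != 22:
            return f"ssh-on-off-port {flow.src}->{flow.dst}:{flow.dport}"
        return None
    if CONNECT_THEN_SSH.match(data):
        return f"ssh-via-http-connect {flow.src}->{flow.dst}:{flow.dport}"
    return None

def scan(flows: List[Flow]) -> List[str]:
    """Run classify() over a batch and keep only the findings."""
    return [f for f in (classify(fl) for fl in flows) if f]

# Constructed samples: normal SSH, SSH on 443, real TLS on 443,
# SSH through a proxy CONNECT, and an ordinary CONNECT carrying TLS.
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "203.0.113.10", 22, b"SSH-2.0-OpenSSH_5.8\r\n"),
    Flow("10.1.1.7", "203.0.113.20", 443, b"SSH-2.0-OpenSSH_5.8\r\n"),
    Flow("10.1.1.8", "203.0.113.30", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00"),
    Flow("10.1.1.9", "10.1.1.254", 8080,
         b"CONNECT 203.0.113.40:443 HTTP/1.0\r\n\r\nSSH-2.0-OpenSSH_5.8\r\n"),
    Flow("10.1.1.9", "10.1.1.254", 8080,
         b"CONNECT mail.example.com:443 HTTP/1.1\r\nHost: mail.example.com\r\n\r\n\x16\x03\x01"),
]

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_FLOWS)))
```

The same first check is what a Snort rule keyed on the "SSH-" content at the start of a stream to a non-22 port expresses; the CONNECT case needs the proxy-side stream, which is why the sensor placement on the proxy link matters.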