Re: Looking for a prebuilt Snort IDS Distro

[Pak Chan <brightlilim () gmail com>]

Sorry, by "network filter", read "IPS". I can see that it's going to be a
fun ride, getting reacquainted with the theory and practice...

Pak
"Build a fire for a man, and he'll be warm for a day. Set a man on fire,
and he'll be warm for the rest of his life."


On 23 September 2012 11:10, Doug Burks <doug.burks () gmail com> wrote:

> Hi Pak,
>
> You can manually configure Security Onion as an IPS but that's not
> what it was designed for and we don't support it.
>
> We do support BPFs for ignoring specific IP addresses.
>
> If you have further questions specific to Security Onion, please feel
> free to use our mailing list:
> http://groups.google.com/group/security-onion
>
> Thanks,
> Doug
>
> On Saturday, September 22, 2012, Pak Chan wrote:
> > Sorry, that was really badly phrased. I meant to say that I haven't
> discovered all of what it can do yet, so can't comment on its capabilities
> or lack thereof. I'm still in the process of configuring it (and will be
> for a while, mixed in with other work). I also haven't decided if I want to
> have it as an inline sensor/network filter (can it filter as well as
> sense?) or just an out-of-band sensor.
> > I'll also need to see about configuring it to ignore certain IP
> addresses occasionally (for targeted penetration tests, etc.), which I've
> not looked into yet.
> > So, I might as well ask the questions: can I use SO as a network filter,
> and can I configure it to allow pen tests on servers without triggering
> massive amounts of alerts?
> > Pak
> > "Build a fire for a man, and he'll be warm for a day. Set a man on fire,
> and he'll be warm for the rest of his life."
> > On 21 September 2012 23:09, Jeremy Hoel <jthoel () gmail com> wrote:
> >
> > Out ojmf curiosity, what does SO not do for you?
> >
> > On Sep 21, 2012 5:33 PM, "Pak Chan" <brightlilim () gmail com> wrote:
> >
> > That may be true, but there are people who just need an IDS, and having
> an easy-to-use IDS appliance (which is effectively what a distro is, or
> should be) will help that. Most people won't delve into the code to
> understand how it works underneath, in the same way that most people just
> purchase and install firewalls without understanding how they work. It
> means they won't get the best out of it, but it's a great deal better than
> if they didn't have one at all.
> > Personally, I'm in that situation at the moment. The last time I looked
> at an IDS was one I had helped to build about ten years ago, and it was so
> primitive compared to the capabilities modern ones have. I'm getting back
> into it again, and finding myself short on time to learn about the
> fundamentals, I've decided to go for the SecurityOnion distro. It doesn't
> satisfy everything I want (yet), but that's down to my lack of experience
> in tweaking it. I'll get better as I learn more about it, but I don't want
> to be exposed in the meantime. I'll settle for less-than-ideal in the short
> term.
> > Pak
> > "Build a fire for a man, and he'll be warm for a day. Set a man on fire,
> and he'll be warm for the rest of his life."
> > On 21 September 2012 17:51, PR <oly562 () gmail com> wrote:
> >
> > ps. it shouldn't matter what distro, unix/linux, its nix, prebuilt? that
> > means, no real configuring at the beginning, therefore, you will not
> > learn how it works, where it is, how it can be tweeked, unless you are a
> > wizard. not to say you can figure it out, it just means, you will have
> > less knowledge about how it works at the core.
> >
> > On Fri, 2012-09-21 at 13:14 +0000, Turnbough, Bradley E. wrote:
> > > From: Jaime Nebrera [mailto:jnebrera () gmail com]
> > > Sent: Friday, September 21, 2012 2:51 AM
> > > To: snort-users () lists sourceforge net
> > > Subject: Re: [Snort-users] Looking for a prebuilt Snort IDS Distro
> > >
> > >
> > >
> > >
> > > On 20/09/12 15:26, Turnbough, Bradley E. wrote:
> > >
> > > I’m looking for a prebuilt snort IDS Distro.  Preferrably based on the
> > > Centos 6 series.  Any Suggestions?
> > >
> > >
> > >
> > > I’d like it to have (at a minimum):
> > >
> > >
> > >
> > > Snort
> > >
> > > Barnyard 2
> > >
> > > Snorby
> > >
> > > Mysql
> > >
> > >
> > >
> > >
> > >
> > >   Hi Bradley,
> > >
> > >   I would suggest redBorder.net
> > >
> > >   It contains Snort, Barnyard 2, Snorby (for event management) and
> > > MySQL. Besides those, you have a very powerful rule manager, config
> > > system and SNMP monitoring as an extension of Snorby and performance
> > > enhancements on the Snort side.
> > >
> > >   It is free for registered users and under open source license.
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > Exactly what I was looking for…. Thanks Jamie!
> > >
> > >
> > > This e-mail transmission contains information that is confidential and
> > > may be privileged. It is intended only for the addressee(s) named
> > > above. If you receive this e-mail in error, please do not read, copy
> > > or disseminate it in any manner. If you are not the intended
> > > recipient, any disclosure, copying, distribution or use of the
> > > contents of this information is prohibited. Please reply to the
> > > message immediately by informing the sender that the message was
> > > misdirected. After replying, please erase it from your computer
> > > system. Your assistance in correcting this error is appreciated.
> ------------------------------------------------------------------------------
>
>
>
> --
> Doug Burks
> http://securityonion.blogspot.com
>
>
>
> --
> Doug Burks
> http://securityonion.blogspot.com
>
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://ad.doubleclick.net/clk;258768047;13503038;j?
> http://info.appdynamics.com/FreeJavaPerformanceDownload.html
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!