Snort mailing list archives

Re: snort as HIDS


From: "Rodgers, Anthony (DTMB)" <RodgersA1 () michigan gov>
Date: Wed, 20 Jul 2016 16:05:26 +0000

My recommendation would be to deploy SecurityOnion with OSSEC enabled on your desktops. That way, you can continue to 
leverage your existing investment in snort as a NIDS, and gain a true HIDS along with all the alert management 
capabilities of sguil.

--
Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)
DTMB, Michigan Cyber Security

From: Lamont, Brian A. [mailto:Brian.Lamont () gd-ms com]
Sent: Wednesday, July 06, 2016 17:25
To: Davison, Charles Robert <cdaviso1 () vols utk edu>; snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort as HIDS

It's "configured" to sniff the local interface with just a community.rules file defined. I may have been misled that 
we are using it as a "HIDs", but perhaps it's not really doing that. The initial evaluation and decision to implement 
was done by another team.



Brian Lamont
Unix Systems Admin

Desk:  480 586-9986
Cell:     480 209-8751
brian.lamont () gd-ms com<mailto:brian.lamont () gd-ms com>

This message and/or attachments may include information subject to GD Corporate Policies 07-103 and 07-105 and is 
intended to be accessed only by authorized recipients.  Use, storage and transmission are governed by General Dynamics 
and its policies. Contractual restrictions apply to third parties.  Recipients should refer to the policies or contract 
to determine proper handling.  Unauthorized review, use, disclosure or distribution is prohibited.  If you are not an 
intended recipient, please contact the sender and destroy all copies of the original message.


From: Davison, Charles Robert [mailto:cdaviso1 () vols utk edu]
Sent: Wednesday, July 06, 2016 2:18 PM
To: Lamont, Brian A.; snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: Re: [Snort-users] snort as HIDS

Brian,

You really should look to something else as a HIDS, like:

http://www.la-samhna.de/samhain/
https://ossec.github.io/

Snort is specifically a NIDS and should be used as such. You won't be able to do FIM or log collection. I came into an 
AWS environment where they used snort as a HIDS only for the fact that it checked a box for PCI. That same environment 
ended up switching to Samhain as a HIDS and funneled all the traffic in a VPC through snort as a NIDS. Hopefully this 
helps.
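
As an added illustration (not from this thread or from any of the tools named in it), here is the kind of file-integrity check a HIDS such as OSSEC or Samhain performs and that Snort sniffing an interface with community.rules cannot: a hash-and-mode baseline compared against a later scan, run over a constructed directory tree.

```python
import hashlib
import tempfile
from pathlib import Path


def baseline(root):
    """Record sha256 and permission bits for every regular file under root."""
    snapshot = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            snapshot[rel] = (digest, oct(path.stat().st_mode & 0o7777))
    return snapshot


def compare(old, new):
    """Return the changes a FIM engine would alert on between two snapshots."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: take a baseline, make local changes, rescan.

    None of these changes produce network traffic, so a sensor watching the
    interface would see nothing; a host-level baseline comparison does.
    """
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root, "etc")
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (etc / "ssh_config").write_text("PermitRootLogin no\n")
        before = baseline(root)
        # Constructed changes: a config edit, a new file, a deleted file
        (etc / "ssh_config").write_text("PermitRootLogin yes\n")
        Path(root, "bin").mkdir()
        Path(root, "bin", "helper").write_bytes(b"#!/bin/sh\n")
        (etc / "passwd").unlink()
        return compare(before, baseline(root))


if __name__ == "__main__":
    print(demo())
```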

_____________________________
From: Lamont, Brian A. <brian.lamont () gd-ms com<mailto:brian.lamont () gd-ms com>>
Sent: Wednesday, July 6, 2016 2:35 PM
Subject: [Snort-users] snort as HIDS
To: <snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>>


We have a very basic configuration of snort deployed across our linux/unix systems, and we are being told that snort is 
not a host intrusion tool, although that is what we have configured it to be. Could I get an argument that supports 
the use of Snort on Linux/Solaris as a host intrusion tool, any supporting names of the features, software, etc. that 
prove its use as a HIDS?

Thank you!


Brian Lamont
Unix Systems Admin

Desk:  480 586-9986
Cell:     480 209-8751
brian.lamont () gd-ms com<mailto:brian.lamont () gd-ms com>




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
