IDS mailing list archives

Re: newbie quetsions


From: "Fabien Degouet" <fdegouet () contrhackt com mx>
Date: Mon, 27 Dec 2004 23:52:25 -0600

Andrey,

My point of view is:
    1- Yes, you need an IDS. We always need an IDS, as iptables just blocks
ports or connections but does not check for attacks or inside traffic. If you
have multiple segments you should have an IDS per segment. Here IDS stands
for NIDS, but HIDS or better IPS would be required for critical hosts (like
servers).

    2- Snort is a good one and you can update the rules through oinkmaster
(inline). Another good one is Bro-IDS (opensource too). Snort is quite easy to
maintain and update but you may need some time for customization of rules.
Take a look at www.prelude-ids.org, this could give you some ideas on how to
manage the whole thing (logs too).

    3- For documentation, take a look at www.snort.org/docs, and google.com
is always a good friend. You can find some good books (dealing with snort or
security) on amazon - for snort they come up on the main page. The book by R.
Bejtlich (The Tao of Network Security Monitoring) is also a good one!

Regards

fabien
----- Original Message ----- 
From: "Andrey Todorov" <andreyt () gawab com>
To: <focus-ids () securityfocus com>
Sent: Friday, December 24, 2004 9:07 AM
Subject: newbie quetsions


Hi People,
I tried several times to subscribe myself to "Security Basics" mailing
list to ask my questions, but didn't succeed. Excuse me if my questions
aren't adequate to "Focus IDS" mailing list!

I'll be very grateful if you share your opinion with me for the
following situation. I have a small network (5 PCs) behind one Linux box
(iptables firewall, Pentium I 166MHz, 32MB RAM, 4GB HDD) and want to
increase security for this network.

    1. Do I need IDS?
    2. What do you think about Snort? Can I find easy maintainable
free/opensource IDS than Snort?
    3. What IDS literature should I read?

Thank you in advance!

Andrey


