IDS mailing list archives

Re: New to Snort !!!


From: Justin.Ross () signalsolutionsinc com
Date: Tue, 31 May 2005 16:08:54 -0700

There are really two schools of thought on where to place an IDS: one is 
external, the other is internal; in a perfect world you'll want to cover 
both and diff the logs (to see what made it through and what didn't).

I agree that for testing (performance and functionality) and fun you should 
place your IDS on the "outer-most network device"; however, if you are 
constrained by budget/time and can only place one IDS, my advice would be 
to place it inside your edge device, or behind your firewall. You won't 
see external attacks to your firewall, but you will see how/what attacks 
are coming through your edge and into your "trusted" network, and really 
your firewall should be dropping all packets that have the firewall IP 
address as a destination. That's just my opinion but I think you will get 
the most bang for your buck if you see what makes it through to your 
network not just what exists on the Internet. 

By the way, let me tell you how annoying it is to go to the network 
support staff and show them logs of fruitless/mis-targeted/blocked 
attacks and have them say "yeah yeah... our firewall blocked that... now 
tell us something we don't know." I'd rather show them what their firewall 
is letting through and leverage that to fix the issues/vulnerabilities 
that affect your network. 

There are tons of online references to find out more about Snort and 
Intrusion Detection in general. I really have to recommend the following: 
Snort 2.0 Intrusion Detection or Snort 2.1 Intrusion Detection, Second 
Edition, from Syngress. It's written by Snort developers and it gives a 
great overview of IDS (in my opinion) as well as takes you into the nuts 
and bolts of Snort, pre-processing, optimizing, and it covers reporting 
too. I would have to rate it as a "must have" for you, in your situation. 
I would also recommend Network Intrusion Detection: An Analyst's Handbook, 
from New Riders - it's an oldie but a goodie that gives great general advice 
on analyzing attacks. 

Googling for "Overview of Intrusion Detection", "Intrusion Detection 
anomalies", and "Intrusion Detection system deployment" should give you a 
lot of material for the more generalized background and foundational 
knowledge you should become familiar with. You made a good choice with 
Snort, but now you need to learn why, what the differences are between it 
and other IDSs, and how you can apply those differences to your 
advantage, as well as how to make the system better.

You didn't choose the most newbie-friendly IDS, but you certainly picked 
one of the most powerful and customizable.

Good luck!

Justin Ross
MCP+I, MCSE, CCNA, CCSA, CCSE
Senior Network Security Engineer
Signal Solutions Inc.    -   http://www.signalcorp.com
Email: Justin.Ross-at-signalsolutionsinc.com
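The "cover both and diff the logs" idea above, as an added example that is not part of the original post or of the Snort project: a small correlator that reads alerts from an outside (pre-firewall) sensor and an inside (post-firewall) sensor, both writing Snort's "fast" alert format, and splits them into what the edge stopped, what got through, and what was only ever seen inside. The sample alert lines, the local-range SIDs and the addresses are constructed for illustration; the `ignore_dst` option is an assumption about inbound NAT rewriting the destination address, not something the thread states.

```python
"""Correlate alerts from an outside (pre-firewall) and an inside (post-firewall)
Snort sensor to see which attacks the edge stopped and which got through.

Added example for this thread; not code from the original posts or from the
Snort project. It assumes both sensors log with Snort's alert_fast output and
run the same rule set. The sample alerts below are constructed.
"""
import re

# One alert per line, as written by Snort's alert_fast output:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:sport -> dst:dport
# The Classification field is optional, and ports are absent for ICMP.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (SIDs in the 1000000+ local-rule range, RFC 5737 addresses).
OUTSIDE_ALERTS = """\
05/31-16:01:12.000123  [**] [1:1000001:1] LOCAL-SCAN SSH probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:43210 -> 203.0.113.10:22
05/31-16:02:45.000456  [**] [1:1000002:1] LOCAL-WEB cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:43211 -> 203.0.113.10:80
05/31-16:03:09.000789  [**] [1:1000003:1] LOCAL-ICMP sweep [**] [Priority: 3] {ICMP} 198.51.100.9 -> 203.0.113.10
"""

INSIDE_ALERTS = """\
05/31-16:02:45.000901  [**] [1:1000002:1] LOCAL-WEB cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:43211 -> 203.0.113.10:80
05/31-16:05:30.000222  [**] [1:1000004:1] LOCAL-SMB share enumeration [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.25:2049 -> 10.0.0.40:445
"""


def parse_fast_alerts(text):
    """Return one dict per parseable alert line; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def alert_key(alert, ignore_dst=False):
    """Identity of an attack as seen from either side of the edge.

    Timestamps differ by capture position, so the key is rule + source +
    destination + destination port. If the firewall NATs inbound traffic the
    inside sensor sees a rewritten destination address (assumption); pass
    ignore_dst=True to correlate on rule, source and destination port only.
    """
    dst = "" if ignore_dst else alert["dst"]
    return (alert["sid"], alert["src"], dst, alert["dport"] or "")


def diff_sensors(outside_text, inside_text, ignore_dst=False):
    """Split alerts into stopped-at-edge, passed-through and inside-only sets."""
    outside = {alert_key(a, ignore_dst) for a in parse_fast_alerts(outside_text)}
    inside = {alert_key(a, ignore_dst) for a in parse_fast_alerts(inside_text)}
    return {
        "blocked": sorted(outside - inside),      # outside only: the edge dropped it
        "passed": sorted(outside & inside),       # both sides: it got through
        "inside_only": sorted(inside - outside),  # never seen outside: internal origin or NAT mismatch
    }


def report(result):
    """Render the diff as one line per alert key, for handing to the firewall team."""
    lines = []
    for label, keys in result.items():
        for sid, src, dst, dport in keys:
            target = (dst or "*") + (f":{dport}" if dport else "")
            lines.append(f"{label:12s} sid={sid} {src} -> {target}")
    return lines


if __name__ == "__main__":
    for line in report(diff_sensors(OUTSIDE_ALERTS, INSIDE_ALERTS)):
        print(line)
```

The "passed" bucket is the list Justin describes handing to the network staff: attacks the firewall let into the trusted network. The correlation is set-based, so repeated alerts for the same flow collapse into one key; a production version would also bound the match to a time window and keep per-key counts, and, as the thread notes, an inside-only sensor will never show attacks aimed at the firewall itself.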





Joel Esler <eslerj () gmail com>
05/28/2005 10:14 AM
Please respond to: Joel Esler <eslerj () gmail com>
To: Venkatesh G S <venkatesh.gs () gmail com>
cc: Security Focus IDS Forum <focus-ids () securityfocus com>
Subject: Re: New to Snort !!!

What's your questions?

Snort should be placed on your outer-most network device on a "SPAN"
or "Mirrored" port.

Snort should be installed on a Linux platform.  The Windows version
(as far as I know) tends to drop more packets.  Maybe someone can
correct me.

A better place to submit your questions is on the snort-users listserv.

Look it up at www.snort.org

Joel

On 5/24/05, Venkatesh G S <venkatesh.gs () gmail com> wrote:
Hi all,

I am a new member to this group and I am sure I will get your
valuable suggestions for my problem.
I work for an organization where we have almost all the latest
devices in place, which include L3 switches, VoIP, high-end servers,
etc. We have around 1500 desktops and this is a production environment.

My problem

i) My network manager wants me to suggest an IDS, and I googled
yesterday and recommended Snort to him.
ii) I am quite new to IDS and I haven't done even a single
installation of Snort till now.

Can anyone let me know the features of Snort and where this sensor should
be placed in the network? Please don't think that I am not doing my
homework. I have already started to collect information from Snort.org,
but I find it a little too difficult to understand the concept.

I need help with how to install Snort. Finally, is there any Windows
edition of Snort available?

Regards

Venkatesh


--
The impossible is often untried.


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.

--------------------------------------------------------------------------




-- 
Joel Esler
BASE Project Lead
http://sourceforge.net/projects/secureideas

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------




--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------