IDS mailing list archives
Re: New to Snort !!!
From: Justin.Ross () signalsolutionsinc com
Date: Tue, 31 May 2005 16:08:54 -0700
There are really two schools of thought on where to place an IDS: one is external, the other is internal; in a perfect world you'll want to cover both and diff the logs (to see what made it through and what didn't). I agree that for testing (performance and functionality) and fun you should place your IDS on the "outer-most network device"; however, if you are constrained by budget/time and can only place one IDS, my advice would be to place it inside your edge device, or behind your firewall. You won't see external attacks to your firewall, but you will see how/what attacks are coming through your edge and into your "trusted" network, and really your firewall should be dropping all packets that have the firewall IP address as a destination. That's just my opinion, but I think you will get the most bang for your buck if you see what makes it through to your network, not just what exists on the Internet.

By the way, let me tell you how annoying it is to go to the network support staff and show them logs of fruitless/mis-targeted/blocked attacks and have them say "yeah yeah.. our firewall blocked that... now tell us something we don't know." I'd rather show them what their firewall is letting through and leverage that to fix the issues/vulnerabilities that affect your network.

There are tons of online references to find out more about Snort and Intrusion Detection in general. I really have to recommend the following: Snort 2.0 Intrusion Detection or Snort 2.1 Intrusion Detection, Second Edition, from Syngress. It's written by Snort developers and it gives a great overview of IDS (in my opinion) as well as takes you into the nuts and bolts of Snort, pre-processing, optimizing, and it covers reporting too. I would have to rate it as a "must have" for you, in your situation. I would also recommend Network Intrusion Detection: An Analyst's Handbook from New Riders - it's an oldie but a goody that gives great general advice on analyzing attacks.

Googling for "Overview of Intrusion Detection", "Intrusion detection anomalies", and "Intrusion Detection system deployment" should give you a lot of material for the more generalized background and foundational knowledge you should become familiar with.

You made a good choice with Snort, but now you need to learn why, what the differences are between it and other IDSs, and how you can apply those differences to your advantage, as well as how to make the system better. You didn't choose the most noobie-friendly IDS, but you certainly picked one of the most powerful and customizable.

Good luck!

Justin Ross
MCP+I, MCSE, CCNA, CCSA, CCSE
Senior Network Security Engineer
Signal Solutions Inc. - http://www.signalcorp.com
Email: Justin.Ross-at-signalsolutionsinc.com

Joel Esler <eslerj () gmail com>
05/28/2005 10:14 AM
Please respond to Joel Esler <eslerj () gmail com>
To: Venkatesh G S <venkatesh.gs () gmail com>
cc: Security Focus IDS Forum <focus-ids () securityfocus com>
Subject: Re: New to Snort !!!

What are your questions?

Snort should be placed on your outer-most network device on a "SPAN" or "Mirrored" port. Snort should be installed on a Linux platform. The Windows version (as far as I know) tends to drop more packets. Maybe someone can correct me.

A better place to submit your questions is on the snort-users listserv. Look it up at www.snort.org

Joel

On 5/24/05, Venkatesh G S <venkatesh.gs () gmail com> wrote:

Hi all,

I am a new member to this group and I am sure I will get your valuable suggestions for my problem. I work for an organization where we have almost all the latest devices in place, which includes L3 switches, VoIP, high-end servers, etc. We have around 1500 desktops and this is a production environment.

My problem:
i) My network manager wants me to suggest an IDS, and I googled yesterday and recommended him Snort.
ii) I am quite new to IDS and I haven't done even a single installation of Snort till now. Can anyone let me know the features of Snort, and where this sensor should be placed in the network?

Please don't think that I am not doing my homework. I have already started to collect information from Snort.org but I find it a little too difficult to understand the concept. I need help in how to install Snort. Finally, are there any Windows editions of Snort available?

Regards
Venkatesh
--
The impossible is often untried.
--------------------------------------------------------------------------
Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
--
Joel Esler
BASE Project Lead
http://sourceforge.net/projects/secureideas
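Justin's suggestion of running a sensor on both sides of the edge device and diffing the logs, worked through as an added Python example that is not from this thread or from the Snort project: it parses Snort alert_fast lines from an outside and an inside sensor, keys each alert on SID, protocol and addresses (timestamp and source port dropped), and reports which alerts got through, which were dropped at the edge, and which only the inside sensor saw. It assumes no NAT between the two sensors; the alert lines, SIDs and addresses are constructed.

```python
import re

# Snort "alert_fast" line layout (the sample lines below are constructed to match it):
# <mm/dd-HH:MM:SS.usec>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
FAST_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'.*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$'
)

def parse_fast(lines):
    """Reduce each alert to (sid, proto, src, dst, dport, msg). The timestamp and the
    ephemeral source port are dropped so the same attack seen by two sensors compares
    equal. Assumes the edge device does not NAT addresses between the sensors."""
    keys = set()
    for line in lines:
        m = FAST_RE.match(line.strip())
        if m:  # lines that are not alert_fast records are ignored
            keys.add((m['sid'], m['proto'], m['src'], m['dst'], m['dport'], m['msg']))
    return keys

def diff_sensors(outside_lines, inside_lines):
    """Split alerts by where they were seen: on both sensors (made it through the edge),
    outside only (dropped at the edge), or inside only (no matching outside alert)."""
    outside, inside = parse_fast(outside_lines), parse_fast(inside_lines)
    return {
        'passed': sorted(outside & inside),       # what to show the network staff
        'blocked': sorted(outside - inside),      # "our firewall blocked that"
        'inside_only': sorted(inside - outside),  # internal origin or a sensor gap
    }

# Constructed sample alerts: SIDs are in the local-rule range and the addresses are
# documentation prefixes, so none of them refer to real rules or hosts.
OUTSIDE_ALERTS = [
    '05/31-15:01:02.000001  [**] [1:1000001:1] LOCAL suspicious HTTP request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.20:51234 -> 198.51.100.10:80',
    '05/31-15:02:10.000002  [**] [1:1000002:1] LOCAL SQL Server UDP probe [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 198.51.100.5:1434',
    '05/31-15:03:00.000003  [**] [1:1000003:1] LOCAL ICMP echo [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 198.51.100.5',
]
INSIDE_ALERTS = [
    '05/31-15:01:02.000150  [**] [1:1000001:1] LOCAL suspicious HTTP request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.20:51234 -> 198.51.100.10:80',
    '05/31-15:04:45.000004  [**] [1:1000004:1] LOCAL SMB traffic from workstation [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.44:3344 -> 198.51.100.10:445',
]

if __name__ == '__main__':
    for bucket, alerts in diff_sensors(OUTSIDE_ALERTS, INSIDE_ALERTS).items():
        print(bucket)
        for sid, proto, src, dst, dport, msg in alerts:
            print(f'  [{sid}] {msg}: {proto} {src} -> {dst}:{dport}')
```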