nanog mailing list archives

RE: Intrusion Detection recommendations


From: Warsaw LATAM Operations Group <gaswarsaw-latam () outlook com>
Date: Fri, 13 Feb 2015 19:48:44 -0500

Hello Andy,
I believe you are very well set up, technology-wise. I see you are surrounded by BSD systems everywhere, 
on servers, mobile and desktop. And I suggest you keep running FreeBSD for this new security requirement you have.
We run FreeBSD as an IDS/IPS system on several sites, and pfSense on a couple of others. From my experience, we started using 
Snort, the common path people usually follow, but under certain circumstances the drop ratio (unprocessed packets) 
started to rise a lot, and we looked for options. We tried Bro and Suricata and, with some help from one of our server 
suppliers, we decided to give Suricata a tuning and a special try, and it became our primary option for IDS.
Therefore I strongly suggest you start researching Bro vs Snort vs Suricata and try to reach your conclusions 
from your own findings. But if you ask me for a suggestion, as a long-time user of Snort, I deprecated it in favor of 
Suricata. So my primary suggestion is Suricata + FreeBSD as IDP. Suricata is a very serious project with very good 
software provided.
We run ServerU networking servers, and they are the vendor who supported us. Usually they offer their own software 
solution called ProApps; it's a system made on top of FreeBSD to which you have full root access etc., a plain good old 
FreeBSD system, but with nice auto-update features and a helpful web GUI which allows me to delegate IDS operations to 
different levels of staff operators on my team. 
They allow use of their ProApps solution on ServerU hardware, so if you intend to add new hardware to your project, it 
might be worth a try. I find the tool very powerful and very complete.
On the pfSense side you have a third-party package made by community members; it also has a nice GUI and good deployment 
practices, but it is Snort based. 
At one special location we needed even more performance for packet capturing, and we added Suricata running in Netmap 
mode, and it raised performance three times on the same box.
So if you are looking for something easy, ready and supported, go for ServerU+ProApps. If you are looking for plain 
good open source arranged the way you want to, you can have just the same with FreeBSD + Suricata & Friends.
Should you want to do everything by yourself, FreeBSD + Suricata + Barnyard2 + Sguil + Snortsam is my suggested pathway 
to go, with Richard Bejtlich's books in your hand for good analysis learning and IDS best common operation 
practices. And maybe I can be of some help; private mail me if you want to.
Regards,

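[Editor's note] The reply above gives a rising drop ratio (packets the sensor never inspected) as the reason for moving from Snort to Suricata and for trying Suricata's Netmap mode. A sensor that silently drops packets is blind in exactly the way an IDS must not be, so whichever engine Andy picks, the drop ratio is the first thing to watch. The script below is an added example, not code from either message in this thread or from the Suricata project: it walks Suricata's eve.json, keeps only the periodic "stats" records, and computes the drop ratio per reporting interval from the cumulative capture counters. It assumes the record layout Suricata's eve stats output uses (event_type "stats", cumulative counters under stats.capture.kernel_packets and stats.capture.kernel_drops; check the field names against your Suricata version), and the sample lines are constructed for the example, including one corrupt line and one counter reset from a Suricata restart.

```python
import json
import sys

# Constructed sample of eve.json lines (not real sensor output). The "stats"
# records carry cumulative counters; the 19:04 record simulates a Suricata
# restart, where the counters fall back toward zero.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2015-02-13T19:00:00.000000-0500","event_type":"stats","stats":{"uptime":60,"capture":{"kernel_packets":120000,"kernel_drops":0}}}',
    '{"timestamp":"2015-02-13T19:00:10.000000-0500","event_type":"alert","alert":{"signature":"constructed sample alert"}}',
    '{"timestamp":"2015-02-13T19:01:00.000000-0500","event_type":"stats","stats":{"uptime":120,"capture":{"kernel_packets":250000,"kernel_drops":1000}}}',
    'this line is deliberately not JSON and must be skipped',
    '{"timestamp":"2015-02-13T19:02:00.000000-0500","event_type":"stats","stats":{"uptime":180,"capture":{"kernel_packets":400000,"kernel_drops":9300}}}',
    '{"timestamp":"2015-02-13T19:03:00.000000-0500","event_type":"stats","stats":{"uptime":240,"capture":{"kernel_packets":410000,"kernel_drops":9300}}}',
    '{"timestamp":"2015-02-13T19:04:00.000000-0500","event_type":"stats","stats":{"uptime":30,"capture":{"kernel_packets":5000,"kernel_drops":0}}}',
    '{"timestamp":"2015-02-13T19:05:00.000000-0500","event_type":"stats","stats":{"uptime":90,"capture":{"kernel_packets":25000,"kernel_drops":100}}}',
]

# Assumed field names (see lead-in): adjust if your Suricata version differs.
STATS_EVENT_TYPE = "stats"
CAPTURE_KEY = "capture"
PACKETS_KEY = "kernel_packets"
DROPS_KEY = "kernel_drops"


def parse_stats(lines):
    """Yield (timestamp, kernel_packets, kernel_drops) from eve stats records.

    Non-JSON lines and non-stats events (alerts, flows, ...) are skipped, so the
    same function can be pointed at a full eve.json rather than a stats-only log.
    """
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # truncated or corrupt line: skip, never abort the whole run
        if rec.get("event_type") != STATS_EVENT_TYPE:
            continue
        cap = (rec.get("stats") or {}).get(CAPTURE_KEY) or {}
        if PACKETS_KEY not in cap or DROPS_KEY not in cap:
            continue
        yield rec["timestamp"], int(cap[PACKETS_KEY]), int(cap[DROPS_KEY])


def drop_ratios(lines):
    """Per-interval drop ratio: delta drops / delta packets between consecutive stats records.

    The counters are cumulative since sensor start, so the ratio of the raw values
    would average away a recent spike; differencing consecutive records gives the
    ratio for each reporting interval instead. A negative delta means the counters
    were reset (sensor restart); that interval is discarded and the baseline reset.
    """
    prev = None
    out = []
    for ts, pkts, drops in parse_stats(lines):
        if prev is not None:
            d_pkts = pkts - prev[1]
            d_drops = drops - prev[2]
            if d_pkts < 0 or d_drops < 0:
                prev = (ts, pkts, drops)  # counter reset: rebase, emit nothing
                continue
            ratio = (d_drops / d_pkts) if d_pkts else 0.0
            out.append({"timestamp": ts, "packets": d_pkts, "drops": d_drops, "ratio": ratio})
        prev = (ts, pkts, drops)
    return out


def intervals_over(lines, threshold=0.01):
    """Intervals whose drop ratio exceeds the threshold (1% by default)."""
    return [r for r in drop_ratios(lines) if r["ratio"] > threshold]


def read_eve(path):
    """Line iterator over an eve.json file on disk."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            yield line.rstrip("\n")


if __name__ == "__main__":
    # Usage: python drop_ratio.py [/var/log/suricata/eve.json]
    source = read_eve(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EVE_LINES
    for r in drop_ratios(source):
        flag = "DROPS HIGH" if r["ratio"] > 0.01 else "ok"
        print(f'{r["timestamp"]} pkts={r["packets"]} drops={r["drops"]} '
              f'ratio={r["ratio"]:.4%} {flag}')
```

Run against the embedded sample it reports four intervals and flags the 19:02 one (8300 drops in 150000 packets, about 5.5%); the 19:04 restart record produces no interval and becomes the new baseline for 19:05. On a real sensor, feed it eve.json and alert on any flagged interval: a drop ratio that climbs under load is the signal the reply above describes, and it is the measurement to repeat before and after changing the capture method (for example, moving to Netmap on FreeBSD) or adjusting thread and ruleset tuning.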
From: andy () newslink com
Subject: Intrusion Detection recommendations
Date: Fri, 13 Feb 2015 11:40:06 -0600
To: nanog () nanog org

NANOG'ers,

I've been tasked by our company president to learn about, investigate and recommend an intrusion detection system for 
our company.

We're a smaller outfit, less than 100 employees, entirely Apple-based. Macs, iPhones, some Mac Mini servers, etc., 
and a fiber connection to the world. We are protected by a FreeBSD firewall setup, and we stay current on 
updates/patches from Apple and FreeBSD, but that's as far as my expertise goes.

Initially, what do people recommend for:

1. Crash course in intrusion detection as a whole
2. Suggestions or recommendations for intrusion detection hardware or software
3. Other things I'm likely overlooking

Thank you all in advance for your wisdom.


----
Andy Ringsmuth
andy () newslink com
News Link – Manager Technology & Facilities
2201 Winthrop Rd., Lincoln, NE 68502-4158
(402) 475-6397    (402) 304-0083 cellular
