nanog mailing list archives
RE: Intrusion Detection recommendations
From: Warsaw LATAM Operations Group <gaswarsaw-latam () outlook com>
Date: Fri, 13 Feb 2015 19:48:44 -0500
Hello Andy,

I believe you are very well set up the way you are in technology. I see you are surrounded by BSD systems everywhere: on servers, mobile and desktop. And I suggest you keep running FreeBSD for this new security requirement you have. We run FreeBSD as an IDS/IPS system on several sites, and pfSense on a couple of others.

From my experience, we started using Snort, the common path people usually follow, but under certain circumstances the drop ratio (unprocessed packets) started to rise a lot, and we looked for options. We tried Bro and Suricata, and with some help from one of our server suppliers we decided to give Suricata a tuning and special try, and it became our primary option for IDS. Therefore I strongly suggest you start researching Bro vs Snort vs Suricata and try to reach your conclusions from your own findings. But if you ask me for a suggestion, as a long-time user of Snort, I deprecated it in favor of Suricata. So my primary suggestion is Suricata + FreeBSD as IDP. Suricata is a very serious project with very good software provided.

We run ServerU networking servers, and they are the vendor who supported us. Usually they offer their own software solution called ProApps; it's a system made on top of FreeBSD to which you have full root access etc., a plain old good FreeBSD system, but with nice auto-update features and a helpful web GUI which allows me to delegate IDS operations to different levels of staff operators on my team. They allow using their ProApps solution on ServerU hardware, so if you intend to add new hardware to your project, it might be worth a try. I find the tool very powerful and very complete. On the pfSense side you have a third-party package made by community members; it also has a nice GUI and good deployment practices, but it is Snort based. At one special location we needed even more performance for packet capturing, and we added Suricata running in Netmap mode, and it raised performance three times on the same box.

So if you are looking for something easy, ready and supported, go for ServerU + ProApps. If you are looking for plain good open source arranged the way you want to, you can have just the same with FreeBSD + Suricata & Friends. Should you want to do everything by yourself, FreeBSD + Suricata + Barnyard2 + Sguil + Snortsam is my suggested path to go, with Richard Bejtlich's books in your hand for good analysis learning and IDS best common operation practices. And maybe I can be of some help; mail me privately if you want to.

Regards,
From: andy () newslink com
Subject: Intrusion Detection recommendations
Date: Fri, 13 Feb 2015 11:40:06 -0600
To: nanog () nanog org

NANOG'ers,

I've been tasked by our company president to learn about, investigate and recommend an intrusion detection system for our company. We're a smaller outfit, less than 100 employees, entirely Apple-based. Macs, iPhones, some Mac Mini servers, etc., and a fiber connection to the world. We are protected by a FreeBSD firewall setup, and we stay current on updates/patches from Apple and FreeBSD, but that's as far as my expertise goes.

Initially, what do people recommend for:

1. Crash course in intrusion detection as a whole
2. Suggestions or recommendations for intrusion detection hardware or software
3. Other things I'm likely overlooking

Thank you all in advance for your wisdom.

----
Andy Ringsmuth
andy () newslink com
News Link – Manager Technology & Facilities
2201 Winthrop Rd., Lincoln, NE 68502-4158
(402) 475-6397
(402) 304-0083 cellular
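The drop ratio that drove the switch from Snort to Suricata in the reply above can be tracked from Suricata's periodic stats.log dumps. What follows is an added example, not code from the thread: a small Python parser over a constructed stats.log sample that reads the cumulative capture.kernel_packets and capture.kernel_drops counters, assumes each dump carries "Total" rows, and reports the drop ratio per stats interval rather than the cumulative figure.

```python
# Added example (not from the original thread): Suricata's capture drop ratio from its
# periodic stats.log dumps. Kernel counters are cumulative, so the useful ratio is per
# interval. ROW matches one "Counter | TM Name | Value" row; the sample log is constructed.
import re
from typing import Dict, List
ROW = re.compile(r"^(?P<name>[\w.]+)\s*\|\s*(?P<tm>[^|]+?)\s*\|\s*(?P<value>\d+)\s*$")

SAMPLE_STATS_LOG = """\
Date: 2/13/2015 -- 19:43:44 (uptime: 0d, 00h 05m 00s)
capture.kernel_packets                     | Total                     | 1000000
capture.kernel_drops                       | Total                     | 5000
Date: 2/13/2015 -- 19:48:44 (uptime: 0d, 00h 10m 00s)
capture.kernel_packets                     | Total                     | 1400000
capture.kernel_drops                       | Total                     | 45000
"""

def parse_snapshots(text: str) -> List[Dict[str, int]]:
    """One {counter: value} dict per dump, keeping only the "Total" rows."""
    snapshots: List[Dict[str, int]] = []
    current: Dict[str, int] = {}
    for line in text.splitlines():
        if line.startswith("Date:"):  # a new dump starts; close the previous one
            if current:
                snapshots.append(current)
            current = {}
            continue
        m = ROW.match(line)
        if m and m.group("tm") == "Total":
            current[m.group("name")] = int(m.group("value"))
    if current:
        snapshots.append(current)
    return snapshots

def drop_ratio(snap: Dict[str, int]) -> float:
    """Cumulative fraction of packets the kernel dropped before Suricata saw them."""
    packets = snap.get("capture.kernel_packets", 0)
    return snap.get("capture.kernel_drops", 0) / packets if packets else 0.0

def interval_drop_ratios(snapshots: List[Dict[str, int]]) -> List[float]:
    """Drop ratio per interval, from differences of successive cumulative dumps."""
    ratios = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        pkts = cur.get("capture.kernel_packets", 0) - prev.get("capture.kernel_packets", 0)
        drops = cur.get("capture.kernel_drops", 0) - prev.get("capture.kernel_drops", 0)
        ratios.append(drops / pkts if pkts > 0 else 0.0)
    return ratios

def over_threshold(text: str, threshold: float = 0.01) -> List[int]:
    """Indices of intervals whose drop ratio exceeds threshold (1% default; tune per sensor)."""
    return [i for i, r in enumerate(interval_drop_ratios(parse_snapshots(text))) if r > threshold]
```

In the constructed sample the cumulative ratio at the second dump is about 3.2%, while the last interval alone dropped 10% of packets, which is the kind of jump that would prompt the tuning or engine change the reply describes.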